ETSI TS 102 573 V1.1.1 (2007-07)

Technical Specification

Electronic Signatures and Infrastructures (ESI);
Policy requirements for trust service providers signing and/or storing data for digital accounting

Reference: DTS/ESI-000047

Keywords: e-commerce, electronic signature, provider, security, trust services

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within the ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2007. All rights reserved.

DECT™, PLUGTESTS™ and UMTS™ are Trade Marks of ETSI registered for the benefit of its Members. TIPHON™ and the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.

Contents

Intellectual Property Rights   4
Foreword   4
Introduction   4
1 Scope   5
2 References   5
3 Definitions and abbreviations   6
3.1 Definitions   6
3.2 Abbreviations   7
4 Notation   8
5 General concepts   8
5.1 Fiscally Relevant Documents   8
5.2 Basic Model   9
5.3 Commonly Acceptable Practices for Trusted Service Providers   9
5.4 ISO/IEC 27001 ISMS and "Policy Requirements"   10
5.5 Normalized and Extended Policy Requirements   10
5.6 User Community and Applicability   11
5.7 Conformance requirements   11
6 Obligations   11
6.1 Trust service providers obligations   11
6.2 Trust service providers organizational requirements   12
6.3 Subscriber obligations   13
6.4 Information for trading partner   13
6.5 Information for auditor/regulatory/tax authorities   13
Annex A (normative): Objectives and controls - signature and storage   15
Annex B (normative): Objectives and controls - information security management   21
Annex C (informative): Bibliography   28
History   29

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).

Introduction

Electronic records can provide a sound basis for maintaining accounting information, and with the application of good practices can prove more secure and robust than the use of paper. The use of e-Invoicing and digital accounting is of major importance to European enterprises, because it can significantly reduce administrative costs. The European Directive on e-Invoicing 2001/115/EC [9] recognises the potential use of Advanced Electronic Signatures to protect the authenticity and integrity of electronic invoices.

Some European national governments already regulate practices for the integrity and authenticity of digital accounting data through the use of electronic signatures and data formats that are not vulnerable to changes in presentation through malicious code. In order to achieve an acceptable level of security for accounting data, practices for the use of electronic signatures need to be augmented with practices regarding storage, particularly with regard to backup regimes, and the use of appropriate data formats. It has become clear that the technical format of the data to be signed and the process of signature creation are of importance for data authentication. Fiscal auditing procedures can benefit greatly from the availability of electronic invoices and of digital accounting data.

The present document is based on the findings presented in TR 102 572 (see bibliography) and addresses policy requirements for Trusted Service Providers (TSP) that act in the name and on behalf of taxable persons that are required by the applicable law to produce and reliably keep, even beyond ten years, electronic invoices as well as other fiscally relevant documents. These requirements may also be implemented by organizations issuing and storing these documents on their own behalf.

1 Scope

The present document specifies policy requirements applicable to Trusted Service Providers (TSP) that sign fiscally relevant electronic documents and/or store them on behalf of taxable persons. The present document aims to address regulatory requirements to produce and reliably keep, even beyond ten years, signed electronic invoices as well as other fiscally relevant documents. The practices identified in the present document are independent of the type of document or information being protected.

The present document is directed at policies involving the use of Advanced Electronic Signatures or Qualified Electronic Signatures. The primary aim of the application of signatures is to protect the integrity and provide data origin authentication of fiscally relevant documents in communication and storage. However, signatures may also be used, where required, to provide content commitment (i.e. non-repudiation).

The present document addresses solely the Advanced Electronic Signature based solution. It is recognized that other suitable measures, not employing Advanced Electronic Signatures, and hence outside the scope of the present document, may be applied to assure the authenticity and integrity of digital accounting documents. It should be noted that the reliability of such alternative measures generally depends on the trustworthiness of the organization and may require independent assessment of the technical and organizational measures applied. Advanced Electronic Signatures may be used to augment existing measures to provide even higher security, or to reduce the need for other controls.

The present document may be used by competent independent bodies as the basis for confirming that an organization is trustworthy in issuing and storing signed fiscally relevant electronic documents on behalf of other taxable persons or on its own behalf. The present document does not specify how the requirements identified may be assessed by an independent party, including requirements for information to be made available to such independent assessors, or requirements on such assessors.

Within the present document the key word "should" indicates that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

2 References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

[1] CEN CWA 14169: "Secure signature-creation devices 'EAL 4+'".
NOTE: http://www.cenorm.be/catweb/35.040.htm.

[2] CEN CWA 15579: "E-invoices and digital signatures".
NOTE: http://www.cenorm.be/isss/einv.

[3] CEN CWA 15580: "Storage of Electronic Invoices".
NOTE: http://www.cenorm.be/isss/einv.

[4] ISO/IEC 17799: "Information technology - Security techniques - Code of practice for information security management".
NOTE: The ISO organization will substitute ISO/IEC 17799 with ISO/IEC 27002, so it is recommended to move from ISO/IEC 17799 to ISO/IEC 27002 when available. It is also recommended to take into account in the future the whole 27000 family, which is still under development: 27000 (Overview and vocabulary), 27003 (ISMS implementation guidelines), 27004 (Information security management measurements), 27005 (Information security risk management), and other possible future ones.

[5] ISO/IEC 27001: "Information technology - Security techniques - Information security management systems - Requirements".

[6] ISO/IEC 15408 (2005) (parts 1 to 3): "Information technology - Security techniques - Evaluation criteria for IT security".

[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[8] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

[9] Council Directive 2001/115/EC of 20 December 2001 amending Directive 77/388/EEC with a view to simplifying, modernising and harmonising the conditions laid down for invoicing in respect of value added tax.

[10] ETSI TS 101 456: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates".

[11] ETSI TS 102 042: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates".

[12] ETSI TS 102 176-1: "Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms".

[13] ETSI TS 102 734: "Electronic Signatures and Infrastructures; Profiles of CMS Advanced Electronic Signatures based on TS 101 733 (CAdES)".

[14] ETSI TS 102 904: "Electronic Signatures and Infrastructures; Profiles of XML Advanced Electronic Signatures based on TS 101 903 (XAdES)".

[15] ETSI TS 101 733: "Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)".

[16] ETSI TS 101 903: "XML Advanced Electronic Signatures (XAdES)".

[17] CEN CWA 14170: "Security requirements for signature creation applications".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

advanced electronic signature: electronic signature which is uniquely linked to the sender, is capable of identifying the signatory, is created using means that the signatory can maintain under his sole control, and is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable (Art. 5 No. 2 of the European Signature Directive, Directive 1999/93/EC [8])

commonly acceptable practices: practices for Trust Service Providers signing and/or storing data relevant for accounting (i.e. fiscally relevant data) which may be recognized as acceptable by authorities in several EU nations

electronic invoices: invoices sent by electronic means as defined in Directive 2001/115/EC [9]

extended policy requirements: extended variant of the normalized policy requirements employing a secure signature creation device and a Qualified Certificate (i.e. qualified electronic signatures)

normalized policy requirements: policy requirements which offer a quality of service equivalent to the one defined in Directive 1999/93/EC [8], in particular employing advanced electronic signatures as defined in article 2 No 2 of this Directive

fiscally relevant data: financial data of a taxable person or company that may need to be exhibited to a regulatory authority concerned with financial accounting (e.g. Tax Authority, Chamber of Commerce, Ministry of Finance, etc.)

fiscally relevant document: document or record containing fiscally relevant data

qualified electronic signature: advanced electronic signature which is based on a qualified certificate and which is created by a secure-signature-creation device (Directive 1999/93/EC [8])

qualified certificate: certificate which meets the requirements laid down in annex I of Directive 1999/93/EC [8] and is provided by a certification-service-provider who fulfils the requirements laid down in annex II of Directive 1999/93/EC [8]

secure signature creation device: signature-creation device which meets the requirements laid down in annex III of Directive 1999/93/EC [8]

signature creation data: unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature (Directive 1999/93/EC [8])

statement of applicability: documented statement describing the control objectives and controls that are relevant and applicable to the TSP's ISMS (ISO/IEC 27001 [5])

trading partner: taxable person that has trading relationships with the user of the TSP's services and with which invoices and/or other fiscally relevant documents are exchanged

3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

AdES   Advanced Electronic Signature
CA     Certification Authority
CEN    Comité Européen de Normalisation
CMS    Cryptographic Message Syntax
CRL    Certificate Revocation List
ES     Electronic Signature
EUMS   European Union Member State
ISMS   Information Security Management System
N      Normalized Policy Requirements
TSP    Trusted Service Provider
VAT    Value Added Tax
WWW    World Wide Web
XBRL   eXtensible Business Reporting Language