1、 ETSI TS 102 640-4 V2.1.2 (2011-09) Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 4: REM-MD Conformance Profiles Technical Specification ETSI ETSI TS 102 640-4 V2.1.2 (2011-09)2Reference RTS/ESI-000071-4 Keywords e-commerce, electronic signature, email, secu
2、rity, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the p
3、resent document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In ca
4、se of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this a
5、nd other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authori
6、zed by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2011. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPT
7、M and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 102 640-4 V2.1.2 (2011-09)3Contents Intellectual Property Rights 4g3Foreword . 4g3Introd
8、uction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions, abbreviations and notations 6g33.1 Definitions 6g33.2 Abbreviations . 6g33.3 Notations 6g34 Basic Profile Requirements 7g34.1 Basic Elements . 7g34.2 REM-MD Management 7g34.3 Roles . 8g34.
9、4 Authentication 8g34.5 Interfaces and protocols 9g34.6 Evidence . 9g34.7 Information Security. 10g35 Advanced Profile Requirements . 11g35.1 General . 11g35.2 Interfaces and protocols 12g35.3 REM-PD related elements 12g35.4 Roles . 13g35.5 Evidence . 13g35.6 Information security management system 1
10、4g3History 16g3ETSI ETSI TS 102 640-4 V2.1.2 (2011-09)4Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and
11、can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETS
12、I IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword
13、 This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 4 of a multi-part deliverable. Full details of the entire series can be found in part 1 1. Introduction Business and administrative relations
14、hips among companies, public administrations and private citizens, are the more and more implemented electronically. Trust is becoming essential for their success and continued development of electronic services. It is therefore important that any entity using electronic services have suitable secur
15、ity controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their partners. Electronic mail is a major tool for electronic business and administration. Additional security services are necessary for e-mail to be trusted. At the time of writing the prese
16、nt document, in some European Union Member States (Italy, Belgium, etc.) regulation(s) and application(s) are being developed, if not already in place on mails transmitted by electronic means providing origin authentication and proof of delivery. A range of Registered E-Mail (“REM“) services is alre
17、ady established and their number is set to grow significantly over the next few years. Without the definition of common standards there will be no consistency in the services provided, making it difficult for users to compare them. Under these circumstances, users might be prevented from easily chan
18、ging to alternative providers, damaging free competition. Lack of standardization might also affect interoperability between REM based systems implemented based on different models. The present document is to ensure a consistent form of service across Europe, especially with regard to the form of ev
19、idence provided, in order to maximize interoperability even between e-mail domains governed by different policy rules. In order to move towards the general recognition and readability of evidence provided by registered e-mail services, it is necessary to specify technical formats, as well as procedu
20、res and practices for handling REM, and the ways the electronic signatures are applied to it. In this respect, the electronic signature is an important security component to protect the information and to provide trust in electronic business. It is to be noted that a simple “electronic signature“ wo
21、uld be insufficient to provide the required trust to an information exchange. Therefore the present document assumes the usage of at least an Advanced Electronic Signature, with the meaning of article 2(2) of EU Directive 1999/93/EC i.7 issued with a Secure Signature Creation Device, with the meanin
22、g of article 2(6) of the same Directive. The summarised scope of each part and sub-part can be found in part 1 1 of this multi-part deliverable. ETSI ETSI TS 102 640-4 V2.1.2 (2011-09)51 Scope The present document specifies two levels of conformance requirements: Basic Conformance Profile that indic
23、ates the minimum set of mandatory requirements that are to be met by any REM-MD that claims to be conformant with TS 102 640-1 1, TS 102 640-2 2 and TS 102 640-3 3; and Advanced Conformance Profile that includes a set of voluntary additional requirements to the Basic Conformance Profile for enhanced
24、 security and advanced evidential services. It should be emphasize that an organization claiming compliance with TS 102 640-1 1, TS 102 640-2 2 and TS 102 640-3 3 is only expected to fully comply with the mandatory requirements contained in the Basic Conformance Profile. 2 References References are
25、either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents whi
26、ch are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. 2.1 Normative references The following refer
27、enced documents are necessary for the application of the present document. 1 ETSI TS 102 640-1: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 1: Architecture“. 2 ETSI TS 102 640-2: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail
28、 (REM); Part 2: Data requirements, Formats and Signatures for REM“. 3 ETSI TS 102 640-3: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 3: Information Security Policy Requirements for REM Management Domains“. 4 ISO/IEC 27002:2005: “Information technology - S
29、ecurity techniques - Code of practice for information security management“. 5 ETSI TS 101 862: “Qualified Certificate profile“. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a partic
30、ular subject area. i.1 IETF RFC 1305: “Network Time Protocol (Version 3) Specification, Implementation and Analysis“. i.2 ETSI TS 102 640-5: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 5: REM-MD Interoperability Profiles“. i.3 ETSI TS 102 640-6-1: “Electr
31、onic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 6: Interoperability Profiles; Sub-part 1: REM-MD UPU PReM Interoperability Profile“. ETSI ETSI TS 102 640-4 V2.1.2 (2011-09)6i.4 ETSI TS 102 640-6-2: “Electronic Signatures and Infrastructures (ESI); Registered Electro
32、nic Mail (REM); Part 6: Interoperability Profiles; Sub-part 2: REM-MD BUSDOX Interoperability Profile“. i.5 ETSI TS 102 640-6-3: “Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 6: Interoperability Profiles; Sub-part 3: REM-MD SOAP Binding Profile“. i.6 ISO/IE
33、C 27001:2005: “Information technology - Security techniques - Information security management systems - Requirements“. i.7 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 3 Definitions, abbreviations and notat
34、ions 3.1 Definitions For the purposes of the present document, the terms and definitions given in TS 102 640-1 1 apply. Throughout the present document a number of verbal forms are used, whose meaning is defined below: Shall, shall not: indicate requirements strictly to be followed in order to confo
35、rm to the present document and from which no deviation is permitted. Should, should not: indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or tha
36、t (in the negative form) a certain possibility or course of action is deprecated but not prohibited. May, need not: indicate a course of action permissible within the limits of the present document. 3.2 Abbreviations For the purposes of the present document, the abbreviations given in TS 102 640-1 1
37、 apply. 3.3 Notations All the requirements will be defined in tabular form. Table 1: Requirements template N Element TS reference Requirement Implementation guidance Notes Column N will identify a unique number for the requirements. This number will start from 1 in each clause. The eventual referenc
38、es to it would also include the clause number to avoid any ambiguity. Column Element will identify the element the requirement applies to. Elements include architectural elements (clauses 4.1 and 4.4), management element (clause 4.2), roles (clauses 4.3 and 5.4), interfaces (clauses 4.5 and 5.2), Ev
39、idence (clauses 4.6 and 5.5), Information Security Management elements (clause 4.7), Security Controls (clause 4.7), REM-PD related elements and Information security management system elements (clause 5.6). Tables in the aforementioned clauses have, in consequence, different headers for this column.
40、 Column TS Reference will reference the relevant clause of the standard where the element is defined. The reference is to TS 102 640-1 1, TS 102 640-2 2 or TS 102 640-3 3 except where explicitly indicated otherwise. ETSI ETSI TS 102 640-4 V2.1.2 (2011-09)7Column Requirement will contain an identifie
41、r, as defined in table 2. Table 2: Optionality Identifier Requirement to implement M REM-MD shall implement the element R REM-MD should implement the element O REM-MD may implement the element Column Implementation guidance will contain guidance explaining how to implement the identified requirement
42、. It is intended either to explain how the requirement is implemented or to. Column Notes will include explanatory and additional information. 4 Basic Profile Requirements 4.1 Basic Elements Table 3 shows the mandatory architectural elements that shall be present in the logical model of a Registered
43、 Electronic Mail service. Table 3 N Architectural Element TS reference Requirement Implementation guidance Notes 1 REM-MD 4.1 M see note 1 2 REM Sender 4.1 M see note 2 3 REM Recipient 4.1 M 4 REM-UA 4.1 M 5 Evidence 4.1 M see note 3 NOTE 1: The REM Sender has access to the REM-MD services through a
44、 User Agent. NOTE 2: The recipient accesses also the REM-MD services through a User Agent. NOTE 3: In addition to transport services as provided by other mailing systems, REM systems provide evidence services related to the submission, transmission (where applicable) and delivery of the REM Object.
45、In particular, evidence services including some or all of evidence types mentioned in clause 6 should be provided to users (be they humans or systems). 4.2 REM-MD Management Table 4 shows the minimum set of requirements for management of a REM-MD and REM-PD. Table 4 N Management elements TS referenc
46、e Requirement Implementation guidance Notes 1 Compliance to rules and procedures 4 M a) 2 Documenting procedures 4 M b) 3 Provision of information by REM-PD 4 M c) see noteNOTE: A REM Policy Domain may have an Authority supervising the application of the policy and, within one REM-PD, there may be o
47、ne or more REM-MD that provide end users with the whole set of REM related services. A REM-MD may belong to more than one REM-PD, provided that it complies with the rules of all of them. For example, a REM-MD set up in one country by a multinational company could be compliant to the sets of rules of
48、 both the relevant country and the multinational organizations. ETSI ETSI TS 102 640-4 V2.1.2 (2011-09)8Implementation guidance: a) The REM-MD shall be managed in compliance of rules and procedures ensuring abidance by the regulations governing the relevant REM Policy Domain (company rules, contract
49、ual obligations, and/or domestic and international law s and regulations applicable) in order to provide, where applicable, legal validity of REM-Dispatches, REM-MD Messages and REM-MD Evidence. b) The REM-procedures shall be documented in compliance of rules and procedures ensuring abidance by the regulations governing the relevant REM Policy Domain (company rules, contractual obligations, and/or domestic and international law s and regulations applicable) in order to provide, where applicable, legal
