1、 ETSI TS 119 612 V2.2.1 (2016-04) Electronic Signatures and Infrastructures (ESI); Trusted Lists floppy3TECHNICAL SPECIFICATION ETSI ETSI TS 119 612 V2.2.1 (2016-04)2 Reference RTS/ESI-0019612v221 Keywords e-commerce, electronic signature, security, trust services ETSI 650 Route des Lucioles F-06921
2、 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search T
3、he present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between suc
4、h versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on
5、 the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notificat
6、ion No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and
7、the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered
8、for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 119 612 V2.2.1 (2016-04)3 Contents Intellectual Property Rights 6g3Foreword . 6g3Modal verbs terminology 6g3Introduction 6g31 Scope 8
9、g32 References 8g32.1 Normative references . 8g32.2 Informative references 9g33 Definitions and abbreviations . 10g33.1 Definitions 10g33.2 Abbreviations . 11g34 Overall structure of trusted lists . 12g35 Trusted list format and content . 16g35.1 General principles for trusted lists 16g35.1.1 Truste
10、d List Format 16g35.1.2 Use of Uniform Resource Identifiers 16g35.1.3 Date-time indication . 16g35.1.4 Language support 16g35.1.5 Value of Country Code fields . 17g35.2 Trusted List tag . 17g35.2.1 TSL Tag 17g35.3 Scheme information . 17g35.3.1 TSL version identifier . 17g35.3.2 TSL sequence number
11、18g35.3.3 TSL type . 18g35.3.4 Scheme operator name 19g35.3.5 Scheme operator address 19g35.3.5.0 General 19g35.3.5.1 Scheme operator postal address 19g35.3.5.2 Scheme operator electronic address 19g35.3.6 Scheme name 20g35.3.7 Scheme information URI 20g35.3.8 Status determination approach 21g35.3.9
12、 Scheme type/community/rules 21g35.3.10 Scheme territory 22g35.3.11 TSL policy/legal notice . 22g35.3.12 Historical information period 22g35.3.13 Pointers to other TSLs 22g35.3.14 List issue date and time . 23g35.3.15 Next update . 23g35.3.16 Distribution points 24g35.3.17 Scheme extensions 24g35.3.
13、18 Trust Service Provider List . 24g35.4 TSP information . 25g35.4.1 TSP name 25g35.4.2 TSP trade name . 25g35.4.3 TSP address 26g35.4.3.0 General 26g35.4.3.1 TSP postal address 26g35.4.3.2 TSP electronic address 26g35.4.4 TSP information URI 27g35.4.5 TSP information extensions 27g35.4.6 TSP Servic
14、es (list of services) 27g35.5 Service information 28g3ETSI ETSI TS 119 612 V2.2.1 (2016-04)4 5.5.1 Service type identifier . 28g35.5.2 Service name . 33g35.5.3 Service digital identity 34g35.5.4 Service current status 36g35.5.5 Current status starting date and time . 37g35.5.6 Scheme service definit
15、ion URI . 37g35.5.7 Service supply points 37g35.5.8 TSP service definition URI . 38g35.5.9 Service information extensions . 38g35.5.9.0 General 38g35.5.9.1 expiredCertsRevocationInfo Extension . 39g35.5.9.2 Qualifications Extension . 39g35.5.9.2.0 General 39g35.5.9.2.1 QualificationElement . 40g35.5
16、.9.2.2 CriteriaList . 40g35.5.9.2.3 Qualifier. 41g35.5.9.3 TakenOverBy Extension . 43g35.5.9.4 additionalServiceInformation Extension . 43g35.5.10 Service history 44g35.6 Service history instance 44g35.6.1 Service type identifier . 44g35.6.2 Service name . 45g35.6.3 Service digital identity 45g35.6.
17、4 Service previous status 45g35.6.5 Previous status starting date and time . 45g35.6.6 Service information extensions . 45g35.7 Digital signature . 45g35.7.1 Digitally signed Trusted List 45g35.7.2 Digital signature algorithm identifier 46g35.7.3 Digital signature value 46g36 Operations 46g36.1 TL p
18、ublication 46g36.2 Transport Protocols 47g36.2.1 HTTP-Transport . 47g36.2.1.1 HTTP-Media Type 47g36.2.2 MIME registrations . 47g36.3 TL Distribution Points in trust service tokens 47g36.4 TL availability 48g36.5 TLSO practices . 48g3Annex A (informative): Authenticating and trusting trusted lists .
19、49g3A.1 Authenticating and trusting a TL 49g3A.2 Ensuring continuity in TL authentication . 50g3Annex B (normative): Implementation in XML . 52g3B.0 General requirements . 52g3B.1 The Signature element . 52g3B.1.0 General . 52g3B.1.1 The scheme operator identifier in XAdES signatures 53g3B.1.2 Algor
20、ithm and parameters 53g3Annex C (normative): XML schema 54g3C.1 Electronic attachment . 54g3C.2 XML schemas 54g3Annex D (normative): Registered Uniform Resource Identifiers 55g3D.0 General . 55g3ETSI ETSI TS 119 612 V2.2.1 (2016-04)5 D.1 URIs registered within the present document 55g3D.2 ETSI Commo
21、n Domain URIs 56g3D.3 Scheme registered URIs . 56g3D.4 Common trusted lists URIs 56g3D.5 EU specific trusted lists URIs 57g3D.5.1 TSL Type 57g3D.5.2 Status determination approach . 57g3D.5.3 Scheme type/community/rules . 57g3D.5.4 Service information extensions/Qualifications Extension/Qualifiers .
22、58g3D.5.5 Service information extensions/additionalServiceInformation Extension 60g3D.5.6 Service current and previous statuses . 61g3D.6 Non-EU specific trusted lists URIs 63g3Annex E (normative): Implementation requirements for multilingual support 64g3E.1 General rules 64g3E.2 Multilingual charac
23、ter string 65g3E.3 Multilingual pointer 65g3E.4 Overall requirements 66g3Annex F (informative): TL manual/auto field usage 67g3Annex G (normative): Management and policy considerations . 68g3G.0 General . 68g3G.1 Change of scheme administrative information . 68g3G.2 Trust-service identification . 68
24、g3G.3 Change of trust service status . 68g3G.4 Change in trust service digital identity . 68g3G.5 Amendment response times 69g3G.6 On-going verification of authenticity . 69g3G.7 User reference to TL. 69g3G.8 TL size 69g3Annex H (informative): Locating a TL . 70g3H.1 Introduction 70g3H.2 Locating a
25、TL . 70g3Annex I (informative): Usage of trusted lists 71g3I.1 Introduction 71g3I.2 Example of model for the usage of trusted lists in the context of signature validation 71g3I.3 Policy elements for trust anchor management 72g3Annex J (normative): Migration of EU MS trusted lists in the context of R
26、egulation (EU) No 910/2014 73g3History 76g3ETSI ETSI TS 119 612 V2.2.1 (2016-04)6 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI me
27、mbers and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.et
28、si.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to t
29、he present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ an
30、d “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction The purpose of the present document is to establish a c
31、ommon template and a harmonized way for a Trusted List Scheme Operator (TLSO) to provide information about the status and status history of the trust services from Trust Service Providers (TSPs) regarding compliance with the relevant provisions of the applicable legislation on digital signatures and
32、 trust services for electronic transactions. The present document is aiming to meet the general requirements of the international community to allow production of trusted list including information on qualified and non-qualified trust service providers and the qualified and non-qualified trust servi
33、ces they provide, including, amongst others, applicable requirements from Regulation (EU) No 910/2014 i.10. NOTE 1: EU Member States trusted lists were established in EU by Commission Decision 2009/767/EC i.2 and aimed primarily at supporting the validation of advanced electronic signatures supporte
34、d by a qualified certificate and advanced electronic signature supported by both a qualified certificate and by a secure signature creation device, in the meaning of Directive 1999/93/EC i.3, as far as they included as a minimum trust service providers supervised/accredited for issuing qualified cer
35、tificates. TLSOs could however include in their trusted lists also other types of approved trust service providers. Hence, the cross-border use of electronic services based on advanced electronic signatures is also facilitated, where the supporting trust services (e.g. issuing of non-qualified certi
36、ficates) are part of the listed supervised/accredited services. Regulation (EU) No 910/2014 i.10 extends the scope of qualified trust services and trust service providers to a wider but definite list of harmonised trust services. The Regulation is applicable as of 1 July 2016, until when the Commiss
37、ion Decision 2009/767/EC i.2, as amended, remains applicable. For trust services not covered by the Regulation, Member States remain free to define other types of trust services, for national purposes where these can be considered as qualified trust services (without effect in other Member States).
38、ETSI ETSI TS 119 612 V2.2.1 (2016-04)7 Trusted lists, as specified by the present document, enable in practice any interested party to determine whether a trust service is or was operating in compliance with relevant requirements, currently or at a given time in the past (e.g. at the time the servic
39、e was provided, or at the time at which a transaction reliant on that service took place). In order to fulfil this requirement, trusted lists need to contain information from which it can be established whether the TSPs service is, or was, known by the Trusted List Scheme Operator (TLSO) and if so t
40、he status of the service at a given time. Trusted lists therefore contain not only the services current status, but also the history of its statuses. The present document provides specifications for trusted lists in two contexts, namely the European Union legislative context as set by Regulation (EU
41、) No 910/2014 i.10 and the context of countries outside the European Union and the EEA countries, or of international organizations willing to issue trusted lists in accordance with the present document. The benefits from the adoption of the present document by non-EU countries or international orga
42、nizations are twofold: This can be used to enable in practice any interested party to determine whether a trust service from a non-EU country or an international organization is or was operating under an approval scheme at either the time the service was provided, or the time at which a transaction
43、reliant on that service took place. This can facilitate the declaration of mutual recognition between trust services and their outputs (e.g. between EU and other nations/organizations outside the EU, within or between groups of nations/organizations outside the EU). NOTE 2: Hereafter the terms “non-
44、EU countries“ will be used to refer to countries outside the European Union and the EEA countries. NOTE 3: In order to validate that a trust service is a qualified one under Regulation (EU) No 910/2014 i.10, a relying party would need to check the qualified status of the given trust service and that
45、 it is provided by a qualified trust service provider. Provided a trust service is included in the trusted list, it provides the relying party with the necessary information about the given trust service, its status and status history and potentially additional relevant information helping the relyi
46、ng party to validate the trust service or its outputs (e.g. certificate, signature or seal, time-stamp). In order to allow access to the trusted lists of all Member States in an easy manner, the European Commission publishes a central list with links to the locations where the national trusted lists
47、 are published as notified by Member States. This central list, called the List Of Trusted Lists (LOTL), is available in both a human readable format and in a format suitable for automated (machine) processing XML. LOTL also plays an important role in authenticating EU MS trusted lists. Each nationa
48、l trusted list is electronically signed/or sealed by its MS scheme operator and the certificate to be used to verify such a signature/seal is included in the LOTL after notification to the European Commission. The authenticity and integrity of the machine processable version of the LOTL is ensured t
49、hrough a qualified electronic signature or seal supported by a qualified certificate which can be authenticated and directly trusted through one of the digests published in the Official Journal of the European Union. Trusted lists have four major components, in a structured relationship. These components: provide information on the issuing scheme, i.e. the relevant scheme underlying the issuance and maintenance of the TL; identify the TSPs recognized by the scheme; indicate the service(s) provided by these TSPs, their type and the current status of t
