e-signatures the real final 1008011 - eeurope
TRANSCRIPT
8/14/2019 E-Signatures the Real Final 1008011 - eEurope
Electronic Signatures

CEN/ISSS
Rue de Stassart 36, B-1050 Brussels, Belgium
Email: [email protected]
Tel +32 2 550 08 13
Fax +32 2 550 09 66
www.cenorm.be/isss
Chairman of CEN/ISSS Workshop E-SIGN: Riccardo Genghini, SNG

European Telecommunications Standards Institute
F-06921 Sophia Antipolis Cedex, France
Tel +33 4 92 94 42 00
Fax +33 4 92 94 43 33
www.etsi.org
Chairman of ETSI's ESI Working Group: György Endersz, Telia Research AB
CEN Workshop Agreements are available from the national standards
bodies in countries in the European Union, in the European Free Trade
Association and the Czech Republic. Those relevant to electronic
signatures will shortly be made available for downloading free of charge
from the CEN web site.
Individual ETSI deliverables are available free of charge from the Publications download area of the ETSI web site. A full set of ETSI deliverables is obtainable by subscription to the ETSI Documentation Service offered on the web site.
available for all
The eEurope initiative seeks to ensure that Europe reaps the benefits of the
Information Society in a cohesive and non-divisive way. It intends to
ensure equal access by Europe's citizens, to promote computer literacy
and, crucially, to create a partnership environment between the users and
providers of the systems based on trust and enterprise. Its ultimate
objective is to bring everyone in Europe - every citizen, every school,
every company - on-line as quickly as possible.
August 2001
EESSI: http://www.ict.etsi.org/eessi/EESSI-homepage.htm
Chairman of EESSI: Claude Boulle, Bull, [email protected]
EESSI Secretariat: Yves Chauvel, ETSI Secretariat, [email protected]; Cipressi, CEN/ISSS, [email protected]
E-Signatures Bro 10/8/01 11:44 am Page 1
The Internet has created a borderless space for information exchange, and the keyword for the deployment of Internet applications is trust. The EU Electronic Signature Directive has established the legal framework for the recognition of electronic signatures. Reliable electronic signatures are essential in the creation of open markets, enabling the development of cross-border trust services and increasing competitiveness, with consequent benefit to service providers, manufacturers and, ultimately, the whole user community.
The work of CEN/ISSS and ETSI in providing technical specifications and guidance material for their implementation is therefore crucial to the future of e-Commerce.
Why Electronic Signatures?
The modern world is in the middle of a communications revolution. The Internet is opening up a host of new possibilities, national and international barriers to trade are crumbling and electronic commerce is emerging as the future way of doing business. Trust is essential to the success and continued expansion of electronic commerce. What is needed is the electronic equivalent of a written signature to validate transactions. The way would then lie open to exploit the Internet for secure document exchange, for example, for purchase requisitions, contracts and invoice applications.
To date, the most common form of electronic signature is the digital signature, which is created and verified by means of cryptographic mathematics. Digital signatures use public key cryptography, which employs mathematical algorithms using two different but mathematically related keys: a private key for creating a digital signature and a public key to verify it.
Taking Action
Authentication systems do exist, but their development and use are still in the introductory stage; there is no complete set of agreed technical specifications governing their usage. This lack of industry standards to support the use of electronic signatures and public key certificates is one of the greatest impediments to electronic commerce.
Recognising that growth of the Internet and developments in e-Commerce offer an unrivalled opportunity for economic integration, the European Union has published the Electronic Signature Directive, aimed at providing a common framework for electronic signatures and an open environment and infrastructure for secure electronic transactions.
In response, industry and the European standardization bodies have come together under the auspices of the Information and Communication Technologies Standards Board (ICTSB) to examine Europe's future standardization needs in this area. Whilst some standardization projects were underway at national, regional and international levels, none met the need for a coherent set of specifications to help companies implement the Directive. In January 1999, therefore, a new initiative was launched: the European Electronic Signature Standardization Initiative (EESSI). Its task is to identify the standardization activities necessary to enable electronic signatures and to monitor the implementation of a work programme to meet this need.
The goal is to provide a set of standards and to harmonize specifications at the international level to maximize market take-up. EESSI has no desire to 're-invent the wheel' and, wherever possible, new standards are being built on existing specifications from the International Telecommunication Union (ITU), the International Organization for Standardization (ISO) and the Internet Engineering Task Force (IETF).
Involving all the Stakeholders
The standardization initiative addresses two major aspects of openness: one is to facilitate fast and easy establishment of trust between parties who want to do business on-line; the other is to provide for the technical compatibility of services and components. In such an environment, new business relationships can be easily established and the risk involved with investments by corporations as well as by private users is minimized. An open environment is favourable for public services to the citizen and for all kinds of business activity.
The alternative is an environment governed by proprietary solutions, creating a great many isolated islands, lack of flexibility and aggregated costs for users and service providers alike.
The EESSI work programme is being implemented under
the supervision of a Steering Committee which gathers
together representatives of the major market players
including industry, service providers, vendors, users and
consumers, national authorities and other interested
organizations. The necessary standards are being
developed within the Information Society Standardization
System of the European Committee for Standardization
(CEN/ISSS) and the European Telecommunications
Standards Institute (ETSI). These two bodies work in close
co-operation with each other and with other
standardization organizations around the world as
appropriate.
Electronic Signature work relevant to EESSI follows a
number of core principles, usual in CEN/ISSS and ETSI
Technical Bodies:
- Openness - all interested parties have been invited to participate in EESSI activities
- Transparency - Work Programmes are publicly available on both CEN's and ETSI's web sites and all EESSI drafts are submitted for public comment
- Consensus - all decisions under the Initiative are made by consensus
- Effectiveness and relevance - the scope and schedule of all deliverables under EESSI are defined in response to market needs and regulatory requirements
Market analysts agree that the two pioneer segments in
authentication services are large financial institutions and
government or public service organizations (including
local, regional and central governments and healthcare
and social services). The collaboration of all relevant
stakeholders is regarded as essential to the successful
standardization of electronic signatures. By involving all
interested parties, a common and harmonized framework
should be agreed and interoperability, at least within
Europe, ensured.
The Task
EESSI's first recommendations, made in July 1999, contained an overview of the requirements for standards related activities and drew up a detailed work programme to meet these needs. Three key areas were identified:
- Quality and functional standards for Certification Service Providers (CSPs)
- Quality and functional standards for Signature Creation and Verification Products
- Interoperable standardization requirements for Electronic Signatures.
EESSI's priorities are:
- Security requirements for signature products
- Certification/registration of conformance products and services for electronic signatures
- Security Management and Certificate Policy for CSPs issuing qualified certificates
- Signature creation and verification
- Electronic signature syntax and encoding formats and technical aspects of signature policies
- A standard for the use of X.509 public key certificates as qualified certificates
- Protocol to interoperate with a Time-stamping Authority.
The Standardization Organizations involved
CEN (Comité européen de normalisation) is one of the three recognized European standards bodies, and covers standardization in areas other than the electrotechnical and communications fields. In the fast-moving domain of information and communications technologies (ICT), CEN has created the Information Society Standardization System (CEN/ISSS). In addition to the traditional CEN Technical Committees, this makes use of open workshops which are created whenever there is an identified need and which are open to all interested parties. Their deliverables are published by CEN as CEN Workshop Agreements (CWAs).
CEN/ISSS Workshop E-SIGN is responsible for the part of the EESSI work programme dealing with quality and functional standards for signature creation and verification products, as well as quality and functional standards for CSPs. The Workshop's responsibilities under EESSI include:
- Security requirements for trustworthy systems and products
- Security requirements for secure signature creation devices
- Signature creation environment
- Signature verification process and environment
- Conformity assessment of products and services for electronic signatures.
Detailed information about the work of WS E-SIGN and
a registration form for participation are available at
http://www.cenorm.be/isss/Workshop/e-sign/Default.htm.
The European Telecommunications Standards Institute (ETSI) is a recognized European Standardization Body, and produces a wide range of standards and other technical documentation as Europe's contribution to world-wide standardization in telecommunications and the related fields of broadcasting and information technology. A non-profit making organization based in Sophia Antipolis, France, ETSI unites nearly 900 members from over 50 countries inside and outside Europe, and represents manufacturers, network operators, administrations, service providers, research bodies and users.
Within ETSI, the Electronic Signature Infrastructure (ESI) Working Group deals with activities related to the Electronic Signature. Its responsibilities under EESSI include:
- The use of X.509 public key certificates as qualified certificates
- Security Management and Certificate Policy for CSPs issuing qualified certificates
- Electronic signature syntax and encoding formats and technical aspects of signature policies
- Protocol to interoperate with a Time-stamping Authority
- Security Management and Certificate Policy for CSPs issuing other than qualified certificates
- Security management and policy requirements for CSPs issuing time stamps
- Electronic Signature syntax and encoding formats in XML
- Signature policies for extended business models
- Harmonized provision of CSP status information
Detailed information about ETSI's work on electronic signatures is publicly available on the ETSI web site (http://www.etsi.org/sec/el-sign.htm). In addition, there is an electronic 'open discussion area', providing public access to draft documents and background material, and supporting the exchange of ideas, comments and contributions.
Achievements
Phase 1
Phase 1 of the work, performed in the second half of
1999, was the identification of the EESSI standardization
requirements. At the same time, an ETSI Standard (ES 201
733) on Electronic Signature formats was also completed,
and published in May 2000, defining formats for various
forms of electronic signatures and an experimental format
for signature policies.
Phase 2
The second phase of the work covered activities
performed mainly in 2000 and provided the
specifications required in support of the implementation
of the Electronic Signature Directive, as well as some
supporting specifications. They included:
- Policy requirements and security management for certification authorities issuing qualified certificates. An ETSI Technical Specification (TS 101 456) was published in December 2000, providing a common policy baseline for CSPs, adherence to which guarantees users that an electronic signature meets the requirements of the EU Directive, providing an essential component for e-Commerce.
- Qualified Certificate Profiles. ETSI TS 101 862 was also published in December 2000, defining how the X.509 public key certificate format, which dominates the Public Key Infrastructure (PKI) market, may be used to meet the requirements of the EU Directive. Through the use of this document, parties relying on Qualified Certificates can verify signatures supported by Qualified Certificates issued by different CSPs, improving technical interoperability between CSPs and signature creation and verification applications.
- Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures. Work in this area will produce two related CWAs: the first, CWA 14167, was published in June 2001 and specifies overall security requirements on trustworthy system components which are used by CSPs to create Standard and Qualified Certificates; the second, to be completed by October 2001, defines specific requirements for the Certification Authority's cryptographic modules.
- Security Requirements for Secure Signature Creation Devices (SSCDs). Two related CWAs in this area (CWAs 14168 and 14169) define security requirements to ensure conformance with the EU Directive and mutual interoperability.
- Format and profile for Time-stamping. ETSI TS 101 861 was approved in November 2000 and publication awaits finalization of its 'mother' document, the IETF's time-stamping standard. The TS defines the Internet specification for time-stamping, which is already being adopted by the main suppliers, improving the interoperability between applications requiring long term validity of electronic signatures and CSPs providing time-stamping services.
- Electronic Signature Formats. An amended version of ETSI TS 101 733 was published in December 2000, defining a format for Advanced Electronic Signatures based on the existing standard format that dominates the e-mail and document security market (i.e. CMS - Internet specification RFC 2630). It also specifies how time-stamping or trusted archiving services may be used to ensure that the electronic signature remains valid for long periods so that it can be presented later as evidence in case of a dispute. ETSI TS 101 733 has been submitted to the IETF in two separate parts and approved as RFC 3126 and RFC 3125, respectively, further promoting the globalization of EESSI results.
- Signature Creation and Validation Process and Environment. Although not specifically required for compliance with the EU Directive, EESSI considered these issues important enough to create two additional CWAs specifying 'voluntary' security requirements for the signature creation applications (CWA 14170) and verification procedures (CWA 14171). These CWAs, finalized in May 2001, offer guidance to ensure that application and computer system environments are implemented to provide high quality functionality to minimize the chance of a dispute.
- Conformance Assessment Guidance. A specification comprising five CWAs is in the process of publication as CWA 14172 Parts 1-5, offering initial guidance on conformity assessment concerning Certification Authorities services and processes for PKI and Information Security Management, Signature Creation Systems, Signature Verification and Secure Signature Creation Devices. Discussions are underway concerning the enhancement of these specifications.
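An added example (not the brochure's, EESSI's, CEN's or ETSI's code) illustrating the private-key/public-key split described under "Why Electronic Signatures?" and the validation rule behind the long-term signature formats listed above: a signature is judged as of a trusted time-stamp's time, so expiry or revocation of the signing certificate after that time does not invalidate the evidence. Assumptions: Python standard library only, a Lamport one-time signature standing in for the RSA/X.509/CMS machinery the real formats use, and hypothetical Certificate and TimeStampToken classes standing in for an X.509 certificate and an RFC 3161 time-stamp token; all sample values are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass

HASH, BITS = hashlib.sha256, 256

def keygen():
    """Lamport one-time key pair: private = 256 random secret pairs, public = their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    return priv, [(HASH(a).digest(), HASH(b).digest()) for a, b in priv]

def sign(priv, message):
    d = int.from_bytes(HASH(message).digest(), "big")
    return [priv[i][(d >> (BITS - 1 - i)) & 1] for i in range(BITS)]  # reveal one secret per hash bit

def verify(pub, message, sig):
    d = int.from_bytes(HASH(message).digest(), "big")
    return len(sig) == BITS and all(
        HASH(sig[i]).digest() == pub[i][(d >> (BITS - 1 - i)) & 1] for i in range(BITS))

@dataclass
class Certificate:            # hypothetical stand-in for an X.509 qualified certificate
    pub: list
    not_before: int           # validity window, Unix time
    not_after: int
    revoked_at: "int | None" = None

@dataclass
class TimeStampToken:         # hypothetical stand-in for an RFC 3161 time-stamp token
    imprint: bytes            # hash of the signature value being time-stamped
    time: int                 # time asserted by the time-stamping authority (TSA)
    tsa_sig: list             # TSA signature over imprint || time

def tsa_issue(tsa_priv, sig, time):
    imprint = HASH(b"".join(sig)).digest()
    return TimeStampToken(imprint, time, sign(tsa_priv, imprint + time.to_bytes(8, "big")))

def validate_long_term(cert, tsa_pub, message, sig, token):
    """Accept only if the signature verifies and a genuine time-stamp over this exact signature
    places it inside the certificate's validity window and before any revocation; 'now' is never consulted."""
    if not verify(cert.pub, message, sig):
        return False                                    # document or signature altered
    if token.imprint != HASH(b"".join(sig)).digest():
        return False                                    # token covers a different signature
    if not verify(tsa_pub, token.imprint + token.time.to_bytes(8, "big"), token.tsa_sig):
        return False                                    # token forged or altered
    return cert.not_before <= token.time <= cert.not_after and (cert.revoked_at is None or token.time < cert.revoked_at)

def demo():
    """Constructed scenario: one signature time-stamped inside validity and again only after revocation."""
    signer_priv, signer_pub = keygen()
    cert = Certificate(signer_pub, not_before=1_000_000, not_after=2_000_000, revoked_at=1_800_000)
    contract = b"constructed sample: purchase requisition #42"
    sig = sign(signer_priv, contract)
    out = {}
    for label, when in (("in_window", 1_500_000), ("after_revocation", 1_900_000)):
        tsa_priv, tsa_pub = keygen()                    # one-time scheme: fresh TSA key per token
        token = tsa_issue(tsa_priv, sig, when)
        out[label] = validate_long_term(cert, tsa_pub, contract, sig, token)
    return out
```

demo() returns {'in_window': True, 'after_revocation': False}: the same key and signature pass or fail purely on where the trusted time-stamp places them relative to the certificate's lifetime.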
Current Activities
Phase 3 was initiated in 2001. The Work Plan includes a
number of new items, aimed at answering the market
requirements for different classes of Electronic Signature.
CEN/ISSS is preparing two major new proposals, covering
the extension of secure signature creation requirements
towards specific applications and environments,
including e-Commerce applications (Art 5.2 of the
Directive), and requirements for smart cards used as
secure signature creation devices. The former work is
expected to be completed early in 2002, the latter
around mid-2002. The CEN/ISSS Electronic Commerce
Workshop is working to provide guidance on electronic
signatures for business users, as a complementary
activity.
In ETSI, the ESI Working Group's standardization programme for 2001 includes five main tasks: security management and policy requirements for Certification Service Providers (CSPs) issuing time stamps; security management and certificate policy for CSPs issuing other than qualified certificates; Electronic Signature syntax and encoding formats in XML; technical aspects of signature policies; and the provision of harmonized CSP status information.
Electronic signatures offer the solution to a major obstacle to the 'e-society'. Until now, it has been very difficult to ensure that documents sent electronically actually have the same validity as hand-written, signed documents. Many countries have provided the legal framework for formal documents such as contracts to be signed electronically: now, for many purposes, the traditional validity of hand-signed paper documents applies to electronic signatures. This will help to ensure that business, citizens and Government can conduct transactions at Internet speeds rather than relying on ponderous paperwork.
In the context of this legislation in Europe, EESSI is
seeking to provide the necessary secure technical
framework to accompany it. Clearly, the future use of
electronic signatures will depend on the availability of
products and services meeting the specifications, but the
groundwork is being laid.
A Global Initiative
EESSI's activities have been well publicized outside
Europe, links have been established with fora and
consortia world-wide and representatives of international
organizations participate in EESSI's working groups.
Major input has been made and is continuing to be made
by EESSI participants to the IETF's activities in
authentication and electronic signatures and, wherever
possible, EESSI's deliverables have been based on
existing and widely accepted standards. The effect of
EESSI is not confined, therefore, to Europe; EESSI does
not work in isolation but is a major contributor to the
emergence of a global playing field for electronic
signatures, opening up world markets for electronic
commerce and helping to safeguard secure electronic
document exchange.