e-signatures the real final 1008011 - eeurope

Upload: trustenabler

Post on 30-May-2018

TRANSCRIPT

  • 8/14/2019 E-Signatures the Real Final 1008011 - eEurope

    Electronic Signatures

    CEN/ISSS

    Rue de Stassart 36B-1050 Brussels

    Belgium

    Email: [email protected]

    Tel +32 2 550 08 13

    Fax +32 2 550 09 66

    www.cenorm.be/isss

    Chairman of CEN/ISSS Workshop E-SIGN

    Riccardo Genghini

    SNG

    [email protected]

    European Telecommunications Standards Institute

    F-06921 Sophia Antipolis Cedex, France

    Tel +33 4 92 94 42 00

    Fax +33 4 92 94 43 33

    [email protected]

    www.etsi.org

    Chairman of ETSI's ESI Working Group

    György Endersz

    Telia Research AB

    [email protected]

    CEN Workshop Agreements are available from the national standards

    bodies in countries in the European Union, in the European Free Trade

    Association and the Czech Republic. Those relevant to electronic

    signatures will shortly be made available for downloading free of charge

    from the CEN web site.

    Individual ETSI deliverables are available free of charge from the Publications download area of the ETSI web site. A full set of ETSI

    deliverables is obtainable by subscription to the ETSI Documentation

    Service offered on the web site.

    available for all

    The eEurope initiative seeks to ensure that Europe reaps the benefits of the

    Information Society in a cohesive and non-divisive way. It intends to

    ensure equal access by Europe's citizens, to promote computer literacy

    and, crucially, to create a partnership environment between the users and

    providers of the systems based on trust and enterprise. Its ultimate

    objective is to bring everyone in Europe - every citizen, every school,

    every company - on-line as quickly as possible.

    August 2001

    EESSI http://www.ict.etsi.org/eessi/EESSI-homepage.htm

    Chairman of EESSI: Claude Boulle, Bull [email protected]

    EESSI Secretariat: Yves Chauvel, ETSI Secretariat [email protected] Cipressi, CEN/ISSS [email protected]

    E-Signatures Bro 10/8/01 11:44 am Page 1

    The Internet has created a borderless space for information exchange, and the keyword for the

    deployment of Internet applications is trust. The EU Electronic Signature Directive has established the legal framework for the recognition of electronic signatures.

    Reliable electronic signatures are essential in the creation of open markets, enabling the development of cross-border trust services and increasing

    competitiveness, with consequent benefit to service providers, manufacturers and, ultimately, the whole user

    community.

    The work of CEN/ISSS and ETSI in providing technical

    specifications and guidance material for their implementation is therefore crucial to the future of e-Commerce.

    Why Electronic Signatures?

    The modern world is in the middle of a communications revolution. The

    Internet is opening up a host of

    new possibilities, national and

    international barriers to trade

    are crumbling and electronic

    commerce is emerging as the

    future way of doing business.

    Trust is essential to the success

    and continued expansion of

    electronic commerce. What is

    needed is the electronic equivalent of a

    written signature to validate transactions. The

    way would then lie open to exploit the Internet for secure document exchange, for example, for purchase

    requisitions, contracts and invoice applications.

    To date, the most common form of electronic signature is

    the digital signature, which is created and verified by

    means of cryptographic mathematics. Digital signatures

    use public key cryptography, which employs

    mathematical algorithms using two different but

    mathematically related keys: a private key for creating a

    digital signature and a public key to verify it.

    Taking Action

    Authentication systems do exist, but their development

    and use are still in the introductory stage; there is no

    complete set of agreed technical specifications governing

    their usage. This lack of industry standards to support the

    use of electronic signatures and public key certificates is one of the greatest impediments to electronic commerce.

    Recognising that growth of the Internet and

    developments in e-Commerce offer an unrivalled

    opportunity for economic integration, the European

    Union has published the Electronic Signature Directive,

    aimed at providing a common framework for electronic

    signatures and an open environment and infrastructure

    for secure electronic transactions.

    In response, industry and the European standardization

    bodies have come together under the auspices of the

    Information and Communication Technologies Standards Board (ICTSB) to examine Europe's future standardization

    needs in this area. Whilst some standardization projects

    were underway at national, regional and international

    levels, none met the need for a coherent set of

    specifications to help companies implement the

    Directive. In January 1999, therefore, a new initiative

    was launched: the European Electronic Signature

    Standardization Initiative (EESSI). Its task is to identify the

    standardization activities necessary to enable electronic

    signatures and to monitor the implementation of a work

    programme to meet this need.

    The goal is to provide a set of standards

    and to harmonize specifications at the international level to maximize

    market take-up. EESSI has no

    desire to 're-invent the wheel'

    and, wherever possible, new

    standards are being built on

    existing specifications from the

    International Telecommunication

    Union (ITU), the International

    Organization for Standardization

    (ISO) and the Internet Engineering Task

    Force (IETF).

    Involving all the Stakeholders

    The standardization initiative

    addresses two major aspects of

    openness: one is to facilitate fast and

    easy establishment of trust between

    parties who want to do business on-

    line; the other is to provide for the

    technical compatibility of services and

    components. In such an environment, new

    business relationships can be easily established

    and the risk involved with investments by corporations as

    well as by private users is minimized. An open

    environment is favourable for public services to the

    citizen and for all kinds of business activity.

    The alternative is an environment governed by

    proprietary solutions, creating a great many isolated

    islands, lack of flexibility and aggregated costs for users

    and service providers alike.

    The EESSI work programme is being implemented under

    the supervision of a Steering Committee which gathers

    together representatives of the major market players

    including industry, service providers, vendors, users and

    consumers, national authorities and other interested

    organizations. The necessary standards are being

    developed within the Information Society Standardization

    System of the European Committee for Standardization

    (CEN/ISSS) and the European Telecommunications

    Standards Institute (ETSI). These two bodies work in close

    co-operation with each other and with other

    standardization organizations around the world as

    appropriate.

    Electronic Signature work relevant to EESSI follows a

    number of core principles, usual in CEN/ISSS and ETSI

    Technical Bodies:

    Openness - all interested parties have been invited to participate in EESSI activities

    Transparency - Work Programmes are publicly

    available on both CEN's and ETSI's web sites and

    all EESSI drafts are submitted for public comment

    Consensus - all decisions under the Initiative are made by consensus

    Effectiveness and relevance - the scope and schedule of all deliverables under EESSI are defined in response

    to market needs and regulatory requirements

    Market analysts agree that the two pioneer segments in

    authentication services are large financial institutions and

    government or public service organizations (including

    local, regional and central governments and healthcare

    and social services). The collaboration of all relevant

    stakeholders is regarded as essential to the successful

    standardization of electronic signatures. By involving all

    interested parties, a common and harmonized framework

    should be agreed and interoperability, at least within

    Europe, ensured.

    The Task

    EESSI's first recommendations, made in July 1999,

    contained an overview of the requirements for standards

    related activities and drew up a detailed work programme to meet these needs. Three key areas were

    identified:

    Quality and functional standards for Certification

    Service Providers (CSPs)

    Quality and functional standards for Signature

    Creation and Verification Products

    Interoperable standardization requirements for

    Electronic Signatures.

    EESSI's priorities are:

    Security requirements for signature products

    Certification/registration of conformance products and

    services for electronic signatures

    Security Management and Certificate Policy for

    CSPs issuing qualified certificates

    Signature creation and verification

    Electronic signature syntax and

    encoding formats and technical

    aspects of signature policies

    A standard for the use of X.509

    public key certificates as

    qualified certificates

    Protocol to interoperate with a

    Time-stamping Authority.

    The Standardization Organizations involved

    CEN (Comité européen de normalisation) is one of the three recognized European

    standards bodies,

    and covers standardization in

    areas other than the

    electrotechnical and

    communications fields.

    In the fast-moving

    domain of information

    and communications

    technologies (ICT), CEN

    has created the

    Information Society

    Standardization System

    (CEN/ISSS). In addition to the traditional CEN Technical

    Committees, this makes use of open

    workshops which are created whenever there is an

    identified need and which are open to all interested

    parties. Their deliverables are published by CEN as CEN

    Workshop Agreements (CWAs).

    CEN/ISSS Workshop E-SIGN is responsible for the part of

    the EESSI work programme dealing with quality and

    functional standards for signature creation and

    verification products, as well as quality and functional

    standards for CSPs. The Workshop's responsibilities

    under EESSI include:

    Security requirements for trustworthy systems and products

    Security requirements for secure signature creation

    devices

    Signature creation environment

    Signature verification process and environment

    Conformity assessment of products and services for

    electronic signatures.

    Detailed information about the work of WS E-SIGN and

    a registration form for participation are available at

    http://www.cenorm.be/isss/Workshop/e-sign/Default.htm.

    The European Telecommunications Standards Institute (ETSI) is a

    recognized European Standardization

    Body, and produces a wide range of standards and other

    technical documentation as Europe's contribution to

    world-wide standardization in telecommunications and

    the related fields of broadcasting and information

    technology. A non-profit making organization based in

    Sophia Antipolis, France, ETSI unites nearly 900

    members from over 50 countries inside and outside

    Europe, and represents manufacturers, network operators,

    administrations, service providers, research bodies and

    users.

    Within ETSI, the Electronic Signature Infrastructure (ESI)

    Working Group deals with activities related to the

    Electronic Signature. Its responsibilities under EESSI

    include:

    The use of X.509 public key certificates as qualified certificates

    Security Management and Certificate Policy for CSPs

    issuing qualified certificates

    Electronic signature syntax and encoding formats and

    technical aspects of signature policies

    Protocol to interoperate with a Time-stamping

    Authority.

    Security Management and Certificate Policy for CSPs

    issuing other than qualified certificates

    Security management and policy requirements for

    CSPs issuing time stamps

    Electronic Signature syntax and encoding formats in

    XML

    Signature policies for extended business models

    Harmonized provision of CSP status information

    Detailed information about ETSI's work on

    electronic signatures is publicly

    available on the ETSI web site

    (http://www.etsi.org/sec/el-sign.htm).

    In addition, there is an electronic

    'open discussion area', providing

    public access to draft documents

    and background material, and

    supporting the exchange of ideas,

    comments and contributions.

    Achievements

    Phase 1

    Phase 1 of the work, performed in the second half of

    1999, was the identification of the EESSI standardization

    requirements. At the same time, an ETSI Standard (ES 201

    733) on Electronic Signature formats was also completed,

    and published in May 2000, defining formats for various

    forms of electronic signatures and an experimental format

    for signature policies.

    Phase 2

    The second phase of the work covered activities

    performed mainly in 2000 and provided the

    specifications required in support of the implementation

    of the Electronic Signature Directive, as well as some

    supporting specifications. They included:

    Policy requirements and security management for

    certification authorities issuing qualified certificates.

    An ETSI Technical Specification (TS 101 456) was published in December 2000, providing a common

    policy baseline for CSPs, adherence to which

    guarantees users that an electronic signature meets the

    requirements of the EU Directive, providing an

    essential component for e-Commerce.

    Qualified Certificate Profiles. ETSI TS 101 862 was

    also published in December 2000, defining how the

    X.509 public key certificate format, which dominates

    the Public Key Infrastructure (PKI) market, may be

    used to meet the requirements of the EU Directive.

    Through the use of this document, parties relying on

    Qualified Certificates can verify signatures supported

    by Qualified Certificates issued by different CSPs,

    improving technical interoperability between CSPs

    and signature creation and verification applications.

    Security Requirements for Trustworthy Systems

    Managing Certificates for Electronic Signatures. Work

    in this area will produce two related CWAs: the first,

    CWA 14167, was published in June 2001 and

    specifies overall security requirements on trustworthy

    system components which are used by CSPs to create

    Standard and Qualified Certificates; the second, to be

    completed by October 2001, defines specific

    requirements for the Certification Authority's

    cryptographic modules.

    Security Requirements for Secure Signature Creation Devices (SSCDs). Two related CWAs in this area (CWAs 14168 and 14169) define security requirements to ensure conformance with the EU Directive and mutual interoperability.

    Format and profile for Time-stamping. ETSI TS 101 861 was approved in November 2000 and publication awaits finalization of its 'mother' document, the IETF's time-stamping standard. The TS defines the Internet specification for time-stamping, which is already being adopted by the main suppliers, improving the interoperability between applications requiring long term validity of electronic signatures and CSPs providing time-stamping services.

    Electronic Signature Formats. An amended version of ETSI TS 101 733 was published in December 2000, defining a format for Advanced Electronic Signatures based on the existing standard format that dominates the e-mail and document security market (ie CMS - Internet

    specification RFC 2630). It also specifies how time-stamping or trusted archiving services may be used to ensure that the electronic signature remains valid for long periods so that it can be presented later as evidence in case of a dispute. ETSI TS 101 733 has been submitted to the IETF in two separate parts and approved as RFC 3126 and RFC 3125, respectively, further promoting the globalization of EESSI results.

    Signature Creation and Validation Process and Environment. Although not specifically required for compliance with the EU Directive, EESSI considered these issues important enough to create two additional CWAs specifying 'voluntary' security requirements for the signature creation applications (CWA 14170) and

    verification procedures (CWA 14171). These CWAs, finalized in May 2001, offer guidance to ensure that application and computer system environments are implemented to provide high quality functionality to minimize the chance of a dispute.

    Conformance Assessment Guidance. A specification comprising five CWAs is in the process of publication as CWA 14172 Parts 1-5, offering initial guidance on conformity assessment concerning Certification Authorities services and processes for PKI and Information Security Management, Signature Creation Systems, Signature Verification and Secure Signature Creation Devices. Discussions are underway concerning the enhancement of these specifications.

    Current Activities

    Phase 3 was initiated in 2001. The Work Plan includes a

    number of new items, aimed at answering the market

    requirements for different classes of Electronic Signature.

    CEN/ISSS is preparing two major new proposals, covering

    the extension of secure signature creation requirements

    towards specific applications and environments,

    including e-Commerce applications (Art 5.2 of the

    Directive), and requirements for smart cards used as

    secure signature creation devices. The former work is

    expected to be completed early in 2002, the latter

    around mid-2002. The CEN/ISSS Electronic Commerce

    Workshop is working to provide guidance on electronic

    signatures for business users, as a complementary

    activity.

    In ETSI, the ESI Working Group's standardization

    programme for 2001 includes five main tasks: security management and policy requirements for Certification

    Service Providers (CSPs) issuing time stamps; security

    management and certificate policy for CSPs issuing other

    than qualified certificates; Electronic Signature syntax

    and encoding formats in XML; technical aspects of

    signature policies; and the

    provision of

    harmonized

    CSP status

    information.

    Electronic signatures offer

    the solution to a major

    obstacle to the

    'e-society'. Until

    now, it has been

    very difficult to

    ensure that

    documents sent

    electronically actually

    have the same validity

    as hand-written, signed

    documents. Many

    countries have provided the

    legal framework for formal documents such as contracts

    to be signed electronically: now, for many purposes, the

    traditional validity of hand-signed paper documents

    applies to electronic signatures. This will help to ensure

    that business, citizens and Government can conduct

    transactions at Internet speeds rather than relying on ponderous paperwork.

    In the context of this legislation in Europe, EESSI is

    seeking to provide the necessary secure technical

    framework to accompany it. Clearly, the future use of

    electronic signatures will depend on the availability of

    products and services meeting the specifications, but the

    groundwork is being laid.

    A Global Initiative

    EESSI's activities have been well publicized outside

    Europe, links have been established with fora and

    consortia world-wide and representatives of international

    organizations participate in EESSI's working groups.

    Major input has been made and is continuing to be made

    by EESSI participants to the IETF's activities in

    authentication and electronic signatures and, wherever

    possible, EESSI's deliverables have been based on

    existing and widely accepted standards. The effect of

    EESSI is not confined, therefore, to Europe; EESSI does

    not work in isolation but is a major contributor to the

    emergence of a global playing field for electronic

    signatures, opening up world markets for electronic

    commerce and helping to safeguard secure electronic

    document exchange.
