www.thalesgroup.com/esecurity

8 N

o b 0

6 / C

EN

/ISS

S

ETSI STF 305: Procedures for Handling Advanced Electronic Signatureson Digital Accounting

CEN/ISSS Workshop on Electronic Invoices

Nick Pope – Thales e-SecuritySTF 305 Team Leader

www.thalesgroup.com/esecurity2

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Specialist Task Force - Terms of Reference

Propose drafts to ETSI Technical Committee onElectronic Signatures and Infrastructures for:

Technical Report on Best Practices for handling electronic signatures and signed data for digital accounting

Technical Specification on Policy requirements for trust service providers signing and/or storing data for digital accounting

www.thalesgroup.com/esecurity3

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Approach

Study intoNational PracticesFor Accounting &Digital Accounting

UKFrance

Italy SpainGermany

Best Practices forHandling signed data for

Digital Accounting

Policy Requirements forTrusted Service Providers

Signing / Storing DataFor Digital Accounting

www.thalesgroup.com/esecurity4

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Approach

Study intoNational PracticesFor Accounting &Digital Accounting

UKFrance

Italy SpainGermany

Best Practices forHandling signed data for

Digital Accounting

EU e-InvoicingRequirements

Policy Requirements forTrusted Service Providers

Signing / Storing DataFor Digital Accounting

Maximum &Minimum

Commonly Acceptable

www.thalesgroup.com/esecurity5

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Targeting Digital Accounting Through e-Invoicing

National accounting practices widely vary Council Directive 2001/115/EC + CWA 15579

provide common requirement for signed VAT Invoices Took e-Invoicing requirements as common basis

for Digital Accounting

www.thalesgroup.com/esecurity6

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Basic Model

www.thalesgroup.com/esecurity7

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Trusted Service Provider Model

www.thalesgroup.com/esecurity8

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Use Scenarios

Main Target: Pan European Trade supported by two external

TSPs

Other potential National Trade supported by TSP(s)

Large Company Internal Service

www.thalesgroup.com/esecurity9

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Advantages of applying Best Practice / Policy

Targeted Security controls Ensure that documents are kept over

necessary period Ensure that singing keys are held

& ,maintained securely Reduce revocation management

Ensure that security of documents is properly maintained

Access security Storage security Signature validity

www.thalesgroup.com/esecurity10

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft Technical Report (TR)

Based on ISO/IEC 17799 + ISO/IEC 27001 Information Security Management System

Specific Controls & Objectives for:

Signature

Maintenance of Signature over storage period

Storage

Reporting to authorities

Scanning paper originals

+ ISO/IEC 17799 standard objectives

www.thalesgroup.com/esecurity11

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR - Signature

Maximum Identified Practices Advanced Electronic Signature Qualified Certificate Secure Signature Creation Device Registration – ID documents & authorisation Timely revocation

Minimum Identified Practices Advanced Electronic Signature CA meets recognised policy requirements Sole control requirement met Nationally “Acceptable” registration Nationally “Acceptable” revocation

www.thalesgroup.com/esecurity12

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR – Signature (continued)

Commonly Acceptable Practice for Trusted Service Provider (TSP) offering signing / storage services: Advanced Electronic Signature

Qualified CA or CA meets recognised policy requirements

SSCD or Sole control requirement met

Registration – ID documents & authorisation

Timely revocation

www.thalesgroup.com/esecurity13

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR – Signature Maintenance

Maximum Identified practices Technical / organisational procedures to assure signature

verifiable throughout storage period

Minimum identified practices Nationally acceptable practices

Commonly Acceptable for TSP Technical / organisational procedures to assure signature

verifiable throughout storage period

www.thalesgroup.com/esecurity14

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR – Storage

Maximum Identified practices Authorised access via secure channel Authentication, Integrity &

optional content commitment (non-repudiation) Assure viewer available through lifetime Held on long term media / copied to assure no loss of data Held in original format – no macros / hidden code Confidentiality of company information by separation

Minimum identified practices No remote access required – local access as authorised Authentication & integrity in line with national rules No specific requirement regarding readability Owner liable for any loss of data No special requirement regarding format Confidentiality maintained in storage

www.thalesgroup.com/esecurity15

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR – Storage

Commonly Acceptable Practices for TSPs Authorised access via secure channel

Authentication, Integrity & optional content commitment (non-repudiation)

Assure viewer available through lifetime

Held on long term media / copied to assure no loss of data

Held in original format – no macros / hidden code

Confidentiality by logical or physical separation

www.thalesgroup.com/esecurity16

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR – Reporting

Maximum Identified practices Signed & Use secure channels (e.g. SSL)

Minimum identified practices Use secure channels

Commonly Acceptable for TSP Signed & Use secure channels (e.g. SSL)

www.thalesgroup.com/esecurity17

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR – Scanned Document

Maximum Identified practices Assertion (e.g. signature) that true copy

Minimum identified practices Assured by good practice

Commonly Acceptable for TSP Good practice & assertion where required

www.thalesgroup.com/esecurity18

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft TR – ISO 17799 Objectives & Controls

Maximum Identified practices ISO 17799 compliance / national rules

+ Specific controls for trusted personnel & components

Minimum identified practices ISO 17799 desired

Commonly Acceptable for TSP ISO 17799 Conformance Recommended / national rules

+ Specific controls for trusted personnel & components

www.thalesgroup.com/esecurity19

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Draft Technical Specification

Targeted just at Trust Service Provider (TSP)

= Commonly acceptable practices from Technical Report worded in terms of specific requirements (shall)

Two levels recognised: Normalised (Advanced Electronic Signature) Extended (Qualified Electronic Signature)

www.thalesgroup.com/esecurity20

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

Status

Drafts out for review and comment by 12-Jan-2007: http://portal.etsi.org/docbox/esi/Open/SODA/

Final ratification & publication end Q1 2007

Comments / Questions ?

nick.pope@thales-esecurity.com

www.thalesgroup.com/esecurity21

8No b

06 /

CE

N/ IS

SS

ETSI STF 305

ETSI STF 298 – Advanced Electronic Signature Profiles

ETSI Profiles for Advanced Electronic Signatures TS 102 734 – Profiles of CMS (RFC 3852)

Advanced Electronic Signatures based on TS 101 733 (CAdES) TS 102 904 – Profiles of XML Advanced Electronic Signatures

based onTS 101 903 (XAdES)

Profiles for Government E-Invoicing Baseline for other applications

Short term & Long term