CEN/ISSS Task 2. e-Invoicing & e-Signatures


Transcript of CEN/ISSS Task 2. e-Invoicing & e-Signatures

Page 1: e-Invoicing & e-Signatures

Georg Lindsberger, CEN/ISSS EUROPEAN WORKSHOP

April 2006, Brussels

Page 2: Agenda

CEN/ISSS EUROPEAN WORKSHOP. April 2006, Brussels

Part 1: Issuing and receiving electronically signed invoices
Part 2: Advanced Electronic Signature used for electronic invoices
Part 3: Verification and documentation of the integrity and authenticity

Page 3: Basic Legal Requirements

Authenticity of the origin and integrity of the contents of electronic invoices have to be guaranteed.

Member States may however require the advanced electronic signature to be based on a qualified certificate and created by a secure signature creation device.

Storage: authenticity of the origin and integrity of the content of the invoices, as well as their readability, must be guaranteed throughout the storage period.

Service providers: the seller, the buyer or a third party (i.e. a service provider) may issue the electronic invoice.

Invoice formats: the formats of electronic invoices are not specified in the Directive, but in certain Member States there is a legal obligation that the electronic invoice be machine readable.

Page 4: Issuing e-Invoices

1. Generation of the electronic invoices;
2. Generation of the electronic signatures for the invoices;
3. Archiving the electronically signed invoices;
4. Transmitting the electronically signed invoices to the customers/suppliers

(Diagram: Service Provider / Requirements)

Page 5: Receiving e-Invoices

1. Signature verification
2. Documentation of the integrity and authenticity
3. Archiving the electronically signed invoices

Page 6: Pre-conditions

Signature generation: it must be possible to generate the signatures for electronic invoicing in a batch process.

Storage: additional information should be added to prove that the invoice was valid at issuance time (verification data).

Invoice formats: static, non-modifiable document formats are highly recommended; some applicable laws outright forbid the use of macros and hidden code.

Service provider: a third party is empowered to endorse the signature of such an invoice with its own certificate; service providers should be able to sign the invoices using their own signing key pair.

Page 7: Advanced Electronic Signature Used for Electronic Invoices

Page 8: AdES Bound to a Person

Using advanced electronic signatures within the meaning of Article 2 (2) of Directive [1] means that an electronic signature has to be bound to a person. The electronic signature for an electronic invoice can be the signature of a natural or legal person, according to applicable law.

If the electronic signature is that of a natural person, supplementary information should indicate that the natural person has acted on behalf of the company issuing the invoices; this should be specified in the certificate.

For example, the invoice-issuing company might be specified in the “organizationName”.

Page 9: Electronic Seals

Where qualified signatures are requested by national legislation, they cannot be given the meaning of commitment to the content of the electronic invoice.

Only the purpose of guaranteeing the invoices' authenticity and integrity can be assigned to qualified electronic signatures in the domain of e-invoicing.

For the purposes of Directive 2001/115/EC, the term “electronic signature” has the meaning of “electronic seal”.

Page 10: Batch e-Invoice Signing

Without the meaning of commitment to the content, it is easier to deal with batch e-invoice signing.

AdES do not strictly require private keys to be generated and kept in hardware devices, while QES provide this feature as a basic distinction.

Page 11: Certificate Extensions & Policies

Service providers should use the certificate extension EinvoicingServiceProvider.

Certificates used for electronic invoicing should make use of the certificate extension ElectronicInvoicing.

The proposed policy recommendations for electronic invoice certificates should be implemented.

Extended key usage: id-kp-eInvoicing. This extension SHOULD be non-critical.
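The certificate rules from this slide and from the organizationName point on page 8, as an added Go example that is not part of the deck or of any CEN deliverable: a check over a parsed X.509 certificate plus a constructed self-signed test certificate. The OID used for id-kp-eInvoicing is a placeholder (the deck gives no value) and the function names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var oidEInvoicing = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 99} // placeholder: the deck gives no value

// CheckInvoiceSignerCert applies the deck's two rules: the invoice-issuing company must be the subject
// organizationName, and the extended key usage must list id-kp-eInvoicing (Go exposes unknown EKU OIDs there).
func CheckInvoiceSignerCert(cert *x509.Certificate, issuingCompany string) error {
	if len(cert.Subject.Organization) == 0 || cert.Subject.Organization[0] != issuingCompany {
		return errors.New("organizationName does not name the invoice-issuing company")
	}
	for _, eku := range cert.UnknownExtKeyUsage {
		if eku.Equal(oidEInvoicing) {
			return nil
		}
	}
	return errors.New("certificate lacks the id-kp-eInvoicing extended key usage")
}

// NewSignerCert builds a self-signed test certificate (constructed for this example) with org
// as organizationName and the given EKU OIDs; Go writes extendedKeyUsage as non-critical.
func NewSignerCert(org string, ekus ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Invoice Signing Service", Organization: []string{org}},
		NotBefore:    time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		UnknownExtKeyUsage: ekus, // extension omitted entirely when no OID is passed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```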

Page 12: Verification and Documentation of the Integrity and Authenticity

Page 13: Verification

Authenticity and integrity have to be guaranteed over the whole storage period of invoices, which can be from 5 to 11 years.

Electronic invoice storage systems must ensure that the electronic signature stays verifiable over years.

Without the addition of relevant data, such as revocation information and information on when the signature itself was created, the electronic signature could not be verified in the future.

Page 14: Organisational Measures vs. Technical Measures

Page 15: Facts

Fetch and store the certificate path, suitable certificate revocation information for the entire certificate path (CRL/OCSP responses), the TST chain, the TST certificate path, and suitable TST certificate revocation information for the TST certificate path (CRL/OCSP responses).

Apply and store a TST on the ES; or countersign the invoice, apply a TST and store the whole of it; or implement equivalent measures.

Basic invoice signature storage.

(Diagram: Storage Requirements by trust level, TL-1, TL-2, TL-3)

Page 16: Facts

Ensuring that stored invoices remain valid in the long term depends on both organisational and technical measures. Depending on the trust level of the organisation, additional technical measures should be applied.

Page 17: Résumé

Requirements for e-signatures for e-invoices are clarified (incl. electronic seals)
Certificate extensions proposed to ease the processing of the signatures on e-invoices
Clarified verification process

Page 18: Q&A

Georg Lindsberger, CEN/ISSS EUROPEAN WORKSHOP

April 2006, Brussels