ETSI STF 305: Procedures for Handling Advanced Electronic Signatures on Digital Accounting
www.thalesgroup.com/esecurity
8 Nov 06 / CEN/ISSS
CEN/ISSS Workshop on Electronic Invoices
Nick Pope – Thales e-Security
STF 305 Team Leader
ETSI STF 305
Specialist Task Force - Terms of Reference
Propose drafts to ETSI Technical Committee on Electronic Signatures and Infrastructures for:
Technical Report on Best Practices for handling electronic signatures and signed data for digital accounting
Technical Specification on Policy requirements for trust service providers signing and/or storing data for digital accounting
Approach
Study into National Practices for Accounting & Digital Accounting
UK, France, Italy, Spain, Germany
Best Practices for Handling signed data for Digital Accounting
EU e-Invoicing Requirements
Policy Requirements for Trusted Service Providers Signing / Storing Data for Digital Accounting
Maximum & Minimum
Commonly Acceptable
Targeting Digital Accounting Through e-Invoicing
National accounting practices widely vary
Council Directive 2001/115/EC + CWA 15579 provide common requirement for signed VAT Invoices
Took e-Invoicing requirements as common basis for Digital Accounting
Basic Model
Trusted Service Provider Model
Use Scenarios
Main Target: Pan European Trade supported by two external TSPs
Other potential National Trade supported by TSP(s)
Large Company Internal Service
Advantages of applying Best Practice / Policy
Targeted Security controls
Ensure that documents are kept over necessary period
Ensure that signing keys are held & maintained securely
Reduce revocation management
Ensure that security of documents is properly maintained
Access security
Storage security
Signature validity
Draft Technical Report (TR)
Based on ISO/IEC 17799 + ISO/IEC 27001 Information Security Management System
Specific Controls & Objectives for:
Signature
Maintenance of Signature over storage period
Storage
Reporting to authorities
Scanning paper originals
+ ISO/IEC 17799 standard objectives
Draft TR - Signature
Maximum Identified Practices:
Advanced Electronic Signature
Qualified Certificate
Secure Signature Creation Device
Registration – ID documents & authorisation
Timely revocation
Minimum Identified Practices:
Advanced Electronic Signature
CA meets recognised policy requirements
Sole control requirement met
Nationally “Acceptable” registration
Nationally “Acceptable” revocation
Draft TR – Signature (continued)
Commonly Acceptable Practice for Trusted Service Provider (TSP) offering signing / storage services:
Advanced Electronic Signature
Qualified CA or CA meets recognised policy requirements
SSCD or Sole control requirement met
Registration – ID documents & authorisation
Timely revocation
Draft TR – Signature Maintenance
Maximum Identified practices:
Technical / organisational procedures to assure signature verifiable throughout storage period
Minimum identified practices:
Nationally acceptable practices
Commonly Acceptable for TSP:
Technical / organisational procedures to assure signature verifiable throughout storage period
Draft TR – Storage
Maximum Identified practices:
Authorised access via secure channel
Authentication, Integrity & optional content commitment (non-repudiation)
Assure viewer available through lifetime
Held on long term media / copied to assure no loss of data
Held in original format – no macros / hidden code
Confidentiality of company information by separation
Minimum identified practices:
No remote access required – local access as authorised
Authentication & integrity in line with national rules
No specific requirement regarding readability
Owner liable for any loss of data
No special requirement regarding format
Confidentiality maintained in storage
Draft TR – Storage
Commonly Acceptable Practices for TSPs:
Authorised access via secure channel
Authentication, Integrity & optional content commitment (non-repudiation)
Assure viewer available through lifetime
Held on long term media / copied to assure no loss of data
Held in original format – no macros / hidden code
Confidentiality by logical or physical separation
Draft TR – Reporting
Maximum Identified practices:
Signed & Use secure channels (e.g. SSL)
Minimum identified practices:
Use secure channels
Commonly Acceptable for TSP:
Signed & Use secure channels (e.g. SSL)
Draft TR – Scanned Document
Maximum Identified practices:
Assertion (e.g. signature) that true copy
Minimum identified practices:
Assured by good practice
Commonly Acceptable for TSP:
Good practice & assertion where required
Draft TR – ISO 17799 Objectives & Controls
Maximum Identified practices:
ISO 17799 compliance / national rules
+ Specific controls for trusted personnel & components
Minimum identified practices:
ISO 17799 desired
Commonly Acceptable for TSP:
ISO 17799 Conformance Recommended / national rules
+ Specific controls for trusted personnel & components
Draft Technical Specification
Targeted just at Trust Service Provider (TSP)
= Commonly acceptable practices from Technical Report worded in terms of specific requirements (shall)
Two levels recognised:
Normalised (Advanced Electronic Signature)
Extended (Qualified Electronic Signature)
Status
Drafts out for review and comment by 12-Jan-2007: http://portal.etsi.org/docbox/esi/Open/SODA/
Final ratification & publication end Q1 2007
Comments / Questions ?
ETSI STF 298 – Advanced Electronic Signature Profiles
ETSI Profiles for Advanced Electronic Signatures:
TS 102 734 – Profiles of CMS (RFC 3852) Advanced Electronic Signatures based on TS 101 733 (CAdES)
TS 102 904 – Profiles of XML Advanced Electronic Signatures based on TS 101 903 (XAdES)
Profiles for Government E-Invoicing Baseline for other applications
Short term & Long term