Specialist Task Force 524:
Standards for eIDAS trust services including electronic signatures – trust services for validation SA/ETSI/GROW/000/2015-09-split 1
Who we are:
What we do
The STF 524 is in charge of producing standards for TSPs providing AdES digital signature validation services. This is to support the requirements of advanced electronic seals and advanced electronic signatures as identified in the eIDAS Regulation (EU No. 910/2014) in a distributed and mobile environment.
These standards should align with the requirements of the eIDAS Regulation, supporting both advanced and qualified electronic signatures and seals through use of ETSI standards for AdES Digital Signatures (as specified in ETSI ENs 319 122, 319 132 and 319 142), whilst also meeting the requirements for the general commercial use of such services within a global context. It is outside the scope of this action as to what trust services supported by this work may be considered as a qualified trust service or not, but the aim is that it should not be precluded that such trust services may be qualified.
note: the term ades digital signature is used to refer to a digital signature conforming to one of the etsi standard formats called cades (etsi en 319 122), xades (etsi en 319 132) or pades (etsi en 319 142). these signature formats may be used to meet the requirements of advanced electronic signatures and advanced electronic seals as identified in the eidas regulation.
This work will encompass:
1. Security and policy requirements for the operation of trust service providers offering AdES digital signature validation services. This standard will specify policy and security requirements for signature validation service, building on the “general policy requirements” specified in EN 319 401 and “requirements for signature validation” specified in ETSI TS 119 101 as they relate to TSPs. This is aimed at services supporting the validation of digital signatures in accordance with EN 319 102-1 and the requirements of the eIDAS Regulation for validation of electronic signatures and seals (both advanced and qualified).
2. A standard for AdES digital signature validation report. This document will specify a XML format for reporting the validation of a CAdES, PAdES and XAdES digital signature. This specification will be aligned with the requirements specified in EN 319 102 part 1.
3. A standard for protocols for TSPs providing AdES digital signature validation services and related architecture for the distributed environment. The architecture will identify the basic elements of the distributed support by third parties (TSP or otherwise) for AdES digital signatures validation. The specification of standard protocols that support interactions between these elements will aim at maximising interoperability.
Why we do it
Regulation (EU) No 910/2014 has identified the building of trust in the online environment as being key to economic and social development. It introduces new types of trust services, among which signature validation services. Whilst the Regulation provides a common set of requirements it does not identify how these requirements may be met with existing technology. To support the implementation of the Regulation, which is highly technical, further standardisation work is needed in particular with regard to the planned secondary legislation which extensively refers to the availability of standards as possible means to meet the regulatory requirements.
A number of different specifications were produced covering different aspects of the provision of electronic signature validation services; policy and security requirements for application for signature validation, policy and security requirements for TSP, signature formats, procedures for validation, verification reports, etc. but nowadays there is a lack of a coherent set of standards that fully address all the provisioning of the service by a TSP, including not only transport protocols, formats of messages, but also a coherent and complete set of security and policy requirements for the provision of this kind of trust service within an architecture whose basic elements of the distributed support for AdES digital signatures validation are clearly identified, as well as the interaction between them.
In addition, most of them were originally produced before the publication of the Regulation (EU) No 910/2014. This essentially means that at present there is a lack of standards supporting all the relevant aspects for the provision of electronic signature validation services able to support the legal provisions laid down in the Regulation (EU) No 910/2014.
A consistent set of standards for the provision of signature validation as a service needs to be available to ensure solutions that are interoperable and provide consistent levels of trust. Without such standards the market will fragment.
How we do it
Coordination with various stakeholders will be necessary to achieve the best outcome of this work and the widest possible collection of views amongst all parties concerned. In particular, the STF will aim to continue liaison with obvious stakeholders including the Member State and EU commission representatives through the eIDAS (technical) experts group, eSENS, PEPPOL, SPOCS, FESA, STORK, IETF, OASIS, ISO, W3C, CAB Forum. The STF will report the milestones to the ETSI ESI Technical Committee (TC ESI), according to a planned agenda (see Time Plan below). The TC ESI will play an active role in steering and contributing to this work.
Stakeholders will be consulted at various points during the work. They will in particular be consulted when drafts of the deliverables are issued for public comments to get their comments and feedback (this may not apply to all deliverables). The drafts will therefore be made publicly available on the ETSI TC-ESI open server area at a number of stages throughout its development when agreed by TC-ESI. Electronic comments will be encouraged via the contact list. A register of comments received through this list will be maintained by the STF.
An open promotional workshop will be organised to which all stakeholders (e.g. Member State and EU commission representatives, Industry reference groups, market leaders, EU projects) will be invited. The approach to TSPs providing signature validation, from the protocol and security policy viewpoint will be presented at this workshop. Information collected at the workshop and from public review will be fed back into the deliverables. The workshop report and documentation will be distributed to ETSI TC-ESI members and will be made publicly available.
The E-SIGNATURES_NEWS mailing list that was set up during phase I of the execution of Mandate M/460 will continue to be used to keep stakeholders informed on the progress of the work.
Earlier standardisation work under Mandate M/460 will provide a background for all the above tasks. In addition, a study on the requirements of support of digital signatures in mobile environments was carried out (SR 019 020) to the objective of applying the trust services to the mobile environment. Also, in particular:
“Policy and security requirements for trust service providers providing AdES digital signature validation services”, will specify policy and security requirements building on the general policy requirements specified in EN 319 401 for signature validation service. This is aimed at services supporting the validation of digital signatures in accordance with EN 319 102-1 and this will take into account the relevant requirements for signature validation specified in ETSI TS 119 101 as they relate to TSPs.
The specific risks associated with validation services will be analysed and specific controls needed to address those risks will be identified.
“Procedures for creation and validation of AdES digital signatures; signature validation report validation report”, will specify a XML format for reporting the validation of a CAdES, PAdES and XAdES digital signature aligned with the requirements specified in EN 319 102 part 1. The validation report will include the signature status indication as defined in ETSI EN 319 102-1 (TOTAL PASSED, TOTAL FAILURE, INDETERMINATE). The STF will analyse the different signatures validation report both specified by other standardization organisations, and by stakeholders.
Special attention will be paid to the OASIS DSS-X “Profile for Comprehensive Multi-Signature Verification Reports Version 1.0” Committee Specification 01, which defines a XML format for reporting on the validation process carried out on several signatures applied to the same document. This format allows from the most basic reports to the most complex including almost any kind of processing detail. The STF will assess the features offered by this profile against the needs raised by the validation algorithm, result statuses, and result sub-indications specified within EN 319 102-1, for identifying missing features within the OASIS DSS-X profile and assess the worthiness of extending it or defining a profile.
The STF will assess other validation reports proposals as available and widespread. The validation report format selection will be based on the technical suitability for covering the needs imposed by the EN 319 102-1 and the degree of international acceptance by stakeholders.
This work will coordinate with any activity concerning Plugtests for signature validation.
The STF will ensure the consistency between the output of the work performed on “Protocol profiles for trust service providers providing AdES digital signature validation services”.
“Protocol profiles for trust service providers providing AdES digital signature validation services”, will specify protocols for accessing trust services providing signature validation services. The STF starting point will be:
• The OASIS DSS core and the OASIS DSS and OASIS DSS-X profiles, which are expected to be the primary source for the standardized protocol.
• W3C XML "Key Management Specification”, which allows only certificate validation. This could be sufficient for cases where the signatures themselves are processed on the device.
• IETF RFC 3029: “Data Validation and Certification Server protocols”.
• IETF RFC 5055: “Server-Based Certificate Validation Protocol”.
The STF will specify the requirements for the protocols/profiles to be defined, and will correlate them with the features provided by the different sources listed above.
The STF will then decide about the number of protocol/profiles and their specific features in the light of the technical suitability and the usage among stakeholders of the protocols on which they are based.
The protocols/profiles standardized could consist in referencing some protocols/profiles, building new profiles based on combinations of already existing protocols/profiles, or a combination of both.
Deliverables
Below follows the list of deliverables to be produced by the STF 524, as per its Terms of Reference:
| DTS/ESI-0019102-2 |
TS 119 102-2 |
Procedures for creation and validation of AdES Digital Signatures. Part 2 - Signature Validation Report |
| DTS/ESI-0019441 |
TS 119 441 |
Policy requirements for TSP providing signature validation services |
| DTS/ESI-0019442 |
TS 119 442 |
Protocol for TSPs providing signature validation services |
Time plan
Below follows the time plan for this STF:
28/02/2017: outline drafts.
30/11/2017: stable drafts for public review.
Between 31/08/2017 & 31/08/2018: workshop.
31/08/2018: publication.
For further details, or if you wish to be involved in the work of the STF, please contact the STF
Leader: Sylvie Lacroix at Sylvie.lacroix@sealed.be