STFbreadcrumb separatorSTFsbreadcrumb separatorSTF Homepagesbreadcrumb separatorSTF427

Specialist Task Force 427:
Quick fixes to electronic signatures standards

Who we are:

Team Leader: Nick Pope, Thales    (Overall & QF1)  nick.pope@thales-esecurity.com
Stefan Santesson, 3xA Security AB (QF2) stefan@aaa-sec.com
Peter Lipp, IAIK   (QF3) peter.lipp@iaik.tugraz.at
Ernst Giessmann, Deutsche Telekom AG (QF4) ErnstG.Giessmann@t-systems.com
Team Members: Juan Carlos Cruellas Ibarz, UPC   cruellas@ac.upc.edu
Olivier Delos, Sealed  olivier.delos@sealed.be
Sylvie Lacroix, Sealed  sylvie.lacroix@sealed.be
Arno Fiedler, Nimbus Technologieberatung  arno.fiedler@nimbus-berlin.com
Ernst Giessmann, Deutsche Telekom AG  ErnstG.Giessmann@t-systems.com
Peter Lipp, IAIK   peter.lipp@iaik.tugraz.at
Julien Stern, Cryptolog  julien.stern@cryptolog.com
Moez BenMBarka, Cryptolog  moez.benmbarka@cryptolog.com
Beatrice Peirani, Gemalto  Beatrice.PEIRANI@gemalto.com
Istvan Renyi, NMHH  renyi@nmhh.hu
Stefan Santesson, 3xA Security AB  stefan@aaa-sec.com

What we do:

This STF is to provide for “quick fixes” to ensure that the deficiencies identified in studies in on the standardisation aspects of e-signatures and Cross-Border Interoperability of eSignature (CROBIES) are addressed as soon as possible, in parallel with establishing a more long term Rationalised Framework for eSignature standardisation. This will ensure that known technical areas that are inhibiting cross-border interoperability are addressed before there is further divergence in implementations.   This STF is one of a set of STFs to establish the Rationalised Framework for eSignature standardisation (STF 425), define a common profile for advanced electronic signatures (STF 426), and address immediate requirements for interoperability testing (STF 428).

The following areas identified as requiring “quick fixes” are addressed by sub-groups within this STF:

QF1) General Guidance and Requirements on Certificate Service Provider (CSP) conformity  assessment

The objective of this quick fix is to produce an ETSI Technical Specification (ETSI TS) updating CWA 14172-2 and CWA 14172-8 to provide a common basis for guidance on conformance assessment, including requirements on auditors, for all forms CSPs including qualified, nonqualified, time-stamp, and validation authorities. This is required to provide a common framework for guidance on CSP Issuing Qualified Certificates (as identified in the deliverable of CROBIES WP1) which can also meet the urgent market need for guidance of conforming assessment of other forms of CSP (e.g. CSP issuing Extended Validation Certificates). This is expected to include the use of auditors' reports with a criteria conformance checklist.

QF2) Interoperable qualified certificate profile

The objective of this quick fix is to update the qualified certificate profile standards ETSI TS 101 862 and ETSI TS 102 280 to address concerns identified in the CROBIES report. This includes issues related to identification of legal and physical entities in relation to these standards as well as updated requirements on current standardized information, which identifies that a certificate is a qualified certificate and to link the certificate with use of a Secure Signature Creation Device (SSCD), which is needed to avoid uncertainty over the acceptability of the signature in relation to legal requirements.

QF3) Procedures for Signature Verification

The objective of this quick fix is to develop a technical specification specifying how to verify a digital signature within a given policy context. This is required because signature verification is depending on many different standards and other influencing factors and there is currently no common basis for verification. To verify an advanced electronic signature, knowledge of XAdES (XML Advanced Electronic Signature)/CAdES (CMS Advanced electronic signature) or PAdES (PDF Advanced electronic signature) together with standards on TSLs, signature policies or qualified certificates (in addition to basic standards like X.509, CMS or XML-Signature) can be necessary and there is no coherent description of how the different aspects are brought together to make a verification decision, particularly when verifying signature held over the medium to long term. This document will provide requirements for conducting advanced electronic signatures verification.

QF4) Signature algorithms maintenance

The objective of this quick fix is to maintain the guidance on signature algorithms given in ETSI TS 102 176-1. It is important that the maintenance of this guidance is continued due to the progress of cryptographic analysis and the discovery of weaknesses in signature algorithms meaning that use of an old version could lead to potential weaknesses in system depending on this specification.

For more details, see our STF 427 Terms of Reference

Why we do it:

The Directive 1999/93/EC on a Community framework for electronic signatures was adopted by the European Parliament and the Council in December 1999. The purpose of the Directive is to establish a legal framework for eSignature and for certification-services providers in the internal market. Several internal market instruments (e.g. Services Directive, Public Procurement, eInvoicing) rely in their functioning on the framework set by the Directive. Activities in CEN and ETSI, initiated under the European Electronic Signature Standardization Initiative (EESSI), produced a set of standards addressing the requirements for implementing the electronic signatures Directive. Following on from studies on the standardisation aspects of e-signatures and Cross-Border Interoperability of eSignature (CROBIES), and other EU activities applying electronic signatures, the need has been identified for a “Rationalised European eSignature Standardisation Framework” to be implemented in a 4 year programme. This framework is to ensure that all the necessary standards are provided in a clear, coherent and accessible framework to maximise the interoperability, including progression of existing specifications to European Norms and the provision of implementation guidelines.

As well as recognising the need for a rationalised framework, the need was identified that certain areas of standardisation relating to electronic signatures should be updated as soon as possible to ensure that deficiencies identified in the existing standards are addressed. For example, certain details of profiling Certificate standards require further clarification to achieve full interoperability, a basis for conformance assessment and testing has yet to be established for all areas of eSignature standardisation, and certain specifications that have lapsed because of lack of support, need to be brought up to date with current practice. Awaiting the development of the Rationalised Framework before addressing these deficiencies will inhibit the use of electronic signatures in a way that is interoperable across Europe and result in further divergence of implementations of the eSignatures Directive.

This STF is to establish “quick fixes” to ensure that the deficiencies identified in studies in on the standardisation aspects of e-signatures and Cross-Border Interoperability of eSignature (CROBIES) are addressed as soon as possible, in parallel with establishing a more long term Rationalised Framework for eSignature standardisation. This will ensure that known technical areas that are inhibiting cross-border interoperability are addressed before there is further divergence in implementations.

How we do it:

The STF is organised as four sub-groups each addressing one of the quick fixes (QF1 to QF4) identified above.  The STF will work in closely with its partner on the rationalised framework CEN and consult with major stakeholders such as Services Directive expert group, PEPPOL, SPOCS, FESA, STORK, IETF, OASIS, ISO, W3C, and CAB Forum.  The work of this STF will also disseminate through the open workshop organised through STF 425.

Deliverables:

The STF will produce the following deliverables:

D1 (QF1): ETSI TS on Conformity Assessment requirements and guidance

The first draft TS on Conformity Assessment (based on CWA 14172-2) is available to Stakeholders until 11th November, along with a request for public comment on CSP Assessment through CSP Supervisory Schemes, through the following link:

Draft TS Certification Service Provider Conformance Assessment: Part 1: General requirements and guidance for CSP Conformance Assessment

D2 (QF1): European Norm on Policy requirements for certification authorities issuing qualified certificates updating
TS 101 456 into EN (EN 301 456).

D3 (QF1): European Norm on Policy requirements for certification authorities issuing qualified certificates updating
TS 102 042 into EN (EN 302 042).

D4 (QF2): European Norm on Qualified Certificate profile updating TS 101 862 into EN 301 862.

D5 (QF2): Revised TS on Certificate Profile for Certificates Issued to Natural Persons updating TS 102 280

D6: (QF3): TS on Signature verification procedures and policies superseding CEN CWA 14171

D7: (QF4): Revised TS on Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms updating TS 102 176-1

Time plan:

The final text of the TS documents (D1, D5, D6 and D7) and the draft EN documents for formal EN processing (D2, D3, D4) are planned to be available end January 2012.

Final ENs (D2, D3, D4) are aimed to be ready for publication in February 2013.

How to contact us:

If you would like more information please contact the STF Leader:
    nick.pope@thales-esecurity.com

 

This information is based upon STF working assumptions.
The views expressed do not necessarily represent the position of ETSI in this context.

Last updated: 2012-05-11 16:41:46