iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
SIST

SIST-TP CEN/TR 419010:2017

(Main)

Framework for standardization of signatures - Extended structure including electronic identification and authentication

Framework for standardization of signatures - Extended structure including electronic identification and authentication

The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the current Electronic Signature Directive from electronic signature towards electronic identification and electronic authentication. These two topics are closely linked to electronic signature and are considered in this context in this document. There are many documents, standards, industrial initiatives and European projects on identification and authentication, but the scope here is limited to electronic signature context, and wider to electronic transactions in the internal market.
The present Technical Report is twofold.
It firstly does a brief analysis of the implementing acts on electronic identities CIR 2015/1501 [29] and CIR 2015/1502 [30] and how this is addressed by the eID interoperability framework [31]. It secondly establishes what areas of existing standards are impacted by the eID framework and what further areas of standardization could assist nations in providing eID services.

Rahmen für die Normung von Signaturen - Erweiterte Struktur einschließlich elektronischer Identifizierung und Authentifizierung

Cadre pour la normalisation des signatures - Structure étendue incluant l'identification et l'authentification électronique

Krovna določila za standardizacijo podpisov - Razširjena struktura, vključno z elektronsko identifikacijo in avtentifikacijo

Uredba o elektronski identifikaciji in zaupanja vrednih elektronskih storitvah (uredba eIDAS) jasno razširja sedanjo direktivo o elektronskem podpisu iz elektronskega podpisa v elektronsko identifikacijo in avtentifikacijo. Ti dve temi sta tesno povezani z elektronskim podpisom in se v tem dokumentu upoštevata v tem kontekstu. Obstaja veliko dokumentov, standardov, industrijskih pobud in evropskih projektov na področju identifikacije in avtentifikacije, vendar je področje uporabe omejeno na kontekst elektronskega podpisa in širše na elektronske transakcije na notranjem trgu.
To tehnično poročilo je sestavljeno iz dveh delov.
Najprej na kratko analizira izvedbena akta o elektronskih identitetah CIR 2015/1501 [29] in CIR 2015/1502 [30] ter kako to tematiko obravnava okvir za interoperabilnost eID [31]. Nato ugotavlja, na katera področja obstoječih standardov vpliva okvir eID in katera nadaljnja področja standardizacije bi lahko državam pomagala pri zagotavljanju storitev eID.

General Information

Status
Published
Publication Date
06-Sep-2017
ICS
35.040.01 - Information coding in general
Technical Committee
ITC - Information technology
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
13-Jun-2017
Due Date
18-Aug-2017
Completion Date
07-Sep-2017
Directive
910/2014 - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing directive 1999/93/EC
Mandate
M/460 - Standardisation Mandate to the European Standardisation Organizations CEN, CENELEC and ETSI in the field of Information and Communication Technologies applied to Electronic Signatures
Ref Project
CEN/TR 419010:2017 - Framework for standardization of signatures - Extended structure including electronic identification and authentication

Buy Standard

TP CEN/TR 419010:2017TP CEN/TR 419010:2017
PreviousNext
Technical report
TP CEN/TR 419010:2017
English language
15 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST-TP CEN/TR 419010:2017
01-oktober-2017
.URYQDGRORþLOD]DVWDQGDUGL]DFLMRSRGSLVRY5D]ãLUMHQDVWUXNWXUDYNOMXþQR]
HOHNWURQVNRLGHQWLILNDFLMRLQDYWHQWLILNDFLMR
Framework for standardization of signatures - Extended structure including electronic
identification and authentication
Rahmen für die Normung von Signaturen - Erweiterte Struktur einschließlich
elektronischer Identifizierung und Authentifizierung
Cadre pour la normalisation des signatures - Structure étendue incluant l'identification et
l'authentification électronique
Ta slovenski standard je istoveten z: CEN/TR 419010:2017
ICS:
35.040.01 Kodiranje informacij na Information coding in general
splošno
SIST-TP CEN/TR 419010:2017 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TP CEN/TR 419010:2017

---------------------- Page: 2 ----------------------

SIST-TP CEN/TR 419010:2017


CEN/TR 419010
TECHNICAL REPORT

RAPPORT TECHNIQUE

May 2017
TECHNISCHER BERICHT
ICS 35.030; 35.240.30
English Version

Framework for standardization of signatures - Extended
structure including electronic identification and
authentication
Cadre pour la normalisation des signatures - Structure Rahmen für die Normung von Signaturen - Erweiterte
étendue incluant l'identification et l'authentification Struktur einschließlich elektronischer Identifizierung
électronique und Authentifizierung


This Technical Report was approved by CEN on 17 April 2017. It has been drawn up by the Technical Committee CEN/TC 224.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2017 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 419010:2017 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TP CEN/TR 419010:2017
CEN/TR 419010:2017 (E)
Contents Page
European foreword . 3
Introduction . 4
1 Scope . 5
2 Terms and definitions . 5
3 Symbols and abbreviations . 6
4 Overview of the eID landscape in official documents . 7
4.1 Overview of CIR 2015/1502 . 7
4.2 Overview of CIR 2015/1501 . 8
4.3 Overview of Interoperability Framework . 8
5 Impact on standards currently Identified in the ETSI/CEN framework for
standardization of signatures . 8
5.1 General . 8
5.2 Impact on standards in area 1 . 9
5.3 Impact on standards in area 2 . 9
5.4 Impact on standards in area 3 . 10
5.5 Impact on standards in area 4 . 11
5.6 Impact on standards in area 5 . 11
5.7 Impact on standards in area 6 . 11
6 Further standardization support for national eID . 11
6.1 General . 11
6.2 Policy Requirements for Identity Provider related services . 11
6.3 Devices . 12
Bibliography . 13

2

---------------------- Page: 4 ----------------------

SIST-TP CEN/TR 419010:2017
CEN/TR 419010:2017 (E)
European foreword
This document (CEN/TR 419010:2017) has been prepared by Technical Committee CEN/TC 224
“Personal identification and related personal devices with secure element, systems, operations and
privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association.
3

---------------------- Page: 5 ----------------------

SIST-TP CEN/TR 419010:2017
CEN/TR 419010:2017 (E)
Introduction
The Digital Agenda for Europe mentions in Pillar I (Digital Single Market) the Action 8 (Revision of the
eSignature Directive), and this includes mutual recognition of electronic identification.
The first phase of Standardization Mandate M/460 [27], issued by the Commission to CEN, CENELEC
and ETSI for updating the existing eSignature standardization deliverables, produced a rationalized
framework to be the entry point for electronic signature standardization and overcome the complexity
of standardization landscape within the context of the Signature Directive 1999/93/EC [26], taking into
account possible revisions to this Directive, and proposes a future work programme to address any
elements identified as missing in this rationalized framework.
To take into account the needs for electronic identification and authentication, identified as a gap from
the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 [23], it was decided to
study the standardization landscape around electronic identification and authentication as distinct from
electronic signatures, identifying gaps and needs for standardization.
The Commission adopted the Regulation (EU) 910/2014 [27] on electronic identification and trust
services for electronic transactions in the internal market on 23rd July 2014, to provide a legal
framework which includes consistent and coherent provisions on electronic identification and trust
services in order to overcome the deficiencies of the eSignatures Directive 1999/93/EC [26] and to
provide legal measures on cross-border mutual recognition and acceptance of national eIDs.
The Commission published CIR 2015/1502 [30] on assurance levels for electronic identification means
and CIR 2015/1501 [29] on interoperability framework to help the development of interoperable
identity schemes across MS.
The eIDAS Expert Group has published a set of technical specifications [31] for the eIDAS
interoperability framework, including a document of architecture and a document of cryptographic
requirements, to complement the CIR 2015/1501 [29]. This is considered to address the
interoperability requirements for use of eIDs across Europe.
This document analyses the impact of these two CIRs firstly on the already published standards
identified in the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 [23] and
secondly on potential requirements for further standards for harmonizing national approaches to
identification and authentication as a new area in the ETSI/CEN framework for standardization of
signatures ETSI/TR 119 000 [23].
4

---------------------- Page: 6 ----------------------

SIST-TP CEN/TR 419010:2017
CEN/TR 419010:2017 (E)
1 Scope
The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the
current Electronic Signature Directive from electronic signature towards electronic identification and
electronic authentication. These two topics are closely linked to electronic signature and are considered
in this context in this document. There are many documents, standards, industrial initiatives and
European projects on identification and authentication, but the scope here is limited to electronic
signature context, and wider to electronic transactions in the internal market.
The present Technical Report is twofold.
It firstly does a brief analysis of the implementing acts on electronic identities CIR 2015/1501 [29] and
CIR 2015/1502 [30] and how this is addressed by the eID interoperability framework [31]. It secondly
establishes what areas of existing standards are impacted by the eID framework and what further areas
of standardization could assist nations in providing eID services.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE Reg stands for the eIDAS Regulation [28], ISO for ISO/IEC 29115 [40] and CIR for CIR 2015/1501 [29]
or CIR 2015/1502 [30]). Refer also to ETSI/TR 119 001 [24].
2.1
Authentication (ISO)
verification that an entity is the claimed one
2.2
Authentication (Reg)
electronic process that enables the electronic identification of a natural or legal person, or the origin
and integrity of data in electronic form to be confirmed
2.3
Authentication factor (ISO)
piece of information and/or process used to authenticate or verify the identity of an entity
Note 1 to entry: Authentication factors are divided into four categories:
— something an entity has (e.g. device signature, passport, hardware device containing a credential, private
key);
— something an entity knows (e.g. password, PIN);
— something an entity is (e.g. biometric characteristic); or
— something an entity typically does (e.g. behaviour pattern).
2.4
Authentication factor (CIR)
factor confirmed as being bound to a person, which falls into any of the following categories:
— ‘possession-based authentication factor’ means an authentication factor where the subject is
required to demonstrate possession of it;
5

---------------------- Page: 7 ----------------------

SIST-TP CEN/TR 419010:2017
CEN/TR 419010:2017 (E)
— ‘knowledge-based authentication factor’ means an authentication factor where the subject is
required to demonstrate knowledge of it;
— ‘inherent authentication factor’ means an authentication factor that is based on a physical attribute
of a natural person, and of which the subject is required to demonstrate that they have that physical
attribute
2.5
Identity (ISO)
set of attributes related to an entity
Note 1 to entry: Within a particular context, an identity can have one or more identifiers to allow an entity to be
uniquely recognized within that context.
2.6
Electronic identification (Reg)
process of using person identification data in electronic form uniquely representing either a natural or
legal person, or a natural person representing a legal person
2.7
Node (CIR)
connection point which is part of the electronic identification interoperability architecture and is
involved in cross-border authentication of persons and which has the capability to recognize and
process or forward transmissions to other nodes by enabling the national electronic identification
infrastructure of one MS to interface with national electronic identification infrastructures of other MSs
2.8
Node Operator (CIR)
entity responsible for ensuring that the node performs correctly and reliably its functions as a
connection point
2.9
Level of eID assurance (Reg)
degree of confidence in electronic identification means in establishing the identity of a person, thus
providing assurance that the person claiming a particular identity is in fact the person to which that
identity was assigned
Note 1 to entry: The regulation defines three levels: low, substantial and high; these are detailed in
CIR 2015/1502 [30].
2.10
Signatory (Reg)
natural person who creates an electronic signature
3 Symbols and abbreviations
For the purpose of this document, the following abbreviations apply.
CC Common Criteria
CIR Commission Implementing Regulation
eSENS Electronic Simple European Networked Services
IAS Identification, Authentication, Signature
6

---------------------- Page: 8 ----------------------

SIST-TP CEN/TR 419010:2017
CEN/TR 419010:2017 (E)
ICC Integrated Circuit Card
IdP Identity Provider
MAC Message Authentication Code
MNO Mobile Network Operator
MRED Machine-Readable Electronic Documents
MS Member State
NIST National Institute of Standards and Technology
PIN Personal Identification Number
PP Protection Profile
QAA Quality of Authentication Assurance (STORK)
QSCD Qualified Signature/Seal Creation Device
RA Registration Authority
RF Rationalized Framework
RP Relying Party
SAD Signature Activation Data
SAML Security Assertion Markup Language
SAP Signature Activation Protocol
SCA Signature-Creation Application
SE Secure Element
SIM Subscriber Identity Module
SP Service Provider
SSCD Secure Signature Creation Device
STORK Secure identiTy acrOss boRders linKed
TLS Transport Layer Security
TR Technical Report
TS Technical Specification
TSP Trust Service Provider
TSCM Trustworthy Signature Creation Module
TTP Trusted Third Party
4 Overview of the eID landscape in official documents
4.1 Overview of CIR 2015/1502
CIR 2015/1502 [30] describes technical specifications and procedures for the three assurance levels of
the Regulation (low, substantial and high) for electronic identification means issued by a MS having
notified its electronic identification scheme.
The document details requirements for:
— enrolment (application, registration, identity proofing and verification),
7

---------------------- Page: 9 ----------------------

SIST-TP CEN/TR 419010:2017
CEN/TR 419010:2017 (E)
— electronic identification means management (characteristics, design, issuance, delivery, activation,
suspension, revocation, reactivation, renewal and replacement),
— authentication (using dynamic authentication at level substantial),
— and management and organization (including compliance and audit).
The international standard ISO/IEC 29115 [40] and the European project STORK (and its QAA levels)
have been taken into account. It is suggested to apply ISO/IEC 27000 [38] and ISO/IEC 20000 [37]
series’ principles and methodologies for information security and service.
4.2 Overview of CIR 2015/1501
CIR 2015/1501 [29] describes technical and operational requirements of the interoperability
framework to ensure interoperability of notified identification schemes within MS.
It introduces nodes (and nodes operators, see Clause 2 on definitions) as being central for the
interconnection of MS electronic identification schemes. It describes the minimum data set for
identifying a natural or legal person. It binds this with CIR 2015/1502 [30] and provides requirements
for data privacy (no personal data storage at nodes), confidentiality and integrity (of the data
exchanged between nodes). The document refers to ISO/IEC 27001 [39] for node operators of nodes
providing authentication.
4.3 Overview of Interoperability Framework
CIR 2015/1501 has been completed by a complete interoperability framework document (and a
reference implementation) established by the Commission in cooperation with MS. The interoperability
framework [31] includes:
a) An Interoperability Architecture [32] which specifies the components for interoperability between
national eID schemes under the eIDAS regulation. This i
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

SIST
SIST EN 419231:2019(Main)
Protection profile for trustworthy systems supporting time stamping
EN 419231:2019

This European Standard specifies a protection profile for trustworthy systems supporting time stamping.

  • Standard
    63 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/TS 419221-6:2019(Main)
Conditions for use of EN 419221-5 as a qualified electronic signature or seal creation device
CEN/TS 419221-6:2019

This document specifies conditions for use of an EN 419221-5 certified device in the case the signatory or seal creator has direct local control of the cryptographic module with the aim of being recognised as a qualified seal and/or signature creation device as defined in Regulation EU 910/2014 [1].
This document is aimed at use by entities other than trust service providers. Trust service providers can use EN 419221-5 directly without the need to take into account specific conditions as specified in the present document.

  • Technical specification
    9 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 419241-2:2019(Main)
Trustworthy Systems Supporting Server Signing - Part 2: Protection profile for QSCD for Server Signing
EN 419241-2:2019

The scope of proposed 419 241 part 2 (PP TSCM) covers security requirements to reach compliance with Annex II of Regulation No 910/2014 of the remote (qualified TSP operated) parts of the system, other than those relating to Signature Activation Data (SAD) management and the operation of the Signature Activation Protocol (SAP), assuming use of a cryptographic module conforming to EN 419 221-5. EN 419 241 part 2 will be balloted simultaneously with EN 419241 Part 3 Protection profile for Signature Activation Data management and Signature Activation Protocol(PP-SAD+SAP). These two new parts of EN 419 241, used in conjunction with the protection for PP for Cryptographic Module for Trust Services (EN 419 221-5), will contain security requirements for level 2 (sole control) as specified in TS 419 241 in a formal manner aligned with common criteria. These two new parts of EN 419 241, with EN 419 221-5, will support the certification of a system for remote qualified electronic signature or seal creation devices (remote QSCD) which meet the requirements of EU Regulation No 910/2014: The electronic signature creation data can be reliably protected by the legitimate signatory (sole control) against use by others, where the generation and management of the signature creation data is carried out by a qualified trust service provider on behalf of a signatory.

  • Standard
    75 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TP CEN/TR 419040:2018(Main)
Rationalized structure for electronic signature standardization - Guidelines for citizens
CEN/TR 419040:2018

This Technical Report aims to help citizens to understand the relevance of using electronic signature within their day-to-day lives. It explains the legal and the technical backgrounds of electronic signatures.
This document gives guidance on the use of electronic signatures and addresses typical practical questions the citizen may have on how to proceed to electronically sign, where to find the suitable applications and material.
NOTE   It is probably more valuable for citizens to understand the value of electronically signing or sealing than understanding the standardization landscape in background.

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TP CEN/TR 419030:2018(Main)
Rationalized structure for electronic signature standardization - Best practices for SMEs
CEN/TR 419030:2018

This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering to dematerialize paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate e-Signatures in this process. It is not intended to be a guide for SMEs active in the development of electronic signatures products and services - they should rather rely on the series EN 319 x00 for building their offer - but it is a guide for SMEs CONSUMING e-Signature products and services.
This document builds on FprCEN/TR 419040, "Guidelines for citizens", explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic Signatures which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before any making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).
Once the decision is taken to deploy e-Signatures in support of their business, SMEs will then typically collaborate with their chosen providers of e-Signature products or services, which can be done on the basis of ETSI 19 100, "Business driven process for implementing generation and validation of electronic signatures in electronic business", that helps enterprises fulfil their business requirements.  The present document presents the concept and use of the standards relevant for SMEs developed under the Rationalised Framework to SMEs.

  • Technical report
    30 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 419221-5:2018(Main)
Protection profiles for Trust Service Provider Cryptographic modules - Part 5: Cryptographic Module for Trust Services
EN 419221-5:2018

This new part of TS 419 221 (419221-5) specifies a protection profile for cryptographic modules used by trust service providers supporting electronic signing and sealing operations and authentication services.  This protection profile includes support for protected backup of keys.
This protection profile is aimed at supporting trust services providers as identified by proposed regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS).
Note: This regulation is proposed to replace Directive 1999/93.  Has been approved by trialogue between the Council, Commission and parliament, the Committee of Permanent [Council] Representatives (COREPER) and is due to be put forward to the European Parliament on 3rd April.
Trust service providers targeted include those at supporting time-stamping, electronic seals and electronic signatures.

  • Standard
    79 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TP CEN/TR 419200:2017(Main)
Guidance for signature creation and other related devices
CEN/TR 419200:2017

The present Technical Report provides guidance on the selection of standards and options for the signature/seal creation and other related devices (area 2) as identified in the framework for standardization of signatures: overview ETSI/TR 119 000 [16].
The present Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5) and how the relevant standards and options for this area can be identified given the Business Scoping Parameters (Clause 6).
The target audience of this document includes:
-   business managers who potentially require support from electronic signatures/seals in their business and will find here an explanation of how electronic signatures/seals standards can be used to meet their business needs;
-   application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures/seals, and will gain a better understanding on how to select the appropriate standards to be implemented and/or used;
-   developers of the systems who will find in this document an understanding of the reasons that lead the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for a proper development.

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/TS 419221-4:2017(Main)
Protection Profiles for TSP cryptographic modules - Part 4: Cryptographic module for CSP signing operations without backup
CEN/TS 419221-4:2016

This Technical Specification specifies a protection profile for cryptographic modules used by certification service providers (as specified in Directive 1999/93) for signing operations, without key backup. Target applications include root certification authorities (certification authorities which issue certificates to other CAs and is at the top of a CA hierarchy) and other certification service providers where there is a high risk of direct physical attacks against the module.

  • Technical specification
    47 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/TS 419221-3:2017(Main)
Protection Profiles for TSP Cryptographic modules - Part 3: Cryptographic module for CSP key generation services
CEN/TS 419221-3:2016

This Technical Standard specifies a protection profile for cryptographic module for CSP key generation services.

  • Technical specification
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/TS 419221-1:2017(Main)
Protection Profiles for TSP cryptographic modules - Part 1: Overview
CEN/TS 419221-1:2016

This Technical Specification provides an overview of the protection profiles specified in other parts of FprCEN/TS 419221.

  • Technical specification
    12 pages
    English language
    sale 10% off
    e-Library read for
    1 day