ETSI STF 305: Procedures for Handling Advanced Electronic Signatures on Digital Accounting. CEN/ISSS Workshop, 8 Nov 06 (www.thalesgroup.com/esecurity)

Presentation transcript:

Title slide: ETSI STF 305: Procedures for Handling Advanced Electronic Signatures on Digital Accounting
CEN/ISSS Workshop on Electronic Invoices, 8 Nov 06
Nick Pope – Thales e-Security, STF 305 Team Leader

Slide 1: Specialist Task Force - Terms of Reference
Propose drafts to ETSI Technical Committee on Electronic Signatures and Infrastructures for:
- Technical Report on Best Practices for handling electronic signatures and signed data for digital accounting
- Technical Specification on Policy requirements for trust service providers signing and/or storing data for digital accounting

Slide 2: Approach
Study into National Practices for Accounting & Digital Accounting (UK, France, Italy, Spain, Germany), leading to:
- Best Practices for Handling signed data for Digital Accounting
- Policy Requirements for Trusted Service Providers Signing / Storing Data for Digital Accounting

Slide 3: Approach (continued)
Study into National Practices (UK, France, Italy, Spain, Germany) + EU e-Invoicing Requirements, leading to:
- Best Practices for Handling signed data for Digital Accounting (Maximum & Minimum identified practices, Commonly Acceptable practices)
- Policy Requirements for Trusted Service Providers Signing / Storing Data for Digital Accounting

Slide 4: Targeting Digital Accounting Through e-Invoicing
- National accounting practices widely vary
- Council Directive 2001/115/EC + CWA provide common requirement for signed VAT Invoices
- Took e-Invoicing requirements as common basis for Digital Accounting

Slide 5: Basic Model (diagram)

Slide 6: Trusted Service Provider Model (diagram)

Slide 7: Use Scenarios
- Main Target: Pan-European Trade supported by two external TSPs
- Other potential: National Trade supported by TSP(s); Large Company Internal Service

Slide 8: Advantages of applying Best Practice / Policy
- Targeted security controls
- Ensure that documents are kept over necessary period
- Ensure that signing keys are held & maintained securely
- Reduce revocation management
- Ensure that security of documents is properly maintained: access security, storage security, signature validity

Slide 9: Draft Technical Report (TR)
- Based on ISO/IEC Information Security Management System
- Specific Controls & Objectives for: Signature; Maintenance of Signature over storage period; Storage; Reporting to authorities; Scanning paper originals
- + ISO/IEC standard objectives

Slide 10: Draft TR – Signature
Maximum Identified Practices:
- Advanced Electronic Signature
- Qualified Certificate
- Secure Signature Creation Device
- Registration – ID documents & authorisation
- Timely revocation
Minimum Identified Practices:
- Advanced Electronic Signature
- CA meets recognised policy requirements
- Sole control requirement met
- Nationally “Acceptable” registration
- Nationally “Acceptable” revocation

Slide 11: Draft TR – Signature (continued)
Commonly Acceptable Practice for Trusted Service Provider (TSP) offering signing / storage services:
- Advanced Electronic Signature
- Qualified CA or CA meets recognised policy requirements
- SSCD or Sole control requirement met
- Registration – ID documents & authorisation
- Timely revocation

Slide 12: Draft TR – Signature Maintenance
- Maximum Identified practices: Technical / organisational procedures to assure signature verifiable throughout storage period
- Minimum identified practices: Nationally acceptable practices
- Commonly Acceptable for TSP: Technical / organisational procedures to assure signature verifiable throughout storage period
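The "technical / organisational procedures to assure signature verifiable throughout storage period" requirement above, together with the storage integrity practices on the following slides, is the point where a concrete sketch helps. The Python below is an added example and is not part of the presentation or of any ETSI deliverable: it models a simplified archive record whose integrity is re-attested over time by a chain of hash renewals, each covering the original document, the original signature bytes and the previous renewal, with a rollover from SHA-256 to SHA-512 before the older algorithm is retired (loosely modelled on the archive time-stamp chaining of evidence records, RFC 4998). All names (ArchiveRecord, Renewal, renew, verify), the sample invoice text and the signature placeholder are constructed for the example. A real TSP would obtain each renewal as a time-stamp token from a time-stamping authority and would also validate the original signature against certificate and revocation data captured at signing time; neither is shown here.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List


@dataclass
class Renewal:
    """One re-attestation of the archived object (hypothetical simplified form).

    In a real archive this would be a time-stamp token from a TSA over the same
    digest; here it is only the digest plus a constructed time string."""
    algorithm: str   # hash algorithm used for this renewal (e.g. "sha256")
    covers: str      # hex digest over document, signature and previous renewal
    when: str        # constructed ISO-8601 time of the renewal


@dataclass
class ArchiveRecord:
    document: bytes           # the invoice exactly as archived (original format)
    signature: bytes          # opaque signature blob kept exactly as received
    renewals: List[Renewal] = field(default_factory=list)


def _digest(algorithm: str, *parts: bytes) -> str:
    """Length-prefixed hash of several byte strings, so field boundaries cannot
    be shifted between document and signature without changing the digest."""
    h = hashlib.new(algorithm)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def renew(record: ArchiveRecord, algorithm: str, when: str) -> Renewal:
    """Append a renewal covering the original bytes plus the previous renewal.

    Because each renewal chains to the previous one, the archive can move to a
    stronger hash while the older digest is still trustworthy."""
    previous = record.renewals[-1].covers.encode() if record.renewals else b""
    entry = Renewal(algorithm,
                    _digest(algorithm, record.document, record.signature, previous),
                    when)
    record.renewals.append(entry)
    return entry


def verify(record: ArchiveRecord) -> bool:
    """Walk the renewal chain from the oldest entry.

    Any change to the document, the signature blob or an earlier renewal makes a
    later digest fail, so integrity over the whole storage period is checkable."""
    if not record.renewals:
        return False            # an archived object with no attestation is unverified
    previous = b""
    for entry in record.renewals:
        if _digest(entry.algorithm, record.document, record.signature, previous) != entry.covers:
            return False
        previous = entry.covers.encode()
    return True


def build_demo_record() -> ArchiveRecord:
    # Constructed sample invoice and a constructed placeholder for its signature.
    invoice = b"Invoice 2006-0042; VAT ID EXAMPLE; total 1200.00 EUR"
    signature = b"<placeholder for AdES signature bytes>"
    record = ArchiveRecord(invoice, signature)
    renew(record, "sha256", "2006-11-08T10:00:00Z")
    renew(record, "sha512", "2012-01-01T00:00:00Z")   # algorithm rollover
    return record


def tampered_copy(record: ArchiveRecord) -> ArchiveRecord:
    # Same renewal chain, but one byte of the stored document altered after archiving.
    doc = bytearray(record.document)
    doc[-4] ^= 0x01
    return ArchiveRecord(bytes(doc), record.signature, list(record.renewals))


if __name__ == "__main__":
    rec = build_demo_record()
    print("intact record verifies:", verify(rec))            # True
    print("tampered record verifies:", verify(tampered_copy(rec)))  # False
```

Running the module shows the intact record passing and the tampered copy failing; the design point is that each renewal binds the original signature bytes as well as the document, so a later hash rollover protects the signature's own evidential value, not just the invoice content.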

Slide 13: Draft TR – Storage
Maximum Identified practices:
- Authorised access via secure channel
- Authentication, Integrity & optional content commitment (non-repudiation)
- Assure viewer available through lifetime
- Held on long term media / copied to assure no loss of data
- Held in original format – no macros / hidden code
- Confidentiality of company information by separation
Minimum identified practices:
- No remote access required – local access as authorised
- Authentication & integrity in line with national rules
- No specific requirement regarding readability
- Owner liable for any loss of data
- No special requirement regarding format
- Confidentiality maintained in storage

Slide 14: Draft TR – Storage (continued)
Commonly Acceptable Practices for TSPs:
- Authorised access via secure channel
- Authentication, Integrity & optional content commitment (non-repudiation)
- Assure viewer available through lifetime
- Held on long term media / copied to assure no loss of data
- Held in original format – no macros / hidden code
- Confidentiality by logical or physical separation

Slide 15: Draft TR – Reporting
- Maximum Identified practices: Signed & use secure channels (e.g. SSL)
- Minimum identified practices: Use secure channels
- Commonly Acceptable for TSP: Signed & use secure channels (e.g. SSL)

Slide 16: Draft TR – Scanned Document
- Maximum Identified practices: Assertion (e.g. signature) that it is a true copy
- Minimum identified practices: Assured by good practice
- Commonly Acceptable for TSP: Good practice & assertion where required

Slide 17: Draft TR – ISO Objectives & Controls
- Maximum Identified practices: ISO compliance / national rules + specific controls for trusted personnel & components
- Minimum identified practices: ISO desired
- Commonly Acceptable for TSP: ISO conformance recommended / national rules + specific controls for trusted personnel & components

Slide 18: Draft Technical Specification
- Targeted just at Trust Service Provider (TSP)
- = Commonly acceptable practices from the Technical Report, worded in terms of specific requirements (shall)
- Two levels recognised: Normalised (Advanced Electronic Signature); Extended (Qualified Electronic Signature)

Slide 19: Status
- Drafts out for review and comment by 12-Jan-2007
- Final ratification & publication end Q
- Comments / Questions?

Slide 20: ETSI STF 298 – Advanced Electronic Signature Profiles
ETSI Profiles for Advanced Electronic Signatures:
- TS – Profiles of CMS (RFC 3852) Advanced Electronic Signatures based on TS (CAdES)
- TS – Profiles of XML Advanced Electronic Signatures based on TS (XAdES)
- Profiles for Government e-Invoicing
- Baseline for other applications
- Short term & long term