iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
CEN

CEN/TR 419040:2018

(Main)

Rationalized structure for electronic signature standardization - Guidelines for citizens

Rationalized structure for electronic signature standardization - Guidelines for citizens

This Technical Report aims to help citizens to understand the relevance of using electronic signature within their day-to-day lives. It also explains the legal and the technical backgrounds of electronic signatures.
This document gives guidance on the use of electronic signatures and addresses typical practical questions the citizen may have on how to proceed to electronically sign, where to find the suitable applications and material.

Cadre pour la normalisation de la signature électronique - Lignes directrices pour les citoyens

Racionalizirana struktura za standardiziran elektronski podpis - Smernice za državljane

Cilj tega tehničnega poročila je pomoč državljanom pri razumevanju pomembnosti uporabe elektronskega podpisa v njihovem vsakdanjem življenju. Pojasnjuje pravno in tehnično ozadje elektronskih podpisov.
Ta dokument podaja smernice za uporabo elektronskih podpisov ter obravnava pogosta vprašanja državljanov glede začetkov uporabe elektronskega podpisovanja in iskanja ustreznih programov in gradiva.
OPOMBA: Razumevanje vrednosti elektronskega podpisovanja oziroma pečatenja je za državljane verjetno bolj pomembno kot razumevanje standardizacije v ozadju.

General Information

Status
Published
Publication Date
15-May-2018
ICS
35.030 - IT Security
Technical Committee
CEN/TC 224 - Machine-readable cards, related device interfaces and operations
Drafting Committee
CEN/TC 224 - Machine-readable cards, related device interfaces and operations
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
16-May-2018
Due Date
16-Jan-2018
Completion Date
16-May-2018
Directive
910/2014 - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing directive 1999/93/EC
Mandate
M/460 - Standardisation Mandate to the European Standardisation Organizations CEN, CENELEC and ETSI in the field of Information and Communication Technologies applied to Electronic Signatures
Ref Project
SIST-TP CEN/TR 419040:2018 - Rationalized structure for electronic signature standardization - Guidelines for citizens

Buy Standard

TP CEN/TR 419040:2018 - BARVETP CEN/TR 419040:2018 - BARVE
PreviousNext
Technical report
TP CEN/TR 419040:2018 - BARVE
English language
33 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-september-2018
Racionalizirana struktura za standardiziran elektronski podpis - Smernice za
državljane
Rationalized structure for electronic signature standardization - Guidelines for citizens
Cadre pour la normalisation de la signature électronique - Lignes directrices pour les
citoyens
Ta slovenski standard je istoveten z: CEN/TR 419040:2018
ICS:
35.040.01 Kodiranje informacij na Information coding in general
splošno
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

CEN/TR 419040
TECHNICAL REPORT
RAPPORT TECHNIQUE
May 2018
TECHNISCHER BERICHT
ICS 35.030
English Version
Rationalized structure for electronic signature
standardization - Guidelines for citizens
Cadre pour la normalisation de la signature
électronique - Lignes directrices pour les citoyens

This Technical Report was approved by CEN on 9 March 2018. It has been drawn up by the Technical Committee CEN/TC 224.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 419040:2018 E
worldwide for CEN national Members.

Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Abbreviations . 8
5 What are (legally valid) electronic signatures? . 9
5.1 Electronic signatures defined by the EU Regulation N° 910/2014 . 9
5.2 The underlying technology – Public key cryptography and digital signatures . 10
5.2.1 Introduction . 10
5.2.2 How it works . 10
5.2.3 Ensuring trust . 12
5.2.4 Functionalities offered by PKI based technologies: data integrity and authentication
of origin . 13
5.3 Where technical tools meet legal requirements . 13
5.3.1 Introduction . 13
5.3.2 Mapping the legal and the technical concepts . 14
5.3.3 How digital signatures cover the legal requirements for AdESig . 16
5.3.4 How digital signatures cover the legal requirements for QES . 18
5.4 Other use-cases for digital signatures . 19
6 Digital signatures– how does it work in real life applications? . 19
6.1 The signature process . 19
6.2 Creation . 19
6.3 Validation . 21
6.4 Augmentation . 23
7 Digital signatures ancillary services and tools for use in practice . 23
7.1 Introduction . 23
7.2 Identifying the required level of signature . 24
7.2.1 General . 24
7.2.2 Use-cases for QES. 24
7.2.3 Use-cases for non QES . 24
7.3 Identifying required tools and services . 25
7.3.1 Creation . 25
7.3.2 Augmentation – when the signature needs to be preserved . 26
7.3.3 Validation . 26
7.3.4 Preservation. 26
8 In case of dispute: evidence and proofs . 27
8.1 General . 27
8.2 Evidence present in the signed data . 27
8.3 Evidence generally present in the certificate . 28
8.4 Evidence present in the CA’s documentation . 29
8.5 Evidence regarding Certificate Status . 29
8.6 Evidence present in the Signature Policy . 29
8.7 Evidence at the Registration Authority . 30
8.8 Evidence not available through the signed message . 31
9 What about the (international) recognition of electronic signatures? . 31
9.1 Within Europe . 31
9.2 Outside Europe . 31
Bibliography . 33
European foreword
This document (CEN/TR 419040:2018) has been prepared by Technical Committee CEN/TC 224
“Personal identification and related personal devices with secure element, systems, operations and
privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Introduction
Today, it is possible to electronically sign data to achieve the same effects as when using a hand-written
signature. Such electronic signatures benefit from full legal recognition due to the EU Regulation
N° 910/2014 of the European Parliament and of the Council on electronic identification and trust services
for electronic transactions in the internal market [1] (hereafter referred to as EU Regulation N°
910/2014) which addresses various services that can be used to support different types of electronic
transactions and electronic signature in particular.
The use of secure electronic signatures should help the development of online businesses and services in
Europe. The European Commission standards initiative aims at answering immediate market needs by:
— securing online transactions and services in Europe in many sectors: e-business, e-administration, e-
banking, online games, e-services, online contract, etc.;
— contributing to a single digital market;
— creating the conditions for achieving the interoperability of e-signatures at a European level.
Besides the legal framework, the technical framework at the present time is very mature. Citizens
routinely sign data electronically by using cryptographic mechanisms such as, e.g. when they use a credit
card or debit card to make a payment. Electronic signatures implemented by such cryptographic
mechanisms are called “digital signatures”. Appropriate technical methods for digital signature creation,
validation and preservation, as well as ancillary tools and services provided by trust service providers
(TSPs), are specified in a series of documents developed along with the present document.
The present document is part of a rationalized framework of standards (see ETSI TR 119 000 [6])
realized under the Standardization Mandate 460 issued by the European Commission to CEN, CENELEC
and ETSI for updating the existing standardization deliverables.
In this framework, CEN is in charge of issuing Guidelines for electronic signatures implementation. These
guidelines are provided through two documents:
— CEN/TR 419030, “Rationalized structure for electronic signature standardization - Best practices for
SMEs”, aligned with standards developed under the Rationalised Framework as described by
ETSI SR 001 604, and
— CEN/TR 419040, “Rationalized structure for electronic signature standardization - Guidelines for
citizens”, explaining the concept and use of electronic signatures.
These two documents differ slightly from the other documents in the Technical Framework since they go
beyond the technical concept of “digital signature” and deal also with the legal concepts of electronic
signatures and electronic seals. The concept of electronic seal specified in the Regulation, which is
technically close to the electronic signature, is developed in CEN/TR 419030 and not in the present
document as it relates to legal person and not to natural persons as are the citizens The present document
concerning the citizens is focusing on electronic signature that are created by natural persons.
1 Scope
This Technical Report aims to help citizens to understand the relevance of using electronic signature
within their day-to-day lives. It also explains the legal and the technical backgrounds of electronic
signatures.
This document gives guidance on the use of electronic signatures and addresses typical practical
questions the citizen may have on how to proceed to electronically sign, where to find the suitable
applications and material.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
advanced electronic signature
electronic signature which meets the requirements set out in Article 26 of Regulation (EU)
N° 910/2014 [1]
Note 1 to entry: Article 26: An advanced electronic signature shall meet the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use
under his/her sole control; and
(d) it is linked to the data signed ther
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
CEN/TR 17982:2023(Main)
European Digital Identity Wallets standards Gap Analysis
SIST-TP CEN/TR 17982:2024

This document identifies relevant existing standards and standards work in progress around European Digital Identity Wallets. It also identifies missing work items and overlaps in standards and is supposed to work as a roadmap for future standardization projects in the area.

  • Technical report
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 419231:2019(Main)
Protection profile for trustworthy systems supporting time stamping
SIST EN 419231:2019

This document specifies a protection profile for trustworthy systems supporting time stamping.

  • Standard
    63 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419210:2019(Main)
Applicability of CEN Standards to Qualified Electronic Seal Creation Device under the EU Regulation N°910/2014 (eIDAS)
SIST-TP CEN/TR 419210:2019

This document considers requirements of the eIDAS regulation and use cases for qualified electronic seal creation devices and how these requirements may be met by standards.
These use cases will take into account differences in articles 26 and 36 of eIDAS on (sole) control of the signatory and seal creator on its signature / seal creation data, whilst also recognizing the commonalities.
This may possibly lead to identifying requirements for updates to existing standards.
The proposed table of content is the following:
1 Scope
2 References
3 Terms and definitions
3.1 Terminology
3.2 Abbreviations
4 A Consideration of Relevant Regulatory Requirements
5 Use cases
6 Analysis of features of Standard and Use cases
6.1 EN 419 211-x
6.1.1 Main Features relating to use cases
6.1.2 Applicability to use cases
6.2 EN 419 221-5
6.2.1 Main Features relating to use cases
6.2.2 Applicability to use cases
6.3 EN 419 241-1 / -2
6.3.1 Main Features relating to use cases
7 Summary of Conclusions

  • Technical report
    22 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 419241-2:2019(Main)
Trustworthy Systems Supporting Server Signing - Part 2: Protection profile for QSCD for Server Signing
SIST EN 419241-2:2019

The scope of proposed 419 241 part 2 (PP TSCM) covers security requirements to reach compliance with Annex II of Regulation No 910/2014 of the remote (qualified TSP operated) parts of the system, other than those relating to Signature Activation Data (SAD) management and the operation of the Signature Activation Protocol (SAP), assuming use of a cryptographic module conforming to EN 419 221-5. EN 419 241 part 2 will be balloted simultaneously with EN 419241 Part 3 Protection profile for Signature Activation Data management and Signature Activation Protocol(PP-SAD+SAP). These two new parts of EN 419 241, used in conjunction with the protection for PP for Cryptographic Module for Trust Services (EN 419 221-5), will contain security requirements for level 2 (sole control) as specified in TS 419 241 in a formal manner aligned with common criteria. These two new parts of EN 419 241, with EN 419 221-5, will support the certification of a system for remote qualified electronic signature or seal creation devices (remote QSCD) which meet the requirements of EU Regulation No 910/2014: The electronic signature creation data can be reliably protected by the legitimate signatory (sole control) against use by others, where the generation and management of the signature creation data is carried out by a qualified trust service provider on behalf of a signatory.
The scope of proposed 419 241 part 3 (PP-SAD+SAP) covers security requirements to reach compliance with Annex II of Regulation No 910/2014 on the management of the SAD and the operation of the SAP used to provide sole control of the signatory or seal creator for the remote QSCD signing or sealing functions. The proposed parts 2 and 3 are to be independent of specific authentication mechanism and signature activation protocol to allow maximum flexibility with respect to future solutions and to allow supporting several authentication mechanisms. The proposed part 3 is to take into account: a) potential implementations that require dedicated functional components, owned by the signatory or seal creator, which are for the purposes of ensuring sole control, and b) potential implementations that do not require such dedicated functional components but still ensuring sole control of the signatory or seal creator. The proposed part 3 covers requirements up to the interface to the signatory or seal creator needed for authentication and the interface to the signature creation application for selection, checking and display of data to be signed (e. g. a signature creation application as defined in EN 419 111) while requirements on the signature creation application itself are out of scope. It is proposed that part 3 (PP-SAD+SAP) forms the prime reference for server signing that may be certified according to Regulation No 910/2014 including Annex II, and that this part requires components certified according to part 2 (PP TSCM) and EN 419221-5.

  • Standard
    75 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 419241-1:2018(Main)
Trustworthy Systems Supporting Server Signing - Part 1: General System Security Requirements
SIST EN 419241-1:2018

1.1   General
This document specifies security requirements and recommendations for Trustworthy Systems Supporting Server Signing (TW4S) that generate digital signatures.
The TW4S is composed at least of one Server Signing Application (SSA) and one Signature Creation Device (SCDev) or one remote Signature Creation Device.
A remote SCDev is a SCDev extended with remote control provided by a Signature Activation Module (SAM) executed in a tamper protected environment. This module uses the Signature Activation Data (SAD), collected through a Signature Activation Protocol (SAP), in order to guarantee with a high level of confidence that the signing keys are used under sole control of the signer.
The SSA uses a SCDev or a remote SCDev in order to generate, maintain and use the signing keys under the sole control of their authorized signer. Signing key import from CAs is out of scope.
So when the SSA uses a remote SCDev, the authorized signer remotely controls the signing key with a high level of confidence.
A TW4S is intended to deliver to the signer or to some other application, a digital signature created based on the data to be signed.
This standard:
-   provides commonly recognized functional models of TW4S;
-   specifies overall requirements that apply across all of the services identified in the functional model;
-   specifies security requirements for each of the services identified in the TW4S;
-   specifies security requirements for sensitive system components which may be used by the TW4S.
This standard is technology and protocol neutral and focuses on security requirements.
1.2   Outside of the scope
The following aspects are considered outside of the scope of this document:
-   other trusted services that may be used alongside this service such as certificate issuance, signature validation service, time-stamping service and information preservation service;
-   any application or system outside of the TW4S (in particular the signature creation application including the creation of advanced signature formats);
-   signing key and signing certificate import from CAs;
-   the legal interpretation of the form of signature (e.g. electronic signature, electronic seal, qualified or otherwise).
1.3   Audience
This standard specifies security requirements that are intended to be followed by:
-   providers of TW4S systems;
-   Trust Service Providers (TSP) offering a signature creation service.

  • Standard
    43 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419030:2018(Main)
Rationalized structure for electronic signature standardization - Best practices for SMEs
SIST-TP CEN/TR 419030:2018

This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering to dematerialize paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide for SMEs active in the development of electronic signatures products and services - they should rather rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature products and services.
This document builds on CEN/TR 419040, "Guidelines for citizens", explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic Signatures which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before any making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).
Once the decision is taken to deploy electronic signatures or electronic seals in support of their business, SMEs will then typically collaborate with their chosen providers of e electronic signatures or electronic seals products or services, which can be done on the basis of ETSI TR 119 100 "Guidance on the use of standards for signature creation and validation", that helps enterprises fulfil their business requirements. The present document presents the concepts and use of the standards relevant for SMEs developed under the Rationalised Framework to SMEs.

  • Technical report
    30 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419010:2017(Main)
Framework for standardization of signatures - Extended structure including electronic identification and authentication
SIST-TP CEN/TR 419010:2017

The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the current Electronic Signature Directive from electronic signature towards electronic identification and electronic authentication. These two topics are closely linked to electronic signature and are considered in this context in this document. There are many documents, standards, industrial initiatives and European projects on identification and authentication, but the scope here is limited to electronic signature context, and wider to electronic transactions in the internal market.
The present Technical Report is twofold.
It firstly does a brief analysis of the implementing acts on electronic identities CIR 2015/1501 [29] and CIR 2015/1502 [30] and how this is addressed by the eID interoperability framework [31]. It secondly establishes what areas of existing standards are impacted by the eID framework and what further areas of standardization could assist nations in providing eID services.

  • Technical report
    15 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419200:2017(Main)
Guidance for signature creation and other related devices
SIST-TP CEN/TR 419200:2017

The present Technical Report provides guidance on the selection of standards and options for the signature/seal creation and other related devices (area 2) as identified in the framework for standardization of signatures: overview ETSI/TR 119 000 [16].
The present Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5) and how the relevant standards and options for this area can be identified given the Business Scoping Parameters (Clause 6).
The target audience of this document includes:
-   business managers who potentially require support from electronic signatures/seals in their business and will find here an explanation of how electronic signatures/seals standards can be used to meet their business needs;
-   application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures/seals, and will gain a better understanding on how to select the appropriate standards to be implemented and/or used;
-   developers of the systems who will find in this document an understanding of the reasons that lead the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for a proper development.

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 419221-1:2016(Main)
Protection Profiles for TSP cryptographic modules - Part 1: Overview
SIST-TS CEN/TS 419221-1:2017

This Technical Specification provides an overview of the protection profiles specified in other parts of CEN/TS 419221.

  • Technical specification
    12 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 419221-3:2016(Main)
Protection Profiles for TSP Cryptographic modules - Part 3: Cryptographic module for CSP key generation services
SIST-TS CEN/TS 419221-3:2017

This Technical Standard specifies a protection profile for cryptographic module for CSP key generation services.

  • Technical specification
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day