CEN/TR 419210:2019

SLOVENSKI STANDARD
01-maj-2019
8SRUDEQRVWVWDQGDUGRY&(1]DNYDOLILFLUDQRHOHNWURQVNRQDSUDYR]DXVWYDUMDQMH
SHþDWDYVNODGX]8UHGER(8ãWH,'$6
Applicability of CEN Standards to Qualified Electronic Seal Creation Device under the
EU Regulation N°910/2014 (eIDAS)
Anwendbarkeit von CEN Normen für qualifizierte elektronische
Siegelerstellungseinheiten unter der eIDAS Verordnung.
Applicabilité des normes CEN aux dispositifs de création de cachet électronique qualifiés
sous la régulation européenne n°910/2014 (eIDAS)
Ta slovenski standard je istoveten z: CEN/TR 419210:2019
ICS:
35.030 Informacijska varnost IT Security
35.240.63 Uporabniške rešitve IT v IT applications in trade
trgovini
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

CEN/TR 419210
TECHNICAL REPORT
RAPPORT TECHNIQUE
March 2019
TECHNISCHER BERICHT
ICS 35.030; 35.240.63
English Version
Applicability of CEN Standards to Qualified Electronic Seal
Creation Device under the EU Regulation N°910/2014
(eIDAS)
Application des normes du CEN aux dispositifs de Anwendbarkeit von CEN Normen für qualifizierte
création de cachets électroniques qualifiés au titre du elektronische Siegelerstellungseinheiten unter der
règlement européen n°910/2014 (eIDAS) Verordnung (EU) Nr. 910/2014 (eIDAS)

This Technical Report was approved by CEN on 18 February 2019. It has been drawn up by the Technical Committee CEN/TC
224.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 419210:2019 E
worldwide for CEN national Members.

Contents
European foreword . 3
Introduction . 4
1 Scope . 5
2 Normative references . 5
3 Terms, definitions and abbreviations . 5
3.1 Terms and definitions . 5
3.2 Abbreviations . 5
4 A consideration of relevant regulatory requirements . 6
5 Features commonly required by use cases . 8
5.1 Introduction . 8
5.2 Features . 9
5.2.1 Local / Remote . 9
5.2.2 Authentication Shared / Not Shared . 9
5.2.3 Multiple Digital Signatures . 9
5.2.4 Key Shared / Not Shared . 9
5.2.5 Secure Environment . 9
6 Analysis of Standard and Required Features. 10
6.1 EN 419 211-x . 10
6.1.1 General. 10
6.1.2 Regulatory vs Standard Requirements . 10
6.1.3 Applicability to Required Features . 10
6.2 EN 419 221-5 . 11
6.2.1 General. 11
6.2.2 Regulatory vs Standard Requirements . 11
6.2.3 Applicability to Required Features . 12
6.3 EN 419 241-1 / −2 . 15
6.3.1 General. 15
6.3.2 Regulatory vs Standard Requirements . 15
6.3.3 Applicability to Required Features . 16
7 Summary of conclusions . 17
Annex A (informative) Example Use Cases . 18
A.1 General. 18
A.2 Own key: . 18
A.3 Remote Signing . 18
A.4 Shared key, shared authentication . 19
A.5 Shared key, separate authentication . 19
A.6 Empowered Application . 20
A.7 TSP Sealing . 20
Bibliography . 22

European foreword
This document (CEN/TR 419210:2019) has been prepared by Technical Committee CEN/TC 224
“Personal identification, electronic signature and cards and their related systems and operations”, the
secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Introduction
EU Regulation No 910/2014 on electronic identification and trust services for electronic transactions in
the internal market (also known as eIDAS)[1] builds on the concept and requirements defined in the
repealed EU Directive 1999/93 on Electronic Signatures [2]. eIDAS defines an electronic seal which
authenticates the origin of data but created under control, as opposed to “sole control” for electronic
signatures, of a legal person (e.g. organization), as opposed to natural person (i.e. individual).
Technically, electronic seals have similar requirements as electronic signatures and both can be based on
digital signatures. eIDAS recognizes a special level of qualified electronic seal which is created using a
qualified seal creation device (QSealCD) and supported by a qualified certificate, in the similar way as a
qualified electronic signature is created using qualified signature creation device (QSigCD) supported by
a qualified certificate. The requirements for a qualified seal creation device are described as “mutatis
mutandis” as for a qualified signature creation device. The requirements for a qualified signature creation
device are considered to be met by the equivalent defined in Directive 1999/93 referred to as a secure
signature creation device (SSCD).
CEN has issued standards EN 419 211 parts 1 to 6, which were initially aimed at SSCD but have been
accepted as applicable to QSigCD and QSealCD (COMMISSION IMPLEMENTING DECISION (EU) 2016/650
of 25 April 2016). Further standards have since been issued EN 419 221 part 5 and EN 419 241 parts 1
and 2 which can also be applied as QSigCD and QSealCD. However, for some use cases of electronic seals
some standards may be considered more appropriate than others.
This document considers the legal requirements and practical use cases against the features of the
standards to assist in selecting the most appropriate standard.
1 Scope
This document considers the legal requirements and practical use cases against the features of the CEN
standards which may be used to support electronic seals in accordance to EU Regulation N° 910/2014
with the aim to provide guidance on the most appropriate standard to use in particular types of usage.
2 Normative references
There are no normative references in this document.
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in EU Regulation N° 910/2014 and
the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
NOTE The term “seal” is used to denote “electronic seal”, and “signature” is used to denote “electronic
signature”.
3.1.1
digital signature
data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit
to prove the source and integrity of the data unit and protect against forgery (e.g. by the recipient)
Note 1 to entry: Digital signature is a technical concept which may be related to the legal concept of electronic
signature or electronic seal as defined in EU Regulation N° 910/2014.
3.1.2
signer
entity being the creator of a digital signature
Note 1 to entry: Signer is a technical concept which may be related to the legal concepts of signatory or creator of a
seal.
3.2 Abbreviations
DTBS Data To Be Signed
DTBS/R Data to be signed or its unique representation
eIDAS EU Regulation N° 910/2014 [1]
SSCD secure signature creation device
TSP trust service provider
QSealCD qualified seal creation device
QSigCD qualified signature creation device
QSCD Either QSealCD or QSigCD
QTSP qualified trust service provider
4 A consideration of relevant regulatory requirements
The following recitals and articles of eIDAS are considered to have impact on the requirements for
electronic seals, which may or may not be supported by a QSealCD, in particular where they differ from
electronic signatures. Those items considered most relevant are underlined.
Recital (51) It should be possible for the signatory to entrust qualified electronic signature creation
devices to the care of a third party, provided that appropriate mechanisms and procedures are
implemented to ensure that the signatory has sole control over the use of his electronic signature creation
data, and the qualified electronic signature requirements are met by the use of the device.
Recital (52) The creation of remote electronic signatures, where the electronic signature creation
environment is managed by a trust service provider on behalf of the signatory, is set to increase in the
light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive
the same legal recognition as electronic signatures created in an entirely user-managed environment,
remote electronic signature service providers should apply specific management and administrative
security procedures and use trustworthy systems and products, including secure electronic
communication channels, in order to guarantee that the electronic signature creation environment is
reliable and is used under the sole control of the signatory. Where a qualified electronic signature has
been created using a remote electronic signature creation device, the requirements applicable to
qualified trust service providers set out in this Regulation should apply.
Recital (59) Electronic seals should serve as evidence that an electr
...