CEN/TS 15130:2006

SLOVENSKI STANDARD
01-januar-2007
3RãWQHVWRULWYH,QIUDVWUXNWXUD]DHOHNWURWHKQLþQH]D]QDPNHSULIUDQNLUDQMX'30
,QIRUPDFLMHYSRGSRURXSRUDEL'30
Postal services - DPM infrastructure - Messages supporting DPM applications
Postalische Dienstleistungen - Infrastruktur für Elektrotechnische Freimachungsvermerke
(DPM) - Nachrichten zur Unterstützung von Anwendungen der DPM
Services postaux - Infrastructure de marque d'affranchissement digitale (DPM) -
Messages prenant en charge les applications DPM
Ta slovenski standard je istoveten z: CEN/TS 15130:2006
ICS:
03.240 Poštne storitve Postal services
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL SPECIFICATION
CEN/TS 15130
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
April 2006
ICS 03.240
English Version
Postal services - DPM infrastructure - Messages supporting
DPM applications
Postalische Dienstleistungen - Schnittstelle für
Elektrotechnische Signatur
This Technical Specification (CEN/TS) was approved by CEN on 7 May 2005 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2006 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TS 15130:2006: E
worldwide for CEN national Members.

Contents Page
Foreword.3
Introduction .4
1 Scope .5
2 Normative references .6
3 Terms and definitions .6
4 Requirements.10
5 Description of the models (system architecture and interaction diagrams).14
Annex A (normative)  Implicit certification process.38
Annex B (normative)  Message structure.40
Annex C (informative)  Development principles.43
Bibliography .44

Foreword
This document (CEN/TS 15130:2006) has been prepared by Technical Committee CEN/TC 331 “Postal
Services”, the secretariat of which is held by NEN.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to announce this CEN Technical Specification: Austria, Belgium, Cyprus, Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden,
Switzerland and United Kingdom.
Introduction
The purpose of this document is to define a consistent and complete set of messages between vendors and
posts infrastructures in support of DPM applications.
It is assumed that the reader of this document is familiar with computer-related technologies normally used to
design and implement applications requiring an interaction between computer systems. This document makes
use of industry-accepted technical standards and concepts like public key cryptography and communication
protocols.
This document defines the significant content and the format for data exchanges and messages, consistent
with current industry practices. Also, consistent with the concepts of extensibility and flexibility, this document
allows for extensions supporting specific (local) implementations using additional data elements.
1 Scope
This document specifies the information exchanges between various parties' infrastructures that take place in
support of DPM applications. It complements standards that address the design, security, applications and
readability of Digital Postage Marks.
The following items will be addressed by this document:
 identification of parties participating in exchanges of information described by this document;
 identification of functions (interactions, use cases);
 definition of parties’ responsibilities in the context of above functions;
 definition of messages between parties: message meaning and definition of communication protocols to
support each function;
 definition of significant content (payload) for each message;
 security mechanisms providing required security services, such as authentication, privacy, integrity and
non-repudiation.
This document does not address:
 design of DPM supporting infrastructure for applications internal to providers and carriers;
 design of DPM devices and applications for applications internal to end-users.
NOTE Although there are other communications between various parties involved in postal communications, this
document covers only DPM-related aspects of such communications.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, or references to a version number, only the edition cited applies. For undated references and
where there is no reference to a version number, the latest edition of the referenced document (including any
amendments) applies.
ISO/IEC 9798-3, Information technology – Security techniques – Entity authentication – Part 3: Mechanisms
using digital signature techniques
ISO 10126-2, Banking – Procedures for message encipherment (wholesale) – Part 2: DEA algorithm
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

3.1
ascending register value
numerical value that is equal to the total accumulated value of postage that has been accounted for and
printed by the mailing system (usually used in the context of a postage meter or a franking machine)
3.2
authentication
verification of the identity of a person, process or the origin of the data being exchanged
3.3
control sum
sum of the descending register value and ascending register value in a mailing system
3.4
cryptographic material
information used in conjunction with cryptographic methods of protecting information
3.5
cryptographic key
information that uniquely determines a bijection (one-to-one transformation) from the space of messages to
the space of ciphertexts
3.6
Cryptographic Validation Codes
CVC
value, cryptographically derived from selected postal data, which may be used in verifying the integrity of such
data and authenticating its origin
3.7
data integrity
property of a communication channel whereby data has not been altered in an unauthorized manner since the
time it was created, transmitted, or stored by an authorized source
3.8
descending register value
numerical value equal to the total value of unused postage remaining in the mailing system (usually used in
the context of a postage meter or a franking machine)
3.9
Digital Postage Mark
DPM
postmark printed or otherwise attached to a mail item and containing information that may be captured and
used by mail handling organizations and the recipient
3.10
DPM signature verification key
public key that is used for the DPM signature verification
3.11
DPM signing Key
DPM signature generation key
private key that is used for digital signing of DPM information
3.12
DPM verifier
verifier
postal equipment that is used for DPM verification
3.13
Exchange Validation Codes
EVC
code, known to or agreed between a mailer and a licensing post, which when applied to a postal item by the
mailer may be used by the licensing post to authenticate the origin of the item and, under appropriate
circumstances, to verify the integrity of agreed upon DPM data
3.14
implicit certificate
informational element that binds an entity's identity with its public cryptographic key allowing the verification of
the digital signature by another entity using only information contained within the certificate itself
NOTE In Digital Postage Mark verification systems based on public key cryptographic schemes, the verification key
is public and can either be retrieved from a database (explicit certificate) or it can be computed from the information
contained in the Digital Postage Mark (implicit certificate).
3.15
key management infrastructure
systems, policies and procedures used to create, store, distribute and update cryptographic keys
3.16
license
formal permission to account for postal charges and create an agreed upon evidence of payment for such
charges given to qualified mailers by posts, carriers or their authorised agents
3.17
license number
informational element (typically numeric or alphanumeric code) that represents the fact that a mailer has
obtained license from the post or a carrier authorising the mailer to account for postal charges and to print
evidence of a paid postage
3.18
licensing post
postal organisation responsible for issuing licenses to qualified mailers
3.19
MAC key
DPM MAC key
Message Authentication Code (MAC) key used for the protection of the Digital Postal Mark (DPM) in DPM
systems based on symmetric key cryptographic schemes
3.20
mailer
person or organization using the services of a post
3.21
mailing system
system which is used to account and evidence charges for postal services
NOTE Variations of a mailing system include:
 franking machine or postage meter;
 personal computer with specialized software;
 on-line software service
3.22
Message Authentication Code
MAC
value, cryptographically derived from selected data, which allows data integrity and implicit data origin to be
verified
NOTE Since MACs are based on shared secret schemes they allow for weaker (implicit) data origin verification than
digital signatures that are based on public key cryptographic schemes.
3.23
non-repudiation
security service which prevents an entity from denying previous commitments or actions
3.24
parametrisation
process of supplying a system or a device with all input information required for proper operation, involving
assignment of specific numerical values to named variables used in computation of output values such as
data elements of DPM
3.25
post
postal administration
postal authority
organization which has been designated by the UPU member country or territory as an operator responsible
for fulfilling part or all of the member's obligations arising from adherence to the UPU convention and
agreements
3.26
postal code
numeric or alphanumeric value that is uniquely indicative of a geographic location of an element of postal
processing and delivery network, including postal processing facilities, retail offices, delivery units and
individual recipient’s mailboxes
3.27
privacy
confidentiality
security service used to keep the (meaningful) content of the information from all but those authorised to have
it
3.28
public key cryptography
cryptographic system that uses two keys: a public key accessible to all parties and a private or secret key
known only to one party (either the sender or the recipient of the message depending on the use of the
system)
NOTE An important element of the public key system is that the public and private keys are uniquely related to each
other and it is computationally infeasible to compute private key from the knowledge of public key.
3.29
Public Key Infrastructure
PKI
system of digital certificates, certificate authorities, and registration authorities or agents that allows for
authentication of all parties involved in communication and data exchange processes
3.30
symmetric key cryptography
encryption system in which the sender and receiver of a message share a single, common secret information
(key) that is used both to encrypt and decrypt messages that are being exchanged
3.31
time stamp
value of the current time stored by a system to indicate when a certain transaction took place
3.32
Universal Coordinated Time
UCT
universal time, taking into account the addition or omission of leap seconds by atomic clocks each year to
compensate for changes in the rotation of the earth (Greenwich Mean Time updated with leap seconds)
3.33
vendor
provider and/or operator of mailing systems
3.34
World Wide Web Consortium
W3C
international consortium of companies involved with the development of open standards for internet and the
web
3.35
XML
Extensible Mark-up Language
subset of SGML constituting a particular text mark-up language for interchange of structured data
3.36
XML schema
XML schema is an XML language for describing and constraining the content of XML documents
4 Requirements
4.1 Functional structure
This clause covers the organization of the logical layer of communication between post and vendor.
In the context of this document, a typical postal operator or a carrier of physical mail items is organized along
well-defined functional elements. Specifically, typical functional elements are postal operations (including: mail
collection, processing, sorting, transportation and delivery) and system administration and management
control (including finance and marketing).
Since this document defines (for the major part) communications between vendor and post aimed at
supporting postal revenue collection based on DPM, the postal operator is the main recipient and beneficiary
of the information collected and communicated within the DPM supporting infrastructure.
Therefore, the functional requirements are organized to match the functional elements of the postal
organization namely: postal operations and system administration and management control. Accordingly,
Clause 5 of the present document is organized into the following major subclauses:
 key management processes;
 licensing and parameterization of mailing systems;
 data collection and reporting processes;
 audit-related process.
In this organization, key management processes support postal operations while licensing and
parameterization, data collection and audit-related clauses support system administration and management
control.
Postal revenue collection systems that are based on DPM require postal verification of accounting processes
performed by mailers. In practice, this amounts to DPM verification that is performed on individual mail items
and, as such, becomes a part of postal operations.
DPM verification requires that all verification equipment (verifiers) have access to DPM verification keys or key
materials (symmetric or public).
For the purpose of this document these verification keys are supplied to verifiers from postal key management
infrastructure. The postal key management infrastructure in its relation to vendor key management
infrastructure is covered in subsequent clauses of this document.
4.2 Technical requirements
Technical requirements for this document are driven by the needs of posts and vendors to create and operate
a cost-effective, functional and efficient infrastructure which allows them to exchange information as described
in Clause 5.
This infrastructure will allow interoperability between systems owned and operated by vendors and posts
eliminating the need for custom interfaces between specific parties. The use of established technologies and
industry-standard solutions will minimize the cost of such infrastructure. The optimum set of solutions is highly
dependent on specific conditions and the state of the technology at any given time.
Specific performance levels (like scalability, speed, reliability, availability) are outside the scope of this
document, as they evolve quickly and they vary greatly between organizations.
Annex B includes as an example a specific implementation of the transport layer using XML schema standard
for data representation.
4.3 Security requirements
4.3.1 General
This subclause is a review of security requirements which are of specific interest to posts and vendors, in the
context of DPM infrastructure. It includes a discussion of threats, vulnerabilities and approaches to reduce
risks.
4.3.2 Introduction
This clause defines security requirements for the DPM supporting infrastructure and in its general approach
follows Annex C “Security analysis considerations” of EN 14615. 4.3.4 defines threats and countermeasures
that are specific to DPM supporting infrastructure.
Security of the Digital Postage Marks (DPM) rests on the information present in the DPM, and on security of
DPM supporting infrastructure. The DPM information is designed to convince a verifier after it captures and
interprets it that the postal charge accounting for the mail piece has occurred and that the payment has been
made or will be made (depending on the payment arrangement). The basic principle at work here is the notion
that certain information can be known to a mailer’s postage evidencing device only if it has access to a
protected (secret or private) piece of information known as a key. Access to such key shall always trigger an
accounting action that results in a secure accounting for the postal charge (amount) required to be paid for the
service of postal delivery. This secure accounting is performed either by deduction of the computed postage
amount from an accounting register (descending register) responsible for storage of pre-paid funds or simply
by updating a secure non-volatile register (ascending register) by the computed amount or both. Thus the
DPM security and its linkage to a payment mechanism are delivered through secure cryptographic information
processing using a private (secret) key. It is of paramount importance that such keys be securely managed
throughout their use within the system. This document deals with DPM key management system and its
specific arrangements concerning vendor-post interface.
A cryptographic system normally requires a clear definition of the message sender, message communication
channel, message recipient and the message itself. For the purpose of this document both vendor and post
play roles of sender and recipient since they engage in exchange of vital information required for the proper
functioning of a DPM-based payment system. Such exchange is organised by using a public or private
communication network that is referred to as a communication channel. In the process of exchanging required
information vendor and post execute an agreed upon communication protocol normally consisting of a several
rounds of sending and receiving information.
The usual services of information security are entity or message data origin authentication, message data
integrity, message data confidentiality (privacy) and sender non-repudiation (see Bibliography [2] [5] [6] [7] [8]
[9] [10] [11] [12] [13] [14])
4.3.3 Security business objectives, policy and economics
This subclause defines most important security business objectives, policy and economics. Other more
detailed security objectives, policy and economics are application and environment dependent and typically
can be derived from the objectives listed below:
a) postal business objective is to create and maintain cost effective access to postal services for mailers
without negative impact on the quality of service and its ease of use. Specifically, postal revenue
collection including DPM infrastructure security measures shall be balanced against the cost of
implementation and maintenance of secure DPM supporting Infrastructure. This shall be done in such a
way that the overall combined cost of revenue collection including the cost that shall be incurred by post,
vendor and their joint customers is minimal;
b) fundamental security policy and economics requirement is that a postal revenue collection system does
not allow for attacks (resulting in significant revenue losses) that are easy to mount for dishonest mailers
or outside participants and are difficult to detect and protect against for post and vendor. The
qualifications “easy” and “difficult” here are understood in economic terms. “Easy” means that material,
human and timing resources required to mount an attack are relatively low compared with potential
economic rewards for a successful attack. “Difficult” means that those required resources are relatively
high compared to potential rewards. Similarly, countermeasures implemented by vendor and post are
“easy” if they require comparatively low resources for successful detection of an attack and result in
identification and prosecution of perpetrators. Countermeasures that require comparatively large
resources are considered “difficult”. More specifically, there are several fundamental security policy
requirements, namely: 1) the postal accounting systems/devices manufactured and distributed by vendor
shall accurately account for postal funds, 2) the postal accounting systems/devices shall provide all
necessary information for verification of postage payment, 3) the payment verification systems shall be
able to detect postal fraud, identify responsible party or parties and support evidence collection and
prosecution of responsible party or parties and 4) the design of vendor and post infrastructures supporting
DPM shall not allow for “easy” attacks that do not have effective countermeasures (defined as
countermeasures that require small material, human and timing resources);
c) legal framework shall be developed that defines legal recourse against perpetrators of postal fraud in the
digital environment together with required standards of evidence. The legal framework for DPM
infrastructure environment is outside of the scope of this document.
4.3.4 Threats and vulnerabilities (attacks)
Threats correspond to methods of attacking a system with the objective of causing damage to it, its operators
or users. Actual attacks may combine several such methods.
The approach taken in this document is to define only threats and vulnerabilities that are specific to DPM
supporting infrastructure and avoid definition and description of attacks common to all digital communication
systems.
The remainder of this clause is devoted to the identification and brief description of a number of threats that
are specific to DPM supporting infrastructure:
a) collusion involves cooperation between two or more parties with fraudulent intent. It may occur between
mailers, between a mailer and a supplier (vendor), or between one of these and a corrupt postal
employee. For example, an individual employed by one mailer may assist another mailer to generate mail
purporting to originate in his own organization, or a mailer may bribe a postal employee to gain access to
protected information such as key and key material. Collusion attacks can not be totally prevented but at
a minimum postal audit of vendor and mailing system as well as DPM verification processes will support
the detection of collusion;
b) cryptanalysis is the use of mathematical techniques in an attempt to defeat the use of cryptographic
methods, particularly in the context of information security services. It is normally aimed at the recovery of
cryptographic keys by exploiting knowledge of the cryptographic algorithm, data that forms input to and/or
output from the algorithm, or both. DPM infrastructure design and communication protocols employed in
the vendor-post interface described in this document make use of public and symmetric key cryptographic
primitives. This document generally avoids making specific recommendations concerning precise use and
type of cryptographic primitives within key management, data collection and reporting, licensing,
parameterization and audit procedures. For the purpose of this document it is sufficient to describe all
covered protocols and procedures using generic nomenclatures such as public or symmetric key
schemes and thus leaving the choice of specific primitives to qualified designers of the DPM supporting
infrastructure. However, it is strongly recommended that only well-known and tested cryptographic
primitives such as RSA, DSA, ECDSA, Triple DES and AES be used as primitives in the procedures
described in this document. Specific choice of cryptographic primitives should be guided by computational,
interoperability and IT constraints as well as other system requirements known to exist in country-specific
systems.
Recommended implementations of proven cryptographic primitives are described in appropriate ISO,
CEN, ANSI and other national standards and are outside of the scope of this document;
c) illegitimate key access covers access to the secret cryptographic key or keys of a legitimate device or
user by an unauthorized party, thereby allowing the party concerned to masquerade (cryptographically)
as the legitimate device or user. Illegitimate access to cryptographic keys puts at risk any
cryptographically protected features of the system. A properly designed DPM infrastructure system
prevents such access by requiring a sound key management and protection system as described in this
document;
d) Information Technology (IT) system infiltration covers the range of threats that are common to IT
systems. All of the issues associated with IT system infiltration are addressed in separate documents and
are not covered by this document since they are not specific to DPM infrastructure. However, several
classes of threats that are of particular interest in the design, implementation and administration of DPM
supporting infrastructure are briefly described. It is strongly advised that designers of DPM supporting
infrastructure systems review, assess and implement technical and administrative countermeasures
appropriate for their specific IT systems:
1) network tampering covers a range of threats that are both passive and active attacks on
communications channels. Network tampering attacks may be conducted on public networks, such
as the internet, or private networks, such as a vendor or post’s internal network. Monitoring of
network traffic and data in order to gain access to confidential information is a passive attack that
may be accomplished using freely available network administration tools. Active attacks include
injecting data into a communications channel and modifying data on a communications channel.
Injecting data involves inserting additional traffic into a communication channel. The traffic may be a
replay of prior data or newly constructed data. The purpose of injecting data may be to gain access
to services (e.g. replaying an authorization to increase the postage value resident in a mailing
system) or to deny services (e.g. to overwhelm a server with data thereby denying service to others).
Modifying data involves changing the content of data sent via a communication channel before the
intended recipient receives the data (e.g. increasing a credit limit);
2) unauthorized database and server modification covers the range of threats that involve
unauthorized access to computers and databases that implement an IT System in order to modify the
server or database. The access may be local (e.g. from a computer keyboard) or remote (e.g. over a
computer network). For example, modifying a server configuration could enable the unauthorized
viewing of confidential information or the denial of access to authorized parties. Similarly, the
modification of data in a database either directly or by restoring a backup of earlier data could be
used to change privileges (e.g. a credit limit);
3) illegitimate long-term storage access covers the range of threats that involve access and/or
modification of archival data (e.g. backup tapes of servers and databases or even paper records).
Illegitimate access to archival data could reveal confidential information to unauthorized parties.
Unauthorized modification of archival data could be used to obscure evidence of other attacks or
facilitate unauthorized database and server modification;
e) repudiation occurs when one of the parties to a transaction denies his or her involvement in it. For
example, in a Mailing system management system, the sending of a postage value download to a
customer’s meter represents the transfer of money. If the customer subsequently claims that the
download was never received, the postal administration and/or vendor could lose revenue if it is unable to
tie the download transaction to the customer’s subsystem (e.g. through an undeniable audit trail or
transaction history). Similarly, in a system based on postal administration of postage accounting a mailer
could attempt to deny responsibility for the origination of items. Repudiation is addressed in this
document where appropriate by the recommended use (within key management, audit and data reporting
procedures) of proven digital signature primitives and protocols;
f) security system infiltration is defined as penetration of a security system with the objective of disabling
it or reducing its effectiveness. For example, fraudulent DPM public verification key insertion, in which an
unauthorised key value is inserted into the set of legitimate verification keys supported by the security
system, would jeopardize the integrity of a postal revenue collection system. Similarly, some key
management systems recommended in this document and supporting DPMs protected by symmetric key
cryptography require internal postal sharing of a single universal DPM verification key between a server
and multiple verifiers. Although this document is generally not concerned with post’s and vendor’s internal
key management procedures, it is strongly recommended that all DPM verification keys (public or
symmetric) be protected for privacy and checked for authenticity and data integrity before use.
4.3.5 Vendor-post channel
Sound DPM infrastructure in all cases, requires a secure communication channel between the vendor and the
post that can be established using traditional (standard) methods of digital encryption and signature as
described in ISO/IEC 9798-3 and ISO 10126-2. This secure communication channel between the vendor and
the post is referred to as the vendor-post channel. An established secure vendor-post channel provides for
mutual authentication (and non-repudiation when needed) between vendor and post before any transmission
of data occurs in the channel. The channel is also enabled to protect the integrity of all data exchanged
through the channel by allowing both vendor and post to check that received data has not been altered during
transmission process. Finally, the channel is protected against eavesdropping by unauthorized parties, thus
protecting confidentiality (privacy) of the data transmitted through it. The communication protocols described
in this document enable the services of authentication, non-repudiation, data integrity and privacy
independently of each other, as needed. Whenever reference is made to the vendor-post channel and it is not
specified otherwise, it is assumed that all four security services are enabled.
5 Description of the models (system architecture and interaction diagrams)
5.1 Introduction
This clause makes use of models providing description of essential interactions between main components of
the system, and specifically defines information that is created, collected and communicated between vendor
and post.
This document considers two models when describing the system architecture and corresponding information
flow diagrams. The first model is based on Cryptographic Validation Codes (CVC), while the second model
defines a system based on the use of Exchange Validation Codes (EVC), as they are defined in EN 14615.
Both models describe the interaction between three entities:
- vendor;
- postal authority (post);
- mailer (using some mailing system from the vendor).
This document defines the exchanges between the vendor and the post (thick arrow labeled [1] in Figure 1,
below).
Figure 1
5.2 Key management processes
5.2.1 General
In any system which depends on cryptography for its security, the process of managing cryptographic material
is crucial to its success.
The key management process distinctly differs from the actual usage of cryptographic keys. The key
management process deals with the administrative tasks such as creation, publication and management of
keys and certificates. The usage of cryptographic keys deals with the operations involved in creating and
verifying digital signatures and encrypting or decrypting messages.
This subclause addresses the following topics:
 initialization and re-key of the vendor-post key management infrastructure;
 distribution of cryptographic material for DPM protection;
 withdrawal of mailing system.
5.2.2 Initialization and re-key of the vendor-post key management infrastructure
For the purpose of this document, the vendor-post key management infrastructure is defined as keys and
procedures involved in establishing a secure vendor-post communication channel as described in 4.3
“Security requirements”.
The process of initialization is defined as the process of generating and communicating cryptographic keys or
key material between the vendor and the post in a secure manner.
For the purpose of this document, the initialization and the re-key processes are treated as identical. The
request for initialization or re-key may come either from vendor or the post and it is not covered in this
document.
In the case when the vendor is responsible for generating cryptographic key or key material, the vendor is
required to securely communicate the appropriate keys to the post. Similarly, when the post is responsible for
generating cryptographic keys or key material, the post is required to securely communicate the appropriate
keys to the vendor.
NOTE Generation of cryptographic material is usually followed by communication of keys or certificates to the parties
other then the party which originates them. This communication is done using either out-of-band or in-band methods.
Out-of-band communication is usually accomplished through a face-to-face meeting of trusted postal and vendor
representatives. It avoids the use of any electronic network and ensures that the cryptographic material is never exposed
while it is communicated between the post and the vendor. This approach also ensures that the source of the information
is known and trusted. Communication through out-of-band methods is necessary before a secure channel is established
between the post and the vendor. It is used to communicate the cryptographic material needed to establish such a
communication channel. Once a secure channel is established, no more out-of-band communications are necessary.
rd
Other out-of-band methods include: mailing in a tamper evident/resistant enclosure and use of a trusted 3 party (for
example: certificate authority). In-band communication of keys or certificates to be used for the establishment of
communication channels between vendor and post is not recommended.
5.2.3 Distribution of cryptographic material for DPM protection
5.2.3.1 Introduction
This clause covers the creation and distribution of cryptographic keys for mailing systems. Cryptographic keys
are either generated or certified by a postal authority’s infrastructure and are used for the protection of the
Digital Postal Mark (DPM). In the case of public key-based systems DPMs contain a digital signature, whereas
in symmetric key-based systems a message authentication code (MAC) is used.
5.2.3.2 Overview of the process
5.2.3.2.1 General
There are two general categories of cryptographic schemes: public key and symmetric key. Systems designed
to support implementation of public key schemes are known as Public Key Infrastructure (PKI).
5.2.3.2.2 Public key systems
There are two alternatives for certification (authentication) of public keys in a public key-based DPM system.
The first alternative involves a traditional key certification process and is referred to in this document as PKI
certification or explicit certification. The second alternative is known as implicit certification and involves a joint
generation of DPM signing and verification key pair by the vendor and the post. A small value known as an
implicit certificate or optimal mail certificate is included into the DPM. It is computed in such a way that it
1)
allows DPM verifiers to compute DPM signature verification key without access to external databases .
5.2.3.2.3 Public key systems - PKI Certification
As a prerequisite, it is recommended that the vendor-post channel [4.3.4] is used for all communications
required for the PKI certification process. To provide the vendor-post channel capabilities, the following
activities are recommended:
 vendor generates a public key pair for computing digital signatures aimed at signing requests for
certification of mailing system-generated public keys. The private key is referred to as the vendor
signature generation key and the public key is referred to as the vendor signature verification key;

1) Method of PKI certification (a1) requires that the verification yey certificate is either included in the DPM or stored in a
database and retrieved during DPM verification process through an identifier contained in the DPM. If (which is frequently
the case) the verification key certificate is too large to be included in the DPM, then it is stored and (often) retrieved from a
large secure database containing certificates for all registered MEs. Such database is maintained by the post and made
accessible in a real time to all DPM verifiers. This is frequently costly and operationally inconvenient for the post. The
method of implicit certification avoids this difficulty.
 post generates a public key pair for computing signatures aimed at certifying public keys of MEs. The
private key is referred to as the postal signature generation key and the public key is referred to as the
postal signature verification key;
 The post and the vendor have a mechanism to mutually authenticate each others public keys.
NOTE This can be done via traditional PKI mechanisms using X509 certificates.
The generic PKI certification process is as follows:
a) vendor transmits a request for certificate containing DPM signature verification key together with unique
mailing system identification information to the post using the secure vendor-post channel;
b) post returns to the vendor the verification key certificate containing DPM signature verification key and
mailing system unique identification information signed with the postal signature generation key;
c) vendor verifies the DPM signature verification key obtained from the DPM verification key certificate
received from the post. At this point the mailing system’s DPM signing key is ready to be used for DPM
computation and DPM signature verification key is ready be used for DPM verification.
5.2.3.2.4 Public key systems - Implicit certification
A detailed description of implicit certification process is given in Annex B.
As a prerequisite, it is recommended that the vendor-post channel [4.3.5] is used for all communications
required for the implicit certification process. To provide the vendor-post channel capabilities, the following
activities are recommended:
 vendor generates a public key pair for generating signatures. The private key is referred to as the vendor
signature generation key and the public key is referred to as the vendor signature verification key;
 post generates a elliptic curve public key pair for generating implicit certificates. The private key is
referred to as the postal implicit certificate generation key and the public key is referred to as the postal
implicit certificate verification key;
 post and the vendor have a mechanism to mutually authenticate each others public keys.
NOTE 1 This can be done via traditional PKI mechanisms of X509 certificates.
The generic implicit certification process is as follows:
a) post generates a system-wide private/public key pair. The private key and public key of the pair are
referred to as the postal private key and the postal public key respectively. The postal public key is
installed in all verifiers;
b) mailing system computes a random value (referred to as the mailing system’s contribution to implicit
certificate or simply the mailing system’s contribution) within the vendor’s secure infrastructure;
c) mailing system generates an mailing system certificate request message that contains the mailing
system’s contribution to implicit certificate and mailing system’s identity and sends it to the post using
vendor-post channel;
d) post generates a random value (referred to as the postal contribution to implicit certificate or simply the
postal contribution) and computes the implicit certificate using the mailing system’s contribution
(received from the vendor) and postal contribution values. The post then computes the postal input to
the DPM signing key using the postal private key, the implicit certificate and the postal contribution;
e) post sends the postal Input to the DPM signing key and the implicit certificate to the vendor using vendor-
post channel;
f) vendor computes the mailing system’s DPM signing key and DPM verification key using the postal input
to the DPM signing key, the implicit certificate and the postal public k
...