iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
CEN

CEN/TR 419030:2018

(Main)

Rationalized structure for electronic signature standardization - Best practices for SMEs

Rationalized structure for electronic signature standardization - Best practices for SMEs

This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering to dematerialize paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide for SMEs active in the development of electronic signatures products and services - they should rather rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature products and services.
This document builds on CEN/TR 419040, "Guidelines for citizens", explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic Signatures which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before any making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).
Once the decision is taken to deploy electronic signatures or electronic seals in support of their business, SMEs will then typically collaborate with their chosen providers of e electronic signatures or electronic seals products or services, which can be done on the basis of ETSI TR 119 100 "Guidance on the use of standards for signature creation and validation", that helps enterprises fulfil their business requirements. The present document presents the concepts and use of the standards relevant for SMEs developed under the Rationalised Framework to SMEs.

Cadre pour la normalisation de la signature électronique - Meilleures pratiques pour les PME

Racionalizirana struktura za standardiziran elektronski podpis - Dobre prakse za MSP

Cilj tega tehničnega poročila je biti vstopna točka v zvezi z elektronskimi podpisi za vsa mala in srednje velika podjetja (SME), ki razmišljajo o ukinitvi potekov dela na osnovi papirja ter iščejo preudarno pravno in tehnično osnovo, da bi v tem postopku integrirali elektronske podpise. Njegov namen ni biti smernica za mala in srednje velika podjetja, aktivna pri razvoju izdelkov in storitev za elektronske podpise – te bi se morale za pripravo ponudbe zanašati na skupino standardov EN 319 x00 – temveč je smernica za mala in srednje velika podjetja, ki UPORABLJAJO izdelke in storitve za elektronske podpise.
Ta dokument nadgrajuje FprCEN/TR 419040, »Smernice za državljane«, z razlago koncepta in uporabe elektronskih podpisov, da bi dodatno pomagal malim in srednje velikim podjetjem razumeti pomembnost uporabe elektronskih podpisov v njihovih poslovnih postopkih. Mala in srednje velika podjetja usmerja v odkrivanje ravni elektronskih podpisov, ki je primerna za njihove potrebe, razširja delo na posebne scenarije primerov uporabe, pri čemer se zlasti posveča tehnologijam in rešitvam, ter obravnava druga tipična konkretna vprašanja, na katera morajo mala in srednje velika podjetja odgovoriti pred kakršnim koli odločanjem (kot je vprašanje priznavanja njihovega elektronskega podpisa s strani tretjih oseb, znotraj njihovega sektorja, države ali celo mednarodno).
Ko je sprejeta odločitev za uvedbo elektronskih podpisov v podporo njihovemu poslovanju, mala in srednje velika podjetja potem tipično sodelujejo z izbranimi ponudniki izdelkov ali storitev elektronskih podpisov, kar se lahko izvaja na osnovi standarda ETSI 19 100, »Poslovno voden postopek za izvedbo ustvarjanja in potrjevanja elektronskih podpisov v elektronskem poslovanju«, ki podjetjem pomaga izpolniti njihove poslovne zahteve.  Ta dokument malim in srednje velikim podjetjem predstavlja koncept in uporabo standardov, razvitih v racionaliziranem okviru, ki so pomembni za mala in srednje velika podjetja.

General Information

Status
Published
Publication Date
15-May-2018
ICS
35.030 - IT Security
Technical Committee
CEN/TC 224 - Machine-readable cards, related device interfaces and operations
Drafting Committee
CEN/TC 224 - Machine-readable cards, related device interfaces and operations
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
16-May-2018
Due Date
16-Jan-2018
Completion Date
16-May-2018
Directive
910/2014 - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing directive 1999/93/EC
Mandate
M/460 - Standardisation Mandate to the European Standardisation Organizations CEN, CENELEC and ETSI in the field of Information and Communication Technologies applied to Electronic Signatures
Ref Project
SIST-TP CEN/TR 419030:2018 - Rationalized structure for electronic signature standardization - Best practices for SMEs

Buy Standard

TP CEN/TR 419030:2018 - BARVETP CEN/TR 419030:2018 - BARVE
PreviousNext
Technical report
TP CEN/TR 419030:2018 - BARVE
English language
30 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-september-2018
Racionalizirana struktura za standardiziran elektronski podpis - Dobre prakse za
MSP
Rationalized structure for electronic signature standardization - Best practices for SMEs
Cadre pour la normalisation de la signature électronique - Meilleures pratiques pour les
PME
Ta slovenski standard je istoveten z: CEN/TR 419030:2018
ICS:
35.040.01 Kodiranje informacij na Information coding in general
splošno
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

CEN/TR 419030
TECHNICAL REPORT
RAPPORT TECHNIQUE
May 2018
TECHNISCHER BERICHT
ICS 35.030
English Version
Rationalized structure for electronic signature
standardization - Best practices for SMEs
Cadre pour la normalisation de la signature
électronique - Meilleures pratiques pour les PME

This Technical Report was approved by CEN on 9 March 2018. It has been drawn up by the Technical Committee CEN/TC 224.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 419030:2018 E
worldwide for CEN national Members.

Contents Page
European foreword . 3
Introduction . 4
1 Scope . 5
2 Terms and definitions . 5
3 Abbreviations . 7
4 Electronic seals as per EU Regulation 910/2014. 9
5 SME’s perspective . 10
5.1 Reasons for signing or sealing . 10
5.1.1 General . 10
5.1.2 Electronic signing as a way to confirm a legal commitment or because of a legal
requirement . 11
5.1.3 Electronic signing as a matter of diligence / risk management . 12
5.1.4 Electronic seals as a way to comply with an explicit legal requirement to apply a seal,
stamp or comparable formal requirement . 13
5.1.5 Electronic seals as a way to ensure the integrity and authenticity of a document . 13
5.2 Who signs or seals? . 13
6 Solutions . 14
6.1 General . 14
6.2 Signature creation . 14
6.2.1 General . 14
6.2.2 Remotely managed signature creation application and signature creation device . 16
6.2.3 Remotely managed signature creation device . 17
6.2.4 Remotely managed signature creation . 17
6.2.5 Signature creation application and signature creation device in the hand of the
signatory . 18
6.2.6 Responsibilities of parties . 19
6.2.7 Level of security and assurance on the issued signatures . 20
6.3 Signature validation . 21
6.4 Signature preservation . 21
7 I’m a TSP? . 22
8 Use-cases . 23
8.1 Use-cases where the SME is signing . 23
8.1.1 eInvoicing . 23
8.1.2 eProcurement Directive . 23
8.1.3 Accessing markets across the EU and the impact of the Services Directive . 24
8.2 Use-cases where the SME and the SME’s customers / partners are co-signing or co-
sealing . 25
9 Annex Digital signatures standardization . 26
Bibliography . 30
European foreword
This document (CEN/TR 419030:2018) has been prepared by Technical Committee CEN/TC 224
“Personal identification and related personal devices with secure element, systems, operations and
privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Introduction
Today, it is possible to electronically sign data to achieve the same effects as when using a hand-written
signature. Such electronic signatures benefit from full legal recognition due to the EU Regulation N°
910/2014 of the European Parliament and of the Council on electronic identification and trust services
for electronic transactions in the internal market [1] (hereafter referred to as Regulation (EU) N°
910/2014) which addresses various services that can be used to support different types of electronic
transactions and electronic signatures in particular.
The use of secure electronic signatures should help the development of online businesses and services in
Europe. The European Commission standards initiative aims at answering immediate market needs by:
— securing online transactions and services in Europe in many sectors: e-business, e-administration, e-
banking, online games, e-services, online contract, etc.;
— contributing to a single digital market;
— creating the conditions for achieving the interoperability of electronic signatures at a European level.
Besides the legal framework, the technical framework at the present time is very mature. Citizens
routinely sign data electronically by using cryptographic mechanisms such as, e.g. when they use a credit
card or debit card to make a payment. Electronic signatures implemented by such cryptographic
mechanisms are called “digital signatures”. Appropriate technical methods for digital signature creation,
validation and preservation, as well as ancillary tools and services provided by trust service providers
(TSPs), are specified in a series of document developed along with the present document.
The present document is part of a rationalized framework of standards (see ETSI TR 119 000 [6])
realized under the Standardization Mandate 460 issued by the European Commission to CEN, CENELEC
and ETSI for updating the existing standardization deliverables.
Further support is provided to the emerging cross-border use of eSignatures through other legal and
policy instruments that affect electronic processes being used in the market today (e.g. eInvoicing
Directive [3], Public Procurement Directive [4] and Services Directive [5]).
In this framework, CEN is in charge of issuing Guidelines for electronic signatures implementation. These
guidelines are provided through two documents:
— CEN/TR 419030, “Rationalized structure for electronic signature standardization - Best practices for
SMEs”, aligned with standards developed under the Rationalised Framework as described by
ETSI SR 001 604, and
— CEN/TR 419040, “Rationalized structure for electronic signature standardization - Guidelines for
citizens”, explaining the concept and use of electronic signatures.
The present document builds on CEN/TR 419040.
These two documents differ slightly from the other documents in the Technical Framework since they go
beyond the technical concept of “digital signature” and deal also with the legal concepts of electronic
signatures and electronic seals.
1 Scope
This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is
considering to dematerialize paper-based workflow(s) and seeks a sound legal and technical basis in
order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide
for SMEs active in the development of electronic signatures products and services - they should rather
rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature
products and services.
This document builds on CEN/TR 419040, “Guidelines for citizens”, explaining the concept and use of
electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their
business processes. It guides SMEs in discovering the level of electronic Signatures which is appropriate
for their needs, extends the work to specific use-case scenarios, paying special attention to technologies
and solutions, and addresses other typical concrete questions that SMEs need to answer before any
making any decisions (such as the question of recognition of their e-Signature by third parties, within
their sector, country or even internationally).
Once the decision is taken to deploy electronic signatures or electronic seals in support of their business,
SMEs will then typically collaborate with their chosen providers of e electronic signatures or electronic
seals products or services, which can be done on the basis of ETSI TR 119 100 “Guidance on the use of
standards for signature creation and validation”, that helps enterprises fulfil their business requirements.
The present document presents the concepts and use of the standards relevant for SMEs developed under
the Rationalised Framework to SMEs.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
2.1
advanced electronic signature
electronic signature which meets the requirements set out in Article 26 of Regulation (EU)
N° 910/2014 [1]
Note 1 to entry: Article 26: An advanced electronic signature shall meet the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use
under his sole control; and
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data are detectable.
[SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (11)]
2.2
electronic signature (from the regulation)
data in electronic form which is attached to or logically associated with other data in electronic form and
which is used by the signatory to sign
[SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (10)]
2.3
digital sign
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
CEN/TR 17982:2023(Main)
European Digital Identity Wallets standards Gap Analysis
SIST-TP CEN/TR 17982:2024

This document identifies relevant existing standards and standards work in progress around European Digital Identity Wallets. It also identifies missing work items and overlaps in standards and is supposed to work as a roadmap for future standardization projects in the area.

  • Technical report
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 419231:2019(Main)
Protection profile for trustworthy systems supporting time stamping
SIST EN 419231:2019

This document specifies a protection profile for trustworthy systems supporting time stamping.

  • Standard
    63 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419210:2019(Main)
Applicability of CEN Standards to Qualified Electronic Seal Creation Device under the EU Regulation N°910/2014 (eIDAS)
SIST-TP CEN/TR 419210:2019

This document considers requirements of the eIDAS regulation and use cases for qualified electronic seal creation devices and how these requirements may be met by standards.
These use cases will take into account differences in articles 26 and 36 of eIDAS on (sole) control of the signatory and seal creator on its signature / seal creation data, whilst also recognizing the commonalities.
This may possibly lead to identifying requirements for updates to existing standards.
The proposed table of content is the following:
1 Scope
2 References
3 Terms and definitions
3.1 Terminology
3.2 Abbreviations
4 A Consideration of Relevant Regulatory Requirements
5 Use cases
6 Analysis of features of Standard and Use cases
6.1 EN 419 211-x
6.1.1 Main Features relating to use cases
6.1.2 Applicability to use cases
6.2 EN 419 221-5
6.2.1 Main Features relating to use cases
6.2.2 Applicability to use cases
6.3 EN 419 241-1 / -2
6.3.1 Main Features relating to use cases
7 Summary of Conclusions

  • Technical report
    22 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 419241-2:2019(Main)
Trustworthy Systems Supporting Server Signing - Part 2: Protection profile for QSCD for Server Signing
SIST EN 419241-2:2019

The scope of proposed 419 241 part 2 (PP TSCM) covers security requirements to reach compliance with Annex II of Regulation No 910/2014 of the remote (qualified TSP operated) parts of the system, other than those relating to Signature Activation Data (SAD) management and the operation of the Signature Activation Protocol (SAP), assuming use of a cryptographic module conforming to EN 419 221-5. EN 419 241 part 2 will be balloted simultaneously with EN 419241 Part 3 Protection profile for Signature Activation Data management and Signature Activation Protocol(PP-SAD+SAP). These two new parts of EN 419 241, used in conjunction with the protection for PP for Cryptographic Module for Trust Services (EN 419 221-5), will contain security requirements for level 2 (sole control) as specified in TS 419 241 in a formal manner aligned with common criteria. These two new parts of EN 419 241, with EN 419 221-5, will support the certification of a system for remote qualified electronic signature or seal creation devices (remote QSCD) which meet the requirements of EU Regulation No 910/2014: The electronic signature creation data can be reliably protected by the legitimate signatory (sole control) against use by others, where the generation and management of the signature creation data is carried out by a qualified trust service provider on behalf of a signatory.
The scope of proposed 419 241 part 3 (PP-SAD+SAP) covers security requirements to reach compliance with Annex II of Regulation No 910/2014 on the management of the SAD and the operation of the SAP used to provide sole control of the signatory or seal creator for the remote QSCD signing or sealing functions. The proposed parts 2 and 3 are to be independent of specific authentication mechanism and signature activation protocol to allow maximum flexibility with respect to future solutions and to allow supporting several authentication mechanisms. The proposed part 3 is to take into account: a) potential implementations that require dedicated functional components, owned by the signatory or seal creator, which are for the purposes of ensuring sole control, and b) potential implementations that do not require such dedicated functional components but still ensuring sole control of the signatory or seal creator. The proposed part 3 covers requirements up to the interface to the signatory or seal creator needed for authentication and the interface to the signature creation application for selection, checking and display of data to be signed (e. g. a signature creation application as defined in EN 419 111) while requirements on the signature creation application itself are out of scope. It is proposed that part 3 (PP-SAD+SAP) forms the prime reference for server signing that may be certified according to Regulation No 910/2014 including Annex II, and that this part requires components certified according to part 2 (PP TSCM) and EN 419221-5.

  • Standard
    75 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 419241-1:2018(Main)
Trustworthy Systems Supporting Server Signing - Part 1: General System Security Requirements
SIST EN 419241-1:2018

1.1   General
This document specifies security requirements and recommendations for Trustworthy Systems Supporting Server Signing (TW4S) that generate digital signatures.
The TW4S is composed at least of one Server Signing Application (SSA) and one Signature Creation Device (SCDev) or one remote Signature Creation Device.
A remote SCDev is a SCDev extended with remote control provided by a Signature Activation Module (SAM) executed in a tamper protected environment. This module uses the Signature Activation Data (SAD), collected through a Signature Activation Protocol (SAP), in order to guarantee with a high level of confidence that the signing keys are used under sole control of the signer.
The SSA uses a SCDev or a remote SCDev in order to generate, maintain and use the signing keys under the sole control of their authorized signer. Signing key import from CAs is out of scope.
So when the SSA uses a remote SCDev, the authorized signer remotely controls the signing key with a high level of confidence.
A TW4S is intended to deliver to the signer or to some other application, a digital signature created based on the data to be signed.
This standard:
-   provides commonly recognized functional models of TW4S;
-   specifies overall requirements that apply across all of the services identified in the functional model;
-   specifies security requirements for each of the services identified in the TW4S;
-   specifies security requirements for sensitive system components which may be used by the TW4S.
This standard is technology and protocol neutral and focuses on security requirements.
1.2   Outside of the scope
The following aspects are considered outside of the scope of this document:
-   other trusted services that may be used alongside this service such as certificate issuance, signature validation service, time-stamping service and information preservation service;
-   any application or system outside of the TW4S (in particular the signature creation application including the creation of advanced signature formats);
-   signing key and signing certificate import from CAs;
-   the legal interpretation of the form of signature (e.g. electronic signature, electronic seal, qualified or otherwise).
1.3   Audience
This standard specifies security requirements that are intended to be followed by:
-   providers of TW4S systems;
-   Trust Service Providers (TSP) offering a signature creation service.

  • Standard
    43 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419040:2018(Main)
Rationalized structure for electronic signature standardization - Guidelines for citizens
SIST-TP CEN/TR 419040:2018

This Technical Report aims to help citizens to understand the relevance of using electronic signature within their day-to-day lives. It also explains the legal and the technical backgrounds of electronic signatures.
This document gives guidance on the use of electronic signatures and addresses typical practical questions the citizen may have on how to proceed to electronically sign, where to find the suitable applications and material.

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419010:2017(Main)
Framework for standardization of signatures - Extended structure including electronic identification and authentication
SIST-TP CEN/TR 419010:2017

The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the current Electronic Signature Directive from electronic signature towards electronic identification and electronic authentication. These two topics are closely linked to electronic signature and are considered in this context in this document. There are many documents, standards, industrial initiatives and European projects on identification and authentication, but the scope here is limited to electronic signature context, and wider to electronic transactions in the internal market.
The present Technical Report is twofold.
It firstly does a brief analysis of the implementing acts on electronic identities CIR 2015/1501 [29] and CIR 2015/1502 [30] and how this is addressed by the eID interoperability framework [31]. It secondly establishes what areas of existing standards are impacted by the eID framework and what further areas of standardization could assist nations in providing eID services.

  • Technical report
    15 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 419200:2017(Main)
Guidance for signature creation and other related devices
SIST-TP CEN/TR 419200:2017

The present Technical Report provides guidance on the selection of standards and options for the signature/seal creation and other related devices (area 2) as identified in the framework for standardization of signatures: overview ETSI/TR 119 000 [16].
The present Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5) and how the relevant standards and options for this area can be identified given the Business Scoping Parameters (Clause 6).
The target audience of this document includes:
-   business managers who potentially require support from electronic signatures/seals in their business and will find here an explanation of how electronic signatures/seals standards can be used to meet their business needs;
-   application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures/seals, and will gain a better understanding on how to select the appropriate standards to be implemented and/or used;
-   developers of the systems who will find in this document an understanding of the reasons that lead the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for a proper development.

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 419221-4:2016(Main)
Protection Profiles for TSP cryptographic modules - Part 4: Cryptographic module for CSP signing operations without backup
SIST-TS CEN/TS 419221-4:2017

This Technical Specification specifies a protection profile for cryptographic modules used by certification service providers (as specified in Directive 1999/93) for signing operations, without key backup. Target applications include root certification authorities (certification authorities which issue certificates to other CAs and is at the top of a CA hierarchy) and other certification service providers where there is a high risk of direct physical attacks against the module.

  • Technical specification
    47 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 419221-3:2016(Main)
Protection Profiles for TSP Cryptographic modules - Part 3: Cryptographic module for CSP key generation services
SIST-TS CEN/TS 419221-3:2017

This Technical Standard specifies a protection profile for cryptographic module for CSP key generation services.

  • Technical specification
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day