CEN/TR 419200:2017
Guidance for signature creation and other related devices
The present Technical Report provides guidance on the selection of standards and options for the signature/seal creation and other related devices (area 2) as identified in the framework for standardization of signatures: overview ETSI/TR 119 000 [16].
The present Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5) and how the relevant standards and options for this area can be identified given the Business Scoping Parameters (Clause 6).
The target audience of this document includes:
- business managers who potentially require support from electronic signatures/seals in their business and will find here an explanation of how electronic signatures/seals standards can be used to meet their business needs;
- application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures/seals, and will gain a better understanding on how to select the appropriate standards to be implemented and/or used;
- developers of the systems who will find in this document an understanding of the reasons that lead the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for a proper development.
SLOVENIAN STANDARD
1 October 2017
Guidance for signature creation and other related devices
Anleitung zur Signaturerstellung und andere ähnliche Geräte
Lignes directrices pour la création de signatures et autres dispositifs associés
This Slovenian standard is identical to: CEN/TR 419200:2017
ICS:
35.040.01 Information coding in general
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
CEN/TR 419200
TECHNICAL REPORT
RAPPORT TECHNIQUE
May 2017
TECHNISCHER BERICHT
ICS 35.030; 35.240.30
English Version
Guidance for signature creation and other related devices
Lignes directrices pour la création de signatures et autres dispositifs associés
Anleitung zur Signaturerstellung und andere ähnliche Geräte
This Technical Report was approved by CEN on 17 April 2017. It has been drawn up by the Technical Committee CEN/TC 224.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TR 419200:2017 E
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Terms and definitions . 6
3 Symbols and abbreviations . 7
4 Some concepts related to signature creation and other related devices . 8
4.1 Different types of signatures and seals . 8
4.2 Signature versus seal . 8
4.3 What is a signature creation device or other related device . 8
4.3.1 General . 8
4.3.2 Qualified electronic signature creation device . 8
4.3.3 Qualified electronic seal creation device . 10
4.4 Trusted versus un-trusted environment for electronic signature . 10
4.5 Mobile environment . 11
5 Types of services related to signature – Scoping factors . 11
5.1 General . 11
5.2 Services related to signature for a QSCD . 12
5.2.1 General . 12
5.2.2 Signature service . 12
5.2.3 Privacy aspects . 12
5.2.4 Identification service . 14
5.2.5 Authentication service . 14
5.2.6 Other potential services . 14
5.3 Services related to signature for a TSP. 16
5.3.1 General . 16
5.3.2 Signature service . 16
5.3.3 Certification Authority service . 17
5.3.4 Other services . 17
6 Selecting the Most Appropriate Standards and options . 17
6.1 Sub-Areas of Standardization . 17
6.1.1 General . 17
6.1.2 Policy and security Requirements . 18
6.1.3 Technical Specifications . 20
6.1.4 Conformity Assessment . 20
6.1.5 Interoperability Testing . 20
6.2 Selection of standards . 21
Annex A (informative) Business aspects/ Use cases from signature creation devices view . 22
A.1 General . 22
A.2 Telecommunications . 22
A.3 Identity . 22
A.4 Health . 23
A.5 Corporate . 23
A.6 Bank . 24
Annex B (informative) Illustration of Application of Standards . 25
B.1 General . 25
B.2 Telecommunications . 25
B.2.1 First example . 25
B.2.2 Second example . 25
B.3 Identity . 25
B.3.1 General . 25
B.3.2 First example . 26
B.3.3 Second example . 26
B.3.4 Third example . 27
B.4 Health . 27
B.4.1 First example . 27
B.4.2 Second example . 28
B.5 Corporate . 28
B.5.1 First example . 28
B.5.2 Second example . 28
B.6 Bank . 28
B.6.1 First example . 28
B.6.2 Second example . 29
Annex C (informative) Comparison of definitions between Directive 1999/93/EC and Regulation (EU) 910/2014 . 30
Bibliography . 32
European foreword
This document (CEN/TR 419200:2017) has been prepared by Technical Committee CEN/TC 224
“Personal identification and related personal devices with secure element, systems, operations and
privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association.
Introduction
ETSI/TR 119 000 [16] provides a general structure for electronic signatures standardization outlining
existing and potential standards for electronic signatures. This identifies six areas of standardization
with a list of existing and potential future standards in each area.
This guide is part of a series of guidance documents assisting users and their suppliers in identifying the
electronic signature standards and options relevant to their need. Each guide addresses a particular
area as identified in ETSI/TR 119 000 [16].
This series is based on the process of selecting Business Scoping Parameters for each area of
standardization based on an analysis of the business requirements. The selection of these scoping
parameters is based on a process involving an analysis of the business requirements and associated
risks leading to an identification of the policy and security requirements and the resulting Business
Scoping Parameters from which the appropriate standards and options can be selected. Having
identified the requirements in terms of Business Scoping Parameters for an area, each guidance
document provides assistance in selecting the appropriate standards and options for that area. Where
standards and options within one area make use of another area this is stated in terms of Scoping
Parameters of that other area.
This guidance does not include any normative requirements but provides guidance on addressing the
signature creation and other related devices area, on the selection of applicable standards and their
options for a particular business implementation context and associated business requirements and on
the implementation of a standard (or a series of standards).
This area covers signature devices but also electronic signature-related devices including (not
exhaustively) authentication devices, identity devices offering value added services around electronic
signatures. This list can be extended as further services that could be listed for devices are identified.
This general process of the selection of standards and options is described further in
ETSI/TR 119 000:2015, 4.2.6 [16].
1 Scope
The Technical Report provides guidance on the selection of standards and options for the
signature/seal creation and other related devices (area 2) as identified in the framework for
standardization of signatures: overview ETSI/TR 119 000 [16].
The Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5)
and how the relevant standards and options for this area can be identified given the Business Scoping
Parameters (Clause 6).
The target audience of this document includes:
— business managers who potentially require support from electronic signatures/seals in their
business and will find here an explanation of how electronic signatures/seals standards can be
used to meet their business needs;
— application architects who will find here material that will guide them throughout the process of
designing a system that fully and properly satisfies all the business and legal/regulatory
requirements specific to electronic signatures/seals, and will gain a better understanding on how to
select the appropriate standards to be implemented and/or used;
— developers of the systems who will find in this document an understanding of the reasons that lead
the systems to be designed as they were, as well as a proper knowledge of the standards that exist
in the field and that they need to know in detail for a proper development.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE Legal definitions (from Directive 1999/93/EC [20] or Regulation (EU) 910/2014 [21]) relative to this
document can be found in Annex C.
2.1
secure element
SE
tamper resistant component used to provide security, confidentiality, and multiple application
environment required to support various business models
EXAMPLE UICC, embedded SE, smartSD, smart microSD, etc.
2.2
trusted execution environment
TEE
specific execution environment on the application processor of a mobile phone (or any connected
device) that is made of both software and, depending on the support of the processor, hardware parts,
to manage access control to the memory management unit and define a boundary between the secure
and the non-secure (mobile OS) execution environments
2.3
trusted user interface
TUI
means to securely address user interaction for sensitive applications through the display, keyboard,
microphone, etc.
3 Symbols and abbreviations
For the purposes of this document, the following symbols and abbreviations apply.
C/S Client/Server
CC Common Criteria
CSP Certification Service Provider
CV Card Verifiable (certificate)
HIC Health Insurance Card
HPC Health Provider Card
IAS Identification, Authentication and Signature
IBAN International Bank Account Number
ICC Integrated Circuit Card
MNO Mobile Network Operator
PIN Personal Identification Number
PIV Personal Identity Verification (card)
PK Public Key
PP Protection Profile
QSCD Qualified electronic Signature Creation Device
SC Sole Control
SCA Signature-Creation Application
SCC Sole Control Component
SCDev Signature Creation Device
SE Secure Element
SIM Subscriber Identity Module
SSA Server Signing Application
SSCD Secure Signature Creation Device
SSH Secure Shell protocol
SSL Secure Sockets Layer protocol
STIC Système de Traitement des Infractions Constatées (system for processing recorded infringements)
SVA Signature-Validation Application
SWIFT Society for Worldwide Interbank Financial Telecommunication
TEE Trusted Execution Environment
TLS Transport Layer Security protocol
TSCM Trustworthy Signature Creation Module
TSP Trust Service Provider
TUI Trusted User Interface (in the context of TEE)
TW4S Trustworthy Systems Supporting Server Signing
UICC Universal Integrated Circuit Card
4 Some concepts related to signature creation and other related devices
4.1 Different types of signatures and seals
Regulation (EU) 910/2014 [21] introduces several levels for signatures, starting from “basic” electronic
signature up to advanced electronic signature. An advanced electronic signature created by a qualified
electronic signature creation device and based on a qualified certificate is equivalent to a hand-written
signature.
Regulation (EU) 910/2014 [21] introduces the notion of electronic seal, and gives several levels as for
electronic signatures, starting from “basic” electronic seal up to advanced electronic seal. An advanced
electronic seal created by a qualified electronic seal creation device and based on a qualified certificate
can benefit from the presumption of integrity and correctness of origin of the data to which the seal is
linked. The intention is e.g. to allow companies to issue business documents (e.g. invoices) matching EU
legal requirements.
4.2 Signature versus seal
An electronic seal is the electronic equivalent of a seal or stamp which applied on a document
guarantees its origin and integrity.
A seal can be viewed as an authority's proof of a document's content integrity, authenticity and level of
authority, while a signature is a person's or legal entity’s commitment to the content of a document. A
seal is created by a legal person (e.g. the tax revenue officer) and it expresses the will of the authority
(the state) in whose name the seal-creator acts. A signature always expresses the will of the signer
himself. Technically this means that a signature will always be confirmed by an explicit user verification
entry (e.g. PIN verification); this will not be systematically the case for a seal
(see EN 419212-2:2014 [26], Annex B, Table 1).
In the rest of this document there will be no particular notion of a seal since it technically compares to
the signature and does not need additional specific standards.
4.3 What is a signature creation device or other related device
4.3.1 General
The term “signature creation or other related devices” encompasses the signature creation device and
other signature-related devices including identification device, authentication device, seal device or
signature verification device (see Clause 5 for security services around electronic signature).
4.3.2 Qualified electronic signature creation device
An advanced electronic signature based on a qualified certificate and created by a qualified electronic
signature creation device (QSCD) is equivalent to a hand-written signature and is legally recognized.
Such QSCD is defined by Regulation (EU) 910/2014 as the following:
Qualified electronic signature creation device is an electronic signature creation device that meets
the following requirements (Annex II):
1. Qualified electronic signature creation devices shall ensure, by appropriate technical and procedural
means, that at least:
(a) the confidentiality of the electronic signature creation data used for electronic signature creation
is reasonably assured;
(b) the electronic signature creation data used for electronic signature creation can practically occur
only once;
(c) the electronic signature creation data used for electronic signature creation cannot, with
reasonable assurance, be derived and the electronic signature is reliably protected against
forgery using currently available technology;
(d) the electronic signature creation data used for electronic signature creation can be reliably
protected by the legitimate signatory against use by others.
2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such
data from being presented to the signatory prior to signing.
3. Generating or managing electronic signature creation data on behalf of the signatory may only be
done by a qualified trust service provider.
4. Without prejudice to point (d) of point 1., qualified trust service providers managing electronic
signature creation data on behalf of the signatory may duplicate the electronic signature creation
data only for back-up purposes provided the following requirements are met:
(a) the security of the duplicated data sets must be at the same level as for the original data sets;
(b) the number of duplicated data sets shall not exceed the minimum needed to ensure continuity of
the service.
The first part of the definition (points 1. and 2.) is almost the same as in
Directive 1999/93/EC [20], and a common interpretation is to implement it as a Secure Element.
In the EN 419212 series [4] “Application Interfaces for secure elements used as Qualified electronic
Signature (Seal-) Creation Devices”, the device is clearly assimilated to a SE and the document describes
all functional and security mechanisms, protocols and APDU commands to implement the European
legal framework for electronic signatures. A SE compliant with the standard will be able to produce a
“Qualified electronic signature” that fulfils the requirements of Regulation (EU) 910/2014 [21] and
therefore can be considered equivalent to a hand-written signature.
In the SSCD PP EN 419211 [3] 1) “Protection profiles for secure signature creation device”, a smart card is
indicated as a typical example for SSCD. Moreover, all products certified against the previous version of
SSCD PP (CWA 14169) are smart cards, see for example French certification body ANSSI web site
http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-conformes-sscd.html, German
certification body BSI web site https://www.bsi.bund.de/certified_products/digital_signature, or more
generic Common Criteria list of signature products web site
http://www.commoncriteriaportal.org/products.
According to Article 51 (1) in the Regulation (EU) 910/2014 [21], an SSCD compliant with
Directive 1999/93/EC [20] is compliant with the Regulation. This is highlighted by the study done by
IAS experts team on behalf of the Commission to support the implementation of the eIDAS
Regulation (EU) 910/2014 [21]: the documents SMART 2012/0001 [22] and [23] establish that the
SSCD PP EN 419211 [3] is compliant (except for terminology 1)) with Regulation (EU) 910/2014 [21] and
can be used as such as a reference for certification of QSCD. A Technical Report will detail the matching
for terminology between Directive 1999/93/EC [20] and Regulation (EU) 910/2014 [21] (to be
published by CEN/TC 224 WG17).
The second part of the definition (points 3. and 4.) clearly indicates that the generation and
management of electronic signature creation data can be done on behalf of the signatory, using a
remote server. ETSI ESI is defining architecture and policy requirements for the case of a mobile
environment (see ETSI SR 019 020 [11]). CEN/TC 224/WG 17 is working on the extension of the security
requirements for trustworthy systems supporting server signing (CEN/TS 419241 [7]) to a protection
profile to address this case (see 5.3.2).
1) The SSCD PP EN 419211 has been finalized within the Directive 1999/93/EC context. It is nevertheless compliant with
Regulation (EU) 910/2014, except for the terminology (a TR will be provided by CEN for the mapping), and applicable as such.
4.3.3 Qualified electronic seal creation device
An advanced electronic seal based on a qualified certificate and created by a qualified electronic seal
creation device is legally recognized. Such device is defined by Regulation (EU) 910/2014 [21] as the
following:
A qualified electronic seal creation device is an electronic seal creation device that meets the same
requirements as above, since Article 29 shall apply mutatis mutandis.
As already mentioned, a seal can be technically addressed by the available signature standards, including
those for QSCDs, the EN 419211 series [3] and the EN 419212 series [4].
4.4 Trusted versus un-trusted environment for electronic signature
Two environments can be distinguished with respect to signature creation applications.
If the SCA is in a trusted environment, the environment is considered to be trusted by the user. Device
authentication is not required, as the end-user knows the environment in which s(he) will create the
signature. See Figure 1.
Figure 1 — Trust of the environment
If the SCA is in an un-trusted environment, a device authentication will be used if the operating
environment of the QSCD cannot be entirely trusted by the user. This can be the case in public signature
terminals or other devices that cannot provide an a-priori secure channel. See Figure 2.
Figure 2 — Communication in untrusted environment
After successful device authentication, session keys are available on both sides to be used in subsequent
protected transmissions (with secure messaging).
An example of a trusted environment is an environment not connected to the external world (inside an
administration office).
The examples for an un-trusted environment are:
— SCA and QSCD are not at the same location;
— usage of biometrics if the sensor is off-card;
— usage of contactless cards.
4.5 Mobile environment
Mobile devices such as smart phones or tablets have been conquering the market over the past 5 years,
giving the opportunity to the end-user to perform electronic transactions including eBanking or
eGovernment. It is clearly a huge vector of deployment for electronic signature, and the European
Commission put emphasis on it when proposing Regulation (EU) 910/2014 [21].
Electronic trusted services may be performed at local level (e.g. through classical QSCD where the user
directly controls the use of the signing or other key through, e.g. the SIM card or whatever SE is
available in the mobile device) or at remote level through a mobile or conventional network (e.g. server
signing).
A mobile device is made of various elements, including SE(s) (at least one SIM/UICC), whose security
(tamper-resistance) and certification level (Common Criteria up to EAL4+ or EAL5+ level, with
resistance to high attack potential) are well-established. Mobile devices are gaining security robustness
with the Trusted Execution Environment and the Trusted User Interface standardized in
GlobalPlatform, and could deliver qualified electronic signatures.
CEN/TC 224 and ETSI TC ESI are extending the current standards to the mobile environment or
creating new ones when necessary. This is addressed in detail in Clause 6.
— The security requirements for a remote solution are described in CEN/TS 419241 [7].
— The different architectures are described in ETSI SR 019 020 [11], including local signing (signature
is performed from the mobile device, taking benefits from the various certified elements TEE, SE),
and remote signing (signature is performed remotely on behalf of the signatory, see also server
signing 5.3.2).
— The EN 419212 series [4] presents the local signing solution (to be done with a classical QSCD) and
the remote signing solution with a SE to authenticate the signatory to the remote server and
activate the signature.
5 Types of services related to signature – Scoping factors
5.1 General
When attempting to implement electronic signatures in a business context, a number of Business
Scoping Parameters inherent to this context need to be taken into account; otherwise the risk of
deploying a system that does not properly support the business in one way or another is extremely
high. These Business Scoping Parameters will condition the whole system lifecycle, from its inception to
its deployment and maintenance. In consequence, they will strongly influence the selection of the right
standards that deal with the direct management of electronic signatures, namely with: their generation,
their formats, their contents, their relative placement and relationship, their placement with respect to
the signed data object(s), their resilience to time (longevity) or to cryptanalysis advances, and their
validation.
Each of these Business Scoping Parameters can be seen as a key element of the standards selection
process, independent of other Business Scoping Parameters. In consequence in order to conduct a
proper standards selection process it is necessary first to analyse these Business Scoping Parameters
and second to use them as inputs in the selection process itself.
This clause enumerates and provides details of the business context related parameters that have a
direct impact in the selection of standards that directly deal with the management of electronic
signatures.
5.2 Services related to signature for a QSCD
5.2.1 General
This subclause focuses on the case where the signing device is owned by the end-user (e.g. SE used as a
QSCD). The remote signing case with a TSP is dealt with in 5.3.
A signature creation device providing digital signatures may also provide other services, including
authentication, identification, etc.; see below.
5.2.2 Signature service
Signature service encompasses several steps for the signature creation device:
1) Choice of cryptographic algorithms (including signature, hash and padding):
The choice of cryptographic algorithms may be done according to national legislation. The
document [18] can be used to select signature suites.
2) Device authentication:
A device authentication is performed when the environment where the signature device is being
used is not known to be trustworthy. This is typical for public environments (e.g. airport, shopping
mall, POS). Only in a trusted environment can device authentication be skipped (see [3]). A display
message can be shown on the terminal screen to inform the end-user that a device authentication is
in place and that s(he) can continue entering the credentials (e.g. a PIN or password) since the
environment is safe.
3) Activation of the digital signature service;
4) User verification (e.g. PIN or password verification):
User verification is needed to create a qualified electronic signature;
5) Selection of keys and certificates;
6) Signature generation.
5.2.3 Privacy aspects
This subclause describes privacy aspects in the case where the signing device is owned by the end-user
(e.g. SE used as a QSCD). Privacy is, however, also an issue for other solutions.
Privacy is to be considered when a card holder is exposed to an environment that can read privacy
parameters from the signing device ahead of any device authentication. Such privacy parameters can be
the unique signing device ID or other personalized parameters that allow a tracking and profiling of the
signing device holder.
For instance, if the nationality of a signing device holder can be identified by the nature of the signing
device description parameters (e.g. algorithm ID), then a signing device holder of certain nationality can
be exposed to observation.
All signing devices implement a signature application and differ in the combination of privacy and
security features. A card with a contact interface that is used in a trusted environment does not need any
device authentication. In contrast, contactless cards are vulnerable to skimming and eavesdropping
attacks and hence will require protection. Allowing the signing device ID or cryptographic objects to be
read before any authentication is the starting point of a device that does not protect privacy. Instead, a
password-based mechanism can be used which does not allow the signing device to be addressed unless
a password is entered first.
These different situations are illustrated in Figure 3 below, where the blue arrow indicates that device
authentication can be performed either after the selection of the signature application or before.
Figure 3 — Flow for signature generation depending of environment and privacy requirements
Privacy is addressed in Article 5 of Regulation (EU) 910/2014 [21], which requires that personal data be
processed in accordance with Directive 95/46/EC (a draft Regulation has been proposed).
5.2.4 Identification service
SEs have long been used as identification devices and are standardized as such in different markets: the
SIM card for mobile telephony (standardized by ETSI and 3GPP), the banking card for secure payment
(e.g. standardized by EMVCo), government products (e.g. ePassports, biometric passports, tachographs,
eResident permits, eID cards, eDriving licences, eHealthcare cards, eVoting cards) and corporate
products (e.g. the PIV card standardized by NIST).
QSCDs implemented by SE could be used to provide identification services in the context of the
Regulation (EU) 910/2014 [21].
5.2.5 Authentication service
Device authentication will occur in an un-trusted environment, where security is not guaranteed
between the different communicating parties. This device authentication results in the generation of
session keys, which establish a secure channel (e.g. Secure Messaging is applied to every subsequent
operation) and protect communications (integrity and/or confidentiality). For performance reasons,
the keys used for this secure messaging are symmetric keys.
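The secure messaging that 4.4 and 5.2.5 describe (device authentication in an un-trusted environment, after which both sides hold symmetric session keys that protect every subsequent command) can be made concrete with the following Go program. It is an added illustration, not code from CEN/TR 419200 or from the EN 419212 series: the key agreement is simplified to an ephemeral ECDH exchange with two nonces (an assumption; the certificate-based authentication of the device key and the real APDU encodings are left out), and the HMAC-based key derivation, the direction tag in the nonce, the function names and the command strings are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Session is one side's view of the secure messaging channel: the shared AEAD
// key, a direction tag so the two directions never reuse a nonce, and
// send/receive counters that make replay and reordering detectable.
type Session struct {
	aead                     cipher.AEAD
	sendDir, recvDir         byte
	sendCounter, recvCounter uint64
}

// deriveSessionKey binds the key to the agreed secret and both fresh nonces
// (constructed HMAC-SHA256 derivation, not the KDF of any particular standard).
func deriveSessionKey(shared, nonceTerminal, nonceDevice []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("secure-messaging-key"))
	mac.Write(nonceTerminal)
	mac.Write(nonceDevice)
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

func newSession(key []byte, sendDir, recvDir byte) *Session {
	block, _ := aes.NewCipher(key) // cannot fail: key is always 32 bytes here
	aead, _ := cipher.NewGCM(block)
	return &Session{aead: aead, sendDir: sendDir, recvDir: recvDir}
}

// Protect turns a plaintext command into nonce || ciphertext || tag, where the
// 12-byte GCM nonce is: direction tag, 3 zero bytes, 64-bit send counter.
func (s *Session) Protect(command []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	nonce[0] = s.sendDir
	binary.BigEndian.PutUint64(nonce[4:], s.sendCounter)
	s.sendCounter++
	out := append(make([]byte, 0, len(nonce)+len(command)+s.aead.Overhead()), nonce...)
	return s.aead.Seal(out, nonce, command, nil)
}

// Unprotect rejects replayed, reordered or wrong-direction messages via the
// counter in the nonce, then checks the GCM tag; state advances only on success.
func (s *Session) Unprotect(msg []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return nil, errors.New("secure messaging: message too short")
	}
	nonce, ct := msg[:ns], msg[ns:]
	if nonce[0] != s.recvDir || binary.BigEndian.Uint64(nonce[4:]) != s.recvCounter {
		return nil, errors.New("secure messaging: replayed, reordered or wrong-direction message")
	}
	pt, err := s.aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("secure messaging: integrity check failed")
	}
	s.recvCounter++
	return pt, nil
}

// EstablishSessions models device authentication between the terminal running
// the SCA and the signing device as an ephemeral ECDH exchange with two nonces
// (assumption: certificate-based authentication of the device key is left out).
// Afterwards both sides hold the same session key, as 4.4 and 5.2.5 describe.
func EstablishSessions() (terminal, device *Session, err error) {
	curve := ecdh.P256()
	terminalPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	devicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nonceTerminal, nonceDevice := make([]byte, 16), make([]byte, 16)
	rand.Read(nonceTerminal)
	rand.Read(nonceDevice)
	// Each side combines its own private key with the other's public key; the
	// ECDH calls cannot fail here because both keys are on the same curve.
	sharedT, _ := terminalPriv.ECDH(devicePriv.PublicKey())
	sharedD, _ := devicePriv.ECDH(terminalPriv.PublicKey())
	terminal = newSession(deriveSessionKey(sharedT, nonceTerminal, nonceDevice), 0x01, 0x02)
	device = newSession(deriveSessionKey(sharedD, nonceTerminal, nonceDevice), 0x02, 0x01)
	return terminal, device, nil
}

func main() {
	terminal, device, err := EstablishSessions()
	if err != nil {
		panic(err)
	}
	protected := terminal.Protect([]byte("SELECT signature application")) // constructed stand-in for an APDU
	cmd, err := device.Unprotect(protected)
	fmt.Printf("device received %q, err=%v\n", cmd, err)
	_, err = device.Unprotect(protected)
	fmt.Println("replayed message:", err)
}
```

The order of checks in `Unprotect` is deliberate: the counter and direction are checked before the tag, so a replayed or reordered message is rejected without any cryptographic work, and the receive counter only advances once the tag has verified, so a tampered message cannot desynchronize the channel.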
5.2.6 Other potential services
5.2.6.1 Client/Server authentication
This service typically applies in case the signing device is a SE used as a QSCD.
For proving access rights to components such as servers, a Client/Server authentication can be
performed between a remote server and a PC to establish a secure channel. In this case, the signing
device is used as a crypto toolbox for the client authentication. See the example in Figure 4.
Figure 4 — Example of client/server authentication
Relevant authentication protocols are e.g. the PK Kerberos protocol (for logon authentication,
see RFC 4120), the TLS protocol (Transport Layer Security protocol, see RFC 5246) or the SSH protocol
(Secure Shell protocol, see RFC 4251).
5.2.6.2 Role authentication
This service typically applies in case the signing device is a SE used as a QSCD.
The C/S authentication is based on an Internal Authentication protocol whereby the server
authenticates the signing device. For this purpose, the server reads the signing device’s certificate
(usually an X.509 certificate), which can carry an extension (according to X.509) denoting the role with
which the owner of the signing device is endowed to access some reserved data hosted on the server.
The differential access to these data is controlled by the server according to the rules defined by the
certificate extensions.
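The role authentication just described, as an added Go example (not code from CEN/TR 419200 or any CEN/ETSI deliverable): the signing device proves possession of its certified key by signing a server challenge (the Internal Authentication), and the server then takes its access decision from a role carried in an X.509 extension. The extension OID, the holder and role names, and the function names are constructed; the certificate is self-signed and no chain validation against a CA is performed (assumptions made to keep the example self-contained).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// roleOID is a constructed, hypothetical private-arc OID for the role extension;
// a real deployment would use the OID fixed by its certificate policy.
var roleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// IssueDeviceCertificate creates the signing device's key pair and a certificate
// carrying the role extension. It is self-signed for brevity (assumption); in a
// deployment the CA of the scheme would issue it.
func IssueDeviceCertificate(holder, role string) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	roleDER, err := asn1.Marshal(role) // role as a DER PrintableString
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: holder},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: roleOID, Value: roleDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, err
}

// DeviceSigner is the signing device's side of Internal Authentication: it
// signs the server's challenge with the private key that never leaves it.
func DeviceSigner(priv *ecdsa.PrivateKey) func(challenge []byte) ([]byte, error) {
	return func(challenge []byte) ([]byte, error) {
		h := sha256.Sum256(challenge)
		return ecdsa.SignASN1(rand.Reader, priv, h[:])
	}
}

// RoleFromCertificate is the server reading the role extension.
func RoleFromCertificate(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(roleOID) {
			continue
		}
		var role string
		rest, err := asn1.Unmarshal(ext.Value, &role)
		if err != nil || len(rest) != 0 {
			return "", errors.New("malformed role extension")
		}
		return role, nil
	}
	return "", errors.New("certificate carries no role extension")
}

// Authorize is the server side: a challenge-response proving the device holds
// the certified key, then the access decision from the certified role. Chain
// validation against the scheme's CA is omitted (assumption).
func Authorize(certDER []byte, sign func([]byte) ([]byte, error), requiredRole string) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("unsupported device key type")
	}
	challenge := make([]byte, 32) // fresh per run, so a captured response cannot be replayed
	rand.Read(challenge)
	sig, err := sign(challenge)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return false, errors.New("internal authentication failed")
	}
	role, err := RoleFromCertificate(cert)
	if err != nil {
		return false, err
	}
	return role == requiredRole, nil
}

func main() {
	priv, certDER, err := IssueDeviceCertificate("holder-01", "auditor") // constructed values
	if err != nil {
		panic(err)
	}
	ok, err := Authorize(certDER, DeviceSigner(priv), "auditor")
	fmt.Println("auditor data released:", ok, err)
	ok, err = Authorize(certDER, DeviceSigner(priv), "administrator")
	fmt.Println("administrator data released:", ok, err)
}
```

The role is read only after the challenge-response has succeeded, so a certificate that merely claims a role grants nothing unless the caller also holds the matching private key.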
5.2.6.3 Symmetric key transmission between a remote server and a signature creation device
This service typically applies in case the signing device is a SE used as a QSCD.
The key decipherment service consists in decrypting a symmetric key (K.sym in Figure 5) that is
encrypted with asymmetric cryptography. This symmetric key will be used to cipher (long) messages
(doc in Figure 5). This operation combines the advantages of the two methods: using symmetric
cryptography for performance (ciphering long messages) and using asymmetric cryptography for key
management in an open environment (where users do not know each other).
This is described in Figure 5 below, where the signing device is a SE used as a QSCD. The following
notations are used:
— E[K](m) means encryption with the key K of the message m. Typically the key can be symmetric
(K.sym) or asymmetric (public key part PuK.KE, private key part PrK.KE).
— doc stands for the document to be encrypted.
Figure 5 — Key decipherment and Document decipherment
The key decipherment service can be used for application level encryption key decipherment,
application level key agreement, key agreement or key exchange in Kerberos’ pre authentication phase
or electronic vault.
5.2.6.4 Signature verification
Signature verification can be performed by a signing device (using the digital signature algorithm
available for the signature service). To verify a digital signature on a signer's document, the
signing device needs the following data elements:
— the digest, or the data to be hashed;
— the public key of the signatory;
— the digital signature.
5.3 Services related to signature for a TSP
5.3.1 General
This subclause focuses on the case where the signing device is not owned by the end-user but
activated remotely through the TSP.
A TSP providing a signature service may provide other services, such as certificates and
time-stamping; see below. More generally, the case of a TSP providing digital signature and other
services is detailed in ETSI/TR 119 400 [19], with references to all applicable ETSI documents.
5.3.2 Signature service
Remote signing, or server signing, is another way to create an advanced electronic signature with a
centralized solution, as described in 4.3 (see Article 26 of the eIDAS Regulation (EU) 910/2014 [21],
which requires that an advanced electronic signature “is created using electronic signature creation
data that the signatory can, with a high level of confidence, use under his sole control”). The user
(or legal entity) delegates the signature process to a remote server and activates the signing
operation, so as to guarantee the sole control property.
The security analysis of possible solutions is currently under development in CEN/TC 224 WG17, with
the drafting of one or several PPs to encompass the different elements of the complete server signing
solution (trustworthy signature creation module TSCM and sole control component SCC), and to provide
authentication levels corresponding to different levels of sole control.
Figure 6 shows the architecture and the scope of requirements for the different elements of server
signing, aiming at a qualified solution (level 2 of sole control).
Figure 6 — Scope of requirements for server signing solution
5.3.3 Certification Authority service
This subclause concerns trustworthy systems managing certificates for digital signatures or website
authentication.
Regulation (EU) 910/2014 [21] defines the certification authority, in the scope of electronic
signatures, as a trust service provider (TSP).
In Directive 1999/93/EC [20], Annex II covered the requirements to be fulfilled by a TSP to deliver a
qualified certificate on which a legally effective signature could be based. There is no such Annex in
Regulation (EU) 910/2014 [21]; the requirements for a QTSP are found instead in Article 24.
5.3.4 Other services
The other trust services related to signatures for a TSP described in [19] include the signature
validation service and the time-stamp issuance service.
6 Selecting the Most Appropriate Standards and options
6.1 Sub-Areas of Standardization
6.1.1 General
The following table from the Rationalized Framework [16] shows the various standards (already published
or to be developed) in the field of signature creation and other related devices. For the standards in
the field of TSPs supporting digital signatures and other services, refer to ETSI/TR 119 400 [19].
Table 1 — Standards for signature creation and other related devices
6.1.2 Policy and Security Requirements
Policy and Security Requirements for Signature Creation Devices
In the field of implementing or selecting signature creation and other related devices, several standards
for policy and security requirements are applicable:
a) EN 419211 series, Protection Profiles for Secure Signature Creation Devices:
This multi-part document provides several Protection Profiles for different types of devices:
1) a device implementing key generation and signature should follow EN 419211-2;
2) a device implementing key import and signature should follow EN 419211-3;
3) the extensions (EN 419211-4, -5, -6) are necessary to cover trusted communication in both
cases.
b) TR 419 21x Title to be defined:
This document is a companion document to the EN 419211 series, aligning the terminology
between Directive 1999/93/EC and Regulation (EU) 910/2014, since the EN 419
...