Framework for standardization of signatures - Extended structure including electronic identification and authentication

The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the current Electronic Signature Directive from electronic signature towards electronic identification and electronic authentication. These two topics are closely linked to electronic signature and are considered in that context in this document. There are many documents, standards, industrial initiatives and European projects on identification and authentication, but the scope here is limited to the electronic signature context and, more widely, to electronic transactions in the internal market.
The present Technical Report is twofold.
It firstly gives a brief analysis of the implementing acts on electronic identities, CIR 2015/1501 [29] and CIR 2015/1502 [30], and of how these are addressed by the eID interoperability framework [31]. It secondly establishes which areas of existing standards are impacted by the eID framework and which further areas of standardization could assist nations in providing eID services.


General Information

Status: Published
Publication Date: 06-Sep-2017
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 13-Jun-2017
Due Date: 18-Aug-2017
Completion Date: 07-Sep-2017

Technical report: SIST-TP CEN/TR 419010:2017
Language: English
Length: 15 pages
Standards Content (sample)

SLOVENIAN STANDARD
SIST-TP CEN/TR 419010:2017
01-October-2017

Framework for standardization of signatures - Extended structure including electronic identification and authentication
(The cover gives the title in Slovenian, English, German and French.)

This Slovenian standard is identical to: CEN/TR 419010:2017

ICS:
35.040.01 Information coding in general

SIST-TP CEN/TR 419010:2017 en,fr,de

Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

CEN/TR 419010
TECHNICAL REPORT
May 2017
ICS 35.030; 35.240.30

English Version

Framework for standardization of signatures - Extended structure including electronic identification and authentication
(The title is also given in French and German.)

This Technical Report was approved by CEN on 17 April 2017. It has been drawn up by the Technical Committee CEN/TC 224.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TR 419010:2017 E
CEN/TR 419010:2017 (E)
Contents

European foreword
Introduction
1 Scope
2 Terms and definitions
3 Symbols and abbreviations
4 Overview of the eID landscape in official documents
4.1 Overview of CIR 2015/1502
4.2 Overview of CIR 2015/1501
4.3 Overview of Interoperability Framework
5 Impact on standards currently identified in the ETSI/CEN framework for standardization of signatures
5.1 General
5.2 Impact on standards in area 1
5.3 Impact on standards in area 2
5.4 Impact on standards in area 3
5.5 Impact on standards in area 4
5.6 Impact on standards in area 5
5.7 Impact on standards in area 6
6 Further standardization support for national eID
6.1 General
6.2 Policy Requirements for Identity Provider related services
6.3 Devices
Bibliography

European foreword

This document (CEN/TR 419010:2017) has been prepared by Technical Committee CEN/TC 224 “Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association.
Introduction

The Digital Agenda for Europe mentions in Pillar I (Digital Single Market) Action 8 (Revision of the eSignature Directive), which includes mutual recognition of electronic identification.

The first phase of Standardization Mandate M/460 [27], issued by the Commission to CEN, CENELEC and ETSI for updating the existing eSignature standardization deliverables, produced a rationalized framework intended to be the entry point for electronic signature standardization and to overcome the complexity of the standardization landscape within the context of the Signature Directive 1999/93/EC [26], taking into account possible revisions to this Directive, and proposed a future work programme to address any elements identified as missing in this rationalized framework.

To take into account the needs for electronic identification and authentication, identified as a gap in the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 [23], it was decided to study the standardization landscape around electronic identification and authentication as distinct from electronic signatures, identifying gaps and needs for standardization.

The Commission adopted Regulation (EU) 910/2014 [27] on electronic identification and trust services for electronic transactions in the internal market on 23 July 2014, to provide a legal framework which includes consistent and coherent provisions on electronic identification and trust services, in order to overcome the deficiencies of the eSignatures Directive 1999/93/EC [26] and to provide legal measures on cross-border mutual recognition and acceptance of national eIDs.

The Commission published CIR 2015/1502 [30] on assurance levels for electronic identification means and CIR 2015/1501 [29] on the interoperability framework, to help the development of interoperable identity schemes across MS.

The eIDAS Expert Group has published a set of technical specifications [31] for the eIDAS interoperability framework, including an architecture document and a document of cryptographic requirements, to complement CIR 2015/1501 [29]. This is considered to address the interoperability requirements for use of eIDs across Europe.

This document analyses the impact of these two CIRs, firstly on the already published standards identified in the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 [23], and secondly on potential requirements for further standards for harmonizing national approaches to identification and authentication, as a new area in the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 [23].
1 Scope

The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the current Electronic Signature Directive from electronic signature towards electronic identification and electronic authentication. These two topics are closely linked to electronic signature and are considered in that context in this document. There are many documents, standards, industrial initiatives and European projects on identification and authentication, but the scope here is limited to the electronic signature context and, more widely, to electronic transactions in the internal market.

The present Technical Report is twofold.

It firstly gives a brief analysis of the implementing acts on electronic identities, CIR 2015/1501 [29] and CIR 2015/1502 [30], and of how these are addressed by the eID interoperability framework [31]. It secondly establishes which areas of existing standards are impacted by the eID framework and which further areas of standardization could assist nations in providing eID services.
2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

NOTE Reg stands for the eIDAS Regulation [28], ISO for ISO/IEC 29115 [40] and CIR for CIR 2015/1501 [29] or CIR 2015/1502 [30]. Refer also to ETSI/TR 119 001 [24].

2.1
Authentication (ISO)
verification that an entity is the claimed one

2.2
Authentication (Reg)
electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form, to be confirmed

2.3
Authentication factor (ISO)
piece of information and/or process used to authenticate or verify the identity of an entity

Note 1 to entry: Authentication factors are divided into four categories:
— something an entity has (e.g. device signature, passport, hardware device containing a credential, private key);
— something an entity knows (e.g. password, PIN);
— something an entity is (e.g. biometric characteristic); or
— something an entity typically does (e.g. behaviour pattern).

2.4
Authentication factor (CIR)
factor confirmed as being bound to a person, which falls into any of the following categories:
— ‘possession-based authentication factor’ means an authentication factor where the subject is required to demonstrate possession of it;

— ‘knowledge-based authentication factor’ means an authentication factor where the subject is required to demonstrate knowledge of it;
— ‘inherent authentication factor’ means an authentication factor that is based on a physical attribute of a natural person, and of which the subject is required to demonstrate that they have that physical attribute.

2.5
Identity (ISO)
set of attributes related to an entity

Note 1 to entry: Within a particular context, an identity can have one or more identifiers to allow an entity to be uniquely recognized within that context.

2.6
Electronic identification (Reg)
process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person

2.7
Node (CIR)
connection point which is part of the electronic identification interoperability architecture and is involved in cross-border authentication of persons and which has the capability to recognize and process or forward transmissions to other nodes by enabling the national electronic identification infrastructure of one MS to interface with national electronic identification infrastructures of other MSs

2.8
Node Operator (CIR)
entity responsible for ensuring that the node performs correctly and reliably its functions as a connection point

2.9
Level of eID assurance (Reg)
degree of confidence in electronic identification means in establishing the identity of a person, thus providing assurance that the person claiming a particular identity is in fact the person to which that identity was assigned

Note 1 to entry: The regulation defines three levels: low, substantial and high; these are detailed in CIR 2015/1502 [30].

2.10
Signatory (Reg)
natural person who creates an electronic signature
3 Symbols and abbreviations
For the purpose of this document, the following abbreviations apply.
CC Common Criteria
CIR Commission Implementing Regulation
eSENS Electronic Simple European Networked Services
IAS Identification, Authentication, Signature
ICC Integrated Circuit Card
IdP Identity Provider
MAC Message Authentication Code
MNO Mobile Network Operator
MRED Machine-Readable Electronic Documents
MS Member State
NIST National Institute of Standards and Technology
PIN Personal Identification Number
PP Protection Profile
QAA Quality of Authentication Assurance (STORK)
QSCD Qualified Signature/Seal Creation Device
RA Registration Authority
RF Rationalized Framework
RP Relying Party
SAD Signature Activation Data
SAML Security Assertion Markup Language
SAP Signature Activation Protocol
SCA Signature-Creation Application
SE Secure Element
SIM Subscriber Identity Module
SP Service Provider
SSCD Secure Signature Creation Device
STORK Secure identiTy acrOss boRders linKed
TLS Transport Layer Security
TR Technical Report
TS Technical Specification
TSP Trust Service Provider
TSCM Trustworthy Signature Creation Module
TTP Trusted Third Party
4 Overview of the eID landscape in official documents

4.1 Overview of CIR 2015/1502

CIR 2015/1502 [30] describes technical specifications and procedures for the three assurance levels of the Regulation (low, substantial and high) for electronic identification means issued by a MS having notified its electronic identification scheme.

The document details requirements for:
— enrolment (application, registration, identity proofing and verification),

— electronic identification means management (characteristics, design, issuance, delivery, activation, suspension, revocation, reactivation, renewal and replacement),
— authentication (using dynamic authentication at level substantial),
— management and organization (including compliance and audit).

The international standard ISO/IEC 29115 [40] and the European project STORK (and its QAA levels) have been taken into account. It is suggested to apply the principles and methodologies of the ISO/IEC 27000 [38] and ISO/IEC 20000 [37] series for information security and service management.

4.2 Overview of CIR 2015/1501

CIR 2015/1501 [29] describes the technical and operational requirements of the interoperability framework to ensure interoperability of notified identification schemes within MS.

It introduces nodes (and node operators, see Clause 2 on definitions) as being central for the interconnection of MS electronic identification schemes. It describes the minimum data set for identifying a natural or legal person. It binds this with CIR 2015/1502 [30] and provides requirements for data privacy (no personal data storage at nodes) and for confidentiality and integrity (of the data exchanged between nodes). The document refers to ISO/IEC 27001 [39] for operators of nodes providing authentication.

4.3 Overview of Interoperability Framework

CIR 2015/1501 has been complemented by a complete interoperability framework document (and a reference implementation) established by the Commission in cooperation with MS. The interoperability framework [31] includes:

a) An Interoperability Architecture [32] which specifies the components for interoperability between national eID schemes under the eIDAS regulation. This i
...
