Download
1 / 21
210 likes | 219 Views
This workshop explores best practices for handling signed data in digital accounting, including procedures for handling advanced electronic signatures and policy requirements for trusted service providers. It also examines national practices for accounting and digital accounting in Italy, Germany, Spain, France, and the UK.
E N D
CEN/ISSS Workshop on Electronic Invoices ETSI STF 305: Procedures for Handling Advanced Electronic Signatureson Digital Accounting Nick Pope – Thales e-SecuritySTF 305 Team Leader www.thalesgroup.com/esecurity
Specialist Task Force - Terms of Reference • Propose drafts to ETSI Technical Committee onElectronic Signatures and Infrastructures for: • Technical Report on Best Practices for handling electronic signatures and signed data for digital accounting • Technical Specification on Policy requirements for trust service providers signing and/or storing data for digital accounting www.thalesgroup.com/esecurity
Approach Italy Germany Spain France UK Study into National Practices For Accounting & Digital Accounting Best Practices for Handling signed data forDigital Accounting Policy Requirements for Trusted Service Providers Signing / Storing Data For Digital Accounting www.thalesgroup.com/esecurity
Approach Italy Germany Spain France UK Study into National Practices For Accounting & Digital Accounting Maximum & Minimum Best Practices for Handling signed data forDigital Accounting EU e-Invoicing Requirements Commonly Acceptable Policy Requirements for Trusted Service Providers Signing / Storing Data For Digital Accounting www.thalesgroup.com/esecurity
Targeting Digital Accounting Through e-Invoicing • National accounting practices widely vary • Council Directive 2001/115/EC + CWA 15579provide common requirement for signed VAT Invoices • Took e-Invoicing requirements as common basis for Digital Accounting www.thalesgroup.com/esecurity
Basic Model www.thalesgroup.com/esecurity
Trusted Service Provider Model www.thalesgroup.com/esecurity
Use Scenarios • Main Target: • Pan European Trade supported by two external TSPs • Other potential • National Trade supported by TSP(s) • Large Company Internal Service www.thalesgroup.com/esecurity
Advantages of applying Best Practice / Policy Targeted Security controls • Ensure that documents are kept over necessary period • Ensure that singing keys are held & ,maintained securely • Reduce revocation management • Ensure that security of documents is properly maintained • Access security • Storage security • Signature validity www.thalesgroup.com/esecurity
Draft Technical Report (TR) Based on ISO/IEC 17799 + ISO/IEC 27001 Information Security Management System Specific Controls & Objectives for: • Signature • Maintenance of Signature over storage period • Storage • Reporting to authorities • Scanning paper originals + ISO/IEC 17799 standard objectives www.thalesgroup.com/esecurity
Draft TR - Signature • Maximum Identified Practices • Advanced Electronic Signature • Qualified Certificate • Secure Signature Creation Device • Registration – ID documents & authorisation • Timely revocation • Minimum Identified Practices • Advanced Electronic Signature • CA meets recognised policy requirements • Sole control requirement met • Nationally “Acceptable” registration • Nationally “Acceptable” revocation www.thalesgroup.com/esecurity
Draft TR – Signature (continued) • Commonly Acceptable Practice for Trusted Service Provider (TSP) offering signing / storage services: • Advanced Electronic Signature • Qualified CA or CA meets recognised policy requirements • SSCD or Sole control requirement met • Registration – ID documents & authorisation • Timely revocation www.thalesgroup.com/esecurity
Draft TR – Signature Maintenance • Maximum Identified practices • Technical / organisational procedures to assure signature verifiable throughout storage period • Minimum identified practices • Nationally acceptable practices • Commonly Acceptable for TSP • Technical / organisational procedures to assure signature verifiable throughout storage period www.thalesgroup.com/esecurity
Draft TR – Storage • Maximum Identified practices • Authorised access via secure channel • Authentication, Integrity & optional content commitment (non-repudiation) • Assure viewer available through lifetime • Held on long term media / copied to assure no loss of data • Held in original format – no macros / hidden code • Confidentiality of company information by separation • Minimum identified practices • No remote access required – local access as authorised • Authentication & integrity in line with national rules • No specific requirement regarding readability • Owner liable for any loss of data • No special requirement regarding format • Confidentiality maintained in storage www.thalesgroup.com/esecurity
Draft TR – Storage • Commonly Acceptable Practices for TSPs • Authorised access via secure channel • Authentication, Integrity & optional content commitment (non-repudiation) • Assure viewer available through lifetime • Held on long term media / copied to assure no loss of data • Held in original format – no macros / hidden code • Confidentiality by logical or physical separation www.thalesgroup.com/esecurity
Draft TR – Reporting • Maximum Identified practices • Signed & Use secure channels (e.g. SSL) • Minimum identified practices • Use secure channels • Commonly Acceptable for TSP • Signed & Use secure channels (e.g. SSL) www.thalesgroup.com/esecurity
Draft TR – Scanned Document • Maximum Identified practices • Assertion (e.g. signature) that true copy • Minimum identified practices • Assured by good practice • Commonly Acceptable for TSP • Good practice & assertion where required www.thalesgroup.com/esecurity
Draft TR – ISO 17799 Objectives & Controls • Maximum Identified practices • ISO 17799 compliance / national rules • + Specific controls for trusted personnel & components • Minimum identified practices • ISO 17799 desired • Commonly Acceptable for TSP • ISO 17799 Conformance Recommended / national rules • + Specific controls for trusted personnel & components www.thalesgroup.com/esecurity
Draft Technical Specification • Targeted just at Trust Service Provider (TSP) • = Commonly acceptable practices from Technical Report worded in terms of specific requirements (shall) • Two levels recognised: • Normalised (Advanced Electronic Signature) • Extended (Qualified Electronic Signature) www.thalesgroup.com/esecurity
Status • Drafts out for review and comment by 12-Jan-2007: http://portal.etsi.org/docbox/esi/Open/SODA/ • Final ratification & publication end Q1 2007 • Comments / Questions ? • nick.pope@thales-esecurity.com www.thalesgroup.com/esecurity
ETSI STF 298 – Advanced Electronic Signature Profiles • ETSI Profiles for Advanced Electronic Signatures • TS 102 734 – Profiles of CMS (RFC 3852) Advanced Electronic Signatures based on TS 101 733 (CAdES) • TS 102 904 – Profiles of XML Advanced Electronic Signatures based onTS 101 903 (XAdES) • Profiles for • Government • E-Invoicing • Baseline for other applications • Short term & Long term www.thalesgroup.com/esecurity
