Sophia Antipolis, France, 2 April 2019
The signer relies on a third-party trust service to manage its signing key and digitally sign documents under its control. To guarantee that the cloud-based signature creation environment is reliable and that the signing key is used under the control of the signer, the provider of the remote digital signature service has to apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels.
“This is an important step forward for security in deploying digital signatures which takes into account the move to cloud-based services and mobile devices. These standards enable a new way of implementing Trust Services which greatly simplifies their use and provides an important toolset to counter growing Internet fraud targeting online business and government”, says Nick Pope, ETSI TC ESI Vice Chair.
ETSI TS 119 431 parts 1 and 2 define those policy and security requirements which can be used by Conformity Assessment Bodies to certify that a trust service provider follows best practices for the operation of such cloud-based signature creation services, in particular in the context of the eIDAS Regulation (EU) 910/2014. ETSI’s work complements the CEN publications EN 419241-1:2018 (general requirements for trustworthy systems supporting server signing) and EN 419241-2:2019 (protection profile for a qualified electronic signature creation device (QSCD) for server signing), which provide the essential core of secure signing in the cloud.
ETSI TS 119 432 specifies the protocol that allows a client application to request the creation of a digital signature from a server. This specification establishes a protocol for secure communication between the different components needed to create a secure digital signature in the cloud, in line with the security standards laid down in the eIDAS Regulation. Two bindings are specified for this protocol: XML, which builds on the OASIS DSS-v2.0 specification, and JSON, which builds on the Cloud Signature Consortium (CSC) specification. ETSI collaborated with OASIS and CSC to produce its protocol specification.
About ETSI
ETSI provides members with an open and inclusive environment to support the timely development, ratification and testing of globally applicable standards for ICT-enabled systems, applications and services across all sectors of industry and society. We are a not-for-profit body with more than 850 member organizations worldwide, drawn from 64 countries and five continents. Members comprise a diversified pool of large and small private companies, research entities, academia, government and public organizations. ETSI is one of only three bodies officially recognized by the EU as a European Standards Organization (ESO).
For more information please visit: www.etsi.org
Contact
Claire Boyer
Mob: +33 (0)6 87 60 84 40
