Prime minister

Agence nationale de la sécurité des systèmes d’information

Qualified validation services for qualified electronic signatures and qualified electronic seals

Criteria for assessing compliance with the eIDAS regulation

Based on French version 1.0 of 3 January 2017

VERSION HISTORY

DATE | VERSION | DOCUMENT CHANGES | EDITOR
16/06/2016 | 0.8 | Working version for comments. | ANSSI
03/01/2017 | 1.0 | Version for application on 31 January 2017. Amendments: see the list below. | ANSSI

Amendments in version 1.0:
- Details relating to the inclusion into the trusted list;
- Amendment to the requirements relating to the preservation of data;
- Supplements relating to the verification of time stamp modules;
- Modification of the requirements relating to the freshness of revocation status information;
- Details relating to the verification of the qualified status of the signature certificate or of the seal to the retrieval of the identity of the seal signatory or creator;
- Minor modifications and clarifications.

Comments on this document should be sent to:

Agence nationale de la sécurité des systèmes d’information SGDSN/ANSSI 51 boulevard de La Tour-Maubourg 75700 Paris 07 SP [email protected]

Qualified validation services for qualified electronic signatures and qualified electronic seals – Criteria for conformity assessment with the eIDAS regulation Version Date Circulation criterion Page 1.0 03/01/2017 PUBLIC 2/13

CONTENTS

I. Introduction
I.1. Subject
I.2. Legal framework
I.3. Updating
I.4. Acronyms
II. Requirements relating to qualified validation services for qualified electronic signatures and seals
II.1. Qualification terms
II.1.1. Qualification process
II.1.2. Considerations relating to the inclusion into the trusted list
II.2. Criteria for conformity assessment
II.3. Supplements to standards [EN_319_401] and [EN_319_102]
II.3.1. Supplements relating to the supply of the result of the validation of a qualified electronic signature or seal
II.3.2. Supplements relating to the signature or to the seal of the validation report
II.3.3. Supplements relating to the protection of the validation applications
II.3.4. Supplements relating to the preservation of information issued and received
II.3.5. Supplements relating to service continuity and to the termination of the activity of the TSP
II.3.6. Supplements relating to the presumed date and time of the creation of the qualified electronic signature and electronic seal
II.3.7. Supplements relating to the freshness of the revocation information
II.3.8. Supplements relating to the qualified status of the signature or seal certificate and of the signature or seal creation device
II.3.9. Supplements relating to the verification of the qualified status of the trust service provider that issued the signature or seal certificate
II.3.10. Supplements relating to the identity of the signatory or creator of the seal
Appendices
I. Appendix 1 Documentary references
II. Appendix 2 Coverage of the requirements of the [eIDAS] regulation


I. Introduction

I.1. Subject

Within the framework of the [eIDAS] regulation, ANSSI, designated as a supervisory body by the note from the French authorities [NOTIFICATION], has the task of supervising compliance with the requirements of the regulation by the qualified trust service providers and the conformity of the qualified trust services they provide. This note describes the criteria for conformity assessment with the requirements of the [eIDAS] regulation of the qualified validation services for qualified electronic signatures and qualified electronic seals. These requirements apply in cumulative manner with those described in the note [PSCO_QUALIF], applicable to all qualified trust service providers.

I.2. Legal framework

The qualified validation services for qualified electronic signatures and qualified electronic seals implemented by a trust service provider which comply with the requirements specified in chapter II of this document make it possible to provide legal certainty concerning the validity of the qualified electronic signatures and qualified electronic seals as defined by the [eIDAS] regulation.

I.3. Updating

The advisability of updating this document is assessed by ANSSI and can in particular result from a change in the regulatory or standards framework linked to the [eIDAS] regulation or from a change in the state of the art. ANSSI specifies the effective date of each update and the transition arrangements where applicable.

I.4. Acronyms

The acronyms used in this reference document are:

- ANSSI: Agence Nationale de la Sécurité des Systèmes d’Information (National Cybersecurity Agency of France).
- CSPN: Certification de Sécurité de Premier Niveau (first level security certification).
- OCSP: Online Certificate Status Protocol.
- TSP: Trust Service Provider.


II. Requirements relating to qualified validation services for qualified electronic signatures and seals

II.1. Qualification terms

II.1.1. Qualification process

The process for qualifying a validation service for qualified electronic signatures and seals is part of the process of qualifying a trust service provider, as described in note [PSCO_QUALIF].

II.1.2. Considerations relating to the inclusion into the trusted list

A qualified validation service for qualified electronic signatures and seals is identified in the trusted list:
- by means of the electronic certificate used to apply the seal of the TSP on the validation report; or
- by means of the electronic certificate from a certification authority operated under the responsibility of the qualified TSP, solely for its own needs, and not issuing any certificates for non-qualified validation services.

In the first case, if several certificates for electronic seals are implemented for the same qualified validation service, this gives rise to the inclusion of several services in the trusted list.

In the second case, the conformity assessment must make it possible to demonstrate that this certification authority issues certificates only for the exclusive attention of trust services operated by the qualified TSP, and that the latter has set up appropriate organisational and technical measures in order to ensure that none of the certificates issued is used by a non-qualified validation service.


II.2. Criteria for conformity assessment

The assessment must make it possible to demonstrate compliance with the requirements of the [eIDAS] regulation that apply to the qualified validation services for qualified electronic signatures and seals, specified in the following articles:
- 24(2).e Use of trustworthy systems and products, security and reliability of the processes;
- 24(2).h Preservation of the data of an electronic signature and electronic seal validation service;
- 24(2).i Termination plan of an electronic signature and electronic seal validation service;
- 32(1) Validation process of a qualified electronic signature, making it possible to verify that:
  - 32(1).a: The certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Appendix I;
  - 32(1).b: The qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;
  - 32(1).c: The signature validation data corresponds to the data provided to the relying party;
  - 32(1).d: The unique set of data representing the signatory in the certificate is correctly provided to the relying party;
  - 32(1).e: The use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
  - 32(1).f: The electronic signature was created by a qualified electronic signature creation device;
  - 32(1).g: The integrity of the signed data has not been compromised;
  - 32(1).h: The requirements relating to the advanced electronic signature (art. 26) were satisfied at the time of the signature;
- 33(1).a Compliance with the requirements that are the subject of article 32, paragraph 1;
- 33(1).b Supplying to relying parties of the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service;
- 40 Mutatis mutandis application of articles 32 and 33 to the validation of qualified electronic seals.

Compliance with the requirements of standard [EN_319_401] relating to the preservation of data and to the termination plan, the validation process defined in [EN_319_102] and the supplements mentioned in chapter II.3 of this document, makes it possible to provide a presumption of compliance with these requirements.


II.3. Supplements to standards [EN_319_401] and [EN_319_102]

II.3.1. Supplements relating to the supply of the result of the validation of a qualified electronic signature or seal

The validation process must make it possible to supply to the relying party the result of the validation process in an automated manner, which is reliable, efficient and bearing the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service. Standard [EN_319_102] specifies that the result of the validation process is provided via a validation report which allows for a detailed study of the decisions taken during the validation phase and the justification for the validation status.

Requirement: The TSP must allow access to the signature or seal validation service, and make this validation report available to relying parties in an automated manner. In order to guarantee the proper interpretation of the validation report, the TSP must also render public its validation policy for qualified electronic signatures or qualified electronic seals.

II.3.2. Supplements relating to the signature or to the seal of the validation report

The validation process must make it possible to supply to the relying party the result of the validation process in an automated manner, which is reliable, efficient and bearing the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

Requirement: The cryptographic modules used to apply the advanced electronic signature or the advanced electronic seal of the service provider on the validation report of the qualified electronic signature or the qualified electronic seal must be compliant with the rules defined in note [PSCO_QUALIF]. It is recommended that the certificate on which the electronic signature or electronic seal is based is a qualified certificate.

II.3.3. Supplements relating to the protection of the validation applications

The qualified validation service provider must demonstrate that it has set up technical and organisational measures that make it possible to reduce the risks to the application used for the validation.

Requirement: It is recommended that the signature or seal validation application has been the subject of a first level security certification (CSPN) according to a security target verified by ANSSI.


II.3.4. Supplements relating to the preservation of information issued and received

The requirements of clause 7.10 of standard [EN_319_401] apply. The qualified validation service provider must preserve for a minimum period of seven (7) years after the validation date of the qualified electronic signature or of the qualified electronic seal, all pertinent information concerning the data issued and received, in particular for the purpose of providing evidence in legal proceedings. The qualified validation service provider specifies in its general terms and conditions, the preservation time that is actually applied as well as the particulars for reversibility and portability.

Requirement: All pertinent information, forwarded by the applicant or collected electronically for the validation of the electronic signature or electronic seal, must be preserved for seven (7) years, including at least:
- The date and time of the validation of the qualified electronic signature or seal;
- The data provided by the applicant for the signature or seal validation (value of the electronic signature or of the electronic seal if the latter can be separated from the signed document or single representation of the signed document otherwise) as well as the identity of the applicant if the latter has been the subject of an identification for access to the service;
- The external data (trusted lists, lists of revoked certificates, OCSP responses, …) used to validate the signature or the seal;
- The report containing the result of the validation of the qualified electronic signature or seal.

II.3.5. Supplements relating to service continuity and to the termination of the activity of the TSP

The requirements of clauses 7.11 and 7.12 of standard [EN_319_401] apply. In the event of activity termination, the TSP must destroy the private keys used to sign the validation reports.


II.3.6. Supplements relating to the presumed date and time of the creation of the qualified electronic signature and electronic seal

The validation process must make it possible to attest that:
- the certificate on which the signature or the seal is based, was, at the time of the signature or the creation of the seal, a qualified electronic signature certificate or a qualified electronic seal certificate;
- the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing or the creation of the seal.

This requirement makes it necessary to know the date and the time of the creation of the qualified electronic signature or the qualified electronic seal in order to be able to verify:
- that the certificate was indeed within its period of validity;
- that the certificate was not revoked;
- that the service provider that issued the certificate was indeed in the trusted list, and that the corresponding certificate issuance service did indeed have qualified status;
at the time of the creation of the qualified electronic signature or the qualified electronic seal.

Requirement: The reference date and time for the validation are the date and time at which the electronic signature or the electronic seal is supplied to the validation service in the following cases:
- There is no date and time associated with the signature or the seal; or
- The date and time are in the signature or the seal in the form of attributes filled in by the signatory.

If the date and time are associated with the signature or with the seal by means of a non-qualified electronic time stamp, it is the responsibility of the qualified validation service provider to accept or not this date and time as a validation reference. In case of non-acceptance, the reference date and time are those of the time of validation. The TSP must render public its policy for accepting non-qualified time stamps (including the particulars for verifying electronic time stamp tokens).

If the date and time are associated with the signature or with the seal by a qualified electronic time stamp, this date and time are taken as reference for the validation. The TSP must perform all of the technical operations that are required to validate the time stamp token, in particular:
- the cryptographic verifications (verification of the hash value and of the signature mentioned in the time stamp token); and
- the verifications of the information relating to the qualified electronic time stamp service in the trusted list, in accordance with the requirements of standard [TS_119_612] (qualified status of the service, presence of the certificate of the electronic time stamp unit or of the issuing certification authority in this list).

II.3.7. Supplements relating to the freshness of the revocation information

The validation service must systematically poll the most recent information made available by the issuing certification authority of the qualified certificate. If this authority makes an OCSP responder service available, it is recommended to rely on the latter.


II.3.8. Supplements relating to the qualified status of the signature or seal certificate and of the signature or seal creation device

The validation process must make it possible to attest that:
- the certificate on which the signature or the seal is based, was, at the time of the signature or the creation of the seal, a qualified electronic signature certificate or a qualified electronic seal certificate;
- the electronic signature or the electronic seal was created by a qualified electronic signature / seal creation device.

Requirement: The presence of the following certificate extensions, populated in the manner provided for in standard [EN_319_412-5], must be verified:
- "id-etsi-qcs-QcCompliance";
- "id-etsi-qcs-QcSSCD".

The presence of the extension "id-etsi-qcs-QcType" and its proper value should be verified, but for reasons of compatibility with the certificates issued under directive 1999/93/EC, the absence of this extension should not result in a rejection of the signature or the seal. In the case where this extension is absent from the certificate, the trusted list must contain an extension "additionalServiceInformation", populated in the manner provided for in chapter 5.5.9.4 of standard [TS_119_612] ("http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures").
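The checks of chapter II.3.8 for a signature certificate, as an added example that is not part of the ANSSI note or of any ETSI reference code: a minimal DER reader walks the content of the qcStatements extension and applies the QcCompliance, QcSSCD and QcType rules. The function names, the hex samples and the rejection of a QcType naming another certificate type are assumptions of this example; path building and signature verification are out of scope.

```python
REQUIRED = {"0.4.0.1862.1.1": "id-etsi-qcs-QcCompliance",
            "0.4.0.1862.1.4": "id-etsi-qcs-QcSSCD"}
QC_TYPE = "0.4.0.1862.1.6"      # id-etsi-qcs-QcType
QCT_ESIGN = "0.4.0.1862.1.6.1"  # id-etsi-qct-esign
FORESIGNATURES = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures"


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def children(value):  # content of a constructed element -> [(tag, value)]
    items, pos = [], 0
    while pos < len(value):
        tag, item, pos = read_tlv(value, pos)
        items.append((tag, item))
    return items


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    subs, current = [], 0
    for byte in value:
        current = (current << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subs.append(current)
            current = 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)
    return ".".join(str(n) for n in [first, subs[0] - 40 * first] + subs[1:])


def parse_qc_statements(der):
    """Map each statementId to the OIDs listed in its statementInfo, if any."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("qcStatements must be a single SEQUENCE")
    found = {}
    for tag, statement in children(body):
        parts = children(statement) if tag == 0x30 else []
        if not parts or parts[0][0] != 0x06:
            raise ValueError("QCStatement without statementId")
        info = parts[1][1] if len(parts) > 1 and parts[1][0] == 0x30 else b""
        found[decode_oid(parts[0][1])] = [
            decode_oid(v) for t, v in children(info) if t == 0x06]
    return found


def check_qualified_status(qc_der, expected_type, tl_service_info_uris):
    """Chapter II.3.8 checks for a signature certificate: (accepted, reasons)."""
    found = parse_qc_statements(qc_der) if qc_der else {}
    reasons = ["missing " + name for oid, name in REQUIRED.items() if oid not in found]
    if QC_TYPE in found:
        # Assumption of this example: a QcType naming another type is rejected.
        if expected_type not in found[QC_TYPE]:
            reasons.append("QcType does not list " + expected_type)
    elif FORESIGNATURES not in tl_service_info_uris:
        reasons.append("QcType absent and no ForeSignatures in trusted list")
    return not reasons, reasons


# Constructed samples: content of the qcStatements extension, hex-encoded DER.
HEX_COMPLIANCE = "3008060604008e460101"
HEX_SSCD = "3008060604008e460104"
HEX_TYPE_ESIGN = "3013060604008e4601063009060704008e46010601"
CERT_EIDAS = bytes.fromhex("3029" + HEX_COMPLIANCE + HEX_SSCD + HEX_TYPE_ESIGN)
CERT_LEGACY = bytes.fromhex("3014" + HEX_COMPLIANCE + HEX_SSCD)
```

CERT_LEGACY models a certificate without QcType: it is accepted only when the additionalServiceInformation URIs of the matching trusted-list service include the ForeSignatures value.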

II.3.9. Supplements relating to the verification of the qualified status of the trust service provider that issued the signature or seal certificate

The validation process must make it possible to attest that:
- the certificate on which the signature or the seal is based, was, at the time of the signature or the creation of the seal, a qualified electronic signature certificate or a qualified electronic seal certificate;
- the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing or the creation of the seal.

The verification of the trusted list makes it possible to ensure that the qualified electronic signature or seal certificate was issued by a qualified trust service provider, for which:
- the field "Service Type Identifier" is populated in the following way: "URI: http://uri.etsi.org/TrstSvc/Svctype/CA/QC";
- the field "Service Digital Identity" contains the certificate of a Certification Authority starting from which a validation path can be built to the qualified signature or seal certificate.

Requirement: This verification must:
- take as a reference the date and time of the beginning of the validity mentioned in the qualified certificate in order to determine if, on the presumed date of issuance of the certificate, the trust service provider that issued the certificate was qualified;
- take as a reference the date and the time identified in accordance with the rules of chapter II.3.6 of this document, in order to determine if, on the presumed date of the creation of the signature or of the seal, the trust service provider that issued the certificate was qualified;
- exploit if necessary the information on the history of the qualified trust service statuses in the trusted lists, in accordance with clauses 5.5.9, 5.5.10 and 5.6 of standard [TS_119_612].
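How the reference time of chapter II.3.6 feeds the two-date check required above, as an added example that is not ANSSI code. The dictionary layout, function names and sample dates are constructed; treating only the "granted" status as qualified and ignoring a time stamp token that fails verification are assumptions of this example, and building the validation path to the Service Digital Identity is not shown.

```python
from datetime import datetime, timezone

QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
# Assumption: only "granted" counts as qualified; pre-eIDAS status values that
# may appear in a real status history are not mapped in this example.
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"


def utc(year, month, day):
    """Build a timezone-aware UTC date for the constructed samples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def reference_time(submitted_at, claimed_time=None, timestamp=None,
                   accept_non_qualified=False):
    """Chapter II.3.6: choose the validation reference date and time.

    timestamp is None or a dict {"time", "qualified", "token_valid"}; token_valid
    stands for the outcome of the token and trusted-list checks (not shown).
    """
    # No time, or only a signer-filled attribute (claimed_time): never trusted.
    if timestamp is None:
        return submitted_at
    # Assumption of this example: a token that fails verification is ignored.
    if not timestamp["token_valid"]:
        return submitted_at
    if timestamp["qualified"] or accept_non_qualified:
        return timestamp["time"]
    return submitted_at  # non-qualified time stamp refused by the TSP policy


def status_at(history, when):
    """Return the status URI in force at `when`, or None before the first entry.

    history: (status_start, status_uri) pairs, current status and past ones.
    """
    in_force = [entry for entry in history if entry[0] <= when]
    return max(in_force)[1] if in_force else None


def issuer_was_qualified(service, cert_not_before, ref_time):
    """Chapter II.3.9: check the CA/QC service at issuance and at signing."""
    if service["type"] != QC_CA:
        return False, ["service type is not CA/QC"]
    moments = (("issuance", cert_not_before), ("signature", ref_time))
    failures = ["not qualified at " + label for label, when in moments
                if status_at(service["history"], when) != GRANTED]
    return not failures, failures


# Constructed trusted-list entry: granted in 2016, withdrawn in 2019.
SERVICE = {"type": QC_CA,
           "history": [(utc(2016, 7, 1), GRANTED), (utc(2019, 3, 1), WITHDRAWN)]}
CERT_NOT_BEFORE = utc(2017, 1, 10)
```

With these samples, a signature carrying a valid qualified time stamp of 2018 passes both dates, while the same signature submitted in 2020 with only a signer-claimed time is evaluated at the submission date and fails the signature-date check.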


II.3.10. Supplements relating to the identity of the signatory or creator of the seal

The validation process makes it possible to attest that:
- The unique set of data representing the signatory in the certificate is correctly provided to the relying party;
- The use of a pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of the signature.

Requirement: The presence of the field "Subject", populated in the manner provided for by standards [EN_319_412-2] and [EN_319_412-3], must be verified [1]. The identity extracted from the field "Subject", and an indication relating to the use of a pseudonym where applicable, must be specified in the validation report.

[1] These standards represent a good practice but are not of mandatory application. The validation process must be able to tolerate differences to the latter as long as the requirement of the [eIDAS] regulation is satisfied. For example, a qualified electronic signature certificate could contain an attribute commonName, but not an attribute givenName or surname.

Appendices

I. Appendix 1 Documentary references

Reference | Document
[eIDAS] | Regulation 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. Available on http://www.europa.eu
[EN_319_401] | ETSI EN 319 401 V2.1.1 (2016-02): Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers.
[EN_319_412-2] | ETSI EN 319 412-2 V2.1.1 (2016-02): Part 2: Certificate profile for certificates issued to natural persons.
[EN_319_412-3] | ETSI EN 319 412-3 V1.1.1 (2016-02): Part 2: Certificate profile for certificates issued to legal persons.
[EN_319_412-5] | ETSI EN 319 412-5 V2.1.1 (2016-02): Part 5: QCStatements.
[EN_319_102] | Draft ETSI EN 319 102-1 V1.0.0 (2015-07): Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation.
[NOTIFICATION] | Note from the French authorities of 17 February 2015 to the Commission, designating ANSSI as the supervisory body in terms of the eIDAS regulation.
[PSCO_QUALIF] | Qualified trust service providers - Criteria for assessing compliance with the eIDAS regulation, current version. Available at http://www.ssi.gouv.fr
[TS_119_612] | ETSI TS 119 612 V2.1.1 (2015-07): Electronic Signatures and Infrastructures (ESI); Trusted Lists.


II. Appendix 2 Coverage of the requirements of the [eIDAS] regulation

Article | Requirement of the eIDAS regulation | Applicable clauses of European standards | Applicable chapters of this document
24(2).e | Use of trustworthy systems and products | [EN_319_401] Clause 7.7 | Chapters II.3.2 and II.3.3
24(2).h | Preservation of information issued and received by the trust service provider | [EN_319_401] Clause 7.0 | Chapter II.3.3
24(2).i | Service continuity following the termination of the trust service provider | [EN_319_401] Clause 7.12 | No supplement to the standard
32(1).a | Qualification of the certificate at the time of signing | [EN_319_102] Clauses 5.2.6, 5.6.2 | Chapters II.3.6 and II.3.8
32(1).b | Issuance of the certificate by a qualified TSP and validated at the time of signing | [EN_319_102] Clauses 5.2.5, 5.2.6, 5.6.2 | Chapters II.3.6, II.3.7 and II.3.9
32(1).c | Correspondence of the signature validation data with the data provided to the relying party | [EN_319_102] Clause 5.2.7 | No supplement to the standard
32(1).d | Correct supplying to the relying party of the unique set of data representing the signatory in the certificate | [EN_319_102] Clause 5.2.3 | Chapter II.3.10
32(1).e | Clear indication to the relying party of the use of a pseudonym, where applicable | Not covered | Chapter II.3.10
32(1).f | Creation of the electronic signature by a qualified electronic signature creation device | Not covered | Chapter II.3.8
32(1).g | Non-compromise of the integrity of the signed data | [EN_319_102] Clause 5.2.7 | No supplement to the standard
32(1).h | Compliance with the requirements for advanced electronic signatures | Not covered | Considered as covered by the other control points
33(1).b | Supply to the relying parties of the result of the validation process, signed or sealed electronically by the service provider | Not covered | Chapters II.3.1 and II.3.2
40 | Mutatis mutandis application of articles 32 and 33 to the validation of qualified electronic
