Prime minister Agence nationale de la sécurité des systèmes d’information Qualified validation services for qualified electronic signatures and qualified electronic seals Criteria for assessing compliance with the eIDAS regulation Based on French version 1.0 of 3 January 2017 VERSION HISTORY DATE VERSION DOCUMENT CHANGES EDITOR 16/06/2016 0.8 Working version for comments. ANSSI Version for application on 31 January 2017. Amendments: - Details relating to the inclusion into the trusted list; - Amendment to the requirements relating to the preservation of data; - Supplements relating to the verification of time stamp modules; 03/01/2017 1.0 - Modification of the requirements relating to the ANSSI freshness of revocation status information; - Details relating to the verification of the qualified status of the signature certificate or of the seal to the retrieval of the identity of the seal signatory or creator; - Minor modifications and clarifications. Comments on this document should be sent to: Agence nationale de la sécurité des systèmes d’information SGDSN/ANSSI 51 boulevard de La Tour-Maubourg 75700 Paris 07 SP [email protected] Qualified validation services for qualified electronic signatures and qualified electronic seals – Criteria for conformity assessment with the eIDAS regulation Version Date Circulation criterion Page 1.0 03/01/2017 PUBLIC 2/13 CONTENTS I. Introduction ........................................................................................................................................................ 4 I.1. Subject ........................................................................................................................................................ 4 I.2. Legal framework ......................................................................................................................................... 4 I.3. Updating ..................................................................................................................................................... 4 I.4. Acronyms.................................................................................................................................................... 4 II. Requirements relating to qualified validation services for qualified electronic signatures and seals ................. 5 II.1. Qualification terms ..................................................................................................................................... 5 II.1.1. Qualification process .......................................................................................................................... 5 II.1.2. Considerations relating to the inclusion into the trusted list ............................................................... 5 II.2. Criteria for conformity assessment ............................................................................................................. 6 II.3. Supplements to standards [EN_319_401] and [EN_319_102] ................................................................... 7 II.3.1. Supplements relating to the supply of the result of the validation of a qualified electronic signature or seal 7 II.3.2. Supplements relating to the signature or to the seal of the validation report ...................................... 7 II.3.3. Supplements relating to the protection of the validation applications ................................................ 7 II.3.4. Supplements relating to the preservation of information issued and received ................................... 8 II.3.5. Supplements relating to service continuity and to the termination of the activity of the TSP............ 8 II.3.6. Supplements relating to the presumed date and time of the creation of the qualified electronic signature and electronic seal ............................................................................................................................... 9 II.3.7. Supplements relating to the freshness of the revocation information ................................................. 9 II.3.8. Supplements relating to the qualified status of the signature or seal certificate and of the signature or seal creation device ...................................................................................................................................... 10 II.3.9. Supplements relating to the verification of the qualified status of the trust service provider that issued the signature or seal certificate .............................................................................................................. 10 II.3.10. Supplements relating to the identity of the signatory or creator of the seal ..................................... 11 Appendices ............................................................................................................................................................... 12 I. Appendix 1 Documentary references ........................................................................................................... 12 II. Appendix 2 Coverage of the requirements of the [eIDAS] regulation ......................................................... 13 Qualified validation services for qualified electronic signatures and qualified electronic seals – Criteria for conformity assessment with the eIDAS regulation Version Date Circulation criterion Page 1.0 03/01/2017 PUBLIC 3/13 I. Introduction I.1. Subject Within the framework of the [eIDAS] regulation, ANSSI, designated as a supervisory body by the note from the French authorities [NOTIFICATION], has the task of supervising compliance with the requirements of the regulation by the qualified trust service providers and the conformity of the qualified trust services they provide. This note describes the criteria for conformity assessment with the requirements of the [eIDAS] regulation of the qualified validation services for qualified electronic signatures and qualified electronic seals. These requirements apply in cumulative manner with those described in the note [PSCO_QUALIF], applicable to all qualified trust service providers. I.2. Legal framework The qualified validation services for qualified electronic signatures and qualified electronic seals implemented by a trust service provider which comply with the requirements specified in chapter II of this document make it possible to provide a legal certainty concerning the validity of the qualified electronic signatures and qualified electronic seals such as defined by the [eIDAS] regulation. I.3. Updating The opportunity to update this document is evaluated by ANSSI and can in particular result from a change in the regulatory or standards framework linked to the [eIDAS] regulation or from a change in the state of the art. ANSSI specifies the effective date of each update and the particulars for transition where applicable. I.4. Acronyms The acronyms used in this reference document are: ANSSI Agence Nationale de la Sécurité des Systèmes d’Information (National Cybersecurity Agency of France). CSPN Certification de Sécurité de Premier Niveau (first level security certification). OCSP Online Certificate Status Protocol. TSP Trust Service Provider. Qualified validation services for qualified electronic signatures and qualified electronic seals – Criteria for conformity assessment with the eIDAS regulation Version Date Circulation criterion Page 1.0 03/01/2017 PUBLIC 4/13 II. Requirements relating to qualified validation services for qualified electronic signatures and seals II.1. Qualification terms II.1.1. Qualification process The process for qualifying a validation service for qualified electronic signatures and seals is part of the process of qualifying a trust service provider, such as described in note [PSCO_QUALIF]. II.1.2. Considerations relating to the inclusion into the trusted list A qualified validation service for qualified electronic signatures and seals is identified in the trusted list: - by means of the electronic certificate used to apply the seal of the TSP on the validation report; or - by means of the electronic certificate from a certification authority operated under the responsibility of the qualified TSP, solely for its own needs, and not issuing any certificates for non-qualified validation services. In the first case, if several certificates for electronic seals are implemented for the same qualified validation service, this gives rise to the inclusion of several services in the trusted list. In the second case, the conformity assessment must make it possible to demonstrate that this certification authority issues certificates only for the exclusive attention of trust services operated by the qualified TSP, and that the latter has set up appropriate organisational and technical measures in order to ensure that none of the certificates issued is used by a non-qualified validation service. Qualified validation services for qualified electronic signatures and qualified electronic seals – Criteria for conformity assessment with the eIDAS regulation Version Date Circulation criterion Page 1.0 03/01/2017 PUBLIC 5/13 II.2. Criteria for conformity assessment The assessment must make it possible to demonstrate compliance with the requirements of the [eIDAS] regulation that apply to the qualified validation services for qualified electronic signatures and seals, specified in the following articles: 24(2).e Use of trustworthy systems and products, security and reliability of the processes; 24(2).h Preservation of the data of an electronic signature
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages13 Page
-
File Size-