E-Signatures Bro 10/8/01 11:44 am Page 1

European
Telecommunications
CEN/ISSS Standards Institute
Rue de Stassart 36 F-06921 Sophia Antipolis
B-1050 Brussels Cedex, France
Belgium Tel +33 4 92 94 42 00
Email: isss@cenorm.be Fax +33 4 92 94 43 33
Tel +32 2 550 08 13
Fax +32 2 550 09 66 infocentre@etsi.fr
www.cenorm.be/isss www.etsi.org

Chairman of CEN/ISSS Chairman of ETSI’s

Workshop E-SIGN ESI Working Group
Riccardo Genghini György Endersz
SNG Telia Research AB
riccardo.genghini@sng.it gyorgy.g.endersz@telia.se

EESSI
http://www.ict.etsi.org/eessi/EESSI-homepage.htm
Chairman of EESSI
Claude Boulle, Bull c.boulle@frlv.bull.fr
EESSI Secretariat
Yves Chauvel,ETSI Secretariat yves.chauvel@etsi.fr
Giulia Cipressi, CEN/ISSS guilia.cipressi@cenorm.be

CEN Workshop Agreements are available from the national standards

bodies in countries in the European Union, in the European Free Trade
Association and the Czech Republic. Those relevant to electronic
Electronic Signatures
signatures will shortly be made available for downloading free of charge
from the CEN web site.

Individual ETSI deliverables are available free of charge from the

Publications download area of the ETSI web site. A full set of ETSI
deliverables is obtainable by subscription to the ETSI Documentation
Service offered on the web site.

– available for all

The eEurope initiative seeks to ensure that Europe reaps the benefits of the
Information Society in a cohesive and non-divisive way. It intends to
ensure equal access by Europe's citizens, to promote computer literacy
and, crucially, to create a partnership environment between the users and
providers of the systems based on trust and enterprise. Its ultimate
objective is to bring everyone in Europe - every citizen, every school,
every company - on-line as quickly as possible.

August 2001
E-Signatures Bro 10/8/01 11:44 am Page 3
The Internet has created a borderless space for
information exchange, and the keyword for the
deployment of Internet applications is trust. The EU
Electronic Signature Directive has established the legal
framework for the recognition of electronic signatures.
Reliable electronic signatures are essential in the
creation of open markets, enabling the development of
cross-border trust services and increasing
competitiveness, with consequent benefit to service
providers, manufacturers and, ultimately, the whole user
community.
The work of CEN/ISSS and ETSI in providing technical
specifications and guidance material for their
implementation is therefore crucial to the future of
e-Commerce.
Why Electronic Signatures?
The modern world is in the middle of a
communications revolution. The
Internet is opening up a host of
new possibilities, national and
international barriers to trade
are crumbling and electronic
commerce is emerging as the
future way of doing business.
Trust is essential to the success
and continued expansion of
electronic commerce. What is
needed is the electronic equivalent of a
written signature to validate transactions. The
way would then lie open to exploit the Internet for
secure document exchange, for example, for purchase
requisitions, contracts and invoice applications.
To date, the most common form of electronic signature is
the digital signature, which is created and verified by
means of cryptography mathematics. Digital signatures
use a public key cryptography which employs
mathematical algorithms using two different but
mathematically related keys: a private key for creating a
digital signature and a public key to verify it.
Taking Action
Authentication systems do exist, but their development
and use are still in the introductory stage; there is no
complete set of agreed technical specifications governing
their usage. This lack of industry standards to support the
use of electronic signatures and public key certificates is
one of the greatest impediments to electronic commerce.
Recognising that growth of the Internet and
developments in e-Commerce offer an unrivalled
opportunity for economic integration, the European
Union has published the Electronic Signature Directive,
aimed at providing a common framework for electronic
signatures and an open environment and infrastructure
for secure electronic transactions.
In response, industry and the European standardization
bodies have come together under the auspices of the
Information and Communication Technologies Standards
Board (ICTSB) to examine Europe's future standardization
needs in this area. Whilst some standardization projects
were underway at national, regional and international
levels, none met the need for a coherent set of
specifications to help companies implement the
Directive. In January 1999, therefore, a new initiative
was launched – the European Electronic Signature
Standardization Initiative (EESSI). Its task is to identify the
standardization activities necessary to enable electronic
signatures and to monitor the implementation of a work
programme to meet this need.
The goal is to provide a set of standards
and to harmonize specifications at
the international level to maximize
market take-up. EESSI has no
desire to 're-invent the wheel'
and, wherever possible, new
standards are being built on
existing specifications from the
International Telecommunication
Union (ITU), the International
Organization for Standardization
(ISO) and the Internet Engineering Task
Force (IETF).
E-Signatures Bro 10/8/01 11:44 am Page 5
Involving all the Stakeholders
The standardization initiative
addresses two major aspects of
openness: one is to facilitate fast and
easy establishment of trust between
parties who want to do business on-
line; the other is to provide for the
technical compatibility of services and
components. In such an environment, new
business relationships can be easily established
and the risk involved with investments by corporations as
well as by private users is minimized. An open
environment is favourable for public services to the
citizen and for all kinds of business activity.
The alternative is an environment governed by
proprietary solutions, creating a great many isolated
islands, lack of flexibility and aggregated costs for users
and service providers alike.
The EESSI work programme is being implemented under
the supervision of a Steering Committee which gathers
together representatives of the major market players
including industry, service providers, vendors, users and
consumers, national authorities and other interested
organizations. The necessary standards are being
developed within the Information Society Standardization
System of the European Committee for Standardization
(CEN/ISSS) and the European Telecommunications
Standards Institute (ETSI). These two bodies work in close
co-operation with each other and with other
standardization organizations around the world as
appropriate.
Electronic Signature work relevant to EESSI follows a
number of core principles, usual in CEN/ISSS and ETSI
Technical Bodies:
• Openness - all interested parties have been invited to
participate in EESSI activities
• Transparency - Work Programmes are publicly
available on both CEN's and ETSI's web sites and
all EESSI drafts are submitted for public comment
• Consensus - all decisions under the Initiative are
made by consensus
• Effectiveness and relevance - the scope and schedule
of all deliverables under EESSI are defined in response
to market needs and regulatory requirements
Market analysts agree that the two pioneer segments in
authentication services are large financial institutions and
government or public service organizations (including
local, regional and central governments and healthcare
and social services). The collaboration of all relevant
stakeholders is regarded as essential to the successful
standardization of electronic signatures. By involving all
interested parties, a common and harmonized framework
should be agreed and interoperability, at least within
Europe, ensured.
The Task
EESSI's first recommendations, made in July 1999,
contained an overview of the requirements for standards
related activities and drew up a detailed work
programme to meet these needs. Three key areas were
identified:
• Quality and functional standards for Certification
Service Providers (CSPs)
• Quality and functional standards for Signature
Creation and Verification Products
• Interoperable standardization requirements for
Electronic Signatures.
EESSI's priorities are:
• Security requirements for signature products
• Certification/registration of conformance products and
services for electronic signatures
• Security Management and Certificate Policy for
CSPs issuing qualified certificates
• Signature creation and verification
• Electronic signature syntax and
encoding formats and technical
aspects of signature polices
• A standard for the use of X.509
public key certificates as
qualified certificates
• Protocol to interoperate with a
Time-stamping Authority.
E-Signatures Bro 10/8/01 11:44 am Page 7

The Standardization Organizations involved The European Telecommunications

CEN (Comité européen de normalisation) is
one of the three recognized European
standards bodies,
and covers
standardization in
areas other than the
electrotechnical and
communications fields.
In the fast-moving
domain of information
and communications
technologies (ICT), CEN
has created the
Information Society
Standardization System
(CEN/ISSS). In addition to the
traditional CEN Technical
Committees, this makes use of open
workshops which are created whenever there is an
identified need and which are open to all interested
parties. Their deliverables are published by CEN as CEN
Workshop Agreements (CWAs).
CEN/ISSS Workshop E-SIGN is responsible for the part of
the EESSI work programme dealing with quality and
functional standards for signature creation and
verification products, as well as quality and functional
standards for CSPs. The Workshop's responsibilities
under EESSI include:
• Security requirements for trustworthy systems and
products
• Security requirements for secure signature creation
devices
• Signature creation environment
• Signature verification process and environment
• Conformity assessment of products and services for
electronic signatures.
Detailed information about the work of WS E-SIGN and
a registration form for participation are available at
http://www.cenorm.be/isss/Workshop/e-sign/Default.htm.
Standards Institute (ETSI) is a
recognized European Standardization
Body, and produces a wide range of standards and other
technical documentation as Europe's contribution to
world-wide standardization in telecommunications and
the related fields of broadcasting and information
technology. A non-profit making organization based in
Sophia Antipolis, France, ETSI unites nearly 900
members from over 50 countries inside and outside
Europe, and represents manufacturers, network operators,
administrations, service providers, research bodies and
users.
Within ETSI, the Electronic Signature Infrastructure (ESI)
Working Group deals with activities related to the
Electronic Signature. Its responsibilities under EESSI
include:
• The use of X.509 public key certificates as qualified
certificates
• Security Management and Certificate Policy for CSPs
issuing qualified certificates
• Electronic signature syntax and encoding formats and
technical aspects of signature polices
• Protocol to interoperate with a Time-stamping
Authority.
• Security Management and Certificate Policy for CSPs
issuing other than qualified certificates
• Security management and policy requirements for
CSPs issuing time stamps
• Electronic Signature syntax and encoding formats in
XML
• Signature policies for extended business models
• Harmonized provision of CSP status information
Detailed information about ETSI's work on
electronic signatures is publicly
available on the ETSI web site
(http://www.etsi.org/sec/el-sign.htm).
In addition, there is an electronic
'open discussion area', providing
public access to draft documents
and background material, and
supporting the exchange of ideas,
comments and contributions.
E-Signatures Bro 10/8/01 11:44 am Page 9
Achievements
Phase 1
Phase 1 of the work, performed in the second half of
1999, was the identification of the EESSI standardization
requirements. At the same time, an ETSI Standard (ES 201
733) on Electronic Signature formats was also completed,
and published in May 2000, defining formats for various
forms of electronic signatures and an experimental format
for signature policies.
Phase 2
The second phase of the work covered activities
performed mainly in 2000 and provided the
specifications required in support of the implementation
of the Electronic Signature Directive, as well as some
supporting specifications. They included:
• Policy requirements and security management for
certification authorities issuing qualified certificates.
An ETSI Technical Specification (TS 101 456) was
published in December 2000, providing a common
policy baseline for CSPs, adherence to which
guarantees users that an electronic signature meets the
requirements of the EU Directive, providing an
essential component for e-Commerce.
• Qualified Certificate Profiles. ETSI TS 101 862 was
also published in December 2000, defining how the
X.509 public key certificate format, which dominates
the Public Key Infrastructure (PKI) market, may be
used to meet the requirements of the EU Directive.
Through the use of this document, parties relying on
Qualified Certificates can verify signatures supported
by Qualified Certificates issued by different CSPs,
improving technical interoperability between CSPs
and signature creation and verification applications.
• Security Requirements for Trustworthy Systems
Managing Certificates for Electronic Signatures. Work
in this area will produce two related CWAs: the first,
CWA 14167, was published in June 2001 and
specifies overall security requirements on trustworthy
system components which are used by CSPs to create
Standard and Qualified Certificates; the second, to be
completed by October 2001, defines specific
requirements for the Certification Authority's
cryptographic modules.
• Security Requirements for Secure Signature Creation
Devices (SSCDs). Two related CWAs in this area (CWAs
14168 and 14169) define security requirements to ensure
conformance with the EU Directive and mutual
interoperability.
• Format and profile for Time-stamping. ETSI TS 101 861
was approved in November 2000 and publication awaits
finalization of its 'mother' document, the IETF's time-
stamping standard. The TS defines the Internet
specification for time-stamping, which is already being
adopted by the main suppliers, improving the
interoperability between applications requiring long term
validity of electronic signatures and CSPs providing time-
stamping services.
• Electronic Signature Formats. An amended version of
ETSI TS 101 733 was published in December 2000,
defining a format for Advanced Electronic Signatures
based on the existing standard format that dominates the
e-mail and document security market (ie CMS - Internet
specification RFC 2630). It also specifies how time-
stamping or trusted archiving services may be used to
ensure that the electronic signature remains valid for long
periods so that it can be presented later as evidence in
case of a dispute. ETSI TS 101 733 has been submitted to
the IETF in two separate parts and approved as RFC 3126
and RFC 3125, respectively, further promoting the
globalization of EESSI results.
• Signature Creation and Validation Process and
Environment. Although not specifically required for
compliance with the EU Directive, EESSI considered
these issues important enough to create two additional
CWAs specifying 'voluntary' security requirements for the
signature creation applications (CWA 14170) and
verification procedures (CWA 14171). These CWAs,
finalized in May 2001, offer guidance to ensure that
application and computer system environments are
implemented to provide high quality functionality to
minimize the chance of a dispute.
• Conformance Assessment Guidance. A specification
comprising five CWAs is in the process of publication as
CWA 14172 Parts 1-5, offering initial guidance on
conformity assessment concerning Certification
Authorities services and processes for PKI and
Information Security Management, Signature Creation
Systems, Signature Verification and Secure Signature
Creation Devices. Discussions are underway concerning
the enhancement of these specifications.
E-Signatures Bro 10/8/01 11:44 am Page 11
Current Activities
Phase 3 was initiated in 2001. The Work Plan includes a
number of new items, aimed at answering the market
requirements for different classes of Electronic Signature.
CEN/ISSS is preparing two major new proposals, covering
the extension of secure signature creation requirements
towards specific applications and environments,
including e-Commerce applications (Art 5.2 of the
Directive), and requirements for smart cards used as
secure signature creation devices. The former work is
expected to be completed early in 2002, the latter
around mid-2002. The CEN/ISSS Electronic Commerce
Workshop is working to provide guidance on electronic
signatures for business users, as a complementary
activity.
In ETSI, the ESI Working Group's standardization
programme for 2001 includes five main tasks: security
management and policy requirements for Certification
Service Providers (CSPs) issuing time stamps; security
management and certificate policy for CSPs issuing other
than qualified certificates; Electronic Signature syntax
and encoding formats in XML; technical aspects of
signature policies; and the
provision of
harmonized
CSP status
information.
Electronic signatures offer
the solution to a major
obstacle to the
'e-society'. Until
now, it has been
very difficult to
ensure that
documents sent
electronically actually
have the same validity
as hand-written, signed
documents. Many
countries have provided the
legal framework for formal documents such as contracts
to be signed electronically: now, for many purposes, the
traditional validity of hand-signed paper documents
applies to electronic signatures. This will help to ensure
that business, citizens and Government can conduct
transactions at Internet speeds rather than relying on
ponderous paperwork.
In the context of this legislation in Europe, EESSI is
seeking to provide the necessary secure technical
framework to accompany it. Clearly, the future use of
electronic signatures will depend on the availability of
products and services meeting the specifications, but the
groundwork is being laid.
A Global Initiative
EESSI's activities have been well publicized outside
Europe, links have been established with fora and
consortia world-wide and representatives of international
organizations participate in EESSI's working groups.
Major input has been made and is continuing to be made
by EESSI participants to the IETF's activities in
authentication and electronic signatures and, wherever
possible, EESSI's deliverables have been based on
existing and widely accepted standards. The effect of
EESSI is not confined, therefore, to Europe; EESSI does
not work in isolation but is a major contributor to the
emergence of a global playing field for electronic
signatures, opening up world markets for electronic
commerce and helping to safeguard secure electronic
document exchange.