COURTESY TRANSLATION




PREMIER MINISTRE
Secrétariat général de la défense nationale
Direction centrale de la sécurité des systèmes d'information

Paris, 7 April 2003
872 /SGDN/DCSSI/SDR
Reference: SIG/P/01.1

PROCEDURE

CERTIFICATION OF THE CONFORMITY OF ELECTRONIC SIGNATURE CREATION DEVICES

Subject: Certification of the conformity of electronic signature creation devices
Application: From 7 April 2003
Circulation: Public

COURTESY TRANSLATION

51 boulevard de La Tour-Maubourg - 75700 PARIS 07 SP

Modifications

| Version | Date | Modifications |
|---|---|---|
| 1 | 7/04/2003 | In the light of the opinion issued by the Management Board |

TABLE OF CONTENTS

1. PURPOSE OF THE PROCEDURE
2. CONTEXT
   2.1. Legal context
   2.2. The Two Levels for Electronic Signatures
      2.2.1. The Simple Electronic Signature
      2.2.2. The Presumed Reliable Electronic Signature
   2.3. The European Context
3. PROCEDURE FOR AWARDING A CERTIFICATE OF CONFORMITY
   3.1. Requirements Concerning the Secure Electronic Signature Creation Device
   3.2. Insertion in the French Certification Scheme
   3.3. Format of the Certificate of Conformity
   3.4. Conditions for Awarding a Certificate of Conformity
   3.5. Organisms Awarding the Certificate of Conformity
   3.6. Validity of the Certificate of Conformity
4. DCSSI'S RECOMMENDATIONS
   4.1. Recommendations Concerning Protection Profiles
   4.2. Recommendation Concerning Cryptographic Algorithms
   4.3. Requirements Concerning Other Protection Profiles or Security Targets
   4.4. Use of Other Certification Standards
APPENDIX A TABLE SHOWING RECOMMENDED PROTECTION PROFILES
APPENDIX B ABBREVIATIONS
APPENDIX C REFERENCES

1. Purpose of the Procedure

This document defines the procedure for awarding a certificate of conformity to the requirements of article 3.I of French decree no. 2001-272 of 30 March 2001, relating to electronic signatures, for secure electronic signature creation devices.

2. Context

2.1. Legal context

The European directive of 13 December 1999 on a European framework for electronic signatures was transposed by French law no. 2000-230 of 13 March 2000 and application decree no. 2001-272 of 30 March 2001.

French law no. 2000-230 defines two levels of electronic signature processes recognised by the law, presented in paragraph 2.2:

- simple electronic signatures,
- presumed reliable electronic signatures.

French decree no. 2001-272 states the conditions required for an electronic signature to be presumed reliable. One of these conditions is that the secure signature creation device (SSCD) be certified as conforming to the requirements laid down in appendix III of the European Directive and reiterated in art. 3.I of decree no. 2001-272.

2.2. The Two Levels for Electronic Signatures

2.2.1. The Simple Electronic Signature

Article 4 of French law no. 2000-230 of 13 March 2000 defines an electronic signature in the following terms (courtesy translation):

"If it [the signature] is electronic, it consists in using a reliable means of identification guaranteeing its link with the action to which it is attached."

At this level, the electronic signature process is not presumed reliable, but the text thus signed in electronic form may not be refused as evidence in court if the process makes it possible to identify the signatory and guarantee the link with the action signed. In the event of a dispute, it is up to the signatory to prove the reliability of the electronic signature process used.

2.2.2. The Presumed Reliable Electronic Signature

Article 4 of French law no. 2000-230 of 13 March 2000 specifies that the burden of proof may be reversed in the event of a dispute under certain conditions defined by decree (courtesy translation):

"This process is presumed reliable, until proven to the contrary, if the electronic signature is created, the identity of the signatory assured and the integrity of the action guaranteed, under terms fixed by order with obligatory consultation of the Council of State."

Article 2 of the French decree of 30 March 2001 defines the conditions under which the electronic signature process is considered reliable:

- the electronic signature is secure,
- the signature creation device used to establish the electronic signature is secure,
- verification of the electronic signature is based on use of a qualified electronic certificate.

This procedure shall only address the condition stated in the second point.

In order for a signature creation device to be recognised as secure, it must fulfil a certain number of requirements described in art. 3.I of decree no. 2001-272 (cf. 3.1) and be certified as conforming to these requirements. The purpose of this document is to describe the procedure by which the DCSSI awards certificates of conformity.

2.3. The European Context

The DCSSI bases its work on that of the EESSI (European Electronic Signature Standardization Initiative), a European standardization initiative launched by the European Commission following European Directive 1999/93/EC. The EESSI has produced several documents, some of which have been applied by the DCSSI.

In accordance with Directive 1999/93/EC, the European Commission should have published standards in the Official Journal of the European Union, after consultation of the Committee created in article 9 of the directive and composed of Member State representatives. Devices certified as conforming to these standards will be presumed to conform to the requirements of the directive. The European Commission has to date not, however, published any decision on this subject.

In accordance with article 3.II.2 of decree no. 2001-272 (transposition of article 3.4 of the European directive), this certificate of conformity is recognised in each Member State.

3. Procedure for Awarding a Certificate of Conformity

3.1. Requirements Concerning the Secure Electronic Signature Creation Device

Article 3.I of French decree no. 2001-272 lays down the requirements that the secure electronic signature creation device must fulfil (courtesy translation):

"A secure electronic signature creation device must:

1. Guarantee via technical means and appropriate procedures that the electronic signature creation data:
   a. Cannot be established more than once and that its confidentiality is ensured;
   b. Cannot be discovered by deduction and that the electronic signature is protected against any forgery;
   c. Can be adequately protected by the signatory against any use by a third party.
2. Not entail any alteration of the content to be signed or prevent the signatory from having full knowledge thereof before signing."

The requirements listed above shall hereinafter be referred to as the requirements of the decree.

The SSCD shall be considered as consisting of the module making it possible to create the electronic signature creation and verification data and generate the electronic signature. We therefore exclude from the scope of the SSCD the application piloting the afore-mentioned module, the operating system on which the application is installed, as well as all devices found in the SSCD's environment.

On the other hand, the transmission channel between the SSCD and the electronic signature application must be secure, i.e. the integrity of the data to sign transmitted by the application to the SSCD must be protected, unless the SSCD is in a protected environment (on the service provider's premises). This requirement is only verified during the evaluation of the SSCD if the latter is to be used in an open environment (with the final user).

3.2. Insertion in the French Certification Scheme

In the framework of French decree no. 2002-535, the evaluation of the device must take place in a DCSSI-licensed evaluation facility. These evaluation facilities conduct evaluations following standardised criteria: either the ITSEC (used less and less) or the ISO/IEC 15408 standard (also called Common Criteria (CC)). The evaluation ensures that a product conforms to a security target, which itself may conform to a protection profile.

The evaluation is conducted prior to the awarding of a certificate of conformity to the decree and must be based on a security target which fully covers the requirements of the decree and which offers an acceptable level of assurance according to the chosen environment.

3.3. Format of the Certificate of Conformity

The certificate of conformity awarded by the DCSSI is in the form of a separate document in addition to the CC or ITSEC certificate awarded for the product itself.

The certificate of conformity mentions the functions for which it is awarded and the certification report relating to the CC or ITSEC certification on which it is based.

If the sponsor only has part of the device evaluated (electronic signature creation data generation function or electronic signature creation function), it will be awarded a certificate mentioning the function covered by the device. The device must be used with another device that has also obtained a certificate of conformity mentioning the other, complementary function.

3.4. Conditions for Awarding a Certificate of Conformity

The evaluation of the module may give rise to two scenarios:

- The security target, drawn up by the evaluation sponsor, conforms to one of the protection profiles recommended by the DCSSI. In this case, the security target is presumed to conform to the requirements of the decree, and the certificate of conformity may be attributed after the evaluation and certification of the device based on this security target;
- The sponsor may propose a security target which does not conform to one of the protection profiles recommended by the DCSSI. In this case, it must prove that the target fulfils the requirements of decree no. 2001-272. The DCSSI awards the conformity certificate if this proof is supplied and if the device is certified based on this security target.

In addition, the certificate of conformity to the decree is only awarded after the DCSSI accepts the algorithms used. Cryptographic analysis is obligatory and is carried out by the DCSSI according to an application note on cryptology for the scheme.

If the device has been awarded a CC or ITSEC certificate by another country, the DCSSI reserves the right to conduct an analysis of the algorithms used before awarding the certificate of conformity to decree no. 2001-272.

3.5. Organisms Awarding the Certificate of Conformity

Article 3.II of French decree no. 2001-272 specifies the terms according to which the electronic signature creation device is certified as conforming to the requirements of the decree, as follows (courtesy translation):

"A secure electronic signature creation device must be certified as conforming to the requirements defined in I:

1. Either by the Prime Minister, under the terms set forth in decree no. 2002-535 of 18 April 2002 relating to evaluation and certification of security provided by information technology products and systems. The awarding of the certificate of conformity is made public.
2. Or by a body appointed to this effect by an EC Member State."

Decree no. 2002-535 appoints the DCSSI to this effect.

3.6. Validity of the Certificate of Conformity

The certificate of conformity to the decree is linked to the CC or ITSEC certificate. However, the state of the art with regard to attacks, for which the CC or ITSEC certificate is awarded, can evolve very quickly. As a result of this, the CC or ITSEC certificate, on the basis of which the certificate of conformity is awarded, must be subject to a monitoring process which is defined in a procedure under the certification scheme. The DCSSI can, therefore, at any time demand an additional evaluation of the device if it considers that the state of the art has significantly changed.

The certificate of conformity is revoked in the event of a failure in the monitoring process or of any fact brought to the attention of the DCSSI calling into question the module's conformance to the requirements laid down by the decree.

4. DCSSI's Recommendations

4.1. Recommendations Concerning Protection Profiles

The DCSSI recommends protection profiles, set forth in the table in Appendix A, taking into account the environment in which the target is used and the functions for which they have been written.

There are two types of environment:

- The environment of the final user,
- The environment of the certification service provider (CSP).

On the other hand, a complete secure electronic signature creation device must ensure at least the following functions:

- Generation of electronic signature creation data (security key) and verification data (public key),
- Electronic signature creation.

Each of these functions can be executed by a separate module and give rise to a certificate of conformity (cf. 3.3).

4.2. Recommendation Concerning Cryptographic Algorithms

The DCSSI encourages using the document produced by the EESSI on algorithms recommended for electronic signatures entitled "Algorithms and Parameters for Secure Electronic Signatures". This guide:

- Lists existing acceptable algorithms for electronic signatures and the minimum size of keys to use for these algorithms,
- States the length of validity of the recommended algorithms.

For each request for a certificate of conformity to the decree, the DCSSI demands a cryptographic analysis (cf. 3.4), which must attain level high.

4.3. Requirements Concerning Other Protection Profiles or Security Targets

In the event that the sponsor proposes a target which does not conform to one of the protection profiles recommended by the DCSSI, the proposed security target must observe the following minimum requirements:

- The security objectives of the target must cover the requirements laid down by the decree;
- The assurance requirements of the security target must correspond to level EAL 4+.

Depending on the environment of the SSCD under evaluation, level EAL 4 must be supplemented by at least:

- In an open environment: AVA_MSU.3, AVA_VLA.4,
- In a protected environment: ADV_IMP.2, AVA_CCA.1, AVA_VLA.4.

For an evaluation according to the ITSEC, the assurance level must be E3 high and the assurance components required must be examined on a case-by-case basis through cooperation between the evaluation sponsor and the DCSSI.

4.4. Use of Other Certification Standards

If the device concerned has already been certified according to a standard other than the ITSEC or the CC, the DCSSI examines the additional evaluations needed in order to award the certificate of conformity on a case-by-case basis, and the sponsor must supply the DCSSI with all documents necessary in order to carry out this examination, such as the evaluation report.

The DCSSI examines situations not covered by this procedure on a case-by-case basis. On the other hand, any dispute or disagreement concerning the awarding of the certificate of conformity to the decree shall be brought to the attention of the certification management board.

Appendix A Table Showing Recommended Protection Profiles

| Protection profile used | EESSI standard no. | Environment concerned | Electronic signature creation and verification data generation function (1) | Electronic signature creation function (2) | Conformance to French decree no. 2001-272 (art. 3.I) |
|---|---|---|---|---|---|
| PP SSCD type1: Secure Signature Creation Device type1 | CWA 14169 Appendix A | User | Yes | No | Conformance for the function (1) |
| PP SSCD type2: Secure Signature Creation Device type2 | CWA 14169 Appendix B | User | No | Yes | Conformance for the function (2) |
| PP SSCD type3: Secure Signature Creation Device type3 | CWA 14169 Appendix C | User | Yes | Yes | Conformance |
| PP MCSO: Cryptographic Module for CSP Key Generation Services | CWA 14167-2 | Certification service provider | Yes | Yes | Conformance |
| PP CMCKG: Cryptographic Module for CSP Key Generation Services | CWA 14167-3 (pending) | Certification service provider | Yes | No | Conformance for the function (1) |

Appendix B Abbreviations

| Abbreviation | Meaning |
|---|---|
| CC | Common Criteria |
| CEM | Common Evaluation Methodology |
| CMCKG | Cryptographic Module for CSP Key Generation Services |
| COFRAC | Comité Français d'Accréditation / French accreditation board |
| DCSSI | Direction Centrale de la Sécurité des Systèmes d'Information / Central Directorate for Information Systems Security |
| IT | Instruction Technique / Technical Instruction |
| ITSEC | Information Technology Security Evaluation Criteria |
| ITSEM | Information Technology Security Evaluation Methodology |
| MCSO | Module for CSP Signing Operation |
| PSC / CSP | Prestataire de Service de Certification / Certification Service Provider |
| SSCD | Secure Signature Creation Device / Dispositif sécurisé de création de signature |

Appendix C References

- Directive 1999/93/CE of the European Parliament and Council of 13 December 1999 on a Community framework for electronic signatures.
- French law 2000-230 of 13 March 2000: Defining the adaptation of the law of proof to information technologies and relating to electronic signatures.
- French decree 2001-272 of 30 March 2001: Enacted to implement article 1316-4 of the French Civil Code relating to electronic signatures, modified by article 20 of decree 2002-535.
- French decree 2002-535 of 18 April 2002: Relating to evaluation and certification of security provided by information technology products and systems.
- CWA 14169: European Committee for Standardization CEN/ISS: Security Requirements of Secure Signature Creation Devices (SSCD), SSCD-PP.
- CWA 14167-2: European Committee for Standardization CEN/ISS: Security Requirements of Cryptographic Module for CSP Signing Operations, MCSO-PP.
- CWA 14167-3: European Committee for Standardization CEN/ISS: Security Requirements of Cryptographic Module for CSP Key Generation Services, CMCKG-PP.
- ITSEC: Information technology security evaluation criteria (ITSEC), version 1.2, June 1991.
- ISO/IEC 15408: Information technology, Security techniques, Evaluation criteria for IT security: ISO/IEC 15408-1:1999(E): Part 1: Introduction and general model; ISO/IEC 15408-2:1999(E): Part 2: Security functional requirements; ISO/IEC 15408-3:1999(E): Part 3: Security assurance requirements.
- CC: Common Criteria for Information Technology Security Evaluation: Part 1: Introduction and general model, version 2.1, August 1999; Part 2: Security functional requirements, version 2.1, August 1999; Part 3: Security assurance requirements, version 2.1, August 1999.