1 / 21

Best Practices for Handling Signed Data in Digital Accounting

This workshop explores best practices for handling signed data in digital accounting, including procedures for handling advanced electronic signatures and policy requirements for trusted service providers. It also examines national practices for accounting and digital accounting in Italy, Germany, Spain, France, and the UK.

sharpj
Download Presentation

Best Practices for Handling Signed Data in Digital Accounting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CEN/ISSS Workshop on Electronic Invoices ETSI STF 305: Procedures for Handling Advanced Electronic Signatureson Digital Accounting Nick Pope – Thales e-SecuritySTF 305 Team Leader www.thalesgroup.com/esecurity

  2. Specialist Task Force - Terms of Reference • Propose drafts to ETSI Technical Committee onElectronic Signatures and Infrastructures for: • Technical Report on Best Practices for handling electronic signatures and signed data for digital accounting • Technical Specification on Policy requirements for trust service providers signing and/or storing data for digital accounting www.thalesgroup.com/esecurity

  3. Approach Italy Germany Spain France UK Study into National Practices For Accounting & Digital Accounting Best Practices for Handling signed data forDigital Accounting Policy Requirements for Trusted Service Providers Signing / Storing Data For Digital Accounting www.thalesgroup.com/esecurity

  4. Approach Italy Germany Spain France UK Study into National Practices For Accounting & Digital Accounting Maximum & Minimum Best Practices for Handling signed data forDigital Accounting EU e-Invoicing Requirements Commonly Acceptable Policy Requirements for Trusted Service Providers Signing / Storing Data For Digital Accounting www.thalesgroup.com/esecurity

  5. Targeting Digital Accounting Through e-Invoicing • National accounting practices widely vary • Council Directive 2001/115/EC + CWA 15579provide common requirement for signed VAT Invoices • Took e-Invoicing requirements as common basis for Digital Accounting www.thalesgroup.com/esecurity

  6. Basic Model www.thalesgroup.com/esecurity

  7. Trusted Service Provider Model www.thalesgroup.com/esecurity

  8. Use Scenarios • Main Target: • Pan European Trade supported by two external TSPs • Other potential • National Trade supported by TSP(s) • Large Company Internal Service www.thalesgroup.com/esecurity

  9. Advantages of applying Best Practice / Policy Targeted Security controls • Ensure that documents are kept over necessary period • Ensure that singing keys are held & ,maintained securely • Reduce revocation management • Ensure that security of documents is properly maintained • Access security • Storage security • Signature validity www.thalesgroup.com/esecurity

  10. Draft Technical Report (TR) Based on ISO/IEC 17799 + ISO/IEC 27001 Information Security Management System Specific Controls & Objectives for: • Signature • Maintenance of Signature over storage period • Storage • Reporting to authorities • Scanning paper originals + ISO/IEC 17799 standard objectives www.thalesgroup.com/esecurity

  11. Draft TR - Signature • Maximum Identified Practices • Advanced Electronic Signature • Qualified Certificate • Secure Signature Creation Device • Registration – ID documents & authorisation • Timely revocation • Minimum Identified Practices • Advanced Electronic Signature • CA meets recognised policy requirements • Sole control requirement met • Nationally “Acceptable” registration • Nationally “Acceptable” revocation www.thalesgroup.com/esecurity

  12. Draft TR – Signature (continued) • Commonly Acceptable Practice for Trusted Service Provider (TSP) offering signing / storage services: • Advanced Electronic Signature • Qualified CA or CA meets recognised policy requirements • SSCD or Sole control requirement met • Registration – ID documents & authorisation • Timely revocation www.thalesgroup.com/esecurity

  13. Draft TR – Signature Maintenance • Maximum Identified practices • Technical / organisational procedures to assure signature verifiable throughout storage period • Minimum identified practices • Nationally acceptable practices • Commonly Acceptable for TSP • Technical / organisational procedures to assure signature verifiable throughout storage period www.thalesgroup.com/esecurity

  14. Draft TR – Storage • Maximum Identified practices • Authorised access via secure channel • Authentication, Integrity & optional content commitment (non-repudiation) • Assure viewer available through lifetime • Held on long term media / copied to assure no loss of data • Held in original format – no macros / hidden code • Confidentiality of company information by separation • Minimum identified practices • No remote access required – local access as authorised • Authentication & integrity in line with national rules • No specific requirement regarding readability • Owner liable for any loss of data • No special requirement regarding format • Confidentiality maintained in storage www.thalesgroup.com/esecurity

  15. Draft TR – Storage • Commonly Acceptable Practices for TSPs • Authorised access via secure channel • Authentication, Integrity & optional content commitment (non-repudiation) • Assure viewer available through lifetime • Held on long term media / copied to assure no loss of data • Held in original format – no macros / hidden code • Confidentiality by logical or physical separation www.thalesgroup.com/esecurity

  16. Draft TR – Reporting • Maximum Identified practices • Signed & Use secure channels (e.g. SSL) • Minimum identified practices • Use secure channels • Commonly Acceptable for TSP • Signed & Use secure channels (e.g. SSL) www.thalesgroup.com/esecurity

  17. Draft TR – Scanned Document • Maximum Identified practices • Assertion (e.g. signature) that true copy • Minimum identified practices • Assured by good practice • Commonly Acceptable for TSP • Good practice & assertion where required www.thalesgroup.com/esecurity

  18. Draft TR – ISO 17799 Objectives & Controls • Maximum Identified practices • ISO 17799 compliance / national rules • + Specific controls for trusted personnel & components • Minimum identified practices • ISO 17799 desired • Commonly Acceptable for TSP • ISO 17799 Conformance Recommended / national rules • + Specific controls for trusted personnel & components www.thalesgroup.com/esecurity

  19. Draft Technical Specification • Targeted just at Trust Service Provider (TSP) • = Commonly acceptable practices from Technical Report worded in terms of specific requirements (shall) • Two levels recognised: • Normalised (Advanced Electronic Signature) • Extended (Qualified Electronic Signature) www.thalesgroup.com/esecurity

  20. Status • Drafts out for review and comment by 12-Jan-2007: http://portal.etsi.org/docbox/esi/Open/SODA/ • Final ratification & publication end Q1 2007 • Comments / Questions ? • nick.pope@thales-esecurity.com www.thalesgroup.com/esecurity

  21. ETSI STF 298 – Advanced Electronic Signature Profiles • ETSI Profiles for Advanced Electronic Signatures • TS 102 734 – Profiles of CMS (RFC 3852) Advanced Electronic Signatures based on TS 101 733 (CAdES) • TS 102 904 – Profiles of XML Advanced Electronic Signatures based onTS 101 903 (XAdES) • Profiles for • Government • E-Invoicing • Baseline for other applications • Short term & Long term www.thalesgroup.com/esecurity

More Related