ETSI TR 119 000: “Rationalised Framework for Electronic Signature Standardisation”


It is worth taking a look at technical report TR 119 000 because it describes the complete structure of the new set of standards applicable to electronic signatures, produced under the Mandate M460 effort and developed in parallel with the approval process for the new European electronic signature regulation: REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market

(a broad summary is included below, with some formatting errors that I will correct over time)

As a response to the adoption of Directive 1999/93/EC [i.1] on a Community framework for electronic signatures in 1999, and in order to facilitate the use and the interoperability of eSignature-based solutions, the European Electronic Signature Standardization Initiative (EESSI) was set up to coordinate the European standardization organisations CEN and ETSI in developing a number of standards for eSignature products.

Commission Decision 2003/511/EC [i.2], on generally recognised standards for electronic signature products, was adopted by the Commission following the results of the EESSI. This decision fostered the use of eSignature by publishing “generally recognised standards” for electronic signature products in compliance with article 3(5) of the Directive but has a limited impact on the mapping of the current state of the European standardisation on eSignatures, which also covers ancillary services to eSignature, and the legal provisions and requirements laid down in Directive 1999/93/EC [i.1].

Emerging cross-border use of eSignatures and the increasing use of several market instruments (e.g. Services Directive [i.3], Public Procurement [i.4] and [i.5], eInvoicing [i.6]) that rely in their functioning on eSignatures and the framework set by the Signature Directive emphasized problems with the mutual recognition and cross-border interoperability of eSignature.

Intending to address the legal, technical and standardisation related causes of these problems, the Commission launched a study on the standardisation aspects of eSignature [i.7] which concluded that the multiplicity of standardization deliverables, together with the lack of usage guidelines, the difficulty of access and the lack of business orientation, is detrimental to the interoperability of eSignature, and formulated a number of recommendations to mitigate this. Also, since many of the documents have yet to be progressed to full European Norms (ENs), their status may be considered uncertain. The Commission also launched the CROBIES study [i.8] to investigate solutions addressing some specific issues regarding profiles of secure signature creation devices, supervision practices as well as common formats for trusted lists, qualified certificates and signatures.

In line with Standardisation Mandate 460 [i.9], consequently issued by the Commission to CEN, CENELEC and ETSI for updating the existing eSignature standardisation deliverables, CEN and ETSI have set up the eSignature Coordination Group in order to coordinate the activities carried out for Mandate 460. As one of the first tasks, the present document establishes a rationalised framework to overcome these issues within the context of the Signature Directive, taking into account possible revisions to this Directive, and proposes a future work programme to address any elements identified as missing in this rationalised framework. The following web site was set up in the framework of Mandate 460: http://www.e-signatures-standards.eu/.

In June 2012, the European Commission issued a proposal for a regulation on electronic identification and trust services for electronic transactions in the internal market [i.22] which aims to supersede Directive 1999/93/EC [i.1]. This brings within the scope of regulation additional services for identification and authentication alongside electronic signatures, and defines additional forms of qualified certificates.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.
[i.1]  Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
[i.2]  Commission Decision 2003/511/EC of 14.7.2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council.
[i.3]  Directive 1998/34/EC of the European Parliament and the Council of 22.6.1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services.
[i.4]  Directive 2004/18/EC of the European Parliament and Council of 31.3.04 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts.
[i.5]  Directive 2004/17/EC of the European Parliament and Council of 31.3.04 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors.
[i.6]  Council Directive 2006/112/EC of 28.11.06 on the common system of value added tax.
[i.7]  “Study on the standardisation aspects of e-signatures”, SEALED, DLA Piper et al, 2007. NOTE: Available at: http://ec.europa.eu/information_society/policy/esignature/docs/standardisation/report_esign_standard.pdf
[i.8]  “CROBIES: Study on Cross-Border Interoperability of eSignatures”, Siemens, SEALED and TimeLex, 2010. NOTE: Available at: http://ec.europa.eu/information_society/policy/esignature/crobies_study/index_en.htm
[i.9]  Mandate M460: “Standardisation Mandate to the European Standardisation Organisations CEN, CENELEC and ETSI in the Field of Information and Communication Technologies Applied to Electronic Signatures”.
[i.10]  ISO/IEC 27000: “Information technology — Security techniques — Information security management systems — Overview and vocabulary”.
[i.11]  IETF RFC 3647: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework”.
[i.12]  W3C Recommendation: “XML Signature Syntax and Processing (Second Edition)”, 10 June 2008.
[i.13]  ISO 32000-1: “Document management — Portable document format — Part 1: PDF 1.7”.
[i.14]  Commission Decision 2011/130/EU of 25 February 2011 establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market.
[i.15]  Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market.
[i.16]  IETF RFC 3161 (August 2001): “Internet X.509 Public Key Infrastructure Time-Stamp Protocol”.
[i.17]  CCMB-2006-09-001: “Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; Version 3.1, Revision 3”, July 2009.
[i.18]  ITU-T Recommendation X.509/ISO/IEC 9594-8: “Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks”.
[i.19]  Commission Decision 2009/767/EC of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the ‘points of single contact’ under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market.
[i.20]  Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States.
[i.21]  ITU-T Recommendation X.1254/ISO/IEC DIS 29115: “Information technology – Security techniques – Entity authentication assurance framework”.
[i.22]  Brussels, 4.6.2012 COM(2012) 238 final, Proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
[i.23]  ETSI TR 119 001: “Rationalised Framework for Electronic Signature Standardisation: Definitions and abbreviations”.

Definitions

  • advanced electronic signature: electronic signature which meets the following requirements:

a)  it is uniquely linked to the signatory;
b)  it is capable of identifying the signatory;
c)  it is created using means that the signatory can maintain under his sole control; and
d)  it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

  • certificate: electronic attestation which links signature verification data to an entity or a legal or natural person and confirms the identity of that entity or legal or natural person
  • certification service provider: entity or legal or natural person who issues certificates or provides other services related to electronic signatures
  • certificate validation: process of checking that a certificate or certificate path is valid
  • electronic signature (eSignature): data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication
  • qualified certificate: certificate which meets the requirements laid down in Annex I of Directive 1999/93/EC [i.1] and is provided by a certification service provider who fulfils the requirements laid down in Annex II of Directive 1999/93/EC [i.1]
  • qualified electronic signature: advanced electronic signature which is based on a qualified certificate and which is created by a secure signature creation device
  • secure signature creation device: signature creation device which meets the requirements laid down in Annex III of Directive 1999/93/EC [i.1]
  • signatory: person who holds a signature creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents
  • signature creation data: unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature
  • signature creation device: configured software or hardware used to implement the signature-creation data
  • signature validation: process of checking that a signature is valid, including overall checks of the signature against local or shared signature policy requirements as well as certificate validation and signature (cryptographic) verification
  • signature verification: process of checking the cryptographic value of a signature using signature verification data
  • signature verification data: data, such as codes or public cryptographic keys, which are used for the purpose of verifying an electronic signature
  • signature verification device: configured software or hardware used to implement the signature-verification data
  • Data Preservation Service Provider (DPSP): Trust Application Service Provider which provides Trust Services to which data, among which documents, is entrusted in an agreed form (digital or analogue) for being securely kept in digital form for a period of time specified in the applicable agreement. NOTE:  This service is expected to be able to exhibit all preserved data at any moment during, or at the end of, the preservation period.
  • registered e-mail: enhanced form of mail transmitted by electronic means (e-mail) which provides evidence relating to the handling of an e-mail including proof of submission and delivery
  • registered electronic delivery: enhanced form of electronic delivery which provides evidence relating to the handling of electronic messages including proof of submission and delivery
  • registered electronic delivery service provider: trust application service provider which provides registered electronic delivery trust services
  • registered e-mail service provider: trust application service provider which provides registered e-mail trust services
  • signature generation service provider: trust service provider which provides trust services that allow secure remote management of the signatory’s signature creation device and generation of electronic signatures by means of such a remotely managed device
  • signature policy: set of rules for the creation and validation of one (or more interrelated) electronic signature(s) that defines the technical and procedural requirements for creation, validation and (long term) management of this (those) electronic signature(s), in order to meet a particular business need, and under which the signature(s) can be determined to be valid.

NOTE 1: When validated against a signature policy X, the validity of an electronic signature is a relative concept and will be determined against the rules defined by such a policy. The same signature can be determined as valid against signature policy X while being invalid against signature policy Y. The notion of Signature Policy here should be clearly dissociated from a legal purpose document. While the Signature Policy is expected to further specify the context in which the underlying signatures are to be considered as valid in a specific context (e.g. a business process, a specific application), their potential legal effect and value will be driven by the applicable laws and/or contractual relationships between the parties involved and concerned by the signatures. Closed user group domains of application should be clearly distinguished from a purely open context to which generally applicable laws may apply.

NOTE 2:  A Signature Policy covers the three following aspects related to the management of each of the considered electronic signature(s):

1.  a Signature Creation Policy: part of the Signature Policy, which specifies the technical and procedural requirements on the signer in creating a signature;
2.  a Signature Validation Policy: part of the Signature Policy, which specifies the technical and procedural requirements on the verifier when validating a signature; and
3.  a Signature (LTV) Management Policy: part of the Signature Policy, which specifies the technical and procedural requirements on the long term management and preservation of a signature.

  • signature validation service provider: trust service provider offering services in relation to validation of Electronic Signatures
  • time-stamping service provider: trust service provider which issues time-stamp tokens. NOTE:  This entity may also be referred to as a Time-Stamping Authority.
  • time-stamp token: data object that binds a representation of a datum to a particular time, thus establishing evidence that the datum existed before that time
  • trust application service provider: trust service provider operating a value added Trust Service based on Electronic Signatures that satisfies a business requirement that relies on the generation/verification of Electronic Signatures in its daily routine. NOTE:  This covers namely services like registered electronic mail and other types of e-delivery services, as well as long term storage services related to signed data and Electronic Signatures.
  • trust service: electronic service which enhances trust and confidence in electronic transactions. NOTE:  Such Trust Services are typically but not necessarily using cryptographic techniques or involving confidential material.
  • trust service provider: entity which provides one or more electronic Trust Services. NOTE:  See annex A for discussion on certification service provider and Trust Service Provider.
  • trust service status list: list of the trust service status information, protected to assure its authenticity and integrity, from which interested parties may determine whether a trust service has been assessed as operating in conformity with recognised criteria for a given class of trust service
  • trust service status list provider: trust service provider issuing a Trust Service Status List
  • trust service token: physical or binary (logical) object generated or issued as a result of the use of a Trust Service. NOTE:  Examples of binary Trust Service Tokens are certificates, CRLs, Time-Stamp Tokens, OCSP responses, evidence of delivery issued by a REM Service Provider.
  • trusted list: profile of the trust service status list that is the national supervision/accreditation status list of certification services from Certification Service Providers, which are supervised/accredited by the referenced Member State for compliance with the relevant provisions laid down in Directive 1999/93/EC [i.1]

Abbreviations

  • AdES  Advanced Electronic Signature
  • AdESQC  Advanced Electronic Signature supported by a Qualified Certificate
  • ANSSI  (French) Agence nationale de la sécurité des systèmes d’information
  • API  Application Program Interface
  • ASiC  Associated Signature Containers
  • BES  Basic Electronic Signature (used with CAdES/XAdES and PAdES)
  • BSI  Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security)
  • CA Certification Authority
  • CAB Forum  CA Browser Forum
  • CAdES  CMS Advanced Electronic Signature
  • CD  [European] Commission Decision
  • CEN  Comité Européen de Normalisation
  • CMS  Cryptographic Message Syntax
  • CRL Certificate Revocation List
  • CSP  Certification Service Provider
  • CWA CEN Workshop Agreement
  • DIS Draft International Standard
  • DPS  Data Preservation System
  • DPSP  Data Preservation Service Provider
  • DSS  Digital Signature Standard (as published by OASIS)
  • E-CODEX  e-Justice Communication via Online Data Exchange
  • EESSI  European Electronic Signature Standardization Initiative
  • EN European Norm
  • EPES  Explicit Policy Electronic Signature (used with CAdES / XAdES and PAdES)
  • ETSI  European Telecommunications Standards Institute
  • HSM  Hardware Security Module
  • HTTP  Hypertext Transfer Protocol
  • IAS  Identification, Authentication and Digital Signature
  • IDPF  International Digital Publishing Forum
  • ISO  International Organization for Standardization
  • LoA  Level of Assurance
  • LTV  Long term Validation (used with PAdES)
  • MTM Mobile Trusted Module
  • NFC  Near Field Communication
  • OCSP  Online Certificate Status Protocol
  • OASIS  Organization for the Advancement of Structured Information Standards
  • OEBPS  Open E-Book Publishing Structure
  • PAdES  PDF Advanced Electronic Signature
  • PKC  Public Key Certificate
  • PEPPOL  Pan-European Public eProcurement On-Line
  • PP Protection Profile
  • QC Qualified Certificate
  • QES  Qualified Electronic Signature
  • RED  Registered Electronic Delivery
  • REM  Registered Electronic Mail
  • REM-MD  Registered Electronic Mail – Management Domain
  • SCA Signature Creation Application
  • SGSP  Signature Generation Service Provider
  • SOGIS  Senior Officials Group – Information Systems Security
  • SP Signature Policy
  • SR Special Report
  • SCD  Signature Creation Device
  • SSCD  Secure Signature Creation Device
  • SMIME  Secure Multi-Purpose Internet Mail Extensions
  • SMTP  Simple Mail Transfer Protocol
  • SOAP  Simple Object Access Protocol
  • SPOCS  Simple Procedures Online for Cross-border Services
  • STORK  Secure Identity Across Borders Linked
  • SSL Secure Socket Layer
  • SVA Signature Validation Application
  • SVSP  Signature Validation Service Provider
  • TASP  Trust Application Service Provider
  • TC Technical Committee
  • TOE  Target of Evaluation
  • TEE  Trusted Execution Environment
  • TL Trusted List
  • TR Technical Report
  • TS Technical Specification
  • TSL  Trust Service Status List
  • TSP  Trust Service Provider
  • TSPPKC  Trust Service Provider issuing Public Key Certificates
  • TSPQC  Trust Service Provider issuing Qualified Certificates
  • TSSLP  Trust Service Status List Provider
  • TSSP  Time-Stamping Service Provider
  • UPU  Universal Postal Union
  • USB  Universal Serial Bus
  • WI Work Item
  • XAdES  XML Advanced Electronic Signature
  • XSL eXtensible Stylesheet Language
  • XML eXtensible Markup Language
  • XMLDSig  XML Digital Signature

Document Types

The documents required for standardisation of each of the different electronic signature functional areas have been  organised around the following five types of documents:

  1. Guidance: This type of document does not include any normative requirements but provides business driven guidance on addressing the eSignature (functional) area, on the selection of applicable standards and their options for a particular business implementation context and associated business requirements, on the implementation of a standard (or a series of standards), on the assessment of a business implementation against a standard (or a series of standards), etc.
  2. Policy & Security Requirements: This type of document specifies policy and security requirements for services and systems, including protection profiles. This brings together use of other technical standards and the security, physical, procedural and personnel requirements for systems implementing those technical standards.
  3. Technical Specifications: This type of document specifies technical requirements on systems. This includes but is not restricted to technical architectures (describing standardised elements for a system and their interrelationships), formats, protocols, algorithms, APIs, profiles of specific standards, etc.
  4. Conformity Assessment: This type of document addresses requirements for assessing the conformity of a system claiming conformity to a specific set of technical specifications, policy or security requirements (including protection profiles when applicable). This primarily includes conformity assessment rules (e.g. common criteria evaluation of products or assessment of systems and services).
  5. Testing Compliance & Interoperability: This type of document addresses requirements and specifications for setting up interoperability tests or testing systems, or for setting up tests or testing systems that will provide automated checks of compliance of products, services or systems with specific set(s) of technical specifications.

Numbering Scheme

A consistent numbering scheme for this documentation was sought, with the aim of identifying a single and consistent series of eSignature standards and of enabling each document to keep the same number whatever maturity level it reaches through its lifetime. The numbering scheme being used is defined as follows:

  • DD L19 xxx-z

Where:

  • DD  indicates the deliverable type in the standardisation process (SR, TS, TR and EN)
  • L
    when set to 4: identifies a CEN deliverable,
    when set to 0, 1, 2, or 3: identifies an ETSI deliverable and the type of deliverable in the standardisation process:
    019 for ETSI published Special Reports (SR)
    119 for ETSI published Technical Specification (TS) and Technical Report (TR)
    219 for ETSI published Standard (ES) and ETSI Guide (EG)
    319 for ETSI published European Norm (EN)
    419 for CEN published Technical Specification (TS) or European Norm (EN)
  • 19  indicates the series of standardisation documents related to eSignatures
    ETSI/CEN may further extend this numbering system in line with their own practices.
  • xxx  indicates the serial number (000 to 999), where:
    Xxx identifies the area:
    0 - generic to a number of areas;
    1 - Signature Creation and Validation;
    2 - Signature Creation Devices;
    3 - cryptographic suites;
    4 - Trust Service Providers supporting eSignatures;
    5 - Trust Application Service Providers;
    6 - Trust Service Status Lists Providers;
    xXx identifies a sub-area within the identified area, or 0 for documents generic to a given area;
    xxX identifies the type of document:
    0 - Guidance;
    1 - Policy and Security Requirements;
    2 - Technical Specifications;
    3 - Conformity Assessment;
    4 - Testing Compliance and Interoperability.
  • -z  identifies multi-parts as some documents may be multi-part documents.

Additional numbering for identifying parts and versions will be in line with ETSI or CEN conventions depending on which organisation publishes the document.
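As an added example (not code from TR 119 000 or from the original post), the following Python decodes a "DD L19 xxx-z" identifier into publisher, area, sub-area, document type and part, and checks that the DD prefix is one of the deliverable types the scheme lists for that L digit. The decoding tables are transcribed from the scheme above; the identifier list at the bottom is the set of documents catalogued on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Decoding tables transcribed from the "DD L19 xxx-z" numbering scheme.
# L digit -> (publishing organisation, deliverable types listed for that digit)
PUBLISHER_BY_L = {
    "0": ("ETSI", {"SR"}),
    "1": ("ETSI", {"TS", "TR"}),
    "2": ("ETSI", {"ES", "EG"}),
    "3": ("ETSI", {"EN"}),
    "4": ("CEN", {"TS", "EN"}),
}
# Xxx (first serial digit) -> functional area
AREA_BY_DIGIT = {
    "0": "generic to a number of areas",
    "1": "Signature Creation and Validation",
    "2": "Signature Creation Devices",
    "3": "cryptographic suites",
    "4": "Trust Service Providers supporting eSignatures",
    "5": "Trust Application Service Providers",
    "6": "Trust Service Status Lists Providers",
}
# xxX (last serial digit) -> document type
DOC_TYPE_BY_DIGIT = {
    "0": "Guidance",
    "1": "Policy and Security Requirements",
    "2": "Technical Specifications",
    "3": "Conformity Assessment",
    "4": "Testing Compliance and Interoperability",
}

# DD, then the L digit followed by the fixed series "19", then xxx and an optional "-z" part.
IDENT_RE = re.compile(r"^\s*([A-Z]{2})\s+([0-9])19\s+([0-9])([0-9])([0-9])(?:-([0-9]+))?\s*$")


@dataclass(frozen=True)
class ESigDocId:
    deliverable: str         # DD: SR, TS, TR, EN, ES, EG
    publisher: str           # ETSI or CEN, derived from the L digit
    area: str                # from Xxx
    sub_area: int            # from xXx; 0 means generic to the area
    doc_type: str            # from xxX
    part: Optional[int]      # from -z; None for single-part documents
    prefix_consistent: bool  # DD is one of the types the scheme lists for this L digit


def parse_doc_id(ident: str) -> ESigDocId:
    """Decode one identifier; raise ValueError for anything the scheme does not define."""
    m = IDENT_RE.match(ident)
    if not m:
        raise ValueError(f"not a 'DD L19 xxx[-z]' identifier: {ident!r}")
    dd, l_digit, area_digit, sub_digit, type_digit, part = m.groups()
    if l_digit not in PUBLISHER_BY_L:
        raise ValueError(f"L digit {l_digit} is not defined by the scheme: {ident!r}")
    if area_digit not in AREA_BY_DIGIT:
        raise ValueError(f"area digit {area_digit} is not defined by the scheme: {ident!r}")
    if type_digit not in DOC_TYPE_BY_DIGIT:
        raise ValueError(f"document type digit {type_digit} is not defined: {ident!r}")
    publisher, allowed_dd = PUBLISHER_BY_L[l_digit]
    return ESigDocId(
        deliverable=dd,
        publisher=publisher,
        area=AREA_BY_DIGIT[area_digit],
        sub_area=int(sub_digit),
        doc_type=DOC_TYPE_BY_DIGIT[type_digit],
        part=int(part) if part is not None else None,
        prefix_consistent=dd in allowed_dd,
    )


def group_by_doc_type(idents: List[str]) -> Dict[str, List[str]]:
    """Bucket identifiers by the document type encoded in their last digit, keeping input order."""
    groups: Dict[str, List[str]] = {}
    for ident in idents:
        groups.setdefault(parse_doc_id(ident).doc_type, []).append(ident.strip())
    return groups


# The documents catalogued on this page (no "-z" parts are given there).
PAGE_DOC_IDS = [
    "TR 119 000", "TR 419 010", "SR 019 020", "TR 119 001", "TR 119 100",
    "EN 319 101", "EN 419 111", "EN 319 102", "EN 319 122", "EN 319 132",
]

if __name__ == "__main__":
    for ident in PAGE_DOC_IDS:
        d = parse_doc_id(ident)
        flag = "" if d.prefix_consistent else "  (prefix not listed for this L digit)"
        print(f"{ident}: {d.publisher} {d.deliverable}, area {d.area!r}, "
              f"sub-area {d.sub_area}, {d.doc_type}{flag}")
```

Running it groups the page's catalogue by the document-type digit, which matches the Guidance / Policy / Technical Specifications headings used in the sections that follow.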

Defined documents: Generic

Guidance

TR 119 000  Rationalised structure for Electronic Signature Standardisation
This document provides the framework for the x19 000 series of documents on Electronic Signature standardisation. It specifies the schema for electronic signature standardisation. It also provides the basis for the business guidance provided in the other areas and references the business guidance for signature creation and validation (TR 119 100) as the recommended starting point for the analysis of requirements, in particular for those target audiences being stakeholders wishing to introduce and implement eSignatures in a business electronic process. It includes a basic classification of assurance levels to be used across all the areas. In addition, it establishes definitions of commonly applicable terms.
TR 419 010  Extended Rationalised structure including IAS
This document proposes an extension of the Rationalised structure for Electronic Signature Standardisation to cover Electronic Identification, Authentication and Signatures.
SR 019 020  Rationalised Framework of Standards for AdES in Mobile environments
This document will provide details on the framework of standards (including potential architectures and relevant scenarios) required for the creation and validation of advanced electronic signatures in the mobile environment (Advanced Electronic Signatures in Mobile Environments).

Policies

TR 119 001  Rationalised Framework for Electronic Signature Standardisation: Definitions and abbreviations
This document will list all definitions & abbreviations used in documents of the rationalised framework and serve as reference. Documents from the rationalised framework will either include definitions / abbreviations by reference to TR 119 001 and/or by copying definitions from TR 119 001.

Defined documents: Signature generation and validation

Guidance

TR 119 100  Business Driven Guidance for implementing Signature Creation and Validation
This document provides business guidance for the use of electronic signature standards from the viewpoint of signature creation and validation. This will include guidance on selection between the different signature formats. It proposes a business driven process for implementing generation and validation of electronic signatures in electronic business. Starting from their business model, stakeholders are guided to properly specify all the relevant parameters (hereafter “Business Scoping Parameters”) regarding the creation and the validation of electronic signatures for the specific addressed application / business processes. Finally, stakeholders are guided to make the best choice among the wide offer of standards from the Rationalised Framework of European Standards for Electronic Signatures in order to ensure the best implementation of electronic signatures within the addressed application / business processes.
The process proposed by this guidance is defined in a way that ensures stakeholders a proper and consistent treatment of all the Business Scoping Parameters, explicitly taking into account:
•   parameters directly dependent on the specific application or business process,
•   parameters derived from the regulatory/legal framework where the business must be conducted,
•   parameters inherent to the different types of signing entities, as well as
•   other aspects that do not fall within the above three listed categories but are important to be addressed when implementing electronic signatures.
The intended audience of this document is rather wide and includes different readers’ profiles:

1)  Business managers who potentially require support from electronic signatures in their business will find here an understandable explanation of how electronic signature standards may be used to meet their business needs.
2)  Application architects who will find here material that will guide them throughout the difficult process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures, and will gain a better understanding of how to select the proper standards to be implemented and/or used.
3)  Developers of the systems who will find in this document an understanding of the business driven approach underlying the decisions made by the business managers and application architects on the scoping parameters to be used when creating and validating electronic signatures in the concerned business processes, as well as a proper knowledge of the standards that exist in the field and that they must know in detail for a proper development.
Policy and Security Requirements

EN 319 101  Policy and Security Requirements for Electronic Signature Creation and Validation
This document provides policy and security requirements for electronic Signature Creation and Validation (Applications). This includes procedural aspects that are not directly machine processable, as well as aspects which may be defined in a machine processable way (see EN 319 172). This includes requirements for the secure operation of signature creation and validation applications such as might be provided by an information security management system.
This document includes a template for a human readable document covering the rules to be applied on the electronic signatures to be considered in a business e-process environment.
NOTE:  This takes into account the standards for Information Security Management Systems in ISO 27000 [i.10] and templates for practice statements as in RFC 3647 [i.11].
EN 419 111  Protection Profiles for Signature Creation & Validation Applications
This is a multi-part document covering the following topics:
•  Introduction: this document is an introduction that defines the security requirements for Signature Creation Applications (SCA) and Signature Validation Applications (SVA). It defines terms used in all parts, the SCA/SVA, their functions, and their environment.
•  Core PP for a Signature Creation Application: this document specifies a protection profile for an SCA. It defines security requirements for SCA conformity from the perspective of a security evaluation. The Target of Evaluation (TOE) considered in this Protection Profile (PP) corresponds to software, running on an operating system and hardware, the Signature Creation Platform. The TOE, using services provided by the Signature Creation Platform and by an SSCD, allows the signatory to generate an electronic signature.
•  Extensions to Core PP for an SCA.
•  Core PP for an SVA: this document specifies a protection profile for an SVA. It defines security requirements for SVA conformity from the perspective of a security evaluation. The Target of Evaluation (TOE) considered in this PP corresponds to software, running on an operating system and hardware, the Signature Validation Platform. The TOE, using services provided by the Signature Validation Platform and by the environment, allows the verifier to check an electronic signature.
•  Extensions to Core PP for an SVA.
Technical Specifications
EN 319 102  Procedures for Signature Creation and Validation
This document specifies procedures for creation and validation of an AdvancedElectronic Signature within a given
policy context. This document specifies support for validation of XAdES (XML Advanced Electronic Signature),
CAdES (CMS Advanced electronic signature), PAdES (PDFAdvanced electronic signature), AdES in Mobile
environments and ASiC (Associated Signature Containers) signatures taking into account use of Trusted Lists. This

includes a standardised structure for a list of the criteria to be checked for validation, and for the report resulting from
validation.
EN 319 122  CMS Advanced Electronic Signatures (CAdES)
This multipart document contains all the specifications related to Advanced Electronic Signatures built on top of CMS
signatures by incorporation of signed and unsigned attributes. It includes the base specification and associated profiles,
and in particular:
•  an Overview of CAdES and its profiles, and the relationship between them.
•  CMS Advanced Electronic Signatures (CAdES) – Core specifications: This document specifies the format
for a set of attributes that are added to CMS signatures to become CMS Advanced Electronic Signatures. It
also specifies requirements on their construction and incorporation to the signature as signed or unsigned
attributes.
•  CAdES Baseline Profile: This document specifies a profile identifying a minimum set of options that are
appropriate for maximizing interoperability between CAdES signatures.
NOTE 1:  The baseline profile defines a baseline profile for CAdES that provides the basic features necessary for a
wide range of business and governmental use cases for electronic procedures and communications to be
applicable to a wide range of communities when there is a clear need for interoperability of AdES
signatures to be interchanged across borders. In particular it takes into account needs for interoperability
of AdES signatures used in electronic documents issued by competent authorities to be interchanged
across borders in the context of the European Services Directive [i.15].
NOTE 2: When no specific use case has requirements not satisfied by the baseline profile, no other specific
profile will be added. Should it be otherwise, new profiles will be built on the baseline profile, unless
the actual requirements prevent it.
EN 319 132  XML Advanced Electronic Signatures (XAdES)
This multipart document contains all the specifications related to Advanced Electronic Signatures built on top of XML
signatures by incorporation of signed and unsigned properties. It includes the base specification and associated profiles,
and in particular:
•  an Overview of XAdES and its profiles, and the relationship between them.
•  XML Advanced Electronic Signatures (XAdES) – Core specifications: This document specifies the format
for a set of properties that are added to XML Signatures for becoming an XML Advanced Electronic
Signature. It also specifies requirements on their construction and incorporation (distributed or not-distributed)
to the signature as signed or unsigned properties.
NOTE 1:  This will need to take account of updates to XMLDSig [i.12].
•  XAdES Baseline Profile: This document specifies a profile identifying a common set of options that are
appropriate for maximizing interoperability between XAdES signatures.
NOTE 2:  The baseline profile defines a baseline profile for XAdES that provides the basic features necessary for a
wide range of business and governmental use cases for electronic procedures and communications to be
applicable to a wide range of communities when there is a clear need for interoperability of AdES
signatures to be interchanged across borders. In particular it takes into account needs for interoperability
of AdES signatures used in electronic documents issued by competent authorities to be interchanged
across borders in the context of the European Services Directive [i.15].
NOTE 3: When no specific use case has requirements not satisfied by the baseline profile, no other specific
profile will be added. Should it be otherwise, new profiles will be built on the baseline profile, unless
the actual requirements prevent it.
EN 319 142  PDF Advanced Electronic Signatures (PAdES)
This multipart document contains all the specifications related to Advanced Electronic Signatures embedded within
PDF documents. It includes the base specification and associated profiles, and in particular:
•  PAdES Overview – a framework document for PAdES: This document provides a framework for the set of
profiles for PAdES. It provides a general description of support for signatures in PDF documents including use
of XML signatures to protect XML data in PDF documents; it also lists the features of the different profiles
specified in other parts of the document; finally it describes how the profiles may be used in combination.
•  PAdES Basic – Profile based on ISO 32000-1 [i.13]: This document profiles the use of PDF signatures,
based on CMS, as described in ISO 32000-1 [i.13], for its use in any application areas where PDF is the
appropriate technology for exchange of digital documents including interactive forms.
•  PAdES Enhanced – PAdES-BES and PAdES-EPES Profiles: This document profiles the use of PDF
Signatures specified in ISO 32000-1 [i.13] with an alternative signature encoding to support signature formats
equivalent to the signature forms CAdES-BES, CAdES-EPES and CAdES-T as specified in EN 319 122.
•  PAdES Long Term – PAdES-LTV Profile: This document profiles the electronic signature formats found in
ISO 32000-1 [i.13] to support Long Term Validation (LTV) of PDF signatures. It specifies a profile to support
the equivalent functionality to the signature forms CAdES-X Long and CAdES-A as specified in EN 319 122
in a single profile PAdES-LTV, by incorporation of newly specified PDF objects conveying the required
validation material.
•  PAdES for XML Content – Profiles for XAdES signatures: This document defines profiles for the usage of
XAdES signatures, as defined in EN 319 132, for signing XML content within the PDF containers, including
the following situations:
-  One XML document (compliant with an arbitrary XML language, like Universal Business Language for
e-Invoicing) that is completely or partially signed with at least one enveloped XAdES signature and that
is incorporated within a PDF container.
-  Signed (with XML Sig or XAdES signature) dynamic XML Forms Architecture forms.
•  Visual Representations of Electronic Signatures: This document specifies requirements and
recommendations for the visual representations of Advanced Electronic Signatures (AdES) in PDFs. This
covers:
-  Signature appearance: The visual representation of the human act of signing placed within a PDF
document at signing time and linked to an Advanced Electronic Signature.
-  Signature validation representation: The visual representation of the validation of an Advanced
Electronic Signature.
•  PAdES Baseline Profile: This document specifies a profile identifying a common set of options that are
appropriate for maximizing interoperability between PAdES signatures.
NOTE 1:  The baseline profile defines a baseline profile for PAdES that provides the basic features necessary for a
wide range of business and governmental use cases for electronic procedures and communications to be
applicable to a wide range of communities when there is a clear need for interoperability of AdES
signatures to be interchanged across borders. In particular it takes into account needs for interoperability
of AdES signatures used in electronic documents issued by competent authorities to be interchanged
across borders in the context of the EU Services Directive [i.15].
NOTE 2: When no specific use case has requirements not satisfied by the baseline profile, no other specific
profile will be added. Should it be otherwise, new profiles will be built on the baseline profile, unless
the actual requirements prevent it.
TS 119 152  Architecture for Advanced Electronic Signatures in Mobile Environments
This document identifies the architectural components, protocol requirements and sequence of interactions
required for scenarios based on those in SR 019 020.
EN 319 162  Associated Signature Containers (ASiC)
This multipart document contains all the specifications related to the so-called Associated Signature Container, that is,
containers that bind together a number of signed data objects with Advanced Electronic Signatures applied to them or
time-stamp tokens computed on them. This document includes the base specification and associated profiles, and in
particular:
•  an Overview of ASiC and its profiles, and the relationship between them.
•  Associated Signature Containers (ASiC) – Core specifications: This document specifies the format for a
single container binding together a number of signed objects (e.g. documents, XML structured data,
spreadsheet, multimedia content) with either Advanced Electronic Signatures or time-stamps. This uses
package formats based on ZIP and supports the following signature and time-stamp token formats: CAdES
signature(s) as specified in EN 319 122, XAdES detached signature(s) as specified in EN 319 132; and RFC
3161 [i.16] time-stamp tokens.
•  ASiC Baseline Profile: This document specifies a profile identifying a common set of options that are
appropriate for maximizing interoperability between ASiC containers.
NOTE 1:  The baseline profile defines a baseline profile for ASiC that provides the basic features necessary for a
wide range of business and governmental use cases for electronic procedures and communications to be
applicable to a wide range of communities when there is a clear need for interoperability of AdES
signatures, on which ASiC is based, to be interchanged across borders. In particular it takes into account
needs for interoperability of AdES signatures used in electronic documents issued by competent
authorities to be interchanged across borders in the context of the European Services Directive [i.15].
NOTE 2: When no specific use case has requirements not satisfied by the baseline profile, no other specific
profile will be added. Should it be otherwise, new profiles will be built on the baseline profile, unless
the actual requirements prevent it.
EN 319 172  Signature Policies
This document addresses signature policies to be used in the management of electronic signatures within extended
business models. This is a multi-part document whose internal structure is shown below:
•  Part 1 – Signature Policies: This document elaborates the concept of signature policy documents, addresses
relevant aspects of their usage, and specifies the constituent parts of a signature policy and their semantics.
This provides a standardised table of contents for human-readable signature policy documents. It also includes a common EU signature
policy which may be used for qualified electronic signatures and advanced electronic signatures supported by
qualified certificates in Europe.
•  Part 2 – XML format for Signature Policies: This document specifies an XML format for those parts of the
Signature Policy that may be structured and are worth processing automatically by both signing and
verifying applications. This document also specifies the processes to be performed by the aforementioned
applications while using this format during the generation or the validation of electronic signatures.
•  Part 3 – ASN.1 format for Signature Policies: This document specifies an ASN.1 format for those parts of
the Signature Policy that may be structured and are worth processing automatically by both signing and
verifying applications. This document also specifies the processes to be performed by the aforementioned
applications while using this format during the generation or the validation of electronic signatures.
Conformity Assessment
EN 319 103  Conformity Assessment for Signature Creation and Validation Applications (& Procedures)
This document introduces the three aspects of assessment detailed in separate specifications:
a)  Assessment of user environment against policy requirements: the conformity rules for assessing conformity of
SCA or SVA against Policy Requirements. This will show the complete process for performing complete
assessment and make some reference to other conformity assessment guidance (including technical
specifications, protection profiles, signature policies).
b)  Assessment of products and applications for electronic signature creation and validation against protection
profiles.
c)  Assessment of conformity to Advanced Electronic Signature formats and protocols.
d)  Assessment of conformity of a specific machine processable signature policy to the business process policy
requirements.
NOTE:  Assessment may require use of testing compliance or interoperability.
Testing Conformance & Interoperability
TS 119 104  General requirements on Testing Conformance & Interoperability of Signature Creation and
Validation
This set of documents specifies general requirements for testing conformance and interoperability of signature creation
and validation applications.
As a general principle, TS 119 x04 documents are meant to group common requirements to all potential sub-parts with
regards to testing conformance & interoperability. It could also be used as an introductory document to how testing
conformance & integrity is dealt with in the sub-areas (e.g. general principles and requirements for PlugTests).
TS 119 124  CAdES Testing Conformance & Interoperability
This document provides technical specifications for helping implementers and accelerating the development of CAdES
signature creation and validation applications. The test results may also be used in conformity assessment for signature
creation and validation applications (EN 319 103) with policies requiring conformity to CAdES formats and
procedures. First, it will define test suites as completely as possible for supporting the organization of interoperability
testing events where different CAdES related applications may check their actual interoperability. Additionally, it will
include the specifications required for building up software tools for actually testing technical conformance of CAdES
signatures against the relevant CAdES related technical specifications.
This is a multi-part document covering the following topics:
•  Test suites for testing interoperability of CAdES signatures: This document would be used by those
entities interested in testing the interoperability of tools that generate and verify CAdES signatures not
adhering to any specific profile, but compliant with the mother CAdES specification as defined in EN 319 122.
•  Test suites for testing interoperability of Baseline CAdES signatures: This document would be used by
those entities interested in testing the interoperability of tools that generate and verify CAdES signatures that
claim to be compliant with the CAdES Baseline Profile as specified in EN 319 122.
•  Specifications for testing conformance of CAdES Signatures: This document will specify, among other
things, rules for testing conformance of signatures against the CAdES specification. It will allow developing a
tool that can automatically check that a CAdES signature is fully conformant with the relevant aforementioned
specifications, without claiming any statement on its validity.
•  Specifications for testing conformance of Baseline CAdES Signatures: This document will specify, among
other things, rules for testing conformance of signatures against the CAdES Baseline Profile specification. It
will allow developing a tool that can automatically check that a CAdES Baseline signature is fully conformant
with the relevant aforementioned specifications, without any statement on its validity.
•  Specifications for testing conformance of CAdES Signatures validation: This will allow developing a tool
that can automatically check that a generated CAdES signature is fully conformant with the relevant
aforementioned specifications and validate the signature according to EN 319 102.
NOTE 1:  A study should be made for assessing the need of a separate part for supporting conformance testing of
signature validation.
NOTE 2:  A study should be made for assessing the need of an additional part for supporting the potential
development and/or maintenance of a reference implementation.
TS 119 134  XAdES Testing Conformance & Interoperability
This document provides technical specifications for helping implementers and accelerating the development of XAdES
signature creation and validation applications. The test results may also be used in conformity assessment for signature
creation and validation applications (EN 119 103) with policies requiring conformity to XAdES formats and
procedures. First, it will define test suites as completely as possible for supporting the organization of interoperability
testing events where different XAdES related applications may check their actual interoperability. Additionally, it will
include the specifications required for building up software tools for actually testing technical conformance of XAdES
signatures against the relevant XAdES related technical specifications.
This is a multi-part document structured as follows:
•  Test suites for testing interoperability of XAdES signatures: This document will be used by entities
interested in testing tools that generate and verify XAdES signatures not adhering to any specific profile, but
compliant with the mother XAdES specification as defined in EN 319 132.
•  Test suites for testing interoperability of Baseline XAdES signatures: This document will be used by
entities interested in testing tools that generate and verify XAdES signatures that claim to be compliant with
the XAdES Baseline Profile as specified in EN 319 132.
•  Specifications for testing conformance of XAdES Signatures: This document will specify, among other
things, rules for testing conformance of signatures against the XAdES specification. It will allow developing a
tool that can automatically check that generated XAdES signatures are fully conformant with the relevant
aforementioned specifications, without any statement on their validity.
•  Specifications for testing conformance of Baseline XAdES Signatures: This document will
specify, among other things, rules for testing conformance of signatures against the XAdES specification. It
will allow developing a tool that can automatically check that a XAdES Baseline signature is fully conformant
with the relevant aforementioned specifications, without claiming any statement on its validity.
•  Specifications for testing conformance of XAdES Signatures validation: This should allow developing a
tool that could automatically check that the XAdES signatures generated by a certain tool are fully conformant
with the relevant aforementioned specifications and validate the signature according to EN 319 102.
NOTE 1:  A study should be made for assessing the need of a separate part for supporting conformance testing of
signature validation.
NOTE 2:  A study should be made for assessing the need of an additional part for supporting the potential
development and/or maintenance of a reference implementation.
TS 119 144  PAdES Testing Conformance & Interoperability
This document provides technical specifications for helping implementers and accelerating the development of PAdES
signature creation and validation applications. The test results may also be used in conformity assessment for signature
creation and validation applications (EN 319 103) with policies requiring conformity to PAdES formats and procedures.
First, it will define test suites as completely as possible for supporting the organization of interoperability testing events
where different PAdES related applications may check their actual interoperability. Additionally, it will include the
specifications required for building up software tools for actually testing technical conformance of PAdES signatures
against the relevant PAdES related technical specifications.
This is a multi-part document structured as follows:
•  Overview.
•  Test suites for testing interoperability of PAdES signatures: This document will be used by entities
interested in testing tools that generate and verify PAdES signatures not adhering to any specific profile, but
compliant with the mother PAdES specification as defined in EN 319 142.
•  Test suites for testing interoperability of Baseline PAdES signatures: This document will be used by
entities interested in testing tools that generate and verify PAdES signatures that claim to be compliant with
the PAdES Baseline Profile as specified in EN 319 142.
•  Specifications for testing conformance of PAdES Signatures: This document will specify,
among other things, rules for testing conformance of signatures against the PAdES specification. It will allow
developing a tool that can automatically check that generated PAdES signatures are fully conformant with the
relevant aforementioned specifications, without any statement on their validity.
•  Specifications for testing conformance of Baseline PAdES Signatures: This document will specify, among
other things, rules for testing conformance of signatures against the PAdES Baseline Profile specification. It
will allow developing a tool that could automatically check that a PAdES Baseline signature is fully
conformant with the relevant aforementioned specifications, without claiming any statement on its validity.
•  Specifications for testing conformance of PAdES Signatures validation: This will allow developing a tool
that can automatically check that a PAdES signature is fully conformant with the relevant aforementioned
specifications and validates the signature according to EN 319 102.
NOTE 1:  A study should be made for assessing the need of a separate part for supporting conformance testing of
signature validation.
NOTE 2:  A study should be made for assessing the need of an additional part for supporting the potential
development and/or maintenance of a reference implementation.
TS 119 154   Testing Conformance & Interoperability of AdES in Mobile environments
This document will provide technical specifications for helping implementers and accelerating the development of
creation and validation applications for advanced electronic signatures in mobile environments.
TS 119 164  ASiC Testing Conformance & Interoperability
This document provides technical specifications for helping implementers and accelerating the development of ASiC
containers creation and validation applications. The test results may also be used in conformity assessment for signature
creation and validation applications (EN 319 103) with policies requiring conformity to ASiC formats and procedures.
First, it will define test suites as complete as possible for supporting the organization of interoperability testing events
where different ASiC related applications may check their actual interoperability. Additionally, it will include the
specifications required for building software tools for actually testing technical conformance of ASiC against the
relevant ASiC related technical specifications.
This is a multi-part document covering the following topics:
•  Overview.
•  Test suites for testing interoperability of ASiC: This document will be used by entities interested in testing
tools that generate and verify ASiC not adhering to any specific profile, but compliant with the mother ASiC
specification as defined in EN 319 162.
•  Test suites for testing interoperability of Baseline ASiC: This document will be used by entities interested
in testing tools that generate and verify ASiC that claim to be compliant with the ASiC Baseline Profile as
specified in EN 319 162.
•  Specifications for testing conformance of ASiC: This document will specify, among other things, rules for
testing conformance of signatures against the ASiC specification. It will allow developing a tool that can
automatically check that generated ASiC are fully conformant with the relevant aforementioned specifications,
without any statement on their validity.
•  Specifications for testing conformance of Baseline ASiC: This document will specify, among other things,
rules for testing conformance of signatures against the ASiC specification. It will allow developing a tool that
can automatically check that Baseline ASiC are fully conformant with the relevant aforementioned
specifications, without claiming any statement on their validity.
•  Specifications for testing conformance of ASiC validation: This will allow developing a tool that can
automatically check that ASiC are fully conformant with the relevant aforementioned specifications and that
validates the signature according to EN 319 102.
NOTE 1:  A study should be made for assessing the need of a separate part for supporting conformance testing of
signature validation.
NOTE 2:  A study should be made for assessing the need of an additional part for supporting the potential
development and/or maintenance of a reference implementation.
TS 119 174   Testing Conformance & Interoperability of Signature Policies
This document provides technical specifications for helping implementers and accelerating the development of
Signature Policies. The test results may also be used in conformity assessment for signature creation and validation
applications (EN 319 103) with policies requiring conformity to machine processable Signature Policies format
specifications.
First, it will define test suites as complete as possible for supporting the organization of interoperability testing facilities
where different Signature Policy based applications may check their actual interoperability.
Additionally, it will include the specifications required for building software tools for actually testing technical
conformance of machine processable Signature Policies against the relevant technical specifications.

Defined documents: Signature related devices

Guidance
TR 419 200  Business Driven Guidance for Signature Creation and Other Related Devices
This document provides guidance for the selection of standards for electronic signature devices for given business
requirements.
Policy & Security Requirements
Policy and Security Requirements for Signature Creation Devices
No requirement has been identified for this type of document, as requirements for the use of signature creation devices are
addressed as part of the policy requirements of the signing environment in EN 319 101.
EN 419 211  Protection Profiles for Secure Signature Creation Devices
This document specifies the security requirements for a SSCD which is the target of evaluation. It follows the rules and
formats of the Common Criteria v3 [i.17].
This is a multi-part document covering the following topics:
•  Part 1 – Overview: An introduction to the SSCD protection profiles.
•  Part 2 – Device with key generation: This document specifies a protection profile for an SSCD that performs
its core operations including the generation of signature keys in the device. This profile may be extended
through extensions specified in other parts.
•  Part 3 – Device with key import: This document specifies a protection profile for an SSCD that performs its
core operations including import of the signature key generated in a trusted manner outside the device.
•  Part 4 – Extension for device with key generation and trusted communication with certificate generation
application: This document specifies an extension protection profile for an SSCD with key generation that
supports establishing a trusted channel with a certificate-generating application. This profile may be extended
through extensions specified in other parts.
•  Part 5 – Extension for device with key generation and trusted communication with signature creation
application: This document specifies an extension protection profile for an SSCD with key generation that
additionally supports establishing a trusted channel with a signature-creation application.
•  Part 6 – Extension for device with key import and trusted communication with signature creation
application: This document specifies an extension protection profile for an SSCD with key import that
additionally supports establishing a trusted channel with a signature-creation application.
Additional protection profiles or other form of security certification and security evaluation processes may be required,
to ensure that they offer the relevant level of security, for other types of devices such as, e.g.:
•  Mobile phones with hardware-based security (TEE, MTM, etc.).
•  HSM being recognised as an SSCD.
•  SSCD used for mass signing operations (e.g. for signing a series of documents).
EN 419 221  Protection profiles for TSP Cryptographic modules
This multi-part document specifies protection profiles for cryptographic devices used by Trust Service Providers. It
covers the following topics:
•   Part 1 – Overview: This part of EN 419 221 provides an overview of the protection profiles specified in other
parts of TS 419 221.
•   Part 2 – Protection profile for Cryptographic module for CSP signing operations with backup – high
security level: This part of EN 419 221 specifies a protection profile for cryptographic modules used by
certification service providers (as specified in Directive 1999/93 [i.1]) for signing operations, with key backup,
at a high level of security. Target applications include root certification authorities (certification authorities
who issue certificates to other CAs and who are at the top of a CA hierarchy) and other certification service
providers where there is a high risk of direct physical attacks against the module.
•   Part 3 – Protection profile for Cryptographic module for CSP key generation services – high security
level: This part of EN 419 221 specifies a protection profile for cryptographic modules used by certification
service providers (as specified in Directive 1999/93 [i.1]) for generating signing keys for use by other parties,
at a high level of security. Target applications include root certification authorities and other certification
service providers where there is a high risk of direct physical attacks against the module.
•   Part 4 – Protection profile for Cryptographic module for CSP signing operations – high security level:
This part of EN 419 221 specifies a protection profile for cryptographic modules used by certification service
providers (as specified in Directive 1999/93 [i.1]) for signing operations, without key backup, at a high level of
security. Target applications include root certification authorities (certification authorities which issue
certificates to other CAs and are at the top of a CA hierarchy) and other certification service providers where
there is a high risk of direct physical attacks against the module.
•   Part 5: Protection profile for Cryptographic module for TSP signing and authentication – moderate
security level: This part of EN 419 221 specifies a protection profile for cryptographic modules used by trust
service providers for signing operations and authentication services at a moderate level of security. This
protection profile includes support for protected backup of keys. The target of this part is:
a)  provision of cryptographic support for TSP signing operations including applications such as
certification authorities who issue qualified and non-qualified certificates to end users, level 1 signing
services as identified in EN 419 241, data “sealing” by or on behalf of a legal entity, time-stamping
services and validation services; and
b)  provision of both symmetric and asymmetric cryptographic support for TSP authentication services,
for example for authenticating users of signing services as specified in EN 419 241.
This profile assumes that the cryptographic module is in a physically secured environment and that there is a
low risk of untrusted personnel having direct physical access to the device.
EN 419 231  Security requirements for trustworthy systems supporting time-stamping
This document defines security requirements for a time-stamping system which consists of at least a time-stamping unit
(a set of hardware including an internal clock and software creating time-stamp tokens) and of administration and
auditing used to provide time-stamping services.
Informative annexes will provide check lists for conformity assessment.
EN 419 241  Trustworthy Systems Supporting Server Signing
This document is to become a multi-part document including general security requirements and protection profiles for
Trustworthy Systems (TWSs) supporting server signing. The document is intended for use by developers and evaluators
of a Server Signing Application and of its components. The details for this document have yet to be agreed in CEN TC
224 Working Group 17.
EN 419 251  Protection Profiles for Authentication Devices
This multi-part document defines security requirements for conformity of an authentication hardware device (such as,
for example, a smart card or USB token) from the perspective of a security evaluation.
This multi-part document covers the following aspects:
•  Part 1 defines a PP for a device with only the core features and key import. It is the minimum product.
•  Part 2 defines a PP for a device with key import, key generation, trusted channel with the CA, trusted
channel with the administration application, and administration.
•  Part 3 defines additional features that can be added to Part 1 or Part 2 in order to define a new PP with
enhanced features.
EN 419 261  Security Requirements for Trustworthy Systems Managing Certificates for Electronic
Signatures
This document establishes security requirements for trustworthy systems and technical components that can be used by
a TSP in order to issue qualified and non-qualified certificates.
Technical specifications
EN 419 212  Application Interfaces for Secure Signature Creation Devices
This standard describes an application interface and behaviour of the SSCD in the context of Identification,
Authentication and Electronic Signature (IAS) services.

This is a multi-part document covering the following topics:
•  Part 1: Introduction.
•  Part 2 describes Basic services for electronic signatures: This document specifies mandatory mechanisms
for cryptographic devices such as smart cards and hardware security modules to be used as SSCD, and covers user
validation, signature creation, device authentication, password-based mechanisms, establishment of a secure
channel and key generation.
•  Part 3 describes Additional services in the context of electronic signatures: This document specifies
mechanisms to support services around Identification, Authentication and Digital Signature (IAS) services in
addition to the SSCD mechanisms already described in Part 2, to enable interoperability and usage for IAS
services at a national or European level. It also specifies additional mechanisms such as client/server
authentication, role authentication, symmetric key transmission between a remote server and a smart card,
cryptographic signature verification, identity management and privacy mechanisms.
•  Part 4 describes Context-specific authentication protocols for SSCDs: This document specifies context-
specific authentication protocols for SSCDs, covering first the migration to suitable authentication protocols,
e.g. for further context-specific use over other transport layers such as NFC, and second a glossary including the
unambiguous definition of the security properties employed by the proposed protocols.
Conformity Assessment
EN 419 203  Conformity Assessment of Secure Devices and Trustworthy systems
This document provides guidance on conformity assessment of Secure Signature Creation Devices against the
specifications in EN 419 211, and guidance on conformity assessment of trustworthy systems against the
specifications in EN 419 221, EN 419 231, EN 419 241, EN 419 251 and EN 419 261. The guidance is intended for use
by designated bodies, assessors, evaluators and manufacturers.
Technical Conformance & Interoperability Testing
No requirements identified so far for such a document.

Defined documents: Cryptographic Suites

Guidance
TR 119 300  Business Driven Guidance for Cryptographic Suites
This document provides guidance for the selection of cryptographic suites for given business requirements.
NOTE:  Regular maintenance of cryptographic suites specifications should be ensured and mechanisms for
ensuring this should be proposed and implemented.

Technical Specifications
TS 119 312  Cryptographic Suites for Secure Electronic Signatures
This document defines a number of cryptographic suites for secure electronic signatures including a list of hash
functions and a list of signature schemes, as well as the recommended combinations of hash functions and signatures in
the form of “signature suites” to support Advanced Electronic Signatures.
Technical Conformance & Interoperability Testing
No requirements identified so far.

Defined documents: TSPs Supporting Electronic Signatures

Guidance
TS 119 400  Business Driven Guidance for TSPs Supporting Electronic Signatures
This document provides guidance for the selection of standards for TSPs for given business requirements.
NOTE:  When there would be a need for identifying and producing specific Business Driven Guidance for specific
types of TSPs supporting electronic signatures, the Rationalised Framework model allows usage of TR
119 410, TR 119 420, TR 119 430, etc. documents for such purpose.

Policy & Security Requirements
EN 319 401  General Policy Requirements for TSPs Supporting Electronic Signatures
This document specifies policy requirements for TSPs Supporting Electronic Signatures that are independent of the type
of TSP.
EN 319 411  Policy & Security Requirements for TSPs Issuing Certificates
This multi-part document specifies policy and security requirements for TSPs issuing certificates. It references
EN 319 401 for generic requirements.
This is a multi-part document including the following topics:
•  Part 1 – Overview: This part provides an overview of the other parts of this document. It also describes the
relationship of the policy requirements defined in this area and the use of secure devices and trustworthy
systems defined in the “Signature Creation and Other Related Device” area.
•  Part 2 – Policy requirements for TSP issuing qualified certificates.
•  Part 3 – Policy requirements for TSP issuing public key certificates.
•  Part 4 – Policy requirements for TSP issuing web site certificates.
•  Part 5 – Policy requirements for TSP issuing Attribute Certificates.
Informative annexes will provide check lists for conformity assessment.
EN 319 421  Policy & Security Requirements for TSPs providing Time-Stamping Services
This document specifies policy requirements for TSPs providing Time-stamping services based on RFC 3161 [i.16]. It
references EN 319 401 for generic requirements.
Similarly to EN 319 411, this multi-part document may be organised to include the following topics:
•  Overview: This part provides an overview of the other parts of this document. It also describes the relationship
of the policy requirements defined in this area and the use of secure devices and trustworthy systems defined
in the “Signature Creation and Other Related Device” area.
•  Policy requirements for TSPs providing Time-stamping services. Informative annexes will provide check lists
for conformity assessment.
EN 319 431  Policy & Security Requirements for TSPs providing Signature Generation Services
This document specifies policy requirements for TSPs providing signature generation services. It references EN
319 401 for generic requirements.
Similarly to EN 319 411, this multi-part document may be organised to include the following topics:
•  Overview: This part provides an overview of the other parts of this document. It also describes the relationship
of the policy requirements defined in this area and the use of secure devices and trustworthy systems defined
in the “Signature Creation and Other Related Device” area.
•  Policy requirements for TSPs providing Signature Generation services. Informative annexes will provide
check lists for conformity assessment.
EN 319 441  Policy & Security Requirements for TSPs providing Signature Validation Services
This document specifies policy requirements for TSPs providing Signature Validation Services. It references EN
319 401 for generic requirements.
Similarly to EN 319 411, this multi-part document may be organised to include the following topics:
•  Overview: This part provides an overview of the other parts of this document. It also describes the relationship
of the policy requirements defined in this area and the use of secure devices and trustworthy systems defined
in the “Signature Creation and Other Related Device” area.

•  Policy & Security requirements for TSPs providing Signature Validation services. Informative annexes will
provide check lists for conformity assessment.
Technical Specifications
EN 319 412  Profiles for TSPs issuing Certificates
This document provides specifications for specific profiles applicable to TSPs issuing certificates, including qualified
and other forms of certificates. It provides certificate profiles and a profile extension that aim to facilitate
interoperability of (qualified) certificates issued to natural persons, to legal persons, or to organisations as website
certificates, for the purposes of (qualified) electronic signatures, (qualified) electronic seals, peer entity
authentication, data authentication, and data confidentiality.
This is a multi-part document including the following topics:
•  Part 1 – Overview.
•  Part 2 – Certificate profile for certificates issued to natural persons.
•  Part 3 – Certificate profile for certificates issued to legal persons.
•  Part 4 – Certificate profile for website certificates issued to organisation (Baseline and Extended Validation).
•  Part 5 – Qualified certificate statements for qualified certificate profiles.
EN 319 422  Profiles for TSPs providing Time-Stamping Services
This document specifies a profile for the format and procedures for time-stamping as specified in RFC 3161 [i.16].
EN 319 432  Profiles for TSPs providing Signature Generation Services
This document specifies a profile for the format and procedures for TSPs providing Signature Generation Services.
EN 319 442  Profiles for TSPs providing Signature Validation Services
This document specifies a profile for the format and procedures for TSPs providing Signature Validation Services.
Conformity Assessment
EN 319 403  Trust Service Provider Conformity Assessment – Requirements for conformity assessment
bodies assessing Trust Service Providers
This document contains requirements for the competence, consistent operation and impartiality of conformity
assessment bodies assessing conformity of Trust Service Providers (TSP) to standardized criteria for the provision of
trust services. Requirements and guidance set out in the present document are independent of the class of trust service
provided.
EN 319 413  Conformity Assessment for TSPs Issuing Certificates
This (multi-part) document specifies requirements and provides guidance for the assessment of TSPs issuing
certificates.
NOTE:  It may be assumed that any requirement relating to completion of conformity testing might be covered
here and reference the appropriate Technical Conformance & Interoperability Testing documents.
This is a multi-part document including the following topics:
•  Conformity Assessment for Policy Requirements for TSP issuing Certificates.
EN 319 423  Conformity Assessment for TSPs providing Time-Stamping Services
This document specifies requirements and provides guidance for the assessment of TSPs providing time-stamping
services.
This is a multi-part document including the following topics:
•  Conformity Assessment for Policy Requirements for TSP providing time-stamping services.
EN 319 433  Conformity Assessment for TSPs providing Signature Generation Services
This document specifies requirements and provides guidance for the assessment of TSPs providing Signature
Generation Services.
This is a multi-part document including the following topics:
•  Conformity Assessment for Policy Requirements for TSP providing Signature Generation Services.
EN 319 443  Conformity Assessment for TSPs providing Signature Validation Services
This document specifies requirements and provides guidance for the assessment of TSPs providing Signature Validation
Services.
This is a multi-part document including the following topics:
•  Conformity Assessment for Policy Requirements for TSP providing Signature Validation Services.
Testing Conformance & Interoperability
Not applicable so far.
NOTE:  At the current date, no requirement for such documents has been identified. It may however be the case
that specifications for conformity checker tools could be identified in the future such as conformity
checker for generated Trust Service tokens such as qualified certificates, public key certificates against a
specific profile, or time-stamp tokens.

Defined documents: Trust Application Service Providers

Guidance
TR 119 500  Guidance for Trust Application Service Provider
This document provides guidance for the selection of standards for trusted application service providers for given
business requirements.
The document identifies a number of relevant Trusted Application Services using electronic signatures in different
business areas, and whose provision has already been standardized. Additionally, for each of the services, it provides
guidance for the selection of the suitable standards, ensuring in this way their correct provision and interoperability
across the European Union.
SR 019 530  Study on standardisation requirements for e-Delivery services applying e-Signatures
This document will define Electronic Delivery (e-delivery) services and investigate applicable requirements from those
existing in the market (ETSI, CEN, private standards and pilots' outcomes), proposing rationalised and well-organised
requirements for Electronic Delivery Applying Electronic Signatures and its possible relation to Registered E-Mail.
Policy & Security Requirements
EN 319 511  Policy & Security Requirements for Registered Electronic Mail (REM) Service Providers
This document specifies policy and security requirements for REM service providers required to be recognized as a
provider of this type of services. It might define different conformity levels for each style of operation and the
corresponding set of requirements to be satisfied in each level. This document also addresses requirements on
Information Security Management and Security requirements for REM systems. It references EN 319 501 for generic
requirements.
NOTE:  Whether a “Security (Protection) Profile for Trustworthy systems used by REM Service Providers”
should be merged within those specific policy & security requirements is yet to be further analysed.
This multi-part document includes:
•  Overview. This part provides an overview of the other parts of this document. It also describes the relationship
of the policy requirements defined in this area and the use of secure devices and trustworthy systems defined
in the “Signature Creation and Other Related Device” area.
•  Policy requirements for REM Service Providers.
Informative annexes will provide check lists for conformity assessment.
EN 319 521   Policy & Security Requirements for Data Preservation Service Providers (DPSPs)
This document specifies policy and security requirements for DPSPs. It references EN 319 501 for generic
requirements.
It may address specific Information Security Management Systems or Data Preservation Systems (DPS), by specifying
specific security requirements for Data Preservation Service Providers to abide by, when implementing and managing a
DPS, in order to provide Data Preservation Services that are trustable and reliable from the Information Security
viewpoint. This document does not address any archival specific issues, like definition of data metadata structure and
methods to build them, links between data to implement virtual folders, etc.
NOTE:  Whether a “Security (Protection) Profile for Trustworthy systems used by Data Preservation Service
Providers” should be merged within those specific policy & security requirements is yet to be further
analysed.
This multi-part document includes:
•  Overview. This part provides an overview of the other parts of this document. It also describes the relationship
of the policy requirements defined in this area and the use of secure devices and trustworthy systems defined
in the “Signature Creation and Other Related Devices” area.
•  Policy requirements for Data Preservation Service Providers.
Informative annexes will provide check lists for conformity assessment.
Technical Specifications
EN 319 512  Registered Electronic Mail Services
This document provides technical specifications for the provision of Registered Electronic Mail. This is a multi-part
document whose structure is detailed below:
•  Framework, Architecture and Evidence: This is a document structured in three sub-parts, as detailed below:
-  Registered Electronic Mail Overview – a framework document: This document provides an overview
of the whole set of specifications included in the Technical Specification.
-  Architecture: This document provides an overall view of the standardized service, addressing the
following aspects: the logical model, namely components, styles of operation, roles within a service
provider and grouping of providers in administrative domains; interfaces between the different roles
and providers; relevant events in the data object flows and the corresponding evidence; and trust
building among providers pertaining to the same or to different administrative domains.
-  Evidence semantics and format: This document fully specifies the set of evidence managed in the
context of the service provision. The document fully specifies the semantics, the components, and the
components' semantics for all the evidence. The document also specifies different formats for all the
evidence in different syntaxes, namely XML, ASN.1 and PDF.
•  Message formats and bindings: This part specifies different formats for the messages and the different
bindings for different transport protocols. This is a document structured in two sub-parts, as detailed below:
-  S/MIME on SMTP: This document specifies the format of the data objects when S/MIME structures are
used for conveying them, and when the transport protocol used is SMTP.
-  SOAP on HTTP: This document specifies the format of data objects when SOAP structures are used for
conveying them, and when the transport protocol used is HTTP.
•  Interoperability profiles: This part contains several sub-parts. Each sub-part specifies profile(s) for seamless
exchange of data objects across providers that use different formats and/or transport protocols.
NOTE 1:  Its internal structure will very much depend on the different relevant systems specified and built across
Europe, since in recent years a number of specifications, and non-interoperable systems based on them,
have been developed.
NOTE 2:  Requirements for support of Registered Electronic Delivery require further investigation.
EN 319 522  Data Preservation Services through signing
This document specifies technical requirements for services providing document signing in support of data preservation.
It specifies the requirements on the use of electronic signatures and time-stamping to maintain the authenticity and
integrity of documents when stored over long periods. This can be applied to a single document or a set of documents,
including multi-media objects, held in a container. An initial study will identify standardisation requirements and how
this relates to general standardisation for archiving and data preservation.
Conformity Assessment
EN 319 513  Conformity Assessment of Registered Electronic Mail Service Providers
This document specifies requirements and provides guidance for the supervision and assessment of a Registered
Electronic Mail Service Provider based on the general requirements and guidance for conformity assessment specified in
EN 319 403.
EN 319 523  Conformity Assessment of Data Preservation Service Providers
This document specifies requirements and provides guidance for the supervision and assessment of a DPSP based on
general requirements and guidance for conformity assessment specified in EN 319 403.
Testing Conformance & Interoperability
TS 119 504  General requirements for Technical Conformance & Interoperability Testing for Trust
Application Service Providers
This document specifies general requirements for specifying technical conformance and interoperability testing for
TASPs.

TS 119 514  Testing Conformance & Interoperability of Registered Electronic Mail Service Providers
This document defines test suites that support interoperability tests among entities that plan to provide this type of
service. This is a multi-part document, whose structure is detailed below:
•  Test suites for interoperability testing of providers using the same format and transport protocols: This
document is for those providers that implement the service provision using the same combination of format
and transport protocol, i.e. there will be two test suites, one for the providers using S/MIME on SMTP and
another for those using SOAP on HTTP.
•  Test suites for interoperability testing of providers using different format and transport protocols: This
document is for those providers that implement the service provision using different combinations of format
and transport protocol. This document defines test suites for the interoperability profiles for REM.
•  Testing conformance: This document specifies the tests to be performed for checking conformity against EN
319 512. This provides the basis for a tool that automatically checks that the messages and evidence set
generated by a certain provider are fully conformant with the relevant aforementioned specifications.

Defined documents: Trust Service Status Lists Providers

Guidance
TR 119 600  Business Driven Guidance for Trust Service Status Lists Providers
This document provides guidance for the selection of standards for Trust Service Status Lists Providers for given
business requirements.
Policy & Security Requirements
EN 319 601  General Policy & Security Requirements for Trust Service Status Lists Providers
This document will specify general policy and security requirements for providers issuing status information of trusted
services. It will describe different models on which such providers may operate, how this influences the way the content
of the lists should be interpreted and specific criteria for the provision of revisions to TSL information, which should be
published by the providers.
EN 319 611  Policy & Security Requirements for Trusted List Providers
This document will specify specific policy requirements for issuers of Trusted List, a profile of Trust Service Status
List, as they are defined in CD 2009/767/EC [i.19] as amended by CD 2010/425/EU [i.20]. This would build on the
requirements in EN 319 601.
Technical Specifications
TS 119 602  Trust Service Status Lists Format
This document will contain specifications related to Trust Service Status Information formats (Trust Service Status
Lists - TSL). This may be a multi-part document including:
•  Trust Service Status Lists Structure
This part specifies the Trust Service Status List structure. Each of the fields within the TSL is described to a
level of detail sufficient to derive a consistent format specification.
•  ASN.1 Representation of Trust Service Status Lists
This part specifies the ASN.1 structures to be used when implementing an ASN.1-version of TSLs.
•  XML Representation of Trust Service Status Lists
This part specifies the XML structures to be used when implementing an XML-version of TSLs.
TS 119 612  Trusted Lists
This document contains the specifications related to Trusted Lists (TL) for their use in the context of Directive
1999/93/EC [i.1] and of the Services Directive 2006/123/EC [i.14], as they are defined in CD 2009/767/EC [i.19]
amended by CD 2010/425/EU [i.20].
NOTE 1: Migration of this TS to an EN is not planned yet and will depend on the adoption of the proposal for a
regulation on electronic identification and trust services for electronic transactions in the internal market [i.2]
that will supersede Directive 1999/93/EC.
NOTE 2:  As conceptually a TL or TSL can be used for providing status information on the approval of any type of
provision of any type of Trust Service Token by any type of Trust Service Provider, the document structure
proposed here is flexible enough to allocate sub-areas to determined categories of such services. As an
example, a TL or TSL could be used for publishing, in a Europe-wide common way, the status of the
determination of conformity of a signature creation device against the requirements laid down in Annex III of
Directive 1999/93/EC [i.1] (SSCD) made by a Member State Designated Body. It is likely that for such a
purpose a specific baseline profile of the TL specifications as per TS 119 612 would be required.
Conformity Assessment
EN 319 603  General requirements and guidance for Conformity Assessment of TSSLPs
This document will provide the rationale, rules and guidance on conformity assessment concerning the processes and
products around the issuance and processing of Trust Service Status Lists.
EN 319 613  Conformity Assessment of Trusted List Providers
This document will specify the specific conformity rules for assessing conformity against the TS 119 612 specifications
related to both the generation and the conformity validation of Trusted Lists, a profile of Trust Service Status Lists.
Testing Conformance & Interoperability
TS 119 604  General requirements for Testing Conformance & Interoperability of TSLs
This document will specify general requirements for specifying technical conformance and interoperability testing for
TSLs. This may include test suites and specifications for conformity testing tools testing the ASN.1 and/or XML
representation of TSLs. This document will be used by those entities interested in testing tools that generate and verify
Trust Service Status Lists in their ASN.1 or XML representation compliant with the specification TS 119 602. This is a
multi-part document that includes:
•  Testing specifications for technical conformance & interoperability testing of the ASN.1 representation of
the Trust Service Status Lists: This document will be used by those entities interested in testing tools that
generate and verify Trust Service Status Lists in their ASN.1 representation conformant with the specification
TS 119 602.
•  Testing specifications for technical conformance & interoperability testing of XML representation of the
Trust Service Status Lists:This document will be used by those entities interested in testing tools that
generate and verify Trust Service Status Lists in their XML representation conformant with the specification
TS 119 602.

TS 119 614  Test suites and tests specifications for Technical Conformance & Interoperability Testing of
Trusted Lists
This document provides technical specifications for helping implementers and accelerating the development of tools for
creating and issuing Trusted Lists. First, it will define test suites as completely as possible for supporting the
organization of interoperability testing events where different Trusted List related applications may check their actual
interoperability. Additionally, it will include the specifications required for building up software tools for actually
testing technical conformance of Trusted Lists against the relevant Trusted List related technical specifications:
•  Test suites for testing interoperability of the XML representation of Trusted Lists: This document will be
used by those entities interested in testing tools that generate and verify Trusted Lists in their XML
representation compliant with TS 119 612.
•  Specifications for testing conformance of the XML representation of Trusted Lists: This document will
specify, among other things, rules for testing compliance of Trusted Lists against the Trusted List specifications. It
should include not only rules for the static aspects of a Trusted List, i.e. the contents of a certain
instantiation of the Trusted List, but also rules for testing its dynamic aspects, i.e. specific
relationships among elements present in consecutive instantiations of one Trusted List as a result of certain
very well specified events (Trusted List life-cycle rules). It should allow the development of a tool that could
automatically check that the Trusted Lists generated by a certain tool are fully conformant with the relevant
aforementioned specifications.
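The two categories of rule just described, static rules over one instantiation and life-cycle rules relating consecutive instantiations, are easier to grasp with a concrete checker. The following Python is an added example for this summary, not code from TR 119 000, ETSI or any conformity tool. It runs on constructed, minimal Trusted List documents built inline (placeholder certificate, illustrative scheme operator and TSP names). The XML namespace, element names, TSLTag value and service status URIs are written from memory of the TS 119 612 XML schema and are assumptions to be checked against the schema you actually target; the life-cycle rules themselves (sequence number increments by exactly one, issue time moves forward, a changed service status must be recorded in ServiceHistory, a listed service is never silently dropped) are an illustration of the category of "relationships among elements present in consecutive instantiations", not a transcription of the specification's clauses.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

TSL = "http://uri.etsi.org/02231/v2#"  # TS 119 612 XML namespace (assumption: check against your schema)
NS = {"tsl": TSL}
SI = "tsl:SchemeInformation/tsl:"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"      # status URIs: illustrative
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"  # values, assumed

def _text(node, path):
    """Stripped text of the first element at `path` below `node`; None if absent or empty."""
    el = node.find(path, NS) if node is not None else None
    return el.text.strip() if el is not None and el.text and el.text.strip() else None

def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # TL timestamps are xs:dateTime in UTC

def services(root):
    """(TSP name, X509Certificate DigitalId) -> (status, start, [(status, start), ...] history)."""
    out = {}
    for tsp in root.iterfind("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", NS):
        name = _text(tsp, "tsl:TSPInformation/tsl:TSPName/tsl:Name")
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService", NS):
            info = svc.find("tsl:ServiceInformation", NS)
            cert = _text(info, "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate")
            hist = [(_text(h, "tsl:ServiceStatus"), _text(h, "tsl:StatusStartingTime"))
                    for h in svc.iterfind("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS)]
            out[(name, cert)] = (_text(info, "tsl:ServiceStatus"), _text(info, "tsl:StatusStartingTime"), hist)
    return out

def static_checks(xml_text):
    """Static rules on a single instantiation. Returns a list of findings (empty = nothing found)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{TSL}}}TrustServiceStatusList":
        return ["root element is not tsl:TrustServiceStatusList"]
    findings = []
    for leaf in ("TSLVersionIdentifier", "TSLSequenceNumber", "TSLType", "SchemeOperatorName/tsl:Name",
                 "ListIssueDateTime", "NextUpdate/tsl:dateTime"):
        if _text(root, SI + leaf) is None:
            findings.append(f"SchemeInformation/{leaf} missing or empty")
    issued, nxt = _text(root, SI + "ListIssueDateTime"), _text(root, SI + "NextUpdate/tsl:dateTime")
    if issued and nxt and _dt(nxt) <= _dt(issued):
        findings.append("NextUpdate is not after ListIssueDateTime")
    for (tsp, cert), (status, start, _) in services(root).items():
        if cert is None:
            findings.append(f"{tsp}: TSPService without an X509Certificate DigitalId")
        if status is None or start is None:
            findings.append(f"{tsp}: ServiceStatus or StatusStartingTime missing")
        elif issued and _dt(start) > _dt(issued):
            findings.append(f"{tsp}: StatusStartingTime is later than ListIssueDateTime")
    return findings

def lifecycle_checks(prev_xml, next_xml):
    """Dynamic rules relating two consecutive instantiations of one TL (rules assumed, see lead-in)."""
    prev, nxt = ET.fromstring(prev_xml), ET.fromstring(next_xml)
    findings = []
    p_seq, n_seq = int(_text(prev, SI + "TSLSequenceNumber")), int(_text(nxt, SI + "TSLSequenceNumber"))
    if n_seq != p_seq + 1:
        findings.append(f"TSLSequenceNumber {p_seq} -> {n_seq}: expected an increment of exactly one")
    if _dt(_text(nxt, SI + "ListIssueDateTime")) <= _dt(_text(prev, SI + "ListIssueDateTime")):
        findings.append("ListIssueDateTime did not move forward")
    old, new = services(prev), services(nxt)
    for key, (o_status, o_start, _) in old.items():
        if key not in new:
            findings.append(f"{key[0]}: service disappeared instead of being kept under a new status")
            continue
        n_status, n_start, n_hist = new[key]
        if (n_status, n_start) != (o_status, o_start) and (o_status, o_start) not in n_hist:
            findings.append(f"{key[0]}: status changed but the previous status is not in ServiceHistory")
    return findings

def sample_tl(seq, issued, status, start, history="", next_update="2026-01-01T00:00:00Z"):
    """Constructed minimal TL for illustration only (placeholder certificate, not a real list)."""
    return f"""<TrustServiceStatusList xmlns="{TSL}" Id="tl" TSLTag="http://uri.etsi.org/19612/TSLTag">
 <SchemeInformation>
  <TSLVersionIdentifier>5</TSLVersionIdentifier><TSLSequenceNumber>{seq}</TSLSequenceNumber>
  <TSLType>http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUgeneric</TSLType>
  <SchemeOperatorName><Name xml:lang="en">Example Scheme Operator</Name></SchemeOperatorName>
  <ListIssueDateTime>{issued}</ListIssueDateTime><NextUpdate><dateTime>{next_update}</dateTime></NextUpdate>
 </SchemeInformation>
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example TSP</Name></TSPName></TSPInformation>
  <TSPServices><TSPService><ServiceInformation>
   <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
   <ServiceDigitalIdentity><DigitalId><X509Certificate>PLACEHOLDER</X509Certificate></DigitalId></ServiceDigitalIdentity>
   <ServiceStatus>{status}</ServiceStatus><StatusStartingTime>{start}</StatusStartingTime>
  </ServiceInformation>{history}</TSPService></TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

HISTORY = (f"<ServiceHistory><ServiceHistoryInstance><ServiceStatus>{GRANTED}</ServiceStatus>"
           "<StatusStartingTime>2020-06-15T00:00:00Z</StatusStartingTime></ServiceHistoryInstance></ServiceHistory>")
TL_42 = sample_tl(42, "2024-03-01T09:00:00Z", GRANTED, "2020-06-15T00:00:00Z")
TL_43_OK = sample_tl(43, "2024-09-01T09:00:00Z", WITHDRAWN, "2024-08-31T12:00:00Z", HISTORY)
TL_43_NO_HISTORY = sample_tl(43, "2024-09-01T09:00:00Z", WITHDRAWN, "2024-08-31T12:00:00Z")

if __name__ == "__main__":
    print(static_checks(TL_42), lifecycle_checks(TL_42, TL_43_OK), lifecycle_checks(TL_42, TL_43_NO_HISTORY))
```

The point of the split is that `static_checks` can be run by anyone holding a single list, while `lifecycle_checks` needs the previous instantiation as well: it is the previous list that proves a status transition was recorded rather than overwritten, and that a sequence number was not skipped or an issue time wound back. A real checker would add XML Schema validation and signature verification of the list in front of both functions.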

Does Ley 11/2007 apply to professional associations? And to chambers of commerce?


Article 2 (Scope of application) of Ley 11/2007 and its first additional provision specify the public administrations that are obliged, with regard to the deployment of electronic infrastructures and procedures, to serve the right of citizens, enshrined in that law, to interact with the Public Administrations by electronic means.

Since professional associations and general councils are public-law corporations (incidentally, chambers of commerce and sports federations also fall into this category), administrative law applies to them only restrictively, even though they are subject to private law.

They are legal persons that take an associative form, created not by agreement but by a law that determines their purposes, structure and functioning.

Membership of these corporations is compulsory for anyone wishing to exercise certain rights (e.g. practising a profession, in the case of professional associations). Membership is determined on the basis of an objective condition related to the corporate purpose in question: e.g. a professional qualification (see Colegios Profesionales), the status of trader or industrialist (Cámaras de Comercio, Industria y Navegación), being an irrigator within a collective concession of public waters (see comunidades de regantes), etc.

For all these reasons, it can be stated that Ley 11/2007, de 22 de junio, de acceso electrónico de los ciudadanos a los Servicios Públicos, does not apply to professional associations (nor to chambers of commerce).

Certified digitisation beyond invoices


Certified digitisation appeared on the Spanish legal scene in the invoicing rules, specifically Orden EHA-962/2007. The rule was designed for documents of tax interest, although the Resolución de 24 de octubre de 2007 of the Agencia Estatal de Administración Tributaria was confined more narrowly to invoices and was less clear for other documents "of tax interest".

The implementation of Ley 11/2007 gave rise to the ENI (Esquema Nacional de Interoperabilidad) and this in turn to the NTI (Normas Técnicas de Interoperabilidad), but the expected general public-sector rule on certified digitisation never arrived, so specialists began to offer services that derived the possibility of certified digitisation from the existing NTIs, in particular the following: Digitisation of documents; Electronic document; Electronic file; Procedures for authentic copying and conversion between electronic documents, as well as from paper or other physical media to electronic formats; and Electronic signature and certificate policy of the Administration.

In the private sector, enquiries kept coming about extending the use of certified digitisation to areas other than invoices, and although the expected regulation has not been published, isolated aspects keep appearing embedded in different rules.

For example, certified digitisation in the context of the justification of grants, already discussed on this blog a few weeks ago.

Indeed, section four of the Resolución de 19 de septiembre de 2012 of the Presidency of the Agencia Española de Cooperación Internacional para el Desarrollo, which establishes the requirements for justifying expenditure under international development cooperation grants by submitting digitised documentation, sets additional requirements for the certified digitisation software used in grant justification. As a result, most solutions will have to be "re-approved" against the extra requirements and undergo a new audit of the updated version if they are extended to meet them, because introducing changes invalidates the approval previously obtained.

The most interesting part comes from Article 25 of Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo, which sets out a number of obligations, and ways of fulfilling them, for the obliged entities:

  • Las entidades de crédito.
  • Las entidades aseguradoras autorizadas para operar en el ramo de vida y los corredores de seguros cuando actúen en relación con seguros de vida u otros servicios relacionados con inversiones, con las excepciones que se establezcan reglamentariamente.
  • Las empresas de servicios de inversión.
  • Las sociedades gestoras de instituciones de inversión colectiva y las sociedades de inversión cuya gestión no esté encomendada a una sociedad gestora.
  • Las entidades gestoras de fondos de pensiones.
  • Las sociedades gestoras de entidades de capital-riesgo y las sociedades de capital-riesgo cuya gestión no esté encomendada a una sociedad gestora.
  • Las sociedades de garantía recíproca.
  • Las entidades de pago y las entidades de dinero electrónico.
  • Las personas que ejerzan profesionalmente actividades de cambio de moneda.
  • Los servicios postales respecto de las actividades de giro o transferencia.
  • Las personas dedicadas profesionalmente a la intermediación en la concesión de préstamos o créditos, así como las personas que, sin haber obtenido autorización como establecimientos financieros de crédito, desarrollen profesionalmente alguna de las actividades a que se refiere la Disposición adicional primera de la Ley 3/1994, de 14 de abril, por la que se adapta la legislación española en materia de Entidades de Crédito a la Segunda Directiva de Coordinación Bancaria y se introducen otras modificaciones relativas al Sistema Financiero.
  • Los promotores inmobiliarios y quienes ejerzan profesionalmente actividades de agencia, comisión o intermediación en la compraventa de bienes inmuebles.
  • Los auditores de cuentas, contables externos o asesores fiscales.
  • Los notarios y los registradores de la propiedad, mercantiles y de bienes muebles.
  • Los abogados, procuradores u otros profesionales independientes cuando participen en la concepción, realización o asesoramiento de operaciones por cuenta de clientes relativas a la compraventa de bienes inmuebles o entidades comerciales, la gestión de fondos, valores u otros activos, la apertura o gestión de cuentas corrientes, cuentas de ahorros o cuentas de valores, la organización de las aportaciones necesarias para la creación, el funcionamiento o la gestión de empresas o la creación, el funcionamiento o la gestión de fideicomisos («trusts»), sociedades o estructuras análogas, o cuando actúen por cuenta de clientes en cualquier operación financiera o inmobiliaria.
  • Las personas que con carácter profesional y con arreglo a la normativa específica que en cada caso sea aplicable presten los siguientes servicios a terceros: constituir sociedades u otras personas jurídicas; ejercer funciones de dirección o secretaría de una sociedad, socio de una asociación o funciones similares en relación con otras personas jurídicas o disponer que otra persona ejerza dichas funciones; facilitar un domicilio social o una dirección comercial, postal, administrativa y otros servicios afines a una sociedad, una asociación o cualquier otro instrumento o persona jurídicos; ejercer funciones de fideicomisario en un fideicomiso («trust») expreso o instrumento jurídico similar o disponer que otra persona ejerza dichas funciones; o ejercer funciones de accionista por cuenta de otra persona, exceptuando las sociedades que coticen en un mercado regulado y estén sujetas a requisitos de información conformes con el derecho comunitario o a normas internacionales equivalentes, o disponer que otra persona ejerza dichas funciones.
  • Los casinos de juego.
  • Las personas que comercien profesionalmente con joyas, piedras o metales preciosos.
  • Las personas que comercien profesionalmente con objetos de arte o antigüedades.
  • Las personas que ejerzan profesionalmente las actividades a que se refiere el artículo 1 de la Ley 43/2007, de 13 de diciembre, de protección de los consumidores en la contratación de bienes con oferta de restitución del precio.
  • Las personas que ejerzan actividades de depósito, custodia o transporte profesional de fondos o medios de pago.
  • Las personas responsables de la gestión, explotación y comercialización de loterías u otros juegos de azar respecto de las operaciones de pago de premios.
  • Las personas físicas que realicen movimientos de medios de pago, en los términos establecidos en el artículo 34.
  • Las personas que comercien profesionalmente con bienes, en los términos establecidos en el artículo 38.
  • Las fundaciones y asociaciones, en los términos establecidos en el artículo 39.
  • Los gestores de sistemas de pago y de compensación y liquidación de valores y productos financieros derivados, así como los gestores de tarjetas de crédito o débito emitidas por otras entidades, en los términos establecidos en el artículo 40.

Dada la amplitud de obligados, cabe pensar que el resto de empresas pueden usar los métodos que se destacan a continuación como “no obligados pero autorizados”.

Artículo 25 Conservación de documentos

1. Los sujetos obligados conservarán durante un período mínimo de diez años la documentación en que se formalice el cumplimiento de las obligaciones establecidas en la presente Ley.

En particular, los sujetos obligados conservarán para su uso en toda investigación o análisis, en materia de posibles casos de blanqueo de capitales o de financiación del terrorismo, por parte del Servicio Ejecutivo de la Comisión o de cualquier otra autoridad legalmente competente:

  • a) Copia de los documentos exigibles en aplicación de las medidas de diligencia debida, durante un periodo mínimo de diez años desde la terminación de la relación de negocios o la ejecución de la operación.
  • b) Original o copia con fuerza probatoria de los documentos o registros que acrediten adecuadamente las operaciones, los intervinientes en las mismas y las relaciones de negocio, durante un periodo mínimo de diez años desde la ejecución de la operación o la terminación de la relación de negocios.

2. Los sujetos obligados, con las excepciones que se determinen reglamentariamente, almacenarán las copias de los documentos de identificación a que se refiere el artículo 3.2 en soportes ópticos, magnéticos o electrónicos que garanticen su integridad, la correcta lectura de los datos, la imposibilidad de manipulación y su adecuada conservación y localización.

En todo caso, el sistema de archivo de los sujetos obligados deberá asegurar la adecuada gestión y disponibilidad de la documentación, tanto a efectos de control interno, como de atención en tiempo y forma a los requerimientos de las autoridades.

Esto es muy importante, porque a falta de una norma más precisa, los principios de la digitalización certificada pueden extenderse a todo tipo de documentos en el sector privado.

La ventaja de un auditor especialista es que puede confirmar que el software utilizado cumple esos requisitos establecidos de forma generalista en base a un marco concreto y bien probado como el definido por la AEAT pero extendido a todo tipo de documento

EADTrust está precisamente ofreciendo este servicio como una extensión a los que ya ofrece de Auditoría de Digitalización Certificada, Auditoría de Digitalización Certificada en el marco del ENI y las NTI, y ahora, Auditoría de Digitalización Certificada en el marco de la normativa de prevención del blanqueo de capitales y de la financiación del terrorismo.

Puede contactar con EADTrust  llamando al 902 365 612 o al 91 716 0555

 

Validity period of the CSV (Código Seguro de Verificación, Secure Verification Code)


In connection with the implementation of Law 11/2007 by public administrations, questions arise such as: for how long can electronic documents be viewed at the electronic office (sede electrónica) through the Secure Verification Code?

The regulations developed do not cover every option, and public bodies have to make decisions. To set a criterion when working on e-government implementations it helps to keep in mind the concepts of digital diplomatics.

As regards the question posed, the CSV must be kept forever. Access to the document is limited by the entity's records management policy, and it must always be possible, either at the original electronic office or at the body in charge of the archive.

Think of the CSV as the equivalent of a notary's protocol number.

In the notarial world, a simple or authentic copy of a document can be requested from its matrix either from the notary who recorded it in the protocol (whose identity corresponds to that of the body's electronic office), from the notary's successor in the protocol, or from the long-term protocol archive system.

In the case of public administrations, the records management policy must always define the body from which the document can be requested once the administrative phase in which the procedure is "live", or within the limitation periods, has ended.

And for the "handout" of authentic electronic documents, when long-term archives must take charge of them, the transferring body and the receiving body should sign a document recording the past and future electronic preservation techniques and the integrity controls (hashes and timestamps) of the documents (or collections) transferred.

Atenea Interactiva organises courses on Digital Diplomatics. You can call 902 365 612 or 917160555 to request an in-company course or to enrol in the next open seminar on this subject.

SOA – Service Oriented Architecture and the electronic signature


Institutions, public bodies and large companies increasingly use electronic signatures, because of the large savings they bring, the efficiency they add to processes, and by legal requirement.

With 25 million electronic national ID cards (DNIe) and almost 5 million other qualified certificates, they are used to identify signers and to record consent in thousands of electronic documents. Automated signatures require shared infrastructure, and the mere management of signature policies sometimes makes centralised signing systems advisable even when users work at workstations distributed across the organisation.

Centrally managed electronic signature services, and related services that form part of organisations' technology architecture, are increasingly used, also to guarantee smooth operation that does not depend on the many configurations of users' machines. The diversity of equipment is frequently a cause of malfunctions.

Among the services that organisations deploy, the following are worth mentioning:

  • Signature Services (DSS). The automated signing service signs XML and PDF documents with XAdES and PAdES signatures respectively. Documents of other types can be encapsulated in CAdES or XAdES signatures, although they will then require verification services compatible with the encapsulation technique. This service also verifies the signatures of already-signed documents. It allows different keys and certificates, associated with different policies, to be used, managed centrally in an HSM (Hardware Security Module). It is used, for example, to automate the use of organisational seals (sellos de órgano).
  • Timestamping Service. This service issues and verifies timestamps over the RFC 3161 protocol and/or a web service (DSS). If used with a TSU certificate from a suitable CA, within a management agreement, these timestamps can have legal value. The system supports synchronisation via NTP (against the ROA), GPS and DCF77.
  • Certificate Validation Service. This service checks the validity of a certificate and extracts the information it contains about its holder (name and surnames, NIF/CIF, ...). To do so it uses OCSP queries or revoked-certificate queries following the protocol defined by the AEAT (ycaestec).
  • Copy Service. This service adds graphical information (QR code or PDF417) about an electronic signature onto a verifiable copy (copia constatable) of an electronic document (albalá), facilitating later verification of printed electronic documents.
  • Powers Service. This service manages and checks attributions within a signature policy management framework, or in relation to workflows involving the body's different roles (administrative posts, final signers by official appointment, managers, proxies, ...).
  • Custody Service. This service stores and retrieves documents held in the Evidence System (Cartulario). There are several types of custody with different access restrictions (or none). It uses the concept of the Secure Verification Code (CSV).
  • Interconnection Service with other Networks. This service obtains certificate validation information and other information from associated networks. In particular there are integrations with the SARA Network.
  • Schema validation services. Relating to exchanged documents, frequently in XML format, these validate that documents are well-formed and that their content is properly filled in. For example, the Facturae format in the case of electronic invoices.
  • Trustworthy Publication Service. This service provides certificates that reliably attest the moment at which documents are published on an Electronic Office. It uses the timestamping system and makes it possible to comply with article 42 of the Public Sector Contracts Law (for public administrations) or the rules on publishing notices of shareholders' meetings in the Companies Law (Ley de Sociedades de Capital, for the private sector).

There are also additional services that provide functionality located on client or server systems, accessible to other programs:

  • Client-side signing executable: lets a user sign documents using their key and digital certificate. Variants exist, such as the Java signer (websigner) and the desktop signer.
  • Modules that implement the functionality as an API (SDK) to be invoked by other applications in a client or server environment.

These concepts can be taken further and are covered in the seminar Electronic Signatures in SOA Architecture. I invite you to enrol.

Mass Digital Custody, one face of Big Data.


These days I am attending, as an investor, the discussions of EADTrust's specialists about the problem of managing large volumes of data.

Their discussions are technical, debating architectures, tools, database managers, availability of cloud file systems, backup mechanisms, archive and retrieval response times, redundancy, high availability, fault tolerance, addressing, ...

I contribute my bit from my experience with the IT systems of large organisations such as banks, telcos and payment authorisation centres, but I am beginning to understand that some of the problems they face are brand new.

Big data

Indeed, right about now the concept of "Big Data" has gained particular prominence, once the analysts identified it.

Large volumes of data have traditionally been managed under a philosophy of prioritised availability. The priority criterion generally consisted of having recent data available immediately, while older data was sent to secondary and tertiary archive systems. In large installations this meant robotic systems handling "containers" of data, frequently on magnetic sequential-access storage (tapes or systems evolved from them), essentially because the cost of random-access systems has traditionally been higher than that of sequential access.

For years, however, this has been changing and the cost of direct-access storage has plummeted. It is now more important to consider the reliability of systems and the probability of failures, with the consequent loss of information. Access speed takes on a different relevance, and redundancy through RAID systems becomes a requirement of new systems. Solid-state storage is no longer a promise and is part of the storage toolkit in contexts where speed and reliability come first and cost matters less.

But more and more data is generated, stored and processed, and more and more data must be available to more people and more devices accessing it. In the words of Eric Schmidt, Google's chief executive: "from the beginning of the world until 2003, five exabytes of information were generated. Now we create five exabytes every two days".

Recall that the exabyte is the unit of information storage (symbol EB) equivalent to 10^18 bytes, and that the sequence of storage units (in steps of a thousand, or of 1024 when the "bibyte" ending is used) is as follows: kilobyte (kB) 10^3, megabyte (MB) 10^6, gigabyte (GB) 10^9, terabyte (TB) 10^12, petabyte (PB) 10^15, exabyte (EB) 10^18, zettabyte (ZB) 10^21, yottabyte (YB) 10^24.

Big Data and the Electronic Cartulary

In management systems that handle electronic evidence, the challenges are even more demanding. The data must be available at the key moments when its evidential character is required, and this can entail liability in many cases.

A system such as the one managed by EADTrust requires many components: a PKI backing the identity of the various modules and participants; high-throughput timestamp generators synchronised with the ROA that provide timestamps to internal and external systems; structured logs that make it possible to locate evidence when disputes are resolved, frequently incorporated into operational records and expert reports; centralised signing servers generating XAdES-XL and PAdES-LTV signatures; HSMs (Hardware Security Modules) that guard the private keys; metadata handlers; and one of the key elements: the electronic cartulary.

The Electronic Cartulary is a Mass Digital Custody system of evidential character.

The Electronic Cartulary is the electronic equivalent, in a private system, of the Notarial Protocol kept by public notaries. It consists of an ordered collection of electronic documents, locatable by several criteria (especially the CSV, Secure Verification Code), which holds complementary information in static and dynamic metadata referring to aspects such as endorsability, obliterability and completeness (sometimes called the electronic staple).

The Electronic Cartulary consists of an Electronic Matrix of documents (to which the fuzzy concept of "original" could be understood to apply) and an index mechanism that makes it possible to locate them and act on them: adding layers, accessing their final content or one of their versions, making annotations, referencing other documents or referencing files (expedientes).

Philosophically, the cartulary must keep the information forever unless it must be deleted for legal reasons, and even then one must distinguish whether deletion means erasure or marking the document as inaccessible. Contractually, however, the information is kept only for the required period when the service is provided as digital custody for third parties.

And that is the challenge that excites EADTrust's engineers. The current volumes of documents and metadata managed in EADTrust's Electronic Cartulary make it possible to foresee that over the next five years the deployed infrastructure will have no management problems at normal service rates. But what will happen if the digital custody, trustworthy publication or trustworthy notification services have to handle transaction rates of tens or hundreds of millions of documents per year? Documents of 100 Kb or 10 Mb, with versions and links between them. With drawings, or administrative documents, or contracts, or messages, or attachments, or books, or minutes, ...

And the fact is that some of the clients we are talking to could easily generate those volumes of operations.

More references on Big Data
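As an added illustration of the cartulary described above, and of the hand-over document with integrity hashes mentioned in the CSV post, here is a toy Python register; it is not EADTrust's code and the post describes no concrete format. The CSV derivation, the electronic staple as a digest over an ordered file, obliteration as access blocking rather than erasure, and the transfer manifest that the receiving archive re-verifies are all assumed conventions of this example.

```python
"""Toy evidentiary register in the spirit of the electronic cartulary.

Added illustration, not EADTrust's code. Assumed conventions (not from the
post): the CSV is derived from the registration sequence number and the SHA-256
of the first version; the "electronic staple" over an ordered file is the
SHA-256 of its CSVs; a transfer manifest lists, per document, the CSV and the
digest of every version so the receiving archive can recheck integrity at
hand-over. Obliteration blocks access but never erases bytes.
"""
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    csv: str
    versions: list              # digests of every version, oldest first
    content: dict               # digest -> bytes: the electronic matrix
    endorsable: bool            # static metadata
    obliterated: bool = False   # dynamic metadata: access blocked, not erased


class Cartulario:
    def __init__(self) -> None:
        self._entries: dict = {}
        self._seq = 0

    def register(self, content: bytes, endorsable: bool = False) -> str:
        """Add a document to the matrix and return its CSV (assumed scheme)."""
        self._seq += 1
        digest = sha256_hex(content)
        csv = "CSV-" + sha256_hex(f"{self._seq}:{digest}".encode())[:20].upper()
        self._entries[csv] = Entry(csv, [digest], {digest: content}, endorsable)
        return csv

    def _entry(self, csv: str) -> Entry:
        if csv not in self._entries:
            raise KeyError(f"unknown CSV {csv}")
        return self._entries[csv]

    def add_version(self, csv: str, content: bytes) -> str:
        """Layer a new version onto a document; earlier versions are kept."""
        entry, digest = self._entry(csv), sha256_hex(content)
        entry.versions.append(digest)
        entry.content[digest] = content
        return digest

    def obliterate(self, csv: str) -> None:
        self._entry(csv).obliterated = True   # marked inaccessible, not erased

    def get(self, csv: str, version: int = -1) -> bytes:
        entry = self._entry(csv)
        if entry.obliterated:
            raise PermissionError(f"{csv} is obliterated: access blocked")
        return entry.content[entry.versions[version]]

    def staple(self, csvs: list) -> str:
        """Completeness control: one digest over the ordered file of CSVs."""
        return sha256_hex("|".join(self._entry(c).csv for c in csvs).encode())

    def transfer_manifest(self, csvs: list) -> dict:
        """What the transferring body hands to the long-term archive."""
        docs = [{"csv": c, "versions": list(self._entry(c).versions)} for c in csvs]
        digest = sha256_hex(json.dumps(docs, sort_keys=True).encode())
        # An RFC 3161 timestamp token would be requested over `digest`.
        return {"documents": docs, "staple": self.staple(csvs),
                "manifest_digest": digest}


def verify_transfer(manifest: dict, received: dict) -> list:
    """Receiving archive's check; `received` maps CSV -> list of version bytes.

    Returns the CSVs whose content disagrees with the manifest (empty = intact).
    """
    bad = []
    for doc in manifest["documents"]:
        blobs = received.get(doc["csv"])
        if blobs is None or len(blobs) != len(doc["versions"]):
            bad.append(doc["csv"])
        elif any(sha256_hex(b) != d for b, d in zip(blobs, doc["versions"])):
            bad.append(doc["csv"])
    recomputed = sha256_hex(json.dumps(manifest["documents"], sort_keys=True).encode())
    if recomputed != manifest["manifest_digest"]:
        bad.append("manifest")
    return bad


def demo() -> dict:
    """Register, version and hand over two constructed sample documents."""
    v1, v2, annex_doc = b"contract v1 (sample)", b"contract v2 (sample)", b"annex A (sample)"
    reg = Cartulario()
    contract = reg.register(v1, endorsable=True)
    annex = reg.register(annex_doc)
    reg.add_version(contract, v2)
    manifest = reg.transfer_manifest([contract, annex])
    intact = verify_transfer(manifest, {contract: [v1, v2], annex: [annex_doc]})
    tampered = verify_transfer(manifest, {contract: [v1, b"altered"], annex: [annex_doc]})
    return {"contract": contract, "annex": annex, "manifest": manifest,
            "intact": intact, "tampered": tampered}
```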

Electronic Signatures in SOA Architecture


On 17 November 2011 the course "Electronic Signatures in SOA Architectures. PKI Services", which I will teach together with Fernando Pino, will be held in Madrid. It is organised by Atenea Interactiva.

An excellent opportunity to learn how server-side electronic signing is managed so that company or public administration signature policies can be applied securely. Significant cost savings and improved security compared with the use of signing cards that get shared or lost. And with best practices for managing automated electronic signatures.

Programme of the Seminar Electronic Signatures in SOA Architecture

1. Service-oriented Architecture

  • Introduction to SOA
  • Description of typical SOA environments

2. Meeting obligations with SOA

  • Private sector: meeting the electronic communication (Interlocución Telemática) obligations of Law 56/2007 with SOA
  • Public sector: meeting the e-government obligations of Law 11/2007 with SOA
  • Signed electronic invoice.

3. Electronic Signature and PKI Concepts

  • Properties of the Electronic Signature
  • Cryptographic Concepts
  • Electronic Certificates. Types
  • The Electronic Signature process
  • Legislation

4. The Electronic Signature as an Architecture Element

  • The Electronic Signature as a service
  • Signing and Validation Servers
  • Centralised key repositories
  • Deploying internal PKIs
  • Cryptographic devices. HSM

5. Advanced PKI Services

  • Remote signatures and signature "upgrade"
  • Centralised signature and certificate Validation Services. CRL, OCSP, SCVP
  • Timestamping Services
  • Signing in mobile environments: possible approaches
  • Digitised handwritten signature and advanced PKI services. A necessary union

6. Signature formats and standards

  • "Legal" signature types
  • Basic formats
  • AdES formats. XAdES, CAdES and PAdES
  • The DSS (Digital Signature Services) standard. Description and profiles
  • Long-lived signatures: the importance of the signature in document preservation
  • The importance of signature policies

7. Electronic Signature and Identity in Public Administrations

  • The Electronic Signature in Law 11/2007, the ENI and the ENS. Standard CCN-STIC-807
  • Automated signing processes. Organisational seal and CSV
  • Signing and Validation Services available to Public Administrations
  • Digital Identity and Public Administration
  • Signature policies in public administrations. Description and Design
  • Interoperability. TSLs. The Stork project

Electronic Signatures and Digital Diplomatics – Seminar for the Archivists of Navarre


Next Friday, 11 November 2011, from 9:30 to 14:30, I will give a seminar on Electronic Signatures and Digital Diplomatics at the Civivox de Iturrama, calle Esquíroz 24, Pamplona, sponsored by the Asociación de Archiveros de Navarra.

These are the topics I will cover:

1. Concepts of Diplomatics

  • Archival science, Palaeography, Sigillography
  • Cartularies, Diplomatic Codices, Tumbos, Becerros
  • Authenticity of paper documents
  • Parts of a document
  • Types of documents

2. Legal Framework

  • Regulations relating to archives
  • Regulations relating to the Electronic Signature
  • E-Government regulations
  • Regulations on Electronic Contracting
  • Standards applicable to Electronic Records Management

3. Digital Diplomatics

  • Authenticity of Electronic Documents. Obliterability, Endorsability, Completeness
  • Digital Custody. Digital Cartulary. Archive of Electronic Evidence. Verification code
  • Coexistence of Electronic and paper Documents. Albalá, verifiable copy, Certified Digitisation. Locator

4. Electronic signature

  • Technical description of the Electronic Signature.
  • Legal description of the Electronic Signature. Advanced Signature. Recognised Signature
  • Certification service providers in Spain and in Europe
  • Basic, Timestamped and Complete Signatures. Long-term preservation of signatures
  • Timestamping. Checking certificate validity (CRL, OCSP)
  • Secure signature creation devices.

5. Records Management in the Public Sector

  • Electronic Office. Secure verification code
  • Incoming register, outgoing register, electronic register, interconnection of registers. SICRES
  • Electronic File
  • Document Digitisation
  • Interoperability of Records Management between Administrations
  • Document classification. Metadata
  • Trustworthy Notifications. Mandatory Notifications

6. Records Management in the Private Sector

  • Contracts. Electronic Novation. Giving consent
  • Certified Digitisation of invoices. Certified Digitisation of other document types
  • Use of the Electronic Signature. Requirements for digitised handwritten signatures to be considered advanced Electronic Signatures. Digitising tablets, electronic pens
  • Trustworthy Notifications. Certified Email.

It is a pleasure that the Archivists of Navarre thought of me for this. Being a "prophet in one's own land" is not common.

Depósito Legal


En el mismo BOE en el que se publicaron recientemente las normas técnicas de interoperabilidad, se ha publicado la Ley 23/2011, de 29 de julio, de depósito legal, que entrará en vigor el 30 de enero de 2012.

El patrimonio bibliográfico, sonoro, visual, audiovisual y digital de las culturas de España es uno de los más ricos y representativos del mundo y debe ser preservado en beneficio de las generaciones presentes y futuras. Para que éste pueda ser accesible a todos los ciudadanos y contribuya al desarrollo cultural, social y económico de España como sociedad libre y democrática, es preciso contar con la colaboración de editores, impresores, productores, así como del mundo bibliotecario, cuya actuación conjunta resulta imprescindible para conservar ese patrimonio, en unos casos, cediendo en depósito a las Administraciones Públicas ejemplares o copias de todos los recursos de información creados en cualquier soporte o medio que se distribuya públicamente, y en otros, gestionando la accesibilidad universal a esos recursos.

Inicialmente concebido sólo como una figura de control bibliográfico nacional, el depósito legal ha pasado a configurarse en los Estados democráticos como un servicio público gratuito al sector editorial para suministrar originales de obras en dominio público, y como una garantía de la libertad de expresión y del acceso a la información de los ciudadanos y, con el advenimiento de la sociedad del conocimiento, como una pieza del desarrollo económico y social de un país.

La figura del depósito legal fue introducida en España por primera vez en 1616 para las obras impresas en la Corona de Aragón y en 1619 para las obras impresas en la Corona de Aragón y el Reino de Castilla, cuando Felipe III, por Real Decreto de 12 de enero, concede a la Real Biblioteca de El Escorial el privilegio de recibir un ejemplar de cuantos libros se imprimiesen. Felipe V amplía este privilegio mediante Real Cédula de 26 de julio de 1716, a la recién fundada Librería Real, hoy Biblioteca Nacional de España.

Desde aquella fecha ha sido una preocupación constante el cumplimiento de esta obligación, dando lugar a diversas y sucesivas disposiciones. El Decreto de 23 de diciembre de 1957 amplió la variedad de los materiales sujetos al depósito legal y previó la incorporación de otros recursos entonces inexistentes. Con el número de depósito legal y el sistema administrativo desarrollado para su control, se consiguió por primera vez un cumplimiento eficaz del depósito de los materiales.

En el ámbito internacional han sido varios los estudios auspiciados por la UNESCO, siempre en la línea de la profundización y universalización del depósito legal, así como la actividad llevada a cabo en el mismo sentido y sistemáticamente por la Federación Internacional de Asociaciones e Instituciones Bibliotecarias (IFLA).

Asimismo, las formas de expresión intelectual y artística han evolucionado, se han creado nuevos medios de publicación y hoy en día las publicaciones electrónicas forman parte habitual de muchos patrimonios nacionales de obras publicadas, haciendo imprescindible la revisión de las normativas sobre depósito legal.

Como novedad en el caso que nos ocupa cabe resaltar que la ley introduce un cambio de adaptación a la realidad del mundo de las publicaciones, que se basa en el nuevo papel que se atribuye al editor. La presencia del editor como sujeto depositante principal va a significar una gran mejora de las colecciones custodiadas por los centros depositarios, ya que permitirá que los documentos ingresen íntegros, que las publicaciones seriadas no queden faltas de fascículos y, finalmente, que se ingrese todo lo que se edita en España, aun cuando no haya sido producido en su territorio. Además, permitirá que las colecciones de las bibliotecas autonómicas respondan a su realidad editorial.

Por otra parte, conviene insistir en las ventajas que el depósito legal tiene para los obligados a constituirlo, dada su repercusión en el incremento de la visibilidad y publicidad de sus publicaciones, el mejor control bibliográfico que proporciona y la garantía a largo plazo de la disponibilidad de su material, lo que puede tener notable valor cuando el original se ha perdido o destruido.

Debe también destacarse que se ha buscado compatibilizar la prestación del servicio público de la institución jurídica del depósito legal con la reducción de las cargas administrativas al disminuir sustancialmente el número de ejemplares que el sector editorial debe aportar a la Administración.

Otro aspecto novedoso de esta ley es que contempla el depósito de los nuevos soportes de la edición y de los documentos en red. En el ámbito de la Unión Europea se ha propuesto y recomendado la adopción de iniciativas por los Estados miembros en el campo de la conservación digital del material cultural. Las instituciones de la Unión han advertido sobre los desafíos que plantea el depósito del patrimonio bibliográfico, sonoro, visual, audiovisual y digital en un entorno digital y han propuesto soluciones cuyo objetivo es la exploración de nuevas técnicas de recogida de material en línea con fines de difusión y conservación.

En este contexto, la Estrategia Europa 2020 y sus iniciativas emblemáticas, entre otras, la Agenda Digital Europea y la Estrategia de Innovación, recogen el impulso que desde las principales instituciones europeas se pretende dar a la conservación de contenidos digitales con vistas a garantizar su acceso a las generaciones futuras. De este modo, en esta ley se contemplan los supuestos tanto de las publicaciones en forma de ejemplares digitales tangibles, como las publicaciones difundidas únicamente a través de redes electrónicas.

In Spain, the need to renew the regulatory content is compounded by the need to adapt the legal framework of legal deposit to the State of the Autonomies and to the distribution of powers between the State and the Autonomous Communities. Likewise, Law 10/2007, of 22 June, on Reading, Books and Libraries, highlighted the importance of drafting a law on the matter adapted to these new circumstances. Thus, its first additional provision states that the Government, within a maximum of one year, will submit a bill to adapt the legislation in force to the reality of the State of the Autonomies, the emergence of new media and the changes in the publishing sector.

From an archival point of view, great news.

The law introduces a number of definitions that are compatible with other regulatory developments currently under way:

  • Document: Any information or content, whatever its medium or format, and whatever its nature or the form of expression used (graphic, sound, visual, audiovisual, multimedia, etc.).
  • Electronic document: Information or content of any kind on an electronic medium, stored in a given format and capable of being identified and processed as a distinct unit.
  • Internet domain: The space on the Internet belonging to a company, organisation or natural person, associated with a name or an address, which makes its information or content, products or services accessible.
  • Edition: All the copies of a bibliographic, sound, visual, audiovisual or digital resource produced substantially from the same original and published by the same agency or group of agencies or by a person.
  • Parallel edition: The set of copies of a document which, with the same content, are published on different media, such as a journal on paper and on microfiche, or a database on CD and online.
  • Publisher: A natural or legal person who, on their own account, selects or conceives literary, scientific or other works of any subject matter and carries out or commissions the industrial processes for turning them into a book or other resource, whatever its medium, with a view to its publication and dissemination or communication.
  • Copy: Each complete unit within an edition.
  • Print on demand: A copy or copies of an edition produced to meet specific orders.
  • Printer: A natural or legal person who, having the necessary facilities and technical means, is engaged exclusively or principally in producing and printing books on paper or on any other readable medium.
  • Book: A scientific, artistic, literary or other work that constitutes a unitary publication in one or more volumes and that may appear in print or on any readable medium. For the purposes of this Law, the definition of book includes electronic books and books published or disseminated over the Internet or on any other medium that may appear in the future, the complementary printed, visual, audiovisual or sound materials published together with the book and sharing its unitary character, and any other editorial manifestation.
  • Masthead: The place in a periodical publication that gives the main identifying details of the publication.
  • Producer: A natural or legal person who takes the initiative, the coordination and the economic risk of producing sound, visual, audiovisual or digital works and content.
  • Electronic publication: Information or content of any kind, on an electronic medium, stored in a given format and capable of being identified and processed as a distinct unit, that is disseminated.
  • Periodical publication: Any publication of any kind that appears, is distributed or communicated on a continuing basis with an established periodicity.
  • Serial publication: Any scientific, literary or other work that appears or is communicated on a continuing basis, published in a succession of separate issues or parts, normally numbered, with no predetermined end.
  • Resource: An entity, tangible or intangible, that embodies intellectual, artistic or other content and that is conceived, produced or published as a unit.
  • Continuing resource: A publication issued over time with no predetermined end. It includes serial publications and ongoing integrating resources.
  • Integrating resource: A publication that is completed or modified by means of updates that do not remain separate but are integrated into a whole. They may be finite or continuing. Updatable loose-leaf publications and updatable websites are integrating resources.
  • Multimedia resource: A resource made up of two or more different media, or of different forms of the same medium, designed to be used as a unit.
  • New edition: An edition that differs from earlier ones through certain changes introduced in the content or presentation.
  • Website: An electronic access point made up of one or more electronic pages grouped under an Internet domain.
  • Tangible medium: The physical medium of a work or content, such as paper, disc, etc.
  • Non-tangible medium: The virtual medium of a work or content disseminated through electronic networks.
  • Version: A form of a document that has been modified without changing its identity.

Among the documents subject to deposit, the following are worth highlighting:

k) sound documents,

l) audiovisual documents,

m) microforms,

n) electronic documents on any medium that the state of the art allows at any given time and that are not freely accessible over the Internet,

ñ) websites that can be fixed or recorded, whose content may vary over time and that can be copied at a given moment,

o) a new copy of the complete documents, in the original version, of every cinematographic film, documentary or fiction, made by a producer domiciled, resident or with a permanent establishment in Spanish territory, together with a copy of the corresponding advertising material.

The following publications are not subject to legal deposit:

a) documents of the Public Administrations of an internal nature or liable to be included in administrative files,

b) documents of institutions and organisations, including businesses, that deal solely with internal matters and are addressed to their own staff, such as circulars, instructions or procedure manuals,

c) publications intended for promotion or transfer competitions of the corps or grades of the various public administrations,

d) postage stamps,

e) social stationery such as wedding and christening invitations, death notices, business cards, identity cards, certificates or diplomas,

f) office forms, forms including official ones, and blank questionnaires and surveys, unless they complement a work of technical or scientific content, for example a volume consisting of a collection of forms that accompanies a book on administrative procedure,

g) print-on-demand publications,

h) press dossiers,

i) commercial advertising leaflets,

j) commercial catalogues of all kinds,

k) calendars and diaries,

l) three-dimensional objects, even when they accompany a main document,

m) instruction manuals for objects, household appliances, machinery or the like,

n) any output of a computer system that contains data affecting the privacy of natural or legal persons, and any output covered by personal data protection legislation, and

ñ) audiovisual programmes broadcast by providers of audiovisual communication services, unless they are distributed.

Constitution of the deposit of electronic publications.

1. Every electronic publication shall be deposited in such a way that no key of any kind is required to read it, together with all its manuals and, where applicable, the software that accompanies it, solely for research and preservation purposes.

2. The depositing party is obliged to provide the information needed to transfer the data from the original medium to the preservation medium.

3. Electronic publications whose use expires over time shall be delivered in such a way that they can be consulted without any time limit.

Within a maximum of one year the Government, on the proposal of the Minister of Culture, shall regulate by Royal Decree, within its powers and after consulting the Autonomous Communities and the sectors concerned, the procedure for constituting the deposit of electronic publications.

Here I have my doubts, because the Government or the heads of the Ministries involved do not usually meet their deadlines. I still remember the deadlines for mandatory electronic invoicing.

BackTrust features

BackTrust is a platform of services (SOA) associated with electronic signature that can be used in eGovernment environments and also in the private sector, within the framework of the obligations of electronic interaction (Interlocución Telemática).

It is a product of Albalia Interactiva, with versions for Mainframe platforms (System z), Linux environments and Windows Server environments.

Among the services BackTrust provides, the following are worth mentioning:

  • Signature Service (DSS). The automated signing service signs XML and PDF documents, with XAdES and PAdES signatures respectively. Documents of other types can be encapsulated in CAdES or XAdES signatures, although they will then require verification services compatible with the encapsulation technique used. This service also verifies the signatures of documents that are already signed. It allows different keys and certificates, associated with different policies, to be used; these are managed centrally in an HSM (Hardware Security Module). It is used, for example, to automate the use of organisational seals (sellos de órgano).
  • Client-side signing executable: lets a user sign documents with their own key and digital certificate. There are two variants: a Java signer (websigner) and a desktop signer.
  • Timestamping Service. This service issues and verifies time-stamps over the RFC 3161 protocol and/or a web service (DSS). When used with a TSU certificate from an appropriate CA, under a management agreement, these time-stamps can have legal value. The system supports clock synchronisation via NTP (against ROA, the Real Instituto y Observatorio de la Armada, Spain's national time reference), GPS and DCF77.
  • Advanced Certificate Validation Service. This service checks the validity of a certificate and extracts the information it contains about its holder (name and surname, NIF/CIF, e-mail address, etc.).
  • Copy Service. This service adds graphical information (a QR code) about an electronic signature onto a verifiable copy of an electronic document (albalá), making later verification of printed electronic documents easier.
  • Powers Service (Potestades). This service manages and checks attributions within a signature-policy management framework, or in relation to process flows (workflows) involving the organisation's different roles (administrative posts, final signatories by official appointment, managers, proxies, ...).
  • Custody Service. This service stores and retrieves documents held in the Records System (Cartulario). There are several types of custody with different access restrictions (or none). It uses the concept of Secure Verification Code (Código Seguro de Verificación, CSV).
  • Interconnection Service with other networks. This service obtains certificate validation information and other information from associated networks. In particular there are integrations with the SARA network and with the revoked-certificate information access system defined by the AEAT (ycaestec).
  • Trustworthy Publication Service. This service produces certificates that reliably attest the moment at which documents are published on an electronic office (Sede Electrónica). It uses the time-stamping system and supports compliance with article 42 of the Public Sector Contracts Law (for public administrations) or the rules on publishing notices of general meetings in the Capital Companies Law (for the private sector).

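The certificate validation service above does two things in a fixed order: it first decides whether the certificate is acceptable and only then reads the holder data out of it. The following Go program is an added example of that ordering written against the standard library; it is not BackTrust code nor anything from Albalia. It builds a chain from the end-entity certificate to a trust anchor as of a chosen instant, refuses keys whose key usage lacks digitalSignature, and then extracts the holder's name, NIF and e-mail. It assumes, as Spanish CAs commonly do, that the NIF/CIF travels in the subject serialNumber attribute, optionally prefixed with the ETSI EN 319 412-1 semantics identifier "IDCES-". The test root CA, the person, the NIF and the e-mail address are constructed fixture data, and the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// HolderInfo is returned only after the certificate has been accepted.
type HolderInfo struct {
	Name  string
	NIF   string // subject serialNumber (assumption: the NIF/CIF lives there)
	Email string // rfc822Name taken from subjectAltName
}

// ValidateAndExtract chains the DER end-entity certificate to the trusted
// roots as of `at`, requires a signing-capable key, then extracts holder data.
// Nothing is extracted from a certificate that fails validation.
func ValidateAndExtract(der []byte, roots *x509.CertPool, at time.Time) (HolderInfo, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return HolderInfo{}, fmt.Errorf("parse: %w", err)
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at, // validity windows of the whole chain are evaluated at this instant
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, // EKU the caller's use requires
	})
	if err != nil {
		return HolderInfo{}, fmt.Errorf("chain validation failed: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return HolderInfo{}, errors.New("key usage lacks digitalSignature")
	}
	info := HolderInfo{
		Name: cert.Subject.CommonName,
		// Assumption: NIF/CIF in serialNumber, sometimes with the "IDCES-" prefix.
		NIF: strings.TrimPrefix(cert.Subject.SerialNumber, "IDCES-"),
	}
	if len(cert.EmailAddresses) > 0 {
		info.Email = cert.EmailAddresses[0]
	}
	return info, nil
}

// must panics on fixture-building errors (constructed test data only).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildFixture mints a self-signed test root plus a holder certificate it
// signs, valid in [notBefore, notAfter]. Constructed test data, not a real CA.
func BuildFixture(notBefore, notAfter time.Time) ([]byte, *x509.CertPool) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: notBefore.Add(-24 * time.Hour), NotAfter: notAfter.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: notBefore, NotAfter: notAfter,
		// Constructed holder: the NIF below is a made-up but well-formed example.
		Subject:        pkix.Name{CommonName: "JUAN EJEMPLO PEREZ", SerialNumber: "IDCES-12345678Z"},
		EmailAddresses: []string{"juan.ejemplo@example.org"},
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	must(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leafDER, roots
}

func main() {
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	der, roots := BuildFixture(nb, nb.AddDate(2, 0, 0))
	for _, at := range []time.Time{nb.AddDate(1, 0, 0), nb.AddDate(3, 0, 0)} { // inside / after window
		info, err := ValidateAndExtract(der, roots, at)
		fmt.Printf("%s: %+v err=%v\n", at.Format("2006-01-02"), info, err)
	}
}
```

Two things the block leaves out on purpose. Revocation status is not checked: Go's Verify does not consult CRLs or OCSP, which is exactly the information the interconnection service above fetches from the SARA network or the AEAT system, so a production validator has to add that step between chain validation and extraction. And the evaluation instant is a parameter rather than time.Now(), because verifying a signature made years ago must be done against the certificate's validity at the time attested by the time-stamp, not at the moment of verification.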
Besides the availability of these functions as SOA services, there are modules that provide the same functions as an API (SDK) to be invoked by other applications in client or server environments. In particular, in EDITRAN environments, this allows messages exchanged between platforms of different technologies to be signed and their signatures verified.
