IS 18595 : 2024 Electronic Signatures and Infrastructures (ESI) - Policy and Security Requirements for Applications for Signature Creation and Signature Validation

ICS 35.020

SSD 10

1 SCOPE

This standard provides general security and policy requirements for applications for signature creation, validation and augmentation.

The present standard is primarily relevant to the following stakeholders:

 a) Implementers and providers of applications for signature creation, signature validation and/or signature augmentation, who need to ensure that relevant requirements are covered; and

 b) Stakeholders that integrate applications for signature creation, signature validation and/or signature augmentation components with business process software (or use standalone software), and who want to ensure that the overall signature creation/validation/augmentation process functions properly and that signature creation/validation is performed in a sufficiently secure environment.

The present standard is applicable to these stakeholders, and to their evaluators (for a self-evaluation or an evaluation by a third party), so that they have a list of criteria against which to check the implementation.

The requirements cover applications for signature creation, signature validation and/or signature augmentation, such as the implementation and provision of the Signature Creation Application/Signature Validation Application/Signature Augmentation Application (SCA/SVA/SAA) modules, the Driving Application (DA), the communication between the SCA and the signature creation device (SCDev) and the environment in which the SCA/SVA/SAA is used.

It also specifies user interface requirements; the user interface may be part of the SCA/SVA/SAA or of the DA that calls the SCA/SVA/SAA. Any entity using SCA/SVA/SAA components in its business process acts as the driving application.

The standard covers:

 a) Legal driven policy requirements;

 b) Information security (management system) requirements;

 c) Signature creation, signature validation and signature augmentation processes requirements;

 d) Development and coding policy requirements; and

 e) General requirements.

Protection Profiles (PP) for signature creation applications and signature validation applications are out of scope and are defined in the CEN standard 'Protection Profiles for Signature Creation and Validation Applications' CEN EN 419 111.

2 REFERENCES

The standards listed in Annex A contain provisions which, through reference in this text, constitute provisions of this standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of these standards.

IS No./Other Publications    Title
IS 17802 (Part 1) : 2021 Accessibility for the ICT products and services : Part 1 requirements
IS/ISO 8601-1 : 2019 Date and time representations for information interchange : Part 1 Basic rules
IS/ISO/IEC 27000 Information technology — Security techniques — Information security management systems — Overview and vocabulary (first revision)
IS/ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements (first revision)
IS/ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security management
ISO/IEC 15504 Information technology — Process assessment
CEN EN 419 111 Protection profiles for signature creation and validation applications
CEN EN 419 241 Security requirements for trustworthy systems supporting server signing
ETSI EN 319 122 (all parts) Electronic Signatures and Infrastructures (ESI); CAdES digital signatures
ETSI EN 319 132 (all parts) Electronic Signatures and Infrastructures (ESI); XAdES digital signatures
ETSI EN 319 142 (all parts) Electronic Signatures and Infrastructures (ESI); PAdES digital signatures
ETSI EN 319 162 (all parts) Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC)
ETSI EN 319 401 Electronic Signatures and Infrastructures (ESI); General policy requirements for trust service providers
ETSI TR 119 001 Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures; Definitions and abbreviations
ETSI TS 119 102 (all parts) Electronic Signatures and Infrastructures (ESI); Procedures for creation and validation of AdES digital signatures
ETSI TS 119 104 (all parts) Electronic Signatures and Infrastructures (ESI); General requirements on testing conformance and interoperability of signature creation and validation
ETSI TS 119 124 (all parts) Electronic Signatures and Infrastructures (ESI); CAdES digital signatures testing conformance and interoperability
ETSI TS 119 134 (all parts) Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signature (XAdES) testing compliance and interoperability
ETSI TS 119 144 (all parts) Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature (PAdES) testing compliance and interoperability
ETSI TS 119 164 (all parts) Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC) testing compliance and interoperability