cen/isss task 2. e-invoicing & e-signatures
Post on 20-Aug-2015
e-Invoicing & e-Signatures
Georg Lindsberger
CEN/ISS EUROPEAN WORKSHOP
April 2006, Brussels
Agenda
Part 1: Issuing and receiving electronically signed invoices
Part 2: Advanced Electronic Signature used for electronic invoices
Part 3: Verification and documentation of the integrity and authenticity
Basic Legal Requirements
Authenticity of the origin and integrity of the contents of electronic invoices have to be guaranteed
Member States may however ask for the advanced electronic signature to be based on a qualified certificate and created by a secure signature creation device
Storage: authenticity of the origin and integrity of the content of the invoices, as well as their readability, must be guaranteed throughout the storage period
Service providers: seller, buyer or third party (i.e. service provider) is enabled to issue an electronic invoice
Invoice formats: formats of the electronic invoices are not specified in the Directive, but in certain Member States legal obligations exist that the electronic invoice has to be machine readable
Issuing e-Invoices
1. Generation of the electronic invoices;
2. Generation of the electronic signatures for the invoices;
3. Archiving the electronically signed invoices;
4. Transmitting the electronically signed invoices to the customers/suppliers
Service Provider Requirements
Receiving e-Invoices
1. Signature verification
2. Documentation of the integrity and authenticity
3. Archiving the electronically signed invoices
Pre-conditions
Signature generation: it must be possible to generate the signatures for electronic invoicing in a batch process
Storage: additional information should be added ensuring the invoice was valid at issuance time - verification data
Invoice formats: static non-modifiable document formats are highly recommended; some applicable laws outright forbid the use of macros and hidden codes
Service Provider: a third party is empowered to endorse the signature of such an invoice with its own certificate; service providers should be able to sign the invoices using their own signing key pair
Advanced Electronic Signature Used for Electronic Invoices
AdES Bound to a Person
Using advanced electronic signatures within the meaning of Article 2 (2) of Directive [1] means that an electronic signature has to be bound to a person
The electronic signature for an electronic invoice can be the signature of a natural or legal person, according to applicable law
If the electronic signature is that of a natural person, it should be supplemented with information that the natural person has acted on behalf of the company issuing the invoices; this should be specified in the certificate.
For example, the invoice issuing company might be specified in the “organizationName”
Electronic Seals
Where qualified signatures are requested by a national legislation, they cannot be given the meaning of commitment to the content of the electronic invoice
Only the purpose of guaranteeing the invoice's authenticity and integrity can be assigned to qualified electronic signatures in the domain of e-invoicing
For the purposes of the Directive 2001/115/EC, the term “electronic signature” has the meaning of “electronic seal”
Batch e-Invoice Signing
Without the meaning of commitment to the content, it is easier to deal with batch e-invoice signing.
AdES do not strictly require private keys to be generated and kept in hardware devices, while QES provide this feature as a basic distinction
Certificate Extensions & Policies
Service providers should use the certificate extension EinvoicingServiceProvider
Certificates used for electronic invoicing should make use of the certificate extension ElectronicInvoicing
The proposed policy recommendations for electronic invoice certificates should be implemented
Extended key usage: id-kp-eInvoicing. This extension SHOULD be non-critical
Verification and Documentation of the Integrity and Authenticity
Verification
Authentication and integrity have to be guaranteed over the whole storage period of invoices, which can be from 5 to 11 years
Electronic invoice storage systems must ensure that the electronic signature stays verifiable over the years
Without the addition of relevant data, such as revocation information and information on when, or before when, the signature itself was created, the electronic signature could not be verified in the future
Organisational Measures vs. Technical Measures
Facts
Storage Requirements (trust levels TL-1, TL-2, TL-3):
Basic invoice signature storage
Apply and store TST on the ES; or countersign the invoice and apply a TST and store the whole of it; or implement equivalent measures
Fetch and store certificate path, suitable certificate revocation information for the entire certificate path (CRL/OCSP responses), TST chain, TST certificate path, suitable TST certificate revocation information for the TST certificate path (CRL/OCSP responses)
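
Added example (not part of the original slides): a Python model of the verification and storage slides above, showing why a signature whose certificate has expired stays verifiable only if a TST and revocation information were archived with it. The record layout, field names and sample dates are assumptions constructed for illustration; the model covers a single TST rather than a TST chain and performs no cryptographic checks.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def check_path(label, path, at, problems):
    """Check one stored certificate path against the reference time `at`."""
    if not path:
        problems.append(f"{label}: certificate path not stored")
    for c in path:
        name = f"{label}/{c['subject']}"
        if not c["not_before"] <= at <= c["not_after"]:
            problems.append(f"{name}: not valid at reference time")
        rev = c.get("revocation")  # stored CRL or OCSP response, if any
        if rev is None:
            problems.append(f"{name}: no CRL/OCSP response stored")
        elif rev["revoked_at"] is not None and rev["revoked_at"] <= at:
            problems.append(f"{name}: revoked before reference time")

def check_archive_record(rec, now):
    """List what blocks verification of an archived invoice signature at `now`."""
    problems = []
    tst = rec.get("tst")  # time-stamp token (TST) applied to the signature
    if tst is None:
        # No proof of signing time: the signer's path can only be judged at `now`.
        problems.append("no TST: signing time cannot be proven")
        check_path("signer", rec.get("cert_path", []), now, problems)
    else:
        # The TST proves the signature existed at gen_time; its own path is judged at `now`.
        check_path("signer", rec.get("cert_path", []), tst["gen_time"], problems)
        check_path("tst", tst.get("cert_path", []), now, problems)
    return problems

def cert(subject, start, end, revoked_at=None, with_rev=True):
    """Constructed sample entry (assumed layout, not parsed from real X.509)."""
    c = {"subject": subject, "not_before": start, "not_after": end}
    if with_rev:
        c["revocation"] = {"revoked_at": revoked_at}
    return c

# Constructed sample: invoice signed in 2006, checked in 2014.
SIGNER = [cert("Invoice Issuer", utc(2005, 1, 1), utc(2008, 1, 1)),
          cert("Issuing CA", utc(2000, 1, 1), utc(2020, 1, 1))]
TSA = [cert("TSA", utc(2005, 1, 1), utc(2016, 1, 1)),
       cert("TSA CA", utc(2000, 1, 1), utc(2020, 1, 1))]
COMPLETE = {"cert_path": SIGNER, "tst": {"gen_time": utc(2006, 4, 1), "cert_path": TSA}}
BASIC = {"cert_path": SIGNER}  # signature and certificate path only, no TST
if __name__ == "__main__":
    for name, rec in (("complete", COMPLETE), ("basic", BASIC)):
        print(name, check_archive_record(rec, utc(2014, 4, 1)))
```

The complete record reports no problems in 2014 although the signer's certificate expired in 2008, while the basic record fails because nothing proves the signature existed while that certificate was valid.
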
Facts
Ensuring stored invoices are long-term valid depends on both organisational and technical measures
Depending on the trust level of the organisation, additional technical measures should be applied
Resume
Requirements for e-signatures for e-invoices are clarified (incl. electronic seals)
Certificate extensions proposed to ease the processing of the signatures on e-invoices
Clarified verification process
Q&A