2. Agenda
Part 1: Issuing and receiving electronically signed invoices
Part 2: Advanced Electronic Signature used for electronic invoices
Part 3: Verification and documentation of the integrity and authenticity
CEN/ISS EUROPEAN WORKSHOP. April 2006, Brussels
3. Basic Legal Requirements
Authenticity of the origin and integrity of the contents of electronic invoices have to be guaranteed
Member States may however ask for the advanced electronic signature to be based on a qualified certificate and created by a secure signature creation device
Storage:
Authenticity of the origin and integrity of the content of the invoices, as well as their readability, must be guaranteed throughout the storage period
Service providers:
Seller, buyer or a third party (i.e. a service provider) is enabled to issue an electronic invoice
Invoice formats:
Formats of the electronic invoices are not specified in the Directive, but in certain Member States legal obligations exist that the electronic invoice has to be machine readable
4. Issuing e-Invoices
1. Generation of the electronic invoices;
2. Generation of the electronic signatures for the invoices;
3. Archiving the electronically signed invoices;
4. Transmitting the electronically signed invoices to the customers/suppliers
[Diagram labels: Service Provider, Requirements]
5. Receiving e-Invoices
1. Signature verification
2. Documentation of the integrity and authenticity
3. Archiving the electronically signed invoices
6. Pre-conditions
Signature generation:
It must be possible to generate the signatures for electronic invoicing in a batch process
Storage:
Additional information should be added ensuring the invoice was valid at issuance time - verification data
Invoice formats:
Static non-modifiable document formats are highly recommended
Some applicable laws outright forbid the use of macros and hidden codes
Service Provider:
A third party is empowered to endorse the signature of such an invoice with its own certificate
Service providers should be able to sign the invoices using their own signing key pair
8. AdES Bound to a Person
Using advanced electronic signatures within the meaning of Article 2 (2) of Directive [1] means that an electronic signature has to be bound to a person
The electronic signature for an electronic invoice can be the signature of a natural or legal person, according to applicable law
If the electronic signature is that of a natural person, it should be supplemented with information that the natural person has acted on behalf of the company issuing the invoices; this should be specified in the certificate.
For example, the invoice issuing company might be specified in the “organizationName”
9. Electronic Seals
Where qualified signatures are requested by national legislation, they cannot be given the meaning of commitment to the content of the electronic invoice
Only the purpose of guaranteeing the invoice's authenticity and integrity can be assigned to qualified electronic signatures in the domain of e-invoicing
For the purposes of the Directive 2001/115/EC, the term “electronic signature” has the meaning of “electronic seal”
10. Batch e-Invoice Signing
Without the meaning of commitment to the content, it is easier to deal with batch e-invoice signing.
AdES do not strictly require private keys to be generated and kept in hardware devices, while QES provide this feature as a basic distinction
11. Certificate Extensions & Policies
Service providers should use the certificate extension EinvoicingServiceProvider
Certificates used for electronic invoicing should make use of the certificate extension ElectronicInvoicing
The proposed policy recommendations for electronic invoice certificates should be implemented
Extended key usage: id-kp-eInvoicing. This extension SHOULD be non-critical
13. Verification
Authentication and integrity have to be guaranteed over the whole storage period of invoices, which can be from 5 to 11 years
Electronic invoice storage systems must ensure that the electronic signature stays verifiable over years
Without the addition of relevant data, such as revocation information and information on when, or before when, the signature itself was created, the electronic signature could not be verified in the future
15. Facts
TL-1 TL-2 TL-3
Storage Requirements
Basic invoice signature storage
Apply and store TST on the ES; or countersign the invoice and apply a TST and store the whole of it; or implement equivalent measures
Fetch and store certificate path, suitable certificate revocation information for the entire certificate path (CRL/OCSP responses), TST chain, TST certificate path, suitable TST certificate revocation information for the TST certificate path (CRL/OCSP responses)
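
Added example (not part of the original slides): a Python check that reports which of the storage items listed above are missing from a stored invoice record, so that gaps are found at archiving time rather than years later. The record layout, field names and sample values are assumptions, as is the rule that CRL/OCSP data must be produced at or after the TST time.

```python
from datetime import datetime

# Constructed model: a certificate is (subject, issuer, not_before, not_after);
# a stored CRL/OCSP response is (subject_covered, produced_at, revoked).
# Field names and the record layout are assumptions made for this example.

def check_path(label, path, revocation, tst_time):
    """Return the gaps that would stop `path` from being verifiable later."""
    gaps = []
    if not path:
        return [f"{label}: certificate path not stored"]
    for i, (subject, issuer, not_before, not_after) in enumerate(path):
        is_anchor = i == len(path) - 1
        if not is_anchor and issuer != path[i + 1][0]:
            gaps.append(f"{label}: path broken after {subject}")
        if not (not_before <= tst_time <= not_after):
            gaps.append(f"{label}: {subject} not valid at time-stamp time")
        if is_anchor:
            continue  # trust anchors are trusted directly, no CRL/OCSP expected
        # Assumption: revocation data must be produced at or after the TST time,
        # otherwise it cannot show the status at the moment of signing.
        usable = [r for r in revocation if r[0] == subject and r[1] >= tst_time]
        if not usable:
            gaps.append(f"{label}: no usable CRL/OCSP for {subject}")
        elif any(r[2] for r in usable):
            gaps.append(f"{label}: {subject} reported revoked")
    return gaps

def archive_gaps(record):
    """Check one stored invoice record against the storage list on the slide."""
    tst_time = record.get("tst_time")
    if tst_time is None:
        return ["no time-stamp token (TST) stored on the signature"]
    return (check_path("signer", record.get("signer_path", []),
                       record.get("signer_revocation", []), tst_time)
            + check_path("TST", record.get("tst_path", []),
                         record.get("tst_revocation", []), tst_time))

def sample_record():
    """Constructed sample: issuer names and dates are made up."""
    d = lambda y, m=1, day=1: datetime(y, m, day)
    return {
        "tst_time": d(2006, 4, 3),
        "signer_path": [("Invoice Issuer Ltd", "Example CA", d(2005), d(2008)),
                        ("Example CA", "Example CA", d(2000), d(2020))],
        "signer_revocation": [("Invoice Issuer Ltd", d(2006, 4, 4), False)],
        "tst_path": [("Example TSA", "Example TSA CA", d(2005), d(2010)),
                     ("Example TSA CA", "Example TSA CA", d(2000), d(2020))],
        "tst_revocation": [("Example TSA", d(2006, 4, 4), False)],
    }
```
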
16. Facts
Ensuring stored invoices are long-term valid depends on both organisational and technical measures
Depending on the trust level of the organisation, additional technical measures should be applied
17. Resume
Requirements for e-signatures for e-invoices are clarified (incl. electronic seals)
Certificate extensions proposed to ease the processing of the signatures on e-invoices
Clarified verification process
18. Q&A
Georg Lindsberger
CEN/ISS EUROPEAN WORKSHOP
April 2006, Brussels