ETSI TS 119 101 provides general security and policy requirements for applications for signature creation, validation and augmentation.

The present document is primarily relevant to the following actors:

• Implementers and providers of applications for signature creation, signature validation and/or signature augmentation, who need to ensure that relevant requirements are covered.
• Actors that integrate applications for signature creation, signature validation and/or signature augmentation components with business process software (or use standalone software), who want to ensure proper functioning of the overall signature creation/validation/augmentation process and that the signature creation/validation is done in a sufficiently secure environment.

The present document is applicable to these actors, and their evaluators (for a self-evaluation or an evaluation by a third party) to have a list of criteria against which to check the implementation.

The requirements cover applications for signature creation, signature validation and/or signature augmentation, i.e. the implementation and provision of the Signature Creation/Validation/Augmentation Application modules (SCA/SVA/SAA), the driving application (DA), the communication between the SCA and the signature creation device (SCDev) and the environment in which the SCA/SVA/SAA is used. It also specifies user interface requirements, while the user interface can be part of the SCA/SVA/SAA or of the DA which calls the SCA/SVA/SAA. Any entity using SCA/SVA/SAA components in its business process acts as driving application.

The document covers:

• Legal driven policy requirements.
• Information security (management system) requirements.
• Signature creation, signature validation and signature augmentation processes requirements.
• Development and coding policy requirements.
• General requirements.

Protection Profiles (PP) for signature creation applications and signature validation applications are out of scope and are defined in the CEN standard "Protection Profiles for Signature Creation & Validation Applications" [i.9]. General requirements for trust service providers are provided in ETSI EN 319 401 [i.24]. Requirements for trust service providers providing signature creation or validation services are out of scope. Requirements on trust service providers providing signature creation services are to be defined in ETSI TS 119 431 [i.22], with CEN EN 419 241 [i.21] defining requirements for a remote signature creation device. Requirements on trust service providers providing signature validation services are to be defined in ETSI TS 119 441 [i.23].