Information and documentation - Trusted third party repository for digital records

ISO/TR 17068:2012 details the authorized custody services of a Trusted Third Party Repository (TTPR) in order to ensure provable integrity and authenticity of the clients' digital records and serve as a source of reliable evidence.
It describes the services and processes to be provided by a TTPR for the clients' digital records during the retention period, to ensure trust. It also details the criteria of "trustworthiness" and the particular requirements of TTPR services, hardware and software systems, and management.
ISO/TR 17068:2012 has the limitation that the authorized custody of the stored records is between only the third party and the client.

Information et documentation -- Référentiel tiers de confiance pour les enregistrements électroniques

Informatika in dokumentacija - Repozitorij za digitalne zapise zaupanja vredne tretje strani

This Technical Report describes in detail the authorized custody services of a trusted third party repository (TTPR), which ensures provable integrity and authenticity of clients' digital records and serves as a source of reliable evidence. It describes the services and procedures that the trusted third party repository provides for clients' digital records during the mandatory retention period and that ensure trust. It also details the criteria of "trustworthiness" and the particular requirements for the services, software and hardware, and management of the trusted third party repository. This Technical Report is limited in that the authorized custody of the stored records is governed only by the third party and the client.

General Information

Status: Withdrawn
Publication Date: 06-Jun-2013
Withdrawal Date: 26-Jul-2018
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 27-Jul-2018
Due Date: 19-Aug-2018
Completion Date: 27-Jul-2018

Technical report
ISO/TR 17068:2012 - Information and documentation - Trusted third party repository for digital records
English language
31 pages
Technical report
TP ISO/TR 17068:2013
English language
37 pages

Standards Content (Sample)


TECHNICAL REPORT ISO/TR 17068
First edition, 2012-11-01
Information and documentation - Trusted third party repository for digital records
Information et documentation — Référentiel tiers de confiance pour les enregistrements électroniques
© ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any
means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the
address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Overview of a TTPR
3.1 Necessity for a TTPR
3.2 Requirements for trustworthiness
3.3 TTPR components
3.4 Characteristics of a TTPR
4 TTPR services
4.1 Service procedure
4.2 TTPR service contracts
4.3 TTPR services
5 System requirements
5.1 General
5.2 Digital record repository system
5.3 Transmitter-receiver system
5.4 Network system
5.5 Time-stamping system
5.6 Trail management system
5.7 Security system of network system
5.8 Access control equipment
5.9 Disaster protection facility
5.10 System for certificate issuance and validation of digital record
5.11 Backup system
5.12 Remote repository system
6 Management requirements
6.1 General
6.2 Client management
6.3 Administrator’s role and authority management
6.4 Network and security management
6.5 Digital record management
6.6 Management of transmitted and received messages
6.7 Audit record management
6.8 Data backup and recovery management
6.9 Security management
6.10 Migration and receipt management
6.11 Client system management
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from
that which is normally published as an International Standard (“state of the art”, for example), it may
decide by a simple majority vote of its participating members to publish a Technical Report. A Technical
Report is entirely informative in nature and does not have to be reviewed until the data it provides are
considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 17068 was prepared by Technical Committee ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.

Introduction
As digital records are the inevitable by-products of various business activities in electronic and/or
digital systems, there is an increasing need to secure the legal admissibility of digital records during
their period of retention. It is internationally agreed that “digital records shall not be denied validity or
enforceability of legal recognition by reason of their format alone” 1). Despite this, it may be very difficult
for an organization to assert that its digital records are authentic and able to act as effective evidence
of business action over a long period. In many cases legal admissibility of digital records managed by
organizations’ records systems may not be ensured. As a result, there is a growing need for certification
services for digital records by neutral third parties.
In order to protect digital records from business disputes during the period they are required for
sustaining legal obligation and ongoing retention, it is essential to ensure that the authenticity, reliability
and integrity of digital records endures.
Digital signatures are a well-known means of maintaining the integrity of digital records. However, as a
digital signature can only ensure integrity within its validity time (generally one to two years or less),
most digitally signed records cannot ensure their integrity for longer than this validity time. As a result,
it may be very difficult for an individual record system to prove the integrity of their digital records for
the period of retention obligation, where this is longer than the validity period of the digital signature.
A possible solution can be provided by a Trusted Third Party Repository (TTPR) service.
A TTPR is defined as a set of services, systems and personnel that ensure that digital records, entrusted
to it by a client, remain and can be asserted to be reliable and authentic, with the aim of providing
reliable access to managed digital records to its clients for the period of obligation for retention. A TTPR
for digital records should provide trustworthy services for clients, which can be examined by interested
parties (i.e. inspector, auditor, evaluator). These TTPR services are helpful to identify the evidence
admissibility of clients’ digital records as a source of evidence.
This Technical Report describes the specific requirements for the trustworthy services provided by a
TTPR. Its main purpose is to ensure that digital records can retain the relevant evidence and information
in an ensured and trusted manner during the required period of retention.
1) UNCITRAL 200t, United Nations Convention on the Use of Electronic Communication in International Contracts.
1 Scope
This Technical Report details the authorized custody services of a Trusted Third Party Repository
(TTPR) in order to ensure provable integrity and authenticity of the clients’ digital records and serve as
a source of reliable evidence.
It describes the services and processes to be provided by a TTPR for the clients’ digital records during
the retention period, to ensure trust. It also details the criteria of “trustworthiness” and the particular
requirements of TTPR services, hardware and software systems, and management.
This Technical Report has the limitation that the authorized custody of the stored records is between
only the third party and the client.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
client
individual or organization that contracts with the TTPR and obtains permission to use the TTPR services
2.2
client system
hardware and software used by a client to use the service provided by the TTPR
2.3
digital record
information in any format created, received and maintained by digital means, used as evidence and
information by an organization or person, in pursuance of legal obligations or in the transaction of business
NOTE Adapted from ISO 15489-1:2001.
2.4
digital signature
data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit
to prove the source and i
...


SLOVENIAN STANDARD
01 July 2013
Informatika in dokumentacija - Repozitorij za digitalne zapise zaupanja vredne tretje strani
Information and documentation - Trusted third party repository for digital records
Information et documentation -- Référentiel tiers de confiance pour les enregistrements électroniques
This Slovenian standard is identical to: ISO/TR 17068:2012
ICS: 01.140.20 Information sciences
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

