Network Working Group                                          C. Wallace
Request for Comments: 4810                           Cygnacom Solutions
Category: Informational                                      U. Pordesch
                                                 Fraunhofer Gesellschaft
                                                             R. Brandner
                                                   InterComponentWare AG
                                                              March 2007
Long-Term Archive Service Requirements
Status of This Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
There are many scenarios in which users must be able to prove the existence of data at a specific point in time and be able to demonstrate the integrity of data since that time, even when the duration from time of existence to time of demonstration spans a large period of time. Additionally, users must be able to verify signatures on digitally signed data many years after the generation of the signature. This document describes a class of long-term archive services to support such scenarios and the technical requirements for interacting with such services.
Table of Contents
1. Introduction
2. Terminology
3. General Principles
4. Technical Requirements
   4.1. Enable Submission, Retrieval, and Deletion of Archived Data Objects
        4.1.1. Functional Requirements
        4.1.2. Rationale
   4.2. Operate in accordance with a long-term archive policy
        4.2.1. Functional Requirements
        4.2.2. Rationale
   4.3. Enable Management of Archived Data Objects
        4.3.1. Functional Requirements
        4.3.2. Rationale
   4.4. Provide Evidence Records that Support Demonstration of Data Integrity
        4.4.1. Functional Requirements
        4.4.2. Rationale
   4.5. Support Data Confidentiality
        4.5.1. Functional Requirements
        4.5.2. Rationale
   4.6. Provide Means to Transfer Data and Evidence from One Service to Another
        4.6.1. Functional Requirements
        4.6.2. Rationale
   4.7. Support Operations on Groups of Data Objects
        4.7.1. Functional Requirements
        4.7.2. Rationale
5. Operational Considerations
6. Security Considerations
7. Acknowledgements
8. Informative References
Appendix A. Application Scenarios
   A.1. Archive Service Supporting Long-Term Non-Repudiation
   A.2. Pure Long-Term Non-Repudiation Service
   A.3. Long-Term Archive Service as Part of an Internal Network
   A.4. Long-Term Archive External Service
1. Introduction
Digital data durability is undermined by continual progress and change on a number of fronts. The useful lifetime of data may exceed the life span of formats and mechanisms used to store the data. The lifetime of digitally signed data may exceed the validity periods of public-key certificates used to verify signatures or the cryptanalysis period of the cryptographic algorithms used to generate the signatures, i.e., the time after which an algorithm no longer provides the intended security properties. Technical and operational means are required to mitigate these issues. A solution must address issues such as storage media lifetime, disaster planning, advances in cryptanalysis or computational capabilities, changes in software technology, and legal issues.
A long-term archive service aids in the preservation of data over long periods of time through a regimen of technical and procedural mechanisms designed to support claims regarding a data object. For example, it might periodically perform activities to preserve data integrity and the non-repudiability of data existence by a particular point in time or take actions to ensure the availability of data. Examples of periodic activities include refreshing time stamps or transferring data to a new storage medium.
A long-term archive service may be used to provide evidence that supports validation of the existence of documents or assertions of agreements that were originally asserted with digital signatures. Validation may occur at times in the future well beyond the validity period of the private key originally used to generate the signature, or even beyond the time when the algorithms available for digital signatures, message digesting, or data encryption cease to offer effective protection because of improvements in computing speeds and methods.
A long-term archive service may be located within an enterprise network, communicating with local storage mechanisms and other applications, or a long-term archive service may be implemented as an external service accessible via the Internet. A long-term archive service may use functionality, e.g., time stamping, provided by independent service providers.
A primary goal of a long-term archive service is to support the credible assertion of a claim that is currently asserted, at points well into the future. A long-term archive service may support a range of applications, including: wills, land records, medical data, criminal case files, personnel files, and contracts. A long-term archive service may be used by any type of entity, e.g., organizations, citizens, notaries. Examples of long-term archive service usage by submitters include:
- A company stores contracts using a third party service.
- A hospital stores medical data using an internal service.
- An individual wants to generate evidence of data possession at a particular point in time, e.g., for intellectual property purposes or endorsement of a contract.
- A law enforcement officer wants to store criminal data such that integrity of the data can be demonstrated years later.
For each of the above examples, there is a corresponding example involving retrievers, e.g., a company retrieves a contract in the case of a dispute or a law enforcement officer prepares information for a criminal trial.
This document addresses the technical requirements for a long-term archive service.
2. Terminology
We define the following terms based on their usage in the archiving community, in order to provide a vocabulary for describing requirements and the standards around them.
Arbitrator: Principal for whom the validity of archived data characteristics, e.g., origin, integrity or time of existence, must be demonstrated.
Archival Period: The period during which an archived data object is preserved by a long-term archive service.
Archived Data Object: Data unit to be preserved by a long-term archive service.
Archive Package: Collection of information including archived data objects and associated Evidence Record.
Cryptographic Maintenance Policy: A set of rules that defines how to maintain the validity of digitally signed objects should one of the hash or asymmetric algorithms used to create a digital signature become weak, or one of the private keys used to create a digital signature be compromised or become weak.
Evidence: Information that may be used to demonstrate the validity of an archived data object or related attestations.
Evidence Record: Collection of evidence compiled for one or more archived data objects. An Evidence Record may include acknowledgements from a long-term archive service, time stamps and verification data, such as public-key certificates, revocation information, trust anchors, policy details and role information.
Long-Term Archive Policy: A set of rules that define operational characteristics of a long-term archive service.
Long-Term Archive Service (LTA): A service that is responsible for preserving data for long periods.
Modifier: Principal who modifies attributes associated with an archived data object and/or Evidence Record held by a long-term archive service.
Originator: Principal who produces, and possibly digitally signs, an archived data object. The Originator does not necessarily have any relationship with a long-term archive service or any awareness of an Evidence Record associated with the archived data object.
Retriever: Principal who retrieves archived data objects and/or Evidence Records from a long-term archive service.
Submitter: Principal who submits data objects for archiving.
Time Stamp: An attestation generated by a Time Stamping Authority (TSA) that a data item existed at a certain time. For example, [RFC3161] specifies a structure for signed time stamp tokens as part of a protocol for communicating with a TSA.
Time Stamping Authority (TSA): A trusted service that provides attestations of existence of data at particular points in time. For example, [RFC3161] defines protocol elements for interacting with a TSA.
3. General Principles
A long-term archive service may accept any type of data for preservation. The data might be in any format, whether textual data, images, documents, applications, or compound packages of multiple components. The data may be digitally signed, time stamped, encrypted, or not subject to any cryptographic processing.
A long-term archive service may preserve archived data objects as opaque collections of bytes with the primary aim of data integrity.
A long-term archive service is not required to operate upon evidence related to the content of archived data objects. Content-focused operations, including data format migration or translation, may be performed by another service. However, an LTA may incorporate support for such services.
Different long-term archive services may establish policies and procedures for archiving data objects over different lengths of time. For example, an LTA may refuse to preserve archived data objects for periods longer than 30 years. Similarly, LTAs may establish policies that limit the types of data that will be accepted for deposit by a particular LTA.
A long-term archive service provides evidence that may be used to demonstrate the existence of an archived data object at a given time and the integrity of the archived data object since that time. Additionally, the evidence identifies the LTA(s) that have participated in the preservation of the archived data object. If the archived data object itself contains digitally signed data, authentication of the signer is also possible.
A long-term archive service may be an adjunct component of a document management system. In such cases, the Evidence Record generated and maintained by the LTA is a property of data that is otherwise managed by the document management system.
4. Technical Requirements
This section describes the requirements for the protocol for accessing a long-term archive system and for the data formats associated with data preservation.
4.1. Enable Submission, Retrieval, and Deletion of Archived Data Objects
4.1.1. Functional Requirements
A long-term archive service must permit clients to request the following basic operations:
- submit data objects for archive
- retrieve archived data objects
- delete archived data objects
Following submission, the service must provide an identifier that can be used to retrieve the archived data and/or associated evidence. For example, it may be possible to retrieve archive packages by using a hash value of an archived data object. Possession of this value is not necessarily an authorization to access the associated archived data object or evidence record.
It must be possible to authenticate requests and responses, e.g., to enable LTAs to render an authorization decision. This may be accomplished by using transport security mechanisms. Requests, in particular retrieval or deletion requests, may be rejected if the requestor is not authorized. An authorization policy must be defined and observed by the long-term archive service. An LTA may disallow deletion as a matter of policy.
The format for the acknowledgements must allow the identification of the archiving provider and the participating client.
The LTA must provide an acknowledgement of the deposit that permits the submitter to confirm the correct data was accepted by the LTA. This proof need not be provided immediately.
4.1.2. Rationale
Submission, retrieval, query state, and deletion of archived data objects are necessary basic functions of a long-term archive service.
Deletion may be disallowed due to procedural difficulties in fulfilling the request. For example, an archived data object may be stored on write-once media, along with other records that are not subject to deletion.
Acknowledgements may not be provided immediately due to implementation of a grace period. A generic query state mechanism should be provided to address such situations. For example, a submission response may indicate that a submission has been accepted and a subsequent query state response may indicate a submission has completed all necessary preservation steps.
4.2. Operate in accordance with a long-term archive policy
4.2.1. Functional Requirements
A long-term archive service must operate in accordance with a long-term archive service policy that defines characteristics of the implementation of the long-term archive service. A long-term archive service policy contains several components, including:
- Archived data object maintenance policy
- Authorization policy
- Service policy
A long-term archive service policy must include specifications of the preservation activities performed for archived data objects subject to the policy. A maintenance policy should define rules for the following operational aspects: preservation activity triggers, default archival period, and default handling upon expiration of archival period.
Maintenance policies should include mechanism-specific details describing LTA operation. For example, where cryptographic mechanisms are employed, a cryptographic maintenance policy ought to be defined.
An authorization policy should define the entities permitted to exercise services provided by the LTA, including who is permitted to submit, retrieve, or manage specific archived data objects.
A service policy defines the types of services provided by an LTA, including acceptable data types, description of requests that may be accepted, and deletion procedures.
Policies must be unambiguously identified, e.g., by an object identifier. Alternatively, an LTA may support a protocol that permits clients to specify policy parameters explicitly instead of by reference to a policy.
A long-term archive service must be able to provide information identifying the policies relevant for a given archived data object.
4.2.2. Rationale
Similar to certificate policies [RFC3647], which are identified using object identifiers, a long-term archive policy provides a shorthand means of technically identifying a set of rules that govern the operation of a long-term archive service.
Over the course of many years, the policies under which an LTA operates may undergo modification. Thus, an evidence record may feature multiple indications of policies active at various points during the life of an archived data object.
4.3. Enable Management of Archived Data Objects
4.3.1. Functional Requirements
A long-term archive service must permit clients to request the following basic operations:
- specify an archival period for submitted data objects
- extend or shorten the archival period for an archived data object
- specify metadata associated with an archived data object
- specify an archive policy under which the submitted data should be handled
It should be possible to express an archival period in terms of time, an event or a combination of time and event.
Submitters should be able to specify metadata that, for example, can be used to enable retrievers to render the data correctly, to locate data in an archive or to place data in a particular context. Examples include classification codes, type of format, contributors, title, author, and date. Alternatively, such information may be included in the content of an archived data object.
If a long-term archive service does not support a requested policy, it must return an error indication. A service must provide an indication of the archive policy enforced by the service.
4.3.2. Rationale
Submission, retrieval, and deletion of archived data objects are necessary basic functions of a long-term archive service.
Specification and management of the archival period is necessary to avoid unnecessary preservation activities.
4.4. Provide Evidence Records that Support Demonstration of Data Integrity
4.4.1. Functional Requirements
A long-term archive service must be capable of providing evidence that can be used to demonstrate the integrity of data for which it is responsible, from the time it received the data until the expiration of the archival period of the data.
This may be achieved by providing evidence records that support the long-term non-repudiation of data existence at a point in time, e.g., in the case of legal disputes. The evidence record should contain sufficient information to enable the validity of an archived data object's characteristics to be demonstrated to an arbitrator. The characteristics subject to verification will vary. For example, authentication of an originator may not be possible in all cases, e.g., where the object submitted to the archive is not signed or where the object does not include the necessary information to authenticate the object's signer.
Evidence records must be structured such that modifications to an archived data object or its evidence record can be detected, including modifications made by administrators of an LTA.
4.4.2. Rationale
Supporting non-repudiation of data existence, integrity, and origin is a primary purpose of a long-term archive service. Evidence may be generated, or otherwise obtained, by the service providing the evidence to a retriever. A long-term archive service need not be capable of providing all evidence necessary to produce a non-repudiation proof, and in some cases, should not be trusted to provide all necessary information. For example, trust anchors [RFC3280] and algorithm security policies should be provided by other services. An LTA that is trusted to provide trust anchors could forge an evidence record verified by using those trust anchors.
Demonstration that data has not been altered while in the care of a long-term archive service is a first step towards supporting non-repudiation of data. Certification services support cases in which data must be modified, e.g., translation or format migration. An LTA may provide certification services.
4.5. Support Data Confidentiality
4.5.1. Functional Requirements
A long-term archive service must provide means to ensure confidentiality of archived data objects, including confidentiality between the submitter and the long-term archive service. An LTA must provide a means for accepting encrypted data such that future preservation activities apply to the original, unencrypted data. Encryption, or other methods of providing confidentiality, must not pose a risk to the associated evidence record.
A long-term archive service should maintain contact information for the parties responsible for each archived data object so warning messages can be sent when encryption algorithms require maintenance.
4.5.2. Rationale
Individuals may wish to use the services of a commercial long-term service without disclosing data to the commercial service. However, access to the original data may be necessary to perform some preservation activities.
4.6. Provide Means to Transfer Data and Evidence from One Service to Another
4.6.1. Functional Requirements
It must be possible to submit data along with previously generated evidence, i.e., to support transfer of data from one archive to another. A long-term archive service must support the transfer of archived data objects, evidence and evidence records from one service to another. It must be possible for evidence records to span multiple providers over the course of time, without losing value as evidence.
4.6.2. Rationale
Before the end of an archived data object's archival period, a long-term archive service may cease operation. In such cases, it must be possible for the archived data object (and any associated evidence) to be transferred to another service that will continue preservation of the data until the end of the archival period.
Submitters may change service providers before the end of an archived data object's archival period. In such cases, it must be possible for the submitter to transfer an archived data object and all associated evidence from the original LTA to a new LTA.
4.7. Support Operations on Groups of Data Objects
4.7.1. Functional Requirements
An LTA should support submission of groups of data objects. Submitters should be able to indicate which data objects belong together, i.e., comprise a group, and retrievers should be able to retrieve one, some or all members of a group of data objects.
It should be possible to provide evidence for groups of archived data objects. For example, it should be possible to archive a document file and a signature file together such that they are covered by the same evidence record.
Where an LTA operates upon groups of data objects, non-repudiation proof must still be available for each archived data object separately.
4.7.2. Rationale
In many cases data objects belong together. Examples include:
- a document file and an associated signature file, which are two separate objects
- TIF-files representing pages of a document
- a document file and an evidence file (possibly generated by another LTA)
- a document and its translation to another format or language
In these cases, it is to the best advantage to handle these data objects as a group.
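As an added illustration of Sections 4.4 and 4.7 (and of the note in Section 5 that a weakened hash algorithm forces the archived data to be re-read), not code from RFC 4810 or from any LTANS specification: a hash tree lets one time stamp cover a whole group of objects while each object keeps its own separately verifiable evidence record, any change to an object, its reduced tree or the time stamp is detected, and a renewal binds each old record into a new tree under a stronger algorithm. The TSA is a constructed HMAC stand-in (`TSA_KEY`, `tsa_stamp`, `tsa_check`) and the sample objects are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a Time Stamping Authority: a shared HMAC key.
# Assumption for this demo only; a real LTA would obtain RFC 3161 signed
# time stamp tokens from a TSA rather than compute a MAC itself.
TSA_KEY = b"constructed-tsa-demo-key"


def h(algo, *parts):
    """Digest of the concatenated parts using the named hash algorithm."""
    m = hashlib.new(algo)
    for part in parts:
        m.update(part)
    return m.digest()


def tsa_stamp(algo, root, when):
    """Constructed TSA attestation binding one tree root to a point in time."""
    msg = algo.encode() + root + when.encode()
    mac = hmac.new(TSA_KEY, msg, "sha256").hexdigest()
    return {"algo": algo, "root": root.hex(), "time": when, "mac": mac}


def tsa_check(stamp):
    """Verify the constructed attestation (stand-in for signature checking)."""
    msg = stamp["algo"].encode() + bytes.fromhex(stamp["root"]) + stamp["time"].encode()
    expect = hmac.new(TSA_KEY, msg, "sha256").hexdigest()
    return hmac.compare_digest(expect, stamp["mac"])


def build_tree(leaves, algo):
    """All levels of a binary hash tree: level 0 is the leaves, the last is [root].
    The last node of an odd-sized level is paired with itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([h(algo, cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def audit_path(levels, index):
    """Reduced hash tree for one leaf: the sibling (and its side) at each level."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        path.append(("L" if sib < index else "R", level[sib].hex()))
        index //= 2
    return path


def archive_group(objects, algo, when):
    """Archive a group (Section 4.7): one time stamp over the group root, plus a
    separate evidence record per object holding only that object's reduced tree."""
    levels = build_tree([h(algo, obj) for obj in objects], algo)
    stamp = tsa_stamp(algo, levels[-1][0], when)
    return [{"algo": algo, "path": audit_path(levels, i), "stamp": stamp}
            for i in range(len(objects))]


def verify(obj, record):
    """Recompute the leaf, climb the reduced tree and check the stamp (Section 4.4).
    Any change to the object, the path or the time stamp breaks the chain."""
    algo = record["algo"]
    node = h(algo, obj)
    for side, sib in record["path"]:
        sib = bytes.fromhex(sib)
        node = h(algo, sib, node) if side == "L" else h(algo, node, sib)
    stamp = record["stamp"]
    return stamp["algo"] == algo and node.hex() == stamp["root"] and tsa_check(stamp)


def renew_hash_tree(objects, records, new_algo, when):
    """Hash tree renewal once the old algorithm is no longer trusted. The data
    must be re-read (Section 5) and each old record is bound into the new leaf,
    so the earlier time stamp remains evidence for the earlier period."""
    combined = [obj + json.dumps(rec, sort_keys=True).encode()
                for obj, rec in zip(objects, records)]
    renewed = archive_group(combined, new_algo, when)
    for new, old in zip(renewed, records):
        new["previous"] = old
    return renewed


def verify_renewed(obj, record):
    """Walk the chain of records, newest first; each must verify over obj||older."""
    old = record.get("previous")
    if old is None:
        return verify(obj, record)
    combined = obj + json.dumps(old, sort_keys=True).encode()
    return verify(combined, record) and verify_renewed(obj, old)
```

Time stamp renewal alone (re-stamping the old record without touching the data) is enough while only the TSA key or certificate ages; hash tree renewal as above is needed when the leaf hash algorithm itself weakens.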
5. Operational Considerations
A long-term archive service must be able to work efficiently even for large amounts of archived data objects. In order to limit expenses and to achieve high performance, it may be desirable to minimize the use of trusted third parties, e.g., LTA operations should be designed to limit the number of time stamps required to provide the desired level of service.
The need to access archived data objects should be minimized. It may only be necessary to access the archived data objects if the archived data objects are requested by users, or if the hash algorithms used for indexing or evidence record generation become insecure.
An LTA must be capable of operating in accordance with any applicable legal regime. For example, an LTA may be required to reject a deletion request from an authorized requestor if the target of the request has been subpoenaed by law enforcement authorities.
Some applications may require processing of a chain of archive policies present in an evidence record, e.g., to ensure that compatible policies were used throughout the lifetime of the archived data objects.
Data is the principal asset protected by a long-term archive service. The principle threat that must be addressed by a long-term archive service is an undetected loss of data integrity.
数据是受长期存档服务保护的主要资产。长期存档服务必须解决的主要威胁是未检测到的数据完整性丢失。
In cases where signature verification relies on a PKI, certificate revocation could retroactively invalidate previously verified signatures. An LTA may implement measures to support such claims by an alleged signer, e.g., collection of revocation information after a grace period during which compromise can be reported or preservation of subsequent revocation information.
在签名验证依赖PKI的情况下,证书撤销可能会使以前验证的签名追溯失效。LTA可采取措施支持被指控签名人的此类索赔,例如,在宽限期后收集撤销信息,在此宽限期内可以报告妥协或保留后续撤销信息。
When selecting access control mechanisms associated with data stored by a LTA, the lifespan of the archived data object should be considered. For example, the credentials of an entity that submitted data to an archive may not be available or valid when the data needs to be retrieved.
选择与LTA存储的数据相关联的访问控制机制时,应考虑归档数据对象的使用寿命。例如,当需要检索数据时,向存档提交数据的实体的凭据可能不可用或无效。
During the lifespan of an archived data object, formats may cease to be supported. Software components to process data, including content or signatures, may no longer be available. This could be a problem particularly if non-standard formats are used or proprietary processing is employed. The submitter should take care to avoid such problems. For example, the submitter (or other authorized entity) could periodically retrieve data, convert the data, and re-submit it in a new format. Additional mechanisms, applications, or tools may be needed to preserve the value of evidence records associated with the original archived data object.
A long-term archive system may require correlation of different identities that represent the same entity at different points in time. For example, an individual's identity may be represented by different employers at different points in time.
A long-term archive system must perform maintenance activities on a schedule that considers factors such as the strength of relevant cryptographic algorithms, lifespan of relevant certification authorities, and revocation status of relevant entities, e.g., timestamp authorities. Standards for use of cryptographic algorithms are expected to be established by organization or governmental bodies, not by individual LTAs.
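To show what such a maintenance schedule looks like in practice, here is an added example that is not part of RFC 4810 and not the code of any LTA: it builds a chained evidence record, renews it before the hash algorithm or the timestamp authority's certificate can no longer be relied on, and verifies the chain. The timestamp authority is simulated with an HMAC under a constructed key, the algorithm sunset dates, the TSA certificate expiry and the renewal margin are constructed policy inputs, and the record layout is an assumption made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed stand-in for a timestamp authority: a real LTA would obtain
# RFC 3161 tokens; here a "token" is an HMAC under a demo key (assumption).
TSA_KEY = b"constructed-demo-tsa-key"

# Assumed policy inputs: the date after which each hash algorithm may no
# longer be relied on, the TSA certificate's expiry, and how far ahead of
# either event a renewal must happen. All dates are constructed examples.
HASH_SUNSET = {"sha1": datetime(2012, 1, 1), "sha256": datetime(2040, 1, 1)}
TSA_CERT_EXPIRY = datetime(2015, 6, 1)
RENEWAL_MARGIN = timedelta(days=180)


def _token(digest: bytes, when: datetime, hash_name: str) -> dict:
    """Simulated timestamp token binding a digest to a time."""
    body = {"digest": digest.hex(), "hash": hash_name, "time": when.isoformat()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {**body, "mac": hmac.new(TSA_KEY, payload, "sha256").hexdigest()}


def _chain_digest(data: bytes, prior: list, hash_name: str) -> bytes:
    """Digest over the data and every earlier token.

    Each renewal covers the whole history, so an older algorithm only has to
    have been strong at the time it was used, not for the life of the record.
    """
    h = hashlib.new(hash_name)
    h.update(data)
    h.update(json.dumps(prior, sort_keys=True).encode())
    return h.digest()


def initial_evidence(data: bytes, when: datetime, hash_name: str = "sha1") -> list:
    """Create the first token of an evidence record for an archived object."""
    return [_token(_chain_digest(data, [], hash_name), when, hash_name)]


def renew(evidence: list, data: bytes, when: datetime, hash_name: str) -> list:
    """Append a fresh token, typically with a stronger hash, over data + history."""
    evidence.append(_token(_chain_digest(data, evidence, hash_name), when, hash_name))
    return evidence


def next_renewal(last_hash: str) -> datetime:
    """Latest safe date to renew: before the earlier of hash sunset and TSA expiry."""
    return min(HASH_SUNSET[last_hash], TSA_CERT_EXPIRY) - RENEWAL_MARGIN


def verify(evidence: list, data: bytes) -> bool:
    """Check every token's MAC, its chained digest, and that it was issued
    while its hash algorithm was still acceptable."""
    for i, tok in enumerate(evidence):
        body = {k: tok[k] for k in ("digest", "hash", "time")}
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(TSA_KEY, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, tok["mac"]):
            return False
        if _chain_digest(data, evidence[:i], tok["hash"]).hex() != tok["digest"]:
            return False
        if datetime.fromisoformat(tok["time"]) >= HASH_SUNSET[tok["hash"]]:
            return False
    return True
```

Usage: `ev = initial_evidence(obj, datetime(2008, 3, 1))` followed by `renew(ev, obj, next_renewal("sha1"), "sha256")` produces a two-token record that `verify(ev, obj)` accepts; a token issued after its algorithm's sunset, or any change to the data or to an earlier token, makes `verify` return `False`. The point the schedule makes is that renewal is driven by the policy dates, not by the archive's own judgement of algorithm strength.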
Thanks to members of the LTANS mailing list for review of earlier drafts and many suggestions. In particular, thanks to Larry Masinter, Denis Pinkas, and Peter Sylvester for review and suggestions.
[RFC3161] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato, "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)", RFC 3161, August 2001.
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.
[RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S. Wu, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework", RFC 3647, November 2003.
Below are several example application scenarios demonstrating one or more of the basic service features mentioned above.
A long-term archive service may store data objects, such as signed or unsigned documents, for authenticated users. It may generate time stamps for these data objects and obtain verification data during the archival period or until a deletion request is received from an authorized entity.
A long-term archive service may only guarantee non-repudiation of existence of data by periodically generating time stamps and obtaining verification data. It stores data objects (e.g., documents and signatures) locally only for the purpose of non-repudiation and does not function as a document archive for users. It does not support retrieval and deletion of data objects.
A long-term archive service may be part of an enterprise network. The network provider and archive service may be part of the same institution. In this case, the service should obtain non-repudiation evidence from a third party, since an internally generated acknowledgement may be viewed as worthless.
A long-term archive service may be provided over the Internet for enterprises or consumers. In this case, archiving and providing evidence (via time stamps or other means) may be performed by one organization using its own technical infrastructure, without using external services.
Authors' Addresses
Carl Wallace Cygnacom Solutions Suite 5200 7925 Jones Branch Drive McLean, VA 22102
Fax: +1(703)848-0960 EMail: cwallace@cygnacom.com
Ulrich Pordesch Fraunhofer Gesellschaft Rheinstrasse 75 Darmstadt, Germany D-64295
EMail: ulrich.pordesch@zv.fraunhofer.de
Ralf Brandner InterComponentWare AG Otto-Hahn-Straße 3 Walldorf, Germany 69190
EMail: ralf.brandner@intercomponentware.com
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.