GB/T 42745-2023 Information and documentation - Trusted third party repository for digital records
1 Scope
This document specifies requirements for a trusted third party repository (TTPR) to support the authorized custody service in order to safeguard provable integrity and authenticity of clients’ digital records and serve as a source of reliable evidence.
This document is applicable to retention or repository services for digital records as a source of evidence during the retention periods of legal obligation in both the private and the public sectors.
This document has the limitation that the authorized custody of the stored records is between only the TTPR and the client.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300 Information and documentation - Management systems for records - Fundamentals and vocabulary
ISO 30301 Information and documentation - Management system for records - Requirements
ISO 30302 Information and documentation - Management systems for records - Guidelines for implementation
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
authenticity certificate
document issued to authenticate the digital record in the TTPR
3.2
authenticated copy
digital copy of a digital record (3.5) for which authenticity has been verified before
3.3
client
individual or organization that has an agreement with the TTPR (3.15)
3.4
client system
hardware and software used by a client to use the service provided by the TTPR (3.15)
3.5
digital record
information in any format created, received and maintained by digital means, used as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business, which is packaged with necessary data for submission, dissemination, and archive
[SOURCE: GB/T 26162-2021, 3.14, modified]
3.6
digital signature
data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the digital record to prove integrity of the digital record (3.5)
Note: A data unit is a binary block created cryptographically from original data record.
[SOURCE: GB/T 9387.2-1995, 3.3.26, modified]
3.7
information package
digital record (3.5) and associated description information which is needed to aid in the identification and operation for the authentic and reliable digital records, consisting of the digital record, creator’s digital signature (3.6) and/or a TTPR (3.15) or third party’s timestamp, and the associated preservation description information
Note 1: The information package has associated packaging information used to delimit and identify the digital record and description information of operation such as submission, preservation or dissemination for the authentic and reliable records.
Note 2: See ISO 14721.
3.8
process
series of actions or events taking place in a defined manner leading to the provision of TTPR services (3.16)
3.9
public key certificate
public key of a user, together with some other information, rendered unforgeable by digital signature (3.6) with the private key of the certification authority which issued it
Note: Public key certificates are issued and signed by a certification authority (CA). The entity that receives a certificate from a CA is the subject of that certificate.
3.10
service level agreement; SLA
written agreement between a service provider and a client that documents services and agreed service levels
[SOURCE: GB/T 34405.1-2009, 3.29, modified]
3.11
system
hardware and software of the TTPR (3.15)
3.12
trusted archival information package; TAIP
information package (3.7) which is preserved in a TTPR (3.15) after verification of TSIP (3.14)
3.13
trusted dissemination information package; TDIP
information package (3.7), derived from one or more TAIPs (3.12), received by a client in response to a request to a TTPR (3.15)
3.14
trusted submission information package; TSIP
information package (3.7) that is delivered by a client to a TTPR (3.15) with creator’s and/or sender’s digital signature (3.6) and a TTPR or third party’s timestamp, delivering the time and information of the sender
Note: Herein, the digital signature is prepared using the public key certificate (3.9) and the time stamp is created in accordance with the time stamping module provided by a TTPR.
[SOURCE: ISO/TR 17068:2017, 3.14]
3.15
trusted third party repository; TTPR
third party’s qualified retention service that ensure that the digital records (3.5) entrusted to it by a client remain and are asserted to be reliable and authentic
Note: This has the goal of providing reliable access to managed digital records to its clients in the period of obligation for retention.
3.16
TTPR service
intangible product that is the result of at least one activity performed at the interface between a TTPR (3.15) and a client
[SOURCE: ISO/TR 17068:2017, 3.16]
3.17
third party
person or body that is recognized as being independent of the parties involved, as concerns the issue in question
3.18
trustworthiness
quality [of a TTPR (3.15)] of being dependable and reliable
Note: A trustworthy TTPR is trusted to deliver its services in an authentic manner by following documented policies and processes and ensuring the accuracy, reliability and authenticity of the records in the repository over time.
4 Overview of a TTPR
4.1 Necessity for a TTPR
With the development and advancement of information and communication technology (ICT) over the last two decades, the use of digital records has increased greatly. Accordingly, the number of electronic transactions carried out by individuals and organizations in their daily activities has increased. For example, in international transactions, many documents and records in digital formats are exchanged in order to initiate, process and complete transactions between importers and exporters. Banks are also involved in digital records exchanges to confirm credit or payment. In the health industry, treatment records are exchanged between clinics or patients and insurance companies; order of treatment records are exchanged between general clinics and specialized clinics. These kinds of individual or organizational transactions are very common within one sector or across several industries. During these transactions, digital records is easily copied, modified and distributed by an unauthorized person. This aspect of documents and records retained in digital formats creates the risk of alteration or forgery, and has raised awareness of the need for the secure management and transaction of digital records.
To help prevent possible risks, some countries have enacted laws and regulations requiring provable authenticity, reliability, integrity and accessibility as a precondition for legal effect and enforceability of digital records. These regulations explain the requirements for adopting secured digital records and for judging their evidential admissibility. However, these requirements only typically describe the mandatory characteristics that retained digital records need to have, regardless of an organization’s records management capability. While many organizations have implemented a records system for themselves, implementation of digital records exchange across organizations often faces a number of challenges. Individuals are also limited in their ability to comply with legal requirements for the admissibility of their digital records. This limitation might cause social problems, delay operational processes, reduce efficiency and prevent electronic exchange.
Therefore, as the exchange of secure records becomes more significant for individual and/or organizational collaboration, the social demand for a trustworthy electronic transaction environment has emerged as one of the major issues in digital environments today. Protecting information in digital records is beginning to be regarded as an indispensable precondition for operational efficiency and economic benefit in organizations across all sectors and industries.
One way of resolving this situation is to use a TTPR. A third party is an independent individual or organization that is separate from the direct interests of mutual parties, and that acts as an intermediary when two parties are exchanging digital information in a secure manner. Society and governments shall be in a position to trust the third party. To prevent any complications that can arise during electronic transactions, a TTPR operates systems and facilities and follows well-defined procedures according to the principles and guidelines for managing digital records in a secure manner. During these processes, the TTPR ensures the authenticity, reliability, integrity and usability of digital records, for the period of the agreed service. In addition, the TTPR shall provide an official source of digital records that can be admissible as evidence from a third party in the event of a dispute between parties regarding their records.
Standard
GB/T 42745-2023 Information and documentation—Trusted third party repository for digital records (English Version)
Standard No.
GB/T 42745-2023
Status
valid
Language
English
File Format
PDF
Word Count
16000 words
Price(USD)
480.0
Implemented on
2024-3-1
Delivery
via email in 1~3 business day
Detail of GB/T 42745-2023
Standard No.
GB/T 42745-2023
English Name
Information and documentation—Trusted third party repository for digital records
GB/T 42745-2023 Information and documentation - Trusted third party repository for digital records
1 Scope
This document specifies requirements for a trusted third party repository (TTPR) to support the authorized custody service in order to safeguard provable integrity and authenticity of clients’ digital records and serve as a source of reliable evidence.
This document is applicable to retention or repository services for digital records as a source of evidence during the retention periods of legal obligation in both the private and the public sectors.
This document has the limitation that the authorized custody of the stored records is between only the TTPR and the client.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300 Information and documentation - Management systems for records - Fundamentals and vocabulary
ISO 30301 Information and documentation - Management system for records - Requirements
ISO 30302 Information and documentation - Management systems for records - Guidelines for implementation
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
authenticity certificate
document issued to authenticate the digital record in the TTPR
3.2
authenticated copy
digital copy of a digital record (3.5) for which authenticity has been verified before
3.3
client
individual or organization that has an agreement with the TTPR (3.15)
3.4
client system
hardware and software used by a client to use the service provided by the TTPR (3.15)
3.5
digital record
information in any format created, received and maintained by digital means, used as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business, which is packaged with necessary data for submission, dissemination, and archive
[SOURCE: GB/T 26162-2021, 3.14, modified]
3.6
digital signature
data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the digital record to prove integrity of the digital record (3.5)
Note: A data unit is a binary block created cryptographically from original data record.
[SOURCE: GB/T 9387.2-1995, 3.3.26, modified]
3.7
information package
digital record (3.5) and associated description information which is needed to aid in the identification and operation for the authentic and reliable digital records, consisting of the digital record, creator’s digital signature (3.6) and/or a TTPR (3.15) or third party’s timestamp, and the associated preservation description information
Note 1: The information package has associated packaging information used to delimit and identify the digital record and description information of operation such as submission, preservation or dissemination for the authentic and reliable records.
Note 2: See ISO 14721.
3.8
process
series of actions or events taking place in a defined manner leading to the provision of TTPR services (3.16)
3.9
public key certificate
public key of a user, together with some other information, rendered unforgeable by digital signature (3.6) with the private key of the certification authority which issued it
Note: Public key certificates are issued and signed by a certification authority (CA). The entity that receives a certificate from a CA is the subject of that certificate.
3.10
service level agreement; SLA
written agreement between a service provider and a client that documents services and agreed service levels
[SOURCE: GB/T 34405.1-2009, 3.29, modified]
3.11
system
hardware and software of the TTPR (3.15)
3.12
trusted archival information package; TAIP
information package (3.7) which is preserved in a TTPR (3.15) after verification of TSIP (3.14)
3.13
trusted dissemination information package; TDIP
information package (3.7), derived from one or more TAIPs (3.12), received by a client in response to a request to a TTPR (3.15)
3.14
trusted submission information package; TSIP
information package (3.7) that is delivered by a client to a TTPR (3.15) with creator’s and/or sender’s digital signature (3.6) and a TTPR or third party’s timestamp, delivering the time and information of the sender
Note: Herein, the digital signature is prepared using the public key certificate (3.9) and the time stamp is created in accordance with the time stamping module provided by a TTPR.
[SOURCE: ISO/TR 17068:2017, 3.14]
3.15
trusted third party repository; TTPR
third party’s qualified retention service that ensure that the digital records (3.5) entrusted to it by a client remain and are asserted to be reliable and authentic
Note: This has the goal of providing reliable access to managed digital records to its clients in the period of obligation for retention.
3.16
TTPR service
intangible product that is the result of at least one activity performed at the interface between a TTPR (3.15) and a client
[SOURCE: ISO/TR 17068:2017, 3.16]
3.17
third party
person or body that is recognized as being independent of the parties involved, as concerns the issue in question
3.18
trustworthiness
quality [of a TTPR (3.15)] of being dependable and reliable
Note: A trustworthy TTPR is trusted to deliver its services in an authentic manner by following documented policies and processes and ensuring the accuracy, reliability and authenticity of the records in the repository over time.
4 Overview of a TTPR
4.1 Necessity for a TTPR
With the development and advancement of information and communication technology (ICT) over the last two decades, the use of digital records has increased greatly. Accordingly, the number of electronic transactions carried out by individuals and organizations in their daily activities has increased. For example, in international transactions, many documents and records in digital formats are exchanged in order to initiate, process and complete transactions between importers and exporters. Banks are also involved in digital records exchanges to confirm credit or payment. In the health industry, treatment records are exchanged between clinics or patients and insurance companies; order of treatment records are exchanged between general clinics and specialized clinics. These kinds of individual or organizational transactions are very common within one sector or across several industries. During these transactions, digital records is easily copied, modified and distributed by an unauthorized person. This aspect of documents and records retained in digital formats creates the risk of alteration or forgery, and has raised awareness of the need for the secure management and transaction of digital records.
To help prevent possible risks, some countries have enacted laws and regulations requiring provable authenticity, reliability, integrity and accessibility as a precondition for legal effect and enforceability of digital records. These regulations explain the requirements for adopting secured digital records and for judging their evidential admissibility. However, these requirements only typically describe the mandatory characteristics that retained digital records need to have, regardless of an organization’s records management capability. While many organizations have implemented a records system for themselves, implementation of digital records exchange across organizations often faces a number of challenges. Individuals are also limited in their ability to comply with legal requirements for the admissibility of their digital records. This limitation might cause social problems, delay operational processes, reduce efficiency and prevent electronic exchange.
Therefore, as the exchange of secure records becomes more significant for individual and/or organizational collaboration, the social demand for a trustworthy electronic transaction environment has emerged as one of the major issues in digital environments today. Protecting information in digital records is beginning to be regarded as an indispensable precondition for operational efficiency and economic benefit in organizations across all sectors and industries.
One way of resolving this situation is to use a TTPR. A third party is an independent individual or organization that is separate from the direct interests of mutual parties, and that acts as an intermediary when two parties are exchanging digital information in a secure manner. Society and governments shall be in a position to trust the third party. To prevent any complications that can arise during electronic transactions, a TTPR operates systems and facilities and follows well-defined procedures according to the principles and guidelines for managing digital records in a secure manner. During these processes, the TTPR ensures the authenticity, reliability, integrity and usability of digital records, for the period of the agreed service. In addition, the TTPR shall provide an official source of digital records that can be admissible as evidence from a third party in the event of a dispute between parties regarding their records.
