Semiconductor Equipment and Materials International

3081 Zanker Road

San Jose, CA 95134-2127

Phone: 408.943.6900 Fax: 408.943.7943

4845

Background Statement for SEMI Draft Document 4845

NEW STANDARD: SPECIFICATION FOR ORGANIZATION IDENTIFICATION BY DIGITAL CERTIFICATE ISSUED FROM CERTIFICATE SERVICE BODY (CSB) FOR ANTI-COUNTERFEITING TRACEABILITY IN COMPONENTS SUPPLY CHAIN

Note: This background statement is not part of the balloted item. It is provided solely to assist the recipient in reaching an informed decision based on the rationale of the activity that preceded the creation of this document.

Note: Recipients of this document are invited to submit, with their comments, notification of any relevant patented technology or copyrighted items of which they are aware and to provide supporting documentation. In this context, “patented technology” is defined as technology for which a patent has issued or has been applied for. In the latter case, only publicly available information on the contents of the patent application is to be provided.

Background Statement

The electronic component supply chain is frequently contaminated by counterfeit and tainted product. The risk of procuring contaminated goods increases when authorized (certified) distribution networks run out of product, which may occur with supply shortfalls or terminated products. In that case, purchasing policy may also force procurement from non-certified distributors. The semiconductor industry currently lacks methods to validate the integrity of goods from non-certified distributors or suppliers. SEMI T20 was formed to solve this problem.

There are different types of semiconductor devices, and their commercial distribution is diverse. For example, semiconductor devices that are sold mainly in business-to-business transactions and intended for use in automobiles and the like require measures against counterfeit products and quality traceability at the same time. Such applications are not supported in SEMI T20.

To meet these requirements, this document proposes a mechanism to be offered to users who have them.

If you have questions, please contact the Device Security Task Force: Takashi Aoki (Email: ) or SEMI Staff (Hirofumi Kanno/ )

The result of this ballot will be reviewed at the Japan Traceability Committee scheduled for April 22, 2011 at the SEMI Japan office.


SEMI Draft Document 4845

NEW STANDARD: SPECIFICATION FOR ORGANIZATION IDENTIFICATION BY DIGITAL CERTIFICATE ISSUED FROM CERTIFICATE SERVICE BODY (CSB) FOR ANTI-COUNTERFEITING TRACEABILITY IN COMPONENTS SUPPLY CHAIN

1 Purpose

1.1 Counterfeiting is a serious and growing problem in industry worldwide. Because of this problem, the risk to human life becomes extremely high when such products are used in cars and medical equipment. One effective measure is to identify all the buyers of components using a supply chain track and trace system. To identify all the buyers of components within logistics, it is necessary to specify the identification of components, container-boxes, and the organization.

1.2 This specification concerns the automation of counterfeit-component track and trace based on the X.509 certificate, and its international interoperation.

2 Scope

2.1 Common Form of the Certificate Profile — Using the X.509 certificate[1] is an effective method for identifying buyers in a supply chain track and trace system. It is important that the organization information recorded on the certificate[2] is not only correct but also enables automation of tracking. Because the profile which X.509 defines has some ambiguity, it is necessary to make the profile into a common form to enable automation of tracking.

2.2 CSB’s Accreditation Criteria — To make anti-counterfeiting track and trace truly effective, interoperation of CSBs is required. Because counterfeit components may be mixed into the international supply chain, the certificate service body (CSB) shall operate a RootCA or IssuingCA which is accredited by the “de jure” and “de facto” criteria upon approval by an international anti-counterfeiting framework (to be decided).

NOTICE: SEMI Standards and Safety Guidelines do not purport to address all safety issues associated with their use. It is the responsibility of the users of the documents to establish appropriate safety and health practices, and determine the applicability of regulatory or other limitations prior to use.

3 Referenced Standards and Documents

NOTE 1: The SEMI global Traceability Committee is developing a Specification for Traceability by Self Authentication Service Body and Authentication Service Body intended to be used in conjunction with this document.

3.1 ETSI Standards[3]

ETSI TS 101 456 — Electronic Signatures and Infrastructures (ESI); Policy Requirement for Certification Authorities Issuing Qualified Certificates

ETSI TS 102 042 — Electronic Signatures and Infrastructures (ESI); Policy Requirement for Certification Authorities Issuing Public Key Certificates

3.2 ISO Standards[4]

ISO 3166-1 — Codes for the Representation of Names of Countries and Their Subdivisions – Part 1: Country Codes

3.3 ITU Standard [5]

ITU-T Recommendation X.509 (08/05) — Information Technology – Open Systems Interconnection – The Directory: Authentication Framework

3.4 Other Documents

WebTrust for CA — CA criteria designated from many browsers[6]

NOTICE: Unless otherwise indicated, all documents cited shall be the latest published versions.

4 Terminology

4.1 Abbreviation and Acronyms

4.1.1 CA — certification authority

4.1.2 CSB[7] — certificate service body

4.1.3 TTP — trusted third party

4.2 Definitions

4.2.1 Certificate service body (CSB) — profit or nonprofit body which issues certificates.

4.2.2 IssuingCA — issues certificates to users and computers.

4.2.3 RootCA — the certification authority (CA) that is at the top of a certification hierarchy.

4.2.4 Public RootCA — RootCA whose certificate is registered into an OS or application.

4.2.5 SSL — the protocol which enciphers information and communicates on the Internet; or sends/receives exclusively encrypted information.

5 Requirements

5.1 Common Form of the Certificate Profile

5.1.1 The common form, which satisfies automation of tracking and the following requirements, is shown in Table 1 and Table 2.

5.1.1.1 The common form shall also be applicable to e-mail so that it can be used for connection to the CSB.
5.1.1.2 The common form shall be compact so that many logs can be recorded in the supply chain track and trace system.
5.1.1.3 It shall keep to a minimum the record of attribute information[8] that is easily changed, so that a certificate can be used until expiry.
5.1.1.3.1 OrganizationUnitName1 is the identifier used to search for attribute information managed by the CSB.
5.1.1.3.2 OrganizationUnitName2 is the identifier used to search for attribute information managed by the organization.

Table 1 Basic Certificate Fields

Certificate Fields / Data Type (number of characters) / Definition* / Example: For Personnel / Example: For Section/role
Subject
CountryName / Printable String (2) / Mandatory: The two-character (Latin alphabet) country code in alpha-2 of ISO 3166-1 / JP
StateName / Printable String (24) / Mandatory: Name of State, Province, etc. / Tokyo
LocalityName / Printable String (24) / Mandatory: Name of City, etc. / Minato-Ku
OrganizationName / Printable String (56) / Mandatory: Name of Organization. / JIPDEC
OrganizationUnitName1 / Printable String (32) / Mandatory: Organization number which CSB manages. Prefix OU1- is attached for automation of tracking. / OU1-1.2.392.200063.80.1.1
OrganizationUnitName2 / Printable String (16) / Mandatory: Local number which organization manages. Prefix OU2- is attached for automation of tracking. / OU2-007
CommonName / Printable String (32) / Mandatory: Subject’s real name or pseudonym or ID. Prefix PN- (personal pseudonym), BN- (business pseudonym), BO- (organization/role), or ID- is attached for automation of tracking. / BN-Smith / BO-Supply(Mngr.)
* It can use alphanumeric characters (capital letters are included), a period, and parentheses.

Table 2 Standard Certificate Extensions

Certificate Fields / Data Type (number of characters) / Definition* / Example: For Personnel / Example: For Section/role
subjectAltName
rfc822Name / IA5String (64) / Optional: Subject’s e-mail address / /
* Lower-case letters only
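
The profile in Table 1 and Table 2 can be checked mechanically before a certificate's subject is recorded in a track and trace log. The following Python code is an added example, not part of the SEMI draft; the function names, the dictionary layout keyed by the table's field names, and the admission of the hyphen as a permitted character are assumptions.

```python
import re

# Table 1 footnote: alphanumerics (capitals included), period, parentheses.
# The hyphen is admitted too, since the table's own examples contain it (assumption).
ALLOWED = re.compile(r"[A-Za-z0-9.()\-]+")

PROFILE = {  # field -> (max length, accepted prefixes), taken from Table 1
    "CountryName": (2, ()), "StateName": (24, ()), "LocalityName": (24, ()),
    "OrganizationName": (56, ()),
    "OrganizationUnitName1": (32, ("OU1-",)),
    "OrganizationUnitName2": (16, ("OU2-",)),
    "CommonName": (32, ("PN-", "BN-", "BO-", "ID-")),
}

def check_subject(subject, rfc822_name=None):
    """Return a list of profile violations; an empty list means the subject conforms."""
    problems = []
    for field, (max_len, prefixes) in PROFILE.items():
        value = subject.get(field)
        if not value:
            problems.append(f"{field}: mandatory field missing")
            continue
        if len(value) > max_len:
            problems.append(f"{field}: longer than {max_len} characters")
        if not ALLOWED.fullmatch(value):
            problems.append(f"{field}: character outside the permitted set")
        if prefixes and not value.startswith(prefixes):
            problems.append(f"{field}: missing prefix {'/'.join(prefixes)}")
        # Format check only; membership in the ISO 3166-1 list is not verified here
        if field == "CountryName" and not re.fullmatch(r"[A-Z]{2}", value):
            problems.append("CountryName: not a two-letter alpha-2 code")
    # Table 2: rfc822Name is optional, lower case only, at most 64 characters
    if rfc822_name is not None and (len(rfc822_name) > 64 or rfc822_name != rfc822_name.lower()):
        problems.append("rfc822Name: must be lower case and at most 64 characters")
    return problems

def tracking_keys(subject):
    """Split the prefixed fields into the identifiers a track and trace log would index."""
    cn_kind, _, cn_value = subject["CommonName"].partition("-")
    return {
        "csb_org_number": subject["OrganizationUnitName1"][len("OU1-"):],
        "local_number": subject["OrganizationUnitName2"][len("OU2-"):],
        "subject_kind": cn_kind, "subject_name": cn_value,
    }

SAMPLE = {  # constructed from the Example column of Table 1
    "CountryName": "JP", "StateName": "Tokyo", "LocalityName": "Minato-Ku",
    "OrganizationName": "JIPDEC", "OrganizationUnitName1": "OU1-1.2.392.200063.80.1.1",
    "OrganizationUnitName2": "OU2-007", "CommonName": "BN-Smith",
}
```

Run `check_subject` before `tracking_keys`: the splitter assumes the prefixes are present and does not re-validate them.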

5.2 CSB’s Accreditation Criteria

5.2.1 The accreditation criteria for CSB which an international anti-counterfeiting framework (to be decided) approves are as follows:

·  Act

·  ETSI-TS-101456

·  ETSI-TS-102042

·  WebTrust for CA

5.2.2 CSB’s CA shall be chained to the public RootCA designated by the accreditation body which is a member of the international anti-counterfeiting framework (to be decided).

5.2.3 In addition, CSB shall be certified by the certification body accredited by the accreditation body.

5.2.4 The certification body shall certify CSB by one or more audit license holders relevant to the above-mentioned criteria.

5.2.5 When the audit license holder relevant to the above-mentioned criteria is not in a certification body and is only in the accreditation body, the accreditation body can certify CSB.

SUPPLEMENTARY EXPLANATION

NOTICE: This related information is not an official part of this standard and was derived from (origin of information). This related information was approved for publication by (method of authorization) on (date of approval).

R1-1 The Starting Point

R1-1.1 Counterfeiting is a serious and growing problem in the worldwide electronics industry. Because of this problem, the risk to human life becomes extremely high when such products are used in cars and medical equipment. One effective measure is to identify all the buyers of components using a supply chain track and trace system.

Figure R1-1

The Starting Point

R1-2 Relation Between this Specification and the Principle of ISO/PC246

R1-2.1 The following figure refers to a principle of the supply chain track and trace system proposed by AFNOR at the ISO/PC246 meeting in March, 2009. To identify all the buyers of components within logistics, it is necessary to specify the identification of components, container-boxes, and the organization.

Figure R1-2

Relation between This Specification and The Principle of ISO/PC246

R1-3 Method of Organization Identification

R1-3.1 Using the X.509 certificate[9] is an effective method for identifying buyers in a supply chain track and trace system. It is important that the organization information recorded on the certificate is not only correct but also enables automation of tracking.

R1-3.2 The certificate is transmitted to the supply chain track and trace system by SSL client authentication.

R1-3.3 The certificate shall be issued based on the personnel database of the organization.

Figure R1-3

Method of Organization Identification

R1-4 The Advantages of The Method of Using The X.509 Certificate

R1-4.1 Because the organization information on a digital certificate is identified by a TTP, we believe it is reliable.

R1-4.2 Because the profile which X.509 defines has some ambiguity, it is necessary to make the profile into a common form to enable automation of tracking.

R1-4.3 The certificate can be used until its expiry because it avoids recording attribute information[10] that is easily changed.

R1-4.4 Because X.509 certificates are already supported by common operating systems or many generally available software applications, the proposed system could be developed using them.

R1-5 Common Form for The X.509 Certificate Profile

R1-5.1 The common form shall also be applicable to e-mail so that it can be used for connection to the CSB.

R1-5.2 The common form shall be compact so that many logs can be recorded in the supply chain track and trace system.

Table R1-1 Basic Certificate Fields

Certificate Fields / Data Type (number of characters) / Definition* / Example: For Personnel / Example: For Section/Role
Subject
CountryName / Printable String (2) / Mandatory: The two-character (Latin alphabet) country code in alpha-2 of ISO 3166-1 / JP
StateName / Printable String (24) / Mandatory: Name of State, Province, etc. / Tokyo
LocalityName / Printable String (24) / Mandatory: Name of City, etc. / Minato-Ku
OrganizationName / Printable String (56) / Mandatory: Name of Organization. / JIPDEC
OrganizationUnitName1 / Printable String (32) / Mandatory: Organization number which CSB manages. Prefix OU1- is attached for automation of tracking. / OU1-1.2.392.200063.80.1.1
OrganizationUnitName2 / Printable String (16) / Mandatory: Local number which organization manages. Prefix OU2- is attached for automation of tracking. / OU2-007
CommonName / Printable String (32) / Mandatory: Subject’s real name or pseudonym or ID. Prefix PN- (personal pseudonym), BN- (business pseudonym), BO- (organization/role), or ID- is attached for automation of tracking. / BN-Smith / BO-Supply(Mngr.)
* It can use alphanumeric characters (capital letters are included), a period, and parentheses.

Table R1-2 Standard Certificate Extensions

Certificate Fields / Data Type (number of characters) / Definition* / Example: For Personnel / Example: For Section/Role
subjectAltName
rfc822Name / IA5String (64) / Optional: Subject's e-mail address / /
* Lower-case letters only

R1-6 OrganizationUnitName1: The Identifier Used for Search of Attribute Information

R1-6.1 It shall keep to a minimum the record of attribute information[11] that is easily changed, so that a certificate can be used until expiry.

R1-6.1.1 OrganizationUnitName1 is the identifier used to search for attribute information managed by the CSB.

R1-6.1.2 OrganizationUnitName2 is the identifier used to search for attribute information managed by the organization.

Figure R1-5

The Example of The Attribute Information Managed by CSB

R1-7 CSB’s Accreditation Criteria

R1-7.1 To make anti-counterfeiting track and trace truly effective, interoperation of CSBs is required. Because counterfeit components may be mixed into the international supply chain, CSB shall operate a RootCA or IssuingCA which is accredited by the following criteria upon approval by an international anti-counterfeiting framework (to be decided).

·  Act

·  ETSI-TS-101456

·  ETSI-TS-102042

·  WebTrust for CA

R1-7.2 CSB’s CA shall be chained to the public RootCA designated by the accreditation body which is a member of the international anti-counterfeiting framework (to be decided).

R1-7.3 In addition, CSB shall be certified by the certification body accredited by the accreditation body.

R1-7.4 The certification body shall certify CSB by one or more audit license holders relevant to the above-mentioned criteria.

R1-7.5 When the audit license holder relevant to the above-mentioned criteria is not in a certification body and is only in the accreditation body, the accreditation body can certify CSB.

Figure R1-6

Interoperation of CSB

NOTICE: SEMI makes no warranties or representations as to the suitability of the standards set forth herein for any particular application. The determination of the suitability of the standard is solely the responsibility of the user. Users are cautioned to refer to manufacturer's instructions, product labels, product data sheets, and other relevant literature, respecting any materials or equipment mentioned herein. These standards are subject to change without notice.