ECMA 271 : 2ED 1999
Current
The latest, up-to-date edition.
EXTENDED COMMERCIALLY ORIENTED FUNCTIONALITY CLASS FOR SECURITY EVALUATION (E - COFC)
12-01-2013
1 Scope
2 Conformance
3 References
4 Definitions
4.1 Terms defined in this Standard
4.1.1 EB-class
4.1.2 CB-class
4.1.3 PB-class
4.1.4 Regulatory Board
4.1.5 Business action
4.1.6 Originator
4.1.7 Destination
4.1.8 Qualification of Originator and Destination
4.1.9 Attestation of submission
4.1.10 Attestation of delivery
4.1.11 Attestation of reception by Destination
4.1.12 Commitment of Originator
4.1.13 Customer
4.1.14 Provider
4.2 Terms defined in Standard ECMA-205 (COFC)
4.2.1 Access right
4.2.2 Administration
4.2.3 Customer-specifiable
4.2.4 Identification
4.2.5 User identifier, user ID
4.3 Terms defined in other documents
5 Acronyms
6 E - COFC
6.1 Overview
6.2 The TOE environment
6.3 Hierarchical subclasses
6.4 Usage of the INTERNET
7 The Enterprise Business class (EB-class)
7.1 The model
7.2 Commercial security requirements
7.2.1 Secure user authentication
7.2.2 Secure client/server communication
7.2.3 Software integrity
7.2.4 Availability and reliability
7.2.5 Accountability and audit
7.3 Threat analysis
7.4 Security functionalities
7.4.1 Identification and authentication
7.4.2 Access Control
7.4.3 Client/server communication
7.4.4 Accountability and audit
7.4.5 Object reuse
7.4.6 Accuracy
7.4.7 Availability and reliability of service
7.4.8 Key management (if cryptographic means are applied by the TOE)
8 The Contract Business class (CB-class)
8.1 The model
8.1.1 Exchange of information
8.1.2 Regulatory Board
8.1.3 Closed User Group Contract
8.2 Commercial security requirements
8.2.1 Authorization of Originator and Destination
8.2.2 Attestation of submission
8.2.3 Attestation of delivery
8.2.4 Attestation of reception by Destination
8.2.5 Commitment of Originator and Destination
8.2.6 Chronology of events
8.2.7 Accountability and audit
8.2.8 Document integrity
8.2.9 Document confidentiality
8.3 Threat analysis
8.4 Security functionalities
8.4.1 Access control (user authorization)
8.4.2 Accountability and audit
9 The Public Business class (PB-class)
9.1 The model
9.2 Commercial security requirements
9.2.1 Multistage identification and authentication
9.2.2 Interrelated commitments
9.2.3 Protection against unlawful multiple use of unique data
9.2.4 Unauthorized building of user profiles from business data
9.2.5 Interrelated accountability
9.3 Threat analysis
9.4 Security functionalities
9.4.1 Identification and authentication
9.4.2 Access control
9.4.3 Accountability and audit
9.4.4 Communication of commitment data
9.4.5 Trust Center security functionalities (key management)
Annex A (informative) Examples for the Contract Business class (CB-class)
Example 1: Sending a Contract
Example 2: Order placement
Example 3: Submitting an offer
Example 4: Public call for tender
Example 5: Financial order
Annex B (informative) Examples of Customer/Provider based business (PB-class)
Scenario 1: Customer/Provider public business
Scenario 2: Customer/Provider public business via a credit card organization (CCO)
Scenario 3: Customer/Provider public business with pay-card
Scenario 4: Electronic advertising
Annex C (informative) Terms defined in other documents
Extends the application of ECMA's class of commercial security functions (Standard ECMA-205) to a network-based system environment. The identified security requirements define a minimal set of security functions for interconnected IT systems.
Committee | TC 36
DocumentType | Standard
PublisherName | European Computer Manufacturers Association
Status | Current
ECMA 205 : 1ED 93 | COMMERCIALLY ORIENTED FUNCTIONALITY CLASS FOR SECURITY EVALUATION (COFC) |