downloads.semi.orgdownloads.semi.org/.../$file/5487.docx · web viewthe criteria which check the...

Background Statement for SEMI Draft Document 5487NEW STANDARD: SPECIFICATION FOR BASIC PROTOCOLS TO SUPPORT THE INTEROPERATION OF TRACEABILITY SYSTEMS NECESSARY FOR MANAGING PRODUCT IDENTITY THROUGHOUT THE LIFE CYCLE OF OBJECTS USING DIGITAL SIGNATURES AND TIME STAMPSNotice: This background statement is not part of the balloted item. It is provided solely to assist the recipient in reaching an informed decision based on the rationale of the activity that preceded the creation of this Document.

Notice: Recipients of this Document are invited to submit, with their comments, notification of any relevant patented technology or copyrighted items of which they are aware and to provide supporting documentation. In this context, “patented technology” is defined as technology for which a patent has issued or has been applied for. In the latter case, only publicly available information on the contents of the patent application is to be provided.

Background Statement

The electronic parts supply chain is frequently contaminated by counterfeit and tainted products. for example, the graph below shows the distribution of counterfeit product incidents of documented by the U.S. Department of Commerce in 2009. The risk of procuring contaminated goods increases when authorized (certified) distribution networks run out of product. This may occur with supply shortfalls or terminated products. Then, purchasing policy may also force procurement from non-certified distributors. The semiconductor industry currently lacks methods to validate the integrity of goods from non-certified distributors or suppliers. SEMI T20 was developed to solve such this problem. There are different types of semiconductor devices, and the commercial distribution channels are diverse. For example, for the semiconductor devices meant mainly for business-to-business transactions, and intended for the use in automobiles and the like, it is required to have in place measures against counterfeit products and quality traceability at the same time. Such applications are not supported in SEMI T20.

With an aim to realize the said requirements, this document proposes a mechanism to be offered to the users with such requirements.

Review and Adjudication InformationTask Force Review Committee Adjudication

Group: Japan PV Traceability TF Japan Traceability CommitteeDate: Friday, April 23, 2013 Friday, April 23, 2013Time & Time zone: 10:30 a.m. to 12:00 a.m. Japan Standard Time 1:00 p.m. to 5:00 p.m. Japan Standard TimeLocation: SEMI Japan Office SEMI Japan OfficeCity, State/Country: Tokyo, Japan Tokyo, JapanLeader(s): Yoichi Iga (Renesus Electronics)

Hirokazu Tsunobuchi (Keyence)Yoichi Iga (Renesus Electronics)Hirokazu Tsunobuchi (Keyence)

Standards Staff: Hirofumi Kanno (SEMI Japan)[email protected]

Hirofumi Kanno (SEMI Japan)[email protected]

This meeting’s details are subject to change, and additional review sessions may be scheduled if necessary. Contact Standards staff for confirmation. Telephone and web information will be distributed to interested parties as the meeting date approaches. If you will not be able to attend these meetings in person but would like to participate by telephone/web, please contact Standards staff.

DRAFTDocument Number:

Date: 5/8/23

SEMI Draft Document 5487NEW STANDARD: SPECIFICATION FOR BASIC PROTOCOLS TO SUPPORT THE INTEROPERATION OF TRACEABILITY SYSTEMS NECESSARY FOR MANAGING PRODUCT IDENTITY THROUGHOUT THE LIFE CYCLE OF OBJECTS USING DIGITAL SIGNATURES AND TIME STAMPS1 Purpose1.1 Counterfeiting is a serious and growing problem in the worldwide. Generally there are a genuine-or-not judging, traceability, and a method like intellectual property negotiation in an anti-counterfeiting.

1.2 This specification prescribes basic procedures which contribute to the interoperability of the traceability using digital signatures and time stamps for the purpose of a contractor certifying that goods purchased are genuine articles and that only the registered organizations are dealing with them. The merits are shown as following.

1: This specification acts towards achieving effect of SEMI T20 and T22.

2: This specification acts as one example which applied SEMI T21 to the anti-counterfeiting system.

1.2.1 Common function — Common function which collaborates with an existing system and makes possible handling of an independent organization like a customhouse.

3: OID is an identifier of an object, such as a part ID or a container box ID. This specification does not define the rules for assigning OID but uses the OID which a brand owner manages / assignees.

1.2.2 Vendor Free — integrity of trace data is made sure by only digital signature and time stamp

1.2.3 Solution Against Aftermarket Problem — This specification can also solve an aftermarket problems (which does not have a brand owner's warranty although it is a genuine article) such as re-distribution or diversion as illustrated in the following diagram.

Consumer A

Consumer B

Distributer

Re-distribution

DiversionOver Production

One ofCounterfeit Problem

Figure 1Aftermarket Problem

2 Scope2.1 This specification prescribes basic procedures which contribute to the interoperability of the traceability system which records such as following data for the purpose of the ability of a contractor that goods purchased are genuine articles and to certify that only the registered organization is dealing with it.

2.1.1 Use OID as data in which it is shown that goods purchased are genuine articles.

4: Brand owner may release the attribute information on parts like R1-2.

2.1.2 Use a digital certificate as data in which it is shown registered organizations.

This is a Draft Document of the SEMI International Standards program. No material on this page is to be construed as an official or adopted Standard or Safety Guideline. Permission is granted to reproduce and/or distribute this document, in whole or in part, only within the scope of SEMI International Standards committee (document development) activity. All other reproduction and/or distribution without the prior written consent of SEMI is prohibited.

Page 1 Doc. jn l SEMI

Semiconductor Equipment and Materials International3081 Zanker RoadSan Jose, CA 95134-2127Phone: 408.943.6900, Fax: 408.943.7943


Date: 5/8/23

5: It is shown in 5.3.1 for details.

2.1.3 Use a time stamp as data to show delivery or registration time.

Physical Example

3)Product certificate

1) White list registration certificate

2)Delivery/ registrationtime

IT Systematizing

⇒ 3)OID

⇒ １)Digital certificate

⇒ 2)Time stamp

Figure 2IT Systematizing

NOTICE: SEMI Standards and Safety Guidelines do not purport to address all safety issues associated with their use. It is the responsibility of the users of the Documents to establish appropriate safety and health practices, and determine the applicability of regulatory or other limitations prior to use.

3 Referenced Standards and Documents3.1 SEMI Standards

SEMI T20 — Specification for Authentication of Semiconductors and Related Products SEMI T21 — Specification for Organization Identification by Digital Certificate Issued from Certificate Service Body (CSB) for Anti-Counterfeiting Traceability in Components Supply ChainSEMI T22 — Traceability by Self Authentication Service Body and Authentication Service Body

3.2 ISO Standards1

ISO/IEC 9594-8 | ITU-T Rec. X,509, Information Technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworksISO 14533-2 Information technology — Long term Signature Profiles – Part 2: Longterm signature profiles for XAdESISO/IEC 27002 Information Technology – Security techniques – Code of practice for information security management

3.3 The European Telecommunications Standards Institute (ETSI) 2

ETSI TS 101456 — Electronic Signatures and Infrastructures (ESI); Policy requirement for certification authorities issuing qualified certificatesETSI TS 102042 — Electronic Signatures and Infrastructures (ESI); Policy requirement for certification authorities issuing public key certificates

3.4 WebTrust 3

WebTrust for CA — CA criteria designated from many browsers.

NOTICE: Unless otherwise indicated, all documents cited shall be the latest published versions.

4 Terminology4.1 Abbreviation and Acronyms

4.1.1 CA — Certification Authority

1 International Organization for Standardization, ISO Central Secretariat, 1 rue de Varembé, Case postale 56, CH-1211 Geneva 20, Switzerland. Telephone: 41.22.749.01.11; Fax: 41.22.733.34.30; http://www.iso.ch

2 ETSI Secretariat, 650, Route des Lucioles 06921 Sophia-Antipolis Cedex, FRANCE Tel.: +33 (0)4 92 94 42 00 Fax: +33 (0)4 93 65 47 16 ; http://www.etsi.org/website/homepage.aspx3 Robert Gold, Managing Partner at Bennett Gold LLP, Chartered Accountants, in Toronto, CANADA Tel.: 416-449-2249 Fax: 416-449-4133 ; http://www.webtrust.net




http://www.iso.ch/


Date: 5/8/23

4.1.2 ID — Identifier

4.1.3 LRA — Local Registration Authority

4.1.4 OID — Object Identifier

4.1.5 P/L — Parts List

4.2 Definitions

4.2.1 CA—Organization which performs the check identity and/or entitlements (RA: Registration Authority), and issue/revoke certificate (IA: Issuing Authority).

6: CSB in SEMI T21 is an organization which issues/revokes certificates. It may be CA, RA, or LRA.

4.2.2 Credential —Set of data presented as evidence of an asserted identity and/or entitlements.

4.2.3 Digital Certificate — Electronic form certificate based on X.509 standard.

4.2.4 LRA — Organization representing the user which is outsourced from CA, performs RA and distributes digital certificates (E. g., personnel section).

4.2.5 OID — OID is an identifier of an object, such as a part ID or a container box ID. This specification does not prescribe any rule of OID but treats OID which a brand owner manages / assigned as it is.

4.2.6 SSL — Protocol which enciphers information and communicates on the Internet; or send/receive exclusively encrypted information.

5 Requirements5.1 Introduction

5.1.1 This specification prescribes the following requirements which contribute to the interoperability of the traceability system which records data such as OIDs, digital certificates and time stamps for the purpose of enabling a contractor to certify that Objects (E.g., Part, Container box) are genuine articles and to certify that only the registered organization is dealing with it.

5.1.1.1 Requirements for Trace Data

5.1.1.1.1 Record Structure

5.1.1.1.2 Lifecycle Procedures

5.1.1.2 Requirements for Traceability System

5.1.1.2.1 Requirements for Registration of Organization

5.1.1.2.2 Access Control

7: It is assumed that an international controller administers the above requirements.

5.1.2 Outline flow of trace is shown in the following figure and R1-2. A distributing system is adopted in order to correspond to a complicated supply chain.

8: It may carry out hosting of the system in a data center.

5.1.2.1 The brand owner P registers ID of a shipment article into the system P through the browser P, and attaches a supply chain log of P.

9: The details of a supply chain log are shown in 5.2.1.4.

5.1.2.2 When parts are delivered, reseller R, copies trace data from the system P through the browser P, and attaches the supply chain log R, and pastes it on the system R through the browser R.

5.1.2.3 Like R, contractor S copies trace data from the system R, attaches the supply chain log S, and pastes on the system S.





Date: 5/8/23

ID Lp Lr LsID Lp LrID Lp

Brand owner ContractorResellerP R S

Browser R･Paste it on R

Browser P

･Copy trace data from PID Lp

ID Lp Lr

1) ID registration3) Supply Chain Log

(Lr)4) Supply Chain Log

(Ls)2) Supply Chain Log

(Lp)

Figure 3Outline Flow of Trace

5.2 Requirements for Trace Data

5.2.1 Record Structure

5.2.1.1 Record structure of trace data is shown in the following.

Primary Key(K)

ID(OID)

P/L Information Supply Chain LogPartNumber(n)

PrimaryKey ofPartInformation(KP)

SupplyChainLogNumber(m)

PrimaryKey ofAttributionInformation(KA)

PrimaryKey ofCertificatesInformation (KC)

Value ofSignatureand Time stamp (ST)

K = OID || n || KP || m || KA || KC || ST | | Supply Chain Log | P/L Information OID

Figure 4Record Structure

10: Primary key is the information for identifying a record uniquely.

11: The combination of KA, KC, and ST is defined as L.

5.2.1.2 ID — Object OID is registered into ID. OID is set to one at one record.

5.2.1.3 P/L Information — P/L information comprises number (n) of the objects identified by OID, and primary keys of their records.





Date: 5/8/23

12: An example when two parts (OIDi, OIDj) are contained in the container box (OIDk) is shown in the following.

13: It means that there is no Part which constitutes an object in the case of n= 0. In addition, in the case of n= 0, it is made into KP=0.

K = OIDk || 2 || Ki || Kj || ･･･Ki = OIDi || 0 || 0 ||･･･Kj = OIDj || 0 || 0 ||･･･

Figure 5Example when two parts are contained in the container box

5.2.1.4 Supply Chain Log — A supply chain log comprises number (m) of registered organizations which registered OID or where the object was delivered, and following logs of each registration organization.

5.2.1.4.1 Primary Key of Attribute Information Record of Registration Organization (KA) — A primary key attribute of the information record is that of a registration organization such it’s location address. KA is an option, and when not using, it is set to 0.

14: Attribute information of a registration organization differs from attribute information of part.

5.2.1.4.2 Primary Key of Verification Information Rerecord concerning Registration Organization’s Digital Signature (KC) — It is a primary key of a verification information record like the digital certificate issued by the registration organization and its revocation list.

5.2.1.4.3 Signature Value and Time Stamp value (ST) — It comprises signature values which can check the integrity of trace data and time stamp values which can check the time into which the signature was made.

15: The object data of the first signature is OID, n, m, and ST of the record pointed at by KP/KA/KC. When a nest further continues, ST of each nested record is included. The data for a signature of the 2nd henceforth is the last ST. Anyway, all the primary keys are the outsides for a signature.

5.2.2 Lifecycle Procedures

5.2.2.1 Life cycle procedure of trace data is a data processing rule of trace data like the following example for the purpose of the correspondence including manufacturing/assembly.

5.2.2.1.1 Through Type Data Processing

5.2.2.1.2 Resale Type Data Processing

5.2.2.1.3 Kitting Type Data Processing

5.2.2.1.4 Subdivide Type Data Processing

5.2.2.2 Through Type Data Processing — Procedure which propagates the original OID along the distribution chain. An example supplied to company S via company P and company R with original OID is shown as following.

K =OIDorg || 0 || 0 || 3 || Lp || Lr || LsFigure 6

Example of Through

5.2.2.3 Resale Type Data Processing — Procedure which changes original OID into a new OID. An example is shown as follows.



IC2 (OIDj)

IC1 (OIDi)

Box(OIDk)



Date: 5/8/23

Knew = OIDnew || 1 || Korg || 1 || LnewKorg = OIDorg || ･･･

Figure 7Example of Resale

5.2.2.4 Kitting Type Data Processing — Procedure which attaches new OID to what performed manufacturing/assembly using two or more original objects. An example is shown as following.

Knew = OIDnew || 2 || Korg1 || Korg2 || 1 || LnewKorg1 = OIDorg1 || ･･･Korg2 = OIDorg2 || ･･･

Figure 8Example of Kitting

5.2.2.5 Subdivide Type Data Processing — Procedure which attaches new OID to each original object divided into two or more. An example is shown as following.

Knew1 = OIDnew1 || 1 || Korg || 1 || LnewKnew2 = OIDnew2 || 1 || Korg || 1 || LnewKorg = OIDorg || ･･･

Figure 9Example of Subdivide

16: Although old trace data is erasable, it is desirable to save for an after-shipment fixed period (E. g., three years) from the trace back's viewpoint.

5.3 Requirements for Traceability System

5.3.1 Requirements for Registration of Organization

5.3.1.1 Requirements for registration of an organization are shown in the following example. The digital certificate is issued by the organization which satisfied these requirements.

17: A digital certificate is issued based on the system/rule authorized by ETSI102042, ETSI101456, or Web Trust for CA. Interoperability image of CA is shown in R1-3.

5.3.1.1.1 The criteria which check the trustworthiness of a purchase company are administered based on a standard such as ISO/IEC 27002 Section 6.2 External Parties.

5.3.1.1.2 In order to protect from physical access without authority, the entrance-exit management and the surveillance of area which perform manufacturing / assembly / storage are administered based on a standard such as ISO/IEC 27002 Chapter 9 Physical and Environmental Security.

5.3.2 Access Control

5.3.2.1 Since client authentication of SSL can use, it is one of the best practice to use a digital certificate for access control.

5.3.2.2 For this reason, digital certificate issued by the registration organization based on SEMI T21 shall be used for the access control of a traceability system.

5.3.2.3 Digital certificate based on SEMI T21 is easy-to-use to access control in the following merits.

5.3.2.3.1 Since the certificate field is common (it is not dependent on CA), access control is made simple.

5.3.2.3.2 An access management can be made simple if the prefix which can identify a user's group is attached to the OrganizationUnitName1 (OU1) field which can set up only CA or designated body. An example of the prefix rule of OU1 is shown as following.

18: A prefix can be attached also to the OrganizationUnitName2 (OU2) field and the Common Name (CN) field which LRA can also set up.

19: An example of operation using SEMI T21 is shown in R1-1.





Date: 5/8/23

Application CodeE.g., ac:Anti-Counterfeiting Traceability

Alphanumeric Small Letter （Default value is OU1）

Application Code 3rd Letter Organization

ac 01289

Designated BodyBrand Owner

ReSellerContractor

Others

Figure 10Example of the Prefix Rule of OU1

RELATED INFORMATION 1





Date: 5/8/23

RELATED INFORMATION 1 SUPPLEMENTARY EXPLANATIONNOTICE: This Related Information is not an official part of SEMI Doc. 5487 and was derived from the work of the global Traceability Technical Committee. This Related Information was approved for publication by full letter ballot procedures on [A&R approval date].

R1-1 Example of Operation using SEMI T21R1-1.1 Since client authentication of SSL can use, it is one of the best practice to use a digital certificate for access control.

R1-1.2 Digital certificate based on SEMI T21 is easy-to-use to access control in the following merits.

R1-1.2.1.1 Since the certificate field is common (it is not dependent on CA), access control is made simple.

R1-1.2.1.2 An access management can be made simple if the prefix which can identify a user's group is attached to the OrganizationUnitName1 (OU1) field which can set up only CA or designated body.

R1-1.2.1.3 A prefix can be attached also to the OrganizationUnitName2 (OU2) field and the Common Name (CN) field which LRA can also set up.

Certificate Fields MaximumCharacters

Described Contents Charge of Registration

Example

SubjectCountryName 2 - 2-Letter Code of ISO 3166-1 (Capital Letter) CA or Designated

BodyJP

StateName 128 - Prefectures (States) where the main office is located. (First Letter must be capital letters.)

CA or DesignatedBody

Tokyo

LocalityName 128 - City, Town, Ward etc. where the main office is located. (First Letter must be capital letters.)


Minato-ku

OrganizationName 64 - Organization Name (Registration Name of DUNS etc.)


JIPDEC

OrganizationUnitName1 64 - Field for Digital Certification (Prefix managed by International (Global) Body must be added.)

- Prefix: 3 alphanumeric small letter ＋hyphen (Default value is OU1-)i, o, v, w, x, y, z must not be used for first letter except for the default value. e.g. ac0-


OU1-1234

OrganizationUnitName2 64 - Field for Digital Certification (Prefix managed by company’s human resources dept. must be added.)

- Prefix: 3 alphanumeric small letter ＋hyphen (Default value is OU2-)First letter must be v, w, x, y or z except for default value. e.g. v00-

LRA such as Human Resources Dept. of the Organization

OU2-5678

CommonName 64 - Subject Name of Certificate Issuance- Prefix code to distinguish the subject might be added.

e.g. of PrefixBN-Name for Business (maiden name)BO-Organization NameID-Number※Suffix code might be added, if necessary.

LRA such as Human Resources Dept. of the Organization

Smith Betty(Supply Mngr.)

Figure R1-1Example of Operation using SEMI T21

R1-2 Interoperability Image of TraceabilityR1-2.1 The image of the framework to which this specification is applied is shown as follows.

R1-2.1.1 The brand owner registers ID of a shipment article into the system, and attaches a supply chain log.

R1-2.1.2 When parts are delivered, reseller copies trace data from the system, and attaches reseller’s supply chain log, and pastes it on the system.

R1-2.1.3 Henceforth, the same processing is continued.





Date: 5/8/23

R1-2.2 An alert system is a system which releases counterfeit product detection information. A brand owner administers alert information as part attribute information, and when opening to the public, a brand owner shall perform access control which considered the damage caused by rumors. The digital certificate based on SEMI T21 can be used also for this access control.

PartsAttribute

Information

Supply Chain

Brand owner ConsumerReseller Contractor

Register Check Check CheckRegister

InternationalControllerTraceability

System

Alert Systeme.g. GIDEP,ERAI

Figure R1-2Interoperability Image of Traceability

R1-3 Interoperability Image of CAR1-3.1 A digital certificate is issued from Certification Authority (CA) or Local Registration Authority (LRA). This framework is shown as following.

R1-3.1.1 CA is an organization which performs the check identity and/or entitlements (RA: Registration Authority), and issue/revoke certificate (IA: Issuing Authority).

R1-3.1.2 LRA is an organization representing the user which is outsourced from CA, performs RA and distributes digital certificates (E. g., personnel section) .

20: CA assumes that it is accredited every year from the organization designated from the international controller. LRA assumes that it is designated from CA every year.





Date: 5/8/23

CA

Employees, etc.

LRA

Personnel DB, etc.

1. Request

2. DownloadEnterprise

3. Distribute

Designate Organization (Every Country)

International Controller

Figure R1-3Interoperability Image of CA

NOTICE: Semiconductor Equipment and Materials International (SEMI) makes no warranties or representations as to the suitability of the Standards and Safety Guidelines set forth herein for any particular application. The determination of the suitability of the Standard or Safety Guideline is solely the responsibility of the user. Users are cautioned to refer to manufacturer’s instructions, product labels, product data sheets, and other relevant literature, respecting any materials or equipment mentioned herein. Standards and Safety Guidelines are subject to change without notice.

By publication of this Standard or Safety Guideline, SEMI takes no position respecting the validity of any patent rights or copyrights asserted in connection with any items mentioned in this Standard or Safety Guideline. Users of this Standard or Safety Guideline are expressly advised that determination of any such patent rights or copyrights, and the risk of infringement of such rights are entirely their own responsibility.


