DIN ISO 14533-1-2015 Processes data elements and documents in commerce industry and administration - Long term signature profiles - Part 1 Long term signature profiles for CMS Adva.pdf

1、May 2015Translation by DIN-Sprachendienst.English price group 12No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 35.

2、240.60!%Ba“2316293www.din.deDDIN ISO 14533-1Processes, data elements and documents in commerce, industry andadministration Long term signature profiles Part 1: Long term signature profiles for CMS Advanced ElectronicSignatures (CAdES) (ISO 14533-1:2014),English translation of DIN ISO 14533-1:2015-05

3、Prozesse, Datenelemente und Dokumente in Handel, Industrie und Verwaltung Langzeit-Signaturprofile Teil 1: Langzeit-Signaturprofile fr CMS-erweiterte elektronische Signaturen (CAdES)(ISO 14533-1:2014),Englische bersetzung von DIN ISO 14533-1:2015-05Processus, lments dinformations et documents dans l

4、e commerce, lindustrie etladministration Profils de signature long terme Partie 1: Profils de signature long terme pour les signatures lectroniques avancesCMS (CAdES) (ISO 14533-1:2014),Traduction anglaise de DIN ISO 14533-1:2015-05www.beuth.deIn case of doubt, the German-language original shall be

5、considered authoritative.Document comprises 24 pages04.15 A comma is used as the decimal marker. Contents Page National foreword .3 Introduction .5 1 Scope .6 2 Normative references .6 3 Terms and definitions 6 4 Symbols .9 5 Requirements 9 6 Long term signature profiles .9 6.1 Defined profiles 9 6.

6、2 Representation of the required level . 10 6.3 Standard for setting the required level 10 6.4 Action to take when an optional element is not implemented . 11 6.5 CAdES-T profile 11 6.6 CAdES-A profile . 13 6.7 Timestamp validation data 15 Annex A (normative) Suppliers declaration of conformity and

7、its attachment . 17 Annex B (normative) Structure of timestamp token 22 Bibliography . 24 2DIN ISO 14533-1:2015-05National foreword The text of this document (ISO 14533-1:2014) has been prepared by Technical Committee ISO/TC 154 “Processes, data elements and documents in commerce, industry and admin

8、istration”. The responsible German body involved in its preparation was the DIN-Normenausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and selected IT Applications), Working Committee NA 043-03-03 AA Elektronisches Geschftswesen. The text of ISO 14533-1 h

9、as been adopted without any modification. To avoid any falsification of the elements and/or attributes specified for the signature profiles, their names have been left in English, even in the German translation. Furthermore, the target group of IT specialists normally has sufficient knowledge of Eng

10、lish. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. DIN shall not be held responsible for identifying any or all such patent rights. DIN ISO 14533 consists of the following parts, under the general title Processes, data elements

11、 and docu-ments in commerce, industry and administration Long term signature profiles: Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES) Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES) The following part is under preparation: Part

12、 3: Long term signature profiles for PDF Advanced Electronic Signatures (PAdES) 3DIN ISO 14533-1:2015-05 This page is intentionally blank 4DIN ISO 14533-1:2015-05Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 1: Long term signature p

13、rofiles for CMS Advanced Electronic Signatures (CAdES) IntroductionThe purpose of this part of ISO 14533 is to ensure the interoperability of implementations with respect to long term signatures that make electronic signatures verifiable for a long term. Long term signature specifications referenced

14、 by each implementation cover CMS Advanced Electronic Signatures (CAdES) developed by the European Telecommunications Standards Institute (ETSI).5DIN ISO 14533-1:2015-051 ScopeThis part of ISO 14533 specifies the elements, among those defined in CMS Advanced Electronic Signatures (CAdES), that enabl

15、e verification of a digital signature over a long period of time.It does not give new technical specifications about the digital signature itself, nor new restrictions of usage of the technical specifications about the digital signatures which have already existed.NOTE CMS Advanced Electronic Signat

16、ures (CAdES) is the extended specification of Cryptographic message syntax (CMS), used widely.2 Normative referencesThe following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applie

17、s. For undated references, the latest edition of the referenced document (including any amendments) applies.ETSI/TS 101 733 v2.2.1 (2013-04), Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)1)3 Terms and definitionsFor the purposes of this document, the fol

18、lowing terms and definitions apply.3.1long term signaturesignature that is made verifiable for a long term by implementing measures to enable the detection of illegal alterations of signature information, including the identification of signing time, the subject of said signature, and validation dat

19、a3.2profilerule used to ensure interoperability, related to the optional elements of referenced specifications, the range of values, etc.3.3required levellevel of requirement for implementing each element constituting a profile1) Available from http:/pda.etsi.org/pda/queryform.asp6DIN ISO 14533-1:20

20、15-053.4cryptographic message syntaxCMSsyntax pertaining to the signature, digest, authentication, and encryption of a given messageNote 1 to entry: Cryptographic message syntax is defined in IETF RFC 5652.3.5CMS advanced electronic signatureCAdESelectronic signature defined in ETSI/TS 101 733 for w

21、hich the signer can be identified and any illegal data alteration detected3.6CAdES with timeCAdES-TCMS advanced electronic signature defined in ETSI/TS 101 733 with information to ascertain signing timeEXAMPLE Signature timestamp.3.7archival CAdESCAdES-ACMS advanced electronic signature defined in E

22、TSI/TS 101 733 with information that enables the detection of any illegal alterations of information pertaining to the signature, including the subject of the signature and validation dataEXAMPLE Archive timestamp.3.8content informationdata structure that defines the content in CMS3.9signed datadata

23、 structure that defines the signed data in CMS or related data3.10signerinfodata structure that defines the signature information for each signer or related data3.11signed attributesignature information that is the subject of a signature3.12unsigned attributesignature information that is not the sub

24、ject of a signatureNote 1 to entry: The signature timestamp and archive timestamp are unsigned attributes.3.13validation datacertificate and revocation information used to validate a signature and timestamp3.14timestamping authorityTSAtrusted third party commissioned to provide proof that certain da

25、ta existed prior to a certain point in time7DIN ISO 14533-1:2015-053.15timestamp tokenTSTdata object that binds a representation of a datum to a particular time, thus establishing evidence that the datum existed before that time3.16signature timestamptimestamp affixed to a signature value in order t

26、o identify the time when the signature existed3.17archive timestamptimestamp affixed to information pertaining to a signature, including the subject of the signature and validation data, in order to enable the detection of any illegal alteration3.18trust anchororigin of trust provided in the form of

27、 a public key certificate or public key used by the validator to validate an electronic signature, and generally a public key certificate issued by a trusted root certification authority3.19trusted third partyTTPsecurity authority or its agent entrusted by another entity in connection with activitie

28、s related to security3.20certification authorityCAcentre that is entrusted with the development and assignment of public key certificatesNote 1 to entry: Certification authorities can, at their discretion, develop and assign keys to entities.3.21certificateinformation on the publicly disclosed key a

29、s a part of an asymmetric key pair for an entity, signed by a certification authority to prevent forgery3.22attribute certificatecertificate containing the job, qualification, position, and other attributes and attribute values3.23revocation informationinformation issued by a certification authority

30、 with respect to a certificate revocated within the effective periodNote 1 to entry: This information can be collated to determine whether the certificate is still in force.3.24enhanced security serviceESSoptional enhanced service related to a signature including, but not limited to, information ide

31、ntifying SigningCertificate and information showing the type of signature8DIN ISO 14533-1:2015-054 SymbolsThe following symbols are used for the “required level”. C: Conditional M: Mandatory O: Optional P: Prohibited (creation or modification)5 Requirements5.1 The generation or validation of CAdES-T

32、 data conforms to this part of ISO 14533 provided that the following requirements are met:a) all processing of elements whose required level is “Mandatory” in the CAdES-T profile, as specified in this part of ISO 14533, shall be included;b) detailed specifications pertaining to the processing of any

33、 element whose required level is “Conditional” in the CAdES-T profile, as specified in this part of ISO 14533, shall be provided.5.2 The generation or validation of CAdES-A data conforms to this part of ISO 14533 provided that the following requirements are met:a) all processing of elements whose re

34、quired level is “Mandatory” in the CAdES-A profile, as specified in this part of ISO 14533, shall be included;b) detailed specifications pertaining to the processing of any element whose required level is “Conditional” in the CAdES-A profile, as specified in this part of ISO 14533, shall be provided

35、.5.3 If first-party conformity assessment is used, the implementer shall make a declaration of conformity to this part of ISO 14533 by disclosing the suppliers declaration of compliance and its attachment (see Annex A) containing a description of implementation status (and the specifications for any

36、 elements “Conditional”).NOTE Figure 1 shows the positioning of the generation and validation of CAdES-T data and CAdES-A data.6 Long term signature profiles6.1 Defined profilesIn order to make electronic signatures verifiable for a long term, signing time shall be identifiable, any illegal alterati

37、ons of information pertaining to signatures, including the subject of information and validation data, shall be detectable, and interoperability ensured. To meet these requirements, this part of ISO 14533 defines the following two profiles with respect to CAdES:a) CAdES-T profile: a profile pertaini

38、ng to the generation and validation of CAdES-T data;b) CAdES-A profile: a profile pertaining to the generation and validation of CAdES-A data.Figure 1 shows the relation between CAdES-T data and CAdES-A data.9DIN ISO 14533-1:2015-05Figure 1 Relation between CAdES-T data and CAdES-A data6.2 Represent

39、ation of the required levelThis part of ISO 14533 defines the following representation methods for the required level (as a profile) of each element constituting CAdES-T data and CAdES-A data.a) Mandatory (M): Elements whose required level is “Mandatory” shall be implemented without fail. If such an

40、 element has optional subelements, at least one subelement shall be selected. Any element whose required level is “Mandatory” and is one of the subelements of an optional element shall be selected whenever the optional element is selected.b) Optional (O): Elements whose required level is “Optional”

41、may be implemented at the discretion of the implementer.c) Conditional (C): Elements whose required level is “Conditional” may be implemented at the discretion of the implementer, provided that detailed specifications for the processing thereof are provided separately.d) Prohibited (P): Elements who

42、se required level is Prohibited shall not be created or modified, may be read.6.3 Standard for setting the required levelThe required level of each element constituting CAdES-T data and CAdES-A data shall be set in accordance with the following requirements.a) The required level shall be “Mandatory”

43、 for elements whose required level is “Mandatory” in the definition of CAdES, and those necessary for the generation and validation of long term signatures. The elements whose required level is “Optional” in the definition of CAdES are defined as “Mandatory”, “Optional” or “Conditional”.b) The requi

44、red level shall be “Conditional” for externally defined elements.EXAMPLE 1 OtherCertificateFormat.c) The required level shall be “Conditional” for elements intended to interact with a certain application.EXAMPLE 2 ContentReference.d) The required level shall be “Conditional” for elements with an ope

45、ration-dependent factor.EXAMPLE 3 Attribute certificate; time mark.NOTE The archiving-type timestamp defined in ISO/IEC 18014-2 is included in “Time mark or other method.”10DIN ISO 14533-1:2015-05e) The required level shall be “optional” for elements only containing reference information.6.4 Action

46、to take when an optional element is not implementedThe following action shall be taken when the CAdES data used in a validation transaction contains an unimplemented element.a) When the required level of an upper-level element is mandatory and one or more subordinate optional elements shall be selec

47、ted, or one or more relevant optional elements shall be selected, the validator shall be cautioned that validation requires implementation of said element(s); otherwise, validation cannot be performed.EXAMPLE In a validation transaction, a BasicOCSPResponse element is detected where only the process

48、ing of CertificateList elements, among all other optional elements in RevocationValues, is implemented.b) When CounterSignature is an unimplemented element, the validator shall be cautioned that validation requires implementation of said element; otherwise, validation cannot be performed.c) Optional

49、 elements other than those specified above may be ignored for implementation.6.5 CAdES-T profile6.5.1 GeneralThe required levels of constituent elements of CAdES-T data are specified in 6.5.2 to 6.5.4.If a certification authority (CA) or other trusted service is trusted to maintain and keep certificates for the signature validation accessible for an appropriate period of time and parties relying on the signature validity know the location where the certificates are a