DIN ISO 14533-2-2015 Processes data elements and documents in commerce industry and administration - Long term signature profiles - Part 2 Long term signature profiles for XML Adva.pdf

1、May 2015Translation by DIN-Sprachendienst.English price group 11No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 35.

2、240.60!%Ba“2316292www.din.deDDIN ISO 14533-2Processes, data elements and documents in commerce, industry andadministration Long term signature profiles Part 2: Long term signature profiles for XML Advanced ElectronicSignatures (XAdES) (ISO 14533-2:2012),English translation of DIN ISO 14533-2:2015-05

3、Prozesse, Datenelemente und Dokumente in Handel, Industrie und Verwaltung Langzeit-Signaturprofile Teil 2: Langzeit-Signaturprofile fr XML-erweiterte elektronische Signaturen (XAdES)(ISO 14533-2:2012),Englische bersetzung von DIN ISO 14533-2:2015-05Processus, lments dinformations et documents dans l

4、e commerce, lindustrie etladministration Profils de signature long terme Partie 2: Profils de signature long terme pour les signatures lectroniques avancesXML (XAdES) (ISO 14533-2:2012),Traduction anglaise de DIN ISO 14533-2:2015-05www.beuth.deIn case of doubt, the German-language original shall be

5、considered authoritative.Document comprises 21 pages04.15 A comma is used as the decimal marker. Contents Page National foreword .3 National Annex NA (informative) Bibliography .4 Introduction .5 1 Scope .6 2 Normative references .6 3 Terms and definitions 6 4 Symbols .7 5 Requirements 7 6 Long term

6、 signature profiles .7 6.1 Defined profiles 7 6.2 Representation of the required level 8 6.3 Standard for setting the required level .8 6.4 Action to take when an optional element is not implemented .9 6.5 XAdES-T profile 9 6.6 XAdES-A profile 11 6.7 Timestamp validation data 13 Annex A (normative)

7、Suppliers declaration of conformity and its attachment . 14 Annex B (normative) Structure of timestamp token 19 Bibliography . 21 2DIN ISO 14533-2:2015-05National foreword The text of this document (ISO 14533-2:2012) has been prepared by Technical Committee ISO/TC 154 “Processes, data elements and d

8、ocuments in commerce, industry and administration”. The responsible German body involved in its preparation was the DIN-Normenausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and selected IT Applications), Working Committee NA 043-03-03 AA Elektronisches

9、Geschftswesen. The text of ISO 14533-2 has been adopted without any modification. To avoid any falsification of the elements and/or attributes specified for the signature profiles, their names have been left in English, even in the German translation. Furthermore, the target group of IT specialists

10、normally has sufficient knowledge of English. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. DIN shall not be held responsible for identifying any or all such patent rights. The DIN Standard corresponding to the International Sta

11、ndard referred to in this document is as follows: ISO 14533-1 DIN ISO 14533-1 DIN ISO 14533 consists of the following parts, under the general title Processes, data elements and docu-ments in commerce, industry and administration Long term signature profiles: Part 1: Long term signature profiles for

12、 CMS Advanced Electronic Signatures (CAdES) Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES) The following part is under preparation: Part 3: Long term signature profiles for PDF Advanced Electronic Signatures (PAdES) 3DIN ISO 14533-2:2015-05National Annex NA (info

13、rmative) Bibliography DIN ISO 14533-1, Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES) 4DIN ISO 14533-2:2015-05IntroductionThe purpose of this part of ISO

14、14533 is to ensure the interoperability of implementations with respect to long term signatures that make electronic signatures verifiable for a long term. Long term signature specifications referenced by each implementation cover XML Advanced Electronic Signatures (XAdES) developed by the European

15、Telecommunications Standards Institute (ETSI).Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES) 5DIN ISO 14533-2:2015-051 ScopeThis part of ISO 14533 specifi

16、es the elements, among those defined in XML Advanced Electronic Signatures (XAdES), that enable verification of a digital signature over a long period of time.It does not give new technical specifications about the digital signature itself, nor new restrictions of usage of the technical specificatio

17、ns about the digital signatures which has already existed.NOTE XML Advanced Electronic Signatures (XAdES) is the extended specification of XML-Signature Syntax and Processing, used widely.2 Normative referencesThe following referenced documents are indispensable for the application of this document.

18、 For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO 14533-1, Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 1: Long term

19、signature profiles for CMS Advanced Electronic Signatures (CAdES)ETSI TS 101 903 v1.4.1 (2009-06), XML Advanced Electronic Signatures (XAdES) 1)3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO 14533-1 and the following apply.3.1XML signaturesignature s

20、yntax and processing for a given messageNOTE XML signature is defined in XML-Signature Syntax and Processing, W3C Recommendation, 12 February 2002.3.2XML advanced electronic signatureXAdESgeneric term for XML advanced electronic signatures defined in ETSI TS 101 903 for which the signer can be ident

21、ified and any illegal data alteration detected3.3XAdES with timeXAdES-TXML advanced electronic signature defined in ETSI TS 101 903 with information to ascertain SigningTime (e.g. signature timestamp)1) Available from http:/pda.etsi.org/pda/queryform.asp.6DIN ISO 14533-2:2015-053.4archival XAdESXAdE

22、S-AXML advanced electronic signature defined in ETSI TS 101 903 with information to enable the detection of any illegal alterations of information pertaining to the signature, including the subject of the signature and validation data (e.g. archive timestamp)3.5signature elementelement that serves a

23、s a route for the XML signature. There may be two or more signature elements for one subject of a signature4 SymbolsThe following symbols are used for the “required level”. C Conditional M Mandatory O Optional5 Requirements5.1 The generation or validation of XAdES-T data conforms to this part of ISO

24、 14533 provided that the following requirements are met:a) all processing of elements whose required level is “Mandatory” in the XAdES-T profile, as specified in this part of ISO 14533, shall be included;b) detailed specifications pertaining to the processing of any element whose required level is “

25、Conditional” in the XAdES-T profile, as specified in this part of ISO 14533, shall be provided.5.2 The generation or validation of XAdES-A data conforms to this part of ISO 14533 provided that the following requirements are met:a) all processing of elements whose required level is “Mandatory” in the

26、 XAdES-A profile, as specified in this part of ISO 14533, shall be included;b) detailed specifications pertaining to the processing of any element whose required level is “Conditional” in the XAdES-A profile, as specified in this part of ISO 14533, shall be provided.5.3 When first-party conformity a

27、ssessment is used, the implementer shall make a declaration of conformity to this part of ISO 14533 by disclosing the suppliers declaration of compliance and its attachment (see Annex A) containing a description of implementation status (and the specifications for any elements “Conditional”).NOTE Fi

28、gure 1 shows the positioning of the generation and validation of XAdES-T data and XAdES-A data.6 Long term signature profiles6.1 Defined profilesIn order to make electronic signatures verifiable for a long term, signing time shall be identifiable, any illegal alterations of information pertaining to

29、 signatures, including the subject of information and validation data, shall be detectable, and interoperability ensured. To meet these requirements, this part of ISO 14533 defines the following two profiles with respect to XAdES:a) XAdES-T profile: a profile pertaining to the generation and validat

30、ion of XAdES-T data;7DIN ISO 14533-2:2015-05b) XAdES-A profile: a profile pertaining to the generation and validation of XAdES-A data.Figure 1 shows the relation between XAdES-T data and XAdES-A data.Generate XAdES-A data Generate XAdES-T data Verify XAdES-T data Verify XAdES-A data XAdES-T data Dat

31、a Archive Timestamp (Distribution) (Archiving) XAdES-A data Figure 1 Relation between XAdES-T data and XAdES-A data6.2 Representation of the required levelThis part of ISO 14533 defines the following representation methods for the required level (as a profile) of each element constituting XAdES-T da

32、ta and XAdES-A data.a) Mandatory (M) Elements whose required level is “Mandatory” shall be implemented without fail. If such an element has optional subelements, at least one subelement shall be selected. Any element whose required level is “Mandatory” and is one of the subelements of an optional el

33、ement shall be selected whenever the optional element is selected.b) Optional (O) Elements whose required level is “Optional” may be implemented at the discretion of the implementer.c) Conditional (c) Elements whose required level is “Conditional” may be implemented at the discretion of the implemen

34、ter, provided that detailed specifications for the processing thereof are provided separately.6.3 Standard for setting the required levelThe required level of each element constituting XAdES-T data and XAdES-A data shall be set in accordance with the following requirements.a) The required level shal

35、l be “Mandatory” for elements whose required level is “Mandatory” in the definition of XAdES, and those necessary for the generation and validation of long term signatures. The elements whose required level is “Optional” in the definition of XAdES are defined as “Mandatory”, “Optional” or “Condition

36、al”.b) The required level shall be “Conditional” for externally defined elements.EXAMPLE OtherCertificateFormat.c) The required level shall be “Conditional” for elements intended to interact with a certain application.EXAMPLE DataObjectFormat.d) The required level shall be “Conditional” for elements

37、 with an operation-dependent factor.EXAMPLES Attribute certificate; time mark.NOTE The archiving-type timestamp defined in ISO/IEC 18014-2 is included in “Time mark or other method.”e) The required level shall be “optional” for elements only containing reference information.8DIN ISO 14533-2:2015-056

38、.4 Action to take when an optional element is not implementedThe following action shall be taken when the XAdES data used in a validation transaction contains an unimplemented element.a) When the required level of an upper-level element is mandatory and one or more subordinate optional elements shal

39、l be selected, or one or more relevant optional elements shall be selected, the validator shall be cautioned that validation requires implementation of said element(s); otherwise, validation cannot be performed.EXAMPLE In a validation transaction, a BasicOCSPResponse element is detected where only t

40、he processing of CertificateList elements, among all other optional elements in RevocationValues, is implemented.b) When CounterSignature is an unimplemented element, the validator shall be cautioned that validation requires implementation of said element; otherwise, validation cannot be performed.c

41、) Optional elements other than those specified above may be ignored for implementation.6.5 XAdES-T profile6.5.1 GeneralThe required levels of constituent elements of XAdES-T data are specified in 6.5.2 and 6.5.3.6.5.2 Signature elementTable 1 specifies the required level of each constituent element

42、of XML signature. The required level shall be “Conditional” for any elements not listed in Table 1.Table 1 Signature elementElement or attribute aRequired level ETSI TS 101 903 v1.4.1 ReferenceId attribute M b4.4ds:SignedInfo M 4.4ds:CanonicalizationMethod M 4.4ds:SignatureMethod M 4.4ds:Reference M

43、 4.4ds:Transforms O 4.4ds:DigestMethod M 4.4ds:DigestValue M 4.4ds:SignatureValue M 4.4ds:KeyInfo O c4.4ds:Object M 4.4aThe prefix “ds” corresponds to the XML signature namespace.b“Optional” in an XML signature, but “Mandatory” in ETSI TS 101 903.cEither ds:KeyInfo or SigningCertificate (Table 3) is

44、 required. If ds:KeyInfo is selected (Mandatory in ETSI TS 101 903 v1.1.1), an X.509 data element defined in the XML signature shall be included as a subelement.9DIN ISO 14533-2:2015-056.5.3 Object element, SignedProperties element, UnsignedProperties elementTables 2, 3 and 4 specify the required le

45、vels of elements that constitute signed properties and unsigned properties. The required level shall be “Conditional” for any signed and unsigned property elements not listed in Tables 2, 3 and 4. NOTE Unsigned property elements not listed in Tables 2, 3 and 4 include, but are not limited to, Comple

46、teCertificateReferences and CompleteRevocationReferences set forth in Table 5. XAdES-T data to which CompleteCertificateReferences and CompleteRevocationReferences are added can be made compliant with the XAdES-T profile by separately providing for the processing of these elements.Table 2 Object ele

47、mentElement Required level Condition ETSI TS 101 903 v1.4.1 ReferenceQualifyingProperties M The Id attribute value of the signature element shall be entered in the target attribute.6.2SignedProperties M 6.2.1UnsignedProperties O 6.2.2QualifyingPropertiesReference C 6.3.2Table 3 SignedProperties elem

48、entElement Required level ETSI TS 101 903 v1.4.1 ReferenceSignedSignatureProperties M 6.2.3SigningTime O a7.2.1SigningCertificate O a,b7.2.2SignaturePolicyIdentifier C 7.2.3SignatureProductionPlace C 7.2.7SignerRole C 7.2.8SignedDataObjectProperties C 6.2.4DataObjectFormat C 7.2.5CommitmentTypeIndic

49、ation C 7.2.6AllDataObjectsTimeStamp C 7.2.9IndividualDataObjectsTimeStamp C 7.2.10aMandatory in ETSI TS 101 903 v1.1.1.bEither SigningCertificate or ds:KeyInfo (Table 1) is required.Table 4 UnsignedProperties elementElement Required level ETSI TS 101 903 v1.4.1 ReferenceUnsignedSignatureProperties M 6.2.5CounterSignature O 7.2.4Trusted time M 7.3SignatureTimeStamp O 7.3Time mark or other method C 7.3UnsignedDataObjectProperties C 6.2.610DIN