ETSI TS 102 778-1-2009 Electronic Signatures and Infrastructures (ESI) PDF Advanced Electronic Signature Profiles Part 1 PAdES Overview - a framework document for PAdES (V1 1 1)《电子.pdf

1、 ETSI TS 102 778-1 V1.1.1 (2009-07)Technical Specification Electronic Signatures and Infrastructures (ESI);PDF Advanced Electronic Signature Profiles;Part 1: PAdES Overview - a framework document for PAdESETSI ETSI TS 102 778-1 V1.1.1 (2009-07)2Reference DTS/ESI-000072-1 Keywords e-commerce, electro

2、nic signature, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of th

3、e present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In

4、 case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of thi

5、s and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as auth

6、orized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2009. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for th

7、e benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Ma

8、rks registered and owned by the GSM Association. ETSI ETSI TS 102 778-1 V1.1.1 (2009-07)3Contents Intellectual Property Rights 4g3Foreword . 4g3Introduction 4g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 7g33 Definitions and abbreviations . 7g33.1 Definitions

9、7g33.2 Abbreviations . 8g34 General Features . 8g34.1 PDF signatures . 8g34.2 PDF Signature types . 9g34.3 PDF Signature Handlers . 10g34.4 PDF serial signatures 10g34.5 PDF signature Validation and Time-stamping . 11g34.6 ISO 19005-1: 2005 (PDF/A-1) . 11g34.7 Signatures on XML Content in PDF 11g35

10、Profiles . 11g35.1 Part 2: PAdES Basic - Profile based on ISO 32000-1 11g35.1.1 Description 11g35.1.2 Features . 12g35.2 Part 3: PAdES Enhanced - PAdES-BES Profile. 12g35.2.1 Description 12g35.2.2 Features . 13g35.3 Part 3: PAdES Enhanced - PAdES-EPES profile . 13g35.3.1 Description 13g35.3.2 Featur

11、es . 14g35.4 Part 4: Long Term - PAdES-LTV Profile 14g35.4.1 Description 14g35.4.2 Features . 15g35.5 Part 5: PAdES for XML Content - Profile for Basic XAdES signatures of XML documents embedded in PDF Containers 15g35.5.1 Description 15g35.5.2 Features . 16g35.6 Part 5: PAdES for XML Content - Prof

12、ile for long-term XAdES signatures of XML documents embedded in PDF containers 17g35.6.1 Description 17g35.6.2 Features . 17g35.7 Part 5: PAdES for XML Content - Profile for Basic XAdES signatures on XFA forms . 17g35.7.1 Description 17g35.7.2 Features . 18g35.8 Part 5: PAdES for XML Content - Profi

13、le for long-term validation XAdES signatures on XFA forms (XAdES-LTV) 18g35.8.1 Description 18g35.8.2 Features . 19g36 Use of Profiles in Combination 19g3History 20g3ETSI ETSI TS 102 778-1 V1.1.1 (2009-07)4Intellectual Property Rights IPRs essential or potentially essential to the present document m

14、ay have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI

15、standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence o

16、f other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The

17、 present document is part 1 of a multi-part deliverable covering PDF Advanced Electronic Signature Profiles, as identified below: Part 1: “PAdES Overview - a framework document for PAdES“; Part 2: “PAdES Basic - Profile based on ISO 32000-1“; Part 3: “PAdES Enhanced - PAdES-BES and PAdES-EPES Profil

18、es“; Part 4: “PAdES Long Term - PAdES-LTV Profile“; Part 5: “PAdES for XML Content - Profiles for XAdES signatures“. Introduction Electronic documents are a major part of a modern companies business. Trust in this way of doing business is essential for the success and continued development of electr

19、onic business. It is, therefore, important that companies using electronic documents have suitable security controls and mechanisms in place to protect their documents and to ensure trust and confidence with their business practices. In this respect the electronic signature is an important security

20、component that can be used to protect information and provide trust in electronic business. The present document is intended to cover electronic signatures for electronic documents. This includes evidence as to its validity even if the signer or verifying party later attempts to deny (i.e. repudiate

21、s; see ISO/IEC 10181-4 i.1) the validity of the signature. Thus, the present document can be used for any document encoded in a Portable Document Format (PDF) produced by an individual and a company, and exchanged between companies, between an individual and a governmental body, etc. The present doc

22、ument is independent of any environment; it can be applied to any environment, e.g. smart cards, GSM SIM cards, special programs for electronic signatures, etc. The European Directive on a community framework for Electronic Signatures defines an electronic signature as: “Data in electronic form whic

23、h is attached to or logically associated with other electronic data and which serves as a method of authentication“. The formats defined in the present document, are able to support advanced electronic signatures as defined in the Directive ISO 32000-1 1 specifies a digital form for representing doc

24、uments called the Portable Document Format (PDF) that enables users to exchange and view electronic documents easily and reliably, independent of the environment in which they were created or the environment in which they are viewed or printed. ETSI ETSI TS 102 778-1 V1.1.1 (2009-07)5ISO 32000-1 1 i

25、dentifies the ways in which an electronic signature, in the form of a digital signature, may be incorporated into a PDF document to authenticate the identity of the user and validate integrity of the documents content. These signatures are based on the same CMS 5 technology and techniques as TS 101

26、733 2 (CAdES), but without the extended signature capabilities of CAdES. ETSI ETSI TS 102 778-1 V1.1.1 (2009-07)61 Scope The present document provides a framework for the set of profiles for PDF (Portable Document Format - as specified in ISO 32000-1 1) Advanced Electronic Signatures specified in th

27、is multi-part deliverable. This multi-part deliverable profiles and extends the support for electronic signatures specified in ISO 32000-1 1 to include the enhanced features for advanced electronic signatures. These profiles include features equivalent to those specified in TS 101 733 2 (CAdES) and

28、TS 101 903 3 (XAdES) and include support for validation of signed documents stored over long periods. The present document: a) Provides a general description of support for signatures in PDF documents including use of XML signatures to protect XML data in PDF documents; b) Lists the features of the

29、PDF profiles specified in other parts of the document; c) Describes how the profiles may be used in combination. The present document is for information only. Reference should be made to the other parts of this deliverable for the normative requirements of each profile. 2 References References are e

30、ither specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. Non-specific reference may be made only to a complete document or a part thereof and only in the following cases: - if it is accept

31、ed that it will be possible to use all future changes of the referenced document for the purposes of the referring document; - for informative references. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOT

32、E: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are indispensable for the application of the present document. For dated references, only the edition cite

33、d applies. For non-specific references, the latest edition of the referenced document (including any amendments) applies. 1 ISO 32000-1: “Document management - Portable document format - Part 1: PDF 1.7“. NOTE: Available at http:/ 2 ETSI TS 101 733: “Electronic Signatures and Infrastructures (ESI);

34、CMS Advanced Electronic Signatures (CAdES)“. 3 ETSI TS 101 903: “XML Advanced Electronic Signatures (XAdES)“. 4 IETF RFC 2315: “PKCS #7: Cryptographic Message Syntax Version 1.5“. 5 IETF RFC 3852 (2004): “Cryptographic Message Syntax (CMS)“. ETSI ETSI TS 102 778-1 V1.1.1 (2009-07)76 ETSI TS 102 778-

35、2: “Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles; Part 2: PAdES Basic - Profile based on ISO 32000-1“. 7 ETSI TS 102 778-3: “Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles; Part 3: PAdES Enhanced - PAdES-BES

36、and PAdES-EPES Profiles“. 8 ETSI TS 102 778-4: “Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles; Part 4: PAdES Long Term - PAdES LTV Profile“. 9 ETSI TS 102 778-5: “Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles

37、; Part 5: PAdES for XML Content - Profiles for XAdES signatures“. 2.2 Informative references The following referenced documents are not essential to the use of the present document but they assist the user with regard to a particular subject area. For non-specific references, the latest version of t

38、he referenced document (including any amendments) applies. i.1 ISO/IEC 10181-4: “Information technology - Open Systems Interconnection - Security frameworks for open systems: Non-repudiation framework“. i.2 Adobe XFA: “XML Forms Architecture (XFA) Specification“. i.3 ISO 19005-1 (2005): “Document ma

39、nagement - Electronic document file format for long-term preservation - Part 1: Use of PDF 1.4 (PDF/A-1)“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in 1, 2, 3 and the following apply: certification signature: signature

40、that is used in conjunction with modification detection permissions (MDP) as defined by ISO 32000-1 1, clause 12.8.2.2 conforming signature handler: software application, or part of a software application, that knows how to perform digital signature operations (e.g. signing and/or verifying) in conf

41、ormance with ISO 32000-1 1 and the requirements of the appropriate profile PDF serial signature: specific signature workflow where the second (and subsequent) signers of a PDF not only sign the document but also the signature of the previous signer and any modification that may also have taken place

42、 (e.g. form fill-in) PDF signature: binary data object based on the CMS (see RFC 3852 5) or related syntax containing a digital signature placed within a PDF document structure as specified in ISO 32000-1 1, clause 12.8 with other information about the signature applied when it was first created sig

43、nature dictionary: PDF data structure, of type dictionary, as described in ISO 32000-1 1, clause 12.8.1, table 252 that contains all the information about the Digital Signature signer: entity that creates an electronic signature validation data: data that may be used by a verifier of electronic sign

44、atures to determine that the signature is valid (e.g. certificates, CRLs, OCSP responses) verifier: entity that validates an electronic signature The present document makes use of certain keywords to signify requirements. Below follows their definitions: may: means that a course of action is permiss

45、ible within a profile ETSI ETSI TS 102 778-1 V1.1.1 (2009-07)8shall: means that the definition is an absolute requirement of a profile NOTE: It has to strictly be followed in order to conform to the present document should: Means that among several possibilities one is recommended, in a profile, as

46、particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required NOTE: Implementers may know valid reasons in particular circumstances to ignore this recommendation, but the full implications have to be understood and careful

47、ly weighed before choosing a different course. 3.2 Abbreviations For the purposes of the present document the following abbreviations apply: CAdES CMS Advanced Electronic Signature NOTE: See TS 101 733 2. CMS Cryptographic Message Syntax NOTE: As specified in RFC 3852 5. CRL Certificate Revocation L

48、ist GSM Global System for Mobile communication LTV Long Term Validation MDP Modification Detection Permissions OCSP Online Certificate Status Protocol PAdES PDF Advanced Electronic Signature PAdES-BES PAdES Basic Electronic Signature PAdES-EPES PAdES Explicit Policy Electronic Signature PDF Portable

49、 Document Format PKCS Public Key Cryptography Standards SIM Subscriber Identity Mode UBL Universal Business LanguageXAdES XML Advanced Electronic Signatures NOTE: See TS 101 903 3. XFA XML Forms Architecture XML eXtensible Markup Language 4 General Features 4.1 PDF signatures Digital signatures in ISO 32000-1 1 currently support three activities: adding a digital signature immediately to a document, providing a placeholder field where signatures will go