ETSI TS 119 142-3-2016 Electronic Signatures and Infrastructures (ESI) PAdES digital signatures Part 3 PAdES Document Time-stamp digital signatures (PAdES-DTS) (V1 1 1)《电子签名和基础设施(E.pdf

1、 ETSI TS 119 142-3 V1.1.1 (2016-12) Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 3: PAdES Document Time-stamp digital signatures (PAdES-DTS) TECHNICAL SPECIFICATION ETSI ETSI TS 119 142-3 V1.1.1 (2016-12)2Reference DTS/ESI-000122 Keywords electronic signature, PAdE

2、S, profile, security, time-stamping ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present

3、 document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI.

4、In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the

5、document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: http

6、s:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be

7、 modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the ben

8、efit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 119 142-3 V1.1.1 (2016-12)3Contents Intellectual Property Righ

9、ts 4g3Foreword . 4g3Modal verbs terminology 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions 6g34 General syntax 6g34.1 General requirements for PAdES-DTS signatures . 6g34.2 Extending the validity of PAdES-DTS signatures 6g35 At

10、tributes syntax and semantics . 7g35.1 Extensions dictionary . 7g35.2 Requirements on encryption . 7g36 PAdES-DTS signature profiles 7g36.1 Signature levels 7g36.2 General requirements . 7g36.2.1 Requirements from Part 1 . 7g36.2.2 Notation for requirements . 8g36.3 Requirements on components and se

11、rvices 9g3History 11g3ETSI ETSI TS 119 142-3 V1.1.1 (2016-12)4Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-member

12、s, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant t

13、o the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

14、 Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 3 of a multi-part deliverable covering the PDF digital signatures (PAdES). Full details of the entire series can be found in part 1

15、2. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not

16、“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction Electronic commerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued d

17、evelopment of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect, digital si

18、gnatures are an important security component that can be used to protect information and provide trust in electronic business. The present document is intended to cover digital signatures supported by PKI and public key certificates, and aims to meet the general requirements of the international com

19、munity to provide trust and confidence in electronic transactions, including, amongst other, applicable requirements from Regulation (EU) No 910/2014 i.4. The present document can be used for any transaction between an individual and a company, between two companies, between an individual and a gove

20、rnmental body, etc. The present document is independent of any environment. It can be applied to any environment e.g. smart cards, SIM cards, special programs for electronic signatures, etc. ETSI ETSI TS 119 142-3 V1.1.1 (2016-12)51 Scope The present document specifies a type of PDF digital signatur

21、es, as specified in ISO 32000-1 1, based on time-stamps. It specifies a format for PAdES digital signatures using a Document Time-stamp - as defined in ETSI EN 319 142-1 2 - as a digital signature intended to specifically prove the integrity and existence of a PDF document as defined in ISO 32000-1

22、1, rather than proving any form of authentication or proof of origin. NOTE: This format does not meet the requirements of advanced electronic signature and advanced electronic seal as defined in Regulation (EU) No 910/2014 i.4, as it is not capable of identifying the signer. 2 References 2.1 Normati

23、ve references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) app

24、lies. Referenced documents that are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following r

25、eferenced documents are necessary for the application of the present document. 1 ISO 32000-1: “Document management - Portable document format - Part 1: PDF 1.7“. NOTE: Also available at http:/ 2 ETSI EN 319 142-1: “Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 1: Bu

26、ilding blocks and PAdES baseline signatures“. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest versio

27、n of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document

28、but they assist the user with regard to a particular subject area. i.1 ETSI EN 319 142-2: “Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 2: Additional PAdES signatures profiles“. i.2 IETF RFC 3161 (2001): “Time-Stamp Protocol (TSP)“. i.3 IETF RFC 5816 (2010): “ESSCe

29、rtIDv2 Update for RFC 3161“. i.4 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. ETSI ETSI TS 119 142-3 V1.1.1 (2016-12)63

30、Definitions For the purposes of the present document, the terms and definitions given in ISO 32000-1 1, ETSI EN 319 142-1 2 and the following apply: digital signature: data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and

31、integrity of the data unit and protect against forgery e.g. by the recipient digital signature value: result of the cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipien

32、t PAdES signature: digital signature that satisfies the requirements specified within ETSI EN 319 142-1 2 or ETSI EN 319 142-2 i.1 proof of existence: evidence that proves that an object existed at a specific date/time proof of integrity: evidence that proves the accuracy and completeness of an obje

33、ct (electronic) time-stamp: data in electronic form which binds other electronic data to a particular time establishing evidence that these data existed at that time NOTE: In the case of IETF RFC 3161 i.2 updated by IETF RFC 5816 i.3 protocol, the electronic time-stamp is referring to the timeStampT

34、oken field within the TimeStampResp element (the TSAs response returned to the requesting client). 4 General syntax 4.1 General requirements for PAdES-DTS signatures The type of PAdES signature defined in the present document is called PAdES-DTS and it builds on PDF signatures as specified in ISO 32

35、000-1 1. While other PAdES signature profiles defined in ETSI EN 319 142-1 2 and ETSI EN 319 142-2 i.1 incorporate signed and unsigned attributes aimed at proving the authenticity of the signer by means of a digital certificate issued to a natural or legal person, this PAdES signature profile is bas

36、ed on Document Time-stamp as defined in ETSI EN 319 142-1 2. This means that instead of authenticating the identity of a user and the documents contents, this type of digital signature provides only a proof of integrity of the content represented in the PDF document, and the use of a Document Time-s

37、tamp adds a proof of existence of the document itself. All the following requirements shall apply: a) The Signature Dictionary of a PAdES-DTS signature, as defined in ISO 32000-1 1, clause 12.8.1, table 252, shall be a Document Time-stamp Dictionary as described in clause 5.4.3 of ETSI EN 319 142-1

38、2. b) All the requirements described in clause 5.4.3 of ETSI EN 319 142-1 2 shall apply. c) Other requirements for handling PDF Signatures as specified in ISO 32000-1 1, clause 12.8, shall apply except where overridden by the present document. 4.2 Extending the validity of PAdES-DTS signatures The l

39、ifetime of the protection offered by a PAdES-DTS signature may be further extended beyond the lifetime of its Document time-stamp. In that case, a new Document time-stamp and DSS information shall be added as described in ETSI EN 319 142-1 2, clause 5.4. ETSI ETSI TS 119 142-3 V1.1.1 (2016-12)75 Att

40、ributes syntax and semantics 5.1 Extensions dictionary The extensions dictionary (see ISO 32000-1 1, clause 7.12) should include an entry to identify that a PDF document includes extensions as identified in clause 4.1. NOTE: As an alternative to the above entry, use of extensions as identified in cl

41、ause 4.1 can also be identified by the following entry from Adobe defining equivalent extensions to the PDF document format: 5.2 Requirements on encryption A PDF document can be encrypted to protect its contents from unauthorized access. When encryption and signatures are combined together in a sing

42、le PDF document, encryption shall be applied as described in ETSI EN 319 142-1 2, clause 5.5. 6 PAdES-DTS signature profiles 6.1 Signature levels The profiles in this clause define PAdES signatures based on the building blocks defined in ETSI EN 319 142-1 2. These profiles define two levels of PAdES

43、-DTS signatures. PAdES-DTS-BET level defines requirements for the generation of a basic PAdES-DTS signature providing a proof of existence and integrity of the document. PAdES-DTS-A level defines requirements for the incorporation of electronic time-stamps that allow validation of the PAdES-DTS sign

44、ature long time after its generation. This level aims to tackle the long term availability and integrity of the validation material. 6.2 General requirements 6.2.1 Requirements from Part 1 The requirements given in clauses 4.1, 5.3, 5.4, 5.5 and 6.2.1 of ETSI EN 319 142-1 2 (PAdES Part 1) shall appl

45、y to all levels in this clause. ETSI ETSI TS 119 142-3 V1.1.1 (2016-12)86.2.2 Notation for requirements This clause describes the notation used for defining the requirements of the different PAdES signature levels. The requirements on the elements and services are expressed in tables. A row in the t

46、able either specifies requirements for an element or a service. These tables contain five columns. 1) Column “Elements/Services“: a) In the case where the cell identifies a Service, the cell content starts with the keyword “Service:“ followed by the name of the service. b) In the case where the elem

47、ent provides a service, this cell contains “SPO:“ (for Service Provision Option), followed by the name of the element. c) Otherwise, this cell contains the name of the element. 2) Column “Presence in DTS-BET level“. This cell contains the specification of the presence of element, or the provision of

48、 a service, for PAdES-DTS-BET signatures. 3) Column “Presence in DTS-A level“. This cell contains the specification of the presence of the element, or the provision of a service, for PAdES-DTS-A signatures. 4) Below follows the values that can appear in columns “Presence in DTS-BET level“ and “Prese

49、nce in DTS-A level“: - “shall be present“: means that the element shall be present, and shall be as specified in the document referenced in column “References“, further profiled with the additional requirements referenced in column “Requirements“, and with the cardinality indicated in column “Cardinality“. - “shall be provided“: means that the service identified in the first column of the row shall be provided as further specified in the SPO-related rows. Th