1、 ETSI TR 102 272 V1.1.1 (2003-12)Technical Report Electronic Signatures and Infrastructures (ESI);ASN.1 format for signature policiesETSI ETSI TR 102 272 V1.1.1 (2003-12) 2 Reference DTR/ESI-000022 Keywords ASN.1, IP, electronic signature, security, e-commerce ETSI 650 Route des Lucioles F-06921 Sop
2、hia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org T
3、he present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI p
4、rinters of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.or
5、g/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunica
6、tions Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registe
7、red for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 272 V1.1.1 (2003-12) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 6 2 References 6 3 Definitions and abbreviations.7 3.1 Definitions7 3.2 Abbreviations .8 4 Signature Policy ove
8、rview8 5 Signature policy specification in informal free text form.9 6 Signature policy specification in ASN.1 12 6.1 Overall ASN.1 structure .13 6.2 Signature validation policy.13 6.3 Common Rules.14 6.4 Commitment Rules.14 6.5 Signer and Verifier Rules .15 6.5.1 Signer rules .15 6.5.2 Verifier rul
9、es.16 6.6 Certificate and revocation requirement 16 6.6.1 Certificate requirements16 6.6.2 Revocation requirements 17 6.7 Signing certificate trust conditions.18 6.8 Time-Stamp trust conditions 18 6.9 Attribute trust conditions19 6.10 Algorithm constraints .19 6.11 Signature policy extensions20 Anne
10、x A: ASN.1 modules.21 A.1 Signature policies definitions using X.208 (1988) ASN.1 syntax21 A.2 Signature policy definitions using X.680 (2002) ASN.1 syntax 24 Annex B: What is a signature policy and signature validation policy .29 B.0 Introduction 29 B.1 Identification of signature policy .30 B.2 Ge
11、neral signature policy information.31 B.3 Recognized commitment types 31 B.4 Rules for use of certification authorities 32 B.4.1 Trust points.32 B.4.2 Certification path32 B.5 Rules for the use of time-stamping and time-marking .33 B.5.1 Trust points and certificate paths33 B.5.2 Time-stamping autho
12、rity names .33 B.5.3 Timing constraints - cautionary period.33 B.5.4 Timing constraints - time-stamp delay .33 B.6 Revocation rules.34 B.7 Rules for the use of roles34 ETSI ETSI TR 102 272 V1.1.1 (2003-12) 4 B.7.1 Attribute values 34 B.7.2 Trust points for certified attributes .34 B.7.3 Certificatio
13、n path for certified attributes 34 B.8 Rules for verification data to be followed 35 B.9 Rules for algorithm constraints and key lengths 35 B.10 Other signature policy rules .35 B.11 Signature policy protection 35 Annex C: Bibliography 36 History 39 ETSI ETSI TR 102 272 V1.1.1 (2003-12) 5 Intellectu
14、al Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (I
15、PRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR sea
16、rches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by
17、ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction Electronic commerce is emerging as the future way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued dev
18、elopment of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect the electroni
19、c signature is an important security component that can be used to protect information and provide trust in electronic business. The European Directive on a community framework for Electronic Signatures defines an electronic signature as: “data in electronic form which is attached to or logically as
20、sociated with other electronic data and which serves as a method of authentication“. An electronic signature as used in TS 101 733 and TS 101 903 (XAdES) (see bibliography) is a form of advanced electronic signature as defined in the Directive. An electronic signature produced in accordance with tho
21、se documents provides evidence that can be processed to get confidence that some commitment has been explicitly endorsed under a Signature policy, at a given time, by a signer under an identifier, e.g. a name or a pseudonym, and optionally a role. Although neither document does not mandate any form
22、of Signature Policy specification, TS 101 733 originally specified an ASN.1 based syntax that may be used to define a structured Signature Policy in a way that machines can read and process. Since TS 101 733 V1.4.0 only contains the description of the formats of Electronic Signatures using the ASN.1
23、 syntax, this document is basically an extract from the Signature Policy specification found in the original versions of TS 101 733 and using the ASN.1 syntax. At the time of publication of the present document, no implementation of the Signature Policy format using the ASN.1 syntax has been reporte
24、d. At the time of publication of the present document, two documents exist describing in detail the various components of a signature policy: using an XML syntax: TR 102 038 (XML format of signature policies), see bibliography; using an ASN.1 syntax: TR 102 272 (ASN.1 format of signature policies),
25、i.e. the present document. Further explanations and use of signature policies requirements for multiples signatures over a single document are published in TR 102 045 (see bibliography). ETSI ETSI TR 102 272 V1.1.1 (2003-12) 6 1 Scope The present document covers the aspects of Electronic Signature P
26、olicies that were defined in TS 101 733 v1 and other older versions of that document. No specific format is mandated for a signature policy specification. A signature policy may be specified either: in a free form document for human interpretation; or in a structured form using an agreed syntax and
27、encoding. The present document specifies the various components of a signature policy and one specific format using an ASN.1 syntax and DER encoding. 2 References For the purposes of this Technical Report (TR) the following references apply: 1 ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8 (1998
28、): “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks“. 2 ITU-T Recommendation X.208 (1988): “Specification of Abstract Syntax Notation One (ASN.1)“. (withdrawn) 3 ITU-T Recommendation X.690 (2002) / ISO/IEC 8825-1 (2002): “Informa
29、tion technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)“. 4 ITU-T Recommendation F.1 (1998): “Operational provisions for the international public telegram service“. 5 IETF RFC 3494: “Lightweight Direct
30、ory Access Protocol“. 6 IETF RFC 3280: “Internet X.509 Public Key Infrastructure Certificate and CRL Profile“, see also RFC 3280 (April 2002). 7 IETF RFC 2560 (1999): “X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP“. 8 IETF RFC 3369: “Cryptographic Message Syntax“
31、. 9 IETF RFC 2634 (1999): “Enhanced Security Services for S/MIME“. 10 ISO 7498-2 (1989): “Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture“. 11 ISO/IEC 13888-1 (1997): “Information technology - Security techniques - Non-repudiation
32、 - Part 1: General“. 12 ITU-T Recommendation X.400 (1999): “Message handling services: Message handling system and service overview“. 13 ITU-T Recommendation X.500 (2001): “Information technology - Open Systems Interconnection - The Directory: Overview of concepts, models and services“. 14 ITU-T Rec
33、ommendation X.501 (2001): “Information technology - Open Systems Interconnection - The Directory: Models“. 15 IETF RFC 2587 (1999): “Internet X.509 Public Key Infrastructure LDAPv2 Schema“. 16 ITU-T Recommendation X.680 (2002) / ISO/IEC 8824-1 (2002): “Information technology - Abstract Syntax Notati
34、on One (ASN.1): Specification of basic notation“. ETSI ETSI TR 102 272 V1.1.1 (2003-12) 7 17 IETF RFC 2450: “Proposed TLA and NLA Assignment Rule“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: arbitrator: arbitra
35、tor entity may be used to arbitrate a dispute between a signer and verifier when there is a disagreement on the validity of a digital signature Attribute Authority (AA): authority which assigns privileges by issuing attribute certificates Attribute Authority Revocation List (AARL): references to att
36、ribute certificates issued to AAs, that are no longer considered valid by the issuing authority Attribute Certificate Revocation List (ARL): revocation list containing a list of references to attribute certificates that are no longer considered valid by the issuing authority authority certificate: c
37、ertificate issued to an authority (e.g. either to a certification authority or to an attribute authority) cautionary period: period after the signing time that it is mandated the verifier shall wait to get high assurance of the validity of the signers key and that any relevant revocation has been no
38、tified Certificate Revocation List (CRL): signed list indicating a set of certificates that are no longer considered valid by the certificate issuer Certification Authority (CA): authority trusted by one or more users to create and assign certificates. Optionally the certification authority may crea
39、te the users keys NOTE: See ITU-T Recommendation X.509 1. digital signature: data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient NOTE: See IS
40、O 7498-2 10. public key certificate: public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it NOTE: See ITU-T Recommendation X.509 1. Rivest-Shamir-Adleman (RSA): highly secure cryptography m
41、ethod using a two-part key signature policy: set of rules for the creation and validation of an electronic signature, under which the signature can be determined to be valid signature policy issuer: entity that defines the technical and procedural requirements for electronic signature creation and v
42、alidation, in order to meet a particular business need signature validation policy: part of the signature policy which specifies the technical requirements on the signer in creating a signature and verifier when validating a signature signer: entity that creates an electronic signature Time-Stamping
43、 Authority (TSA): trusted third party that creates time stamp tokens in order to indicate that a datum existed at a particular point in time Trusted Service Provider (TSP): entity that helps to build trust relationships by making available or providing some information upon request valid electronic
44、signature: electronic signature which passes validation according to a signature validation policy ETSI ETSI TR 102 272 V1.1.1 (2003-12) 8 verifier: entity that verifies an evidence NOTE 1: See ISO/IEC 13888-1 11. NOTE 2: Within the context of the present document this is an entity that validates an
45、 electronic signature. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AA Attribute Authority API Application Program Interface ARL Authority Revocation List ASN.1 Abstract Syntax Notation 1 CA Certification AuthorityCAD Card Accepting Device CMS Crypto
46、graphic Message Syntax CRL Certificate Revocation List DER Distinguished Encoding Rules (for ASN.1) ES Electronic Signature ES-T Electronic Signature with Timestamp MIME Multipurpose Internet Mail Extensions OCSP Online Certificate Status Provider OID Object Identifier PKIX internet X.509 Public Key
47、 Infrastructure RSA Rivest-Shamir-Adleman SHA-1 Secure Hash Algorithm 1 (see annex E on cryptographic algorithms) TSA Time-Stamping Authority TSP Trusted Service Provider URI Uniform Resource Identifier URL Uniform Resource Locator XML eXtensible Markup Language 4 Signature Policy overview The Signa
48、ture Policy is a set of rules for the creation and validation of an electronic signature, under which the signature can be determined to be valid. A given legal/contractual context may recognize a particular signature policy as meeting its requirements. The signature policy may be explicitly identif
49、ied or may be implied by the semantics of the data being signed and other external data like a contract being referenced which itself refers to a signature policy. An explicit signature policy has a globally unique reference, which is bound to an electronic signature by the signer as part of the signature calculation. The signature policy needs to be available in human readable form so that it can be assessed to meet the requirements of the legal and contractual context in which it is being applied. To facilitate the automatic
