1、 ETSI TS 103 171 V2.1.1 (2012-03) Electronic Signatures and Infrastructures (ESI); XAdES Baseline Profile Technical Specification ETSI ETSI TS 103 171 V2.1.1 (2012-03)2Reference RTS/ESI-000103 Keywords electronic signature, profile, security, XAdES ETSI 650 Route des Lucioles F-06921 Sophia Antipoli
2、s Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present d
3、ocument may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of t
4、he PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/
5、status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction e
6、xtend to reproduction in all media. European Telecommunications Standards Institute 2012. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Memb
7、ers and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 103 171 V2.1.1 (2012-03)3Contents Intellectual Property Rights 4g3Foreword . 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Inf
8、ormative references 6g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 7g34 Conformance Levels. 7g35 General requirements . 8g35.1 Algorithm requirements . 8g35.2 Compliance requirements . 8g36 Requirements for B-Level Conformance . 9g36.1 Incorporation of XAdES qualifyin
9、g properties to the signature . 10g36.2 Profile of elements defined in XML Signature . 10g36.2.1 Placement of the signing certificate 10g36.2.2 Canonicalization of ds:SignedInfo element . 11g36.2.3 Profile of ds:Reference element 11g36.2.4 Transforms within ds:Reference element 12g36.3 Profile of XA
10、dES elements 12g36.3.1 Profile of xades:SigningCertificate element . 12g36.3.2 Profile of xades:SigningTime element 13g36.3.3 Profile of xades:DataObjectFormat element 13g37 Requirements for T-Level Conformance 13g38 Requirements for LT-Level Conformance . 14g38.1 Profile of XAdES elements 14g38.1.1
11、 Profile of xades:CertificateValues property . 14g38.1.2 Profile of xades:RevocationValues property . 15g38.1.3 Profile of xades:AttrAuthoritiesCertValues property . 15g38.1.4 Profile of xades:AttributeRevocationValues property 15g38.1.5 Validation material for time-stamp tokens 15g39 Requirements f
12、or LTA-Level Conformance 16g39.1 Transition strategy for ArchiveTimeStamp frameworks 16g3History 18g3ETSI ETSI TS 103 171 V2.1.1 (2012-03)4Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these
13、essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest up
14、dates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web serv
15、er) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction TS 101 903 1 (XAdES henceforth) specifies formats for Advanced Electronic
16、 Signatures built on XML SIG 2. That document defines a number of signed and unsigned optional signature properties, resulting in support for a number of variations in the signature contents and powerful processing requirements. In order to maximise interoperability in communities applying XAdES to
17、particular environments it is necessary to identify a common set of options that are appropriate to that environment. Such a selection is commonly called a profile. The present document profiles TS 101 903 1 signatures contexts where AdES signatures are used and in particular its use in the context
18、of the “Directive 2006/123/EC i.1 of the European Parliament and of the Council of 12 December 2006 on services in the internal market“ (EU Services Directive henceforth). ETSI ETSI TS 103 171 V2.1.1 (2012-03)51 Scope The present document defines a baseline profile for XAdES that provides the basic
19、features necessary for a wide range of business and governmental use cases for electronic procedures and communications to be applicable to a wide range of communities when there is a clear need for interoperability of AdES signatures used in electronic documents to be interchanged across borders. I
20、n particular it takes into account eSignature needs in the context of the EU Services Directive i.1. The profile defines four different conformance levels addressing incremental requirements to maintain the validity of the signatures over the long term, in a way that all the requirements addressed a
21、t a certain level are always addressed also by the levels above. Each level requires the presence of certain XAdES properties, suitably profiled for reducing the optionality as much as possible and referring to the forms that are specified in XAdES 1. Clause 4 identifies the four conformance levels
22、and shows how these levels might encompass the life cycle of the electronic signatures. Clause 5 provides details on the way that the requirements will be presented throughout the present document. Clause 6 profiles short-term related XAdES properties. Clause 7 profiles a XAdES signature for which a
23、 Trust Service Provider has generated a trusted token (time-mark or time-stamp token) proving that the signature itself actually existed at a certain date and time. Clause 8 profiles long-term related XAdES properties tackling the long term availability of the signature validation material. Clause 9
24、 profiles long-term related XAdES properties tackling the long term availability and integrity of the signature validation material. NOTE: The present document makes use of certain verbal forms (e.g. may, shall, shall not and should) as key words to signify requirements, conforming to ETSI Drafting
25、Rules, clause 14a i.8. 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (includi
26、ng any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term val
27、idity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. 1 ETSI TS 101 903: “Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES)“. 2 W3C Recommendation (June 2008): “XML Signature Syntax and
28、Processing (Second Edition)“. 3 W3C Recommendation (March 2001): “Canonical XML Version 1.0“. 4 W3C Recommendation (July 2002): “Exclusive XML Canonicalization Version 1.0“. 5 W3C Recommendation (May 2008): “Canonical XML Version 1.1“. 6 W3C Recommendation (November 1999): “XSL Transformations (XSLT
29、) Version 1.0“. ETSI ETSI TS 103 171 V2.1.1 (2012-03)67 W3C Recommendation (November 2002): “XML-Signature XPath Filter 2.0“. 8 ETSI TS 102 176-1: “Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algor
30、ithms“. 9 ECRYPT II (European Network of Excellence in Cryptology II): “ECRYPT II Yearly Report on Algorithms and Keysizes“. 10 IETF RFC 3986: “Uniform Resource Identifier (URI): Generic Syntax“. January 2005. 2.2 Informative references The following referenced documents are not necessary for the ap
31、plication of the present document but they assist the user with regard to a particular subject area. i.1 Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market. i.2 Commission Decision 2009/767/EC of 16 October 2009 amended by CD 20
32、10/425/EU of 28 July 2010, setting out measures facilitating the use of procedures by electronic means through the “points of single contact“ under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market. i.3 ETSI TS 102 231: “Electronic Signatures and
33、Infrastructures (ESI); Provision of harmonized Trust-service status information“. i.4 ETSI TS 101 533-1: “Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 1: Requirements for Implementation and Management“. i.5 ETSI TS 102 640-1: “Electronic Signatures and In
34、frastructures (ESI); Registered Electronic Mail (REM); Part 1: Architecture“. i.6 Commission Decision 2011/130/EU of 25 February 2011; establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the Euro
35、pean Parliament and of the Council on services in the internal market (notified under document C(2011) 1081). i.7 ISO 8601:2004 (2004-12): “Data elements and interchange formats - Information interchange - Representation of dates and times“. i.8 ETSI Drafting Rules (EDRs). NOTE: Contained in the ETS
36、I Directives: http:/portal.etsi.org/Directives/home.asp. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: generator: any party which creates, or adds attributes to, a signature NOTE: This may be the signatory or any
37、party that initially verifies or further maintains the signature. protocol element: element of the protocol which may be including data elements and / or elements of procedure service element: element of service that may be provided using one or more protocol elements NOTE: All alternative protocol
38、elements provide an equivalent service to the users of the protocol. trust service provider: body operating one or more (electronic) Trust Services (see i.3) ETSI ETSI TS 103 171 V2.1.1 (2012-03)7verifier: entity that validates or verifies an electronic signature 3.2 Abbreviations For the purposes o
39、f the present document, the abbreviations given in XAdES 1 and the following apply: TSL Trust-service Status List (see i.3) 4 Conformance Levels The present document defines four conformance levels as indicated below. Applications managing signatures conformant to requirements specified in clause 6
40、may claim B-Level (basic level) conformance. Applications managing signatures conformant to B-Level and also conformant to requirements specified in clause 7 may claim T-Level (Trusted time for signature existence) conformance. Applications managing signatures conformant to T-Level and also conforma
41、nt to requirements specified in clause 8 of the present document may claim LT-Level (Long Term level) conformance. Applications managing signatures conformant to LT-Level and also conformant to requirements specified in clause 9 of the present document may claim LTA-Level (Long Term with Archive tim
42、e-stamps) conformance. These conformance levels are defined for encompassing the life cycle of electronic signature, namely: a) B-Level profiles incorporation of signed and some unsigned properties when the signature is actually generated. NOTE 1: It is considered that this level is sufficient to co
43、nform to the Commission Decision 2011/130/EU of 25 February 2011 i.6. b) T-Level profiles the generation, for an existing signature, of a trusted token proving that the signature itself actually existed at a certain date and time. c) LT-Level profiles the incorporation of all the material required f
44、or validating the signature in the signature. This level is understood to tackle the long term availability of the validation material. d) LTA-Level profiles the incorporation of time-stamp tokens that allow validation of the signature long time after its generation. This level is understood to tack
45、le the long term availability and integrity of the validation material. NOTE 2: The levels b) to d) are appropriate where the technical validity of signature needs to be preserved for a period of time after signature creation where certificate expiration, revocation and/or algorithm obsolescence is
46、of concern. The specific level applicable depends on the context and use case. All conformance levels up to LTA use properties defined in XAdES 1. When signed data is exchanged between parties the sender should use at least signatures conforming to a level that allows the relying parties to trust th
47、e signature at the time the exchange takes place. NOTE 3: Archiving or preservation of electronic signatures over long term requires in general conformance to LTA level. The use of LTA-level is considered an appropriate preservation and transmission technique for signed data. Conformance to lower le
48、vel is sufficient when combined with appropriate additional protection techniques such as use of systems compliant to TS 101 533-1 i.4. NOTE 4: The assessment of the effectiveness of other preservation and transmission techniques for signed data are out of the scope of the present document. The read
49、er is advised to consider legal instruments in force and related standards such as TS 101 533-1 i.4 or TS 102 640-1 i.5 to evaluate their appropriateness. ETSI ETSI TS 103 171 V2.1.1 (2012-03)85 General requirements 5.1 Algorithm requirements Generators are referred to applicable national laws regarding algorithms and key lengths. Generators are also recommended to take into account the latest version of TS 102 176-1 8 for guidelines purposes and the latest ECRYPT2 D.SPA.x 9 yearly report for further recom
