1、 ETSI TS 119 142-2 V1.0.1 (2015-07) Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 2: Additional PAdES signatures profiles TECHNICAL SPECIFICATION ETSI ETSI TS 119 142-2 V1.0.1 (2015-07)2Reference RTS/ESI-0019142-2-TS Keywords electronic signature, PAdES, profile, se
2、curity ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded f
3、rom: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or pe
4、rceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to re
5、vision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSuppo
6、rtStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authoriza
7、tion of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are
8、 Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 119 142-2 V1.0.1 (2015-07)3Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs termino
9、logy 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 7g33 Definitions and abbreviations . 8g33.1 Definitions 8g33.2 Abbreviations . 9g34 Profile for CMS digital signatures in PDF . 9g34.1 Features 9g34.2 Requirements of Profile for CMS Signature
10、s in PDF 9g34.2.1 Requirements on PDF signatures 9g34.2.2 Requirements on PDF signature handlers . 10g34.2.3 Requirements on signature validation . 10g34.2.4 Requirements on Time Stamping 10g34.2.4.1 Requirements on electronic time-stamp creation 10g34.2.4.2 Requirements on electronic time-stamp val
11、idation . 11g34.2.5 Requirements on revocation checking 11g34.2.6 Requirements on Seed Values 11g34.2.7 Requirements on encryption . 11g35 Extended PAdES signature profiles . 11g35.1 Features 11g35.2 General Requirements 11g35.2.1 Requirements from Part 1 . 11g35.2.2 Notation of Requirements . 11g35
12、.3 PAdES-E-BES Level 12g35.4 PAdES-E-EPES Level 14g35.5 PAdES-E-LTV Level . 14g36 Profiles for XAdES Signatures signing XML content in PDF . 14g36.1 Features 14g36.2 Profiles for XAdES signatures of signed XML documents embedded in PDF containers . 14g36.2.1 Overview 14g36.2.2 Profile for Basic XAdE
13、S signatures of XML documents embedded in PDF containers 16g36.2.2.1 Features . 16g36.2.2.2 General syntax and requirements 17g36.2.2.3 Requirements for applications generating signed XML document to be embedded . 17g36.2.2.4 Mandatory operations 18g36.2.2.4.1 Protecting the signing certificate . 18
14、g36.2.2.5 Requirements on XAdES optional properties . 18g36.2.2.6 Serial Signatures . 18g36.2.2.7 Parallel Signatures. 18g36.2.2.8 PAdES Signatures . 19g36.2.3 Profile for long-term XAdES signatures of signed XML documents embedded in PDF containers 19g36.2.3.1 Features . 19g36.2.3.2 Augmentation me
15、chanism . 19g36.2.3.3 Optional properties 19g36.2.3.4 Validation Process. 19g36.3 Profiles for XAdES signatures on XFA Forms 19g36.3.1 Overview 19g36.3.2 Profile for Basic XAdES signatures on XFA forms . 22g3ETSI ETSI TS 119 142-2 V1.0.1 (2015-07)46.3.2.1 Features . 22g36.3.2.2 General syntax and re
16、quirements 22g36.3.2.3 Mandatory operations 23g36.3.2.3.1 Protecting the signing certificate . 23g36.3.2.4 Requirements on XAdES optional properties . 23g36.3.2.5 Serial Signatures . 24g36.3.2.6 Parallel Signatures. 25g36.3.3 Profile for long-term validation XAdES signatures on XFA forms 25g36.3.3.1
17、 Overview . 25g36.3.3.2 Features . 25g36.3.3.3 General Requirements . 25g36.3.4 Extensions Dictionary . 25g3Annex A (informative): General Features 26g3A.1 PDF signatures . 26g3A.2 PDF Signature types . 27g3A.3 PDF Signature Handlers . 27g3A.4 PDF serial signatures 27g3A.5 PDF signature Validation a
18、nd Time-stamping . 28g3A.6 ISO 19005-1: 2005 (PDF/A-1) . 28g3A.7 ISO 19005-2: 2008 (PDF/A-2) . 29g3A.8 Seed Values and Signature Policies . 29g3History 30g3ETSI ETSI TS 119 142-2 V1.0.1 (2015-07)5Intellectual Property Rights IPRs essential or potentially essential to the present document may have be
19、en declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“
20、, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not reference
21、d in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part
22、2 of a multi-part deliverable covering the PDF digital signatures (PAdES), as identified below. Part 1: “Building blocks and PAdES baseline signatures“; Part 2: “Additional PAdES signatures profiles“. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“
23、, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction Electronic co
24、mmerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic mean
25、s of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an important security component that can be used to protect information and provide trust
26、in electronic business. The present document is intended to cover digital signatures supported by PKI and public key certificates. This includes evidence as to its validity even if the signer or verifying party later attempts to deny (i.e. repudiates; see ISO/IEC 10181-4 i.1) the validity of the sig
27、nature. Thus, the present document can be used for any document encoded in a portable document format (PDF) produced by an individual and a company, and exchanged between companies, between an individual and a governmental body, etc. The present document is independent of any environment; it can be
28、applied to any environment, e.g. smart cards, SIM cards, special programs for digital signatures, etc. The present document is part of a rationalized framework of standards (see ETSI TR 119 000 i.8). See ETSI TR 119 100 i.9 for getting guidance on how to use the present document within the aforement
29、ioned framework. ETSI ETSI TS 119 142-2 V1.0.1 (2015-07)61 Scope The present document defines multiple profiles for PAdES digital signatures which are digital signatures embedded within a PDF file. The present document contains a profile for the use of PDF signatures, as described in ISO 32000-1 1 a
30、nd based on CMS digital signatures i.6, that enables greater interoperability for PDF signatures by providing additional restrictions beyond those of ISO 32000-1 1. This first profile is not related to part 1 of ETSI TS 119 142 4. The present document also contains a second set of profiles that exte
31、nd the scope of the profile in PAdES part 1 5, while keeping some features that enhance interoperability of PAdES signatures. These profiles define three levels of PAdES extended signatures addressing incremental requirements to maintain the validity of the signatures over the long term, in a way th
32、at a certain level always addresses all the requirements addressed at levels that are below it. These PAdES extended signatures offer a higher degree of optionality than the PAdES baseline signatures specified in part 1 of ETSI TS 119 142 4. The present document also defines a third profile for usag
33、e of an arbitrary XML document signed with XAdES signatures that is embedded within a PDF file. The profiles defined in the present document provide equivalent requirements to profiles found in ETSI ETSI TS 102 778 i.10. The present document does not repeat the base requirements of the referenced st
34、andards, but instead aims to maximize interoperability of digital signatures in various business areas. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the
35、cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlin
36、ks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. 1 ISO 32000-1: “Document management - Portable document format - Part 1: PDF 1.7“. NOTE: Ava
37、ilable at http:/ 2 IETF RFC 2315: “PKCS #7: Cryptographic Message Syntax Version 1.5“. 3 IETF RFC 5280: “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile“. 4 ETSI TS 119 142-1: “Electronic Signatures and Infrastructures (ESI); PAdES digital signature
38、s; Part 1: Building blocks and PAdES baseline signatures“. 5 ETSI TS 119 122-1: “Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures“. 6 ETSI TS 119 132-1: “Electronic Signatures and Infrastructures (ESI); XAdES digital sig
39、natures; Part 1: Building blocks and XAdES baseline signatures“. 7 ETSI TS 119 132-2: “Electronic Signatures and Infrastructures (ESI); XAdES digital signatures; Part 2: Extended XAdES signatures“. ETSI ETSI TS 119 142-2 V1.0.1 (2015-07)78 Adobe XFA: “XML Forms Architecture (XFA) Specification“ vers
40、ion 2.5, (June 2007), Adobe Systems Incorporated“. 9 W3C Recommendation: “XML-Signature Syntax and Processing. Version 1.1“. 10 IETF RFC 5035 (2007): “Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility“. 11 IETF RFC 3161 (2001): “Internet X.509 Public Key Infrastructure Time-St
41、amp Protocol (TSP)“. 12 IETF RFC 5816 (2010): “ESSCertIDv2 Update for RFC 3161“. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-spe
42、cific references, the latest version of the reference document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the ap
43、plication of the present document but they assist the user with regard to a particular subject area. i.1 ISO/IEC 10181-4: “Information technology - Open Systems Interconnection - Security frameworks for open systems: Non-repudiation framework“. i.2 ETSI TS 119 312: “Electronic Signatures and Infrast
44、ructures (ESI); Cryptographic Suites“. i.3 IETF RFC 5755: “An Internet Attribute Certificate Profile for Authorization“. i.4 W3C Working Group Note, XML Signature Best Practices, 11 April 2013. i.5 ISO 19005-1:2005: “Document management - Electronic document file format for long-term preservation -
45、Part 1: Use of PDF 1.4 (PDF/A-1)“. i.6 IETF RFC 5652 (2009): “Cryptographic Message Syntax (CMS)“. i.7 ISO 19005-2 (2011): “Document management - Electronic document file format for long-term preservation - Part 2: Use of ISO 32000-1 (PDF/A-2)“. i.8 ETSI TR 119 000: “Electronic Signatures and Infras
46、tructures (ESI); Rationalized structure for Electronic Signature Standardization“. i.9 ETSI TR 119 100: “Electronic Signatures and Infrastructures (ESI); Business Driven Guidance for Signature Creation and Validation“. i.10 ETSI TS 102 778: “Electronic Signatures and Infrastructures (ESI); PDF Advan
47、ced Electronic Signature Profiles; CMS Profile based on ISO 32000-1“. ETSI ETSI TS 119 142-2 V1.0.1 (2015-07)83 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ISO 32000-1 1 and the following apply: certificate: public key of
48、 a user, together with some other information, rendered un-forgeable by encipherment with the private key of the certification authority which issued it certificate policy (CP): named set of rules that indicates the applicability of a certificate to a particular community and/or class of application
49、 with common security requirements Certificate Revocation List (CRL): signed list indicating a set of public key certificates that are no longer considered valid by the certificate issuer Certification Authority (CA): authority trusted by one or more users to create and assign public key certificates; optionally, the certification authority may create the users keys certification signature: digital signature that is used in conjunction with Modification De
