diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5126.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5126.txt')
-rw-r--r-- | doc/rfc/rfc5126.txt | 7899 |
1 files changed, 7899 insertions, 0 deletions
diff --git a/doc/rfc/rfc5126.txt b/doc/rfc/rfc5126.txt new file mode 100644 index 0000000..3969263 --- /dev/null +++ b/doc/rfc/rfc5126.txt @@ -0,0 +1,7899 @@ + + + + + + +Network Working Group D. Pinkas +Request for Comments: 5126 Bull SAS +Obsoletes: 3126 N. Pope +Category: Informational Thales eSecurity + J. Ross + Security and Standards + February 2008 + + + CMS Advanced Electronic Signatures (CAdES) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Abstract + + This document defines the format of an electronic signature that can + remain valid over long periods. This includes evidence as to its + validity even if the signer or verifying party later attempts to deny + (i.e., repudiates) the validity of the signature. + + The format can be considered as an extension to RFC 3852 and RFC + 2634, where, when appropriate, additional signed and unsigned + attributes have been defined. + + The contents of this Informational RFC amount to a transposition of + the ETSI Technical Specification (TS) 101 733 V.1.7.4 (CMS Advanced + Electronic Signatures -- CAdES) and is technically equivalent to it. + + The technical contents of this specification are maintained by ETSI. + The ETSI TS and further updates are available free of charge at: + http://www.etsi.org/WebSite/Standards/StandardsDownload.aspx + + + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 1] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +Table of Contents + + 1. Introduction ....................................................6 + 2. Scope ...........................................................6 + 3. Definitions and Abbreviations ...................................8 + 3.1. Definitions ................................................8 + 3.2. Abbreviations .............................................11 + 4. Overview .......................................................12 + 4.1. Major Parties .............................................13 + 4.2. Signature Policies ........................................14 + 4.3. Electronic Signature Formats ..............................15 + 4.3.1. CAdES Basic Electronic Signature (CAdES-BES) .......15 + 4.3.2. CAdES Explicit Policy-based Electronic + Signatures (CAdES-EPES) ............................18 + 4.4. Electronic Signature Formats with Validation Data .........19 + 4.4.1. Electronic Signature with Time (CAdES-T) ...........20 + 4.4.2. ES with Complete Validation Data References + (CAdES-C) ..........................................21 + 4.4.3. Extended Electronic Signature Formats ..............23 + 4.4.3.1. EXtended Long Electronic Signature + (CAdES-X Long) ............................24 + 4.4.3.2. EXtended Electronic Signature with + Time Type 1 ...............................25 + 4.4.3.3. EXtended Electronic Signature with + Time Type 2 ...............................26 + 4.4.3.4. EXtended Long Electronic Signature + with Time (CAdES-X Long ...................27 + 4.4.4. Archival Electronic Signature (CAdES-A) ............27 + 4.5. Arbitration ...............................................28 + 4.6. Validation Process ........................................29 + 5. Electronic Signature Attributes ................................30 + 5.1. General Syntax ............................................30 + 5.2. Data Content Type .........................................30 + 5.3. Signed-data Content Type ..................................30 + 5.4. SignedData Type ...........................................31 + 5.5. EncapsulatedContentInfo Type ..............................31 + 5.6. SignerInfo Type ...........................................31 + 5.6.1. Message Digest Calculation Process .................32 + 5.6.2. Message Signature Generation Process ...............32 + 5.6.3. Message Signature Verification Process .............32 + 5.7. Basic ES Mandatory Present Attributes .....................32 + 5.7.1. content-type .......................................32 + 5.7.2. Message Digest .....................................33 + 5.7.3. Signing Certificate Reference Attributes ...........33 + 5.7.3.1. ESS signing-certificate Attribute + Definition ................................34 + 5.7.3.2. ESS signing-certificate-v2 + Attribute Definition ......................34 + + + +Pinkas, et al. Informational [Page 2] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + 5.7.3.3. Other signing-certificate + Attribute Definition ......................35 + 5.8. Additional Mandatory Attributes for Explicit + Policy-based Electronic Signatures ........................36 + 5.8.1. signature-policy-identifier ........................36 + 5.9. CMS Imported Optional Attributes ..........................38 + 5.9.1. signing-time .......................................38 + 5.9.2. countersignature ...................................39 + 5.10. ESS-Imported Optional Attributes .........................39 + 5.10.1. content-reference Attribute .......................39 + 5.10.2. content-identifier Attribute ......................39 + 5.10.3. content-hints Attribute ...........................40 + 5.11. Additional Optional Attributes Defined in the + Present Document .........................................40 + 5.11.1. commitment-type-indication Attribute ..............41 + 5.11.2. signer-location Attribute .........................43 + 5.11.3. signer-attributes Attribute .......................43 + 5.11.4. content-time-stamp Attribute ......................44 + 5.12. Support for Multiple Signatures ..........................44 + 5.12.1. Independent Signatures ............................44 + 5.12.2. Embedded Signatures ...............................45 + 6. Additional Electronic Signature Validation Attributes ..........45 + 6.1. signature time-stamp Attribute (CAdES-T) ..................47 + 6.1.1. signature-time-stamp Attribute Definition ..........47 + 6.2. Complete Validation Data References (CAdES-C) .............48 + 6.2.1. complete-certificate-references Attribute + Definition .........................................48 + 6.2.2. complete-revocation-references Attribute + Definition .........................................49 + 6.2.3. attribute-certificate-references Attribute + Definition .........................................51 + 6.2.4. attribute-revocation-references Attribute + Definition .........................................52 + 6.3. Extended Validation Data (CAdES-X) ........................52 + 6.3.1. Time-Stamped Validation Data (CAdES-X Type + 1 or Type 2) .......................................53 + 6.3.2. Long Validation Data (CAdES-X Long, CAdES-X + Long Type 1 or 2) ..................................53 + 6.3.3. certificate-values Attribute Definition ............54 + 6.3.4. revocation-values Attribute Definition .............54 + 6.3.5. CAdES-C-time-stamp Attribute Definition ............56 + 6.3.6. time-stamped-certs-crls-references + Attribute Definition ...............................57 + 6.4. Archive Validation Data ...................................58 + 6.4.1. archive-time-stamp Attribute Definition ............58 + 7. Other Standard Data Structures .................................60 + 7.1. Public Key Certificate Format .............................60 + 7.2. Certificate Revocation List Format ........................60 + + + +Pinkas, et al. Informational [Page 3] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + 7.3. OCSP Response Format ......................................60 + 7.4. Time-Stamp Token Format ...................................60 + 7.5. Name and Attribute Formats ................................60 + 7.6. AttributeCertificate ......................................61 + 8. Conformance Requirements .......................................61 + 8.1. CAdES-Basic Electronic Signature (CAdES-BES) ..............62 + 8.2. CAdES-Explicit Policy-based Electronic Signature ..........63 + 8.3. Verification Using Time-Stamping ..........................63 + 8.4. Verification Using Secure Records .........................63 + 9. References .....................................................64 + 9.1. Normative References ......................................64 + 9.2. Informative References ....................................65 + Annex A (normative): ASN.1 Definitions ............................69 + A.1. Signature Format Definitions Using + X.208 ASN.1 Syntax ...................................69 + A.2. Signature Format Definitions Using + X.680 ASN.1 Syntax ...................................77 + Annex B (informative): Extended Forms of Electronic Signatures ....86 + B.1. Extended Forms of Validation Data ....................86 + B.1.1. CAdES-X Long ..................................87 + B.1.2. CAdES-X Type 1 ................................88 + B.1.3. CAdES-X Type 2 ................................90 + B.1.4. CAdES-X Long Type 1 and CAdES-X Long Type 2 ...91 + B.2. Time-Stamp Extensions ................................93 + B.3. Archive Validation Data (CAdES-A) ....................94 + B.4. Example Validation Sequence ..........................97 + B.5. Additional Optional Features ........................102 + Annex C (informative): General Description .......................103 + C.1. The Signature Policy ................................103 + C.2. Signed Information ..................................104 + C.3. Components of an Electronic Signature ...............104 + C.3.1. Reference to the Signature Policy ............104 + C.3.2. Commitment Type Indication ...................105 + C.3.3. Certificate Identifier from the Signer .......106 + C.3.4. Role Attributes ..............................106 + C.3.4.1. Claimed Role .......................107 + C.3.4.2. Certified Role .....................107 + C.3.5. Signer Location ..............................108 + C.3.6. Signing Time .................................108 + C.3.7. Content Format ...............................108 + C.3.8. content-hints ................................109 + C.3.9. Content Cross-Referencing ....................109 + C.4. Components of Validation Data .......................109 + C.4.1. Revocation Status Information ................109 + C.4.1.1. CRL Information .....................110 + C.4.1.2. OCSP Information ....................110 + C.4.2. Certification Path ...........................111 + C.4.3. Time-stamping for Long Life of Signatures ....111 + + + +Pinkas, et al. Informational [Page 4] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + C.4.4. Time-stamping for Long Life of Signature + before CA key Compromises ....................113 + C.4.4.1. Time-stamping the ES with + Complete Validation Data ...........113 + C.4.4.2. Time-Stamping Certificates and + Revocation Information References ..114 + C.4.5. Time-stamping for Archive of Signature .......115 + C.4.6. Reference to Additional Data .................116 + C.4.7. Time-Stamping for Mutual Recognition .........116 + C.4.8. TSA Key Compromise ...........................117 + C.5. Multiple Signatures .................................118 + Annex D (informative): Data Protocols to Interoperate with TSPs ..118 + D.1. Operational Protocols ...............................118 + D.1.1. Certificate Retrieval ........................118 + D.1.2. CRL Retrieval ................................118 + D.1.3. Online Certificate Status ....................119 + D.1.4. Time-Stamping ................................119 + D.2. Management Protocols ................................119 + D.2.1. Request for Certificate Revocation ...........119 + Annex E (informative): Security Considerations ...................119 + E.1. Protection of Private Key ...........................119 + E.2. Choice of Algorithms ................................119 + Annex F (informative): Example Structured Contents and MIME ......120 + F.1. General Description .................................120 + F.1.1. Header Information ...........................120 + F.1.2. Content Encoding .............................121 + F.1.3. Multi-Part Content ...........................121 + F.2. S/MIME ..............................................122 + F.2.1. Using application/pkcs7-mime .................123 + F.2.2. Using application/pkcs7-signature ............124 + Annex G (informative): Relationship to the European Directive + and EESSI .................................125 + G.1. Introduction ........................................125 + G.2. Electronic Signatures and the Directive .............126 + G.3. ETSI Electronic Signature Formats and the Directive .127 + G.4. EESSI Standards and Classes of Electronic Signature .127 + G.4.1. Structure of EESSI Standardization ...........127 + G.4.2. Classes of Electronic Signatures .............128 + G.4.3. Electronic Signature Classes and the ETSI + Electronic Signature Format ..................128 + Annex H (informative): APIs for the Generation and Verification + of Electronic Signatures Tokens ...........129 + H.1. Data Framing ........................................129 + H.2. IDUP-GSS-APIs Defined by the IETF ...................131 + H.3. CORBA Security Interfaces Defined by the OMG ........132 + Annex I (informative): Cryptographic Algorithms ..................133 + I.1. Digest Algorithms ...................................133 + I.1.1. SHA-1 ........................................133 + + + +Pinkas, et al. Informational [Page 5] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + I.1.2. General ......................................133 + I.2. Digital Signature Algorithms ........................134 + I.2.1. DSA ..........................................134 + I.2.2. RSA ..........................................135 + I.2.3. General ......................................135 + Annex J (informative): Guidance on Naming ........................137 + J.1. Allocation of Names .................................137 + J.2. Providing Access to Registration Information ........138 + J.3. Naming Schemes ......................................138 + J.3.1. Naming Schemes for Individual Citizens .......138 + J.3.2. Naming Schemes for Employees of an + Organization .................................139 + +1. Introduction + + This document is intended to cover electronic signatures for various + types of transactions, including business transactions (e.g., + purchase requisition, contract, and invoice applications) where + long-term validity of such signatures is important. This includes + evidence as to its validity even if the signer or verifying party + later attempts to deny (i.e., repudiates; see ISO/IEC 10181-5 + [ISO10181-5]) the validity of the signature. + + Thus, the present document can be used for any transaction between an + individual and a company, between two companies, between an + individual and a governmental body, etc. The present document is + independent of any environment; it can be applied to any environment, + e.g., smart cards, Global System for Mobile Communication Subscriber + Identity Module (GSM SIM) cards, special programs for electronic + signatures, etc. + + The European Directive on a community framework for Electronic + Signatures defines an electronic signature as: "Data in electronic + form which is attached to or logically associated with other + electronic data and which serves as a method of authentication". + + An electronic signature, as used in the present document, is a form + of advanced electronic signature, as defined in the Directive. + +2. Scope + + The scope of the present document covers electronic signature formats + only. The aspects of Electronic Signature Policies are defined in + RFC 3125 [RFC3125] and ETSI TR 102 272 [TR102272]. + + The present document defines a number of electronic signature + formats, including electronic signatures that can remain valid over + long periods. This includes evidence as to its validity even if the + + + +Pinkas, et al. Informational [Page 6] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + signer or verifying party later attempts to deny (repudiates) the + validity of the electronic signature. + + The present document specifies use of Trusted Service Providers + (e.g., Time-Stamping Authorities) and the data that needs to be + archived (e.g., cross-certificates and revocation lists) to meet the + requirements of long-term electronic signatures. + + An electronic signature, as defined by the present document, can be + used for arbitration in case of a dispute between the signer and + verifier, which may occur at some later time, even years later. + + The present document includes the concept of signature policies that + can be used to establish technical consistency when validating + electronic signatures, but it does not mandate their use. + + The present document is based on the use of public key cryptography + to produce digital signatures, supported by public key certificates. + The present document also specifies the use of time-stamping and + time-marking services to prove the validity of a signature long after + the normal lifetime of critical elements of an electronic signature. + This document also, as an option, defines ways to provide very + long-term protection against key compromise or weakened algorithms. + + The present document builds on existing standards that are widely + adopted. These include: + + - RFC 3852 [4]: "Cryptographic Message Syntax (CMS)"; + + - ISO/IEC 9594-8/ITU-T Recommendation X.509 [1]: "Information + technology - Open Systems Interconnection - The Directory: + Authentication framework"; + + - RFC 3280 [2]: "Internet X.509 Public Key Infrastructure (PKIX) + Certificate and Certificate Revocation List (CRL) Profile"; + + - RFC 3161 [7]: "Internet X.509 Public Key Infrastructure + Time-Stamp Protocol (TSP)". + + NOTE: See Section 11 for a full set of references. + + The present document describes formats for advanced electronic + signatures using ASN.1 (Abstract Syntax Notation 1) [14]. ASN.1 is + encoded using X.690 [16]. + + These formats are based on CMS (Cryptographic Message Syntax) defined + in RFC 3852 [4]. These electronic signatures are thus called CAdES, + for "CMS Advanced Electronic Signatures". + + + +Pinkas, et al. Informational [Page 7] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Another document, TS 101 903 [TS101903], describes formats for XML + advanced electronic signatures (XAdES) built on XMLDSIG as specified + in [XMLDSIG]. + + In addition, the present document identifies other documents that + define formats for Public Key Certificates, Attribute Certificates, + and Certificate Revocation Lists and supporting protocols, including + protocols for use by trusted third parties to support the operation + of electronic signature creation and validation. + + Informative annexes include: + + - illustrations of extended forms of Electronic Signature formats + that protect against various vulnerabilities and examples of + validation processes (Annex B); + + - descriptions and explanations of some of the concepts used in + the present document, giving a rationale for normative parts of + the present document (Annex C); + + - information on protocols to interoperate with Trusted Service + Providers (Annex D); + + - guidance on naming (Annex E); + + - an example structured content and MIME (Annex F); + + - the relationship between the present document and the directive + on electronic signature and associated standardization + initiatives (Annex G); + + - APIs to support the generation and verification of electronic + signatures (Annex H); + + - cryptographic algorithms that may be used (Annex I); and + + - naming schemes (see Annex J). + +3. Definitions and Abbreviations + +3.1. Definitions + + For the purposes of the present document, the following terms and + definitions apply: + + Arbitrator: an arbitrator entity may be used to arbitrate a dispute + between a signer and verifier when there is a disagreement on the + validity of a digital signature. + + + +Pinkas, et al. Informational [Page 8] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Attribute Authority (AA): an authority that assigns privileges by + issuing attribute certificates. + + Authority Certificate: a certificate issued to an authority (e.g., + either to a certification authority or an attribute authority). + + Attribute Authority Revocation List (AARL): a revocation list + containing a list of references to certificates issued to AAs that + are no longer considered valid by the issuing authority. + + Attribute Certificate Revocation List (ACRL): a revocation list + containing a list of references to attribute certificates that are no + longer considered valid by the issuing authority. + + Certification Authority Revocation List (CARL): a revocation list + containing a list of public key certificates issued to certification + authorities that are no longer considered valid by the certificate + issuer. + + Certification Authority (CA): an authority trusted by one or more + users to create and assign public key certificates; optionally, the + certification authority may create the users' keys. + + NOTE: See ITU-T Recommendation X.509 [1]. + + Certificate Revocation List (CRL): a signed list indicating a set of + public key certificates that are no longer considered valid by the + certificate issuer. + + Digital Signature: data appended to, or a cryptographic + transformation of, a data unit that allows a recipient of the data + unit to prove the source and integrity of the data unit and protect + against forgery, e.g., by the recipient. + + NOTE: See ISO 7498-2 [ISO7498-2]. + + Electronic Signature: data in electronic form that is attached to or + logically associated with other electronic data and that serves as a + method of authentication. + + NOTE: See Directive 1999/93/EC of the European Parliament and of + the Council of 13 December 1999 on a Community framework for + electronic signatures [EUDirective]. + + Extended Electronic Signatures: electronic signatures enhanced by + complementing the baseline requirements with additional data, such as + time-stamp tokens and certificate revocation data, to address + commonly recognized threats. + + + +Pinkas, et al. Informational [Page 9] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Explicit Policy-based Electronic Signature (EPES): an electronic + signature where the signature policy that shall be used to validate + it is explicitly specified. + + Grace Period: a time period that permits the certificate revocation + information to propagate through the revocation process to relying + parties. + + Initial Verification: a process performed by a verifier done after an + electronic signature is generated in order to capture additional + information that could make it valid for long-term verification. + + Public Key Certificate (PKC): public keys of a user, together with + some other information, rendered unforgeable by encipherment with the + private key of the certification authority that issued it. + + NOTE: See ITU-T Recommendation X.509 [1]. + + Rivest-Shamir-Adleman (RSA): an asymmetric cryptography algorithm + based on the difficulty to factor very large numbers using a key + pair: a private key and a public key. + + Signature Policy: a set of rules for the creation and validation of + an electronic signature that defines the technical and procedural + requirements for electronic signature creation and validation, in + order to meet a particular business need, and under which the + signature can be determined to be valid. + + Signature Policy Issuer: an entity that defines and issues a + signature policy. + + Signature Validation Policy: part of the signature policy that + specifies the technical requirements on the signer in creating a + signature and verifier when validating a signature. + + Signer: an entity that creates an electronic signature. + + Subsequent Verification: a process performed by a verifier to assess + the signature validity. + + NOTE: Subsequent verification may be done even years after the + electronic signature was produced by the signer and completed by + the initial verification, and it might not need to capture more + data than those captured at the time of initial verification. + + Time-Stamp Token: a data object that binds a representation of a + datum to a particular time, thus establishing evidence that the datum + existed before that time. + + + +Pinkas, et al. Informational [Page 10] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Time-Mark: information in an audit trail from a Trusted Service + Provider that binds a representation of a datum to a particular time, + thus establishing evidence that the datum existed before that time. + + Time-Marking Authority: a trusted third party that creates records in + an audit trail in order to indicate that a datum existed before a + particular point in time. + + Time-Stamping Authority (TSA): a trusted third party that creates + time-stamp tokens in order to indicate that a datum existed at a + particular point in time. + + Time-Stamping Unit (TSU): a set of hardware and software that is + managed as a unit and has a single time-stamp token signing key + active at a time. + + Trusted Service Provider (TSP): an entity that helps to build trust + relationships by making available or providing some information upon + request. + + Validation Data: additional data that may be used by a verifier of + electronic signatures to determine that the signature is valid. + + Valid Electronic Signature: an electronic signature that passes + validation. + + Verifier: an entity that verifies evidence. + + NOTE 1: See ISO/IEC 13888-1 [ISO13888-1]. + + NOTE 2: Within the context of the present document, this is an + entity that validates an electronic signature. + +3.2. Abbreviations + + For the purposes of the present document, the following abbreviations + apply: + + AA Attribute Authority + AARL Attribute Authority Revocation List + ACRL Attribute Certificate Revocation List + API Application Program Interface + ASCII American Standard Code for Information Interchange + ASN.1 Abstract Syntax Notation 1 + CA Certification Authority + CAD Card Accepting Device + CAdES CMS Advanced Electronic Signature + CAdES-A CAdES with Archive validation data + + + +Pinkas, et al. Informational [Page 11] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + CAdES-BES CAdES Basic Electronic Signature + CAdES-C CAdES with Complete validation data + CAdES-EPES CAdES Explicit Policy Electronic Signature + CAdES-T CAdES with Time + CAdES-X CAdES with eXtended validation data + CAdES-X Long CAdES with EXtended Long validation data + CARL Certification Authority Revocation List + CMS Cryptographic Message Syntax + CRL Certificate Revocation List + CWA CEN (European Committee for Standardization) Workshop + Agreement + DER Distinguished Encoding Rules (for ASN.1) + DSA Digital Signature Algorithm + EDIFACT Electronic Data Interchange For Administration, + Commerce and Transport + EESSI European Electronic Signature Standardization + Initiative + EPES Explicit Policy-based Electronic Signature + ES Electronic Signature + ESS Enhanced Security Services (enhances CMS) + IDL Interface Definition Language + MIME Multipurpose Internet Mail Extensions + OCSP Online Certificate Status Provider + OID Object IDentifier + PKC Public Key Certificate + PKIX Public Key Infrastructure using X.509 + (IETF Working Group) + RSA Rivest-Shamir-Adleman + SHA-1 Secure Hash Algorithm 1 + TSA Time-Stamping Authority + TSP Trusted Service Provider + TST Time-Stamp Token + TSU Time-Stamping Unit + URI Uniform Resource Identifier + URL Uniform Resource Locator + XML Extensible Markup Language + XMLDSIG XML Digital Signature + +4. Overview + + The present document defines a number of Electronic Signature (ES) + formats that build on CMS (RFC 3852 [4]) by adding signed and + unsigned attributes. + + This section: + + - provides an introduction to the major parties involved + (Section 4.1), + + + +Pinkas, et al. Informational [Page 12] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - introduces the concept of signature policies (Section 4.2), + + - provides an overview of the various ES formats (Section 4.3), + + - introduces the concept of validation data, and provides an + overview of formats that incorporate validation data + (Section 4.4), and + + - presents relevant considerations on arbitration + (Section 4.5) and for the validation process (Section 4.6). + + The formal specifications of the attributes are specified in Sections + 5 and 6; Annexes C and D provide rationale for the definitions of the + different ES forms. + +4.1. Major Parties + + The major parties involved in a business transaction supported by + electronic signatures, as defined in the present document, are: + + - the signer; + - the verifier; + - Trusted Service Providers (TSP); and + - the arbitrator. + + The signer is the entity that creates the electronic signature. When + the signer digitally signs over data using the prescribed format, + this represents a commitment on behalf of the signing entity to the + data being signed. + + The verifier is the entity that validates the electronic signature; + it may be a single entity or multiple entities. + + The Trusted Service Providers (TSPs) are one or more entities that + help to build trust relationships between the signer and verifier. + They support the signer and verifier by means of supporting services + including: user certificates, cross-certificates, time-stamp tokens, + CRLs, ARLs, and OCSP responses. The following TSPs are used to + support the functions defined in the present document: + + - Certification Authorities; + - Registration Authorities; + - CRL Issuers; + - OCSP Responders; + - Repository Authorities (e.g., a Directory); + - Time-Stamping Authorities; + - Time-Marking Authorities; and + - Signature Policy Issuers. + + + +Pinkas, et al. Informational [Page 13] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Certification Authorities provide users with public key certificates + and a revocation service. + + Registration Authorities allow the identification and registration of + entities before a CA generates certificates. + + Repository Authorities publish CRLs issued by CAs, signature policies + issued by Signature Policy Issuers, and optionally public key + certificates. + + Time-Stamping Authorities attest that some data was formed before a + given trusted time. + + Time-Marking Authorities record that some data was formed before a + given trusted time. + + Signature Policy Issuers define the signature policies to be used by + signers and verifiers. + + In some cases, the following additional TSPs are needed: + + - Attribute Authorities. + + Attributes Authorities provide users with attributes linked to public + key certificates. + + An Arbitrator is an entity that arbitrates in disputes between a + signer and a verifier. + +4.2. Signature Policies + + The present document includes the concept of signature policies that + can be used to establish technical consistency when validating + electronic signatures. + + When a comprehensive signature policy used by the verifier is either + explicitly indicated by the signer or implied by the data being + signed, then a consistent result can be obtained when validating an + electronic signature. + + When the signature policy being used by the verifier is neither + indicated by the signer nor can be derived from other data, or the + signature policy is incomplete, then verifiers, including + arbitrators, may obtain different results when validating an + electronic signature. Therefore, comprehensive signature policies + that ensure consistency of signature validation are recommended from + both the signer's and verifier's point of view. + + + + +Pinkas, et al. Informational [Page 14] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Further information on signature policies is provided in: + + - TR 102 038 [TR102038]; + - Sections 5.8.1, C.1, and C.3.1 of the present document; + - RFC 3125 [RFC3125]; and + - TR 102 272 [TR102272]. + +4.3. Electronic Signature Formats + + The current section provides an overview for two forms of CMS + advanced electronic signature specified in the present document, + namely, the CAdES Basic Electronic Signature (CAdES-BES) and the + CAdES Explicit Policy-based Electronic Signature (CAdES-EPES). + Conformance to the present document mandates that the signer create + one of these formats. + +4.3.1. CAdES Basic Electronic Signature (CAdES-BES) + + A CAdES Basic Electronic Signature (CAdES-BES), in accordance with + the present document, contains: + + - The signed user data (e.g., the signer's document), as defined + in CMS (RFC 3852 [4]); + + - A collection of mandatory signed attributes, as defined in CMS + (RFC 3852 [4]) and in ESS (RFC 2634 [5]); + + - Additional mandatory signed attributes, defined in the present + document; and + + - The digital signature value computed on the user data and, when + present, on the signed attributes, as defined in CMS (RFC 3852 + [4]). + + A CAdES Basic Electronic Signature (CAdES-BES), in accordance with + the present document, may contain: + + - a collection of additional signed attributes; and + + - a collection of optional unsigned attributes. + + The mandatory signed attributes are: + + - Content-type. It is defined in RFC 3852 [4] and specifies the + type of the EncapsulatedContentInfo value being signed. Details + are provided in Section 5.7.1 of the present document. + Rationale for its inclusion is provided in Annex C.3.7; + + + + +Pinkas, et al. Informational [Page 15] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - Message-digest. It is defined in RFC 3852 [4] and specifies the + message digest of the eContent OCTET STRING within + encapContentInfo being signed. Details are provided in Section + 5.7.2; + + - ESS signing-certificate OR ESS signing-certificate-v2. The ESS + signing-certificate attribute is defined in Enhanced Security + Services (ESS), RFC 2634 [5], and only allows for the use of + SHA-1 as a digest algorithm. The ESS signing-certificate-v2 + attribute is defined in "ESS Update: Adding CertID Algorithm + Agility", RFC 5035 [15], and allows for the use of any digest + algorithm. A CAdES-BES claiming compliance with the present + document must include one of them. Section 5.7.3 provides the + details of these attributes. Rationale for its inclusion is + provided in Annex C.3.3. + + Optional signed attributes may be added to the CAdES-BES, including + optional signed attributes defined in CMS (RFC 3852 [4]), ESS (RFC + 2634 [5]), and the present document. Listed below are optional + attributes that are defined in Section 5 and have a rationale + provided in Annex C: + + - Signing-time: as defined in CMS (RFC 3852 [4]), indicates the + time of the signature, as claimed by the signer. Details and + short rationale are provided in Section 5.9.1. Annex C.3.6 + provides the rationale. + + - content-hints: as defined in ESS (RFC 2634 [5]), provides + information that describes the innermost signed content of a + multi-layer message where one content is encapsulated in + another. Section 5.10.1 provides the specification details. + Annex C.3.8 provides the rationale. + + - content-reference: as defined in ESS (RFC 2634 [5]), can be + incorporated as a way to link request and reply messages in an + exchange between two parties. Section 5.10.1 provides the + specification details. Annex C.3.9 provides the rationale. + + - content-identifier: as defined in ESS (RFC 2634 [5]), contains + an identifier that may be used later on in the previous + content-reference attribute. Section 5.10.2 provides the + specification details. + + - commitment-type-indication: this attribute is defined by the + present document as a way to indicate the commitment endorsed by + the signer when producing the signature. Section 5.11.1 + provides the specification details. Annex C.3.2 provides the + rationale. + + + +Pinkas, et al. Informational [Page 16] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - signer-location: this attribute is defined by the present + document. It allows the signer to indicate the place where the + signer purportedly produced the signature. Section 5.11.2 + provides the specification details. Annex C.3.5 provides the + rationale. + + - signer-attributes: this attribute is defined by the present + document. It allows a claimed or certified role to be + incorporated into the signed information. Section 5.11.3 + provides the specification details. Annex C.3.4 provides the + rationale. + + - content-time-stamp: this attribute is defined by the present + document. It allows a time-stamp token of the data to be signed + to be incorporated into the signed information. It provides + proof of the existence of the data before the signature was + created. Section 5.11.4 provides the specification details. + Annex C.3.6 provides the rationale. + + A CAdES-BES form can also incorporate instances of unsigned + attributes, as defined in CMS (RFC 3852 [4]) and ESS (RFC 2634 [5]). + + - CounterSignature, as defined in CMS (RFC 3852 [4]); it can be + incorporated wherever embedded signatures (i.e., a signature on + a previous signature) are needed. Section 5.9.2 provides the + specification details. Annex C.5 in Annex C provides the + rationale. + + The structure of the CAdES-BES is illustrated in Figure 1. + + +------Elect.Signature (CAdES-BES)------+ + |+----------------------------------- + | + ||+---------+ +----------+ | | + |||Signer's | | Signed | Digital | | + |||Document | |Attributes| Signature | | + ||| | | | | | + ||+---------+ +----------+ | | + |+------------------------------------+ | + +---------------------------------------+ + + Figure 1: Illustration of a CAdES-BES + + The signer's conformance requirements of a CAdES-BES are defined in + Section 8.1. + + + + + + + +Pinkas, et al. Informational [Page 17] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE: The CAdES-BES is the minimum format for an electronic + signature to be generated by the signer. On its own, it does not + provide enough information for it to be verified in the longer + term. For example, revocation information issued by the relevant + certificate status information issuer needs to be available for + long-term validation (see Section 4.4.2). + + The CAdES-BES satisfies the legal requirements for electronic + signatures, as defined in the European Directive on Electronic + Signatures, (see Annex C for further discussion on the relationship + of the present document to the Directive). It provides basic + authentication and integrity protection. + + The semantics of the signed data of a CAdES-BES or its context may + implicitly indicate a signature policy to the verifier. + + Specification of the contents of signature policies is outside the + scope of the present document. However, further information on + signature policies is provided in TR 102 038 [TR102038], RFC 3125 + [RFC3125], and Sections 5.8.1, C.1, and C.3.1 of the present + document. + +4.3.2. CAdES Explicit Policy-based Electronic Signatures (CAdES-EPES) + + A CAdES Explicit Policy-based Electronic Signature (CAdES-EPES), in + accordance with the present document, extends the definition of an + electronic signature to conform to the identified signature policy. + + A CAdES Explicit Policy-based Electronic Signature (CAdES-EPES) + incorporates a signed attribute (sigPolicyID attribute) indicating + the signature policy that shall be used to validate the electronic + signature. This signed attribute is protected by the signature. The + signature may also have other signed attributes required to conform + to the mandated signature policy. + + Section 5.7.3 provides the details on the specification of + signature-policy-identifier attribute. Annex C.1 provides a short + rationale. Specification of the contents of signature policies is + outside the scope of the present document. + + Further information on signature policies is provided in TR 102 038 + [TR102038] and Sections 5.8.1, C.1, and C.3.1 of the present + document. + + + + + + + + +Pinkas, et al. Informational [Page 18] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The structure of the CAdES-EPES is illustrated in Figure 2. + + +------------- Elect.Signature (CAdES-EPES) ---------------+ + | | + |+-------------------------------------------------------+ | + || +-----------+ | | + || | | +---------------------------+ | | + || | | | +----------+ | | | + || | Signer's | | |Signature | Signed | Digital | | + || | Document | | |Policy ID | Attributes |Signature| | + || | | | +----------+ | | | + || | | +---------------------------+ | | + || +-----------+ | | + |+-------------------------------------------------------+ | + | | + +----------------------------------------------------------+ + + Figure 2: Illustration of a CAdES-EPES + + The signer's conformance requirements of CAdES-EPES are defined in + Section 8.2. + +4.4. Electronic Signature Formats with Validation Data + + Validation of an electronic signature, in accordance with the present + document, requires additional data needed to validate the electronic + signature. This additional data is called validation data, and + includes: + + - Public Key Certificates (PKCs); + + - revocation status information for each PKC; + + - trusted time-stamps applied to the digital signature, otherwise + a time-mark shall be available in an audit log. + + - when appropriate, the details of a signature policy to be used + to verify the electronic signature. + + The validation data may be collected by the signer and/or the + verifier. When the signature-policy-identifier signed attribute is + present, it shall meet the requirements of the signature policy. + + + + + + + + + +Pinkas, et al. Informational [Page 19] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Validation data includes CA certificates as well as revocation status + information in the form of Certificate Revocation Lists (CRLs) or + certificate status information (OCSP) provided by an online service. + Validation data also includes evidence that the signature was created + before a particular point in time; this may be either a time-stamp + token or time-mark. + + The present document defines unsigned attributes able to contain + validation data that can be added to CAdES-BES and CAdES-EPES, + leading to electronic signature formats that include validation data. + The sections below summarize these formats and their most relevant + characteristics. + +4.4.1. Electronic Signature with Time (CAdES-T) + + An electronic signature with time (CAdES-T), in accordance with the + present document, is when there exits trusted time associated with + the ES. + + The trusted time may be provided by: + + - a time-stamp attribute as an unsigned attribute added to the ES; + and + + - a time-mark of the ES provided by a Trusted Service Provider. + + The time-stamp attribute contains a time-stamp token of the + electronic signature value. Section 6.1.1 provides the specification + details. Annex C.4.3 provides the rationale. + + A time-mark provided by a Trusted Service would have a similar effect + to the signature-time-stamp attribute, but in this case, no attribute + is added to the ES, as it is the responsibility of the TSP to provide + evidence of a time-mark when required to do so. The management of + time marks is outside the scope of the present document. + + Trusted time provides the initial steps towards providing long-term + validity. Electronic signatures with the time-stamp attribute or a + time-marked BES/EPES, forming the CAdES-T are illustrated in Figure + 3. + + + + + + + + + + + +Pinkas, et al. Informational [Page 20] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + +-------------------------------------------------CAdES-T ---------+ + |+------ CAdES-BES or CAdES-EPES -------+ | + ||+-----------------------------------+ | +----------------------+ | + |||+---------+ +----------+ | | | | | + ||||Signer's | | Signed | Digital | | | Signature-time-stamp | | + ||||Document | |Attributes| Signature | | | attribute required | | + |||| | | | | | | when using time | | + |||+---------+ +----------+ | | | stamps. | | + ||+-----------------------------------+ | | | | + |+--------------------------------------+ | or the BES/EPES | | + | | shall be time-marked | | + | | | | + | | Management and | | + | | provision of time | | + | | mark is the | | + | | responsibility of | | + | | the TSP. | | + | +----------------------+ | + +------------------------------------------------------------------+ + + Figure 3: Illustration of CAdES-T formats + + NOTE 1: A time-stamp token is added to the CAdES-BES or CAdES-EPES + as an unsigned attribute. + + NOTE 2: Time-stamp tokens that may themselves include unsigned + attributes required to validate the time-stamp token, such as the + complete-certificate-references and complete-revocation-references + attributes, as defined by the present document. + +4.4.2. ES with Complete Validation Data References (CAdES-C) + + Electronic Signature with Complete validation data references + (CAdES-C), in accordance with the present document, adds to the + CAdES-T the complete-certificate-references and + complete-revocation-references attributes, as defined by the present + document. The complete-certificate-references attribute contains + references to all the certificates present in the certification path + used for verifying the signature. The complete-revocation-references + attribute contains references to the CRLs and/or OCSPs responses used + for verifying the signature. Section 6.2 provides the specification + details. Storing the references allows the values of the + certification path and the CRLs or OCSPs responses to be stored + elsewhere, reducing the size of a stored electronic signature format. + + + + + + + +Pinkas, et al. Informational [Page 21] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Sections C.4.1 to C.4.2 provide rationale on the usage of validation + data and when it is suitable to generate the CAdES-C form. + Electronic signatures, with the additional validation data forming + the CAdES-C, are illustrated in Figure 4. + + +------------------------- CAdES-C --------------------------------+ + |+----------------------------- CAdES-T ---------+ | + || +----------+ | +-------------+ | + || |Timestamp | | | | | + || |attribute | | | | | + ||+- CAdES-BES or CAdES-EPES ------+|over | | | | | + ||| ||digital | | | Complete | | + |||+---------++----------+ ||signature | | | certificate | | + ||||Signer's || Signed | Digital ||is | | | and | | + ||||Document ||Attributes|Signature||mandatory | | | revocation | | + |||| || | ||if is not | | | references | | + |||+---------++----------+ ||timemarked| | | | | + ||+--------------------------------++----------+ | | | | + |+-----------------------------------------------+ +-------------+ | + +------------------------------------------------------------------+ + + Figure 4: Illustration of CAdES-C format + + NOTE 1: The complete certificate and revocation references are + added to the CAdES-T as an unsigned attribute. + + NOTE 2: As a minimum, the signer will provide the CAdES-BES or, + when indicating that the signature conforms to an explicit signing + policy, the CAdES-EPES. + + NOTE 3: To reduce the risk of repudiating signature creation, the + trusted time indication needs to be as close as possible to the + time the signature was created. The signer or a TSP could provide + the CAdES-T; if not, the verifier should create the CAdES-T on + first receipt of an electronic signature because the CAdES-T + provides independent evidence of the existence of the signature + prior to the trusted time indication. + + NOTE 4: A CAdES-T trusted time indication must be created before a + certificate has been revoked or expired. + + NOTE 5: The signer and TSP could provide the CAdES-C to minimize + this risk, and when the signer does not provide the CAdES-C, the + verifier should create the CAdES-C when the required component of + revocation and validation data become available; this may require + a grace period. + + + + + +Pinkas, et al. Informational [Page 22] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE 6: A grace period permits certificate revocation information + to propagate through the revocation processes. This period could + extend from the time an authorized entity requests certificate + revocation to when the information is available for the relying + party to use. In order to make sure that the certificate was not + revoked at the time the signature was time-marked or time-stamped, + verifiers should wait until the end of the grace period. A + signature policy may define specific values for grace periods. + + An illustration of a grace period is provided in Figure 5. + + +<--------------Grace Period --------->+ + ----+-------+-------+--------+---------------------+----------+ + ^ ^ ^ ^ ^ ^ + | | | | | | + | | | | | | + Signature | First | Second | + creation | revocation | revocation | + time | status | status | + | checking | checking | + | | | + Time-stamp Certification Build + or path CAdES-C + time-mark construction + over & verification + signature + + Figure 5: Illustration of a grace period + + NOTE 7: CWA 14171 [CWA14171] specifies a signature validation + process using CAdES-T, CAdES-C, and a grace period. Annex B + provides example validation processes. Annex C.4 provides + additional information about applying grace periods during the + validation process. + + The verifier's conformance requirements are defined in Section 8.3 + for time-stamped CAdES-C, and Section 8.4 for time-marked CAdES-C. + The present document only defines conformance requirements for the + verifier up to an ES with Complete validation data (CAdES-C). This + means that none of the extended and archive forms of electronic + signatures, as defined in Sections 4.4.3 to 4.4.4, need to be + implemented to achieve conformance to the present document. + +4.4.3. Extended Electronic Signature Formats + + CAdES-C can be extended by adding unsigned attributes to the + electronic signature. The present document defines various unsigned + attributes that are applicable for very long-term verification, and + + + +Pinkas, et al. Informational [Page 23] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + for preventing some disaster situations that are discussed in Annex + C. Annex B provides the details of the various extended formats, all + the required unsigned attributes for each type, and how they can be + used within the electronic signature validation process. The + sections below give an overview of the various forms of extended + signature formats in the present document. + +4.4.3.1. EXtended Long Electronic Signature (CAdES-X Long) + + Extended Long format (CAdES-X Long), in accordance with the present + document, adds the certificate-values and revocation-values + attributes to the CAdES-C format. The first one contains the whole + certificate path required for verifying the signature; the second one + contains the CRLs and/OCSP responses required for the validation of + the signature. This provides a known repository of certificate and + revocation information required to validate a CAdES-C and prevents + such information from getting lost. Sections 6.3.3 and 6.3.4 give + specification details. Annex B.1.1 gives details on the production + of the format. Annexes C4.1 to C.4.2 provide the rationale. + + The structure of the CAdES-X Long format is illustrated in Figure 6. + + +----------------------- CAdES-X-Long -----------------------------+ + |+------------------------------------ CadES-C --+ | + || +----------+ | +-------------+ | + ||+------ CAdES -------------------+|Timestamp | | | | | + ||| || over | | | Complete | | + |||+---------++----------+ ||digital | | | certificate | | + ||||Signer's || Signed | Digital ||signature | | | and | | + ||||Document ||Attributes|Signature|| | | | revocation | | + |||| || | ||Optional | | | data | | + |||+---------++----------+ ||when | | | | | + ||+--------------------------------+|timemarked| | | | | + || +----------+ | | | | + || +-------------+ | +-------------+ | + || | Complete | | | + || | certificate | | | + || | and | | | + || | revocation | | | + || | references | | | + || +-------------+ | | + |+-----------------------------------------------+ | + | | + +------------------------------------------------------------------+ + + Figure 6: Illustration of CAdES-X-Long + + + + + +Pinkas, et al. Informational [Page 24] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +4.4.3.2. EXtended Electronic Signature with Time Type 1 + (CAdES-X Type 1) + + Extended format with time type 1 (CAdES-X Type 1), in accordance with + the present document, adds the CAdES-C-time-stamp attribute, whose + content is a time-stamp token on the CAdES-C itself, to the CAdES-C + format. + + This provides an integrity and trusted time protection over all the + elements and references. It may protect the certificates, CRLs, and + OCSP responses in case of a later compromise of a CA key, CRL key, or + OCSP issuer key. Section 6.3.5 provides the specification details. + + Annex B.1.2 gives details on the production of the time-stamping + process. Annex C.4.4.1 provides the rationale. + + The structure of the CAdES-X Type 1 format is illustrated in Figure + 7. + + +----------------------- CAdES-X-Type 1 ------------------------------+ + |+-------------------------------------- CAdES-C -----+ | + || +-------------+ | +-----------+ | + ||+--------- CAdES ------------------+| Timestamp | | | | | + ||| || over | | | | | + |||+---------++----------+ || digital | | | | | + ||||Signer's || Signed | Digital || signature | | | Timestamp | | + ||||Document ||Attributes| Signature || | | | over | | + |||| || | || Optional | | | CAdES-C | | + |||+---------++----------+ || when | | | | | + ||+----------------------------------+| time-marked | | | | | + || +-------------+ | | | | + || +-------------+ | +-----------+ | + || | Complete | | | + || | certificate | | | + || | and | | | + || | revocation | | | + || | references | | | + || +-------------+ | | + |+----------------------------------------------------+ | + +---------------------------------------------------------------------+ + + Figure 7: Illustration of CAdES-X Type 1 + + + + + + + + + +Pinkas, et al. Informational [Page 25] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +4.4.3.3. EXtended Electronic Signature with Time Type 2 + (CAdES-X Type 2) + + Extended format with time type 2 (CAdES-X Type 2), in accordance with + the present document, adds to the CAdES-C format the + CAdES-C-time-stamped-certs-crls-references attribute, whose content + is a time-stamp token on the certification path and revocation + information references. This provides an integrity and trusted time + protection over all the references. + + It may protect the certificates, CRLs and OCSP responses in case of a + later compromise of a CA key, CRL key or OCSP issuer key. + + Both CAdES-X Type 1 and CAdES-X Type 2 counter the same threats, and + the usage of one or the other depends on the environment. Section + 6.3.5 provides the specification details. Annex B.1.3 gives details + on the production of the time-stamping process. Annex C.4.4.2 + provides the rationale. + + The structure of the CAdES-X Type 2 format is illustrated in Figure + 8. + ++------------------------- CAdES-X-Type 2 ----------------------------+ +|+----------------------------------------CAdES-C ---+ | +|| +------------+| | +||+----- CAdES -----------------------+| Timestamp || | +||| || over || | +|||+---------+ +----------+ || digital || +-------------+| +||||Signer's | | Signed | Digital || signature || | Time-stamp || +||||Document | |Attributes| signature || || | only over || +|||| | | | || optional || | complete || +|||+---------+ +----------+ || when || | certificate || +||+-----------------------------------+| timemarked || | and || +|| +------------+| | revocation || +|| +-------------+ | | references || +|| | Complete | | +-------------+| +|| | certificate | | | +|| | and | | | +|| | revocation | | | +|| | references | | | +|| +-------------+ | | +|+---------------------------------------------------+ | ++---------------------------------------------------------------------+ + + Figure 8: Illustration of CAdES-X Type 2 + + + + + + +Pinkas, et al. Informational [Page 26] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +4.4.3.4. EXtended Long Electronic Signature with Time (CAdES-X Long + Type 1 or 2) + + Extended Long with Time (CAdES-X Long Type 1 or 2), in accordance + with the present document, is a combination of CAdES-X Long and one + of the two former types (CAdES-X Type 1 and CAdES-X Type 2). Annex + B.1.4 gives details on the production of the time-stamping process. + Annex C.4.8 in Annex C provides the rationale. + + The structure of the CAdES-X Long Type 1 and CAdES-X Long Type 2 + format is illustrated in Figure 9. + + +------------------ CAdES-X Long Type 1 or 2 -----------------------+ + | +--------------+| + |+-------------------------------------- CAdES-C --+|+------------+|| + || ||| Timestamp ||| + ||+------- CAdES --------------------++----------+ ||| over ||| + ||| ||Timestamp | ||| CAdES-C ||| + ||| ||over | ||+------------+|| + |||+---------++----------+ ||digital | || OR || + ||||Signer's || Signed | Digital ||signature | ||+------------+|| + ||||Document ||Attributes| signature || | ||| Timestamp ||| + |||| || | ||Optional | ||| only over ||| + |||+---------++----------+ ||when | ||| complete ||| + ||+----------------------------------+|timemarked| ||| certificate||| + || +----------+ ||| and ||| + || ||| Revocation ||| + || +-------------+ ||| References ||| + || | Complete | ||+------------+|| + || | certificate | |+--------------+| + || | and | | +------------+ | + || | revocation | | | Complete | | + || | references | | |certificate | | + || +-------------+ | | and | | + |+-------------------------------------------------+ |revocation | | + | | value | | + | +------------+ | + +-------------------------------------------------------------------+ + + Figure 9: Illustration of CAdES-X Long Type 1 and CAdES Long Type 2 + +4.4.4. Archival Electronic Signature (CAdES-A) + + Archival Form (CAdES-A), in accordance with the present document, + builds on a CAdES-X Long or a CAdES-X Long Type 1 or 2 by adding one + or more archive-time-stamp attributes. This form is used for + archival of long-term signatures. Successive time-stamps protect the + whole material against vulnerable hashing algorithms or the breaking + + + +Pinkas, et al. Informational [Page 27] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + of the cryptographic material or algorithms. Section 6.4 contains + the specification details. Sections C.4.5 and C.4.8 provide the + rationale. + + The structure of the CAdES-A form is illustrated in Figure 10. + + +---------------------------CAdES-A ---------------------------------+ + |+----------------------------------------------------+ | + || +--------------+| +----------+ | + ||+----------------------CAdES-C ----+|+------------+|| | | | + ||| +----------+ ||| Timestamp ||| | | | + |||+---- CAdES-BES ----+|Timestamp | ||| over ||| | | | + |||| or CAdeS-EPES || over | ||| CAdES-C ||| | Archive | | + |||| ||digital | ||+------------+|| | | | + |||| ||signature | || or || |Timestamp | | + |||| || | ||+------------+|| | | | + |||| ||Optional | ||| Timestamp ||| | | | + |||| ||when | ||| only over ||| | | | + |||| ||Timemarked| ||| complete ||| | | | + |||+-------------------+| | ||| certificate||| +----------+ | + ||| +----------+ ||| and ||| | + ||| +-------------+ ||| revocation ||| | + ||| | Complete | ||| references ||| | + ||| | certificate | ||+------------+|| | + ||| | and | |+--------------+| | + ||| | revocation | | +------------+ | | + ||| | references | | | Complete | | | + ||| +-------------+ | |certificate | | | + ||| | | and | | | + ||+----------------------------------+ |revocation | | | + || | values | | | + || +------------+ | | + |+----------------------------------------------------+ | + +--------------------------------------------------------------------+ + + Figure 10: Illustration of CAdES-A + +4.5. Arbitration + + The CAdES-C may be used for arbitration should there be a dispute + between the signer and verifier, provided that: + + - the arbitrator knows where to retrieve the signer's certificate + (if not already present), all the cross-certificates and the + required CRLs, ACRLs, or OCSP responses referenced in the + CAdES-C; + + + + + +Pinkas, et al. Informational [Page 28] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - when time-stamping in the CAdES-T is being used, the certificate + from the TSU that has issued the time-stamp token in the CAdES-T + format is still within its validity period; + + - when time-stamping in the CAdES-T is being used, the certificate + from the TSU that has issued the time-stamp token in the CAdES-T + format is not revoked at the time of arbitration; + + - when time-marking in the CAdES-T is being used, a reliable audit + trail from the Time-Marking Authority is available for + examination regarding the time; + + - none of the private keys corresponding to the certificates used + to verify the signature chain have ever been compromised; + + - the cryptography used at the time the CAdES-C was built has not + been broken at the time the arbitration is performed; and + + - if the signature policy can be explicitly or implicitly + identified, then an arbitrator is able to determine the rules + required to validate the electronic signature. + +4.6. Validation Process + + The validation process validates an electronic signature; the output + status of the validation process can be: + + - invalid; + + - incomplete validation; or + + - valid. + + An invalid response indicates that either the signature format is + incorrect or that the digital signature value fails verification + (e.g., the integrity check on the digital signature value fails, or + any of the certificates on which the digital signature verification + depends is known to be invalid or revoked). + + An incomplete validation response indicates that the signature + validation status is currently unknown. In the case of incomplete + validation, additional information may be made available to the + application or user, thus allowing them to decide what to do with the + electronic signature. In the case of incomplete validation, the + electronic signature may be checked again at some later time when + additional information becomes available. + + + + + +Pinkas, et al. Informational [Page 29] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE: For example, an incomplete validation may be because all the + required certificates are not available or the grace period is not + completed. + + A valid response indicates that the signature has passed + verification, and it complies with the signature validation policy. + + Example validation sequences are illustrated in Annex B. + +5. Electronic Signature Attributes + + This section builds upon the existing Cryptographic Message Syntax + (CMS), as defined in RFC 3852 [4], and Enhanced Security Services + (ESS), as defined in RFC 2634 [5]. The overall structure of an + Electronic Signature is as defined in CMS. The Electronic Signature + (ES) uses attributes defined in CMS, ESS, and the present document. + The present document defines ES attributes that it uses and that are + not defined elsewhere. + + The mandated set of attributes and the digital signature value is + defined as the minimum Electronic Signature (ES) required by the + present document. A signature policy may mandate that other signed + attributes be present. + +5.1. General Syntax + + The general syntax of the ES is as defined in CMS (RFC 3852 [4]). + + NOTE: CMS defines content types for id-data, id-signedData, + id-envelopedData, id-digestedData, id-encryptedData, and + id-authenticatedData. Although CMS permits other documents to + define other content types, the ASN.1 type defined should not be a + CHOICE type. The present document does not define other content + types. + +5.2. Data Content Type + + The data content type of the ES is as defined in CMS (RFC 3852 [4]). + + NOTE: If the content type is id-data, it is recommended that the + content be encoded using MIME, and that the MIME type is used to + identify the presentation format of the data. See Annex F.1 for + an example of using MIME to identify the encoding type. + +5.3. Signed-data Content Type + + The Signed-data content type of the ES is as defined in CMS (RFC 3852 + [4]). + + + +Pinkas, et al. Informational [Page 30] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +5.4. SignedData Type + + The syntax of the SignedData of the ES is as defined in CMS (RFC 3852 + [4]). + + The fields of type SignedData are as defined in CMS (RFC 3852 [4]). + + The identification of a signer's certificate used to create the + signature is always signed (see Section 5.7.3). The validation + policy may specify requirements for the presence of certain + certificates. The degenerate case, where there are no signers, is + not valid in the present document. + +5.5. EncapsulatedContentInfo Type + + The syntax of the EncapsulatedContentInfo type ES is as defined in + CMS (RFC 3852 [4]). + + For the purpose of long-term validation, as defined by the present + document, it is advisable that either the eContent is present, or the + data that is signed is archived in such as way as to preserve any + data encoding. It is important that the OCTET STRING used to + generate the signature remains the same every time either the + verifier or an arbitrator validates the signature. + + NOTE: The eContent is optional in CMS : + + - When it is present, this allows the signed data to be + encapsulated in the SignedData structure, which then + contains both the signed data and the signature. However, + the signed data may only be accessed by a verifier able to + decode the ASN.1 encoded SignedData structure. + + - When it is missing, this allows the signed data to be sent + or stored separately from the signature, and the SignedData + structure only contains the signature. It is, in the case + of the signature, only the data that is signed that needs to + be stored and distributed in such as way as to preserve any + data encoding. + + The degenerate case where there are no signers is not valid in the + present document. + +5.6. SignerInfo Type + + The syntax of the SignerInfo type ES is as defined in CMS (RFC 3852 + [4]). + + + + +Pinkas, et al. Informational [Page 31] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Per-signer information is represented in the type SignerInfo. In the + case of multiple independent signatures (see Annex B.5), there is an + instance of this field for each signer. + + The fields of type SignerInfo have the meanings defined in CMS (RFC + 3852 [4]), but the signedAttrs field shall contain the following + attributes: + + - content-type, as defined in Section 5.7.1; and + + - message-digest, as defined in Section 5.7.2; + + - signing-certificate, as defined in Section 5.7.3. + +5.6.1. Message Digest Calculation Process + + The message digest calculation process is as defined in CMS (RFC 3852 + [4]). + +5.6.2. Message Signature Generation Process + + The input to the message signature generation process is as defined + in CMS (RFC 3852 [4]). + +5.6.3. Message Signature Verification Process + + The procedures for message signature verification are defined in CMS + (RFC 3852 [4]) and enhanced in the present document: the input to the + signature verification process must be the signer's public key, which + shall be verified as correct using the signing certificate reference + attribute containing a reference to the signing certificate, i.e., + when SigningCertificateV2 from RFC 5035 [16] or SigningCertificate + from ESS [5] is used, the public key from the first certificate + identified in the sequence of certificate identifiers from + SigningCertificate must be the key used to verify the digital + signature. + +5.7. Basic ES Mandatory Present Attributes + + The following attributes shall be present with the signed-data + defined by the present document. The attributes are defined in CMS + (RFC 3852 [4]). + +5.7.1. content-type + + The content-type attribute indicates the type of the signed content. + The syntax of the content-type attribute type is as defined in CMS + (RFC 3852 [4]) Section 11.1. + + + +Pinkas, et al. Informational [Page 32] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE 1: As stated in RFC 3852 [4] , the content-type attribute + must have its value (i.e., ContentType) equal to the eContentType + of the EncapsulatedContentInfo value being signed. + + NOTE 2: For implementations supporting signature generation, if + the content-type attribute is id-data, then it is recommended that + the eContent be encoded using MIME. For implementations + supporting signature verification, if the signed data (i.e., + eContent) is MIME-encoded, then the OID of the content-type + attribute must be id-data. In both cases, the MIME + content-type(s) must be used to identify the presentation format + of the data. See Annex F for further details about the use of + MIME. + +5.7.2. Message Digest + + The syntax of the message-digest attribute type of the ES is as + defined in CMS (RFC 3852 [4]). + +5.7.3. Signing Certificate Reference Attributes + + The Signing certificate reference attributes are supported by using + either the ESS signing-certificate attribute or the + ESS-signing-certificate-v2 attribute. + + These attributes shall contain a reference to the signer's + certificate; they are designed to prevent simple substitution and + reissue attacks and to allow for a restricted set of certificates to + be used in verifying a signature. They have a compact form (much + shorter than the full certificate) that allows for a certificate to + be unambiguously identified. + + One, and only one, of the following alternative attributes shall be + present with the signedData, defined by the present document: + + - The ESS signing-certificate attribute, defined in ESS [5], must + be used if the SHA-1 hashing algorithm is used. + + - The ESS signing-certificate-v2 attribute, defined in "ESS + Update: Adding CertID Algorithm Agility", RFC 5035 [15], which + shall be used when other hashing algorithms are to be used. + + The certificate to be used to verify the signature shall be + identified in the sequence (i.e., the certificate from the signer), + and the sequence shall not be empty. The signature validation policy + may mandate other certificates be present that may include all the + certificates up to the trust anchor. + + + + +Pinkas, et al. Informational [Page 33] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +5.7.3.1. ESS signing-certificate Attribute Definition + + The syntax of the signing-certificate attribute type of the ES is as + defined in Enhanced Security Services (ESS), RFC 2634 [5], and + further qualified in the present document. + + The sequence of the policy information field is not used in the + present document. + + The ESS signing-certificate attribute shall be a signed attribute. + The encoding of the ESSCertID for this certificate shall include the + issuerSerial field. + + If present, the issuerAndSerialNumber in SignerIdentifier field of + the SignerInfo shall match the issuerSerial field present in + ESSCertID. In addition, the certHash from ESSCertID shall match the + SHA-1 hash of the certificate. The certificate identified shall be + used during the signature verification process. If the hash of the + certificate does not match the certificate used to verify the + signature, the signature shall be considered invalid. + + NOTE: Where an attribute certificate is used by the signer to + associate a role, or other attributes of the signer, with the + electronic signature; this is placed in the signer-attributes + attribute as defined in Section 5.8.3. + +5.7.3.2. ESS signing-certificate-v2 Attribute Definition + + The ESS signing-certificate-v2 attribute is similar to the ESS + signing-certificate defined above, except that this attribute can be + used with hashing algorithms other than SHA-1. + + The syntax of the signing-certificate-v2 attribute type of the ES is + as defined in "ESS Update: Adding CertID Algorithm Agility", RFC 5035 + [15], and further qualified in the present document. + + The sequence of the policy information field is not used in the + present document. + + This attribute shall be used in the same manner as defined above for + the ESS signing-certificate attribute. + + The object identifier for this attribute is: + id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 47 } + + + + + +Pinkas, et al. Informational [Page 34] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + If present, the issuerAndSerialNumber in SignerIdentifier field of + the SignerInfo shall match the issuerSerial field present in + ESSCertIDv2. In addition, the certHash from ESSCertIDv2 shall match + the hash of the certificate computed using the hash function + specified in the hashAlgorithm field. The certificate identified + shall be used during the signature verification process. If the hash + of the certificate does not match the certificate used to verify the + signature, the signature shall be considered invalid. + + NOTE 1: Where an attribute certificate is used by the signer to + associate a role, or other attributes of the signer, with the + electronic signature; this is placed in the signer-attributes + attribute as defined in Section 5.8.3. + + NOTE 2: RFC 3126 was using the other signing-certificate attribute + (see Section 5.7.3.3) for the same purpose. Its use is now + deprecated, since this structure is simpler. + +5.7.3.3. Other signing-certificate Attribute Definition + + RFC 3126 was using the other signing-certificate attribute as an + alternative to the ESS signing-certificate when hashing algorithms + other than SHA-1 were being used. Its use is now deprecated, since + the structure of the signing-certificate-v2 attribute is simpler. + Its description is however still present in this version for + backwards compatibility. + + id-aa-ets-otherSigCert OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 19 } + + The other-signing-certificate attribute value has the ASN.1 syntax + OtherSigningCertificate: + + OtherSigningCertificate ::= SEQUENCE { + certs SEQUENCE OF OtherCertID, + policies SEQUENCE OF PolicyInformation OPTIONAL + -- NOT USED IN THE PRESENT DOCUMENT } + + OtherCertID ::= SEQUENCE { + otherCertHash OtherHash, + issuerSerial IssuerSerial OPTIONAL } + + OtherHash ::= CHOICE { + sha1Hash OtherHashValue, -- This contains a SHA-1 hash + otherHash OtherHashAlgAndValue} + + OtherHashValue ::= OCTET STRING + + + +Pinkas, et al. Informational [Page 35] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + OtherHashAlgAndValue ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier, + hashValue OtherHashValue } + +5.8. Additional Mandatory Attributes for Explicit Policy-based + Electronic Signatures + +5.8.1. signature-policy-identifier + + The present document mandates that for CAdES-EPES, a reference to the + signature policy is included in the signedData. This reference is + explicitly identified. A signature policy defines the rules for + creation and validation of an electronic signature, and is included + as a signed attribute with every Explicit Policy-based Electronic + Signature. The signature-policy-identifier shall be a signed + attribute. + + The following object identifier identifies the + signature-policy-identifier attribute: + + id-aa-ets-sigPolicyId OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 15 } + + signature-policy-identifier attribute values have ASN.1 type + SignaturePolicyIdentifier: + + SignaturePolicyIdentifier ::= CHOICE { + signaturePolicyId SignaturePolicyId, + signaturePolicyImplied SignaturePolicyImplied + -- not used in this version + } + + SignaturePolicyId ::= SEQUENCE { + sigPolicyId SigPolicyId, + sigPolicyHash SigPolicyHash, + sigPolicyQualifiers SEQUENCE SIZE (1..MAX) OF + SigPolicyQualifierInfo OPTIONAL} + + SignaturePolicyImplied ::= NULL + + + + + + + + + + + +Pinkas, et al. Informational [Page 36] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The sigPolicyId field contains an object-identifier that uniquely + identifies a specific version of the signature policy. The syntax of + this field is as follows: + + SigPolicyId ::= OBJECT IDENTIFIER + + The sigPolicyHash field optionally contains the identifier of the + hash algorithm and the hash of the value of the signature policy. + The hashValue within the sigPolicyHash may be set to zero to indicate + that the policy hash value is not known. + + NOTE: The use of a zero sigPolicyHash value is to ensure backwards + compatibility with earlier versions of the current document. If + sigPolicyHash is zero, then the hash value should not be checked + against the calculated hash value of the signature policy. + + If the signature policy is defined using ASN.1, then the hash is + calculated on the value without the outer type and length fields, and + the hashing algorithm shall be as specified in the field + sigPolicyHash. + + If the signature policy is defined using another structure, the type + of structure and the hashing algorithm shall be either specified as + part of the signature policy, or indicated using a signature policy + qualifier. + + SigPolicyHash ::= OtherHashAlgAndValue + + OtherHashAlgAndValue ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier, + hashValue OtherHashValue } + + OtherHashValue ::= OCTET STRING + + A Signature Policy Identifier may be qualified with other information + about the qualifier. The semantics and syntax of the qualifier is as + associated with the object-identifier in the sigPolicyQualifierId + field. The general syntax of this qualifier is as follows: + + SigPolicyQualifierInfo ::= SEQUENCE { + sigPolicyQualifierId SigPolicyQualifierId, + sigQualifier ANY DEFINED BY sigPolicyQualifierId } + + + + + + + + + +Pinkas, et al. Informational [Page 37] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The present document specifies the following qualifiers: + + - spuri: this contains the web URI or URL reference to the + signature policy, and + + - sp-user-notice: this contains a user notice that should be + displayed whenever the signature is validated. + + sigpolicyQualifierIds defined in the present document: + SigPolicyQualifierId ::= OBJECT IDENTIFIER + + id-spq-ets-uri OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-spq(5) 1 } + + SPuri ::= IA5String + + id-spq-ets-unotice OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-spq(5) 2 } + + SPUserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL} + + NoticeReference ::= SEQUENCE { + + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + + DisplayText ::= CHOICE { + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + utf8String UTF8String (SIZE (1..200)) } + +5.9. CMS Imported Optional Attributes + + The following attributes may be present with the signed-data; the + attributes are defined in CMS (RFC 3852 [4]) and are imported into + the present document. Where appropriate, the attributes are + qualified and profiled by the present document. + +5.9.1. signing-time + + The signing-time attribute specifies the time at which the signer + claims to have performed the signing process. + + + + + +Pinkas, et al. Informational [Page 38] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Signing-time attribute values for ES have the ASN.1 type SigningTime + as defined in CMS (RFC 3852 [4]). + + NOTE: RFC 3852 [4] states that dates between January 1, 1950 and + December 31, 2049 (inclusive) must be encoded as UTCTime. Any + dates with year values before 1950 or after 2049 must be encoded + as GeneralizedTime. + +5.9.2. countersignature + + The countersignature attribute values for ES have ASN.1 type + CounterSignature, as defined in CMS (RFC 3852 [4]). A + countersignature attribute shall be an unsigned attribute. + +5.10. ESS-Imported Optional Attributes + + The following attributes may be present with the signed-data defined + by the present document. The attributes are defined in ESS and are + imported into the present document and are appropriately qualified + and profiled by the present document. + +5.10.1. content-reference Attribute + + The content-reference attribute is a link from one SignedData to + another. It may be used to link a reply to the original message to + which it refers, or to incorporate by reference one SignedData into + another. The content-reference attribute shall be a signed + attribute. + + content-reference attribute values for ES have ASN.1 type + ContentReference, as defined in ESS (RFC 2634 [5]). + + The content-reference attribute shall be used as defined in ESS (RFC + 2634 [5]). + +5.10.2. content-identifier Attribute + + The content-identifier attribute provides an identifier for the + signed content, for use when a reference may be later required to + that content; for example, in the content-reference attribute in + other signed data sent later. The content-identifier shall be a + signed attribute. + + content-identifier attribute type values for the ES have an ASN.1 + type ContentIdentifier, as defined in ESS (RFC 2634 [5]). + + The minimal content-identifier attribute should contain a + concatenation of user-specific identification information (such as a + + + +Pinkas, et al. Informational [Page 39] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + user name or public keying material identification information), a + GeneralizedTime string, and a random number. + +5.10.3. content-hints Attribute + + The content-hints attribute provides information on the innermost + signed content of a multi-layer message where one content is + encapsulated in another. + + The syntax of the content-hints attribute type of the ES is as + defined in ESS (RFC 2634 [5]). + + When used to indicate the precise format of the data to be presented + to the user, the following rules apply: + + - the contentType indicates the type of the associated content. + It is an object identifier (i.e., a unique string of integers) + assigned by an authority that defines the content type; and + + - when the contentType is id-data, the contentDescription shall + define the presentation format; the format may be defined by + MIME types. + + When the format of the content is defined by MIME types, the + following rules apply: + + - the contentType shall be id-data, as defined in CMS (RFC 3852 + [4]); + + - the contentDescription shall be used to indicate the encoding of + the data, in accordance with the rules defined RFC 2045 [6]; see + Annex F for an example of structured contents and MIME. + + NOTE 1: id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs7(7) 1 } + + NOTE 2: contentDescription is optional in ESS (RFC 2634 [5]). It may + be used to complement contentTypes defined elsewhere; such + definitions are outside the scope of the present document. + +5.11. Additional Optional Attributes Defined in the Present Document + + This section defines a number of attributes that may be used to + indicate additional information to a verifier: + + a) the type of commitment from the signer, and/or + + b) the claimed location where the signature is performed, and/or + + + +Pinkas, et al. Informational [Page 40] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + c) claimed attributes or certified attributes of the signer, + and/or + + d) a content time-stamp applied before the content was signed. + +5.11.1. commitment-type-indication Attribute + + There may be situations where a signer wants to explicitly indicate + to a verifier that by signing the data, it illustrates a type of + commitment on behalf of the signer. The commitment-type-indication + attribute conveys such information. + + The commitment-type-indication attribute shall be a signed attribute. + The commitment type may be: + + - defined as part of the signature policy, in which case, the + commitment type has precise semantics that are defined as part + of the signature policy; and + + - be a registered type, in which case, the commitment type has + precise semantics defined by registration, under the rules of + the registration authority. Such a registration authority may + be a trading association or a legislative authority. + + The signature policy specifies a set of attributes that it + "recognizes". This "recognized" set includes all those commitment + types defined as part of the signature policy, as well as any + externally defined commitment types that the policy may choose to + recognize. Only recognized commitment types are allowed in this + field. + + The following object identifier identifies the + commitment-type-indication attribute: + +id-aa-ets-commitmentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 16} + +commitment-type-indication attribute values have ASN.1 type +CommitmentTypeIndication. + +CommitmentTypeIndication ::= SEQUENCE { + commitmentTypeId CommitmentTypeIdentifier, + commitmentTypeQualifier SEQUENCE SIZE (1..MAX) OF + CommitmentTypeQualifier OPTIONAL} + +CommitmentTypeIdentifier ::= OBJECT IDENTIFIER + + + + + +Pinkas, et al. Informational [Page 41] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +CommitmentTypeQualifier ::= SEQUENCE { + commitmentTypeIdentifier CommitmentTypeIdentifier, + qualifier ANY DEFINED BY commitmentTypeIdentifier } + + The use of any qualifiers to the commitment type is outside the scope + of the present document. + + The following generic commitment types are defined in the present + document: + +id-cti-ets-proofOfOrigin OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 1} + +id-cti-ets-proofOfReceipt OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 2} + +id-cti-ets-proofOfDelivery OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) +cti(6) 3} + +id-cti-ets-proofOfSender OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 4} + +id-cti-ets-proofOfApproval OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) +cti(6) 5} + +id-cti-ets-proofOfCreation OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) +cti(6) 6} + + These generic commitment types have the following meanings: + + Proof of origin indicates that the signer recognizes to have created, + approved, and sent the message. + + Proof of receipt indicates that signer recognizes to have received + the content of the message. + + Proof of delivery indicates that the TSP providing that indication + has delivered a message in a local store accessible to the recipient + of the message. + + Proof of sender indicates that the entity providing that indication + has sent the message (but not necessarily created it). + + Proof of approval indicates that the signer has approved the content + of the message. + + + +Pinkas, et al. Informational [Page 42] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Proof of creation indicates that the signer has created the message + (but not necessarily approved, nor sent it). + +5.11.2. signer-location Attribute + + The signer-location attribute specifies a mnemonic for an address + associated with the signer at a particular geographical (e.g., city) + location. The mnemonic is registered in the country in which the + signer is located and is used in the provision of the Public Telegram + Service (according to ITU-T Recommendation F.1 [11]). + + The signer-location attribute shall be a signed attribute. The + following object identifier identifies the signer-location attribute: + +id-aa-ets-signerLocation OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 17} + + Signer-location attribute values have ASN.1 type SignerLocation: + +SignerLocation ::= SEQUENCE { + -- at least one of the following shall be present: + countryName [0] DirectoryString OPTIONAL, + -- As used to name a Country in X.500 + localityName [1] DirectoryString OPTIONAL, + -- As used to name a locality in X.500 + postalAdddress [2] PostalAddress OPTIONAL } + +PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString + +5.11.3. signer-attributes Attribute + + The signer-attributes attribute specifies additional attributes of + the signer (e.g., role). It may be either: + + - claimed attributes of the signer; or + + - certified attributes of the signer. + + The signer-attributes attribute shall be a signed attribute. The + following object identifier identifies the signer-attribute + attribute: + + id-aa-ets-signerAttr OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 18} + + + + + + + +Pinkas, et al. Informational [Page 43] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + signer-attributes values have ASN.1 type SignerAttribute: + + SignerAttribute ::= SEQUENCE OF CHOICE { + claimedAttributes [0] ClaimedAttributes, + certifiedAttributes [1] CertifiedAttributes } + + ClaimedAttributes ::= SEQUENCE OF Attribute + + CertifiedAttributes ::= AttributeCertificate + -- as defined in RFC 3281: see Section 4.1. + + NOTE 1: Only a single signer-attributes can be used. + + NOTE 2: Attribute and AttributeCertificate are as defined + respectively in ITU-T Recommendations X.501 [9] and X.509 [1]. + +5.11.4. content-time-stamp Attribute + + The content-time-stamp attribute is an attribute that is the + time-stamp token of the signed data content before it is signed. The + content-time-stamp attribute shall be a signed attribute. + + The following object identifier identifies the content-time-stamp + attribute: + + id-aa-ets-contentTimestamp OBJECT IDENTIFIER ::= + { iso(1) member- body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 20} + + content-time-stamp attribute values have ASN.1 type ContentTimestamp: + ContentTimestamp ::= TimeStampToken + + The value of messageImprint of TimeStampToken (as described in RFC + 3161 [7]) shall be a hash of the value of the eContent field within + encapContentInfo in the signedData. + + For further information and definition of TimeStampToken, see Section + 7.4. + + NOTE: content-time-stamp indicates that the signed information was + formed before the date included in the content-time-stamp. + +5.12. Support for Multiple Signatures + +5.12.1. Independent Signatures + + Multiple independent signatures (see Annex B.5) are supported by + independent SignerInfo from each signer. + + + +Pinkas, et al. Informational [Page 44] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Each SignerInfo shall include all the attributes required under the + present document and shall be processed independently by the + verifier. + + NOTE: Independent signatures may be used to provide independent + signatures from different parties with different signed + attributes, or to provide multiple signatures from the same party + using alternative signature algorithms, in which case the other + attributes, excluding time values and signature policy + information, will generally be the same. + +5.12.2. Embedded Signatures + + Multiple embedded signatures (see Annex C.5) are supported using the + countersignature unsigned attribute (see Section 5.9.2). Each + counter signature is carried in countersignature held as an unsigned + attribute to the SignerInfo to which the counter-signature is + applied. + + NOTE: Counter signatures may be used to provide signatures from + different parties with different signed attributes, or to provide + multiple signatures from the same party using alternative + signature algorithms, in which case the other attributes, + excluding time values and signature policy information, will + generally be the same. + +6. Additional Electronic Signature Validation Attributes + + This section specifies attributes that contain different types of + validation data. These attributes build on the electronic signature + specified in Section 5. This includes: + + - Signature-time-stamp applied to the electronic signature value + or a Time-Mark in an audit trail. This is defined as the + Electronic Signature with Time (CAdES-T); and + + - Complete validation data references that comprise the time-stamp + of the signature value, plus references to all the certificates + (complete-certificate-references) and revocation (complete- + revocation-references) information used for full validation of + the electronic signature. This is defined as the Electronic + Signature with Complete data references (CAdES-C). + + NOTE 1: Formats for CAdES-T are illustrated in Section 4.4, and + the attributes are defined in Section 6.1.1. + + + + + + +Pinkas, et al. Informational [Page 45] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE 2: Formats for CAdES-C are illustrated in Section 4.4. The + required attributes for the CAdES-C signature format are defined + in Sections 6.2.1 to 6.2.2; optional attributes are defined in + Sections 6.2.3 and 6.2.4. + + In addition, the following optional extended forms of validation data + are also defined; see Annex B for an overview of the extended forms + of validation data: + + - CAdES-X with time-stamp: there are two types of time-stamps used + in extended validation data defined by the present document; + + - Type 1(CAdES-X Type 1): comprises a time-stamp over the ES + with Complete validation data (CAdES-C); and + + - Type 2 (CAdES-X Type2): comprises a time-stamp over the + certification path references and the revocation information + references used to support the CAdES-C. + + NOTE 3: Formats for CAdES-X Type 1 and CAdES-X Type 2 are + illustrated in Sections B.1.2 and B.1.3, respectively. + + - CAdES-X Long: comprises the Complete validation data + references (CAdES-C), plus the actual values of all the + certificates and revocation information used in the CAdES-C. + + NOTE 4: Formats for CAdES-X Long are illustrated in Annex B.1.1. + + - CAdES-X Long Type 1 or CAdES-X Long Type 2: comprises an + X-Time-Stamp (Type 1 or Type 2), plus the actual values of + all the certificates and revocation information used in the + CAdES-C as per CAdES-X Long. + + This section also specifies the data structures used in Archive + validation data format (CAdES-A)of extended forms: + + - Archive form of electronic signature (CAdES-A) comprises: + + - the Complete validation data references (CAdES-C), + + - the certificate and revocation values (as in a CAdES-X Long ), + + - any existing extended electronic signature time-stamps + (CAdES-X Type 1 or CAdES-X Type 2), if present, and + + - the signed user data and an additional archive time-stamp + applied over all that data. + + + + +Pinkas, et al. Informational [Page 46] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + An archive time-stamp may be repeatedly applied after long + periods to maintain validity when electronic signature and + time-stamping algorithms weaken. + + The additional data required to create the forms of electronic + signature identified above is carried as unsigned attributes + associated with an individual signature by being placed in the + unsignedAttrs field of SignerInfo. Thus, all the attributes defined + in Section 6 are unsigned attributes. + + NOTE 5: Where multiple signatures are to be supported, as + described in Section 5.12, each signature has a separate + SignerInfo. Thus, each signature requires its own unsigned + attribute values to create CAdES-T, CAdES-C, etc. + + NOTE 6: The optional attributes of the extended validation data + are defined in Sections 6.3 and 6.4. + +6.1. signature time-stamp Attribute (CAdES-T) + + An electronic signature with time-stamp is an electronic signature + for which part, but not all, of the additional data required for + validation is available (i.e., some certificates and revocation + information are available, but not all). + + The minimum structure time-stamp validation data is: + + - the signature time-stamp attribute, as defined in Section 6.1.1, + over the ES signature value. + +6.1.1. signature-time-stamp Attribute Definition + + The signature-time-stamp attribute is a TimeStampToken computed on + the signature value for a specific signer; it is an unsigned + attribute. Several instances of this attribute may occur with an + electronic signature, from different TSAs. + + The following object identifier identifies the signature-time-stamp + attribute: + + id-aa-signatureTimeStampToken OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 14} + + The signature-time-stamp attribute value has ASN.1 type + SignatureTimeStampToken: + + SignatureTimeStampToken ::= TimeStampToken + + + +Pinkas, et al. Informational [Page 47] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The value of the messageImprint field within TimeStampToken shall be + a hash of the value of the signature field within SignerInfo for the + signedData being time-stamped. + + For further information and definition of TimeStampToken, see Section + 7.4. + + NOTE 1: In the case of multiple signatures, it is possible to have + a: + + - TimeStampToken computed for each and all signers; or + + - TimeStampToken computed on one signer's signature; and no + + - TimeStampToken on another signer's signature. + + NOTE 2: In the case of multiple signatures, several TSTs, issued + by different TSAs, may be present within the same signerInfo (see + RFC 3852 [4]). + +6.2. Complete Validation Data References (CAdES-C) + + An electronic signature with Complete validation data references + (CAdES-C) is an electronic signature for which all the additional + data required for validation (i.e., all certificates and revocation + information) is available. This form is built on the CAdES-T form + defined above. + + As a minimum, the Complete validation data shall include the + following: + + - a time, which shall either be a signature-timestamp attribute, + as defined in Section 6.1.1, or a time-mark operated by a + Time-Marking Authority; + + - complete-certificate-references, as defined in Section 6.2.1; + + - complete-revocation-references, as defined in Section 6.2.2. + +6.2.1. complete-certificate-references Attribute Definition + + The complete-certificate-references attribute is an unsigned + attribute. It references the full set of CA certificates that have + been used to validate an ES with Complete validation data up to (but + not including) the signer's certificate. Only a single instance of + this attribute shall occur with an electronic signature. + + + + + +Pinkas, et al. Informational [Page 48] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE 1: The signer's certificate is referenced in the signing + certificate attribute (see Section 5.7.3). + +id-aa-ets-certificateRefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 21} + + The complete-certificate-references attribute value has the ASN.1 + syntax CompleteCertificateRefs. + + CompleteCertificateRefs ::= SEQUENCE OF OtherCertID + + OtherCertID is defined in Section 5.7.3.3. + + The IssuerSerial that shall be present in OtherCertID. The certHash + shall match the hash of the certificate referenced. + + NOTE 2: Copies of the certificate values may be held using the + certificate-values attribute, defined in Section 6.3.3. + + This attribute may include references to the certification chain + for any TSUs that provides time-stamp tokens. In this case, the + unsigned attribute shall be added to the signedData of the + relevant time-stamp token as an unsignedAttrs in the signerInfos + field. + +6.2.2. complete-revocation-references Attribute Definition + + The complete-revocation-references attribute is an unsigned + attribute. Only a single instance of this attribute shall occur with + an electronic signature. It references the full set of the CRL, + ACRL, or OCSP responses that have been used in the validation of the + signer, and CA certificates used in ES with Complete validation data. + + This attribute indicates that the verifier has taken due diligence to + gather the available revocation information. The references stored + in this attribute can be used to retrieve the referenced information, + if not stored in the CMS structure, but somewhere else. + + The following object identifier identifies the + complete-revocation-references attribute: + +id-aa-ets-revocationRefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 22} + + + + + + + + +Pinkas, et al. Informational [Page 49] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The complete-revocation-references attribute value has the ASN.1 + syntax CompleteRevocationRefs: + + CompleteRevocationRefs ::= SEQUENCE OF CrlOcspRef + + CrlOcspRef ::= SEQUENCE { + crlids [0] CRLListID OPTIONAL, + ocspids [1] OcspListID OPTIONAL, + otherRev [2] OtherRevRefs OPTIONAL + } + + CompleteRevocationRefs shall contain one CrlOcspRef for the + signing-certificate, followed by one for each OtherCertID in the + CompleteCertificateRefs attribute. The second and subsequent + CrlOcspRef fields shall be in the same order as the OtherCertID to + which they relate. At least one of CRLListID or OcspListID or + OtherRevRefs should be present for all but the "trusted" CA of the + certificate path. + +CRLListID ::= SEQUENCE { + crls SEQUENCE OF CrlValidatedID } + +CrlValidatedID ::= SEQUENCE { + crlHash OtherHash, + crlIdentifier CrlIdentifier OPTIONAL } + +CrlIdentifier ::= SEQUENCE { + crlissuer Name, + crlIssuedTime UTCTime, + crlNumber INTEGER OPTIONAL } + +OcspListID ::= SEQUENCE { + ocspResponses SEQUENCE OF OcspResponsesID } + +OcspResponsesID ::= SEQUENCE { + ocspIdentifier OcspIdentifier, + ocspRepHash OtherHash OPTIONAL +} + +OcspIdentifier ::= SEQUENCE { + ocspResponderID ResponderID, + -- As in OCSP response data + producedAt GeneralizedTime + -- As in OCSP response data +} + + + + + + +Pinkas, et al. Informational [Page 50] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + When creating a crlValidatedID, the crlHash is computed over the + entire DER encoded CRL including the signature. The crlIdentifier + would normally be present unless the CRL can be inferred from other + information. + + The crlIdentifier is to identify the CRL using the issuer name and + the CRL issued time, which shall correspond to the time thisUpdate + contained in the issued CRL, and if present, the crlNumber. The + crlListID attribute is an unsigned attribute. In the case that the + identified CRL is a Delta CRL, then references to the set of CRLs to + provide a complete revocation list shall be included. + + The OcspIdentifier is to identify the OCSP response using the issuer + name and the time of issue of the OCSP response, which shall + correspond to the time produced as contained in the issued OCSP + response. Since it may be needed to make the difference between two + OCSP responses received within the same second, the hash of the + response contained in the OcspResponsesID may be needed to solve the + ambiguity. + + NOTE 1: Copies of the CRL and OCSP responses values may be held + using the revocation-values attribute defined in Section 6.3.4. + + NOTE 2: It is recommended that this attribute be used in + preference to the OtherRevocationInfoFormat specified in RFC 3852 + to maintain backwards compatibility with the earlier version of + this specification. + + The syntax and semantics of other revocation references are outside + the scope of the present document. The definition of the syntax of + the other form of revocation information is as identified by + OtherRevRefType. + + This attribute may include the references to the full set of the CRL, + ACRL, or OCSP responses that have been used to verify the + certification chain for any TSUs that provide time-stamp tokens. In + this case, the unsigned attribute shall be added to the signedData of + the relevant time-stamp token as an unsignedAttrs in the signerInfos + field. + +6.2.3. attribute-certificate-references Attribute Definition + + This attribute is only used when a user attribute certificate is + present in the electronic signature. + + The attribute-certificate-references attribute is an unsigned + attribute. It references the full set of AA certificates that have + + + + +Pinkas, et al. Informational [Page 51] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + been used to validate the attribute certificate. Only a single + instance of this attribute shall occur with an electronic signature. + + id-aa-ets-attrCertificateRefs OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 44} + + The attribute-certificate-references attribute value has the ASN.1 + syntax AttributeCertificateRefs: + + AttributeCertificateRefs ::= SEQUENCE OF OtherCertID + + OtherCertID is defined in Section 5.7.3.3. + + NOTE: Copies of the certificate values may be held using the + certificate-values attribute defined in Section 6.3.3. + +6.2.4. attribute-revocation-references Attribute Definition + + This attribute is only used when a user attribute certificate is + present in the electronic signature and when that attribute + certificate can be revoked. + + The attribute-revocation-references attribute is an unsigned + attribute. Only a single instance of this attribute shall occur with + an electronic signature. It references the full set of the ACRL or + OCSP responses that have been used in the validation of the attribute + certificate. This attribute can be used to illustrate that the + verifier has taken due diligence of the available revocation + information. + + The following object identifier identifies the + attribute-revocation-references attribute: + + id-aa-ets-attrRevocationRefs OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) + id-aa(2) 45} + + The attribute-revocation-references attribute value has the ASN.1 + syntax AttributeRevocationRefs: + + AttributeRevocationRefs ::= SEQUENCE OF CrlOcspRef + +6.3. Extended Validation Data (CAdES-X) + + This section specifies a number of optional attributes that are used + by extended forms of electronic signatures (see Annex B for an + overview of these forms of validation data). + + + +Pinkas, et al. Informational [Page 52] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +6.3.1. Time-Stamped Validation Data (CAdES-X Type 1 or Type 2) + + The extended validation data may include one of the following + additional attributes, forming a CAdES-X Time-Stamp validation data + (CAdES-X Type 1 or CAdES-X Type 2), to provide additional protection + against later CA compromise and provide integrity of the validation + data used: + + - CAdES-C Time-stamp, as defined in Section 6.3.5 (CAdES-X Type + 1); or + + - Time-Stamped Certificates and CRLs references, as defined in + Section 6.3.6 (CAdES-X Type 2). + +6.3.2. Long Validation Data (CAdES-X Long, CAdES-X Long Type 1 or 2) + + The extended validation data may also include the following + additional information, forming a CAdES-X Long, for use if later + validation processes may not have access to this information: + + - certificate-values, as defined in Section 6.3.3; and + + - revocation-values, as defined in Section 6.3.4. + + The extended validation data may, in addition to certificate-values + and revocation-values as defined in Sections 6.3.3 and 6.3.4, include + one of the following additional attributes, forming a CAdES-X Long + Type 1 or CAdES-X Long Type 2. + + - CAdES-C Time-stamp, as defined in Section 6.3.3 (CAdES-X long + Type 1); or + + - Time-Stamped Certificates and CRLs references, as defined in + Section 6.3.4 (CAdES-X Long Type 2). + + The CAdES-X Long Type 1 or CAdES-X Long Type 2 provides additional + protection against later CA compromise and provides integrity of the + validation data used. + + NOTE 1: The CAdES-X-Long signature provides long-term proof of the + validity of the signature for as long as the CA keys, CRL Issuers + keys, and OCSP responder keys are not compromised and are + resistant to cryptographic attacks. + + NOTE 2: As long as the time-stamp data remains valid, the CAdES-X + Long Type 1 and the CAdES-X Long Type 2 provide the following + important property for long-standing signatures; that having been + found once to be valid, it shall continue to be so months or years + + + +Pinkas, et al. Informational [Page 53] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + later, long after the validity period of the certificates has + expired, or after the user key has been compromised. + +6.3.3. certificate-values Attribute Definition + + This attribute may be used to contain the certificate information + required for the following forms of extended electronic signature: + CAdES-X Long, ES X-Long Type 1, and CAdES-X Long Type 2; see Annex + B.1.1 for an illustration of this form of electronic signature. + + The certificate-values attribute is an unsigned attribute. Only a + single instance of this attribute shall occur with an electronic + signature. It holds the values of certificates referenced in the + complete-certificate-references attribute. + + NOTE: If an attribute certificate is used, it is not provided in + this structure but shall be provided by the signer as a + signer-attributes attribute (see Section 5.11.3). + + The following object identifier identifies the certificate-values + attribute: + + id-aa-ets-certValues OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 23} + + The certificate-values attribute value has the ASN.1 syntax + CertificateValues. + + CertificateValues ::= SEQUENCE OF Certificate + + Certificate is defined in Section 7.1. (which is as defined in ITU-T + Recommendation X.509 [1]). + + This attribute may include the certification information for any TSUs + that have provided the time-stamp tokens, if these certificates are + not already included in the TSTs as part of the TSUs signatures. In + this case, the unsigned attribute shall be added to the signedData of + the relevant time-stamp token. + +6.3.4. revocation-values Attribute Definition + + This attribute is used to contain the revocation information required + for the following forms of extended electronic signature: CAdES-X + Long, ES X-Long Type 1, and CAdES-X Long Type 2; see Annex B.1.1 for + an illustration of this form of electronic signature. + + The revocation-values attribute is an unsigned attribute. Only a + single instance of this attribute shall occur with an electronic + + + +Pinkas, et al. Informational [Page 54] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + signature. It holds the values of CRLs and OCSP referenced in the + complete-revocation-references attribute. + + NOTE: It is recommended that this attribute be used in preference + to the OtherRevocationInfoFormat specified in RFC 3852 to maintain + backwards compatibility with the earlier version of this + specification. + + The following object identifier identifies the revocation-values + attribute: + + id-aa-ets-revocationValues OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 24} + + The revocation-values attribute value has the ASN.1 syntax + RevocationValues + + RevocationValues ::= SEQUENCE { + crlVals [0] SEQUENCE OF CertificateList OPTIONAL, + ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL, + otherRevVals [2] OtherRevVals OPTIONAL } + + OtherRevVals ::= SEQUENCE { + OtherRevValType OtherRevValType, + OtherRevVals ANY DEFINED BY OtherRevValType } + + OtherRevValType ::= OBJECT IDENTIFIER + + The syntax and semantics of the other revocation values + (OtherRevVals) are outside the scope of the present document. + + The definition of the syntax of the other form of revocation + information is as identified by OtherRevRefType. + + CertificateList is defined in Section 7.2. (which is as defined in + ITU-T Recommendation X.509 [1]). + + BasicOCSPResponse is defined in Section 7.3. (which is as defined in + RFC 2560 [3]). + + This attribute may include the values of revocation data including + CRLs and OCSPs for any TSUs that have provided the time-stamp tokens, + if these certificates are not already included in the TSTs as part of + the TSUs signatures. In this case, the unsigned attribute shall be + added to the signedData of the relevant time-stamp token. + + + + + +Pinkas, et al. Informational [Page 55] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +6.3.5. CAdES-C-time-stamp Attribute Definition + + This attribute is used to protect against CA key compromise. + + This attribute is used for the time-stamping of the complete + electronic signature (CAdES-C). It is used in the following forms of + extended electronic signature; CAdES-X Type 1 and CAdES-X Long Type + 1; see Annex B.1.2 for an illustration of this form of electronic + signature. + + The CAdES-C-time-stamp attribute is an unsigned attribute. It is a + time-stamp token of the hash of the electronic signature and the + complete validation data (CAdES-C). It is a special-purpose + TimeStampToken Attribute that time-stamps the CAdES-C. Several + instances of this attribute may occur with an electronic signature + from different TSAs. + + NOTE 1: It is recommended that the attributes being time-stamped + be encoded in DER. If DER is not employed, then the binary + encoding of the ASN.1 structures being time-stamped should be + preserved to ensure that the recalculation of the data hash is + consistent. + + NOTE 2: Each attribute is included in the hash with the attrType + and attrValues (including type and length) but without the type + and length of the outer SEQUENCE. + + The following object identifier identifies the CAdES-C-Timestamp + attribute: + + id-aa-ets-escTimeStamp OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 25} + + The CAdES-C-timestamp attribute value has the ASN.1 syntax + ESCTimeStampToken : + + ESCTimeStampToken ::= TimeStampToken + + The value of the messageImprint field within TimeStampToken shall be + a hash of the concatenated values (without the type or length + encoding for that value) of the following data objects: + + - OCTETSTRING of the SignatureValue field within SignerInfo; + + - signature-time-stamp, or a time-mark operated by a Time-Marking + Authority; + + - complete-certificate-references attribute; and + + + +Pinkas, et al. Informational [Page 56] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - complete-revocation-references attribute. + + For further information and definition of the TimeStampToken, see + Section 7.4. + +6.3.6. time-stamped-certs-crls-references Attribute Definition + + This attribute is used to protect against CA key compromise. This + attribute is used for the time-stamping certificate and revocation + references. It is used in the following forms of extended electronic + signature: CAdES-X Type 2 and CAdES-X Long Type 2; see Annex B.1.3 + for an illustration of this form of electronic signature. + + A time-stamped-certs-crls-references attribute is an unsigned + attribute. It is a time-stamp token issued for a list of referenced + certificates and OCSP responses and/or CRLs to protect against + certain CA compromises. Its syntax is as follows: + + NOTE 1: It is recommended that the attributes being time-stamped + be encoded in DER. If DER is not employed, then the binary + encoding of the ASN.1 structures being time-stamped should be + preserved to ensure that the recalculation of the data hash is + consistent. + + NOTE 2: Each attribute is included in the hash with the attrType + and attrValues (including type and length) but without the type + and length of the outer SEQUENCE. + + The following object identifier identifies the + time-stamped-certs-crls-references attribute: + + id-aa-ets-certCRLTimestamp OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 26} + + The attribute value has the ASN.1 syntax TimestampedCertsCRLs: + + TimestampedCertsCRLs ::= TimeStampToken + + The value of the messageImprint field within the TimeStampToken shall + be a hash of the concatenated values (without the type or length + encoding for that value) of the following data objects, as present in + the ES with Complete validation data (CAdES-C): + + - complete-certificate-references attribute; and + + - complete-revocation-references attribute. + + + + +Pinkas, et al. Informational [Page 57] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +6.4. Archive Validation Data + + Where an electronic signature is required to last for a very long + time, and the time-stamp token on an electronic signature is in + danger of being invalidated due to algorithm weakness or limits in + the validity period of the TSA certificate, it may be required to + time-stamp the electronic signature several times. When this is + required, an archive time-stamp attribute may be required for the + archive form of the electronic signature (CAdES-A). This archive + time-stamp attribute may be repeatedly applied over a period of time. + +6.4.1. archive-time-stamp Attribute Definition + + The archive-time-stamp attribute is a time-stamp token of many of the + elements of the signedData in the electronic signature. If the + certificate-values and revocation-values attributes are not present + in the CAdES-BES or CAdES-EPES, then they shall be added to the + electronic signature prior to computing the archive time-stamp token. + + The archive-time-stamp attribute is an unsigned attribute. Several + instances of this attribute may occur with an electronic signature + both over time and from different TSUs. + + The following object identifier identifies the nested + archive-time-stamp attribute: + + id-aa-ets-archiveTimestampV2 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) id-aa(2) 48} + + Archive-time-stamp attribute values have the ASN.1 syntax + ArchiveTimeStampToken + + ArchiveTimeStampToken ::= TimeStampToken + + The value of the messageImprint field within TimeStampToken shall be + a hash of the concatenation of: + + - the encapContentInfo element of the SignedData sequence; + + - any external content being protected by the signature, if the + eContent element of the encapContentInfo is omitted; + + - the Certificates and crls elements of the SignedData sequence, + when present, and; + + - all data elements in the SignerInfo sequence including all + signed and unsigned attributes. + + + +Pinkas, et al. Informational [Page 58] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE 1: An alternative archiveTimestamp attribute, identified by + an object identifier { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 27, is defined + in prior versions of TS 101 733 [TS101733] and in RFC 3126. + + The archiveTimestamp attribute, defined in versions of TS 101 733 + prior to 1.5.1 and in RFC 3126, is not compatible with the + attribute defined in the current document. The archiveTimestamp + attribute, defined in versions 1.5.1 to 1.6.3 of TS 101 733, is + compatible with the current document if the content is internal to + encapContentInfo. Unless the version of TS 101 733 employed by + the signing party is known by all recipients, use of the + archiveTimestamp attribute defined in prior versions of TS 101 733 + is deprecated. + + NOTE 2: Counter signatures held as countersignature attributes do + not require independent archive time-stamps, as they are protected + by the archive time-stamp against the containing SignedData + structure. + + NOTE 3: Unless DER is used throughout, it is recommended that the + binary encoding of the ASN.1 structures being time-stamped be + preserved when being archived to ensure that the recalculation of + the data hash is consistent. + + NOTE 4: The hash is calculated over the concatenated data elements + as received/stored, including the Type and Length encoding. + + NOTE 5: Whilst it is recommended that unsigned attributes be DER + encoded, it cannot generally be so guaranteed except by prior + arrangement. For further information and definition of + TimeStampToken, see Section 7.4. The timestamp should be created + using stronger algorithms (or longer key lengths) than in the + original electronic signatures and weak algorithm (key length) + timestamps. + + NOTE 6: This form of ES also provides protection against a TSP key + compromise. + + The ArchiveTimeStamp will be added as an unsigned attribute in the + SignerInfo sequence. For the validation of one ArchiveTimeStamp, the + data elements of the SignerInfo must be concatenated, excluding all + later ArchivTimeStampToken attributes. + + Certificates and revocation information required to validate the + ArchiveTimeStamp shall be provided by one of the following methods: + + + + + +Pinkas, et al. Informational [Page 59] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - The TSU provides the information in the SignedData of the + timestamp token; + + - Adding the complete-certificate-references attribute and the + complete-revocation-references attribute of the TSP as an + unsigned attribute within TimeStampToken, when the required + information is stored elsewhere; or + + - Adding the certificate-values attribute and the + revocation-values attribute of the TSP as an unsigned attribute + within TimeStampToken, when the required information is stored + elsewhere. + +7. Other Standard Data Structures + +7.1. Public Key Certificate Format + + The X.509 v3 certificate basis syntax is defined in ITU-T + Recommendation X.509 [1]. A profile of the X.509 v3 certificate is + defined in RFC 3280 [2]. + +7.2. Certificate Revocation List Format + + The X.509 v2 CRL syntax is defined in ITU-T Recommendation X.509 [1]. + A profile of the X.509 v2 CRL is defined in RFC 3280 [2]. + +7.3. OCSP Response Format + + The format of an OCSP token is defined in RFC 2560 [3]. + +7.4. Time-Stamp Token Format + + The format of a TimeStampToken type is defined in RFC 3161 [7] and + profiled in ETSI TS 101 861 [TS101861]. + +7.5. Name and Attribute Formats + + The syntax of the naming and other attributes is defined in ITU-T + Recommendation X.509 [1]. + + NOTE: The name used by the signer, held as the subject in the + signer's certificate, is allocated and verified on registration + with the Certification Authority, either directly or indirectly + through a Registration Authority, before being issued with a + Certificate. + + + + + + +Pinkas, et al. Informational [Page 60] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The present document places no restrictions on the form of the name. + The subject's name may be a distinguished name, as defined in ITU-T + Recommendation X.500 [12], held in the subject field of the + certificate, or any other name form held in the subjectAltName + certificate extension field, as defined in ITU-T Recommendation X.509 + [1]. In the case that the subject has no distinguished name, the + subject name can be an empty sequence and the subjectAltName + extension shall be critical. + + All Certification Authorities, Attribute Authorities, and + Time-Stamping Authorities shall use distinguished names in the + subject field of their certificate. + + The distinguished name shall include identifiers for the organization + providing the service and the legal jurisdiction (e.g., country) + under which it operates. + + Where a signer signs as an individual, but wishes to also identify + him/herself as acting on behalf of an organization, it may be + necessary to provide two independent forms of identification. The + first identity, which is directly associated with the signing key, + identifies him/her as an individual. The second, which is managed + independently, identifies that person acting as part of the + organization, possibly with a given role. In this case, one of the + two identities is carried in the subject/subjectAltName field of the + signer's certificate as described above. + + The present document does not specify the format of the signer's + attribute that may be included in public key certificates. + + NOTE: The signer's attribute may be supported by using a claimed + role in the CMS signed attributes field or by placing an attribute + certificate containing a certified role in the CMS signed + attributes field; see Section 7.6. + +7.6. AttributeCertificate + + The syntax of the AttributeCertificate type is defined in RFC 3281 + [13]. + +8. Conformance Requirements + + For implementations supporting signature generation, the present + document defines conformance requirements for the generation of two + forms of basic electronic signature, one of the two forms must be + implemented. + + + + + +Pinkas, et al. Informational [Page 61] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + For implementations supporting signature verification, the present + document defines conformance requirements for the verification of two + forms of basic electronic signature, one of the two forms must be + implemented. + + The present document only defines conformance requirements up to an + ES with Complete validation data (CAdES-C). This means that none of + the extended and archive forms of the electronic signature (CAdES-X, + CAdES-A) need to be implemented to get conformance to the present + document. + + On verification the inclusion of optional signed and unsigned + attributes must be supported only to the extent that the signature is + verifiable. The semantics of optional attributes may be unsupported, + unless specified otherwise by a signature policy. + +8.1. CAdES-Basic Electronic Signature (CAdES-BES) + + A system supporting CAdES-BES signers, according to the present + document, shall, at a minimum, support generation of an electronic + signature consisting of the following components: + + - The general CMS syntax and content type, as defined in RFC 3852 + [4] (see Sections 5.1 and 5.2); + + - CMS SignedData, as defined in RFC 3852 [4], with the version set + to 3 and at least one SignerInfo present (see Sections 5.3 to + 5.6); + + - The following CMS attributes, as defined in RFC 3852 [4]: + + - content-type; this shall always be present (see Section + 5.7.1); and + + - message-digest; this shall always be present (see Section + 5.7.2). + + - One of the following attributes, as defined in the present + document: + + - signing-certificate: as defined in Section 5.7.3.1; or + - signing-certificate v2 : as defined in Section 5.7.3.2. + + NOTE: RFC 3126 was using the other signing-certificate attribute + (see Section 5.7.3.3). Its use is now deprecated, since the + structure of the signing-certificate v2 attribute is simpler than + the other signing-certificate attribute. + + + + +Pinkas, et al. Informational [Page 62] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +8.2. CAdES-Explicit Policy-based Electronic Signature + + A system supporting Policy-based signers, according to the present + document, shall, at a minimum, support the generation of an + electronic signature consisting of the previous components defined + for the basic signer, plus: + + - The following attributes, as defined in Section 5.9: + + - signature-policy-identifier; this shall always be present + (see Section 5.8.1). + +8.3. Verification Using Time-Stamping + + A system supporting verifiers, according to the present document, + with time-stamping facilities shall, at a minimum, support: + + - verification of the mandated components of an electronic + signature, as defined in Section 8.1; + + - signature-time-stamp attribute, as defined in Section 6.1.1; + + - complete-certificate-references attribute, as defined in Section + 6.2.1; + + - complete-revocation-references attribute, as defined in Section + 6.2.2; + + - Public Key Certificates, as defined in ITU-T Recommendation + X.509 [1] (see Section 8.1); and + + - either of: + + - Certificate Revocation Lists, as defined in ITU-T + Recommendation X.509 [1] (see Section 8.2); or + + - Online Certificate Status Protocol, as defined in RFC 2560 + [3] (see Section 8.3). + +8.4. Verification Using Secure Records + + A system supporting verifiers, according to the present document, + shall, at a minimum, support: + + - verification of the mandated components of an electronic + signature, as defined in Section 8.1; + + + + + +Pinkas, et al. Informational [Page 63] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - complete-certificate-references attribute, as defined in Section + 6.2.1; + + - complete-revocation-references attribute, as defined in Section + 6.2.2; + + - a record of the electronic signature and the time when the + signature was first validated, using the referenced certificates + and revocation information, must be maintained, such that + records cannot be undetectably modified; + + - Public Key Certificates, as defined in ITU-T Recommendation + X.509 [1] (see Section 8.1); and + + - either of: + + - Certificate Revocation Lists, as defined in ITU-T + Recommendation X.509 [1] (see Section 8.2); or + + - online Certificate Status Protocol, as defined in RFC 2560 + [3] (see Section 8.3). + +9. References + +9.1. Normative References + + [1] ITU-T Recommendation X.509 (2000)/ISO/IEC 9594-8 (2001): + "Information technology - Open Systems Interconnection - The + Directory: Public key and Attribute Certificate framework". + + [2] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 + Public Key Infrastructure Certificate and Certificate + Revocation List (CRL) Profile", RFC 3280, April 2002. + + [3] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. + Adams, "X.509 Internet Public Key Infrastructure Online + Certificate Status Protocol - OCSP", RFC 2560, June 1999. + + [4] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, + July 2004. + + [5] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", RFC + 2634, June 1999. + + [6] Freed, N. and N. Borenstein, "Multipurpose Internet Mail + Extensions (MIME) Part One: Format of Internet Message + Bodies", RFC 2045, November 1996. + + + + +Pinkas, et al. Informational [Page 64] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + [7] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato, "Internet + X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)", + RFC 3161, August 2001. + + [8] ITU-T Recommendation X.680 (1997): "Information technology - + Abstract Syntax Notation One (ASN.1): Specification of basic + notation". + + [9] ITU-T Recommendation X.501 (2000)/ISO/IEC 9594-1 (2001): + "Information technology - Open Systems Interconnection - + Directory models". + + [10] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", + RFC 3370, August 2002. + + [11] ITU-T Recommendation F.1: "Operational provisions for the + international public telegram service". + + [12] ITU-T Recommendation X.500: "Information technology - Open + Systems Interconnection - The Directory: Overview of concepts, + models and services". + + [13] Farrell, S. and R. Housley, "An Internet Attribute Certificate + Profile for Authorization", RFC 3281, April 2002. + + [14] ITU-T Recommendation X.208 (1988): "Specification of Abstract + Syntax Notation One (ASN.1)". + + [15] Schaad, J., "Enhanced Security Services (ESS) Update: Adding + CertID Algorithm Agility", RFC 5035, August 2007. + + [16] ITU-T Recommendation X.690 (2002): "Information technology + ASN.1 encoding rules: Specification of Basic Encoding Rules + (BER), Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)". + +9.2. Informative References + + [EUDirective] Directive 1999/93/EC of the European Parliament and of + the Council of 13 December 1999 on a community + framework for Electronic Signatures. + + [TS101733] ETSI Standard TS 101 733 V.1.7.3 (2005-06) Electronic + Signature Formats. + + [TS101861] ETSI TS 101 861: "Time stamping profile". + + + + + +Pinkas, et al. Informational [Page 65] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + [TS101903] ETSI TS 101 903: "XML Advanced Electronic Signatures + (XAdES)". + + [TR102038] ETSI TR 102 038: "Electronic Signatures and + Infrastructures (ESI); XML format for signature + policies". + + [TR102272] ETSI TR 102 272 V1.1.1 (2003-12). "Electronic + Signatures and Infrastructures (ESI); ASN.1 format for + signature policies". + + [RFC2479] Adams, C., "Independent Data Unit Protection Generic + Security Service Application Program Interface (IDUP- + GSS-API)", RFC 2479, December 1998. + + [RFC2743] Linn, J., "Generic Security Service Application + Program Interface Version 2, Update 1", RFC 2743, + January 2000. + + [RFC3125] Ross, J., Pinkas, D., and N. Pope, "Electronic + Signature Policies", RFC 3125, September 2001. + + [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography + Standards (PKCS) #1: RSA Cryptography Specifications + Version 2.1", RFC 3447, February 2003. + + [RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol + version 2 (LDAPv2) to Historic Status", RFC 3494, + March 2003. + + [RFC3851] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail + Extensions (S/MIME) Version 3.1 Message + Specification", RFC 3851, July 2004. + + [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, + "Internet X.509 Public Key Infrastructure Certificate + Management Protocol (CMP)", RFC 4210, September 2005. + + [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer + Security (TLS) Protocol Version 1.1", RFC 4346, April + 2006. + + [RFC4523] Zeilenga, K., "Lightweight Directory Access Protocol + (LDAP) Schema Definitions for X.509 Certificates", RFC + 4523, June 2006. + + + + + + +Pinkas, et al. Informational [Page 66] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + [ISO7498-2] ISO 7498-2 (1989): "Information processing systems - + Open Systems Interconnection - Basic Reference Model - + Part 2: Security Architecture". + + [ISO9796-2] ISO/IEC 9796-2 (2002): "Information technology - + Security techniques - Digital signature schemes giving + message recovery - Part 2: Integer factorization based + mechanisms". + + [ISO9796-4] ISO/IEC 9796-4 (1998): "Digital signature schemes + giving message recovery - Part 4: Discrete logarithm + based mechanisms". + + [ISO10118-1] ISO/IEC 10118-1 (2000): "Information technology - + Security techniques - Hash-functions - Part 1: + General". + + [ISO10118-2] ISO/IEC 10118-2 (2000): "Information technology - + Security techniques - Hash-functions - Part 2: + Hash-functions using an n-bit block cipher algorithm". + + [ISO10118-3] ISO/IEC 10118-3 (2004): "Information technology - + Security techniques - Hash-functions - Part 3: + Dedicated hash-functions". + + [ISO10118-4] ISO/IEC 10118-4 (1998): "Information technology - + Security techniques - Hash-functions - Part 4: Hash- + functions using modular arithmetic". + + [ISO10181-5] ISO/IEC 10181-5: Security Frameworks in Open Systems. + Non-Repudiation Framework. April 1997. + + [ISO13888-1] ISO/IEC 13888-1 (2004): "IT security techniques - + Non-repudiation - Part 1: General". + + [ISO14888-1] ISO/IEC 14888-1 (1998): "Information technology - + Security techniques - Digital signatures with appendix + - Part 1: General". + + [ISO14888-2] ISO/IEC 14888-2 (1999): "Information technology - + Security techniques - Digital signatures with appendix + - Part 2: Identity-based mechanisms". + + [ISO14888-3] ISO/IEC 14888-3 (1998): "Information technology - + Security techniques - Digital signatures with appendix + - Part 3: Certificate-based mechanisms". + + + + + +Pinkas, et al. Informational [Page 67] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + [ISO15946-2] ISO/IEC 15946-2 (2002): "Information technology - + Security techniques - Cryptographic techniques based + on elliptic curves - Part 2: Digital signatures". + + [CWA14171] CWA 14171 CEN Workshop Agreement: "General Guidelines + for Electronic Signature Verification". + + [XMLDSIG] XMLDSIG: W3C/IETF Recommendation (February 2002): + "XML-Signature Syntax and Processing". + + [X9.30-1] ANSI X9.30-1 (1997): "Public Key Cryptography for the + Financial Services Industry - Part 1: The Digital + Signature Algorithm (DSA)". + + [X9.30-2] ANSI X9.30-2 (1997): "Public Key Cryptography for the + Financial Services Industry - Part 2: The Secure Hash + Algorithm (SHA-1)". + + [X9.31-1] ANSI X9.31-1 (1997): "Public Key Cryptography Using + Reversible Algorithms for the Financial Services + Industry - Part 1: The RSA Signature Algorithm". + + [X9.31-2] ANSI X9.31-2 (1996): "Public Key Cryptography Using + Reversible Algorithms for the Financial Services + Industry - Part 2: Hash Algorithms". + + [X9.62] ANSI X9.62 (1998): "Public Key Cryptography for the + Financial Services Industry - The Elliptic Curve + Digital Signature Algorithm (ECDSA)". + + [P1363] IEEE P1363 (2000): "Standard Specifications for + Public-Key Cryptography". + + ETSI technical specifications can be downloaded free of charge via + the Services and Products Download Area at: + http://www.etsi.org/WebSite/Standards/StandardsDownload.aspx + + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 68] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +Annex A (Normative): ASN.1 Definitions + + This annex provides a summary of all the ASN.1 syntax definitions for + new syntax defined in the present document. + +A.1. Signature Format Definitions Using X.208 ASN.1 Syntax + + NOTE: The ASN.1 module defined in Annex A.1 using syntax defined + in ITU-T Recommendation X.208 [14] has precedence over that + defined in Annex A.2 in the case of any conflict. + +ETS-ElectronicSignatureFormats-ExplicitSyntax88 { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-mod(0) +eSignature-explicit88(28)} + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +-- EXPORTS All + +IMPORTS + +-- Cryptographic Message Syntax (CMS): RFC 3852 + + ContentInfo, ContentType, id-data, id-signedData, SignedData, + EncapsulatedContentInfo, SignerInfo, id-contentType, + id-messageDigest, MessageDigest, id-signingTime, SigningTime, + id-countersignature, Countersignature + FROM CryptographicMessageSyntax2004 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) cms-2004(24) } + +-- ESS Defined attributes: ESS Update +-- RFC 5035 (Adding CertID Algorithm Agility) + + id-aa-signingCertificate, SigningCertificate, IssuerSerial, + id-aa-contentReference, ContentReference, id-aa-contentIdentifier, + ContentIdentifier, id-aa-signingCertificateV2 + FROM ExtendedSecurityServices-2006 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-ess-2006(30) } + +-- Internet X.509 Public Key Infrastructure - Certificate and CRL +-- Profile: RFC 3280 + + Certificate, AlgorithmIdentifier, CertificateList, Name, + DirectoryString, Attribute, BMPString, UTF8String + + + +Pinkas, et al. Informational [Page 69] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + FROM PKIX1Explicit88 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18)} + + GeneralNames, GeneralName, PolicyInformation + FROM PKIX1Implicit88 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit (19)} + +-- Internet Attribute Certificate Profile for Authorization - RFC 3281 + + AttributeCertificate + FROM PKIXAttributeCertificate {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-mod-attribute-cert(12)} + +-- OCSP - RFC 2560 + + BasicOCSPResponse, ResponderID + FROM OCSP {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp(14)} + +-- Time Stamp Protocol RFC 3161 + + TimeStampToken + FROM PKIXTSP + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-mod-tsp(13)} + +; + + +-- Definitions of Object Identifier arcs used in the present document +-- ================================================================== + +-- OID used referencing electronic signature mechanisms based on +-- the present document for use with the Independent Data Unit +-- Protection (IDUP) API (see Annex D) + + id-etsi-es-IDUP-Mechanism-v1 OBJECT IDENTIFIER ::= + { itu-t(0) identified-organization(4) etsi(0) + electronic-signature-standard (1733) part1 (1) idupMechanism (4) + etsiESv1(1) } + + +-- Basic ES CMS Attributes Defined in the present document +-- ======================================================= + + + + +Pinkas, et al. Informational [Page 70] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +-- OtherSigningCertificate - deprecated + + id-aa-ets-otherSigCert OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 19 } + + OtherSigningCertificate ::= SEQUENCE { + certs SEQUENCE OF OtherCertID, + policies SEQUENCE OF PolicyInformation OPTIONAL + -- NOT USED IN THE PRESENT DOCUMENT + } + + OtherCertID ::= SEQUENCE { + otherCertHash OtherHash, + issuerSerial IssuerSerial OPTIONAL } + + OtherHash ::= CHOICE { + sha1Hash OtherHashValue, + -- This contains a SHA-1 hash + otherHash OtherHashAlgAndValue} + + +-- Policy ES Attributes Defined in the present document +-- ==================================================== + +-- Mandatory Basic Electronic Signature Attributes as above, +-- plus in addition. + +-- Signature-policy-identifier attribute + + id-aa-ets-sigPolicyId OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-aa(2) 15 } + + SignaturePolicy ::= CHOICE { + signaturePolicyId SignaturePolicyId, + signaturePolicyImplied SignaturePolicyImplied + -- not used in this version + } + + SignaturePolicyId ::= SEQUENCE { + sigPolicyId SigPolicyId, + sigPolicyHash SigPolicyHash, + sigPolicyQualifiers SEQUENCE SIZE (1..MAX) OF + SigPolicyQualifierInfo OPTIONAL + } + + SignaturePolicyImplied ::= NULL + + + +Pinkas, et al. Informational [Page 71] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + SigPolicyId ::= OBJECT IDENTIFIER + + SigPolicyHash ::= OtherHashAlgAndValue + + OtherHashAlgAndValue ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier, + hashValue OtherHashValue } + + OtherHashValue ::= OCTET STRING + + SigPolicyQualifierInfo ::= SEQUENCE { + sigPolicyQualifierId SigPolicyQualifierId, + sigQualifier ANY DEFINED BY sigPolicyQualifierId } + + SigPolicyQualifierId ::= OBJECT IDENTIFIER + + id-spq-ets-uri OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-spq(5) 1 } + + SPuri ::= IA5String + + id-spq-ets-unotice OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-spq(5) 2 } + + SPUserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL} + + NoticeReference ::= SEQUENCE { + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + + DisplayText ::= CHOICE { + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + + utf8String UTF8String (SIZE (1..200)) } + +-- Optional Electronic Signature Attributes + +-- Commitment-type attribute + +id-aa-ets-commitmentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 16} + + CommitmentTypeIndication ::= SEQUENCE { + + + +Pinkas, et al. Informational [Page 72] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + commitmentTypeId CommitmentTypeIdentifier, + commitmentTypeQualifier SEQUENCE SIZE (1..MAX) OF + CommitmentTypeQualifier OPTIONAL} + + CommitmentTypeIdentifier ::= OBJECT IDENTIFIER + + CommitmentTypeQualifier ::= SEQUENCE { + commitmentTypeIdentifier CommitmentTypeIdentifier, + qualifier ANY DEFINED BY commitmentTypeIdentifier } + +id-cti-ets-proofOfOrigin OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 1} + +id-cti-ets-proofOfReceipt OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 2} + +id-cti-ets-proofOfDelivery OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) cti(6) 3} + +id-cti-ets-proofOfSender OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 4} + +id-cti-ets-proofOfApproval OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) cti(6) 5} + +id-cti-ets-proofOfCreation OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) cti(6) 6} + +-- Signer-location attribute + +id-aa-ets-signerLocation OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 17} + + SignerLocation ::= SEQUENCE { + -- at least one of the following shall be present + countryName [0] DirectoryString OPTIONAL, + -- As used to name a Country in X.500 + localityName [1] DirectoryString OPTIONAL, + -- As used to name a locality in X.500 + postalAdddress [2] PostalAddress OPTIONAL } + + PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString + +-- Signer-attributes attribute + + + + +Pinkas, et al. Informational [Page 73] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +id-aa-ets-signerAttr OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 18} + + SignerAttribute ::= SEQUENCE OF CHOICE { + claimedAttributes [0] ClaimedAttributes, + certifiedAttributes [1] CertifiedAttributes } + + ClaimedAttributes ::= SEQUENCE OF Attribute + + CertifiedAttributes ::= AttributeCertificate + -- as defined in RFC 3281: see Section 4.1 + +-- Content-time-stamp attribute + +id-aa-ets-contentTimestamp OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 20} + + ContentTimestamp ::= TimeStampToken + +-- Signature-time-stamp attribute + +id-aa-signatureTimeStampToken OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 14} + +SignatureTimeStampToken ::= TimeStampToken + +-- Complete-certificate-references attribute + +id-aa-ets-certificateRefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 21} + +CompleteCertificateRefs ::= SEQUENCE OF OtherCertID + +-- Complete-revocation-references attribute + +id-aa-ets-revocationRefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 22} + + CompleteRevocationRefs ::= SEQUENCE OF CrlOcspRef + + CrlOcspRef ::= SEQUENCE { + crlids [0] CRLListID OPTIONAL, + ocspids [1] OcspListID OPTIONAL, + otherRev [2] OtherRevRefs OPTIONAL + } + + + + +Pinkas, et al. Informational [Page 74] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + CRLListID ::= SEQUENCE { + crls SEQUENCE OF CrlValidatedID} + + CrlValidatedID ::= SEQUENCE { + crlHash OtherHash, + crlIdentifier CrlIdentifier OPTIONAL} + + CrlIdentifier ::= SEQUENCE { + crlissuer Name, + crlIssuedTime UTCTime, + crlNumber INTEGER OPTIONAL } + + OcspListID ::= SEQUENCE { + ocspResponses SEQUENCE OF OcspResponsesID} + + OcspResponsesID ::= SEQUENCE { + ocspIdentifier OcspIdentifier, + ocspRepHash OtherHash OPTIONAL + } + + OcspIdentifier ::= SEQUENCE { + ocspResponderID ResponderID, + -- As in OCSP response data + producedAt GeneralizedTime + -- As in OCSP response data + } + + OtherRevRefs ::= SEQUENCE { + otherRevRefType OtherRevRefType, + otherRevRefs ANY DEFINED BY otherRevRefType + } + + OtherRevRefType ::= OBJECT IDENTIFIER + +-- Certificate-values attribute + +id-aa-ets-certValues OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 23} + + CertificateValues ::= SEQUENCE OF Certificate + +-- Certificate-revocation-values attribute + +id-aa-ets-revocationValues OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 24} + + RevocationValues ::= SEQUENCE { + + + +Pinkas, et al. Informational [Page 75] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + crlVals [0] SEQUENCE OF CertificateList OPTIONAL, + ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL, + otherRevVals [2] OtherRevVals OPTIONAL} + + OtherRevVals ::= SEQUENCE { + otherRevValType OtherRevValType, + otherRevVals ANY DEFINED BY otherRevValType + } + + OtherRevValType ::= OBJECT IDENTIFIER + +-- CAdES-C time-stamp attribute + +id-aa-ets-escTimeStamp OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 25} + +ESCTimeStampToken ::= TimeStampToken + +-- Time-Stamped Certificates and CRLs + +id-aa-ets-certCRLTimestamp OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 26} + +TimestampedCertsCRLs ::= TimeStampToken + +-- Archive time-stamp attribute +id-aa-ets-archiveTimestampV2 OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 48} + +ArchiveTimeStampToken ::= TimeStampToken + +-- Attribute-certificate-references attribute + +id-aa-ets-attrCertificateRefs OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 44} + +AttributeCertificateRefs ::= SEQUENCE OF OtherCertID + +-- Attribute-revocation-references attribute + +id-aa-ets-attrRevocationRefs OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 45} + +AttributeRevocationRefs ::= SEQUENCE OF CrlOcspRef + + + +Pinkas, et al. Informational [Page 76] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +END + +A.2. Signature Format Definitions Using X.680 ASN.1 Syntax + + NOTE: The ASN.1 module defined in Annex A.1 has precedence over + that defined in Annex A.2 using syntax defined in ITU-T + Recommendation X.680 (1997) [8] in the case of any conflict. + +ETS-ElectronicSignatureFormats-ExplicitSyntax97 { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-mod(0) +eSignature-explicit97(29)} + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +-- EXPORTS All - + +IMPORTS + +-- Cryptographic Message Syntax (CMS): RFC 3852 + + ContentInfo, ContentType, id-data, id-signedData, SignedData, + EncapsulatedContentInfo, SignerInfo, + id-contentType, id-messageDigest, MessageDigest, id-signingTime, + SigningTime, id-countersignature, Countersignature + FROM CryptographicMessageSyntax2004 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) cms-2004(24) } + +-- ESS Defined attributes: ESS Update +-- RFC 5035 (Adding CertID Algorithm Agility) + + id-aa-signingCertificate, SigningCertificate, IssuerSerial, + id-aa-contentReference, ContentReference, id-aa-contentIdentifier, + ContentIdentifier, id-aa-signingCertificateV2 + FROM ExtendedSecurityServices-2006 + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-ess-2006(30) } + +-- Internet X.509 Public Key Infrastructure +-- Certificate and CRL Profile: RFC 3280 + + Certificate, AlgorithmIdentifier, CertificateList, Name, + Attribute + + FROM PKIX1Explicit88 + {iso(1) identified-organization(3) dod(6) internet(1) + + + +Pinkas, et al. Informational [Page 77] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + security(5) mechanisms(5) pkix(7) id-mod(0) + id-pkix1-explicit(18)} + + GeneralNames, GeneralName, PolicyInformation + FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-pkix1-implicit(19)} + +-- Internet Attribute Certificate Profile for Authorization - RFC 3281 + + AttributeCertificate + FROM PKIXAttributeCertificate {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-attribute-cert(12)} + +-- OCSP RFC 2560 + + BasicOCSPResponse, ResponderID + FROM OCSP {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp(14)} + +-- RFC 3161 Internet X.509 Public Key Infrastructure +-- Time-Stamp Protocol + + TimeStampToken + FROM PKIXTSP {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-tsp(13)} + +-- X.520 + + DirectoryString {} + FROM SelectedAttributeTypes + {joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4} + +; + +-- Definitions of Object Identifier arcs used in the present document +-- ================================================================== + +-- OID used referencing electronic signature mechanisms based +-- on the present document for use with the IDUP API (see Annex D) + +id-etsi-es-IDUP-Mechanism-v1 OBJECT IDENTIFIER ::= +{ itu-t(0) identified-organization(4) etsi(0) +electronic-signature-standard (1733) part1 (1) idupMechanism (4) +etsiESv1(1) } + + + + + +Pinkas, et al. Informational [Page 78] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +-- Basic ES Attributes Defined in the present document +-- =================================================== + +-- CMS Attributes defined in the present document + +-- OtherSigningCertificate - deprecated + +id-aa-ets-otherSigCert OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) +smime(16) id-aa(2) 19 } + + + OtherSigningCertificate ::= SEQUENCE { + certs SEQUENCE OF OtherCertID, + policies SEQUENCE OF PolicyInformation OPTIONAL + -- NOT USED IN THE PRESENT DOCUMENT + } + + OtherCertID ::= SEQUENCE { + otherCertHash OtherHash, + issuerSerial IssuerSerial OPTIONAL } + + OtherHash ::= CHOICE { + sha1Hash OtherHashValue, + -- This contains a SHA-1 hash + otherHash OtherHashAlgAndValue} + +-- Policy ES Attributes Defined in the present document +-- ==================================================== + +-- Mandatory Basic Electronic Signature Attributes, plus in addition. +-- Signature Policy Identifier + +id-aa-ets-sigPolicyId OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) +smime(16) id-aa(2) 15 } + + SignaturePolicy ::= CHOICE { + signaturePolicyId SignaturePolicyId, + signaturePolicyImplied SignaturePolicyImplied + -- not used in this version + } + + SignaturePolicyId ::= SEQUENCE { + sigPolicyId SigPolicyId, + sigPolicyHash SigPolicyHash, + sigPolicyQualifiers SEQUENCE SIZE (1..MAX) OF + SigPolicyQualifierInfo OPTIONAL + + + +Pinkas, et al. Informational [Page 79] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + } + + SignaturePolicyImplied ::= NULL + + SigPolicyId ::= OBJECT IDENTIFIER + + SigPolicyHash ::= OtherHashAlgAndValue + + OtherHashAlgAndValue ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier, + hashValue OtherHashValue + } + + OtherHashValue ::= OCTET STRING + + SigPolicyQualifierInfo ::= SEQUENCE { + sigPolicyQualifierId SIG-POLICY-QUALIFIER.&id + ({SupportedSigPolicyQualifiers}), + qualifier SIG-POLICY-QUALIFIER.&Qualifier + ({SupportedSigPolicyQualifiers} + {@sigPolicyQualifierId})OPTIONAL } + + SupportedSigPolicyQualifiers SIG-POLICY-QUALIFIER ::= + { noticeToUser | pointerToSigPolSpec } + + SIG-POLICY-QUALIFIER ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Qualifier OPTIONAL } + WITH SYNTAX { + SIG-POLICY-QUALIFIER-ID &id + [SIG-QUALIFIER-TYPE &Qualifier] } + + noticeToUser SIG-POLICY-QUALIFIER ::= { + SIG-POLICY-QUALIFIER-ID id-spq-ets-unotice SIG-QUALIFIER-TYPE + SPUserNotice } + + pointerToSigPolSpec SIG-POLICY-QUALIFIER ::= { + SIG-POLICY-QUALIFIER-ID id-spq-ets-uri SIG-QUALIFIER-TYPE SPuri } + + id-spq-ets-uri OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-spq(5) 1 } + + SPuri ::= IA5String + + id-spq-ets-unotice OBJECT IDENTIFIER ::= { iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) + smime(16) id-spq(5) 2 } + + + +Pinkas, et al. Informational [Page 80] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + SPUserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL} + + NoticeReference ::= SEQUENCE { + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + + DisplayText ::= CHOICE { + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + utf8String UTF8String (SIZE (1..200)) } + +-- Optional Electronic Signature Attributes + +-- Commitment Type + + id-aa-ets-commitmentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 16} + + CommitmentTypeIndication ::= SEQUENCE { + commitmentTypeId CommitmentTypeIdentifier, + commitmentTypeQualifier SEQUENCE SIZE (1..MAX) OF + CommitmentTypeQualifier OPTIONAL} + + CommitmentTypeIdentifier ::= OBJECT IDENTIFIER + + CommitmentTypeQualifier ::= SEQUENCE { + commitmentQualifierId COMMITMENT-QUALIFIER.&id, + qualifier COMMITMENT-QUALIFIER.&Qualifier OPTIONAL } + + COMMITMENT-QUALIFIER ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Qualifier OPTIONAL } + WITH SYNTAX { + COMMITMENT-QUALIFIER-ID &id + [COMMITMENT-TYPE &Qualifier] } + +id-cti-ets-proofOfOrigin OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 1} + +id-cti-ets-proofOfReceipt OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 2} + +id-cti-ets-proofOfDelivery OBJECT IDENTIFIER ::= { iso(1) +member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) +cti(6) 3} + + + + +Pinkas, et al. Informational [Page 81] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +id-cti-ets-proofOfSender OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 4} + +id-cti-ets-proofOfApproval OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) cti(6) 5} + +id-cti-ets-proofOfCreation OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) cti(6) 6} + +-- Signer Location + +id-aa-ets-signerLocation OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 17} + + SignerLocation ::= SEQUENCE { + -- at least one of the following shall be present + countryName [0] DirectoryString{maxSize} OPTIONAL, + -- as used to name a Country in X.520 + localityName [1] DirectoryString{maxSize} OPTIONAL, + -- as used to name a locality in X.520 + postalAdddress [2] PostalAddress OPTIONAL } + + PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString{maxSize} + -- maxSize parametrization as specified in X.683 + +-- Signer Attributes + +id-aa-ets-signerAttr OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 18} + + SignerAttribute ::= SEQUENCE OF CHOICE { + claimedAttributes [0] ClaimedAttributes, + certifiedAttributes [1] CertifiedAttributes } + + ClaimedAttributes ::= SEQUENCE OF Attribute + + CertifiedAttributes ::= AttributeCertificate + -- as defined in RFC 3281: see Section 4.1 + +-- Content Timestamp + +id-aa-ets-contentTimestamp OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 20} + ContentTimestamp ::= TimeStampToken + + + + +Pinkas, et al. Informational [Page 82] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +-- Signature Timestamp + +id-aa-signatureTimeStampToken OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 14} + + SignatureTimeStampToken ::= TimeStampToken + +-- Complete Certificate Refs. + +id-aa-ets-certificateRefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 21} + +CompleteCertificateRefs ::= SEQUENCE OF OtherCertID + +-- Complete Revocation Refs + +id-aa-ets-revocationRefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 22} + + CompleteRevocationRefs ::= SEQUENCE OF CrlOcspRef + + CrlOcspRef ::= SEQUENCE { + crlids [0] CRLListID OPTIONAL, + ocspids [1] OcspListID OPTIONAL, + otherRev [2] OtherRevRefs OPTIONAL + } + + CRLListID ::= SEQUENCE { + crls SEQUENCE OF CrlValidatedID + } + + CrlValidatedID ::= SEQUENCE { + crlHash OtherHash, + crlIdentifier CrlIdentifier OPTIONAL } + + CrlIdentifier ::= SEQUENCE { + crlissuer Name, + crlIssuedTime UTCTime, + crlNumber INTEGER OPTIONAL + } + + OcspListID ::= SEQUENCE { + ocspResponses SEQUENCE OF OcspResponsesID + } + + OcspResponsesID ::= SEQUENCE { + ocspIdentifier OcspIdentifier, + + + +Pinkas, et al. Informational [Page 83] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + ocspRepHash OtherHash OPTIONAL + } + + OcspIdentifier ::= SEQUENCE { + ocspResponderID ResponderID, + -- As in OCSP response data + producedAt GeneralizedTime + -- As in OCSP response data + } + + OtherRevRefs ::= SEQUENCE { + otherRevRefType OTHER-REVOCATION-REF.&id, + otherRevRefs SEQUENCE OF OTHER-REVOCATION-REF.&Type + } + +OTHER-REVOCATION-REF ::= CLASS { + &Type, + &id OBJECT IDENTIFIER UNIQUE } + WITH SYNTAX { + WITH SYNTAX &Type ID &id } + +-- Certificate Values + +id-aa-ets-certValues OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 23} + +CertificateValues ::= SEQUENCE OF Certificate + +-- Certificate Revocation Values + +id-aa-ets-revocationValues OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 24} + + RevocationValues ::= SEQUENCE { + crlVals [0] SEQUENCE OF CertificateList OPTIONAL, + ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL, + + otherRevVals [2] OtherRevVals OPTIONAL + } + + OtherRevVals ::= SEQUENCE { + otherRevValType OTHER-REVOCATION-VAL.&id, + otherRevVals SEQUENCE OF OTHER-REVOCATION-REF.&Type + } + + OTHER-REVOCATION-VAL ::= CLASS { + &Type, + + + +Pinkas, et al. Informational [Page 84] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + &id OBJECT IDENTIFIER UNIQUE } + WITH SYNTAX { + WITH SYNTAX &Type ID &id } + +-- CAdES-C Timestamp +id-aa-ets-escTimeStamp OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 25} + + ESCTimeStampToken ::= TimeStampToken + +-- Time-Stamped Certificates and CRLs + +id-aa-ets-certCRLTimestamp OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 26} + + TimestampedCertsCRLs ::= TimeStampToken + +-- Archive Timestamp + +id-aa-ets-archiveTimestampV2 OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 48} + + ArchiveTimeStampToken ::= TimeStampToken + +-- Attribute certificate references + +id-aa-ets-attrCertificateRefs OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 44} + + AttributeCertificateRefs ::= SEQUENCE OF OtherCertID + +-- Attribute revocation references + +id-aa-ets-attrRevocationRefs OBJECT IDENTIFIER ::= +{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) +smime(16) id-aa(2) 45} + + AttributeRevocationRefs ::= SEQUENCE OF CrlOcspRef + +END + + + + + + + + +Pinkas, et al. Informational [Page 85] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +Annex B (Informative): Extended Forms of Electronic Signatures + + Section 4 provides an overview of the various formats of electronic + signatures included in the present document. This annex lists the + attributes that need to be present in the various extended electronic + signature formats and provides example validation sequences using the + extended formats. + +B.1. Extended Forms of Validation Data + + The Complete validation data (CAdES-C) described in Section 4.3 and + illustrated in Figure 3 may be extended to create electronic + signatures with extended validation data. Some electronic signature + forms that include extended validation are explained below. + + An X-Long electronic signature (CAdES-X Long) is the CAdES-C with the + values of the certificates and revocation information. + + This form of electronic signature can be useful when the verifier + does not have direct access to the following information: + + - the signer's certificate; + + - all the CA certificates that make up the full certification + path; + + - all the associated revocation status information, as referenced + in the CAdES-C. + + In some situations, additional time-stamps may be created and added + to the Electronic Signatures as additional attributes. For example: + + - time-stamping all the validation data as held with the ES + (CAdES-C), this eXtended validation data is called a CAdES-X + Type 1; or + + - time-stamping individual reference data as used for complete + validation. This form of eXtended validation data is called an + CAdES-X Type 2. + + NOTE 1: The advantages/drawbacks for CAdES-X Type 1 and CAdES-X + Type 2 are discussed in Annex C.4.4. + + The above time-stamp forms can be useful when it is required to + counter the risk that any CA keys used in the certificate chain may + be compromised. + + + + + +Pinkas, et al. Informational [Page 86] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + A combination of the two formats above may be used. This form of + eXtended validation data is called an ES X-Long Type 1 or CAdES-X + Long Type 2. This form of electronic signature can be useful when + the verifier needs both the values and proof of when the validation + data existed. + + NOTE 2: The advantages/drawbacks for CAdES-X long Type 1 and + CAdES-X long Type 2 are discussed in Annex C.4.6. + +B.1.1. CAdES-X Long + + An electronic signature with the additional validation data forming + the CAdES-X Long form (CAdES-X-Long) is illustrated in Figure B.1 and + comprises the following: + + - CAdES-BES or CAdES-EPES, as defined in Sections 4.3 , 5.7, or + 5.8; + + - complete-certificate-references attribute, as defined in Section + 6.2.1; + + - complete-revocation-references attribute, as defined in Section + 6.2.2. + + The following attributes are required if a TSP is not providing a + time-mark of the ES: + + - signature-time-stamp attribute, as defined in Section 6.1.1. + + The following attributes are required if the full certificate values + and revocation values are not already included in the CAdES-BES or + CAdES-EPES: + + - certificate-values attribute, as defined in Section 6.3.3; + + - revocation-values attribute, as defined in Section 6.3.4. + + If attributes certificates are used, then the following attributes + may be present: + + - attribute-certificate-references attribute, defined in Section + 6.2.3; + + - attribute-revocation-references attribute, as defined in Section + 6.2.4. + + Other unsigned attributes may be present, but are not required. + + + + +Pinkas, et al. Informational [Page 87] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE: Attribute certificate and revocation references are only + present if a user attribute certificate is present in the + electronic signature; see Sections 6.2.2 and 6.2.3. + ++---------------------- CAdES-X-Long --------------------------------+ +|+-------------------------------------- CAdES-C ---+ | +|| +----------+ | +-------------+| +||+----- CAdES-BES or CAdES-EPES ----+ |Timestamp | | | || +||| | |over | | | Complete || +|||+---------++----------++---------+| |digital | | | certificate || +|||| || || || |signature | | | and || +||||Signer's || Signed ||Digital || | | | | revocation || +||||Document ||Attributes||signature|| |Optional | | | data || +|||| || || || |when | | | || +|||+---------++----------++---------+| |timemarked| | | || +||+----------------------------------+ +----------+ | | || +|| +-----------+| +-------------+| +|| |Complete || | +|| |certificate|| | +|| |and || | +|| |revocation || | +|| |references || | +|| +-----------+| | +|+--------------------------------------------------+ | +| | ++--------------------------------------------------------------------+ + + Figure B.1: Illustration of CAdES-X-Long + +B.1.2. CAdES-X Type 1 + + An electronic signature with the additional validation data forming + the eXtended validation data - Type 1 X is illustrated in Figure B.2 + and comprises the following: + + - the CAdES-BES or CAdES-EPES, as defined in Sections 4.2, 5.7, or + 5.8; + + - complete-certificate-references attribute, as defined in Section + 6.2.1; + + - complete-revocation-references attribute, as defined in Section + 6.2.2; + + - CAdES-C-Timestamp attribute, as defined in Section 6.3.5. + + + + + + +Pinkas, et al. Informational [Page 88] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The following attributes are required if a TSP is not providing a + time-mark of the ES: + + - signature-time-stamp attribute, as defined in Section 6.1.1. + + If attributes certificates are used, then the following attributes + may be present: + + - attribute-certificate-references attribute, defined in Section + 6.2.3; + + - attribute-revocation-references attribute, as defined in Section + 6.2.4. + + Other unsigned attributes may be present, but are not required. + ++------------------------ CAdES-X-Type 1 ----------------------------+ +|+---------------------------------- CAdES-C ------+ | +|| +----------+ | +-------------+ | +||+--- CAdES-BES or CAdES-EPES ------+|Timestamp | | | | | +||| ||over | | | | | +|||+---------++----------++---------+||digital | | | | | +||||Signer's || Signed || Digital |||signature | | | Timestamp | | +||||Document ||Attributes||signature||| | | | over | | +|||| || || |||Optional | | | CAdES-C | | +|||+---------++----------++---------+||when | | | | | +||+----------------------------------+|timemarked| | | | | +|| +----------+ | | | | +|| +-----------+| +-------------+ | +|| |Complete || | +|| |certificate|| | +|| | and || | +|| |revocation || | +|| |references || | +|| +-----------+| | +|+-------------------------------------------------+ | +| | ++--------------------------------------------------------------------+ + + Figure B.2: Illustration of CAdES-X Type 1 + + + + + + + + + + + +Pinkas, et al. Informational [Page 89] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +B.1.3. CAdES-X Type 2 + + An electronic signature with the additional validation data forming + the eXtended Validation Data - Type 2 X is illustrated in Figure B.3 + and comprises the following: + + - CAdES-BES or CAdES-EPES, as defined in Sections 4.2, 5.7, or + 5.8; + + - complete-certificate-references attribute, as defined in Section + 6.2.1; + + - complete-revocation-references attribute, as defined in Section + 6.2.2; + + - time-stamped-certs-crls-references attribute, as defined in + Section 6.3.6. + + The following attributes are required if a TSP is not providing a + time-mark of the ES: + + - signature-time-stamp attribute, as defined in Section 6.1.1. + + If attributes certificates are used, then the following attributes + may be present: + + - attribute-certificate-references attribute, defined in Section + 6.2.3; + + - attribute-revocation-references attribute, as defined in Section + 6.2.4. + + Other unsigned attributes may be present, but are not required. + + + + + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 90] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + ++----------------------- CAdES-X-Type 2 -----------------------------+ +|+-------------------------------------- CAdES-C --+ | +|| +----------+ | | +||+-- CAdES-BES or CAdES-EPES -------+|Timestamp | | | +||| ||over | | | +|||+---------++----------++---------+||digital | | +-------------+ | +|||| || || |||Signature | | | Timestamp | | +||||Signer's || Signed || Digital ||| | | | only over | | +||||Document ||Attributes||signature|||Optional | | | Complete | | +|||| || || |||when | | | certificate | | +|||+---------++----------++---------+||Timemarked| | | and | | +||+----------------------------------++----------+ | | revocation | | +|| +-----------+| | references | | +|| |Complete || +-------------+ | +|| |certificate|| | +|| |and || | +|| |revocation || | +|| |references || | +|| +-----------+| | +|+-------------------------------------------------+ | +| | ++--------------------------------------------------------------------+ + + Figure B.3: Illustration of CAdES-X Type 2 + +B.1.4. CAdES-X Long Type 1 and CAdES-X Long Type 2 + + An electronic signature with the additional validation data forming + the CAdES-X Long Type 1 and CAdES-X Long Type 2 is illustrated in + Figure B.4 and comprises the following: + + - CAdES-BES or CAdES-EPES, as defined in Sections 4.3, 5.7, or + 5.8; + + - complete-certificate-references attribute, as defined in Section + 6.2.1; + + - complete-revocation-references attribute, as defined in Section + 6.2.2; + + The following attributes are required if a TSP is not providing a + time-mark of the ES: + + - signature-time-stamp attribute, as defined in Section 6.1.1. + + + + + + + +Pinkas, et al. Informational [Page 91] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + The following attributes are required if the full certificate values + and revocation values are not already included in the CAdES-BES or + CAdES-EPES: + + - certificate-values attribute, as defined in Section 6.3.3; + + - revocation-values attribute, as defined in Section 6.3.4. + + If attributes certificates are used, then the following attributes + may be present: + + - attribute-certificate-references attribute, defined in Section + 6.2.3; + + - attribute-revocation-references attribute, as defined in Section + 6.2.4. + + Plus one of the following attributes is required: + + - CAdES-C-Timestamp attribute, as defined in Section 6.3.5; + + - time-stamped-certs-crls-references attribute, as defined in + Section 6.3.6. + + Other unsigned attributes may be present, but are not required. + + + + + + + + + + + + + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 92] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + +---------------------- CAdES-X-Type 1 or 2 ------------------------+ + | +--------------+| + |+-------------------------------------- CAdES-C --+|+------------+|| + || +----------+ ||| Timestamp ||| + ||+-- CAdES-BES or CAdES-EPES -------+|Timestamp | ||| over ||| + ||| ||over | ||| CAdES-C ||| + |||+---------++----------++---------+||digital | | +------------+ | + |||| || || |||signature | || or || + ||||Signer's || Signed || Digital ||| | ||+------------+|| + ||||Document ||Attributes||Signature|||Optional | ||| Timestamp ||| + |||| || || |||when | ||| only over ||| + |||+---------++----------++---------+||timemarked| ||| complete ||| + ||+----------------------------------++----------+ ||| certificate||| + || ||| and ||| + || +-----------+||| revocation ||| + || |Complete |||| references ||| + || |certificate|||+------------+|| + || |and ||+--------------+| + || |revocation || +------------+ | + || |references || |Complete | | + || +-----------+| |certificate | | + |+-------------------------------------------------+ | and | | + | |revocation | | + | | values | | + | +------------+ | + +-------------------------------------------------------------------+ + + Figure B.4: Illustration of CAdES-X Long Type 1 + and CAdES-X Long Type 2 + +B.2. Time-Stamp Extensions + + Each instance of the time-stamp attribute may include, as unsigned + attributes in the signedData of the time-stamp, the following + attributes related to the TSU: + + - complete-certificate-references attribute of the TSU, as defined + in Section 6.2.1; + + - complete-revocation-references attribute of the TSU, as defined + in Section 6.2.2; + + - certificate-values attribute of the TSU, as defined in Section + 6.3.3; + + - revocation-values attribute of the TSU, as defined in Section + 6.3.4. + + + + +Pinkas, et al. Informational [Page 93] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Other unsigned attributes may be present, but are not required. + +B.3. Archive Validation Data (CAdES-A) + + Before the algorithms, keys, and other cryptographic data used at the + time the CAdES-C was built become weak and the cryptographic + functions become vulnerable, or the certificates supporting previous + time-stamps expire, the signed data, the CAdES-C, and any additional + information (i.e., any CAdES-X) should be time-stamped. If possible, + this should use stronger algorithms (or longer key lengths) than in + the original time-stamp. This additional data and time-stamp is + called Archive validation data required for the ES Archive format + (CAdES-A). The Time-stamping process may be repeated every time the + protection used to time-stamp a previous CAdES-A becomes weak. A + CAdES-A may thus bear multiple embedded time-stamps. + + An example of an electronic signature (ES), with the additional + validation data for the CAdES-C and CAdES-X forming the CAdES-A is + illustrated in Figure B.5. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 94] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + ++--------------------------- CAdES-A---------------------------------+ +|+----------------------------------------------------+ | +|| +--------------+| +----------+ | +||+--------------------- CAdES-C ----+|+------------+|| | | | +||| +----------+ ||| Timestamp ||| | | | +|||+-- CAdES-BES ------+|Timestamp | ||| over ||| | | | +|||| or CAdES-EPES ||over | ||| CAdES-C ||| | Archive | | +|||| ||digital | ||+------------+|| | | | +|||| ||signature | || or || |Timestamp | | +|||| || | ||+------------+|| | | | +|||| ||optional | ||| Timestamp ||| | | | +|||| ||when | ||| only over ||| | | | +|||| ||timemarked| ||| complete ||| | | | +|||+-------------------++----------+ ||| certificate||| +----------+ | +||| ||| and ||| | +||| +-------------+||| revocation ||| | +||| | Complete |||| references ||| | +||| | certificate |||+------------+|| | +||| | and ||+--------------+| | +||| | revocation || +------------+ | | +||| | references || |Complete | | | +||| +-------------+| |certificate | | | +||+----------------------------------+ | and | | | +|| |revocation | | | +|| | values | | | +|| +------------+ | | +|+----------------------------------------------------+ | ++--------------------------------------------------------------------+ + + Figure B.5: Illustration of CAdES-A + + The CAdES-A comprises the following elements: + + - the CAdES-BES or CAdES-EPES, including their signed and unsigned + attributes; + + - complete-certificate-references attribute, as defined in Section + 6.2.1; + + - complete-revocation-references attribute, as defined in Section + 6.2.2. + + The following attributes are required if a TSP is not providing a + time-mark of the ES: + + - signature-time-stamp attribute, as defined in Section 6.1.1. + + + + + +Pinkas, et al. Informational [Page 95] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + If attributes certificates are used, then the following attributes + may be present: + + - attribute-certificate-references attribute, defined in Section + 6.2.3; + + - attribute-revocation-references attribute, as defined in Section + 6.2.4. + + The following attributes are required if the full certificate values + and revocation values are not already included in the CAdES-BES or + CAdES-EPES: + + - certificate-values attribute, as defined in Section 6.3.3; + + - revocation-values attribute, as defined in Section 6.3.4. + + At least one of the following two attributes is required: + + - CAdES-C-Timestamp attribute, as defined in Section 6.3.5; + + - time-stamped-certs-crls-references attribute, as defined in + Section 6.3.6. + + The following attribute is required: + + - archive-time-stamp attributes, defined in Section 6.4.1. + + Several instances of the archive-time-stamp attribute may occur with + an electronic signature, both over time and from different TSUs. The + time-stamp should be created using stronger algorithms (or longer key + lengths) than in the original electronic signatures or time-stamps. + + Other unsigned attributes of the ES may be present, but are not + required. + + The archive-time-stamp will itself contain the certificate and + revocation information required to validate the archive-time-stamp; + this may include the following unsigned attributes: + + - complete-certificate-references attribute of the TSU, as defined + in Section 6.2.1; + + - complete-revocation-references attribute of the TSU, as defined + in Section 6.2.2; + + - certificate-values attribute of the TSU, as defined in Section + 6.3.3; + + + +Pinkas, et al. Informational [Page 96] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - revocation-values attribute of the TSU, as defined in Section + 6.3.4. + + Other unsigned attributes may be present, but are not required. + +B.4. Example Validation Sequence + + As described earlier, the signer or initial verifier may collect all + the additional data that forms the electronic signature. Figure B.6 + and the subsequent description describe how the validation process + may build up a complete electronic signature over time. + ++------------------------------------------ CAdES-C -------------+ +|+------------------------------- CAdES-T ------+ | +||+-------------- CAdES ------------+ | | +|||+--------------------++---------+|+---------+| +-----------+ | +|||| ________ || |||Timestamp|| |Complete | | +|||||Sign.Pol| ||Digital |||over || |certificate| | +||||| Id. | Signed ||signature|||digital || | and | | +||||| option.|attributes|| |||signature|| |revocation | | +|||||________| |+---------+|+---------+| |references | | +|||+--------------------+ | ^ | +-----------+ | +||+---------------------------------+ | | ^ | +|| 1 | / | | | +|+---------------------- | ------------/--------+ | | ++----------------------- | ---------- / --------------- / -------+ + | /2 ----3-------- + +----------+ | / / + | | v / | + | Signer's | +---------------------+ +-------------+ + | document |----->| Validation Process |---->|- Valid | + | | +---------------------+ 4 |- Invalid | + +----------+ | ^ | ^ |- Validation | + v | v | | Incomplete | + +---------+ +--------+ +-------------+ + |Signature| |Trusted | + | Policy | |Service | + | Issuer | |Provider| + +---------+ +--------+ + + Figure B.6: Illustration of a CAdES validation sequence + + Soon after receiving the electronic signature (CAdES) from the signer + (1), the digital signature value may be checked; the validation + process shall at least add a time-stamp (2), unless the signer has + provided one which is trusted by the verifier. The validation + process may also validate the electronic signature using additional + data (e.g., certificates, CRL, etc.) provided by Trusted Service + + + +Pinkas, et al. Informational [Page 97] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Providers. When applicable, the validation process will also need to + conform to the requirements specified in a signature policy. If the + validation process is validation incomplete, then the output from + this stage is the CAdES-T. + + To ascertain the validity status as Valid or Invalid and communicate + that to the user (4), all the additional data required to validate + the CAdES-C must be available (e.g., the complete certificate and + revocation information). + + Once the data needed to complete validation data references (CAdES-C) + is available, then the validation process should: + + - obtain all the necessary additional certificates and revocation + status information; + + - complete all the validation checks on the ES using the complete + certificate and revocation information (if a time-stamp is not + already present, this may be added at the same stage, combining + the CAdES-T and CAdES-C processes); + + - record the complete certificate and revocation references (3); + + - indicate the validity status to the user (4). + + At the same time as the validation process creates the CAdES-C, the + validation process may provide and/or record the values of + certificates and revocation status information used in CAdES-C (5). + The end result is called CAdES-X Long. + + This is illustrated in Figure B.7. + + + + + + + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 98] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + ++----------------------------------------------------- CAdES-X Long -+ +|+------------------------------- CAdES-C -------------+ | +||+-------------- CAdES ------------+ | | +|||+--------------------++---------+|+---------+ |+-----------+| +|||| ________ || |||Timestamp| ||Complete || +|||||Sign.Pol| ||Digital |||over | ||certificate|| +||||| Id. | Signed ||signature|||digital | || and || +||||| option.|attributes|| |||signature| ||revocation || +|||||________| || ||+---------+ || values || +|||+--------------------++---------+| ^ +-----------+|+-----------+| +||+---------------------------------+ | |Complete || ^ | +|| | | |certificate|| | | +|| | 2 | | and || | | +|| | | |revocation || | | +|| | | |references || | | +|| 1 | / +-----------+| | | +|+------------------------ | ------- / --------- ^-----+ / | ++------------------------- | ------ / ---------- |--------- / -------+ + | / ----- / ------- / + +----------+ | / / 3 / 5 + | | v | | | + | Signer's | +--------------------+ +-----------+ + | document |----->| Validation Process |----->| - Valid | + | | +--------------------+ 4 | - Invalid | + +----------+ | ^ | ^ +-----------+ + v | v | + +---------+ +--------+ + |Signature| |Trusted | + | Policy | |Service | + | Issuer | |Provider| + +---------+ +--------+ + + Figure B.7: Illustration of a CAdES validation sequence + with CAdES-X Long + + When the validation process creates the CAdES-C, it may also create + extended forms of validation data. + + A first alternative is to time-stamp all data forming the CAdES-X + Type 1. + + This is illustrated in Figure B.8. + + + + + + + + + +Pinkas, et al. Informational [Page 99] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + ++------------------------------------------------ CAdES-X Type 1 -----+ +|+------------------------------- CAdES-C ------------------+ | +||+-------------- CAdES ------------+ | | +|||+--------------------++---------+|+---------++----------+|+-------+| +|||| ________ || |||Timestamp|| Complete ||| || +|||||Sign.Pol| ||Digital |||over || cert. |||Time- || +||||| Id. | Signed ||signature|||digital || and |||stamp || +||||| option.|attributes|| |||signature|| revoc. ||| over || +|||||________| |+---------+|+---------+|references|||CAdES-C|| +|||+--------------------+ | ^ | ||| || +||+---------------------------------+ | +----------+|+-------+| +|| | | ^ | ^ | +|| 1 | / | | | | +|+------------------------ | --------- / ----------- / -----+ | | ++------------------------- | -------- / ----------- / --------- / ----+ + | 2 / ---3---- / + +----------+ | / / -----------5------ + | | v | | / + | Signer's | +--------------------+ +-----------+ + | document |----->| Validation Process |-----> | - Valid | + | | +--------------------+ 4 | - Invalid | + +----------+ | ^ | ^ +-----------+ + v | v | + +---------+ +--------+ + |Signature| |Trusted | + | Policy | |Service | + | Issuer | |Provider| + +---------+ +--------+ + + Figure B.8: Illustration of CAdES with eXtended validation data + CAdES-X Type 1 + + Another alternative is to time-stamp the certificate and revocation + information references used to validate the electronic signature (but + not the signature) (6). The end result is called CAdES-X Type 2. + + This is illustrated in Figure B.9. + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 100] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + ++-------------------------------------------- CAdES-X Type 2 --------+ +|+------------------------------- CAdES-C -------------+ | +||+-------------- CAdES ------------+ | | +|||+--------------------++---------+|+---------+ |+-----------+| +|||| ________ || |||Timestamp| ||Timestamp || +|||||Sign.Pol| || |||over | || over || +||||| Id. | Signed ||Digital |||digital | ||complete || +||||| option.|attributes||signature|||signature| ||certificate|| +|||||________| || ||| | || || +|||+--------------------++---------+|+---------+ || and || +||+---------------------------------+ ^ +-----------+||revocation || +|| | | |Complete |||references || +|| | | |certificate||+-----------+| +|| | | | and || ^ | +|| 1 | 2 | |revocation || | | +|| | | |references || | | +|| | | +-----------+| | | +|+------------------------ | --------- | --- ^ --------+ | | +| | | 3 | / | +| | | / ---------- | +| | / / / 6 | +| | / / / | +| | / / / | ++------------------------- | ----- | -- | -- / ----------------------+ + | | | | + v | | | + +--------------------+ +-----------+ + | Validation Process |----->| - Valid | + +--------------------+ 4 | - Invalid | + | ^ | ^ +-----------+ + v | v | + +---------+ +--------+ + |Signature| |Trusted | + | Policy | |Service | + | Issuer | |Provider| + +---------+ +--------+ + + Figure B.9: Illustration of CAdES with eXtended validation data + CAdES-X Type 2 + + Before the algorithms used in any of the electronic signatures become + or are likely to be compromised or rendered vulnerable in the future, + it may be necessary to time-stamp the entire electronic signature, + including all the values of the validation and user data as an ES + with Archive validation data (CAdES-A) (7). + + A CAdES-A is illustrated in Figure B.10. + + + + +Pinkas, et al. Informational [Page 101] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + ++----------------------------- CAdES-A ---------------------------+ +| | +| +-- CAdES-X Long Type 1 or 2 ----------+ | +| | | +------------+ | +| | | | | | +| | | | Archive | | +| | | | Time-stamp | | +| | | | | | +| | | +------------+ | +| +---------------------------------------+ ^ | +| +----------+ ^ ^ ^ ^ | | +| | | | | | | / | +| | Signers' | | | | | / | +| | Document |\ | | | | / | +| | | \ 1 2 | 3 | 5 | 6 | 7 / | +| +----------+ \ | | | | / | +| \ | | | | / | ++----------------- \ --- | - | - | - | ------ / ------------------+ + \ | | | | | + | | | | | | + | | | | | | + v v | | | | + +-----------------------------+ +-----------+ + | Validation Process |----->| - Valid | + +-----------------------------+ 4 | - Invalid | + | ^ | ^ +-----------+ + v | v | + +---------+ +--------+ + |Signature| |Trusted | + | Policy | |Service | + | Issuer | |Provider| + +---------+ +--------+ + + Figure B.10: Illustration of CAdES-A + +B.5. Additional Optional Features + + The present document also defines additional optional features to: + + - indicate a commitment type being made by the signer; + + - indicate the claimed time when the signature was done; + + - indicate the claimed location of the signer; + + - indicate the claimed or certified role under which a signature + was created; + + + + +Pinkas, et al. Informational [Page 102] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - support counter signatures; + + - support multiple signatures. + +Annex C (Informative): General Description + + This annex explains some of the concepts and provides the rationale + for normative parts of the present document. + + The specification below includes a description of why and when each + component of an electronic signature is useful, with a brief + description of the vulnerabilities and threats and the manner by + which they are countered. + +C.1. The Signature Policy + + The signature policy is a set of rules for the creation and + validation of an electronic signature, under which the signature can + be determined to be valid. A given legal/contractual context may + recognize a particular signature policy as meeting its requirements. + A signature policy may be issued, for example, by a party relying on + the electronic signatures and selected by the signer for use with + that relying party. Alternatively, a signature policy may be + established through an electronic trading association for use amongst + its members. Both the signer and verifier use the same signature + policy. + + The signature policy may be explicitly identified or may be implied + by the semantics of the data being signed and other external data, + like a contract being referenced, which itself refers to a signature + policy. An explicit signature policy has a globally unique + reference, which is bound to an electronic signature by the signer as + part of the signature calculation. + + The signature policy needs to be available in human readable form so + that it can be assessed to meet the requirements of the legal and + contractual context in which it is being applied. To facilitate the + automatic processing of an electronic signature, the parts of the + signature policy, which specify the electronic rules for the creation + and validation of the electronic signature, also need to be + comprehensively defined and in a computer-processable form. + + The signature policy thus includes the following: + + - rules that apply to technical validation of a particular + signature; + + + + + +Pinkas, et al. Informational [Page 103] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - rules that may be implied through adoption of Certificate + Policies that apply to the electronic signature (e.g., rules for + ensuring the secrecy of the private signing key); + + - rules that relate to the environment used by the signer, e.g., + the use of an agreed CAD (Card Accepting Device) used in + conjunction with a smart card. + + For example, the major rules required for technical validation can + include: + + - recognized root keys or "top-level certification authorities"; + + - acceptable certificate policies (if any); + + - necessary certificate extensions and values (if any); + + - the need for the revocation status for each component of the + certification tree; + + - acceptable TSAs (if time-stamp tokens are being used); + + - acceptable organizations for keeping the audit trails with + time-marks (if time-marking is being used); + + - acceptable AAs (if any are being used),and; + + - rules defining the components of the electronic signature that + shall be provided by the signer with data required by the + verifier when required to provide long-term proof. + +C.2. Signed Information + + The information being signed may be defined as a MIME-encapsulated + message that can be used to signal the format of the content in order + to select the right display or application. It can be composed of + formatted data, free text, or fields from an electronic form + (e-form). For example, the Adobe(tm) format "pdf" or the eXtensible + Mark up Language (XML) may be used. Annex D defines how the content + may be structured to indicate the type of signed data using MIME. + +C.3. Components of an Electronic Signature + +C.3.1. Reference to the Signature Policy + + When two independent parties want to evaluate an electronic + signature, it is fundamental that they get the same result. This + requirement can be met using comprehensive signature policies that + + + +Pinkas, et al. Informational [Page 104] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + ensure consistency of signature validation. Signature policies can + be identified implicitly by the data being signed, or they can be + explicitly identified using the CAdES-EPES form of electronic + signature; the CAdES-EPES mandates a consistent signature policy must + be used by both the signer and verifier. + + By signing over the Signature Policy Identifier in the CAdES-EPES, + the signer explicitly indicates that he or she has applied the + signature policy in creating the signature. + + In order to unambiguously identify the details of an explicit + signature policy that is to be used to verify a CAdES-EPES, the + signature, an identifier, and hash of the "Signature policy" shall be + part of the signed data. Additional information about the explicit + policy (e.g., web reference to the document) may be carried as + "qualifiers" to the Signature Policy Identifier. + + In order to unambiguously identify the authority responsible for + defining an explicit signature policy, the "Signature policy" can be + signed. + +C.3.2. Commitment Type Indication + + The commitment type can be indicated in the electronic signature + either: + + - explicitly using a "commitment type indication" in the + electronic signature; + + - implicitly or explicitly from the semantics of the signed data. + + If the indicated commitment type is explicit using a "commitment type + indication" in the electronic signature, acceptance of a verified + signature implies acceptance of the semantics of that commitment + type. The semantics of explicit commitment type indications may be + subject to signer and verifier agreement, specified as part of the + signature policy or registered for generic use across multiple + policies. + + If a CAdES-EPES electronic signature format is used and the + electronic signature includes a commitment type indication other than + one of those recognized under the signature policy, the signature + shall be treated as invalid. + + How commitment is indicated using the semantics of the data being + signed is outside the scope of the present document. + + + + + +Pinkas, et al. Informational [Page 105] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE: Examples of commitment indicated through the semantics of + the data being signed are: + + - an explicit commitment made by the signer indicated by the type + of data being signed over. Thus, the data structure being + signed can have an explicit commitment within the context of the + application (e.g., EDIFACT purchase order); + + - an implicit commitment that is a commitment made by the signer + because the data being signed over has specific semantics + (meaning), which is only interpretable by humans, (i.e., free + text). + +C.3.3. Certificate Identifier from the Signer + + In many real-life environments, users will be able to get from + different CAs or even from the same CA, different certificates + containing the same public key for different names. The prime + advantage is that a user can use the same private key for different + purposes. Multiple use of the private key is an advantage when a + smart card is used to protect the private key, since the storage of a + smart card is always limited. When several CAs are involved, each + different certificate may contain a different identity, e.g., as a + citizen of a nation or as an employee from a company. Thus, when a + private key is used for various purposes, the certificate is needed + to clarify the context in which the private key was used when + generating the signature. Where there is the possibility that + multiple private keys are used, it is necessary for the signer to + indicate to the verifier the precise certificate to be used. + + Many current schemes simply add the certificate after the signed data + and thus are vulnerable to substitution attacks. If the certificate + from the signer was simply appended to the signature and thus not + protected by the signature, anyone could substitute one certificate + for another, and the message would appear to be signed by someone + else. In order to counter this kind of attack, the identifier of the + signer has to be protected by the digital signature from the signer. + + In order to unambiguously identify the certificate to be used for the + verification of the signature, an identifier of the certificate from + the signer shall be part of the signed data. + +C.3.4. Role Attributes + + While the name of the signer is important, the position of the signer + within a company or an organization is of paramount importance as + well. Some information (i.e., a contract) may only be valid if + signed by a user in a particular role, e.g., a Sales Director. In + + + +Pinkas, et al. Informational [Page 106] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + many cases, who the sales Director really is, is not that important, + but being sure that the signer is empowered by his company to be the + Sales Director is fundamental. + + The present document defines two different ways for providing this + feature: + + - by placing a claimed role name in the CMS signed attributes + field; + + - by placing an attribute certificate containing a certified role + name in the CMS signed attributes field. + + NOTE: Another possible approach would have been to use additional + attributes containing the roles name(s) in the signer's identity + certificate. However, it was decided not to follow this approach + as it significantly complicates the management of certificates. + For example, by using separate certificates for the signer's + identity and roles means new identity keys need not be issued if a + user's role changes. + +C.3.4.1. Claimed Role + + The signer may be trusted to state his own role without any + certificate to corroborate this claim; in which case, the claimed + role can be added to the signature as a signed attribute. + +C.3.4.2. Certified Role + + Unlike public key certificates that bind an identifier to a public + key, Attribute Certificates bind the identifier of a certificate to + some attributes, like a role. An Attribute Certificate is NOT issued + by a CA but by an Attribute Authority (AA). The Attribute Authority, + in most cases, might be under the control of an organization or a + company that is best placed to know which attributes are relevant for + which individual. The Attribute Authority may use or point to public + key certificates issued by any CA, provided that the appropriate + trust may be placed in that CA. Attribute Certificates may have + various periods of validity. That period may be quite short, e.g., + one day. While this requires that a new Attribute Certificate be + obtained every day, valid for that day, this can be advantageous + since revocation of such certificates may not be needed. When + signing, the signer will have to specify which Attribute Certificate + it selects. In order to do so, the Attribute Certificate will have + to be included in the signed data in order to be protected by the + digital signature from the signer. + + + + + +Pinkas, et al. Informational [Page 107] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + In order to unambiguously identify the attribute certificate(s) to be + used for the verification of the signature, an identifier of the + attribute certificate(s) from the signer shall be part of the signed + data. + +C.3.5. Signer Location + + In some transactions, the purported location of the signer at the + time he or she applies his signature may need to be indicated. For + this reason, an optional location indicator shall be able to be + included. + + In order to provide indication of the location of the signer at the + time he or she applied his signature, a location attribute may be + included in the signature. + +C.3.6. Signing Time + + The present document provides the capability to include a claimed + signing time as an attribute of an electronic signature. + + Using this attribute, a signer may sign over a time that is the + claimed signing time. When an ES with Time is created (CAdES-T), + then either a trusted time-stamp is obtained and added to the ES or a + trusted time-mark exists in an audit trail. When a verifier accepts + a signature, the two times shall be within acceptable limits. + + A further optional attribute is defined in the present document to + time-stamp the content and to provide proof of the existence of the + content, at the time indicated by the time-stamp token. + + Using this optional attribute, a trusted secure time may be obtained + before the document is signed and included under the digital + signature. This solution requires an online connection to a trusted + time-stamping service before generating the signature and may not + represent the precise signing time, since it can be obtained in + advance. However, this optional attribute may be used by the signer + to prove that the signed object existed before the date included in + the time-stamp (see Section 5.11.4). + +C.3.7. Content Format + + When presenting signed data to a human user, it may be important that + there is no ambiguity as to the presentation of the signed + information to the relying party. In order for the appropriate + representation (text, sound, or video) to be selected by the relying + party when data (as opposed to data that has been further signed or + encrypted) is encapsulated in the SignedData (indicated by the + + + +Pinkas, et al. Informational [Page 108] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + eContentType within EncapsulatedContentInfo being set to id-data), + further typing information should be used to identify the type of + document being signed. This is generally achieved using the MIME + content typing and encoding mechanism defined in RFC 2045 [6]). + Further information on the use of MIME is given in Annex F. + +C.3.8. content-hints + + The contents-hints attribute provides information on the innermost + signed content of a multi-layer message where one content is + encapsulated in another. This may be useful if the signed data is + itself encrypted. + +C.3.9. Content Cross-Referencing + + When presenting a signed data is in relation to another signed data, + it may be important to identify the signed data to which it relates. + The content-reference and content-identifier attributes, as defined + in ESS (RFC 2634 [5]), provide the ability to link a request and + reply messages in an exchange between two parties. + +C.4. Components of Validation Data + +C.4.1. Revocation Status Information + + A verifier will have to ascertain that the certificate of the signer + was valid at the time of the signature. This can be done by either: + + - using Certificate Revocation Lists (CRLs); + + - using responses from an online certificate status server (for + example, obtained through the OCSP protocol). + + NOTE 1: The time of the signature may not be known, so + time-stamping or time-marking may be used to provide the time + indication of when it was known that the signature existed. + + NOTE 2: When validating an electronic signature and checking + revocation status information, if a "grace period" is required, it + needs to be suitably long enough to allow the involved authority + to process a "last-minute" revocation request and for the request + to propagate through the revocation system. This grace period is + to be added to the time included with the time-stamp token or the + time-mark, and thus the revocation status information should be + captured after the end of the grace period. + + + + + + +Pinkas, et al. Informational [Page 109] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +C.4.1.1. CRL Information + + When using CRLs to get revocation information, a verifier will have + to make sure that he or she gets, at the time of the first + verification, the appropriate certificate revocation information from + the signer's CA. This should be done as soon as possible to minimize + the time delay between the generation and verification of the + signature. However, a "grace period" is required to allow CAs time + to process revocation requests. + + For example, a revocation request may arrive at a CA just before + issuing the next CRL, and there may not enough time to include the + revised revocation status information. This involves checking that + the signer certificate serial number is not included in the CRL. + Either the signer, the initial verifier, or a subsequent verifier may + obtain this CRL. If obtained by the signer, then it shall be + conveyed to the verifier. It may be convenient to archive the CRL + for ease of subsequent verification or arbitration. Alternatively, + provided the CRL is archived elsewhere, which is accessible for the + purpose of arbitration, then the serial number of the CRL used may be + archived together with the verified electronic signature as a CAdES-C + form. + + Even if the certificate serial number appears in the CRL with the + status "suspended" (i.e., on hold), the signature is not to be deemed + as valid since a suspended certificate is not supposed to be used + even by its rightful owner. + +C.4.1.2. OCSP Information + + When using OCSP to get revocation information, a verifier will have + to make sure that he or she gets, at the time of the first + verification, an OCSP response that contains the status "valid". + This should be done as soon as possible after the generation of the + signature, still providing a "grace period" suitable enough to allow + the involved authority to process a "last-minute" revocation request. + The signer, the verifier, or any other third party may fetch this + OCSP response. Since OCSP responses are transient and thus are not + archived by any TSP, including CA, it is the responsibility of every + verifier to make sure that it is stored in a safe place. The + simplest way is to store them associated with the electronic + signature. An alternative would be to store them so that they can + then be easily retrieved and incorporate references to them in the + electronic signature itself as a CAdES-C form. + + + + + + + +Pinkas, et al. Informational [Page 110] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + In the same way as for the case of the CRL, it may happen that the + certificate is declared as invalid but with the secondary status + "suspended". In such a case, the same comment as for the CRL + applies. + +C.4.2. Certification Path + + A verifier may have to ascertain that the certification path was + valid, at the time of the signature, up to a trust point, according + to the: + + - naming constraints; + - certificate policy constraints; + - signature policy, when applicable. + + Since the time of the signature cannot be known with certainty, an + upper limit of it should be used as indicated by either the + time-stamp or time-mark. + + In this case, it will be necessary to capture all the certificates + from the certification path, starting with those from the signer and + ending up with those of the self-signed certificate from one trusted + root; when applicable, this may be specified as part of the Signature + Policy. In addition, it will be necessary to capture the Certificate + Authority Revocation Lists (CARLs) to prove that none of the CAs from + the chain were revoked at the time of the signature. Again, all this + material may be incorporated in the electronic signature (ES X + forms). An alternative would be to store this information so that it + can be easily retrieved and incorporate references to it in the + electronic signature itself as a CAdES-C form. + +C.4.3. Time-Stamping for Long Life of Signatures + + An important property for long-standing signatures is that a + signature, having been found once to be valid, shall continue to be + so months or years later. + + A signer, verifier, or both may be required to provide, on request, + proof that a digital signature was created or verified during the + validity period of all the certificates that make up the certificate + path. In this case, the signer, verifier, or both will also be + required to provide proof that the signer's certificate and all the + CA certificates used to form a valid certification path were not + revoked when the signature was created or verified. + + + + + + + +Pinkas, et al. Informational [Page 111] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + It would be quite unacceptable to consider a signature as invalid + even if the keys or certificates were later compromised. Thus, there + is a need to be able to demonstrate that the signature keys were + valid at the time that the signature was created to provide long-term + evidence of the validity of a signature. + + It could be the case that a certificate was valid at the time of the + signature but revoked some time later. In this event, evidence shall + be provided that the document was signed before the signing key was + revoked. Time-stamping by a Time-Stamping Authority (TSA) can + provide such evidence. A time-stamp is obtained by sending the hash + value of the given data to the TSA. The returned "time-stamp" is a + signed document that contains the hash value, the identity of the + TSA, and the time of stamping. This proves that the given data + existed before the time of stamping. Time-stamping a digital + signature (by sending a hash of the signature to the TSA) before the + revocation of the signer's private key provides evidence that the + signature had been created before the certificate was revoked. + + If a recipient wants to hold a valid electronic signature, he will + have to ensure that he has obtained a valid time-stamp for it before + that key (and any key involved in the validation) is revoked. The + sooner the time-stamp is obtained after the signing time, the better. + Any time-stamp or time-mark that is taken after the expiration date + of any certificate in the certification path has no value in proving + the validity of a signature. + + It is important to note that signatures may be generated "off-line" + and time-stamped at a later time by anyone, for example, by the + signer or any recipient interested in the value of the signature. + The time-stamp can thus be provided by the signer, together with the + signed document, or obtained by the recipient following receipt of + the signed document. + + The time-stamp is NOT a component of the Basic Electronic Signature, + but it is the essential component of the ES with Time. + + It is required, in the present document, that if a signer's digital + signature value is to be time-stamped, the time-stamp token is issued + by a trusted source, known as a Time-Stamping Authority. + + The present document requires that the signer's digital signature + value be time-stamped by a trusted source before the electronic + signature can become an ES with Complete validation data. Acceptable + TSAs may be specified in a Signature Validation Policy. + + This technique is referred to as CAdES-C in the present document. + + + + +Pinkas, et al. Informational [Page 112] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Should both the signer and verifier be required to time-stamp the + signature value to meet the requirements of the signature policy, the + signature policy may specify a permitted time delay between the two + time-stamps. + +C.4.4. Time-Stamping for Long Life of Signature before CA Key + Compromises + + Time-stamped, extended electronic signatures are needed when there is + a requirement to safeguard against the possibility of a CA key in the + certificate chain ever being compromised. A verifier may be required + to provide, on request, proof that the certification path and the + revocation information used at the time of the signature were valid, + even in the case where one of the issuing keys or OCSP responder keys + is later compromised. + + The present document defines two ways of using time-stamps to protect + against this compromise: + + - time-stamp the ES with Complete validation data, when an OCSP + response is used to get the status of the certificate from the + signer (CAdES-X Type 1). This format is suitable to be used + with an OCSP response, and it offers the additional advantage of + providing an integrity protection over the whole data; + + - time-stamp only the certification path and revocation + information references when a CRL is used to get the status of + the certificate from the signer (CAdES-X Type2). This format is + suitable to be used with CRLs, since the time-stamped + information may be used for more than one signature (when + signers have their certificates issued by the same CA and when + signatures can be checked using the same CRLs). + + NOTE: The signer, verifier, or both may obtain the time-stamp. + +C.4.4.1. Time-Stamping the ES with Complete Validation Data (CAdES-X + Type 1) + + When an OCSP response is used, it is necessary to time-stamp in + particular that response in the case the key from the responder would + be compromised. Since the information contained in the OCSP response + is user specific and time specific, an individual time-stamp is + needed for every signature received. Instead of placing the + time-stamp only over the certification path references and revocation + information references, which include the OCSP response, the + time-stamp is placed on the CAdES-C. Since the certification path + and revocation information references are included in the ES with + Complete validation data, they are also protected. For the same + + + +Pinkas, et al. Informational [Page 113] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + cryptographic price, this provides an integrity mechanism over the ES + with Complete validation data. Any modification can be immediately + detected. It should be noticed that other means of + protecting/detecting the integrity of the ES with Complete validation + data exist and could be used. Although the technique requires a + time-stamp for every signature, it is well suited for individual + users wishing to have an integrity-protected copy of all the + validated signatures they have received. + + By time-stamping the complete electronic signature, including the + digital signature as well as the references to the certificates and + revocation status information used to support validation of that + signature, the time-stamp ensures that there is no ambiguity in the + means of validating that signature. + + This technique is referred to as CAdES-X Type 1 in the present + document. + + NOTE: Trust is achieved in the references by including a hash of + the data being referenced. + + If it is desired for any reason to keep a copy of the additional data + being referenced, the additional data may be attached to the + electronic signature, in which case the electronic signature becomes + a CAdES-X Long Type 1, as defined by the present document. + + A CAdES-X Long Type 1 is simply the concatenation of a CAdES-X Type + 1, with a copy of the additional data being referenced. + +C.4.4.2. Time-Stamping Certificates and Revocation Information + References (CAdES-X Type 2) + + Time-stamping each ES with Complete validation data, as defined + above, may not be efficient, particularly when the same set of CA + certificates and CRL information is used to validate many signatures. + + Time-stamping CA certificates will stop any attacker from issuing + bogus CA certificates that could be claimed to exist before the CA + key was compromised. Any bogus time-stamped CA certificates will + show that the certificate was created after the legitimate CA key was + compromised. In the same way, time-stamping CA CRLs will stop any + attacker from issuing bogus CA CRLs that could be claimed to exist + before the CA key was compromised. + + Time-stamping of commonly used certificates and CRLs can be done + centrally, e.g., inside a company or by a service provider. This + method reduces the amount of data the verifier has to time-stamp; for + example, it could be reduced to just one time-stamp per day (i.e., in + + + +Pinkas, et al. Informational [Page 114] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + the case where all the signers use the same CA, and the CRL applies + for the whole day). The information that needs to be time-stamped is + not the actual certificates and CRLs, but the unambiguous references + to those certificates and CRLs. + + This technique is referred to as CAdES-X Type 2 in the present + document and requires the following: + + - all the CA certificates references and revocation information + references (i.e., CRLs) used in validating the CAdES-C are + covered by one or more time-stamps. + + Thus, a CAdES-C with a time-stamp signature value at time T1 can be + proved valid if all the CA and CRL references are time-stamped at + time T1+. + +C.4.5. Time-Stamping for Archive of Signature + + Advances in computing increase the probability of being able to break + algorithms and compromise keys. There is therefore a requirement to + be able to protect electronic signatures against this possibility. + + Over a period of time, weaknesses may occur in the cryptographic + algorithms used to create an electronic signature (e.g., due to the + time available for cryptoanalysis, or improvements in + cryptoanalytical techniques). Before such weaknesses become likely, + a verifier should take extra measures to maintain the validity of the + electronic signature. Several techniques could be used to achieve + this goal, depending on the nature of the weakened cryptography. In + order to simplify matters, a single technique called Archive + validation data, covering all the cases, is being used in the present + document. + + Archive validation data consists of the validation data and the + complete certificate and revocation data, time-stamped together with + the electronic signature. The Archive validation data is necessary + if the hash function and the crypto algorithms that were used to + create the signature are no longer secure. Also, if it cannot be + assumed that the hash function used by the Time-Stamping Authority is + secure, then nested time-stamps of the Archived Electronic Signature + are required. + + The potential for a Trusted Service Provider (TSP) key compromise + should be significantly lower than user keys because TSP(s) are + expected to use stronger cryptography and better key protection. It + can be expected that new algorithms (or old ones with greater key + lengths) will be used. In such a case, a sequence of time-stamps + will protect against forgery. Each time-stamp needs to be affixed + + + +Pinkas, et al. Informational [Page 115] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + before either the compromise of the signing key or the cracking of + the algorithms used by the TSA. TSAs (Time-Stamping Authorities) + should have long keys (e.g., which at the time of drafting the + present document was at least 2048 bits for the signing RSA + algorithm) and/or a "good" or different algorithm. + + Nested time-stamps will also protect the verifier against key + compromise or cracking the algorithm on the old electronic + signatures. + + The process will need to be performed and iterated before the + cryptographic algorithms used for generating the previous time-stamp + are no longer secure. Archive validation data may thus bear multiple + embedded time-stamps. + + This technique is referred to as CAdES-A in the present document. + +C.4.6. Reference to Additional Data + + Using CAdES-X Type 1 or CAdES-X Type 2 extended validation data, + verifiers still need to keep track of all the components that were + used to validate the signature, in order to be able to retrieve them + again later on. These components may be archived by an external + source, like a Trusted Service Provider; in which case, referenced + information that is provided as part of the ES with Complete + validation data (CAdES-C) is adequate. The actual certificates and + CRL information reference in the CAdES-C can be gathered when needed + for arbitration. + + If references to additional data are not adequate, then the actual + values of all the certificates and revocation information required + may be part of the electronic signature. This technique is referred + to as CAdES-X Long Type 1 or CAdES-X Long Type 2 in the present + document. + +C.4.7. Time-Stamping for Mutual Recognition + + In some business scenarios, both the signer and the verifier need to + time-stamp their own copy of the signature value. Ideally, the two + time-stamps should be as close as possible to each other. + + EXAMPLE: A contract is signed by two parties, A and B, + representing their respective organizations; to time-stamp the + signer and verifier data, two approaches are possible: + + - under the terms of the contract, a predefined common + "trusted" TSA may be used; + + + + +Pinkas, et al. Informational [Page 116] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - if both organizations run their own time-stamping services, A + and B can have the transaction time-stamped by these two + time-stamping services. + + In the latter case, the electronic signature will only be considered + valid if both time-stamps were obtained in due time (i.e., there + should not be a long delay between obtaining the two time-stamps). + Thus, neither A nor B can repudiate the signing time indicated by + their own time-stamping service. Therefore, A and B do not need to + agree on a common "trusted" TSA to get a valid transaction. + + It is important to note that signatures may be generated "off-line" + and time-stamped at a later time by anyone, e.g., by the signer or + any recipient interested in validating the signature. The time-stamp + over the signature from the signer can thus be provided by the + signer, together with the signed document, and/or be obtained by the + verifier following receipt of the signed document. + + The business scenarios may thus dictate that one or more of the + long-term signature time-stamping methods described above be used. + This may be part of a mutually agreed Signature Validation Policy + that is part of an agreed signature policy under which digital + signatures may be used to support the business relationship between + the two parties. + +C.4.8. TSA Key Compromise + + TSA servers should be built in such a way that once the private + signature key is installed, there is minimal likelihood of compromise + over as long as a possible period. Thus, the validity period for the + TSA's keys should be as long as possible. + + Both the CAdES-T and the CAdES-C contain at least one time-stamp over + the signer's signature. In order to protect against the compromise + of the private signature key used to produce that time-stamp, the + Archive validation data can be used when a different Time-Stamping + Authority key is involved to produce the additional time-stamp. If + it is believed that the TSA key used in providing an earlier + time-stamp may ever be compromised (e.g., outside its validity + period), then the CAdES-A should be used. For extremely long + periods, this may be applied repeatedly using new TSA keys. + + This technique is referred to as a nested CAdES-A in the present + document. + + + + + + + +Pinkas, et al. Informational [Page 117] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +C.5. Multiple Signatures + + Some electronic signatures may only be valid if they bear more than + one signature. This is generally the case when a contract is signed + between two parties. The ordering of the signatures may or may not + be important, i.e., one may or may not need to be applied before the + other. + + Several forms of multiple and counter signatures need to be + supported, which fall into two basic categories: + + - independent signatures; + - embedded signatures. + + Independent signatures are parallel signatures where the ordering of + the signatures is not important. The capability to have more than + one independent signature over the same data shall be provided. + + Embedded signatures are applied one after the other and are used + where the order in which the signatures are applied is important. + The capability to sign over signed data shall be provided. + + These forms are described in Section 5.13. All other multiple + signature schemes, e.g., a signed document with a countersignature, + double countersignatures, or multiple signatures can be reduced to + one or more occurrences of the above two cases. + +Annex D (Informative): Data Protocols to Interoperate with TSPs + +D.1. Operational Protocols + + The following protocols can be used by signers and verifiers to + interoperate with Trusted Service Providers during the electronic + signature creation and validation. + +D.1.1. Certificate Retrieval + + User certificates, CA certificates, and cross-certificates can be + retrieved from a repository using the Lightweight Directory Access + Protocol as defined in RFC 3494 [RFC3494], with the schema defined in + RFC 4523 [RFC4523]. + +D.1.2. CRL Retrieval + + Certificate revocation lists, including authority revocation lists + and partial CRL variants, can be retrieved from a repository using + the Lightweight Directory Access Protocol, as defined in RFC 3494 + [RFC3494], with the schema defined in RFC 4523 [RFC4523]. + + + +Pinkas, et al. Informational [Page 118] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +D.1.3. Online Certificate Status + + As an alternative to the use of certificate revocation lists, the + status of a certificate can be checked using the Online Certificate + Status Protocol (OCSP), as defined in RFC 2560 [3]. + +D.1.4. Time-Stamping + + The time-stamping service can be accessed using the Time-Stamping + Protocol defined in RFC 3161 [7]. + +D.2. Management Protocols + + Signers and verifiers can use the following management protocols to + manage the use of certificates. + +D.2.1. Request for Certificate Revocation + + Request for a certificate to be revoked can be made using the + revocation request and response messages defined in RFC 4210 + [RFC4210]. + +Annex E (Informative): Security Considerations + +E.1. Protection of Private Key + + The security of the electronic signature mechanism defined in the + present document depends on the privacy of the signer's private key. + + Implementations should take steps to ensure that private keys cannot + be compromised. + +E.2. Choice of Algorithms + + Implementers should be aware that cryptographic algorithms become + weaker with time. As new cryptoanalysis techniques are developed and + computing performance improves, the work factor to break a particular + cryptographic algorithm will reduce. Therefore, cryptographic + algorithm implementations should be modular, allowing new algorithms + to be readily inserted. That is, implementers should be prepared for + the set of mandatory-to-implement algorithms to change over time. + + + + + + + + + + +Pinkas, et al. Informational [Page 119] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +Annex F (Informative): Example Structured Contents and MIME + +F.1. Use of MIME to Encode Data + + The signed content may be structured using MIME (Multipurpose + Internet Mail Extensions -- RFC 2045 [6]). Whilst the MIME structure + was initially developed for Internet email, it has a number of + features that make it useful to provide a common structure for + encoding a range of electronic documents and other multi-media data + (e.g., photographs, video). These features include: + + - providing a means of signalling the type of "object" being + carried (e.g., text, image, ZIP file, application data); + + - providing a means of associating a file name with an object; + + - associating several independent objects (e.g., a document and + image) to form a multi-part object; + + - handling data encoded in text or binary and, if necessary, + re-encoding the binary as text. + + When encoding a single object, MIME consists of: + + - header information, followed by; + + - encoded content. + + This structure can be extended to support multi-part content. + +F.1.1. Header Information + + A MIME header includes: + + MIME Version information: e.g., MIME-Version: 1.0 + + Content type information, which includes information describing the + content sufficient for it to be presented to a user or application + process, as required. This includes information on the "media type" + (e.g., text, image, audio) or whether the data is for passing to a + particular type of application. In the case of text, the content + type includes information on the character set used, e.g., + Content-Type: text/plain; charset="us-ascii". + + Content-encoding information, which defines how the content is + encoded (see below about encoding supported by MIME). + + + + + +Pinkas, et al. Informational [Page 120] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Other information about the content, such as a description or an + associated file name. + + An example MIME header for text object is: + + Mime-Version: 1.0 + Content-Type: text/plain; charset=ISO-8859-1 + Content-Transfer-Encoding: quoted-printable + + An example MIME header for a binary file containing a pdf document + is: + + Content-Type: application/pdf + Content-Transfer-Encoding: base64 + Content-Description: JCFV201.pdf + Content-Disposition: filename="JCFV201.pdf" + +F.1.2. Content Encoding + + MIME supports a range of mechanisms for encoding both text and binary + data. + + Text data can be carried transparently as lines of text data encoded + in 7- or 8-bit ASCII characters. MIME also includes a + "quoted-printable" encoding that converts characters other than the + basic ASCII into an ASCII sequence. + + Binary can either be carried: + + - transparently as 8-bit octets; or + + - converted to a basic set of characters using a system called + Base64. + + NOTE: As there are some mail relays that can only handle 7-bit + ASCII, Base64 encoding is usually used on the Internet. + +F.1.3. Multi-Part Content + + Several objects (e.g., text and a file attachment) can be associated + together using a special "multi-part" content type. This is + indicated by the content type "multipart" with an indication of the + string to be used indicating a separation between each part. + + In addition to a header for the overall multipart content, each part + includes its own header information indicating the inner content type + and encoding. + + + + +Pinkas, et al. Informational [Page 121] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + An example of a multipart content is: + +Mime-Version: 1.0 +Content-Type: multipart/mixed; boundary="---- +=_NextPart_000_01BC4599.98004A80" +Content-Transfer-Encoding: 7bit + +------=_NextPart_000_01BC4599.98004A80 +Content-Type: text/plain; charset=ISO-8859-1 +Content-Transfer-Encoding: 7bit + +Per your request, I've attached our proposal for the Java Card Version +2.0 API and the Java Card FAQ. + +------=_NextPart_000_01BC4599.98004A80 +Content-Type: application/pdf; name="JCFV201.pdf" +Content-Transfer-Encoding: base64 +Content-Description: JCFV201.pdf +Content-Disposition: attachment; filename="JCFV201.pdf" + +0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAAgAAAAA +AAAAAEAAAtAAAAAEAAAD+////AAAAAAMAAAAGAAAA////////////////////////////// +//////////AANhAAQAYg== + +------=_NextPart_000_01BC4599.98004A80-- + + Multipart content can be nested. So a set of associated objects + (e.g., HTML text and images) can be handled as a single attachment to + another object (e.g., text). + + The Content-Type from each part of the S/MIME message indicates the + type of content. + +F.2. S/MIME + + The specific use of MIME to carry CMS (extended as defined in the + present document) secured data is called S/MIME (see [RFC3851]). + + S/MIME carries electronic signatures as either: + + - an "application/pkcs7-mime" object with the CMS carried as a + binary attachment (PKCS7 is the name of the early version of + CMS). + + The signed data may be included in the SignedData, which itself + may be included in a single S/MIME object. See [RFC3851], + Section 3.4.2: "Signing Using application/pkcs7-mime with + SignedData" and Figure F.1 hereafter. + + + +Pinkas, et al. Informational [Page 122] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + or + + - a "multipart/signed" object with the signed data and the + signature encoded as separate MIME objects. + + The signed data is not included in the SignedData, and the CMS + structure only includes the signature. See [RFC3851], Section + 3.4.3: "Signing Using the multipart/signed Format" and Figure + F.2 hereafter. + + +-------------++----------++-------------++------------+ + | || || || | + | S/MIME || CAdES || MIME || pdf file | + | || || || | + |Content-Type=||SignedData||Content-Type=||Dear MrSmith| + |application/ || eContent ||application/ ||Received | + |pkcs7-mime || ||pdf || 100 tins | + | || || || | + |smime-type= || /| || /| || Mr.Jones | + |signed-data || / -----+ / ------+ | + | || \ -----+ \ ------+ | + | || \| || \| |+------------+ + | || |+-------------+ + | |+----------+ + +-------------+ + + Figure F.1: Signing Using application/pkcs7-mime + +F.2.1. Using application/pkcs7-mime + + This approach is similar to handling signed data as any other binary + file attachment. + + An example of signed data encoded using this approach is: + + Content-Type: application/pkcs7-mime; smime-type=signed-data; + Content-Transfer-Encoding: base64 + Content-Disposition: attachment; filename=smime.p7m + + 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7 + 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH + HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh + 6YT64V0GhIGfHfQbnj75 + + + + + + + + +Pinkas, et al. Informational [Page 123] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +F.2.2. Using application/pkcs7-signature + + CMS also supports an alternative structure where the signature and + data being protected are separate MIME objects carried within a + single message. In this case, the signed data is not included in the + SignedData, and the CMS structure only includes the signature. See + [RFC3851], Section 3.4.3: "Signing Using the multipart/signed Format" + and Figure F.2 hereafter. + + An example of signed data encoded using this approach is: + + Content-Type: multipart/signed; + protocol="application/pkcs7-signature"; + micalg=sha1; boundary=boundary42 + + --boundary42 + Content-Type: text/plain + + This is a clear-signed message. + + --boundary42 + + Content-Type: application/pkcs7-signature; name=smime.p7s + Content-Transfer-Encoding: base64 + Content-Disposition: attachment; filename=smime.p7s + + ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 + 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj + n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 + 7GhIGfHfYT64VQbnj756 + + --boundary42-- + + With this second approach, the signed data passes through the CMS + process and is carried as part of a multiple-parts signed MIME + structure, as illustrated in Figure F.2. The CMS structure just + holds the electronic signature. + + + + + + + + + + + + + + +Pinkas, et al. Informational [Page 124] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + +---------------++----------++-------------++------------+ + | || || || | + | MIME || CAdES || MIME || pdf file | + | || || || | + |Content-Type= ||SignedData||Content-Type=||Dear MrSmith| + |multipart/ || ||application/ ||Received | + |signed || ||pdf || 100 tins | + | /| || || || | + | / -------------------+ /| || Mr.Jones | + | \ -------------------+ / -----+ | + | \| || || \ -----+ | + |Content-Type= || || \| |+------------+ + |application/ || |+-------------+ + |pdf || | + | || | + |Content-Type= || | + |application/ || | + |pkcs7-signature|| | + | || | + | /| || | + | / -------+ | + | \ -------+ | + | \| ||----------+ + | | + +---------------+ + + Figure F.2: Signing Using application/pkcs7-signature + + This second approach (multipart/signed) has the advantage that the + signed data can be decoded by any MIME-compatible system even if it + does not recognize CMS-encoded electronic signatures. + +Annex G (Informative): Relationship to the European Directive and EESSI + +G.1. Introduction + + This annex provides an indication of the relationship between + electronic signatures created under the present document and + requirements under the European Parliament and Council Directive on a + Community framework for electronic signatures. + + NOTE: Legal advice should be sought on the specific national + legislation regarding use of electronic signatures. + + The present document is one of a set of standards that has been + defined under the "European Electronic Signature Standardization + Initiative" (EESSI) for electronic signature products and solutions + compliant with the European Directive for Electronic Signatures. + + + +Pinkas, et al. Informational [Page 125] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +G.2. Electronic Signatures and the Directive + + This directive defines electronic signatures as: + + - "data in electronic form which are attached to or logically + associated with other electronic data and which serve as a + method of authentication". + + The directive states that an electronic signature should not be + denied "legal effectiveness and admissibility as evidence in legal + proceedings" solely on the grounds that it is in electronic form. + + The directive identifies an electronic signature as having + equivalence to a hand-written signature if it meets specific + criteria: + + - it is an "advanced electronic signature" with the following + properties: + + a) it is uniquely linked to the signatory; + + b) it is capable of identifying the signatory; + + c) it is created using means that the signatory can maintain + under his sole control; and + + d) it is linked to the data to which it relates in such a + manner that any subsequent change of the data is detectable. + + - it is based on a certificate that meets detailed criteria given + in Annex I of the directive and is issued by a + "certification-service-provider" that meets requirements given + in Annex II of the directive. Such a certificate is referred to + as a "qualified certificate"; + + - it is created by a "device", for which detailed criteria are + given in Annex III of the directive. Such a device is referred + to a "secure-signature-creation device". + + This form of electronic signature is referred to as a "qualified + electronic signature" in EESSI (see below). + + + + + + + + + + +Pinkas, et al. Informational [Page 126] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +G.3. ETSI Electronic Signature Formats and the Directive + + An electronic signature created in accordance with the present + document is: + + a) considered to be an "electronic signature" under the terms of + the Directive; + + b) considered to be an "advanced electronic signature" under the + terms of the Directive; + + c) considered to be a "Qualified Electronic Signature", provided + the additional requirements in Annex I, II, and III of the + Directive are met. The requirements in Annex I, II, and III of + the Directive are outside the scope of the present document, + and are subject to standardization elsewhere. + +G.4. EESSI Standards and Classes of Electronic Signature + +G.4.1. Structure of EESSI Standardization + + EESSI looks at standards in several areas. See the ETSI and CEN web + sites for the latest list of standards and their versions: + + - use of X.509 public key certificates as qualified certificates; + + - security Management and Certificate Policy for CSPs Issuing + Qualified Certificates; + + - security requirements for trustworthy systems used by CSPs + Issuing Qualified Certificates; + + - security requirements for Secure Signature Creation Devices; + + - security requirements for Signature Creation Systems; + + - procedures for Electronic Signature Verification; + + - electronic signature syntax and encoding formats; + + - protocol to interoperate with a Time-Stamping Authority; + + - Policy requirements for Time-Stamping Authorities; and + + - XML electronic signature formats. + + + + + + +Pinkas, et al. Informational [Page 127] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Each of these standards addresses a range of requirements, including + the requirements of Qualified Electronic Signatures, as specified in + Article 5.1 of the Directive. However, some of them also address + general requirements of electronic signatures for business and + electronic commerce, which all fall into the category of Article 5.2 + of the Directive. Such variation in the requirements may be + identified either as different levels or different options. + +G.4.2. Classes of Electronic Signatures + + Since some of these standards address a range of requirements, it may + be useful to identify a set of standards to address a specific + business need. Such a set of standards and their uses define a class + of electronic signature. The first class already identified is the + qualified electronic signature, fulfilling the requirements of + Article 5.1 of the Directive. + + A limited number of "classes of electronic signatures" and + corresponding profiles could be defined in close cooperation with + actors on the market (business, users, suppliers). The need for such + standards is envisaged, in addition to those for qualified electronic + signatures, in areas such as: + + - different classes of electronic signatures with long-term + validity; + + - electronic signatures for business transactions with limited + value. + +G.4.3. Electronic Signature Classes and the ETSI Electronic Signature + Format + + The electronic signature format defined in the present document is + applicable to the EESSI area "electronic signature and encoding + formats". + + An electronic signature produced by a signer (see Section 5 and + conformance Section 10.1) is applicable to the proposed class of + electronic signature: "qualified electronic signatures fulfilling + article 5.1". + + With the addition of attributes by the verifier (see Section 6 and + conformance Section 10.2) the qualified electronic signature supports + long-term validity. + + + + + + + +Pinkas, et al. Informational [Page 128] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +Annex H (Informative): APIs for the Generation and Verification of + Electronic Signatures Tokens + + While the present document describes the data format of an electronic + signature, the question is whether there exist APIs (Application + Programming Interfaces) able to manipulate these structures. At + least two such APIs have been defined; one set by the IETF and + another set by the OMG (Object Management Group). + +H.1. Data Framing + + In order to be able to use either of these APIs, it will be necessary + to frame the previously defined electronic signature data structures + using a mechanism-independent token format. Section 3.1 of RFC 2743 + [RFC2743] specifies a mechanism-independent level of encapsulating + representation for the initial token of a GSS-API context + establishment sequence, incorporating an identifier of the mechanism + type to be used on that context and enabling tokens to be interpreted + unabmiguously. + + In order to be processable by these APIs, all electronic signature + data formats that are defined in the present document shall be framed + following that description. + + The encoding format for the token tag is derived from ASN.1 and DER, + but its concrete representation is defined directly in terms of + octets rather than at the ASN.1 level, in order to facilitate + interoperable implementation without use of general ASN.1 processing + code. The token tag consists of the following elements, in order: + + 1) 0x60 -- Tag for RFC 2743 SEQUENCE; indicates that constructed + form, definite length encoding follows. + + 2) Token-length octets, specifying length of subsequent data + (i.e., the summed lengths of elements 3 to 5 in this list, and + of the mechanism-defined token object following the tag). This + element comprises a variable number of octets: + + a) If the indicated value is less than 128, it shall be + represented in a single octet with bit 8 (high order) set to + "0" and the remaining bits representing the value. + + + + + + + + + + +Pinkas, et al. Informational [Page 129] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + b) If the indicated value is 128 or more, it shall be + represented in two or more octets, with bit 8 of the first + octet set to "1" and the remaining bits of the first octet + specifying the number of additional octets. The subsequent + octets carry the value, 8 bits per octet, with the most + significant digit first. The minimum number of octets shall + be used to encode the length (i.e., no octets representing + leading zeros shall be included within the length encoding). + + 3) 0x06 -- Tag for OBJECT IDENTIFIER. + + 4) Object identifier length -- length (number of octets) of the + encoded object identifier contained in element 5, encoded per + rules as described in 2a) and 2b) above. + + 5) object identifier octets -- variable number of octets, encoded + per ASN.1 BER rules: + + - The first octet contains the sum of two values: + + (1) the top-level object identifier component, multiplied by + 40 (decimal); and + + (2) the second-level object identifier component. + + This special case is the only point within an object + identifier encoding where a single octet represents + contents of more than one component. + + - Subsequent octets, if required, encode successively lower + components in the represented object identifier. A + component's encoding may span multiple octets, encoding 7 + bits per octet (most significant bits first) and with bit + 8 set to "1" on all but the final octet in the component's + encoding. The minimum number of octets shall be used to + encode each component (i.e., no octets representing + leading zeros shall be included within a component's + encoding). + + NOTE: In many implementations, elements 3 to 5 may be stored and + referenced as a contiguous string constant. + + The token tag is immediately followed by a mechanism-defined token + object. Note that no independent size specifier intervenes following + the object identifier value to indicate the size of the + mechanism-defined token object. + + + + + +Pinkas, et al. Informational [Page 130] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Tokens conforming to the present document shall have the following + OID in order to be processable by IDUP-APIs: + + id-etsi-es-IDUP-Mechanism-v1 OBJECT IDENTIFIER ::= + { itu-t(0) identified-organization(4) etsi(0) + electronic-signature-standard (1733) part1 (1) IDUPMechanism (4) + etsiESv1(1) } + +H.2. IDUP-GSS-APIs Defined by the IETF + + The IETF CAT WG produced, in December 1998, an RFC (RFC 2479 + [RFC2479]) under the name of IDUP-GSS-API (Independent Data Unit + Protection) able to handle the electronic signature data format + defined in the present document. + + The IDUP-GSS-API includes support for non-repudiation services. + + It supports evidence generation, where "evidence" is information that + either by itself, or when used in conjunction with other information, + is used to establish proof about an event or action, as well as + evidence verification. + + IDUP supports various types of evidences. All the types defined in + IDUP are supported in the present document through the + commitment-type parameter. + + Section 2.3.3 of IDUP describes the specific calls needed to handle + evidence ("EV" calls). The "EV" group of calls provides a simple, + high-level interface to underlying IDUP mechanisms when application + developers need to deal with only evidence: not with encryption or + integrity services. + + All generations and verification are performed according to the + content of a NR policy that is referenced in the context. + + Get_token_details is used to return the attributes that correspond to + a given input token to an application. Since IDUP-GSS-API tokens are + meant to be opaque to the calling application, this function allows + the application to determine information about the token without + having to violate the opaqueness intention of IDUP. Of primary + importance is the mechanism type, which the application can then use + as input to the IDUP_Establish_Env() call in order to establish the + correct environment in which to have the token processed. + + Generate_token generates a non-repudiation token using the current + environment. + + + + + +Pinkas, et al. Informational [Page 131] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + Verify_evidence verifies the evidence token using the current + environment. This operation returns a major_status code that can be + used to determine whether the evidence contained in a token is + complete (i.e., can be successfully verified (perhaps years) later). + If a token's evidence is not complete, the token can be passed to + another API, form_complete_pidu, to complete it. This happens when a + status "conditionally valid" is returned. That status corresponds to + the status "validation incomplete" of the present document. + + Form_complete_PIDU is used primarily when the evidence token itself + does not contain all the data required for its verification, and it + is anticipated that some of the data not stored in the token may + become unavailable during the interval between generation of the + evidence token and verification unless it is stored in the token. + The Form_Complete_PIDU operation gathers the missing information and + includes it in the token so that verification can be guaranteed to be + possible at any future time. + +H.3. CORBA Security Interfaces Defined by the OMG + + Non-repudiation interfaces have been defined in "CORBA Security", a + document produced by the OMG (Object Management Group). These + interfaces are described in IDL (Interface Definition Language) and + are optional. + + The handling of "tokens" supporting non-repudiation is done through + the following interfaces: + + - set_NR_features specifies the features to apply to future + evidence generation and verification operations; + + - get_NR_features returns the features that will be applied to + future evidence generation and verification operations; + + - generate_token generates a non-repudiation token using the + current non-repudiation features; + + - verify_evidence verifies the evidence token using the current + non-repudiation features; + + - get_tokens_details returns information about an input + non-repudiation token. The information returned depends upon + the type of token; + + - form_complete_evidence is used when the evidence token itself + does not contain all the data required for its verification, and + it is anticipated that some of the data not stored in the token + may become unavailable during the interval between generation of + + + +Pinkas, et al. Informational [Page 132] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + the evidence token and verification unless it is stored in the + token. The form_complete_evidence operation gathers the missing + information and includes it in the token so that verification + can be guaranteed to be possible at any future time. + + NOTE: The similarity between the two sets of APIs is noticeable. + +Annex I (Informative): Cryptographic Algorithms + + RFC 3370 [10] describes the conventions for using several + cryptographic algorithms with the Crytographic Message Syntax (CMS). + Only the hashing and signing algorithms are appropriate for use with + the present document. + + Since the publication of RFC 3370 [10], MD5 has been broken. This + algorithm is no longer considered appropriate and has been deleted + from the list of algorithms. + +I.1. Digest Algorithms + +I.1.1. SHA-1 + + The SHA-1 digest algorithm is defined in FIPS Pub 180-1. The + algorithm identifier for SHA-1 is: + +sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) +secsig(3) algorithm(2) 26 } + + The AlgorithmIdentifier parameters field is optional. If present, + the parameters field shall contain an ASN.1 NULL. Implementations + should accept SHA-1 AlgorithmIdentifiers with absent parameters as + well as NULL parameters. Implementations should generate SHA-1 + AlgorithmIdentifiers with NULL parameters. + +I.1.2. General + + The following is a selection of work that has been done in the area + of digest algorithms or, as they are often called, hash functions: + + - ISO/IEC 10118-1 (1994) [ISO10118-1]: "Information technology - + Security techniques - Hash-functions - Part 1: General". ISO/IEC + 10118-1 contains definitions and describes basic concepts. + + - ISO/IEC 10118-2 (1994) [ISO10118-2]: "Information technology - + Security techniques - Hash-functions - Part 2: Hash-functions + using an n-bit block cipher algorithm". ISO/IEC 10118-2 + specifies two ways to construct a hash-function from a block + cipher. + + + +Pinkas, et al. Informational [Page 133] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - ISO/IEC 10118-3 (1997) [ISO10118-3]: "Information technology - + Security techniques - Hash-functions - Part 3: Dedicated + hash-functions". ISO/IEC 10118-3 specifies the following + dedicated hash-functions: + + - SHA-1 (FIPS 180-1); + - RIPEMD-128; + - RIPEMD-160. + + - ISO/IEC 10118-4 (1998) [ISO10118-4]: "Information technology - + Security techniques - Hash-functions - Part 4: Hash-functions + using modular arithmetic". + + - RFC 1320 (PS 1992): "The MD4 Message-Digest Algorithm". RFC + 1320 specifies the hash-function MD4. Today, MD4 is considered + outdated. + + - RFC 1321 (I 1992): "The MD5 Message-Digest Algorithm". RFC 1321 + (informational) specifies the hash-function MD5. Today, MD5 is + not recommended for new implementations. + + - FIPS Publication 180-1 (1995): "Secure Hash Standard". FIPS + 180-1 specifies the Secure Hash Algorithm (SHA), dedicated hash- + function developed for use with the DSA. The original SHA, + published in 1993, was slightly revised in 1995 and renamed + SHA-1. + + - ANSI X9.30-2 (1997) [X9.30-2]: "Public Key Cryptography for the + Financial Services Industry - Part 2: The Secure Hash Algorithm + (SHA-1)". X9.30-2 specifies the ANSI-Version of SHA-1. + + - ANSI X9.31-2 (1996) [X9.31-2]: "Public Key Cryptography Using + Reversible Algorithms for the Financial Services Industry - Part + 2: Hash Algorithms". X9.31-2 specifies hash algorithms. + +I.2. Digital Signature Algorithms + +I.2.1. DSA + + The DSA signature algorithm is defined in FIPS Pub 186. DSA is + always used with the SHA-1 message digest algorithm. The algorithm + identifier for DSA is: + +id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) +x9-57 (10040) x9cm(4) 3 } + + The AlgorithmIdentifier parameters field shall not be present. + + + + +Pinkas, et al. Informational [Page 134] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +I.2.2. RSA + + The RSA signature algorithm is defined in RFC 3447 [RFC3447]. RFC + 3370 [10] specifies the use of the RSA signature algorithm with the + SHA-1 algorithm. The algorithm identifier for RSA with SHA-1 is: + + Sha1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 } + + NOTE: RFC 3370 [10] recommends that MD5 not be used for new + implementations. + +I.2.3. General + + The following is a selection of work that has been done in the + area of digital signature mechanisms: + + - FIPS Publication 186 (1994): "Digital Signature Standard". + NIST's Digital Signature Algorithm (DSA) is a variant of + ElGamal's Discrete Logarithm-based digital signature mechanism. + The DSA requires a 160-bit hash-function and mandates SHA-1. + + - IEEE P1363 (2000) [P1363]: "Standard Specifications for Public- + Key Cryptography". IEEE P1363 contains mechanisms for digital + signatures, key establishment, and encipherment based on three + families of public key schemes: + + - "Conventional" Discrete Logarithm (DL)-based techniques, i.e., + Diffie-Hellman (DH) key agreement, Menezes-Qu-Vanstone (MQV) key + agreement, the Digital Signature Algorithm (DSA), and + Nyberg-Rueppel (NR) digital signatures; + + - Elliptic Curve (EC)-based variants of the DL-mechanisms + specified above, i.e., EC-DH, EC-MQV, EC-DSA, and EC-NR. For + elliptic curves, implementation options include mod p and + characteristic 2 with polynomial or normal basis representation; + + - Integer Factoring (IF)-based techniques, including RSA + encryption, RSA digital signatures, and RSA-based key transport. + + - ISO/IEC 9796-2 (1997) [ISO9796-2]: "Information technology - + Security techniques - Digital signature schemes giving message + recovery - Part 2: Mechanisms using a hash-function". ISO/IEC + 9796-2 specifies digital signature mechanisms with partial + message recovery that are also based on the RSA technique but + make use of a hash-function. + + + + + +Pinkas, et al. Informational [Page 135] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - ISO/IEC 9796-4 (1998) [ISO9796-4]: "Digital signature schemes + giving message recovery - Part 4: Discrete logarithm based + mechanisms". ISO/IEC 9796-4 specifies digital signature + mechanisms with partial message recovery that are based on + Discrete Logarithm techniques. The document includes the + Nyberg-Rueppel scheme. + + - ISO/IEC 14888-1 [ISO14888-1]: "Digital signatures with appendix + - Part 1: General". ISO/IEC 14888-1 contains definitions and + describes the basic concepts of digital signatures with + appendix. + + - ISO/IEC 14888-2 [ISO14888-2]: "Digital signatures with appendix + - Part 2: Identity-based mechanisms". ISO/IEC 14888-2 specifies + digital signature schemes with appendix that make use of + identity-based keying material. The document includes the + zero-knowledge techniques of Fiat-Shamir and Guillou-Quisquater. + + - ISO/IEC 14888-3 [ISO14888-3]: "Digital signatures with appendix + - Part 3: Certificate-based mechanisms". ISO/IEC 14888-3 + specifies digital signature schemes with appendix that make use + of certificate-based keying material. The document includes + five schemes: + + - DSA; + - EC-DSA, an elliptic curve-based analog of NIST's Digital + Signature Algorithm; + - Pointcheval-Vaudeney signatures; + - RSA signatures; + - ESIGN. + + - ISO/IEC 15946-2 (2002) [ISO15946-2]: "Cryptographic techniques + based on elliptic curves - Part 2: Digital signatures", + specifies digital signature schemes with appendix using elliptic + curves. + + - The document includes two schemes: + + - EC-DSA, an elliptic curve-based analog of NIST's Digital + Signature Algorithm; + + - EC-AMV, an elliptic curve-based analog of the Agnew-Muller- + Vanstone signature algorithm. + + + + + + + + +Pinkas, et al. Informational [Page 136] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + - ANSI X9.31-1 (1997) [X9.31-1]: "Public Key Cryptography Using + Reversible Algorithms for the Financial Services Industry - Part + 1: The RSA Signature Algorithm". ANSI X9.31-1 specifies a + digital signature mechanism with appendix using the RSA public + key technique. + + - ANSI X9.30-1 (1997) [X9.30-1]: "Public Key Cryptography Using + Irreversible Algorithms for the Financial Services Industry - + Part 1: The Digital Signature Algorithm (DSA)". ANSI X9.30-1 + specifies the DSA, NIST's Digital Signature Algorithm. + + - ANSI X9.62 (1998) [X9.62]: "Public Key Cryptography for the + Financial Services Industry - The Elliptic Curve Digital + Signature Algorithm (ECDSA)". ANSI X9.62 specifies the Elliptic + Curve Digital Signature Algorithm, an analog of NIST's Digital + Signature Algorithm (DSA) using elliptic curves. The appendices + provide tutorial information on the underlying mathematics for + elliptic curve cryptography and give many examples. + +Annex J (Informative): Guidance on Naming + +J.1. Allocation of Names + + The subject name shall be allocated through a registration scheme + administered through a Registration Authority (RA) to ensure + uniqueness. This RA may be an independent body or a function carried + out by the Certification Authority. + + In addition to ensuring uniqueness, the RA shall verify that the name + allocated properly identifies the applicant and that authentication + checks are carried out to protect against masquerade. + + The name allocated by an RA is based on registration information + provided by, or relating to, the applicant (e.g., his personal name, + date of birth, residence address) and information allocated by the + RA. Three variations commonly exist: + + - the name is based entirely on registration information, which + uniquely identifies the applicant (e.g., "Pierre Durand (born + on) July 6, 1956"); + + - the name is based on registration information, with the addition + of qualifiers added by the registration authority to ensure + uniqueness (e.g., "Pierre Durand 12"); + + - the registration information is kept private by the registration + authority and the registration authority allocates a + "pseudonym". + + + +Pinkas, et al. Informational [Page 137] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +J.2. Providing Access to Registration Information + + Under certain circumstances, it may be necessary for information used + during registration, but not published in the certificate, to be made + available to third parties (e.g., to an arbitrator to resolve a + dispute or for law enforcement). This registration information is + likely to include personal and sensitive information. + + Thus, the RA needs to establish a policy for: + + - whether the registration information should be disclosed; + - to whom such information should be disclosed; + - under what circumstances such information should be + disclosed. + + This policy may be different whether the RA is being used only within + a company or for public use. The policy will have to take into + account national legislation and in particular any data protection + and privacy legislation. + + Currently, the provision of access to registration is a local matter + for the RA. However, if open access is required, standard protocols, + such as HTTP -- RFC 2068 (Internet Web Access Protocol), may be + employed with the addition of security mechanisms necessary to meet + the data protection requirements (e.g., Transport Layer Security -- + RFC 4346 [RFC4346]) with client authentication. + +J.3. Naming Schemes + +J.3.1. Naming Schemes for Individual Citizens + + In some cases, the subject name that is contained in a public key + certificate may not be meaningful enough. This may happen because of + the existence of homonyms or because of the use of pseudonyms. A + distinction could be made if more attributes were present. However, + adding more attributes to a public key certificate placed in a public + repository would be going against the privacy protection + requirements. + + In any case, the Registration Authority will get information at the + time of registration, but not all that information will be placed in + the certificate. In order to achieve a balance between these two + opposite requirements, the hash values of some additional attributes + can be placed in a public key certificate. When the certificate + owner provides these additional attributes, then they can be + verified. Using biometrics attributes may unambiguously identify a + person. Examples of biometrics attributes that can be used include: + a picture or a manual signature from the certificate owner. + + + +Pinkas, et al. Informational [Page 138] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + NOTE: Using hash values protects privacy only if the possible + inputs are large enough. For example, using the hash of a + person's social security number is generally not sufficient since + it can easily be reversed. + + A picture can be used if the verifier once met the person and later + on wants to verify that the certificate that he or she got relates to + the person whom was met. In such a case, at the first exchange, the + picture is sent, and the hash contained in the certificate may be + used by the verifier to verify that it is the right person. At the + next exchange, the picture does not need to be sent again. + + A manual signature may be used if a signed document has been received + beforehand. In such a case, at the first exchange, the drawing of + the manual signature is sent, and the hash contained in the + certificate may be used by the verifier to verify that it is the + right manual signature. At the next exchange, the manual signature + does not need to be sent again. + +J.3.2. Naming Schemes for Employees of an Organization + + The name of an employee within an organization is likely to be some + combination of the name of the organization and the identifier of the + employee within that organization. + + An organization name is usually a registered name, i.e., business or + trading name used in day-to-day business. This name is registered by + a Naming Authority, which guarantees that the organization's + registered name is unambiguous and cannot be confused with another + organization. + + In order to get more information about a given registered + organization name, it is necessary to go back to a publicly available + directory maintained by the Naming Authority. + + The identifier may be a name or a pseudonym (e.g., a nickname or an + employee number). When it is a name, it is supposed to be + descriptive enough to unambiguously identify the person. When it is + a pseudonym, the certificate does not disclose the identity of the + person. However, it ensures that the person has been correctly + authenticated at the time of registration and therefore may be + eligible to some advantages implicitly or explicitly obtained through + the possession of the certificate. In either case, however, this can + be insufficient because of the existence of homonyms. + + Placing more attributes in the certificate may be one solution, for + example, by giving the organization unit of the person or the name of + a city where the office is located. However, the more information is + + + +Pinkas, et al. Informational [Page 139] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + + placed in the certificate, the more problems arise if there is a + change in the organization structure or the place of work. So this + may not be the best solution. An alternative is to provide more + attributes (like the organization unit and the place of work) through + access to a directory maintained by the company. It is likely that, + at the time of registration, the Registration Authority got more + information than what was placed in the certificate, if such + additional information is placed in a repository accessible only to + the organization. + +Acknowledgments + + Special thanks to Russ Housley for reviewing the document. + +Authors' Addresses + + Denis Pinkas + Bull SAS + Rue Jean-Jaures + 78340 Les Clayes sous Bois CEDEX + FRANCE + EMail: Denis.Pinkas@bull.net + + Nick Pope + Thales eSecurity + Meadow View House + Long Crendon + Aylesbury + Buck + HP18 9EQ + United Kingdom + EMail: nick.pope@thales-esecurity.com + + John Ross + Security & Standards Consultancy Ltd + The Waterhouse Business Centre + 2 Cromer Way + Chelmsford + Essex + CM1 2QE + United Kingdom + EMail: ross@secstan.com + + + + + + + + + +Pinkas, et al. Informational [Page 140] + +RFC 5126 CMS Advanced Electronic Signatures February 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Pinkas, et al. Informational [Page 141] + |