summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9321.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc9321.txt')
-rw-r--r--doc/rfc/rfc9321.txt1801
1 files changed, 1801 insertions, 0 deletions
diff --git a/doc/rfc/rfc9321.txt b/doc/rfc/rfc9321.txt
new file mode 100644
index 0000000..fec9c3c
--- /dev/null
+++ b/doc/rfc/rfc9321.txt
@@ -0,0 +1,1801 @@
+
+
+
+
+Independent Submission S. Santesson
+Request for Comments: 9321 IDsec Solutions
+Category: Informational R. Housley
+ISSN: 2070-1721 Vigil Security
+ October 2022
+
+
+ Signature Validation Token
+
+Abstract
+
+ Electronic signatures have a limited lifespan with respect to the
+ time period that they can be validated and determined to be
+ authentic. The Signature Validation Token (SVT) defined in this
+ specification provides evidence that asserts the validity of an
+ electronic signature. The SVT is provided by a trusted authority,
+ which asserts that a particular signature was successfully validated
+ according to defined procedures at a certain time. Any future
+ validation of that electronic signature can be satisfied by
+ validating the SVT without any need to also validate the original
+ electronic signature or the associated digital certificates. The SVT
+ supports electronic signatures in Cryptographic Message Syntax (CMS),
+ XML, PDF, and JSON documents.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not candidates for any level of Internet Standard;
+ see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9321.
+
+Copyright Notice
+
+ Copyright (c) 2022 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Definitions
+ 3. Signature Validation Token
+ 3.1. Signature Validation Token Function
+ 3.2. Signature Validation Token Syntax
+ 3.2.1. Data Types
+ 3.2.2. Signature Validation Token JWT Claims
+ 3.2.3. SigValidation Object Class
+ 3.2.4. Signature Claims Object Class
+ 3.2.5. SigReference Claims Object Class
+ 3.2.6. SignedDataReference Claims Object Class
+ 3.2.7. PolicyValidation Claims Object Class
+ 3.2.8. TimeValidation Claims Object Class
+ 3.2.9. CertReference Claims Object Class
+ 3.2.10. SVT JOSE Header
+ 4. Profiles
+ 4.1. Defined Profiles
+ 5. Signature Verification with an SVT
+ 6. IANA Considerations
+ 6.1. Claim Names Registration
+ 6.1.1. Registry Contents
+ 6.2. Header Parameter Names Registration
+ 6.2.1. Registry Contents
+ 7. Security Considerations
+ 7.1. Level of Reliance
+ 7.2. Aging Algorithms
+ 8. References
+ 8.1. Normative References
+ 8.2. Informative References
+ Appendix A. XML Signature Profile
+ A.1. Notation
+ A.1.1. References to XML Elements from XML Schemas
+ A.2. SVT in XML Documents
+ A.2.1. SignatureValidationToken Signature Property
+ A.2.2. Multiple SVTs in an XML Signature
+ A.3. XML Signature SVT Claims
+ A.3.1. XML Profile Identifier
+ A.3.2. XML Signature Reference Data
+ A.3.3. XML Signed Data Reference Data
+ A.3.4. XML Signer Certificate References
+ A.4. JOSE Header
+ A.4.1. SVT Signing Key Reference
+ Appendix B. PDF Signature Profile
+ B.1. SVTs in PDF Documents
+ B.1.1. SVT Extension to Timestamp Tokens
+ B.2. PDF Signature SVT Claims
+ B.2.1. PDF Profile Identifier
+ B.2.2. PDF Signature Reference Data
+ B.2.3. PDF Signed Data Reference Data
+ B.2.4. PDF Signer Certificate References
+ B.3. JOSE Header
+ B.3.1. SVT Signing Key Reference
+ Appendix C. JWS Profile
+ C.1. SVT in JWS
+ C.1.1. "svt" Header Parameter
+ C.1.2. Multiple SVTs in a JWS Signature
+ C.2. JWS Signature SVT Claims
+ C.2.1. JWS Profile Identifier
+ C.2.2. JWS Signature Reference Data
+ C.2.3. JWS Signed Data Reference Data
+ C.2.4. JWS Signer Certificate References
+ C.3. SVT JOSE Header
+ C.3.1. SVT Signing Key Reference
+ Appendix D. Schemas
+ D.1. Concise Data Definition Language (CDDL)
+ D.2. JSON Schema
+ Appendix E. Examples
+ Authors' Addresses
+
+1. Introduction
+
+ Electronic signatures have a limited lifespan regarding when they can
+ be validated and determined to be authentic. Many factors make it
+ more difficult to validate electronic signatures over time. For
+ example:
+
+ * Trusted information about the validity of the certificate
+ containing the signer's public key is not available.
+
+ * Trusted information about the time when the signature was actually
+ created is not available.
+
+ * Algorithms used to create the electronic signature may no longer
+ be considered secure at the time of validation and may therefore
+ no longer be available in software libraries.
+
+ * Services necessary to validate the signature are no longer
+ available at the time of validation.
+
+ * Supporting evidence such as certification authority (CA)
+ certificates, Online Certificate Status Protocol (OCSP) responses,
+ Certificate Revocation Lists (CRLs), or timestamps is not
+ available or can't be validated.
+
+ The challenges to validation of an electronic signature increase over
+ time, and eventually it may simply be impossible to verify the
+ signature with a sufficient level of assurance.
+
+ Existing standards, such as the ETSI XAdES [XADES] profile for XML
+ signatures [XMLDSIG11], ETSI PAdES [PADES] profile for PDF signatures
+ [ISOPDF2], and ETSI CAdES [CADES] profile for CMS signatures
+ [RFC5652], can be used to extend the time within which a signature
+ can be validated at the cost of significant complexity, which
+ involves storing and validating significant amounts of external
+ evidence data such as revocation data, signature time stamps, and
+ archival time stamps.
+
+ The Signature Validation Token (SVT) defined in this specification
+ takes a trusted signature validation process as an input and
+ preserves the validation result for the associated signature and
+ signed document. The SVT asserts that a particular electronic
+ signature was successfully validated by a trusted authority according
+ to defined procedures at a certain time. Those procedures MUST
+ include checks that the signature match the signed document, checks
+ that the signature can be validated by the signing certificate, and
+ checks that the signing certificate pass certificate path validation
+ [RFC5280]. Those procedures MAY also include checks associated with
+ a particular trust policy such as that an acceptable certificate
+ policy [RFC5280] [RFC3647] was used to issue the signer's certificate
+ and checks that an acceptable signature policy was used by the signer
+ [RFC3125].
+
+ Once the SVT is issued by a trusted authority, any future validation
+ of that electronic signature can be satisfied by validating the SVT
+ without any need to also revalidate the original electronic
+ signature.
+
+ As the SVT is used to preserve validation results obtained through
+ applying existing standards for signature validation, it is
+ complementary to and not a replacement for such standards, including
+ the ETSI standards for long-term validation listed above. The SVT
+ does, however, have the potentially positive effect that it may
+ significantly reduce the need to apply complex long-term validation
+ and preservation techniques for signature validation if an SVT is
+ issued and applied to the signed document at an early stage where the
+ signature can be validated without support of large amounts of
+ external evidence. The use of SVTs may therefore drastically reduce
+ the complexity of revalidation of old archived electronic signatures.
+
+ The SVT can be signed with private keys and algorithms that provide
+ confidence for a considerable time period. In fact, multiple SVTs
+ can be used to offer greater assurance. For example, one SVT could
+ be produced with a large RSA private key, a second one with a strong
+ elliptic curve, and a third one with a quantum safe digital signature
+ algorithm to protect against advances in computing power and
+ cryptanalytic capabilities. Further, the trusted authority can add
+ additional SVTs in the future using fresh private keys and signatures
+ to extend the lifetime of the SVTs if necessary.
+
+2. Definitions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+ This document use the following terms:
+
+ Signed Data: The data covered by a particular electronic signature.
+ This is typically equivalent to the signed content of a document,
+ and it represents the data that the signer intended to sign. In
+ some cases, such as in some XML signatures, the Signed Data can be
+ the collection of several data fragments each referenced by the
+ signature. In the case of PDF, this is the data covered by the
+ "ByteRange" parameter in the signature dictionary. In JSON Web
+ Signature (JWS), this is the unencoded payload data (before
+ base64url encoding).
+
+ Signed Bytes: These are the actual bytes of data that were hashed
+ and signed by the digital signature algorithm. In most cases,
+ this is not the actual Signed Data but a collection of signature
+ metadata that includes references (hash) of the Signed Data as
+ well as information about algorithms and other data bound to a
+ signature. In XML, this is the canonicalized SignedInfo element.
+ In CMS and PDF signatures, this is the DER-encoded
+ SignedAttributes structure. In JWS, this is the protected header
+ and payload data formatted according to [RFC7515].
+
+ When these terms are used as defined in this section, they appear
+ with a capitalized first letter.
+
+3. Signature Validation Token
+
+3.1. Signature Validation Token Function
+
+ The Signature Validation Token (SVT) is created by a trusted service
+ to assert evidence of successful electronic signature validation
+ using a well-defined and trustworthy signature validation process.
+ The SVT binds the validation result to the validated signature, the
+ document signed by the signature, and the certificate of the signer.
+ This allows a relying party to verify the validity of a signed
+ document without having to revalidate the original signature or to
+ reuse any of its associated cryptographic algorithms for as long as
+ the SVT itself can be validated. The SVT achieves this by binding
+ the following information to a specific electronic signature:
+
+ * A unique identification of the electronic signature.
+
+ * The data and metadata signed by the electronic signature.
+
+ * The signer's certificate that was validated as part of electronic
+ signature verification.
+
+ * The certification path that was used to validate the signer's
+ certificate.
+
+ * An assertion providing evidence of signature verification, the
+ time the verification was performed, the procedures used to verify
+ the electronic signature, and the outcome of the verification.
+
+ * An assertion providing evidence of the time at which the signature
+ is known to have existed, the procedures used to validate the time
+ of existence, and the outcome of the validation.
+
+ The SVT aims to support long-term validation that can be further
+ extended into the future by applying the following strategies:
+
+ * by using secure algorithms with long life expectancy when signing
+ the SVT
+
+ * by reissuing the SVT before it becomes insecure or is considered
+ expired
+
+ * optionally, by issuing multiple SVTs with different algorithms to
+ provide redundancy in case one algorithm is broken
+
+3.2. Signature Validation Token Syntax
+
+ The SVT is carried in a JSON Web Token (JWT) as defined in [RFC7519].
+
+3.2.1. Data Types
+
+ The contents of claims in an SVT are specified using the following
+ data types:
+
+ String: JSON Data Type of string that contains an arbitrary case-
+ sensitive string value.
+
+ Base64Binary: JSON Data Type of string that contains a
+ Base64-encoded byte array of binary data.
+
+ StringOrURI: JSON Data Type of string that contains an arbitrary
+ string or a URI as defined in [RFC7519]. It is REQUIRED to
+ contain the colon character (":") to be a URI.
+
+ URI: JSON Data Type of string that contains a URI as defined in
+ [RFC7519].
+
+ Integer: JSON Data Type of number that contains a 32-bit signed
+ integer value (from -2^31 to 2^31-1).
+
+ Long: JSON Data Type of number that contains a 64-bit signed integer
+ value (from -2^63 to 2^63-1).
+
+ NumericDate: JSON Data Type of number that contains data as defined
+ in [RFC7519], which is the number of seconds from
+ 1970-01-01T00:00:00Z UTC until the specified UTC date/time,
+ ignoring leap seconds.
+
+ Boolean: JSON Data Type of boolean that contains the explicit value
+ of true or false.
+
+ Object<Class>: A JSON object holding a claims object of a class
+ defined in this specification (see Section 3.2.2).
+
+ Map<Type>: A JSON object with name-value pairs where the value is an
+ object of the specified Type in the notation. For example,
+ Map<String> is a JSON object with name-value pairs where all
+ values are of type String.
+
+ Array: A JSON array of a specific data type as defined in this
+ section. An array is expressed in this specification by square
+ brackets. For example, [String] indicates an array of String
+ values, and [Object<DocHash>] indicates an array of DocHash
+ objects.
+
+ Null: A JSON null that represents an absent value. A claim with a
+ null value is equivalent with an absent claim.
+
+3.2.2. Signature Validation Token JWT Claims
+
+ The SVT MUST contain only JWT claims in the following list:
+
+ "jti": A String data type that is a "JWT ID" registered claim
+ according to [RFC7519]. It is RECOMMENDED that the identifier
+ holds a hexadecimal string representation of a 128-bit unsigned
+ integer. An SVT MUST contain one "JWT ID" claim.
+
+ "iss": A StringOrURI data type that is an "Issuer" registered claim
+ according to [RFC7519], which is an arbitrary unique identifier of
+ the SVT issuer. This value SHOULD have the value of a URI based
+ on a domain owned by the issuer. An SVT MUST contain one "Issuer"
+ claim.
+
+ "iat": A NumericDate data type that is an "Issued At" registered
+ claim according to [RFC7519], which expresses the time when this
+ SVT was issued. An SVT MUST contain one "Issued At" claim.
+
+ "aud": A [StringOrURI] data type or a StringOrURI data type that is
+ an "Audience" registered claim according to [RFC7519]. The
+ audience claim is an array of one or more identifiers, identifying
+ intended recipients of the SVT. Each identifier MAY identify a
+ single entity, a group of entities, or a common policy adopted by
+ a group of entities. If only one value is provided, it MAY be
+ provided as a single StringOrURI data type value instead of as an
+ array of values. Inclusion of the "Audience" claim in an SVT is
+ OPTIONAL.
+
+ "exp": A NumericDate data type that is an "Expiration Time"
+ registered claim according to [RFC7519], which expresses the time
+ when services and responsibilities related to this SVT are no
+ longer provided by the SVT issuer. The precise meaning of the
+ expiration time claim is defined by local policies. See
+ implementation note below. Inclusion of the "Expiration Time"
+ claim in an SVT is OPTIONAL.
+
+ "sig_val_claims": An Object<SigValidation> data type that contains
+ signature validation claims for this SVT extending the standard
+ registered JWT claims above. An SVT MUST contain one
+ sig_val_claims claim.
+
+ Note: An SVT asserts that a particular validation process was
+ undertaken at a stated time. This fact never changes and never
+ expires. However, some other aspects of the SVT such as liability
+ for false claims or service provision related to a specific SVT may
+ expire after a certain period of time, such as a service where an old
+ SVT can be upgraded to a new SVT signed with fresh keys and
+ algorithms.
+
+3.2.3. SigValidation Object Class
+
+ The sig_val_claims JWT claim uses the SigValidation object class. A
+ SigValidation object holds all custom claims, and a SigValidation
+ object contains the following parameters:
+
+ "ver": A String data type representing the version. This parameter
+ MUST be present and the version in this specification indicated by
+ the value "1.0".
+
+ "profile": A StringOrURI data type representing the name of a
+ profile that defines conventions followed for specific claims and
+ any extension points used by the SVT issuer. This parameter MUST
+ be present.
+
+ "hash_algo": A URI data type that identifies the hash algorithm used
+ to compute the hash values within the SVT. The URI identifier
+ MUST be one defined in [RFC9231] or in the IANA registry defined
+ by this specification. This parameter MUST be present.
+
+ "sig": An [Object<Signature>] data type that gives information about
+ validated electronic signatures as an array of Signature objects.
+ If the SVT contains signature validation evidence for more than
+ one signature, then each signature is represented by a separate
+ Signature object. At least one Signature object MUST be present.
+
+ "ext": A Map<String> data type that provides additional claims
+ related to the SVT. Extension claims are added at the discretion
+ of the SVT issuer; however, extension claims MUST follow any
+ conventions defined in a profile of this specification (see
+ Section 4). Inclusion of this parameter is OPTIONAL.
+
+3.2.4. Signature Claims Object Class
+
+ The sig parameter in the SigValidation object class uses the
+ Signature object class. The Signature object contains claims related
+ to signature validation evidence for one signature, and it contains
+ the following parameters:
+
+ "sig_ref": An Object<SigReference> data type that contains reference
+ information identifying the target signature. This parameter MUST
+ be present.
+
+ "sig_data_ref": An [Object<SignedDataReference>] data type that
+ contains an array of references to Signed Data that was signed by
+ the target electronic signature. At least one SignedDataReference
+ object MUST be present.
+
+ "signer_cert_ref": An Object<CertReference> data type that
+ references the signer's certificate and optionally references a
+ supporting certification path that was used to verify the target
+ electronic signature. This parameter MUST be present.
+
+ "sig_val": An [Object<PolicyValidation>] data type that contains an
+ array of results of signature verification according to defined
+ procedures. At least one PolicyValidation object MUST be present.
+
+ "time_val": An [Object<TimeValidation>] data type that contains an
+ array of time verification results showing that the target
+ signature has existed at a specific time in the past. Inclusion
+ of this parameter is OPTIONAL.
+
+ "ext": A MAP<String> data type that provides additional claims
+ related to the target signature. Extension claims are added at
+ the discretion of the SVT issuer; however, extension claims MUST
+ follow any conventions defined in a profile of this specification
+ (see Section 4). Inclusion of this parameter is OPTIONAL.
+
+3.2.5. SigReference Claims Object Class
+
+ The sig_ref parameter in the Signature object class uses the
+ SigReference object class. The SigReference object provides
+ information used to match the Signature claims object to a specific
+ target electronic signature and to verify the integrity of the target
+ signature value and Signed Bytes, and it contains the following
+ parameters:
+
+ "id": A String data type that contains an identifier assigned to the
+ target signature. Inclusion of this parameter is OPTIONAL.
+
+ "sig_hash": A Base64Binary data type that contains a hash value of
+ the target electronic signature value. This parameter MUST be
+ present.
+
+ "sb_hash": A Base64Binary data type that contains a hash value of
+ the Signed Bytes of the target electronic signature. This
+ parameter MUST be present.
+
+3.2.6. SignedDataReference Claims Object Class
+
+ The sig_data_ref parameter in the Signature object class uses the
+ SignedDataReference object class. The SignedDataReference object
+ provides information used to verify the target electronic signature
+ references to Signed Data as well as to verify the integrity of all
+ data that is signed by the target signature, and it contains the
+ following parameters:
+
+ "ref": A String data type that contains a reference identifier for
+ the data or data fragment covered by the target electronic
+ signature. This parameter MUST be present.
+
+ "hash": A Base64Binary data type that contains the hash value for
+ the data covered by the target electronic signature. This
+ parameter MUST be present.
+
+3.2.7. PolicyValidation Claims Object Class
+
+ The sig_val parameter in the Signature object class uses the
+ PolicyValidation object class. The PolicyValidation object provides
+ information about the result of a validation process according to a
+ specific policy, and it contains the following parameters:
+
+ "pol": A StringOrURI data type that contains the identifier of the
+ policy governing the electronic signature verification process.
+ This parameter MUST be present.
+
+ "res": A String data type that contains the result of the electronic
+ signature verification process. The value MUST be one of
+ "PASSED", "FAILED", or "INDETERMINATE" as defined by
+ [ETSI319102-1]. This parameter MUST be present.
+
+ "msg": A String data type that contains a message describing the
+ result. Inclusion of this parameter is OPTIONAL.
+
+ "ext": A MAP<String> data type that provides additional claims
+ related to the target signature. Extension claims are added at
+ the discretion of the SVT issuer; however, extension claims MUST
+ follow any conventions defined in a profile of this specification
+ (see Section 4). Inclusion of this parameter is OPTIONAL.
+
+3.2.8. TimeValidation Claims Object Class
+
+ The time_val parameter in the Signature object class uses the
+ TimeValidation object class. The TimeValidation claims object
+ provides information about the result of validating evidence of time
+ asserting that the target signature existed at a particular time in
+ the past. Evidence of time is typically a timestamp according to
+ [RFC3161], but other types of evidence may be used such as a
+ previously issued SVT for this signature. The TimeValidation claims
+ object contains the following parameters:
+
+ "time": A NumericDate data type that contains the verified time.
+ This parameter MUST be present.
+
+ "type": A StringOrURI data type that contains an identifier of the
+ type of evidence of time. This parameter MUST be present.
+
+ "iss": A StringOrURI data type that contains an identifier of the
+ entity that issued the evidence of time. This parameter MUST be
+ present.
+
+ "id": A String data type that contains an unique identifier assigned
+ to the evidence of time. Inclusion of this parameter is OPTIONAL.
+
+ "hash": A Base64Binary data type that contains the hash value of the
+ validated evidence of time. Inclusion of this parameter is
+ OPTIONAL.
+
+ "val": An [Object<PolicyValidation>] data type that contains an
+ array of results of the time evidence validation according to
+ defined validation procedures. Inclusion of this parameter is
+ OPTIONAL.
+
+ "ext": A MAP<String> data type that provides additional claims
+ related to the target signature. Extension claims are added at
+ the discretion of the SVT issuer; however, extension claims MUST
+ follow any conventions defined in a profile of this specification
+ (see Section 4). Inclusion of this parameter is OPTIONAL.
+
+3.2.9. CertReference Claims Object Class
+
+ The signer_cert_ref parameter in the Signature object class uses the
+ CertReference object class. The CertReference object references a
+ single X.509 certificate or a X.509 certification path either by
+ providing the certificate data or by providing hash references for
+ certificates that can be located in the target electronic signature,
+ and it contains the following parameters:
+
+ "type": A StringOrURI data type that contains an identifier of the
+ type of reference. The type identifier MUST be one of the
+ identifiers defined below, an identifier specified by the selected
+ profile, or a URI identifier. This parameter MUST be present.
+
+ "ref": A [String] data type that contains an array of string
+ parameters according to conventions defined by the type
+ identifier. At least one parameter MUST be present.
+
+ The following type identifiers are defined:
+
+ "chain": The ref contains an array of Base64-encoded X.509
+ certificates [RFC5280]. The certificates MUST be provided in the
+ order starting with the end entity certificate. Any following
+ certificate must be able to validate the signature on the previous
+ certificate in the array.
+
+ "chain_hash": The ref contains an array of one or more
+ Base64-encoded hash values where each hash value is a hash over a
+ X.509 certificate [RFC5280] used to validate the signature. The
+ certificates MUST be provided in the order starting with the end
+ entity certificate. Any following certificate must be able to
+ validate the signature on the previous certificate in the array.
+ This option MUST NOT be used unless all hashed certificates are
+ present in the target electronic signature.
+
+ Note: All certificates referenced using the identifiers above are
+ X.509 certificates. Profiles of this specification MAY define
+ alternative types of public key containers; however, a major function
+ of these referenced certificates is not just to reference the public
+ key but also to provide the subject name of the signer. It is
+ therefore important for the full function of an SVT that the
+ referenced public key container also provides the means to identify
+ the signer.
+
+3.2.10. SVT JOSE Header
+
+ The SVT JWT MUST contain the following JSON Object Signing and
+ Encryption (JOSE) header parameters in accordance with Section 5 of
+ [RFC7519]:
+
+ "typ": This parameter MUST have the string value "JWT" (upper case).
+
+ "alg": This parameter identifies the algorithm used to sign the SVT
+ JWT. The algorithm identifier MUST be specified in [RFC7518] or
+ the IANA "JSON Web Signature and Encryption Algorithms" registry
+ [IANA-JOSE-REG]. The specified signature hash algorithm MUST be
+ identical to the hash algorithm specified in the hash_algo
+ parameter of the SigValidation object within the sig_val_claims
+ claim.
+
+ The SVT header MUST contain a public key or a reference to a public
+ key used to verify the signature on the SVT in accordance with
+ [RFC7515]. Each profile, as discussed in Section 4, MUST define the
+ requirements for how the key or key reference is included in the
+ header.
+
+4. Profiles
+
+ Each signed document and signature type will have to define the
+ precise content and use of several claims in the SVT.
+
+ At a minimum, each profile MUST define:
+
+ * The identifier of the profile
+
+ * How to reference the Signed Data content of the signed document
+
+ * How to reference the target electronic signature and the Signed
+ Bytes of the signature
+
+ * How to reference certificates supporting each electronic signature
+
+ * How to include public keys or references to public keys in the SVT
+
+ * Whether each electronic signature is supported by a single SVT, or
+ one SVT may support multiple electronic signatures of the same
+ document
+
+ A profile MAY also define:
+
+ * Explicit information on how to perform signature validation based
+ on an SVT
+
+ * How to attach an SVT to an electronic signature or signed document
+
+4.1. Defined Profiles
+
+ The following profiles are defined in appendixes of this document:
+
+ Appendix A: XML Signature Profile
+
+ Appendix B: PDF Signature Profile
+
+ Appendix C: JWS Profile
+
+ Other documents MAY define other profiles that MAY complement, amend,
+ or supersede these profiles.
+
+5. Signature Verification with an SVT
+
+ Signature verification based on an SVT MUST follow these steps:
+
+ 1. Locate all available SVTs available for the signed document that
+ are relevant for the target electronic signature.
+
+ 2. Select the most recent SVT that can be successfully validated and
+ meets the requirement of the relying party.
+
+ 3. Verify the integrity of the signature and the Signed Bytes of the
+ target electronic signature using the sig_ref claim.
+
+ 4. Verify that the Signed Data reference in the original electronic
+ signature matches the reference values in the sig_data_ref claim.
+
+ 5. Verify the integrity of referenced Signed Data using provided
+ hash values in the sig_data_ref claim.
+
+ 6. Obtain the verified certificates supporting the asserted
+ electronic signature verification through the signer_cert_ref
+ claim.
+
+ 7. Verify that signature validation policy results satisfy the
+ requirements of the relying party.
+
+ 8. Verify that verified time results satisfy the context for the use
+ of the signed document.
+
+ After successfully performing these steps, signature validity is
+ established as well as the trusted signer certificate binding the
+ identity of the signer to the electronic signature.
+
+6. IANA Considerations
+
+6.1. Claim Names Registration
+
+ IANA has registered the "sig_val_claims" claim name in the "JSON Web
+ Token Claims" registry established by Section 10.1 of [RFC7519].
+
+6.1.1. Registry Contents
+
+ Claim Name: sig_val_claims
+
+ Claim Description: Signature Validation Token
+
+ Change Controller: IESG
+
+ Specification Document(s): Section 3.2.3 of RFC 9321
+
+6.2. Header Parameter Names Registration
+
+ IANA has registered the "svt" Header Parameter in the "JSON Web
+ Signature and Encryption Header Parameters" registry established by
+ [RFC7515].
+
+6.2.1. Registry Contents
+
+ Header Parameter Name: svt
+
+ Header Parameter Description: Signature Validation Token
+
+ Header Parameter Usage Location(s): JWS
+
+ Change Controller: IESG
+
+ Specification Document(s): Appendix C.1.1 of RFC 9321
+
+7. Security Considerations
+
+7.1. Level of Reliance
+
+ An SVT allows a signature verifier to still validate the original
+ signature using the original signature data and to use the
+ information in the SVT selectively to confirm the validity and
+ integrity of the original data, such as confirming the integrity of
+ Signed Data or the validity of the signer's certificate, etc.
+
+ Another way to use an SVT is to completely rely on the validation
+ conclusion provided by the SVT and to omit revalidation of the
+ original signature value and original certificate status checking
+ data.
+
+ This choice is a decision made by the verifier according to its own
+ policy and risk assessment.
+
+ However, even when relying on the SVT validation conclusion of an
+ SVT, it is vital to still verify that the present SVT is correctly
+ associated with the document and signature that is being validated by
+ validating the hashed reference data in the SVT of the signature,
+ signing certificate chain, Signed Data, and the Signed Bytes.
+
+7.2. Aging Algorithms
+
+ Even if the SVT provides protection against algorithms becoming
+ weakened or broken over time, this protection is only valid for as
+ long as the algorithms used to sign the SVT are still considered
+ secure. It is advisable to reissue SVTs in cases where an algorithm
+ protecting the SVT is getting close to its end of life.
+
+ One way to increase the resistance of algorithms becoming insecure,
+ is to issue multiple SVTs for the same signature with different
+ algorithms and key lengths where one algorithm could still be secure
+ even if the corresponding algorithm used in the alternative SVT is
+ broken.
+
+8. References
+
+8.1. Normative References
+
+ [CADES] ETSI, "Electronic Signatures and Infrastructures (ESI);
+ CAdES digital signatures; Part 1: Building blocks and
+ CAdES baseline signatures", v1.1.1, ETSI EN 319 122-1,
+ April 2016.
+
+ [ETSI319102-1]
+ ETSI, "Electronic Signatures and Infrastructures (ESI);
+ Procedures for Creation and Validation of AdES Digital
+ Signatures; Part 1: Creation and Validation", v1.1.1, ETSI
+ EN 319 102-1, May 2016.
+
+ [IANA-JOSE-REG]
+ IANA, "JSON Object Signing and Encryption (JOSE)",
+ <https://www.iana.org/assignments/jose/>.
+
+ [ISOPDF2] ISO, "Document management -- Portable document format --
+ Part 2: PDF 2.0", ISO 32000-2:2020, December 2020.
+
+ [PADES] ETSI, "Electronic Signatures and Infrastructures (ESI);
+ PAdES digital signatures; Part 1: Building blocks and
+ PAdES baseline signatures", v1.1.1, ETSI EN 319 142-1,
+ April 2016.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC3125] Ross, J., Pinkas, D., and N. Pope, "Electronic Signature
+ Policies", RFC 3125, DOI 10.17487/RFC3125, September 2001,
+ <https://www.rfc-editor.org/info/rfc3125>.
+
+ [RFC3161] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato,
+ "Internet X.509 Public Key Infrastructure Time-Stamp
+ Protocol (TSP)", RFC 3161, DOI 10.17487/RFC3161, August
+ 2001, <https://www.rfc-editor.org/info/rfc3161>.
+
+ [RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
+ Wu, "Internet X.509 Public Key Infrastructure Certificate
+ Policy and Certification Practices Framework", RFC 3647,
+ DOI 10.17487/RFC3647, November 2003,
+ <https://www.rfc-editor.org/info/rfc3647>.
+
+ [RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update:
+ Adding CertID Algorithm Agility", RFC 5035,
+ DOI 10.17487/RFC5035, August 2007,
+ <https://www.rfc-editor.org/info/rfc5035>.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
+ <https://www.rfc-editor.org/info/rfc5280>.
+
+ [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
+ RFC 5652, DOI 10.17487/RFC5652, September 2009,
+ <https://www.rfc-editor.org/info/rfc5652>.
+
+ [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
+ Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
+ 2015, <https://www.rfc-editor.org/info/rfc7515>.
+
+ [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
+ DOI 10.17487/RFC7518, May 2015,
+ <https://www.rfc-editor.org/info/rfc7518>.
+
+ [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
+ (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
+ <https://www.rfc-editor.org/info/rfc7519>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC9231] Eastlake 3rd, D., "Additional XML Security Uniform
+ Resource Identifiers (URIs)", RFC 9231,
+ DOI 10.17487/RFC9231, July 2022,
+ <https://www.rfc-editor.org/info/rfc9231>.
+
+ [XADES] ETSI, "Electronic Signatures and Infrastructures (ESI);
+ XAdES digital signatures; Part 1: Building blocks and
+ XAdES baseline signatures", v1.1.1, ETSI EN 319 132-1,
+ April 2016.
+
+ [XMLDSIG11]
+ Eastlake 3rd, D., Reagle, J., Solo, D., Hirsch, F.,
+ Nystrom, M., Roessler, T., and K. Yiu, "XML Signature
+ Syntax and Processing Version 1.1", W3C Proposed
+ Recommendation, April 2013. Latest version available at
+ https://www.w3.org/TR/xmldsig- core1/.
+
+8.2. Informative References
+
+ [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
+ Definition Language (CDDL): A Notational Convention to
+ Express Concise Binary Object Representation (CBOR) and
+ JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
+ June 2019, <https://www.rfc-editor.org/info/rfc8610>.
+
+Appendix A. XML Signature Profile
+
+ This appendix defines a profile for implementing SVTs with a signed
+ XML document and defines the following aspects of SVT usage:
+
+ * How to include reference data related to XML signatures and XML
+ documents in an SVT
+
+ * How to add an SVT token to an XML signature
+
+ XML documents can have any number of signature elements, signing an
+ arbitrary number of fragments of XML documents. The actual signature
+ element may be included in the signed XML document (enveloped),
+ include the Signed Data (enveloping), or may be separate from the
+ signed content (detached).
+
+ To provide a generic solution for any type of XML signature, an SVT
+ is added to each XML signature element within the XML signature
+ <ds:Object> element.
+
+A.1. Notation
+
+A.1.1. References to XML Elements from XML Schemas
+
+ When referring to elements from the W3C XML Signature namespace
+ (https://www.w3.org/2000/09/xmldsig#), the following syntax is used:
+
+ * <ds:Signature>
+
+ When referring to elements from the ETSI XAdES XML Signature
+ namespace (https://uri.etsi.org/01903/v1.3.2#), the following syntax
+ is used:
+
+ * <xades:CertDigest>
+
+ When referring to elements defined in this specification
+ (http://id.swedenconnect.se/svt/1.0/sig-prop/ns), the following
+ syntax is used:
+
+ * <svt:Element>
+
+A.2. SVT in XML Documents
+
+ When SVTs are provided for XML signatures, then one SVT MUST be
+ provided for each XML signature.
+
+ An SVT embedded within the XML signature element MUST be placed in a
+ <svt:SignatureValidationToken> element as defined in Appendix A.2.1.
+
+A.2.1. SignatureValidationToken Signature Property
+
+ The <svt:SignatureValidationToken> element MUST be placed in a
+ <ds:SignatureProperty> element in accordance with [XMLDSIG11]. The
+ <ds:SignatureProperty> element MUST be placed inside a
+ <ds:SignatureProperties> element inside a <ds:Object> element inside
+ a <ds:Signature> element.
+
+ Note: [XMLDSIG11] requires the Target attribute to be present in
+ <ds:SignatureProperty>, referencing the signature targeted by this
+ signature property. If an SVT is added to a signature that does not
+ have an Id attribute, implementations SHOULD add an Id attribute to
+ the <ds:Signature> element and reference that Id in the Target
+ attribute. This Id attribute and Target attribute value matching is
+ required by the [XMLDSIG11] standard, but it is redundant in the
+ context of SVT validation as the SVT already contains information
+ that uniquely identifies the target signature. Validation
+ applications SHOULD NOT reject an SVT token because of Id and Target
+ attribute mismatch and MUST rely on matching against a signature
+ using signed information in the SVT itself.
+
+ The <svt:SignatureValidationToken> element is defined by the
+ following XML Schema:
+
+ <?xml version="1.0" encoding="UTF-8"?>
+ <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ elementFormDefault="qualified"
+ targetNamespace="http://id.swedenconnect.se/svt/1.0/sig-prop/ns"
+ xmlns:svt="http://id.swedenconnect.se/svt/1.0/sig-prop/ns">
+
+ <xs:element name="SignatureValidationToken"
+ type="svt:SignatureValidationTokenType" />
+
+ <xs:complexType name="SignatureValidationTokenType">
+ <xs:simpleContent>
+ <xs:extension base="xs:string">
+ </xs:extension>
+ </xs:simpleContent>
+ </xs:complexType>
+
+ </xs:schema>
+
+ The SVT token MUST be included as a string representation of the SVT
+ JWT. Note that this is the string representation of the JWT without
+ further encoding. The SVT MUST NOT be represented by the
+ Base64-encoded bytes of the JWT string.
+
+ Example:
+
+ <ds:Signature Id="MySignatureId">
+ ...
+ <ds:Object>
+ <ds:SignatureProperties>
+ <ds:SignatureProperty Target="#MySignatureId">
+ <svt:SignatureValidationToken>
+ eyJ0eXAiOiJKV1QiLCJhb...2aNZ
+ </svt:SignatureValidationToken>
+ </ds:SignatureProperty>
+ </ds:SignatureProperties>
+ </ds:Object>
+ </ds:Signature>
+
+A.2.2. Multiple SVTs in an XML Signature
+
+ If a new SVT is stored in a signature that already contains a
+ previously issued SVT, implementations can choose either to replace
+ the existing SVT or to store the new SVT in addition to the existing
+ SVT.
+
+ If the new SVT is stored in addition to the old SVT, it SHOULD be
+ stored in a new <ds:SignatureProperty> element inside the existing
+ <ds:SignatureProperties> element where the old SVT is located.
+
+ For interoperability robustness, signature validation applications
+ MUST be able to handle signatures where the new SVT is located in a
+ new <ds:Object> element.
+
+A.3. XML Signature SVT Claims
+
+A.3.1. XML Profile Identifier
+
+ When this profile is used, the SigValidation object MUST contain a
+ "profile" claim with the value "XML".
+
+A.3.2. XML Signature Reference Data
+
+ The SVT Signature object MUST contain a "sig_ref" claim (SigReference
+ object) with the following elements:
+
+ "id": The Id-attribute of the XML signature, if present.
+
+ "sig_hash": The hash over the signature value bytes.
+
+ "sb_hash": The hash over the canonicalized <ds:SignedInfo> element
+ (the bytes the XML signature algorithm has signed to generate the
+ signature value).
+
+A.3.3. XML Signed Data Reference Data
+
+ The SVT Signature object MUST contain one instance of the "sig_data"
+ claim (SignedData object) for each <ds:Reference> element in the
+ <ds:SignedInfo> element. The "sig_data" claim MUST contain the
+ following elements:
+
+ "ref": The value of the URI attribute of the corresponding
+ <ds:Reference> element.
+
+ "hash": The hash of all bytes that were identified by the
+ corresponding <ds:Reference> element after applying all identified
+ canonicalization and transformation algorithms. These are the
+ same bytes that are hashed by the hash value in the
+ <ds:DigestValue> element inside the <ds:Reference> element.
+
+A.3.4. XML Signer Certificate References
+
+ The SVT Signature object MUST contain a "signer_cert_ref" claim
+ (CertReference object). The "type" parameter of the
+ "signer_cert_ref" claim MUST be either "chain" or "chain_hash".
+
+ * The "chain" type MUST be used when signature validation was
+ performed using one or more certificates where some or all of the
+ certificates in the chain are not present in the target signature.
+
+ * The "chain_hash" type MUST be used when signature validation was
+ performed using one or more certificates where all of the
+ certificates are present in the target signature.
+
+A.4. JOSE Header
+
+A.4.1. SVT Signing Key Reference
+
+ The SVT JOSE header for XML signatures must contain one of the
+ following header parameters in accordance with [RFC7515] for storing
+ a reference to the public key used to verify the signature on the
+ SVT:
+
+ "x5c": Holds an X.509 certificate [RFC5280] or a chain of
+ certificates. The certificate holding the public key that
+ verifies the signature on the SVT MUST be the first certificate in
+ the chain.
+
+ "kid": A key identifier holding the Base64-encoded hash value of the
+ certificate that can verify the signature on the SVT. The hash
+ algorithm MUST be the same hash algorithm used when signing the
+ SVT as specified by the "alg" Header Parameter.
+
+Appendix B. PDF Signature Profile
+
+ This appendix defines a profile for implementing SVTs with a signed
+ PDF document, and it defines the following aspects of SVT usage:
+
+ * How to include reference data related to PDF signatures and PDF
+ documents in an SVT.
+
+ * How to add an SVT token to a PDF document.
+
+ PDF document signatures are added as incremental updates to the
+ signed PDF document and signs all data of the PDF document up until
+ the current signature. When more than one signature is added to a
+ PDF document the previous signature is signed by the next signature
+ and can not be updated with additional data after this event.
+
+ To minimize the impact on PDF documents with multiple signatures and
+ to stay backwards compatible with PDF software that does not
+ understand SVTs, PDF documents add one SVT token for all signatures
+ of the PDF as an extension to a document timestamp added to the
+ signed PDF as an incremental update. This SVT covers all signatures
+ of the signed PDF.
+
+B.1. SVTs in PDF Documents
+
+ The SVT for a signed PDF document MAY provide signature validation
+ information about any of the present signatures in the PDF. The SVT
+ MUST contain a separate "sig" claim (Signature object) for each
+ signature on the PDF that is covered by the SVT.
+
+ An SVT added to a signed PDF document MUST be added to a document
+ timestamp in accordance with ISO 32000-2:2020 [ISOPDF2].
+
+ The document timestamp contains an [RFC3161] timestamp token
+ (TSTInfo) in EncapsulatedContentInfo of the CMS signature. The SVT
+ MUST be added to the timestamp token (TSTInfo) as an Extension object
+ as defined in Appendix B.1.1.
+
+B.1.1. SVT Extension to Timestamp Tokens
+
+ The SVT extension is an Extension suitable to be included in TSTInfo
+ as defined by [RFC3161].
+
+ The SVT extension is identified by the Object Identifier (OID)
+ 1.2.752.201.5.2.
+
+ This extension data (OCTET STRING) holds the bytes of SVT JWT,
+ represented as a UTF-8-encoded string.
+
+ This extension MUST NOT be marked critical.
+
+ Note: Extensions in timestamp tokens according to [RFC3161] are
+ imported from the definition of the X.509 certificate extensions
+ defined in [RFC5280].
+
+B.2. PDF Signature SVT Claims
+
+B.2.1. PDF Profile Identifier
+
+ When this profile is used, the SigValidation object MUST contain a
+ "profile" claim with the value "PDF".
+
+B.2.2. PDF Signature Reference Data
+
+ The SVT Signature object MUST contain a "sig_ref" claim (SigReference
+ object) with the following elements:
+
+ "id": Absent or a Null value.
+
+ "sig_hash": The hash over the signature value bytes.
+
+ "sb_hash": The hash over the DER-encoded SignedAttributes in
+ SignerInfo.
+
+B.2.3. PDF Signed Data Reference Data
+
+ The SVT Signature object MUST contain one instance of the "sig_data"
+ claim (SignedData object) with the following elements:
+
+ "ref": The string representation of the ByteRange value of the PDF
+ signature dictionary of the target signature. This is a sequence
+ of integers separated by space where each integer pair specifies
+ the start index and length of a byte range.
+
+ "hash": The hash of all bytes identified by the ByteRange value.
+ This is the concatenation of all byte ranges identified by the
+ ByteRange value.
+
+B.2.4. PDF Signer Certificate References
+
+ The SVT Signature object MUST contain a "signer_cert_ref" claim
+ (CertReference object). The "type" parameter of the
+ "signer_cert_ref" claim MUST be either "chain" or "chain_hash".
+
+ * The "chain" type MUST be used when signature validation was
+ performed using one or more certificates where some or all of the
+ certificates in the chain are not present in the target signature.
+
+ * The "chain_hash" type MUST be used when signature validation was
+ performed using one or more certificates where all of the
+ certificates are present in the target signature.
+
+ Note: The referenced signer certificate MUST match any certificates
+ referenced using ESSCertID or ESSCertIDv2 from [RFC5035].
+
+B.3. JOSE Header
+
+B.3.1. SVT Signing Key Reference
+
+ The SVT JOSE header must contain one of the following header
+ parameters in accordance with [RFC7515] for storing a reference to
+ the public key used to verify the signature on the SVT:
+
+ "x5c": Holds an X.509 certificate [RFC5280] or a chain of
+ certificates. The certificate holding the public key that
+ verifies the signature on the SVT MUST be the first certificate in
+ the chain.
+
+ "kid": A key identifier holding the Base64-encoded hash value of the
+ certificate that can verify the signature on the SVT. The hash
+ algorithm MUST be the same hash algorithm used when signing the
+ SVT as specified by the "alg" Header Parameter. The referenced
+ certificate SHOULD be the same certificate that was used to sign
+ the document timestamp that contains the SVT.
+
+Appendix C. JWS Profile
+
+ This appendix defines a profile for implementing SVTs with a JWS
+ signed payload according to [RFC7515], and it defines the following
+ aspects of SVT usage:
+
+ * How to include reference data related to JWS signatures in an SVT.
+
+ * How to add an SVT token to JWS signatures.
+
+ A JWS may have one or more signatures, depending on its serialization
+ format, signing the same payload data. A JWS either contains the
+ data to be signed (enveloping) or may sign any externally associated
+ payload data (detached).
+
+ To provide a generic solution for JWS, an SVT is added to each
+ present signature as a JWS Unprotected Header. If a JWS includes
+ multiple signatures, then each signature includes its own SVT.
+
+C.1. SVT in JWS
+
+ An SVT token MAY be added to any signature of a JWS to support
+ validation of that signature. If more than one signature is present,
+ then each present SVT MUST provide information exclusively related to
+ one associated signature and MUST NOT include information about any
+ other signature in the JWS.
+
+ Each SVT is stored in its associated signature's "svt" header as
+ defined in Appendix C.1.1.
+
+C.1.1. "svt" Header Parameter
+
+ The "svt" (Signature Validation Token) Header Parameter is used to
+ contain an array of SVT tokens to support validation of the
+ associated signature. Each SVT token in the array has the format of
+ a JWT as defined in [RFC7519] and is stored using its natural string
+ representation without further wrapping or encoding.
+
+ The "svt" Header Parameter, when used, MUST be included as a JWS
+ Unprotected Header.
+
+ Note: A JWS Unprotected Header is not supported with JWS Compact
+ Serialization. A consequence of adding an SVT token to a JWS is
+ therefore that JWS JSON Serialization MUST be used either in the form
+ of general JWS JSON Serialization (for one or more signatures) or in
+ the form of flattened JWS JSON Serialization (optionally used when
+ only one signature is present in the JWS).
+
+C.1.2. Multiple SVTs in a JWS Signature
+
+ If a new SVT is stored in a signature that already contains a
+ previously issued SVT, implementations can choose either to replace
+ the existing SVT or to store the new SVT in addition to the existing
+ SVT.
+
+ If a JWS signature already contains an array of SVTs and a new SVT is
+ to be added, then the new SVT MUST be added to the array of SVT
+ tokens in the existing "svt" Header Parameter.
+
+C.2. JWS Signature SVT Claims
+
+C.2.1. JWS Profile Identifier
+
+ When this profile is used, the SigValidation object MUST contain a
+ "profile" claim with the value "JWS".
+
+C.2.2. JWS Signature Reference Data
+
+ The SVT Signature object MUST contain a "sig_ref" claim (SigReference
+ object) with the following elements:
+
+ "sig_hash": The hash over the associated signature value (the bytes
+ of the base64url-decoded signature parameter).
+
+ "sb_hash": The hash over all bytes signed by the associated
+ signature (the JWS Signing Input according to [RFC7515]).
+
+C.2.3. JWS Signed Data Reference Data
+
+ The SVT Signature object MUST contain one instance of the "sig_data"
+ claim (SignedData object) with the following elements:
+
+ "ref": This parameter MUST hold one of the following three possible
+ values:
+
+ 1. The explicit string value "payload" if the signed JWS Payload
+ is embedded in a "payload" member of the JWS.
+
+ 2. The explicit string value "detached" if the JWS signs detached
+ payload data without explicit reference.
+
+ 3. A URI that can be used to identify or fetch the detached
+ Signed Data. The means to determine the URI for the detached
+ Signed Data is outside the scope of this specification.
+
+ "hash": The hash over the JWS Payload data bytes (not its base64url-
+ encoded string representation).
+
+C.2.4. JWS Signer Certificate References
+
+ The SVT Signature object MUST contain a "signer_cert_ref" claim
+ (CertReference object). The "type" parameter of the
+ "signer_cert_ref" claim MUST be either "chain" or "chain_hash".
+
+ * The "chain" type MUST be used when signature validation was
+ performed using one or more certificates where some or all of the
+ certificates in the chain are not present in the target signature.
+
+ * The "chain_hash" type MUST be used when signature validation was
+ performed using one or more certificates where all of the
+ certificates are present in the target signature JOSE header using
+ the "x5c" Header Parameter.
+
+C.3. SVT JOSE Header
+
+C.3.1. SVT Signing Key Reference
+
+ The SVT JOSE header must contain one of the following header
+ parameters in accordance with [RFC7515] for storing a reference to
+ the public key used to verify the signature on the SVT:
+
+ "x5c": Holds an X.509 certificate [RFC5280] or a chain of
+ certificates. The certificate holding the public key that
+ verifies the signature on the SVT MUST be the first certificate in
+ the chain.
+
+ "kid": A key identifier holding the Base64-encoded hash value of the
+ certificate that can verify the signature on the SVT. The hash
+ algorithm MUST be the same hash algorithm used when signing the
+ SVT as specified by the "alg" Header Parameter.
+
+Appendix D. Schemas
+
+D.1. Concise Data Definition Language (CDDL)
+
+ The following informative CDDL [RFC8610] expresses the structure of
+ an SVT token:
+
+ svt = {
+ jti: text
+ iss: text
+ iat: uint
+ ? aud: text / [* text]
+ ? exp: uint
+ sig_val_claims: SigValClaims
+ }
+
+ SigValClaims = {
+ ver: text
+ profile: text
+ hash_algo: text
+ sig: [+ Signature]
+ ? ext: Extension
+ }
+
+ Signature = {
+ sig_ref: SigReference
+ sig_data_ref: [+ SignedDataReference]
+ signer_cert_ref: CertReference
+ sig_val: [+ PolicyValidation]
+ ? time_val: [* TimeValidation]
+ ? ext: Extension
+ }
+
+ SigReference = {
+ ? id: text / null
+ sig_hash: binary-value
+ sb_hash: binary-value
+ }
+
+ SignedDataReference = {
+ ref: text
+ hash: binary-value
+ }
+
+
+ CertReference = {
+ type: "chain" / "chain_hash"
+ ref: [+ text]
+ }
+
+ PolicyValidation = {
+ pol: text
+ res: "PASSED" / "FAILED" / "INDETERMINATE"
+ ? msg: text / null
+ ? ext: Extension
+ }
+
+ TimeValidation = {
+ "time": uint
+ type: text
+ iss: text
+ ? id: text / null
+ ? hash: binary-value / null
+ ? val: [* PolicyValidation]
+ ? ext: Extension
+ }
+
+
+ Extension = {
+ + text => text
+ } / null
+
+ binary-value = text ; base64 classic with padding
+
+D.2. JSON Schema
+
+ The following informative JSON schema describes the syntax of the SVT
+ token payload.
+
+ {
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "title": "Signature Validation Token JSON Schema",
+ "description": "Schema defining the payload format for SVTs",
+ "type": "object",
+ "required": [
+ "jti",
+ "iss",
+ "iat",
+ "sig_val_claims"
+ ],
+ "properties": {
+ "jti": {
+ "description": "JWT ID",
+ "type": "string"
+ },
+ "iss": {
+ "description": "Issuer",
+ "type": "string"
+ },
+ "iat": {
+ "description": "Issued At",
+ "type": "integer"
+ },
+ "aud": {
+ "description": "Audience",
+ "type": [
+ "string",
+ "array"
+ ],
+ "items": {"type": "string"}
+ },
+ "exp": {
+ "description": "Expiration time (seconds since epoch)",
+ "type": "integer"
+ },
+ "sig_val_claims": {
+ "description": "Signature validation claims",
+ "type": "object",
+ "required": [
+ "ver",
+ "profile",
+ "hash_algo",
+ "sig"
+ ],
+ "properties": {
+ "ver": {
+ "description": "Version",
+ "type": "string"
+ },
+ "profile": {
+ "description": "Implementation profile",
+ "type": "string"
+ },
+ "hash_algo": {
+ "description": "Hash algorithm URI",
+ "type": "string"
+ },
+ "sig": {
+ "description": "Validated signatures",
+ "type": "array",
+ "items": {
+ "$ref": "#/$def/Signature"
+ },
+ "minItems": 1
+ },
+ "ext": {
+ "description": "Extension map",
+ "$ref": "#/$def/Extension"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false,
+ "$def": {
+ "Signature":{
+ "type": "object",
+ "required": [
+ "sig_ref",
+ "sig_data_ref",
+ "signer_cert_ref",
+ "sig_val"
+ ],
+ "properties": {
+ "sig_ref": {
+ "description": "Signature Reference",
+ "$ref": "#/$def/SigReference"
+ },
+ "sig_data_ref": {
+ "description": "Signed data array",
+ "type": "array",
+ "items": {
+ "$ref" : "#/$def/SignedDataReference"
+ },
+ "minItems": 1
+ },
+ "signer_cert_ref": {
+ "description": "Signer certificate reference",
+ "$ref": "#/$def/CertReference"
+ },
+ "sig_val": {
+ "description": "Signature validation results",
+ "type": "array",
+ "items": {
+ "$ref": "#/$def/PolicyValidation"
+ },
+ "minItems": 1
+ },
+ "time_val": {
+ "description": "Time validations",
+ "type": "array",
+ "items": {
+ "$ref": "#/$def/TimeValidation"
+ }
+ },
+ "ext": {
+ "description": "Extension map",
+ "$ref": "#/$def/Extension"
+ }
+ },
+ "additionalProperties": false
+ },
+ "SigReference":{
+ "type": "object",
+ "required": [
+ "sig_hash",
+ "sb_hash"
+ ],
+ "properties": {
+ "sig_hash": {
+ "description": "Hash of the signature value",
+ "type": "string",
+ "format": "base64"
+ },
+ "sb_hash": {
+ "description": "Hash of the Signed Bytes",
+ "type": "string",
+ "format": "base64"
+ },
+ "id": {
+ "description": "Signature ID reference",
+ "type": ["string","null"]
+ }
+ },
+ "additionalProperties": false
+ },
+ "SignedDataReference": {
+ "type": "object",
+ "required": [
+ "ref",
+ "hash"
+ ],
+ "properties": {
+ "ref": {
+ "description": "Reference to the signed data",
+ "type": "string"
+ },
+ "hash": {
+ "description": "Signed data hash",
+ "type": "string",
+ "format": "base64"
+ }
+ },
+ "additionalProperties": false
+ },
+ "CertReference":{
+ "type": "object",
+ "required": [
+ "type",
+ "ref"
+ ],
+ "properties": {
+ "type": {
+ "description": "Type of certificate reference",
+ "type": "string",
+ "enum": ["chain","chain_hash"]
+ },
+ "ref": {
+ "description": "Certificate reference data",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "base64"
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ },
+ "PolicyValidation":{
+ "type": "object",
+ "required": [
+ "pol",
+ "res"
+ ],
+ "properties": {
+ "pol": {
+ "description": "Policy identifier",
+ "type": "string"
+ },
+ "res": {
+ "description": "Signature validation result",
+ "type": "string",
+ "enum": ["PASSED","FAILED","INDETERMINATE"]
+ },
+ "msg": {
+ "description": "Message",
+ "type": ["string","null"]
+ },
+ "ext": {
+ "description": "Extension map",
+ "$ref": "#/$def/Extension"
+ }
+ },
+ "additionalProperties": false
+ },
+ "TimeValidation":{
+ "type": "object",
+ "required": [
+ "time",
+ "type",
+ "iss"
+ ],
+ "properties": {
+ "time": {
+ "description": "Verified time",
+ "type": "integer"
+ },
+ "type": {
+ "description": "Type of time validation proof",
+ "type": "string"
+ },
+ "iss": {
+ "description": "Issuer of the time proof",
+ "type": "string"
+ },
+ "id": {
+ "description": "Time evidence identifier",
+ "type": ["string","null"]
+
+ },
+ "hash": {
+ "description": "Hash of time evidence",
+ "type": ["string","null"],
+ "format": "base64"
+ },
+ "val": {
+ "description": "Validation result",
+ "type": "array",
+ "items": {
+ "$ref": "#/$def/PolicyValidation"
+ }
+ },
+ "ext": {
+ "description": "Extension map",
+ "$ref": "#/$def/Extension"
+ }
+ },
+ "additionalProperties": false
+ },
+ "Extension": {
+ "description": "Extension map",
+ "type": ["object","null"],
+ "required": [],
+ "additionalProperties": {
+ "type": "string"
+ }
+ }
+ }
+ }
+
+Appendix E. Examples
+
+ The following example illustrates a basic SVT according to this
+ specification issued for a signed PDF document.
+
+ Note: Line breaks in the decoded example are inserted for
+ readability. Line breaks are not allowed in valid JSON data.
+
+ Signature validation token JWT:
+
+ eyJraWQiOiJPZW5JKzQzNEpoYnZmRG50ZlZcLzhyT3hHN0ZrdnlqYUtWSmFWcUlG
+ QlhvaFZoQWU1Zks4YW5vdjFTNjg4cjdLYmFsK2Z2cGFIMWo4aWJnNTJRQnkxUFE9
+ PSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJhdWQiOiJodHRwOlwvXC9l
+ eGFtcGxlLmNvbVwvYXVkaWVuY2UxIiwiaXNzIjoiaHR0cHM6XC9cL3N3ZWRlbmNv
+ bm5lY3Quc2VcL3ZhbGlkYXRvciIsImlhdCI6MTYwMzQ1ODQyMSwianRpIjoiNGQx
+ Mzk2ZjFmZjcyOGY0MGQ1MjQwM2I2MWM1NzQ0ODYiLCJzaWdfdmFsX2NsYWltcyI6
+ eyJzaWciOlt7ImV4dCI6bnVsbCwic2lnX3ZhbCI6W3sibXNnIjoiT0siLCJleHQi
+ Om51bGwsInJlcyI6IlBBU1NFRCIsInBvbCI6Imh0dHA6XC9cL2lkLnN3ZWRlbmNv
+ bm5lY3Quc2VcL3N2dFwvc2lndmFsLXBvbGljeVwvdHMtcGtpeFwvMDEifV0sInNp
+ Z19yZWYiOnsic2lnX2hhc2giOiJ5Y2VQVkxJemRjcEs5N0lZT2hGSWYxbnk3OUht
+ SUNiU1Z6SWVaTmJpem83ckdJd0hOTjB6WElTeUtHakN2bm9uT2FRR2ZMXC9QM3ZE
+ dEI4OHlLU1dlWGc9PSIsImlkIjoiaWQtNzM5ODljNmZjMDYzNjM2YWI1ZTc1M2Yx
+ MGY3NTc0NjciLCJzYl9oYXNoIjoiQm9QVjRXQ0E5c0FJYWhqSzFIYWpmRnhpK0F6
+ QzRKR1R1ZjM5VzNaV2pjekRDVVJ4ZGM5WWV0ZUh0Y3hHVmVnZ3B4SEo3NVwvY1E3
+ SE4xZERkbGl5SXdnPT0ifSwic2lnbmVyX2NlcnRfcmVmIjp7InJlZiI6WyIxK2Fh
+ SmV0ZzdyZWxFUmxVRFlFaVU0WklaaFQ0UlV2aUlRWnVLN28xR0ZLYVRQUTZ5K2t4
+ XC9QTnREcnB1cVE2WGZya0g5d1lESzRleTB5NFdyTkVybnc9PSIsImg0UER4YjVa
+ S214MWVUU3F2VnZZRzhnMzNzMDVKendCK05nRUhGVTRnYzl0cUcwa2dIa2Y2VzNv
+ THprVHd3dXJJaDZZOUFhZlpZcWMyelAycEUycDRRPT0iLCJEZDJDNXNCMElPUWVN
+ Vm5FQmtNNVE5Vzk2bUJITnd3YTJ0elhNcytMd3VZY09VdlBrcnlHUjBhUEc4Tzlu
+ SVAzbGJ3NktqUTFoRG1SazZ6Qzh4MmpkZz09Il0sInR5cGUiOiJjaGFpbl9oYXNo
+ In0sInNpZ19kYXRhX3JlZiI6W3sicmVmIjoiIiwiaGFzaCI6IkZjR3BPT2Y4aWxj
+ UHQyMUdEZDJjR25MR0R4UlM1ajdzdk00YXBwMkg0MWRERUxtMkN6Y2VUWTAybmRl
+ SmZXamludG1RMzc2SWxYVE9BcjMxeXpZenNnPT0ifSx7InJlZiI6IiN4YWRlcy0x
+ MWExNTVkOTJiZjU1Nzc0NjEzYmI3YjY2MTQ3N2NmZCIsImhhc2giOiJLUmtnYlo2
+ UFwvbmhVNjNJTWswR2lVZlVcL0RUd3ZlWWl0ZVFrd0dlSnFDNUJ6VE5WOGJRYnBl
+ ZFRUdVdKUHhxdkowUlk4NGh3bTdlWVwvZzBIckFPZWdLdz09In1dLCJ0aW1lX3Zh
+ bCI6W119XSwiZXh0IjpudWxsLCJ2ZXIiOiIxLjAiLCJwcm9maWxlIjoiWE1MIiwi
+ aGFzaF9hbGdvIjoiaHR0cDpcL1wvd3d3LnczLm9yZ1wvMjAwMVwvMDRcL3htbGVu
+ YyNzaGE1MTIifX0.TdHCoIUSZj2zMINKg7E44-8VE_mJq6TG1OoPwnYSs_hyUbuX
+ mrLJpuk8GR5YrndeOucPUYAwPxHt_f68JIQyFTi0agO9VJjn1R7Pj3Jt6WG9pYVN
+ n5LH-D1maxD11ZxxbcYeHbsstd2Sy2uMa3BdpsstGdPymSmc6GxY5uJoL0-5vwo_
+ 3l-4Bb3LCTiuxYPcmztKIbDy2hEgJ3Hx1K4HF0SHgn3InpqBev3hm2SLw3hH5BCM
+ rywBAhHYE6OGE0aOJ6ktA5UP0jIIHfaw9i1wIiJtHTaGuvtyWSLk5cshmun9Hkdk
+ kRTA75bzuq0Iyd0qh070rA8Gje-s4Tw4xzttgKx1KSkvy8n5FqvzWdsZvclCG2mY
+ Y9rMxh_7607NXcxajAP4yDOoKNs5nm937ULe0vCN8a7WTrFuiaGjry7HhzRM4C5A
+ qxbDOBXPLyoMr4qn4LRJCHxOeLZ6o3ugvDOOWsyjk3eliyBwDu8qJH7UmyicLxDc
+ Cr0hUK_kvREqjD2Z
+
+ Decoded JWT Header:
+
+ {
+ "kid":"OenI+434JhbvfDntfV\/8rOxG7FkvyjaKVJaVqIFBXohVhAe5fK8anov
+ 1S688r7Kbal+fvpaH1j8ibg52QBy1PQ==",
+ "typ":"JWT",
+ "alg":"RS512"
+ }
+
+ Decoded JWT Claims:
+
+ {
+ "aud" : "http://example.com/audience1",
+ "iss" : "https://swedenconnect.se/validator",
+ "iat" : 1603458421,
+ "jti" : "4d1396f1ff728f40d52403b61c574486",
+ "sig_val_claims" : {
+ "sig" : [ {
+ "ext" : null,
+ "sig_val" : [ {
+ "msg" : "OK",
+ "ext" : null,
+ "res" : "PASSED",
+ "pol" : "http://id.swedenconnect.se/svt/sigval-policy/
+ ts-pkix/01"
+ } ],
+ "sig_ref" : {
+ "sig_hash" : "ycePVLIzdcpK97IYOhFIf1ny79HmICbSVzIeZNbizo7rGIw
+ HNN0zXISyKGjCvnonOaQGfL/P3vDtB88yKSWeXg==",
+ "id" : "id-73989c6fc063636ab5e753f10f757467",
+ "sb_hash" : "BoPV4WCA9sAIahjK1HajfFxi+AzC4JGTuf39W3ZWjczDCURx
+ dc9YeteHtcxGVeggpxHJ75/cQ7HN1dDdliyIwg=="
+ },
+ "signer_cert_ref" : {
+ "ref" : [ "1+aaJetg7relERlUDYEiU4ZIZhT4RUviIQZuK7o1GFKaTPQ6y+
+ kx/PNtDrpuqQ6XfrkH9wYDK4ey0y4WrNErnw==",
+ "h4PDxb5ZKmx1eTSqvVvYG8g33s05JzwB+NgEHFU4gc9tqG0kgH
+ kf6W3oLzkTwwurIh6Y9AafZYqc2zP2pE2p4Q==",
+ "Dd2C5sB0IOQeMVnEBkM5Q9W96mBHNwwa2tzXMs+LwuYcOUvPkr
+ yGR0aPG8O9nIP3lbw6KjQ1hDmRk6zC8x2jdg==" ],
+ "type" : "chain_hash"
+ },
+ "sig_data_ref" : [ {
+ "ref" : "",
+ "hash" : "FcGpOOf8ilcPt21GDd2cGnLGDxRS5j7svM4app2H41dDELm2Czc
+ eTY02ndeJfWjintmQ376IlXTOAr31yzYzsg=="
+ }, {
+ "ref" : "#xades-11a155d92bf55774613bb7b661477cfd",
+ "hash" : "KRkgbZ6P/nhU63IMk0GiUfU/DTwveYiteQkwGeJqC5BzTNV8bQb
+ pedTTuWJPxqvJ0RY84hwm7eY/g0HrAOegKw=="
+ } ],
+ "time_val" : [ ]
+ } ],
+ "ext" : null,
+ "ver" : "1.0",
+ "profile" : "XML",
+ "hash_algo" : "http://www.w3.org/2001/04/xmlenc#sha512"
+ }
+ }
+
+Authors' Addresses
+
+ Stefan Santesson
+ IDsec Solutions AB
+ Forskningsbyn Ideon
+ SE-223 70 Lund
+ Sweden
+ Email: sts@aaa-sec.com
+
+
+ Russ Housley
+ Vigil Security, LLC
+ 516 Dranesville Road
+ Herndon, VA 20170
+ United States of America
+ Email: housley@vigilsec.com