1、 ISO 2014 Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES) Processus, lments dinformations et documents dans le commerce, lindustrie et ladministration Prof
2、ils de signature long terme Partie 1: Profils de signature long terme pour les signatures lectroniques avances CMS (CAdES) INTERNATIONAL STANDARD ISO 14533-1 Second edition 2014-12-01 Reference number ISO 14533-1:2014(E) ISO 14533-1:2014(E)ii ISO 2014 All rights reserved COPYRIGHT PROTECTED DOCUMENT
3、 ISO 2014 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be
4、 requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ISO 14533-1:2014(E)Contents Page F
5、oreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 Terms and definitions . 1 4 Symbols 4 5 Requirements 4 6 Long term signature profiles . 4 6.1 Defined profiles 4 6.2 Representation of the required level . 5 6.3 Standard for setting the required level 5 6.4 Action to take when an opti
6、onal element is not implemented 6 6.5 CAdES-T profile . 6 6.6 CAdES-A profile 8 6.7 Timestamp validation data 10 Annex A (normative) Suppliers declaration of conformity and its attachment 12 Annex B (normative) Structure of timestamp token 17 Bibliography .19 ISO 2014 All rights reserved iii ISO 145
7、33-1:2014(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject
8、for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) o
9、n all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees
10、are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held
11、 responsible for identifying any or all such patent rights. ISO 14533-1 was prepared by Technical Committee ISO/TC 154, Processes, data elements and documents in commerce, industry and administration. This second edition cancels and replaces the first edition (ISO 14533-1:2012), which has been techn
12、ically revised. The main changes compared with the previous edition are that Clause 6 and Annexes A and B have been technically revised with the addition of a new archive time-stamp format: archive-time- stamp-v3 (ATSv3) and an associated attribute ats-hash-index. ISO 14533 consists of the following
13、 parts, under the general title Processes, data elements and documents in commerce, industry and administration Long term signature profiles: Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES) Part 2: Long term signature profiles for XML Advanced Electronic Signature
14、s (XAdES) The following part is under preparation: Part 3: Long term signature profiles for PDF Advanced Electronic Signatures (PAdES)iv ISO 2014 All rights reserved ISO 14533-1:2014(E) Introduction The purpose of this part of ISO 14533 is to ensure the interoperability of implementations with respe
15、ct to long term signatures that make electronic signatures verifiable for a long term. Long term signature specifications referenced by each implementation cover CMS Advanced Electronic Signatures (CAdES) developed by the European Telecommunications Standards Institute (ETSI). ISO 2014 All rights re
16、served v Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES) 1 Scope This part of ISO 14533 specifies the elements, among those defined in CMS Advanced Electro
17、nic Signatures (CAdES), that enable verification of a digital signature over a long period of time. It does not give new technical specifications about the digital signature itself, nor new restrictions of usage of the technical specifications about the digital signatures which have already existed.
18、 NOTE CMS Advanced Electronic Signatures (CAdES) is the extended specification of Cryptographic message syntax (CMS), used widely. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated ref
19、erences, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ETSI/TS 101 733 v2.2.1 (2013-04), Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES) 1) 3 Terms and definitions
20、For the purposes of this document, the following terms and definitions apply. 3.1 long term signature signature that is made verifiable for a long term by implementing measures to enable the detection of illegal alterations of signature information, including the identification of signing time, the
21、subject of said signature, and validation data 3.2 profile rule used to ensure interoperability, related to the optional elements of referenced specifications, the range of values, etc. 3.3 required level level of requirement for implementing each element constituting a profile 1) Available from htt
22、p:/pda.etsi.org/pda/queryform.asp INTERNATIONAL ST ANDARD ISO 14533-1:2014(E) ISO 2014 All rights reserved 1 ISO 14533-1:2014(E) 3.4 cryptographic message syntax CMS syntax pertaining to the signature, digest, authentication, and encryption of a given message Note 1 to entry: Cryptographic message s
23、yntax is defined in IETF RFC 5652. 3.5 CMS advanced electronic signature CAdES electronic signature defined in ETSI/TS 101 733 for which the signer can be identified and any illegal data alteration detected 3.6 CAdES with time CAdES-T CMS advanced electronic signature defined in ETSI/TS 101 733 with
24、 information to ascertain signing time EXAMPLE Signature timestamp. 3.7 archival CAdES CAdES-A CMS advanced electronic signature defined in ETSI/TS 101 733 with information that enables the detection of any illegal alterations of information pertaining to the signature, including the subject of the
25、signature and validation data EXAMPLE Archive timestamp. 3.8 content information data structure that defines the content in CMS 3.9 signed data data structure that defines the signed data in CMS or related data 3.10 signerinfo data structure that defines the signature information for each signer or
26、related data 3.11 signed attribute signature information that is the subject of a signature 3.12 unsigned attribute signature information that is not the subject of a signature Note 1 to entry: The signature timestamp and archive timestamp are unsigned attributes. 3.13 validation data certificate an
27、d revocation information used to validate a signature and timestamp 3.14 timestamping authority TSA trusted third party commissioned to provide proof that certain data existed prior to a certain point in time2 ISO 2014 All rights reserved ISO 14533-1:2014(E) 3.15 timestamp token TST data object that
28、 binds a representation of a datum to a particular time, thus establishing evidence that the datum existed before that time 3.16 signature timestamp timestamp affixed to a signature value in order to identify the time when the signature existed 3.17 archive timestamp timestamp affixed to information
29、 pertaining to a signature, including the subject of the signature and validation data, in order to enable the detection of any illegal alteration 3.18 trust anchor origin of trust provided in the form of a public key certificate or public key used by the validator to validate an electronic signatur
30、e, and generally a public key certificate issued by a trusted root certification authority 3.19 trusted third party TTP security authority or its agent entrusted by another entity in connection with activities related to security 3.20 certification authority CA centre that is entrusted with the deve
31、lopment and assignment of public key certificates Note 1 to entry: Certification authorities can, at their discretion, develop and assign keys to entities. 3.21 certificate information on the publicly disclosed key as a part of an asymmetric key pair for an entity, signed by a certification authorit
32、y to prevent forgery 3.22 attribute certificate certificate containing the job, qualification, position, and other attributes and attribute values 3.23 revocation information information issued by a certification authority with respect to a certificate revocated within the effective period Note 1 to
33、 entry: This information can be collated to determine whether the certificate is still in force. 3.24 enhanced security service ESS optional enhanced service related to a signature including, but not limited to, information identifying SigningCertificate and information showing the type of signature
34、 ISO 2014 All rights reserved 3 ISO 14533-1:2014(E) 4 Symbols The following symbols are used for the “required level”. C: Conditional M: Mandatory O: Optional P: Prohibited (creation or modification) 5 Requirements 5.1 The generation or validation of CAdES-T data conforms to this part of ISO 14533 p
35、rovided that the following requirements are met: a) all processing of elements whose required level is “Mandatory” in the CAdES-T profile, as specified in this part of ISO 14533, shall be included; b) detailed specifications pertaining to the processing of any element whose required level is “Condit
36、ional” in the CAdES-T profile, as specified in this part of ISO 14533, shall be provided. 5.2 The generation or validation of CAdES-A data conforms to this part of ISO 14533 provided that the following requirements are met: a) all processing of elements whose required level is “Mandatory” in the CAd
37、ES-A profile, as specified in this part of ISO 14533, shall be included; b) detailed specifications pertaining to the processing of any element whose required level is “Conditional” in the CAdES-A profile, as specified in this part of ISO 14533, shall be provided. 5.3 If first-party conformity asses
38、sment is used, the implementer shall make a declaration of conformity to this part of ISO 14533 by disclosing the suppliers declaration of compliance and its attachment (see Annex A) containing a description of implementation status (and the specifications for any elements “Conditional”). NOTE Figur
39、e 1 shows the positioning of the generation and validation of CAdES-T data and CAdES-A data. 6 Long term signature profiles 6.1 Defined profiles In order to make electronic signatures verifiable for a long term, signing time shall be identifiable, any illegal alterations of information pertaining to
40、 signatures, including the subject of information and validation data, shall be detectable, and interoperability ensured. To meet these requirements, this part of ISO 14533 defines the following two profiles with respect to CAdES: a) CAdES-T profile: a profile pertaining to the generation and valida
41、tion of CAdES-T data; b) CAdES-A profile: a profile pertaining to the generation and validation of CAdES-A data. Figure 1 shows the relation between CAdES-T data and CAdES-A data.4 ISO 2014 All rights reserved ISO 14533-1:2014(E) Figure 1 Relation between CAdES-T data and CAdES-A data 6.2 Representa
42、tion of the required level This part of ISO 14533 defines the following representation methods for the required level (as a profile) of each element constituting CAdES-T data and CAdES-A data. a) Mandatory (M): Elements whose required level is “Mandatory” shall be implemented without fail. If such a
43、n element has optional subelements, at least one subelement shall be selected. Any element whose required level is “Mandatory” and is one of the subelements of an optional element shall be selected whenever the optional element is selected. b) Optional (O): Elements whose required level is “Optional
44、” may be implemented at the discretion of the implementer. c) Conditional (C): Elements whose required level is “Conditional” may be implemented at the discretion of the implementer, provided that detailed specifications for the processing thereof are provided separately. d) Prohibited (P): Elements
45、 whose required level is Prohibited shall not be created or modified, may be read. 6.3 Standard for setting the required level The required level of each element constituting CAdES- T data and CAdES-A data shall be set in accordance with the following requirements. a) The required level shall be “Ma
46、ndatory” for elements whose required level is “Mandatory” in the definition of CAdES, and those necessary for the generation and validation of long term signatures. The elements whose required level is “Optional” in the definition of CAdES are defined as “Mandatory”, “Optional” or “Conditional”. b)
47、The required level shall be “Conditional” for externally defined elements. EXAMPLE 1 OtherCertificateFormat. c) The required level shall be “Conditional” for elements intended to interact with a certain application. EXAMPLE 2 ContentReference. d) The required level shall be “Conditional” for element
48、s with an operation-dependent factor. EXAMPLE 3 Attribute certificate; time mark. NOTE The archiving-type timestamp defined in ISO/IEC 18014-2 is included in “Time mark or other method.” ISO 2014 All rights reserved 5 ISO 14533-1:2014(E) e) The required level shall be “optional” for elements only co
49、ntaining reference information. 6.4 Action to take when an optional element is not implemented The following action shall be taken when the CAdES data used in a validation transaction contains an unimplemented element. a) When the required level of an upper-level element is mandatory and one or more subordinate optional elements shall be selected, or one or more relevant optional elements shall be selected, the validator shall be cautioned that validation requires implementation of said element(s); otherwise,
