1、 ISO 2012 Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES) Processus, lments dinformations et documents dans le commerce, lindustrie et ladministration Prof
2、ils de signature long terme Partie 2: Profils de signature long terme pour les signatures lectroniques avances XML (XAdES) INTERNATIONAL STANDARD ISO 14533-2 First edition 2012-09-15 Reference number ISO 14533-2:2012(E) ISO 14533-2:2012(E) ii ISO 2012 All rights reserved COPYRIGHT PROTECTED DOCUMENT
3、 ISO 2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in
4、the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ISO 14533-2:2012(E) ISO 2012 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope 1 2
5、 Normative references . 1 3 Terms and definitions . 1 4 Symbols . 2 5 Requirements . 2 6 Long term signature profiles 2 6.1 Defined profiles 2 6.2 Representation of the required level 3 6.3 Standard for setting the required level 3 6.4 Action to take when an optional element is not implemented 4 6.5
6、 XAdES-T profile . 4 6.6 XAdES-A profile . 6 6.7 Timestamp validation data 8 Annex A (normative) Suppliers declaration of conformity and its attachment 9 Annex B (normative) Structure of timestamp token .14 Bibliography .16 ISO 14533-2:2012(E) Foreword ISO (the International Organization for Standar
7、dization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to
8、 be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Stan
9、dards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an Int
10、ernational Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 14533
11、-2 was prepared by Technical Committee ISO/TC 154, Processes, data elements and documents in commerce, industry and administration. ISO 14533 consists of the following parts, under the general title Processes, data elements and documents in commerce, industry and administration Long term signature p
12、rofiles: Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES) Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES) iv ISO 2012 All rights reserved ISO 14533-2:2012(E) Introduction The purpose of this part of ISO 14533 is to ensure the int
13、eroperability of implementations with respect to long term signatures that make electronic signatures verifiable for a long term. Long term signature specifications referenced by each implementation cover XML Advanced Electronic Signatures (XAdES) developed by the European Telecommunications Standar
14、ds Institute (ETSI). ISO 2012 All rights reserved v Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES) 1 Scope This part of ISO 14533 specifies the elements,
15、among those defined in XML Advanced Electronic Signatures (XAdES), that enable verification of a digital signature over a long period of time. It does not give new technical specifications about the digital signature itself, nor new restrictions of usage of the technical specifications about the dig
16、ital signatures which has already existed. NOTE XML Advanced Electronic Signatures (XAdES) is the extended specification of XML-Signature Syntax and Processing, used widely. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated re
17、ferences, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 14533-1, Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 1: Long term signature pr
18、ofiles for CMS Advanced Electronic Signatures (CAdES) ETSI TS 101 903 v1.4.1 (2009-06), XML Advanced Electronic Signatures (XAdES) 1) 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO 14533-1 and the following apply. 3.1 XML signature signature syntax
19、and processing for a given message NOTE XML signature is defined in XML-Signature Syntax and Processing, W3C Recommendation, 12 February 2002. 3.2 XML advanced electronic signature XAdES generic term for XML advanced electronic signatures defined in ETSI TS 101 903 for which the signer can be identi
20、fied and any illegal data alteration detected 3.3 XAdES with time XAdES-T XML advanced electronic signature defined in ETSI TS 101 903 with information to ascertain SigningTime (e.g. signature timestamp) 1) Available from http:/pda.etsi.org/pda/queryform.asp. INTERNATIONAL STANDARD ISO 14533-2:2012(
21、E) ISO 2012 All rights reserved 1 ISO 14533-2:2012(E) 3.4 archival XAdES XAdES-A XML advanced electronic signature defined in ETSI TS 101 903 with information to enable the detection of any illegal alterations of information pertaining to the signature, including the subject of the signature and val
22、idation data (e.g. archive timestamp) 3.5 signature element element that serves as a route for the XML signature. There may be two or more signature elements for one subject of a signature 4 Symbols The following symbols are used for the “required level”. C Conditional M Mandatory O Optional 5 Requi
23、rements 5.1 The generation or validation of XAdES-T data conforms to this part of ISO 14533 provided that the following requirements are met: a) all processing of elements whose required level is “Mandatory” in the XAdES-T profile, as specified in this part of ISO 14533, shall be included; b) detail
24、ed specifications pertaining to the processing of any element whose required level is “Conditional” in the XAdES-T profile, as specified in this part of ISO 14533, shall be provided. 5.2 The generation or validation of XAdES-A data conforms to this part of ISO 14533 provided that the following requi
25、rements are met: a) all processing of elements whose required level is “Mandatory” in the XAdES-A profile, as specified in this part of ISO 14533, shall be included; b) detailed specifications pertaining to the processing of any element whose required level is “Conditional” in the XAdES-A profile, a
26、s specified in this part of ISO 14533, shall be provided. 5.3 When first-party conformity assessment is used, the implementer shall make a declaration of conformity to this part of ISO 14533 by disclosing the suppliers declaration of compliance and its attachment (see Annex A) containing a descripti
27、on of implementation status (and the specifications for any elements “Conditional”). NOTE Figure 1 shows the positioning of the generation and validation of XAdES-T data and XAdES-A data. 6 Long term signature profiles 6.1 Defined profiles In order to make electronic signatures verifiable for a long
28、 term, signing time shall be identifiable, any illegal alterations of information pertaining to signatures, including the subject of information and validation data, shall be detectable, and interoperability ensured. To meet these requirements, this part of ISO 14533 defines the following two profil
29、es with respect to XAdES: a) XAdES-T profile: a profile pertaining to the generation and validation of XAdES-T data; 2 ISO 2012 All rights reserved ISO 14533-2:2012(E) b) XAdES-A profile: a profile pertaining to the generation and validation of XAdES-A data. Figure 1 shows the relation between XAdES
30、-T data and XAdES-A data. Generate XAdES-A data Generate XAdES-T data Verify XAdES-T data Verify XAdES-A data XAdES-T data Data Archive Timestamp (Distribution) (Archiving) XAdES-A data Figure 1 Relation between XAdES-T data and XAdES-A data 6.2 Representation of the required level This part of ISO
31、14533 defines the following representation methods for the required level (as a profile) of each element constituting XAdES-T data and XAdES-A data. a) Mandatory (M) Elements whose required level is “Mandatory” shall be implemented without fail. If such an element has optional subelements, at least
32、one subelement shall be selected. Any element whose required level is “Mandatory” and is one of the subelements of an optional element shall be selected whenever the optional element is selected. b) Optional (O) Elements whose required level is “Optional” may be implemented at the discretion of the
33、implementer. c) Conditional (c) Elements whose required level is “Conditional” may be implemented at the discretion of the implementer, provided that detailed specifications for the processing thereof are provided separately. 6.3 Standard for setting the required level The required level of each ele
34、ment constituting XAdES-T data and XAdES-A data shall be set in accordance with the following requirements. a) The required level shall be “Mandatory” for elements whose required level is “Mandatory” in the definition of XAdES, and those necessary for the generation and validation of long term signa
35、tures. The elements whose required level is “Optional” in the definition of XAdES are defined as “Mandatory”, “Optional” or “Conditional”. b) The required level shall be “Conditional” for externally defined elements. EXAMPLE OtherCertificateFormat. c) The required level shall be “Conditional” for el
36、ements intended to interact with a certain application. EXAMPLE DataObjectFormat. d) The required level shall be “Conditional” for elements with an operation-dependent factor. EXAMPLES Attribute certificate; time mark. NOTE The archiving-type timestamp defined in ISO/IEC 18014-2 is included in “Time
37、 mark or other method.” e) The required level shall be “optional” for elements only containing reference information. ISO 2012 All rights reserved 3 ISO 14533-2:2012(E) 6.4 Action to take when an optional element is not implemented The following action shall be taken when the XAdES data used in a va
38、lidation transaction contains an unimplemented element. a) When the required level of an upper-level element is mandatory and one or more subordinate optional elements shall be selected, or one or more relevant optional elements shall be selected, the validator shall be cautioned that validation req
39、uires implementation of said element(s); otherwise, validation cannot be performed. EXAMPLE In a validation transaction, a BasicOCSPResponse element is detected where only the processing of CertificateList elements, among all other optional elements in RevocationValues, is implemented. b) When Count
40、erSignature is an unimplemented element, the validator shall be cautioned that validation requires implementation of said element; otherwise, validation cannot be performed. c) Optional elements other than those specified above may be ignored for implementation. 6.5 XAdES-T profile 6.5.1 General The
41、 required levels of constituent elements of XAdES-T data are specified in 6.5.2 and 6.5.3. 6.5.2 Signature element Table 1 specifies the required level of each constituent element of XML signature. The required level shall be “Conditional” for any elements not listed in Table 1. Table 1 Signature el
42、ement Element or attribute a Required level ETSI TS 101 903 v1.4.1 Reference Id attribute M b 4.4 ds:SignedInfo M 4.4ds:CanonicalizationMethod M 4.4ds:SignatureMethod M 4.4ds:Reference M 4.4ds:Transforms O 4.4ds:DigestMethod M 4.4ds:DigestValue M 4.4 ds:SignatureValue M 4.4 ds:KeyInfo O c 4.4 ds:Obj
43、ect M 4.4 aThe prefix “ds” corresponds to the XML signature namespace. b“Optional” in an XML signature, but “Mandatory” in ETSI TS 101 903. cEither ds:KeyInfo or SigningCertificate (Table 3) is required. If ds:KeyInfo is selected (Mandatory in ETSI TS 101 903 v1.1.1), an X.509 data element defined i
44、n the XML signature shall be included as a subelement. 4 ISO 2012 All rights reserved ISO 14533-2:2012(E) 6.5.3 Object element, SignedProperties element, UnsignedProperties element Tables 2, 3 and 4 specify the required levels of elements that constitute signed properties and unsigned properties. Th
45、e required level shall be “Conditional” for any signed and unsigned property elements not listed in Tables 2, 3 and 4. NOTE Unsigned property elements not listed in Tables 2, 3 and 4 include, but are not limited to, CompleteCertificateReferences and CompleteRevocationReferences set forth in Table 5.
46、 XAdES-T data to which CompleteCertificateReferences and CompleteRevocationReferences are added can be made compliant with the XAdES-T profile by separately providing for the processing of these elements. Table 2 Object element Element Required level Condition ETSI TS 101 903 v1.4.1 Reference Qualif
47、yingProperties M The Id attribute value of the signature element shall be entered in the target attribute. 6.2SignedProperties M 6.2.1UnsignedProperties O 6.2.2 QualifyingPropertiesReference C 6.3.2 Table 3 SignedProperties element Element Required level ETSI TS 101 903 v1.4.1 Reference SignedSignat
48、ureProperties M 6.2.3SigningTime O a 7.2.1SigningCertificate O a,b 7.2.2SignaturePolicyIdentifier C 7.2.3SignatureProductionPlace C 7.2.7SignerRole C 7.2.8 SignedDataObjectProperties C 6.2.4DataObjectFormat C 7.2.5CommitmentTypeIndication C 7.2.6AllDataObjectsTimeStamp C 7.2.9IndividualDataObjectsTi
49、meStamp C 7.2.10 aMandatory in ETSI TS 101 903 v1.1.1. bEither SigningCertificate or ds:KeyInfo (Table 1) is required. Table 4 UnsignedProperties element Element Required level ETSI TS 101 903 v1.4.1 Reference UnsignedSignatureProperties M 6.2.5CounterSignature O 7.2.4Trusted time M 7.3SignatureTimeStamp O 7.3Time mark or other method C 7.3 UnsignedDataObjectProperties C 6.2.6 ISO 2012 All rights reserved 5 ISO 14533-2:2012(E) 6.6 XAdES-A profile 6.6.1 General The required levels of constituent
