Network Working Group                                          D. Pinkas
Request for Comments: 5126                                      Bull SAS
Obsoletes: 3126                                                  N. Pope
Category: Informational                                 Thales eSecurity
                                                                 J. Ross
                                                  Security and Standards
                                                           February 2008

CMS Advanced Electronic Signatures (CAdES)

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract
This document defines the format of an electronic signature that can remain valid over long periods. This includes evidence as to its validity even if the signer or verifying party later attempts to deny (i.e., repudiates) the validity of the signature.

The format can be considered as an extension to RFC 3852 and RFC 2634, where, when appropriate, additional signed and unsigned attributes have been defined.

The contents of this Informational RFC amount to a transposition of the ETSI Technical Specification (TS) 101 733 V.1.7.4 (CMS Advanced Electronic Signatures -- CAdES) and are technically equivalent to it.

The technical contents of this specification are maintained by ETSI. The ETSI TS and further updates are available free of charge at: http://www.etsi.org/WebSite/Standards/StandardsDownload.aspx
Table of Contents
1. Introduction
2. Scope
3. Definitions and Abbreviations
   3.1. Definitions
   3.2. Abbreviations
4. Overview
   4.1. Major Parties
   4.2. Signature Policies
   4.3. Electronic Signature Formats
        4.3.1. CAdES Basic Electronic Signature (CAdES-BES)
        4.3.2. CAdES Explicit Policy-based Electronic Signatures (CAdES-EPES)
   4.4. Electronic Signature Formats with Validation Data
        4.4.1. Electronic Signature with Time (CAdES-T)
        4.4.2. ES with Complete Validation Data References (CAdES-C)
        4.4.3. Extended Electronic Signature Formats
               4.4.3.1. EXtended Long Electronic Signature (CAdES-X Long)
               4.4.3.2. EXtended Electronic Signature with Time Type 1
               4.4.3.3. EXtended Electronic Signature with Time Type 2
               4.4.3.4. EXtended Long Electronic Signature with Time (CAdES-X Long
        4.4.4. Archival Electronic Signature (CAdES-A)
   4.5. Arbitration
   4.6. Validation Process
5. Electronic Signature Attributes
   5.1. General Syntax
   5.2. Data Content Type
   5.3. Signed-data Content Type
   5.4. SignedData Type
   5.5. EncapsulatedContentInfo Type
   5.6. SignerInfo Type
        5.6.1. Message Digest Calculation Process
        5.6.2. Message Signature Generation Process
        5.6.3. Message Signature Verification Process
   5.7. Basic ES Mandatory Present Attributes
        5.7.1. content-type
        5.7.2. Message Digest
        5.7.3. Signing Certificate Reference Attributes
               5.7.3.1. ESS signing-certificate Attribute Definition
               5.7.3.2. ESS signing-certificate-v2 Attribute Definition
               5.7.3.3. Other signing-certificate Attribute Definition
   5.8. Additional Mandatory Attributes for Explicit Policy-based Electronic Signatures
        5.8.1. signature-policy-identifier
   5.9. CMS Imported Optional Attributes
        5.9.1. signing-time
        5.9.2. countersignature
   5.10. ESS-Imported Optional Attributes
         5.10.1. content-reference Attribute
         5.10.2. content-identifier Attribute
         5.10.3. content-hints Attribute
   5.11. Additional Optional Attributes Defined in the Present Document
         5.11.1. commitment-type-indication Attribute
         5.11.2. signer-location Attribute
         5.11.3. signer-attributes Attribute
         5.11.4. content-time-stamp Attribute
   5.12. Support for Multiple Signatures
         5.12.1. Independent Signatures
         5.12.2. Embedded Signatures
6. Additional Electronic Signature Validation Attributes
   6.1. signature time-stamp Attribute (CAdES-T)
        6.1.1. signature-time-stamp Attribute Definition
   6.2. Complete Validation Data References (CAdES-C)
        6.2.1. complete-certificate-references Attribute Definition
        6.2.2. complete-revocation-references Attribute Definition
        6.2.3. attribute-certificate-references Attribute Definition
        6.2.4. attribute-revocation-references Attribute Definition
   6.3. Extended Validation Data (CAdES-X)
        6.3.1. Time-Stamped Validation Data (CAdES-X Type 1 or Type 2)
        6.3.2. Long Validation Data (CAdES-X Long, CAdES-X Long Type 1 or 2)
        6.3.3. certificate-values Attribute Definition
        6.3.4. revocation-values Attribute Definition
        6.3.5. CAdES-C-time-stamp Attribute Definition
        6.3.6. time-stamped-certs-crls-references Attribute Definition
   6.4. Archive Validation Data
        6.4.1. archive-time-stamp Attribute Definition
7. Other Standard Data Structures
   7.1. Public Key Certificate Format
   7.2. Certificate Revocation List Format
   7.3. OCSP Response Format
   7.4. Time-Stamp Token Format
   7.5. Name and Attribute Formats
   7.6. AttributeCertificate
8. Conformance Requirements
   8.1. CAdES-Basic Electronic Signature (CAdES-BES)
   8.2. CAdES-Explicit Policy-based Electronic Signature
   8.3. Verification Using Time-Stamping
   8.4. Verification Using Secure Records
9. References
   9.1. Normative References
   9.2. Informative References
Annex A (normative): ASN.1 Definitions
   A.1. Signature Format Definitions Using X.208 ASN.1 Syntax
   A.2. Signature Format Definitions Using X.680 ASN.1 Syntax
Annex B (informative): Extended Forms of Electronic Signatures
   B.1. Extended Forms of Validation Data
        B.1.1. CAdES-X Long
        B.1.2. CAdES-X Type 1
        B.1.3. CAdES-X Type 2
        B.1.4. CAdES-X Long Type 1 and CAdES-X Long Type 2
   B.2. Time-Stamp Extensions
   B.3. Archive Validation Data (CAdES-A)
   B.4. Example Validation Sequence
   B.5. Additional Optional Features
Annex C (informative): General Description
   C.1. The Signature Policy
   C.2. Signed Information
   C.3. Components of an Electronic Signature
        C.3.1. Reference to the Signature Policy
        C.3.2. Commitment Type Indication
        C.3.3. Certificate Identifier from the Signer
        C.3.4. Role Attributes
               C.3.4.1. Claimed Role
               C.3.4.2. Certified Role
        C.3.5. Signer Location
        C.3.6. Signing Time
        C.3.7. Content Format
        C.3.8. content-hints
        C.3.9. Content Cross-Referencing
   C.4. Components of Validation Data
        C.4.1. Revocation Status Information
               C.4.1.1. CRL Information
               C.4.1.2. OCSP Information
        C.4.2. Certification Path
        C.4.3. Time-stamping for Long Life of Signatures
        C.4.4. Time-stamping for Long Life of Signature before CA key Compromises
               C.4.4.1. Time-stamping the ES with Complete Validation Data
               C.4.4.2. Time-Stamping Certificates and Revocation Information References
        C.4.5. Time-stamping for Archive of Signature
        C.4.6. Reference to Additional Data
        C.4.7. Time-Stamping for Mutual Recognition
        C.4.8. TSA Key Compromise
   C.5. Multiple Signatures
Annex D (informative): Data Protocols to Interoperate with TSPs
   D.1. Operational Protocols
        D.1.1. Certificate Retrieval
        D.1.2. CRL Retrieval
        D.1.3. Online Certificate Status
        D.1.4. Time-Stamping
   D.2. Management Protocols
        D.2.1. Request for Certificate Revocation
Annex E (informative): Security Considerations
   E.1. Protection of Private Key
   E.2. Choice of Algorithms
Annex F (informative): Example Structured Contents and MIME
   F.1. General Description
        F.1.1. Header Information
        F.1.2. Content Encoding
        F.1.3. Multi-Part Content
   F.2. S/MIME
        F.2.1. Using application/pkcs7-mime
        F.2.2. Using application/pkcs7-signature
Annex G (informative): Relationship to the European Directive and EESSI
   G.1. Introduction
   G.2. Electronic Signatures and the Directive
   G.3. ETSI Electronic Signature Formats and the Directive
   G.4. EESSI Standards and Classes of Electronic Signature
        G.4.1. Structure of EESSI Standardization
        G.4.2. Classes of Electronic Signatures
        G.4.3. Electronic Signature Classes and the ETSI Electronic Signature Format
Annex H (informative): APIs for the Generation and Verification of Electronic Signatures Tokens
   H.1. Data Framing
   H.2. IDUP-GSS-APIs Defined by the IETF
   H.3. CORBA Security Interfaces Defined by the OMG
Annex I (informative): Cryptographic Algorithms
   I.1. Digest Algorithms
        I.1.1. SHA-1
        I.1.2. General
   I.2. Digital Signature Algorithms
        I.2.1. DSA
        I.2.2. RSA
        I.2.3. General
Annex J (informative): Guidance on Naming
   J.1. Allocation of Names
   J.2. Providing Access to Registration Information
   J.3. Naming Schemes
        J.3.1. Naming Schemes for Individual Citizens
        J.3.2. Naming Schemes for Employees of an Organization

1. Introduction
This document is intended to cover electronic signatures for various types of transactions, including business transactions (e.g., purchase requisition, contract, and invoice applications) where long-term validity of such signatures is important. This includes evidence as to its validity even if the signer or verifying party later attempts to deny (i.e., repudiates; see ISO/IEC 10181-5 [ISO10181-5]) the validity of the signature.

Thus, the present document can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc. The present document is independent of any environment; it can be applied to any environment, e.g., smart cards, Global System for Mobile Communication Subscriber Identity Module (GSM SIM) cards, special programs for electronic signatures, etc.

The European Directive on a community framework for Electronic Signatures defines an electronic signature as: "Data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication".

An electronic signature, as used in the present document, is a form of advanced electronic signature, as defined in the Directive.

2. Scope
The scope of the present document covers electronic signature formats only. The aspects of Electronic Signature Policies are defined in RFC 3125 [RFC3125] and ETSI TR 102 272 [TR102272].

The present document defines a number of electronic signature formats, including electronic signatures that can remain valid over long periods. This includes evidence as to its validity even if the signer or verifying party later attempts to deny (repudiates) the validity of the electronic signature.

The present document specifies use of Trusted Service Providers (e.g., Time-Stamping Authorities) and the data that needs to be archived (e.g., cross-certificates and revocation lists) to meet the requirements of long-term electronic signatures.

An electronic signature, as defined by the present document, can be used for arbitration in case of a dispute between the signer and verifier, which may occur at some later time, even years later.

The present document includes the concept of signature policies that can be used to establish technical consistency when validating electronic signatures, but it does not mandate their use.

The present document is based on the use of public key cryptography to produce digital signatures, supported by public key certificates. The present document also specifies the use of time-stamping and time-marking services to prove the validity of a signature long after the normal lifetime of critical elements of an electronic signature. This document also, as an option, defines ways to provide very long-term protection against key compromise or weakened algorithms.

The present document builds on existing standards that are widely adopted. These include:

- RFC 3852 [4]: "Cryptographic Message Syntax (CMS)";

- ISO/IEC 9594-8/ITU-T Recommendation X.509 [1]: "Information technology - Open Systems Interconnection - The Directory: Authentication framework";

- RFC 3280 [2]: "Internet X.509 Public Key Infrastructure (PKIX) Certificate and Certificate Revocation List (CRL) Profile";

- RFC 3161 [7]: "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)".

NOTE: See Section 11 for a full set of references.

The present document describes formats for advanced electronic signatures using ASN.1 (Abstract Syntax Notation 1) [14]. ASN.1 is encoded using X.690 [16].

These formats are based on CMS (Cryptographic Message Syntax) defined in RFC 3852 [4]. These electronic signatures are thus called CAdES, for "CMS Advanced Electronic Signatures".
Another document, TS 101 903 [TS101903], describes formats for XML advanced electronic signatures (XAdES) built on XMLDSIG as specified in [XMLDSIG].

In addition, the present document identifies other documents that define formats for Public Key Certificates, Attribute Certificates, and Certificate Revocation Lists and supporting protocols, including protocols for use by trusted third parties to support the operation of electronic signature creation and validation.

Informative annexes include:

- illustrations of extended forms of Electronic Signature formats that protect against various vulnerabilities and examples of validation processes (Annex B);

- descriptions and explanations of some of the concepts used in the present document, giving a rationale for normative parts of the present document (Annex C);

- information on protocols to interoperate with Trusted Service Providers (Annex D);

- guidance on naming (Annex E);

- an example structured content and MIME (Annex F);

- the relationship between the present document and the directive on electronic signature and associated standardization initiatives (Annex G);

- APIs to support the generation and verification of electronic signatures (Annex H);

- cryptographic algorithms that may be used (Annex I); and

- naming schemes (see Annex J).

3. Definitions and Abbreviations
3.1. Definitions
For the purposes of the present document, the following terms and definitions apply:

Arbitrator: an arbitrator entity may be used to arbitrate a dispute between a signer and verifier when there is a disagreement on the validity of a digital signature.

Attribute Authority (AA): an authority that assigns privileges by issuing attribute certificates.

Authority Certificate: a certificate issued to an authority (e.g., either to a certification authority or an attribute authority).

Attribute Authority Revocation List (AARL): a revocation list containing a list of references to certificates issued to AAs that are no longer considered valid by the issuing authority.

Attribute Certificate Revocation List (ACRL): a revocation list containing a list of references to attribute certificates that are no longer considered valid by the issuing authority.

Certification Authority Revocation List (CARL): a revocation list containing a list of public key certificates issued to certification authorities that are no longer considered valid by the certificate issuer.

Certification Authority (CA): an authority trusted by one or more users to create and assign public key certificates; optionally, the certification authority may create the users' keys.

   NOTE: See ITU-T Recommendation X.509 [1].

Certificate Revocation List (CRL): a signed list indicating a set of public key certificates that are no longer considered valid by the certificate issuer.

Digital Signature: data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g., by the recipient.

   NOTE: See ISO 7498-2 [ISO7498-2].

Electronic Signature: data in electronic form that is attached to or logically associated with other electronic data and that serves as a method of authentication.

   NOTE: See Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures [EUDirective].

Extended Electronic Signatures: electronic signatures enhanced by complementing the baseline requirements with additional data, such as time-stamp tokens and certificate revocation data, to address commonly recognized threats.

Explicit Policy-based Electronic Signature (EPES): an electronic signature where the signature policy that shall be used to validate it is explicitly specified.

Grace Period: a time period that permits the certificate revocation information to propagate through the revocation process to relying parties.

Initial Verification: a process performed by a verifier done after an electronic signature is generated in order to capture additional information that could make it valid for long-term verification.

Public Key Certificate (PKC): public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority that issued it.

   NOTE: See ITU-T Recommendation X.509 [1].

Rivest-Shamir-Adleman (RSA): an asymmetric cryptography algorithm based on the difficulty to factor very large numbers using a key pair: a private key and a public key.

Signature Policy: a set of rules for the creation and validation of an electronic signature that defines the technical and procedural requirements for electronic signature creation and validation, in order to meet a particular business need, and under which the signature can be determined to be valid.

Signature Policy Issuer: an entity that defines and issues a signature policy.

Signature Validation Policy: part of the signature policy that specifies the technical requirements on the signer in creating a signature and verifier when validating a signature.

Signer: an entity that creates an electronic signature.

Subsequent Verification: a process performed by a verifier to assess the signature validity.

   NOTE: Subsequent verification may be done even years after the electronic signature was produced by the signer and completed by the initial verification, and it might not need to capture more data than those captured at the time of initial verification.

Time-Stamp Token: a data object that binds a representation of a datum to a particular time, thus establishing evidence that the datum existed before that time.

Time-Mark: information in an audit trail from a Trusted Service Provider that binds a representation of a datum to a particular time, thus establishing evidence that the datum existed before that time.

Time-Marking Authority: a trusted third party that creates records in an audit trail in order to indicate that a datum existed before a particular point in time.

Time-Stamping Authority (TSA): a trusted third party that creates time-stamp tokens in order to indicate that a datum existed at a particular point in time.

Time-Stamping Unit (TSU): a set of hardware and software that is managed as a unit and has a single time-stamp token signing key active at a time.

Trusted Service Provider (TSP): an entity that helps to build trust relationships by making available or providing some information upon request.

Validation Data: additional data that may be used by a verifier of electronic signatures to determine that the signature is valid.

Valid Electronic Signature: an electronic signature that passes validation.

Verifier: an entity that verifies evidence.

   NOTE 1: See ISO/IEC 13888-1 [ISO13888-1].

   NOTE 2: Within the context of the present document, this is an entity that validates an electronic signature.

3.2. Abbreviations
For the purposes of the present document, the following abbreviations apply:

   AA            Attribute Authority
   AARL          Attribute Authority Revocation List
   ACRL          Attribute Certificate Revocation List
   API           Application Program Interface
   ASCII         American Standard Code for Information Interchange
   ASN.1         Abstract Syntax Notation 1
   CA            Certification Authority
   CAD           Card Accepting Device
   CAdES         CMS Advanced Electronic Signature
   CAdES-A       CAdES with Archive validation data
   CAdES-BES     CAdES Basic Electronic Signature
   CAdES-C       CAdES with Complete validation data
   CAdES-EPES    CAdES Explicit Policy Electronic Signature
   CAdES-T       CAdES with Time
   CAdES-X       CAdES with eXtended validation data
   CAdES-X Long  CAdES with EXtended Long validation data
   CARL          Certification Authority Revocation List
   CMS           Cryptographic Message Syntax
   CRL           Certificate Revocation List
   CWA           CEN (European Committee for Standardization) Workshop Agreement
   DER           Distinguished Encoding Rules (for ASN.1)
   DSA           Digital Signature Algorithm
   EDIFACT       Electronic Data Interchange For Administration, Commerce and Transport
   EESSI         European Electronic Signature Standardization Initiative
   EPES          Explicit Policy-based Electronic Signature
   ES            Electronic Signature
   ESS           Enhanced Security Services (enhances CMS)
   IDL           Interface Definition Language
   MIME          Multipurpose Internet Mail Extensions
   OCSP          Online Certificate Status Provider
   OID           Object IDentifier
   PKC           Public Key Certificate
   PKIX          Public Key Infrastructure using X.509 (IETF Working Group)
   RSA           Rivest-Shamir-Adleman
   SHA-1         Secure Hash Algorithm 1
   TSA           Time-Stamping Authority
   TSP           Trusted Service Provider
   TST           Time-Stamp Token
   TSU           Time-Stamping Unit
   URI           Uniform Resource Identifier
   URL           Uniform Resource Locator
   XML           Extensible Markup Language
   XMLDSIG       XML Digital Signature