XML Advanced Electronic Signatures (XAdES)

1 Introduction

1.1 Overview

Electronic commerce is emerging as the future way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect the electronic signature is an important security component that can be used to protect information and provide trust in electronic business.

The European Directive [EU-DIR-ESIG] defines an electronic signature as: "data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication".

The present document is intended to cover electronic signatures for various types of transactions, including business transactions (e.g. purchase requisition, contract, and invoice applications). Thus the present document can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc.

An electronic signature produced in accordance with the present document provides evidence that can be processed to get confidence that some commitment has been explicitly endorsed under a signature policy, at a given time, by a signer under an identifier, e.g. a name or a pseudonym, and optionally a role. The signature policy specifies the technical and procedural requirements on signature creation and validation in order to meet a particular business need. A given legal/contractual context may recognize a particular signature policy as meeting its requirements. For example, a specific signature policy may be recognized by court of law as meeting the requirements of the European Directive for electronic commerce.

The ETSI standard TS 101 733 [ESI] defines formats for advanced electronic signatures that remain valid over long periods, are compliant with the European Directive [EU-DIR-ESIG] and incorporate additional useful information in common use cases (like indication of the commitment got by the signature production). Currently, it uses Abstract Syntax Notation 1 (ASN.1) and is based on the structure defined in RFC 2630 [CMS] (in the present document the signatures aligned with this RFC will be denoted as [CMS] signatures).

TS 101 733 [ESI]:

Defines new ASN.1 types able to contain information for qualifying the [CMS] signatures so that they fulfil the aforementioned requirements.
Specifies how this qualifying information must be incorporated to the [CMS] signatures.

Currently, the IETF W3C XML-Signature Working Group has developed a syntax for XML signatures: "XML-Signature Syntax and Processing"[XMLDSIG]. This syntax provides a basic functionality for digitally signing several data objects at the same time. It also provides basic means to incorporate any kind of needed qualifying information.

The present document defines XML formats for advanced electronic signatures that remain valid over long periods, are compliant with the European Directive [EU-DIR-ESIG] and incorporate additional useful information in common uses cases, by:

Proposing XML schema [XML-schema-part-1][XML-schema-part-2] definitions for new XML types able to contain the information needed to fulfil the requirement of long term validity and those ones imposed by current use cases and the European Directive [EU-DIR-ESIG].
Specifying the mechanisms used to produce the aforementioned addition of this qualifying information.

The present document specifies two main types of properties: signed properties and unsigned properties. The first ones are additional data objects that are also secured by the signature produced by the signer on the ds:SignedInfo element, which implies that the signer has these data objects, computes a hash for all of them and generates the corresponding ds:Reference element. The unsigned properties are data objects added by the signer, by the verifier or by other parties after the production of the signature. They are not secured by the signature in the ds:Signature element (the one computed by the signer); however they can be actually signed by other parties (time-stamps, countersignatures, certificates and CRLs are also signed data objects).

1.2 Definitions of Terms

The following terms are used within this document with the particular meaning indicated below:

1.3 Editorial Conventions

Throughouht the rest of the present document, the terms "qualifying information", "properties" or "qualifying properties" will be used to refer to the information added to the [XMLDSIG] to get a XML Advanced Electronic Signature as specified in this document.

For the present document the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in RFC2119 [Keywords]:

2 XML Advanced Electronic Signature Data Structures

The present document defines different forms of electronic signatures, each one satisfying requirements that will be shown in the corresponding clauses.

The current clause presents the first three forms: the XML Advanced Electronic Signature (XAdES), the XAdES with Time-Stamp (XAdES-T) and the XAdES with Complete VALIDATION DATA (XAdES-C). Clause 2.2 Extended forms of validation data introduces extended forms to the XAdES (XAdES-X and XAdES-X-L) to meet additional requirements. Finally, clause 2.3 Archive validation data presents the format for archiving signatures in a way that they are protected if the cryptographic data become weak (XAdES-A).

The first three forms are the following ones:

The XML Advanced Electronic Signature (XAdES). Its format is the one defined in [XMLDSIG] with the addition of signed properties (SigningTime, SigningCertificate, SignaturePolicyIdentifier, SignatureProductionPlace, SignerRole, AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp, DataObjectFormat and CommitmentTypeIndication) and unsigned properties (CounterSignature)
The XML Advanced Electronic Signature with Time-Stamp (XAdES-T), which adds a time-stamp to the XAdES, to take initial steps towards providing long term validity. This form or a time record should be created close to the time that the XAdES was produced to provide protection against repudiation.
The XML Advanced Electronic Signature with Complete validation data (XAdES -C), which adds to the XAdES-T the references to the set of data supporting the validity of the electronic signatur (i.e. the remaining references to the certification path and its associated revocation status information). Note that this does not contain the actual data of the certification path and its associated revocation status information, which is far more voluminous.

The XAdES satisfies the legal requirements for advanced electronic signatures as defined in the European Directive [EU-DIR-ESIG] on electronic signatures. It provides basic authentication and integrity protection and can be created without accessing on-line (time-stamping) services. However, without the addition of a time-stamp or a secure time record the electronic signature does not protect against the threat that the signer later denies having created the electronic signature (i.e. does not provide non-repudiation of its existence).

The XAdES-T timestamp should be created close to the time that XAdES was created to provide protection against repudiation. At this time all the data needed to complete the validation may not be available but what information is readily available may be used to carry out some of the initial checks. For example, only part of the revocation information may be available for verification at that point in time.

Support for XAdES-C by the verifier is mandated as soon as there is a need for a subsequent verification.

The signer shall provide at least the XAdES form, but in some cases maydecide to provide the XAdES-T form and in the extreme case could provide the XAdES-C form. If the signer does not provide XAdES-T, the verifier shall either create the XAdES-T on first receipt of an electronic signature or shall keep a secure record of the current time with the XAdES. Either of these two approaches provide independent evidence of the existence of the signature at the time it was first verified which should be near the time it was created, and so protects against later repudiation of the existence of the signature. If the signer does not provide XAdES-C the verifier shall create the XAdES-C when the complete set of revocation and other validation data is available. Generally, the XAdES-C form cannot be created at the same time as the XAdES, as it is necessary to allow time for any revocation information to be captured. Also, if a certificate is found to be temporarily suspended, it will be necessary to wait until the end of the suspension period.

The signer should only create the XAdES-C in situations where it was prepared to wait for a sufficient length of time after creating the XAdES form before dispatching the XAdES-C. This, however, has the advantage that the verifier can be presented with the complete set of data supporting the validity of the XAdES.

An XML Advanced Electronic Signature XAdES is illustrated in figure 1.

Figure 1. Illustration of a XAdES

Below follows the structure of the XAdES built by direct incorporation ofthe qualifying information in the corresponding new XML elements to the [XMLDSIG] (see clause 4.3 Incorporating qualifying properties into an XMLsignature for further details). In the example "?" denotes zero or one occurrence; "+" denotes one or more occurrences; and "*" denotes zero or more occurrences.

The XML schema definition in clause 5 Qualifying properties syntax defines the prefix "ds" for all the XML elements already defined in [XMLDSIG], and states that the default namespace is the one defined for the present document. In consequence, in the examples of this clause, the elements already defined in [XMLDSIG] appear with the prefix "ds", whereas the new XML elements defined in the present document appear without prefix.

                              XMLDSIG 
                                   |
<ds:Signature ID?>- - - - - - - - -+- - - - -+
  <ds:SignedInfo>                  |         |
    <ds:CanonicalizationMethod/>   |         |
    <ds:SignatureMethod/>          |         |
    (<ds:Reference URI? >          |         |
      (<ds:Transforms>)?           |         |
      <ds:DigestMethod>            |         |
      <ds:DigestValue>             |         |
    </ds:Reference>)+              |         |
  </ds:SignedInfo>                 |         |
  <ds:SignatureValue>              |         |
  (<ds:KeyInfo>)?- - - - - - - - - +         |
                                             |
  <ds:Object>                                |
                                             |
    <QualifyingProperties>                   |
                                             |
      <SignedProperties>                     |
                                             |
        <SignedSignatureProperties>          |
          (SigningTime)                      |
          (SigningCertificate)               |
          (SignaturePolicyIdentifier)        |
          (SignatureProductionPlace)?        |
          (SignerRole)?                      |
        </SignedSignatureProperties>         |
                                             |
        <SignedDataObjectProperties>         |
          (DataObjectFormat)*                |
          (CommitmentTypeIndication)*        |
          (AllDataObjectsTimeStamp)*         |
          (IndividualDataObjectsTimeStamp)*  |
        </SignedDataObjectProperties>        |
                                             |
      </SignedProperties>                    |
                                             |
      <UnsignedProperties>                   |
                                             |
        <UnsignedSignatureProperties>        |
          (CounterSignature)*                |
        </UnsignedSignatureProperties>       |
                                             |
      </UnsignedProperties>                  |
                                             |
    </QualifyingProperties>                  |
                                             |
  </ds:Object>                               |
                                             |
</ds:Signature>- - - - - - - - - - - - - - - +
                                             |
                                          XAdES

Readers must take into account that the XAdES forms build up on the[XMLDSIG] by adding new XML elements containing qualifying information within the shown [XMLDSIG]ds:Object element, according to the rules defined in the present document. This ds:Object element will act as a bag for the whole set of qualifying properties defined in the present document, conveniently grouped.

Other [XMLDSIG]ds:Object elements with different contents CAN be added within the structure shown above to satisfy requirements other than the ones expressed in the present document. This also applies to the rest of the examples of structures of XAdES forms shown in this clause.

Detailed explanation of the purposes of each property will be given throughout clause 5 Qualifying properties syntax.

An XML Advanced Electronic Signature (XAdES), with the additional validation data forming the XAdES-T and XAdES-C is illustrated in figure2.

Figure 2. Illustration of a XAdES,XAdES-T and XAdES-C

Below follows the structure of XAdES-T signature.

                              XMLDISG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - +- - - +
  <ds:SignedInfo>                 |        |      |
    <ds:CanonicalizationMethod/>  |        |      |
    <ds:SignatureMethod/>         |        |      |
    (<ds:Reference URI? >         |        |      |
      (<ds:Transforms>)?          |        |      |
      <ds:DigestMethod>           |        |      |
      <ds:DigestValue>            |        |      |
    </ds:Reference>)+             |        |      |
  </ds:SignedInfo>                |        |      |
  <ds:SignatureValue>             |        |      |
  (<ds:KeyInfo>)? - - - - - - - - +        |      |
                                           |      |
  <ds:Object>                              |      |
                                           |      |
    <QualifyingProperties>                 |      |
                                           |      |
      <SignedProperties>                   |      |
                                           |      |
        <SignedSignatureProperties>        |      |
          (SigningTime)                    |      |
          (SigningCertificate)             |      |
          (SignaturePolicyIdentifier)      |      |
          (SignatureProductionPlace)?      |      |
          (SignerRole)?                    |      |
        </SignedSignatureProperties>       |      |
                                           |      |
        <SignedDataObjectProperties>       |      |
          (DataObjectFormat)*              |      |
          (CommitmentTypeIndication)*      |      |
          (AllDataObjectsTimeStamp)*       |      |
          (IndividualDataObjectsTimeStamp)*|      |
        </SignedDataObjectProperties>      |      |
                                           |      |
      </SignedProperties>                  |      |
                                           |      |
      <UnSignedProperties>                 |      |
                                           |      |
        <UnsignedSignatureProperties>      |      |
          (CounterSignature)*- - - - - - - +      |
          (SignatureTimeStamp)+                   |
        </UnsignedSignatureProperties>- - -+      |
                                           |      |
      </UnsignedProperties>                |      |
                                           |      |
    </QualifyingProperties>                |      |
                                           |      |
  </ds:Object>                             |      |
                                           |      |
</ds:Signature>- - - - - - - - - - - - - - +- - - +
                                           |      |
                                        XAdES     |
                                                  |
                                             XAdES-T

Below follows the structure for XAdES-C.

                             XMLDISG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - - +-+-+
  <ds:SignedInfo>                 |            | | |
    <ds:CanonicalizationMethod/>  |            | | |
    <ds:SignatureMethod/>         |            | | |
   (<ds:Reference URI? >          |            | | |
      (<ds:Transforms>)?          |            | | |
      <ds:DigestMethod>           |            | | |
      <ds:DigestValue>            |            | | |
    </ds:Reference>)+             |            | | |
  </ds:SignedInfo>                |            | | |
  <ds:SignatureValue>             |            | | |
  (<ds:KeyInfo>)? - - - - - - - - +            | | |
                                               | | |
  <ds:Object>                                  | | |
                                               | | |
    <QualifyingProperties>                     | | |
                                               | | |
      <SignedProperties>                       | | |
                                               | | |
        <SignedSignatureProperties>            | | |
        (SigningTime)                          | | |
        (SigningCertificate)                   | | |
        (SignaturePolicyIdentifier)            | | |
        (SignatureProductionPlace)?            | | |
        (SignerRole)?                          | | |
      </SignedSignatureProperties>             | | |
                                               | | |
      <SignedDataObjectProperties>             | | |
        (DataObjectFormat)*                    | | |
        (CommitmentTypeIndication)*            | | |
        (AllDataObjectsTimeStamp)*             | | |
        (IndividualDataObjectsTimeStamp)*      | | |
      </SignedDataObjectProperties>            | | |
                                               | | |
      </SignedProperties>                      | | |
                                               | | |
      <UnsignedProperties>                     | | |
                                               | | |
        </UnsignedSignatureProperties>         | | |
          (CounterSignature)*- - - - - - - - - + | |
          (SignatureTimeStamp)+- - - - - - - - - + |
          (CompleteCertificateRefs)                |
          (CompleteRevocationRefs)                 |
        </UnsignedSignatureProperties>- - - -  +-+ |
                                               | | |
       </UnsignedProperties>                   | | |
                                               | | |
    </QualifyingProperties>                    | | |
                                               | | |
  </ds:Object>                                 | | |
                                               | | |
</ds:Signature>- - -  - - - - - - - - - - - - -+-+-+
                                               | | |
                                           XadES | |
                                                 | |
                                           XAdES-T |
                                                   |
                                              XAdES-C

2.1 Contents

2.1.1 Contents of XAdES

As it has been stated, a XAdES signature will build on [XMLDSIG] by incorporation of one ds:Object that will be the bag for the whole set of qualifying properties. Some of them will be signed (signed qualifying information grouped within one new element, SignedProperties, see clause 4.2.1 SignedProperties) and others will not be signed (unsigned qualifying information, grouped within the UnsignedProperties element, see clause 4.2.2 UnsignedProperties).

In a XAdES the signature SHALL be applied in the usual way of [XMLDSIG] over the data object(s) to be signed and on the whole set of signed properties (SignedProperties element). The mandatory information in the SignedProperties element is:

An unambiguous reference to the signer's certificate, e.g. the certificate itself or a reference to it together with a hash value of the certificate. This is particularly important when a signer holds a number of different certificates containing the same public key, to avoid claims by a verifier that the signature implies another certificate with different semantics. This is also important when the signer holds different certificates containing different public keys in order to provide the verifier with the correct signature verification data. Finally, it is also important in case the issuing key of the CA providing the certificate would be compromised (clause 5.2.2 The SigningCertificate element).
An unambiguous way allowing the identification of the signature policy under which the electronic signature has been produced (clause 5.2.3 The SignaturePolicyIdentifier element). This will ensure that the verifier will be able to use the same signature policy during the verification process. A signature policy is needed to clarify the precise role and commitments that the signer intends to assume with respect to the signed data object, and to avoid claims by the verifier that a different signature policy was implied by the signer.
The signing time, specifying the time at which the signer claims to have performed the signing process (clause 5.2.1 The SigningTime element).

In addition, the signature can also cover other signed propertiescontaining the following information:

The data object(s) format(s) that identifies the format of a signed data object (when electronic signatures are not exchanged in a restricted context) to enable the verifier to be presented or use it (text, sound or video) in exactly the same way as intended by the signer (clause 5.2.5 The DataObjectFormat element).
The commitment type(s) undertaken by the signer in signing (a) signed data object(s) in the context of the selected signature policy (when an explicit commitment is being used); This will be required where a Signature Policy specifies more than a single commitment type, each of which might have different legal interpretations of the intent of the signature (e.g. proof of origin, proof of receipt, proof of creation... ) (clause 5.2.6 The CommitmentTypeIndication element).
The claimed or certified role assumed by the signer in creating the signature (clause 5.2.8 The SignerRole element).
The purported place where the signer claims to have produced the signature (clause 5.2.7 The SignatureProductionPlace element).

2.1.2 Contents of XAdES-T

The signer or the verifier can build an XAdES-T by adding to the existentXAdES (as a child of UnsignedProperties element), an XML element (clause 5.1.3 The EncapsulatedPKIDataType data type) encapsulating a time-stamp on the [XMLDSIG] digital signature value, generated by a TSA to prove that the electronic signature was performed before that time (clause 5.3.1 The SignatureTimeStamp element).

2.1.3 Contents of XAdES-C

The signer or the verifier of an electronic signature can create theXAdES-C form by incorporating to the XAdES-T references to the complete set of data supporting its validity (certificate path, certificate revocation lists, OCSP responses [OCSP], etc). The signer or the verifier will create this form by incorporating to the XAdES-T these references, within an XML element whose definition will be given in the present document (clauses 5.4.1 The CompleteCertificateRefs element and 5.4.2 The CompleteRevocationRefs element). This element will be added as a child of the UnsignedProperties element.

2.2 Extended forms of validation data

The complete validation data (XAdES-C) described above may be extended toform an XAdES with eXtended validation data (XAdES-X) to meet following additional requirements.

Firstly, if there is a risk that any keys used in the certificate chain or in the revocation status information may be compromised. The case of a broken algorithm is different and is addressed later on in the archived form of an electronic signature. It is necessary to additionally time-stamp all the certification path references and revocation status references, contained in the XAdES-C (see clause 5.5.2 The RefsOnlyTimeStamp element). Alternativelly, the time-stamp can be applied to the digital signature (ds:Signature element), the time-stamp(s) present in the XAdES-T form and the aforementioned references (see clause 5.5.1 The SigAndRefsTimeStamp element).
Secondly, when the certification path data and revocation status data is not stored for the long term elsewhere, then there is a need to add them to the signature (XAdES-X-L).

Figure 3. Illustration of XAdES-X andXAdES-X-L

Note it may be possible to omit the time-stamp over certification pathreferences and revocation status references while still adding the Certification path data and revocation status data.

The XAdES-X validation data is created by adding to a previously generatedXAdES-C a time-stamp over the references to the complete set of data supporting its validity or over the sequence formed by ds:SignatureValue element, the previous time-stamp(s) present in the XAdES-T form and the aforementioned references. Again, this new form will be achieved by adding an XML element conveniently encapsulating this time-stamp ( see clauses 5.5.1 The SigAndRefsTimeStamp element and 5.5.2 The RefsOnlyTimeStamp element). This element will be added as a child of the UnsignedProperties element.

The XAdES-X-L will be produced by incorporating the certificate path andrevocation information (CRLs or OCSP responses) conveniently encapsulated by XML elements (see clauses 5.6.1 The CertificateValues element and 5.6.2 The RevocationValues element). These elements will be added as children of the UnsignedProperties element.

Below follows the XAdES-X structure.

                                XMLDISG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - - +-+-+-+
  <ds:SignedInfo>                 |            | | | |
    <ds:CanonicalizationMethod/>  |            | | | |
    <ds:SignatureMethod/>         |            | | | |
    (<ds:Reference URI? >         |            | | | |
      (<ds:Transforms>)?          |            | | | |
      <ds:DigestMethod>           |            | | | |
      <ds:DigestValue>            |            | | | |
    </ds:Reference>)+             |            | | | |
  </ds:SignedInfo>                |            | | | |
  <ds:SignatureValue>             |            | | | |
  (<ds:KeyInfo>)? - - - - - - - - +            | | | |
                                               | | | |
  <ds:Object>                                  | | | |
                                               | | | |
    <QualifyingProperties>                     | | | |
                                               | | | |
      <SignedProperties>                       | | | |
                                               | | | |
        <SignedSignatureProperties>            | | | |
          (SigningTime)                        | | | |
          (SigningCertificate)                 | | | |
          (SignaturePolicyIdentifier)          | | | |
          (SignatureProductionPlace)?          | | | |
          (SignerRole)?                        | | | |
        </SignedSignatureProperties>           | | | |
                                               | | | |
        <SignedDataObjectProperties>           | | | |
          (DataObjectFormat)*                  | | | |
          (CommitmentTypeIndication)*          | | | |
          (AllDataObjectsTimeStamp)*           | | | |
          (IndividualDataObjectsTimeStamp)*    | | | |
        </SignedDataObjectPropertiesSigned>    | | | |
                                               | | | |
      </SignedProperties>                      | | | |
                                               | | | |
      <UnsignedProperties>                     | | | |
                                               | | | |
        </UnsignedSignatureProperties>         | | | |
          (CounterSignature)*- - - - - - - - - + | | |
          (SignatureTimeStamp)+- - - - - - - -   + | |
          (CompleteCertificateRefs)                | |
          (CompleteRevocationRefs)- - - - - - - - -+ |
          ((SigAndRefsTimeStamp)* |                  |
          (RefsOnlyTimeStamp)*)                      |
        </UnsignedSignatureProperties>- - - - -+-+-+ |
                                               | | | |
      </UnsignedProperties>                    | | | |
                                               | | | |
    </QualifyingProperties>                    | | | |
                                               | | | |
  </ds:Object>                                 | | | |
</ds:Signature>- - - - - - - - - - - - - - - - +-+-+-+
                                               | | | |
                                           XAdES | | |
                                                 | | |
                                           XAdES-T | |
                                                   | |
                                             XAdES-C |
                                                     |
                                               XAdES-X

The structure for XAdES-X-L is shown below.

                                XMLDISG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - +-+-+-+-+
  <ds:SignedInfo>                 |          | | | | |
    <ds:CanonicalizationMethod/>  |          | | | | |
    <ds:SignatureMethod/>         |          | | | | |
    (<ds:Reference URI? >         |          | | | | |
      (<ds:Transforms>)?          |          | | | | |
      <ds:DigestMethod>           |          | | | | |
      <ds:DigestValue>            |          | | | | |
    </ds:Reference>)+             |          | | | | |
  </ds:SignedInfo>                |          | | | | |
  <ds:SignatureValue>             |          | | | | |
  (<ds:KeyInfo>)?  - - - - - - - -+          | | | | |
                                             | | | | |
  <ds:Object>                                | | | | |
                                             | | | | |
    <QualifyingProperties>                   | | | | |
                                             | | | | |
      <SignedProperties>                     | | | | |
                                             | | | | |
        <SignedSignatureProperties>          | | | | |
          (SigningTime)                      | | | | |
          (SigningCertificate)               | | | | |
          (SignaturePolicyIdentifier)        | | | | |
          (SignatureProductionPlace)?        | | | | |
          (SignerRole)?                      | | | | |
        </SignedSignatureProperties>         | | | | |
                                             | | | | |
        <SignedDataObjectProperties>         | | | | |
          (DataObjectFormat)*                | | | | |
          (CommitmentTypeIndication)*        | | | | |
          (AllDataObjectsTimeStamp)*         | | | | |
          (IndividualDataObjectsTimeStamp)*  | | | | |
        </SignedDataObjectPropertiesSigned>  | | | | |
                                             | | | | |
      </SignedProperties>                    | | | | |
                                             | | | | |
      <UnsignedProperties>                   | | | | |
                                             | | | | |
        </UnsignedSignatureProperties>       | | | | |
          (CounterSignature)*- - - - - - - - + | | | |
          (SignatureTimeStamp)+- - - - - - - - + | | |
          (CompleteCertificateRefs)              | | |
          (CompleteRevocationRefs)- - - - - - - -+ | |
          ((SigAndRefsTimeStamp)*  |               | |
          (RefsOnlyTimeStamp)*)- - - - - - - - - - + |
          (CertificatesValues)                       |
          (RevocationValues)                         |
        </UnsignedSignatureProperties>- - - -+-+-+-+ |
                                             | | | | |
      </UnsignedProperties>                  | | | | |
                                             | | | | |
    </QualifyingProperties>                  | | | | |
                                             | | | | |
  </ds:Object>                               | | | | |
</ds:Signature>- - - - - - - - - - - - - - - +-+-+-+-+
                                             | | | | |
                                         XAdES | | | |
                                               | | | |
                                         XAdES-T | | |
                                                 | | |
                                           XAdES-C | |
                                                   | |
                                             XAdES-X |
                                                     |
                                              XAdES-X-L

2.3 Archive validation data

Before the algorithms, keys and other cryptographic data used at the timethe XAdES-C was built become weak and the cryptographic functions become vulnerable, the XAdES-X-L should be time-stamped. If possible this should use stronger algorithms (or longer key lengths) than in the original time-stamps. This additional data and time-stamp is called Archive Validation Data (XAdES-A). The time-stamping process may be repeated every time the protection used to time-stamp a previous XAdES-A become weak. A XAdES-A may thus bear multiple embedded time-stamps).

Support for XAdES-A is optional.

An example of an XML Advanced Electronic Signature (XAdES), with the additional validation data for the XAdES-C and XAdES-X-L time-stamped forming the XAdES-A is illustrated in figure 4.

Figure 4. Illustration of XAdES-A

Below follows the structure of XAdES-A.

                                XMLDISG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - +-+-+-+-+-+
  <ds:SignedInfo>                 |          | | | | | |
    <ds:CanonicalizationMethod/>  |          | | | | | |
    <ds:SignatureMethod/>         |          | | | | | |
    (<ds:Reference (URI=)? >      |          | | | | | |
      (<ds:Transforms>)?          |          | | | | | |
      <ds:DigestMethod>           |          | | | | | |
      <ds:DigestValue>            |          | | | | | |
    </ds:Reference>)+             |          | | | | | |
  </ds:SignedInfo>                |          | | | | | |
  <ds:SignatureValue>             |          | | | | | |
  (<ds:KeyInfo>)? - - - - - - - - +          | | | | | |
  <ds:Object>                                | | | | | |
                                             | | | | | |
    <QualifyingProperties>                   | | | | | |
                                             | | | | | |
      <SignedProperties>                     | | | | | |
                                             | | | | | |
        <SignedSignatureProperties>          | | | | | |
          (SigningTime)                      | | | | | |
          (SigningCertificate)               | | | | | |
          (SignaturePolicyIdentifier)        | | | | | |
          (SignatureProductionPlace)?        | | | | | |
          (SignerRole)?                      | | | | | |
        </SignedSignatureProperties>         | | | | | |
                                             | | | | | |
        <SignedDataObjectProperties>         | | | | | |
          (DataObjectFormat)*                | | | | | |
          (CommitmentTypeIndication)*        | | | | | |
          (AllDataObjectsTimeStamp)*         | | | | | |
          (IndividualDataObjectsTimeStamp)*  | | | | | |
        </SignedDataObjectPropertiesSigned>  | | | | | |
                                             | | | | | |
      </SignedProperties>                    | | | | | |
                                             | | | | | |
      <UnsignedProperties>                   | | | | | |
                                             | | | | | |
        </UnsignedSignatureProperties>       | | | | | |
          (CounterSignature)*- - - - - - - - + | | | | |
          (SignatureTimeStamp)+- - - - - - - - + | | | |
          (CompleteCertificateRefs)              | | | |
          (CompleteRevocationRefs)- - - - - - - -+ | | |
          ((SigAndRefsTimeStamp)*  |               | | |
          (RefsOnlyTimeStamp)*)- - - - - - - - - - + | |
          (CertificatesValues)                       | |
          (RevocationValues)- - - - - - - - - - - - -+ |
          (ArchiveTimeStamp)+                          |
        </UnsignedSignatureProperties>- - - -+-+-+-+-+ |
                                             | | | | | |
      </UnsignedProperties>                  | | | | | |
                                             | | | | | |
    </QualifyingProperties>                  | | | | | |
                                             | | | | | |
  </ds:Object>                               | | | | | |
                                             | | | | | |
</ds:Signature>- - - - - - - - - - - - - - - +-+-+-+-+-+
                                             | | | | | |
                                         XAdES | | | | |
                                               | | | | |
                                         XAdES-T | | | |
                                                 | | | |
                                           XAdES-C | | |
                                                   | | |
                                             XAdES-X | |
                                                     | |
                                             XAdES-X-L |
                                                       |
                                                 XAdES-A

This form will be produced by adding to the XAdES-X-L XML elementscontaining time-stamps conveniently encapsulated. The time-stamps will be computed over data within the previous structure: XAdES-X-L for the first one, XAdES-X-L plus other time-stamps for the following ones (see clause 5.7.1 The ArchiveTimeStamp element). These elements will be added as children of the UnsignedProperties elements.

3 XML namespace for the present document

The XML namespace URI that must be used by implementations of the present document:

http://uri.etsi.org/01903/v1.1.1#

The following namespace declarations apply for the XML schema definitions throughout the present document:

<?xml version="1.0"?>
<schema
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://uri.etsi.org/01903/v1.1.1#"
  targetNamespace="http://uri.etsi.org/01903/v1.1.1#"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  elementFormDefault="qualified"
>

4 Syntax overview

This clause introduces the syntax for adding qualifying information to anXML signature.

clause 4.1 Technical criteria lists a set of technical criteria that has been taken into account for this syntax proposal.

clause 4.2 The QualifyingProperties specifies an XML element that acts as a container for the qualifying information. Additionally it describes the connection between the XML signature and this container element.

clause 4.3 Incorporating qualifying properties into an XMLsignature shows two ways of incorporating such qualifying information to [XMLDSIG].

4.1 Technical criteria

The following considerations have been taken into account for the syntaxspecification for qualifying information on XML signatures.

The present document specifies how to add qualifying information to an XML signature such that it satisfies both the requirements for an Advanced Electronic Signature according to the European Directive [EU-DIR-ESIG]and for remaining valid over long period of time. TS 101 733 [ESI] identifies all the required information to be added in order to satisfy those requirements. Additionally it defines appropriate data structures for those qualifying properties using ASN.1, that fit for [CMS]style electronic signatures . The aim of the present document is to specify similar XML qualifying properties that carry such qualifying information and are used to amend [XMLDSIG].
The new XML qualifying properties should not be the result of a stubborn translation process from ASN.1 to XML. This would mean neglecting syntactic differences between [CMS] and [XMLDSIG] such as the possible number of signers and multiple signed data objects covered by a single signature, as well as ignoring powerful features of the XML environment such as linking information by using Uniform Resource Identifiers [URI].
XML Schema [XML-schema-part-1][XML-schema-part-2] has been chosen as the normative language for defining the new XML structures in the present document rather than the DTD vocabulary defined in XML 1.0 [XML], since it is namespace aware, allows reuse of existing structures and allows a stricter definition of the allowed contents. However, a DTD of the new XML structures is provided as informative annex of the present document.
XML structures that have been defined in related XML standards such as XML Schema [XML-schema-part-2] and XML-Signature Syntax and Processing [XMLDSIG] have been reused where appropriate.

4.2 The QualifyingProperties

The QualifyingProperties element acts as a container elementfor all the qualifying information that should be added to an XML signature. The element has the following structure:

<xsd:element name="QualifyingProperties" type="QualifyingPropertiesType"/>
<xsd:complexType name="QualifyingPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedProperties" type="SignedPropertiesType"
      minOccurs="0"/>
    <xsd:element name="UnsignedProperties" type="UnsignedPropertiesType"
      minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Target" type="xsd:anyURI" use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

The qualifying properties are split into properties that arecryptographically bound to (i.e. signed by) the XML signature (SignedProperties ), and properties that are not cryptographically bound to the XML signature (UnsignedProperties).

The SignedProperties must be covered by a Reference element of the XML signature. Alignment with the present document mandates that one SignedProperties element MUST exist.

The mandatory Target attribute refers to the XML signature with which the qualifying properties are associated.

The optional Id attribute can be used to make a reference to the QualifyingProperties container.

4.2.1 SignedProperties

The SignedProperties element contains a number of propertiesthat are collectively signed by the [XMLDSIG] signature.

Alignment with the present document mandates that an element SignedSignatureProperties MUST appear.

Below follows the schema definition for SignedProperties element.

<xsd:element name="SignedProperties" type="SignedPropertiesType" />
<xsd:complexType name="SignedPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedSignatureProperties"
      type="SignedSignaturePropertiesType"/>
      <xsd:element name="SignedDataObjectProperties" 
        type="SignedDataObjectPropertiesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

The SignedProperties element MUST contain properties thatqualify the [XMLDSIG] signature itself or the signer. They are included as content of the SignedSignatureProperties element.

The SignedProperties element MAY also contain properties that qualify some of the signed data objects. These properties appear as content of the SignedDataObjectProperties element.

The optional Id attribute can be used to make a reference to the SignedProperties element.

4.2.2 UnsignedProperties

The UnsignedProperties element contains a number ofproperties that are not signed by the [XMLDSIG] signature.

<xsd:element name="UnsignedProperties" type="UnsignedPropertiesType" />
  <xsd:complexType name="UnsignedPropertiesType">
    <xsd:sequence>
      <xsd:element name="UnsignedSignatureProperties" 
        type="UnsignedSignaturePropertiesType" minOccurs="0"/>
        <xsd:element name="UnsignedDataObjectProperties" 
          type="UnsignedDataObjectPropertiesType" minOccurs="0"/>
    </xsd:sequence>
    <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
  </xsd:complexType>

The UnsignedProperties element MAY contain properties that qualify XML signature itself or the signer. They are included as content of the UnsignedSignatureProperties element.

The UnsignedProperties element MAY also contain properties that qualify some of the signed data objects. These properties appear as content of the UnsignedDataObjectProperties element.

The optional Id attribute can be used to make a reference to the UnsignedProperties element.

4.2.3 SignedSignatureProperties

This element contains properties that qualify the XML signature that hasbeen specified with the Target attribute of the QualifyingProperties container element.

<xsd:element name="SignedSignatureProperties"   type="SignedSignaturePropertiesType" />

<xsd:complexType name="SignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="SigningTime" type="xsd:dateTime"/>
    <xsd:element name="SigningCertificate" type="CertIDListType"/>
    <xsd:element name="SignaturePolicyIdentifer" 
     type="SignaturePolicyIdentifierType"/>
    <xsd:element name="SignatureProductionPlace" type="SignatureProductionPlaceType" 
     minOccurs="0"/>
    <xsd:element name="SignerRole" type="SignerRoleType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

The qualifying property SigningTime is described in detail in clause 5.2.1 The SigningTime element, SigningCertificate in clause 5.2.2 The SigningCertificate element, SignaturePolicyIdentifier in clause 5.2.3 The SignaturePolicyIdentifier element, SignatureProductionPlace in clause 5.2.7 The SignatureProductionPlace element, and SignerRole in clause 5.2.8 The SignerRole element.

4.2.4 SignedDataObjectProperties

This element contains properties that qualify some of the signed dataobjects.

<xsd:element name="SignedDataObjectProperties"   type="SignedDataObjectPropertiesType"/>

<xsd:complexType name="SignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="DataObjectFormat" type="DataObjectFormatType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CommitmentTypeIndication" 
      type="CommitmentTypeIndicationType" minOccurs="0" 
      maxOccurs="unbounded"/>
    <xsd:element name="AllDataObjectsTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="IndividualDataObjectsTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The qualifying property AllDataObjectsTimeStamp is describedin detail in clause 5.2.9 The AllDataObjectsTimeStamp element, IndividualDataObjectsTimeStamp in clause 5.2.10 The AllDataObjectsTimeStamp element, DataObjectFormat in clause 5.2.5 The DataObjectFormatelement, and CommitmentTypeIndication in clause 5.2.6 The CommitmentTypeIndication element.

All these properties qualify the signed data object after all the required transforms have been made.

4.2.5 UnsignedSignatureProperties

This element contains properties that qualify the XML signature that hasbeen specified with the Target attribute of the QualifyingProperties container element. The content of this element is not covered by the XML signature.

<xsd:element name="UnsignedSignatureProperties"   type="UnsignedSignaturePropertiesType"/>

<xsd:complexType name="UnsignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="CounterSignature" type="CounterSignatureType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="SignatureTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CompleteCertificateRefs" 
      type="CompleteCertificateRefsType" minOccurs="0"/>
    <xsd:element name="CompleteRevocationRefs" 
      type="CompleteRevocationRefsType" minOccurs="0"/>
    <xsd:choice>
      <xsd:element name="SigAndRefsTimeStamp" type="TimeStampType" 
        minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="RefsOnlyTimeStamp" type="TimeStampType" 
        minOccurs="0" maxOccurs="unbounded"/>
    </xsd:choice>
    <xsd:element name="CertificateValues" type="CertificateValuesType" 
      minOccurs="0"/>
    <xsd:element name="RevocationValues" type="RevocationValuesType" 
      minOccurs="0"/>
    <xsd:element name="ArchiveTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
  </xsd:complexType>

The qualifying property CounterSignature is described indetail in clause 5.2.4 The CounterSignature element, SignatureTimeStamp in clause 5.3.1 The SignatureTimeStamp element, CompleteCertificateRefs in clause 5.4.1 The CompleteCertificateRefs element, CompleteRevocationRefs in clause 5.4.2 The CompleteRevocationRefs element, SigAndRefsTimeStamp in clause 5.5.1 The SigAndRefsTimeStamp element, RefsOnlyTimeStamp in clause 5.5.2 The RefsOnlyTimeStamp element, CertificateValues in clause 5.6.1 The CertificateValues element, RevocationValues in clause 5.6.2 The RevocationValues element, and ArchiveTimeStamp in clause 5.7.1 The ArchiveTimeStamp element.

4.2.6 UnsignedDataObjectProperties

This element contains properties that qualify some of the signed data objects. The signature generated by the signer does not cover the content of this element.

<xsd:element name="UnsignedDataObjectProperties" type="UnsignedDataObjectPropertiesType" />

<xsd:complexType name="UnsignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="UnsignedDataObjectProperty" type="AnyType" 
      minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

TS 101733 [ESI] does not specify the usage of any unsigned propertyqualifying the signed data object. The present document, however, incorporates this element for the shake of completeness and to cope with potential future needs for inclusion of such kind of properties. The schema definition leaves open the definition of the contents of this type. The type AnyType is defined in clause 5.1.1 The AnyType data type.

4.3 Incorporating qualifying properties into an XMLsignature

The present document utilizes the ds:Object auxiliary element from [XMLDSIG]. It MUST be used to incorporate the qualifying properties into the [XMLDSIG] signature. In principle, two different means are provided for this incorporation:

Direct incorporation means that a QualifyingProperties element is put as a child of the ds:Object.
Indirect incorporation means that a QualifyingPropertiesReference element is put as a child of the ds:Object. This element contains information about a QualifyingProperties element that is stored in place different from the signature (see clause 4.3.2 QualifyingPropertiesReference).

However, the following restrictions apply for usingds:Object, QualifyingProperties and QualifyingPropertiesReference:

All instances of the QualifyingProperties and the QualifyingPropertiesReference element MUST occur within a single ds:Object element.
At most one instance of the QualifyingProperties element may occur within this single ds:Object element.
All signed properties must occur within a single QualifyingProperties element. This element can either be a child of the ds:Object element (direct incorporation), or it can be referenced by a QualifyingPropertiesReference element. See clause 4.3.1 SigningProperties for information how to sign properties.
Zero or more instances of the QualifyingPropertiesReference element may occur within the single ds:Object element.

It is out of the scope of the present document to specify the mechanismsrequired to guarantee the correct storage of the distributed QualifyingProperties elements (i.e. that the properties are stored by the entity that has to store them and that they are not undetectable modified).

4.3.1 SigningProperties

As has already been stated, all the properties that should be protected bythe signature have to be collected in a single instance of the QualifyingProperties element. Actually these properties are children of the SignedProperties child of this element.

In order to protect the properties with the signature, a ds:Reference element must be added to the [XMLDSIG] signature. This ds:Reference element MUST be composed in such a way that it uses the SignedProperties element mentioned above as the input for computing its corresponding digest.

Additionally, the present document MANDATES the use of the Type attribute of this particular ds:Reference element, with its value set to

http://uri.etsi.org/01903/v1.1.1#SignedProperties

This value indicates that the data used for hash computation is aSignedProperties element and therefore helps a verifying application to detect the signed properties of a signature conforming with the present document.

If the QualifyingProperties element containing the SignedProperties element is stored in a place different from the signature (indirect incorporation), the result of processing the URI and transforms in this ds:Reference element must be the same as the result of processing the URI and transforms in the QualifyingPropertiesReference element pointing to the aforementioned QualifyingProperties element.

4.3.2 QualifyingPropertiesReference

This element contains information about aQualifyingProperties element that is stored in place different from the signature, for instance in another XML document.

<xsd:element name="QualifyingPropertiesReference"   type="QualifyingPropertiesReferenceType"/>

<xsd:complexType name="QualifyingPropertiesReferenceType">
  <xsd:sequence>
    <xsd:element name="Transforms" type="ds:TransformsType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

The mandatory URI attribute provides an identifier for the location of theQualifyingProperties element. This could be for instance a URL to a web site where the information can be retrieved, or a name that the participating applications can use to identify a particular QualifyingProperties element.

The optional ds:Transforms element can be used to specify a chain of tranformations that has to be applied to the data referenced by the URI attribute in order to get the actual representation of the QualifyingProperties element. The processing model for the chain of transformations is as defined in clause http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel of [XMLDSIG].

The optional Id attribute can be used to make a reference to the QualifyingPropertiesReference element.

5 Qualifying properties syntax

clause 5.1 Auxiliary syntax summarizes a set of auxiliary structures that will be neededlater on, while the remaining clauses corresponds to a certain qualifying property.

clause 5.2 Syntax for XAdES describes in detail the qualifying properties that can appear in XAdES electronic signatures forms as described in clause 4 Syntax overview.

clause 5.3 Syntax for XAdES-T form describes in detail the qualifying properties that can appear in XAdES-T electronic signatures forms as described in clause 4 Syntax overview.

clause 5.4 Syntax for XAdES-C form describes in detail the qualifying properties referred to validation data that can appear in the XAdES-C form.

clause 5.5 Syntax for XAdES-X form describes in detail the qualifying properties referred to different time-stamps that can appear in the XAdES-X form.

clause 5.6 Syntax for XAdES-X-L form describes in detail the qualifying properties referred to validation data that can appear in the XAdES-X-L form.

Finally, clause 5.7 Syntax for XAdES-A form describes in detail the qualifying properties referred to different time-stamps that can appear in the XAdES-A form.

5.1 Auxiliary syntax

The following three auxiliary XML structures are utilized in several casesin the subsequent clauses.

5.1.1 The AnyType data type

The AnyType schema data type has a content model that allowsa sequence of arbitrary XML elements that is of unrestricted length. Additionally, an element of this data type can bear an unrestricted number of arbitrary attributes. It is used throughout the remaining parts of this clause wherever the content of an XML element has been left open.

<xsd:complexType name="AnyType" mixed="true">  
  <xsd:sequence>
    <xsd:any namespace="##any"/>
  </xsd:sequence>
  <xsd:anyAttribute namespace="##any"/>
</xsd:complexType>

5.1.2 The ObjectIdentifierType data type

The ObjectIdentifierType data type can be used to identify aparticular data object.

It allows the specification of an unique and permanent identifier of an object. In addition, a textual description of the nature of the data object, and a number of references to documents where additional information about the nature of the data object can be found.

<xsd:complexType name="ObjectIdentifierType">
  <xsd:sequence>
    <xsd:element name="Identifier" type="xsd:anyURI"/>
    <xsd:element name="Description" type="xsd:string" minOccurs="0"/>
    <xsd:element name="DocumentationReferences"
      type="DocumentationReferencesType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

The Identifier element contains a permanent identifier. Once assigned the identifier can never be re-assigned again. It supports both the mechanism that is used to identify objects in ASN.1 and the mechanism that is usually used to identify objects in an XML environment:

In ASN.1 an Object IDentifier (OID) is used to identify an object. To encode an OID using the ObjectIdentifierType, the element Identifier MUST contain the OID as a Uniform Resource Name [URN-OID] conforming to the way specified in RFC3061. A textual representation enabling humans to easily understand the meaning of the OID MAY be given using the element Description. The present document does not suggest a particular format for such a textual representation.
In an XML environment objects are typically identified by means of an Uniform Resource Identifier [URI]. To encode such a URI using the ObjectIdentifierType, the element Identifier MUST be used.

Please note: Since such a URI represenent a PERMANENT identifier, the URI (scheme, domain name) should be carefully chosen. For example, if a domain ceases to exist, this will also invalidiate all the identifiers specified under the domain, since it could happen that the do- main is reassigned to a different owner who could then change the meaning of the identifiers. .

Should an OID and an URI exist identifying the same object, the present document encourages the use of the URI as explained in the first bullet above.

<xsd:complexType name="IdentifierType"> 
  <xsd:complexContent>
    <xsd:extension base="xsd:anyURI">
      <xsd:attribute name="Qualifier" type="QualifierType" use="optional"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>

<xsd:simpleType name="QualifierType">
  <xsd:restriction base="xsd:string">
    <xsd:enumeration value="OIDAsURI"/>
    <xsd:enumeration value="OIDAsURN"/>
  </xsd:restriction>
</xsd:simpleType>

The optional Description element contains an informal textdescribing the object identifier.

The optional DocumentationReferences element consists of an arbitrary number of references pointing to further explanatory documentation of the object identifier.

<xsd:complexType name="DocumentationReferencesType">  
  <xsd:sequence maxOccurs="unbounded">
    <xsd:element name="DocumentationReference" type="xsd:anyURI"/>
  </xsd:sequence>
</xsd:complexType>

5.1.3 The EncapsulatedPKIDataType data type

The EncapsulatedPKIDataType is used to incorporate a piece ofPKI data into an XML structure whereas the PKI data is encoded using an ASN.1 encoding mechanism. Examples of such PKI data that are widely used at the time being include X509 certificates and revocation lists, OCSP responses, attribute certificates and time-stamps.

<xsd:complexType name="EncapsulatedPKIDataType">  
  <xsd:complexContent>
    <xsd:extension base="xsd:base64Binary">
      <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>

The content of this data type is the piece of PKI data, base64 encoded asdefined in [XMLDSIG]. The optional ID attribute can be used to make a reference to an element of this data type.

5.1.4 The TimeStampType data type

Time-Stamps shall be used with XML Advanced Electronic Signatures in anumber of use cases:

A XML Advanced Electronic Signature with Time-Stamp (XAdES-T) includes a time-stamp over the XML Advanced Electronic Signature (XAdES) to protect against repudiation in case of a key compromise.
Two mechanisms are provided for protection against fraudulence in case of a CA key compromise, obtaining the XAdES-X form:
- A time-stamp only over all certificate and revocation information references of an XML Advanced Electronic Signature with Complete Validation Data (XAdES-C).
- A time-stamp computed over the signature value, the signature time-stamp and the certificate and revocation information references present in the XML Advanced Electronic Signature with Complete Validation Data (XAdES-C).
To provide for long term validity of an XML signature, a time-stamp can be applied over an XML Advanced Electronic Signature with Extended Validation Data (XAdES-X-L) to obtain a XAdES-A form. In this case the time-stamp is called an Archive Time-Stamp. Additional time-stamps can be added to this XAdES-A as time goes on.
Additionally, time-stamps proving that some or all the data objects to be signed have been created before some time can also be added as signed properties to the XAdES.

A time-stamp is obtained by sending the digest value of the given data tothe Time-Stamp Authority (TSA). The returned time-stamp is a signed data that contains the digest value, the identity of the TSA, and the time of stamping. This proves that the given data existed before the time of stamping.

Time-Stamps specified in the present document will be generated on selected parts of the XAdES signature element.

Below follows the schema definition for the data type used for all the time-stamps mentioned above.

<xsd:complexType name="TimeStampType">
  <xsd:sequence>
    <xsd:element name="HashDataInfo" type="HashDataInfoType" 
     maxOccurs="unbounded"/>
    <xsd:choice>
      <xsd:element name="EncapsulatedTimeStamp" 
       type="EncapsulatedPKIDataType"/>
      <xsd:element name="XMLTimeStamp" type="AnyType"/>
    </xsd:choice>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="HashDataInfoType">
  <xsd:sequence>
    <xsd:element name="Transforms" type="ds:TransformsType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="uri" type="xsd:anyURI" use="required"/>
</xsd:complexType>

Each HashDataInfo element contains an uriattribute referencing a data object and one ds:Transforms element indicating the transformations to make to this data object as described in [XMLDSIG].

The sequence of HashDataInfo elements will be used to produce the input of the hash computation process whose result will be included in the time-stamp request to be sent to the TSA.

The actual input to the hash computation is obtained as follows. Each data object referenced in the sequence of elements HashDataInfo is transformed according the indications of the corresponding Transforms element. Once all the referenced data objects have been transformed, the resulting octets are concatenated in the order in which the data objects are referenced.

The time-stamp generated by the TSA can be either an ASN.1 data object (as defined in [TSP], use EncapsulatedTimeStamp), or it can be encoded as XML (use XMLTimeStamp). Since at the time being there is no standard for an XML time-stamp, we provide a placeholder for future use.

5.2 Syntax for XAdES

This clause describes in detail the qualifying properties that can appearin XAdES and XAdES-T advanced electronic signatures forms as described in clause 4 Syntax overview.

5.2.1 The `SigningTime` element

The SigningTime property specifies the time at which the signer (purportedly) performed the signing process.

The XML Schema recommendation [XML-schema-part-2] defines an XML type xsd:dateTime that allows for the inclusion of the required information. This is the type selected for the SigningTime element.>

This is a signed property that qualifies the whole signature.

An XML electronic signature aligned with the present document MUST contain exactly one SigningTime element .

Below follows the schema definition for this element:

<xsd:element name="SigningTime" type="xsd:dateTime"/>

5.2.2 The `SigningCertificate` element

According to what has been stated in the Introduction clause, anelectronic signature produced in accordance with the present document incorporates: "a commitment that has been explicitly endorsed under a signature policy, at a given time, by a signer under an identifier, e.g. a name or a pseudonym, and optionally a role".

In many real life environments users will be able to get from different CAs or even from the same CA, different certificates containing the same public key for different names. The prime advantage is that a user can use the same private key for different purposes. Multiple use of the private key is an advantage when a smart card is used to protect the private key, since the storage of a smart card is always limited. When several CAs are involved, each different certificate may contain a different identity, e.g. as a national or as an employee from a company. Thus when a private key is used for various purposes, the certificate is needed to clarify the context in which the private key was used when generating the signature. Where there is the possibility of multiple use of private keys it is necessary for the signer to indicate to the verifier the precise certificate to be used.

Many current schemes simply add the certificate after the signed data and thus are subject to various substitution attacks. An example of a substitution attack is a "bad" CA that would issue a certificate to someone with the public key of someone else. If the certificate from the signer was simply appended to the signature and thus not protected by the signature, any one could substitute one certificate by another and the message would appear to be signed by some one else.

In order to counter this kind of attack, the identifier of the certificate has to be protected by the digital signature from the signer.

The SigningCertificate property is designed to prevent thesimple substitution of the certificate. This property contains references to certificates and digest values computed on them.

The certificate used to verify the signature shall be identified in the sequence; the signature policy may mandate other certificates be present, that may include all the certificates up to the point of trust.

This is a signed property that qualifies the signature.

An XML electronic signature aligned with the present document MUST contain exactly one SigningCertificate element .

Below follows the schema definition:

<xsd:element name="SigningCertificate" type="CertIDListType"/>
<xsd:complexType name="CertIDListType">
  <xsd:sequence>
    <xsd:element name="Cert" type="CertIDType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CertIDType">
  <xsd:sequence>
    <xsd:element name="CertDigest" type="DigestAlgAndValueType"/>
    <xsd:element name="IssuerSerial" type="ds:X509IssuerSerialType"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="DigestAlgAndValueType">
  <xsd:sequence>
    <xsd:element name="DigestMethod" type="ds:DigestMethodType"/>
    <xsd:element name="DigestValue" type="ds:DigestValueType"/>
  </xsd:sequence>
</xsd:complexType>

The SigningCertificate element contains the aforementionedsequence of certificate identifiers and digests computed on the certificates (Cert elements).

The element IssuerSerial contains the identifier of one of the certificates referenced in the sequence. Should the ds:X509IssuerSerial element appear in the signature to denote the same certificate, its value MUST be consistent with the corresponding IssuerSerial element.

If the signer uses an attribute certificate to associate a role with the electronic signature, such a certificate MUST be present in the SignerRole property.

The element CertDigest contains the digest of one of the certificates referenced in the sequence. It contains two elements: DigestMethod indicates the digest algorithm and DigestValue contains the value of the digest.

5.2.3 The `SignaturePolicyIdentifier` element

The signature policy is a set of rules for the creation and validation ofan electronic signature, under which the signature can be determined to be valid. A given legal/contractual context may recognize a particular signature policy as meeting its requirements.

The signature policy needs to be available in human readable form so that it can be assessed to meet the requirements of the legal and contractual context in which it is being applied.

To facilitate the automatic processing of an electronic signature the parts of the signature policy which specify the electronic rules for the creation and validation of the electronic signature also need to be in a computer processable form.

If no signature policy is identified then the signature may be assumed to have been generated/verified without any policy constraints, and hence may be given no specific legal or contractual significance through the context of a signature policy.

As it has been stated before, any electronic signature claiming alignment with the present document must contain an unambiguous way allowing the identification of the Signature. The present document specifies two alternatives:

The electronic signature can contain an explicit and unambiguous identifier of a Signature Policy together with a hash value of the signature policy, so it can be verified that the policy selected by the signer is the one being used by the verifier. An explicit signature policy has a globally unique reference, which, in this way, is bound to an electronic signature by the signer as part of the signature calculation. In these cases, for a given explicit signature policy there shall be one definitive form that has a unique binary encoded value. Finally, a signature policy identified in this way may be qualified by additional information.
Alternatively, the electronic signature can avoid the inclusion of the aforementioned identifier and hash value. This will be possible when the signature policy can be unambiguously derived from the semantics of the type of data object(s) being signed, and some other information, e.g. national laws or private contractual agreements, that mention that a given signature policy must be used for this type of data content. In such cases, the signature will contain a specific empty element indicating that this implied way to identify the signature policy is used instead the identifier and hash value.

The signature policy identifier is a signed property qualifying thesignature.

An XML electronic signature aligned with the present document MUST contain exactly one SignaturePolicyIdentifier element.

Below follows the schema definition for this type:

<xsd:element name="SignaturePolicyIdentifier" type="SignaturePolicyIdentifierType"/>
<xsd:complexType name="SignaturePolicyIdentifierType">
  <xsd:choice>
    <xsd:element name="SignaturePolicyId" type="SignaturePolicyIdType"/>
    <xsd:element name="SignaturePolicyImplied"/>
  </xsd:choice>
</xsd:complexType>

<xsd:complexType name="SignaturePolicyIdType">
  <xsd:sequence>
    <xsd:element name="SigPolicyId" type="ObjectIdentifierType"/>
    <xsd:element ref="ds:Transforms" minOccurs="0"/>
    <xsd:element name="SigPolicyHash" type="DigestAlgAndValueType"/>
    <xsd:element name="SigPolicyQualifiers" 
      type="SigPolicyQualifiersListType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="SigPolicyQualifiersListType">
  <xsd:sequence>
    <xsd:element name="SigPolicyQualifier" type="AnyType" 
      maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The SignaturePolicyId element will appear when the signaturepolicy is identified using the first alternative. The SigPolicyId element contains an identifier that uniquely identifies a specific version of the signature policy. The SigPolicyHash element contains the identifier of the hash algorithm and the hash value of the signature policy. The SigPolicyQualifier element can contain additional information qualifying the signature policy identifier. The optional ds:Transforms element can contain the transformations performed on the signature policy document before computing its hash. The processing model for these transformations is described in [XMLDSIG].

Alternatively, the SignaturePolicyImplied element will appear when the second alternative is used. This empty element indicates that the data object(s) being signed and other external data imply the signature policy.

5.2.3.1 Signature policy qualifiers

Two qualifiers for the signature policy have been identified so far:

A URL where a copy of the Signature Policy (SP) may be obtained.
A user notice that should be displayed when the signature is verified.

Below follows the schema definition for these two elements:

<xsd:element name="SPURI" type="xsd:anyURI"/>
<xsd:element name="SPUserNotice" type="SPUserNoticeType"/>

<xsd:complexType name="SPUserNoticeType">
  <xsd:sequence>
    <xsd:element name="NoticeRef" type="NoticeReferenceType" minOccurs="0"/>
    <xsd:element name="ExplicitText" type="xsd:string" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="NoticeReferenceType">
  <xsd:sequence>
    <xsd:element name="Organization" type="xsd:string"/>
    <xsd:element name="NoticeNumbers" type="IntegerListType"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="IntegerListType">
  <xsd:sequence>
    <xsd:element name="int" type="xsd:integer" minOccurs="0"
      maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The SPUserNotice element is intended for being displayed whenever the signature is validated. The ExplicitText element contains the text of the notice to be displayed. Other notices could come from the organization issuing the signature policy. The NoticeRef element names an organization and identifies by numbers (NoticeNumbers element) a group of textual statements prepared by that organization, so that the application could get the explicit notices from a notices file.

5.2.4 The `CounterSignature` element

Some electronic signatures may only be valid if they bear more than onesignature. This is the case generally when a contract is signed between two parties. The ordering of the signatures may or may not be important, i.e. one may or may not need to be applied before the other.

Several forms of multiple and counter signatures need to be supported, which fall into two basic categories:

Independent signatures.
Embedded signatures.

Independent signatures are parallel signatures where the ordering of thesignatures is not important. Therefore an independent signature will not appear as a CounterSignature property of another independent one.

Embedded signatures are applied one after the other and are used where the order the signatures are applied is important. Multiple embedded signatures are supported using the CounterSignature unsigned property. Each CounterSignature is carried in one CounterSignature element added to the Signature element to which the CounterSignature is applied.

In a qualified Signature the contents of the CounterSignature element are one or more signatures (i.e. ds:Signature elements) of the SignatureValue in the qualified Signature.

A CounterSignature can itself be qualified by a CounterSignature property. Thus it is possible to construct arbitrarily long series of countersignatures.

This is a unsigned property that qualifies the signature.

Below follows the schema definition for this element.

<xsd:element name="CounterSignature" type="CounterSignatureType" />
<xsd:complexType name="CounterSignatureType">
  <xsd:sequence>
    <xsd:element ref="ds:Signature"/>
  </xsd:sequence>
</xsd:complexType>

The next figure shows a countersigned Signature.

Figure 5. Use of CounterSignature element

5.2.5 The `DataObjectFormat` element

When presenting signed data to a human user it may be important that there is no ambiguity as to the presentation of the signed data object to the relying party. In order for the appropriate representation (text, sound or video) to be selected by the relying party a content hint may be indicated by the signer. If a relying party system does not use the format specified to present the data object to the relying party, the electronic signature may not be valid. Such a behaviour may have been established by the signature policy, for instance.

The DataObjectFormat element provides information that describes the format of the signed data object. This element MUST be present when it is mandatory to present the signed data object to human users on verification. This is a signed property that qualifies one specific signed data object. In consequence, an XML electronic signature aligned with the present document MAY contain more than one DataObjectFormat elements, each one qualifying one signed data object.

Below follows the schema definition for this element.

<xsd:element name="DataObjectFormat" type="DataObjectFormatType"/>
<xsd:complexType name="DataObjectFormatType">
  <xsd:sequence>
    <xsd:element name="Description" type="xsd:string" minOccurs="0"/>
    <xsd:element name="ObjectIdentifier" type="ObjectIdentifierType" 
      minOccurs="0"/>
    <xsd:element name="MimeType" type="xsd:string" minOccurs="0"/>
    <xsd:element name="Encoding" type="xsd:anyURI" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="ObjectReference" type="xsd:anyURI" 
   use="required"/>
</xsd:complexType>

This element can convey:

Textual information related to the signed data object(s) in element Description.
An identifier indicating the type of the signed data object(s) in element ObjectIdentifier.
An indication of the MIME type of the signed data object(s), in element MimeType.
An indication of the encoding format of the signed data object(s), in element Encoding.

At least one element of Description, ObjectIdentifier and MimeType must be present within the property.

5.2.6 The `CommitmentTypeIndication` element

The commitment type can be indicated in the electronic signature either:

Explicitly using a commitment type indication in the electronic signature.
implicitly or explicitly from the semantics of the signed data object.

If the indicated commitment type is explicit by means of a commitment typeindication in the electronic signature, acceptance of a verified signature implies acceptance of the semantics of that commitment type. The semantics of explicit commitment types indications shall be specified either as part of the signature policy or may be registered for generic use across multiple policies.

If a signature includes a commitment type indication other than one of those recognized under the signature policy the signature shall be treated as invalid.

How commitment is indicated using the semantics of the data object being signed is outside the scope of the present document.

The commitment type may be:

Defined as part of the signature policy, in which case the commitment type has precise semantics that is defined as part of the signature policy.
A registered type, in which case the commitment type has precise semantics defined by registration, under the rules of the registration authority. Such a registration authority may be a trading association or a legislative authority.

The definition of a commitment type includes:

The object identifier for the commitment.
A sequence of qualifiers.

The qualifiers can provide more information about the commitment, it couldprovide, for example, information about the context be it contractual/legal/application specific.

If an electronic signature does not contain a recognized commitment type then the semantics of the electronic signature is dependent on the data object being signed and the context in which it is being used.

This is a signed property that qualifies signed data object(s). In consequence, an XML electronic signature aligned with the present document MAY contain more than one CommitmentTypeIndication elements.

Below follows the schema definition for this element.

<xsd:element name="CommitmentTypeIndication" type="CommitmentTypeIndicationType"/>
<xsd:complexType name="CommitmentTypeIndicationType">
  <xsd:sequence>
    <xsd:element name="CommitmentTypeId" type="ObjectIdentifierType"/>
    <xsd:choice>
      <xsd:element name="ObjectReference" type="xsd:anyURI" 
         minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="AllSignedDataObjects"/>
    </xsd:choice>
    <xsd:element name="CommitmentTypeQualifiers"
      type="CommitmentTypeQualifiersListType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CommitmentTypeQualifiersListType">
  <xsd:sequence>
    <xsd:element name="CommitmentTypeQualifier" 
      type="AnyType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The CommitmentTypeId element univocally identifies the type of commitment made by the signer. A number of commitments have been already identified in TS 101 733 [ESI] (and consequently assigned a corresponding OIDs), namely:

Proof of origin indicates that the signer recognizes to have created, approved and sent the signed data object.
Proof of receipt indicates that signer recognizes to have received the content of the signed data object.
Proof of delivery indicates that the TSP providing that indication has delivered a signed data object in a local store accessible to the recipient of the signed data object.
Proof of sender indicates that the entity providing that indication has sent the signed data object (but not necessarily created it).
Proof of approval indicates that the signer has approved the content of the signed data object.
Proof of creation indicates that the signer has created the signed data object (but not necessarily approved, nor sent it).

One ObjectReference element refers to oneds:Reference element of the ds:SignedInfo corresponding with one data object qualified by this property. If some but not all the signed data objects share the same commitment, one ObjectReference element MUST appear for each one of them. However, if all the signed data objects share the same commitment, the AllSignedDataObjects empty element MUST be present.

The CommitmentTypeQualifiers element provides means to include additional qualifying information on the commitment made by the signer.

XML Advanced Electronic Signatures (XAdES)

W3C Note 20 February 2003

Abstract

Status of this Document

Table of Contents

1 Introduction

1.1 Overview

1.2 Definitions of Terms

1.3 Editorial Conventions

2 XML Advanced Electronic Signature Data Structures

2.1 Contents

2.1.1 Contents of XAdES

2.1.2 Contents of XAdES-T

2.1.3 Contents of XAdES-C

2.2 Extended forms of validation data

2.3 Archive validation data

3 XML namespace for the present document

4 Syntax overview

4.1 Technical criteria

4.2 The QualifyingProperties

4.2.1 SignedProperties

4.2.2 UnsignedProperties

4.2.3 SignedSignatureProperties

4.2.4 SignedDataObjectProperties

4.2.5 UnsignedSignatureProperties

4.2.6 UnsignedDataObjectProperties

4.3 Incorporating qualifying properties into an XMLsignature

4.3.1 SigningProperties

4.3.2 QualifyingPropertiesReference

5 Qualifying properties syntax

5.1 Auxiliary syntax

5.1.1 The AnyType data type

5.1.2 The ObjectIdentifierType data type

5.1.3 The EncapsulatedPKIDataType data type

5.1.4 The TimeStampType data type

5.2 Syntax for XAdES

5.2.1 The SigningTime element

5.2.2 The SigningCertificate element

5.2.3 The SignaturePolicyIdentifier element

5.2.3.1 Signature policy qualifiers

5.2.4 The CounterSignature element

5.2.5 The DataObjectFormat element

5.2.6 The CommitmentTypeIndication element

5.2.1 The `SigningTime` element

5.2.2 The `SigningCertificate` element

5.2.3 The `SignaturePolicyIdentifier` element

5.2.4 The `CounterSignature` element

5.2.5 The `DataObjectFormat` element

5.2.6 The `CommitmentTypeIndication` element