This section describes additional elements that you can add to an XAdES to produce higher levels of trusted signatures.

12.4.1 The SignatureTimeStamp Element

A SignatureTimeStamp is a time stamp over the signature (the ds:SignatureValue element) that proves the signature existed before the stamped time. The intention is to show that the signature existed, and was valid, at the time it was relied on, even if a key involved in the signature is later revoked. The time stamp only moves the question, however: a verifier must still validate the time-stamping authority's own signature and certificate, and check that the stamped time precedes any revocation of the signer's key. Applying this element to an XAdES produces an XAdES-T; applying it to an existing XAdES-T produces a new XAdES-T that contains multiple time stamps, for example from independent time-stamping authorities. Its schema follows:

Schema Definition:

    <xsd:element name="SignatureTimeStamp" type="TimeStampType"/>

12.4.2 The CompleteCertificateRefs Element

A long-term signature needs to have its validation data conveniently accessible, including the following items:
Adding complete references to that validation data converts an XAdES-T into an XAdES-C. The CompleteCertificateRefs element described here carries the certificate references, and the CompleteRevocationRefs element (see Section 12.4.3) carries the references to revocation information. Including the certificates and revocation data themselves, rather than references to them, converts an XAdES-C (or XAdES-X) into an XAdES-X-L, the long-term form: the full certificates go in the CertificateValues element (see Section 12.4.6) and the full revocation data in the RevocationValues element (see Section 12.4.7). Adding an archive time stamp to that (see Section 12.4.8) produces an XAdES-A, suitable for archival storage. The schema for CompleteCertificateRefs follows:

    <!-- Start CompleteCertificateRefs -->
    <xsd:element name="CompleteCertificateRefs" type="CompleteCertificateRefsType"/>
    <xsd:complexType name="CompleteCertificateRefsType">
      <xsd:sequence>
        <xsd:element name="CertRefs" type="CertIDListType"/>
      </xsd:sequence>
      <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
    </xsd:complexType>

12.4.3 The CompleteRevocationRefs Element

You include the CompleteRevocationRefs element in an XAdES-C as described in Section 12.4.2.
Its schema follows:

    <!-- Start CompleteRevocationRefs -->
    <xsd:element name="CompleteRevocationRefs" type="CompleteRevocationRefsType"/>
    <xsd:complexType name="CompleteRevocationRefsType">
      <xsd:sequence>
        <xsd:element name="CRLRefs" type="CRLRefsType" minOccurs="0"/>
        <xsd:element name="OCSPRefs" type="OCSPRefsType" minOccurs="0"/>
        <xsd:element name="OtherRefs" type="OtherCertStatusRefsType" minOccurs="0"/>
      </xsd:sequence>
      <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
    </xsd:complexType>
    <xsd:complexType name="CRLRefsType">
      <xsd:sequence>
        <xsd:element name="CRLRef" type="CRLRefType" maxOccurs="unbounded"/>
      </xsd:sequence>
    </xsd:complexType>
    <xsd:complexType name="CRLRefType">
      <xsd:sequence>
        <xsd:element name="DigestAlgAndValue" type="DigestAlgAndValueType"/>
        <xsd:element name="CRLIdentifier" type="CRLIdentifierType" minOccurs="0"/>
      </xsd:sequence>
    </xsd:complexType>
    <xsd:complexType name="CRLIdentifierType">
      <xsd:sequence>
        <xsd:element name="Issuer" type="xsd:string"/>
        <xsd:element name="IssueTime" type="xsd:dateTime"/>
        <xsd:element name="Number" type="xsd:integer" minOccurs="0"/>
      </xsd:sequence>
      <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
    </xsd:complexType>
    <xsd:complexType name="OCSPRefsType">
      <xsd:sequence>
        <xsd:element name="OCSPRef" type="OCSPRefType" maxOccurs="unbounded"/>
      </xsd:sequence>
    </xsd:complexType>
    <xsd:complexType name="OCSPRefType">
      <xsd:sequence>
        <xsd:element name="OCSPIdentifier" type="OCSPIdentifierType"/>
        <xsd:element name="DigestAlgAndValue" type="DigestAlgAndValueType" minOccurs="0"/>
      </xsd:sequence>
    </xsd:complexType>
    <xsd:complexType name="OCSPIdentifierType">
      <xsd:sequence>
        <xsd:element name="ResponderID" type="xsd:string"/>
        <xsd:element name="ProducedAt" type="xsd:dateTime"/>
      </xsd:sequence>
      <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
    </xsd:complexType>
    <xsd:complexType name="OtherCertStatusRefsType">
      <xsd:sequence>
        <xsd:element name="OtherRef" type="AnyType" maxOccurs="unbounded"/>
      </xsd:sequence>
    </xsd:complexType>

As the three allowed child elements of CompleteRevocationRefs show (CRLRefs, OCSPRefs, and OtherRefs), it can accommodate references to CRLs, to OCSP responses, and to other forms of revocation data. Each CRL or OCSP reference carries a digest of the referenced data (DigestAlgAndValue), so a verifier can later check that the revocation data it obtains, or that is supplied in a RevocationValues element, is the same data that was relied on when the reference was created.

12.4.4 The SigAndRefsTimeStamp Element

You use the SigAndRefsTimeStamp element to time stamp the signature together with the references to the certificates and revocation information used to validate it at a particular time: the time stamp covers the ds:SignatureValue, the SignatureTimeStamp elements, and the CompleteCertificateRefs and CompleteRevocationRefs elements. It protects against later compromise of the certificate chain or of a Certification Authority key. Including this element advances an XAdES-C to an XAdES-X. Its schema follows:

Schema Definition:

    <xsd:element name="SigAndRefsTimeStamp" type="TimeStampType"/>

12.4.5 The RefsOnlyTimeStamp Element

The RefsOnlyTimeStamp element is the alternative to SigAndRefsTimeStamp: it time stamps only the CompleteCertificateRefs and CompleteRevocationRefs elements, not the signature value itself. Because an ETSI advanced signature in the XAdES-C form carries references to the certificates and revocation information rather than the data itself, fixing those references in time is what matters, and including either element advances an XAdES-C to an XAdES-X. Its schema follows:

Schema Definition:

    <xsd:element name="RefsOnlyTimeStamp" type="TimeStampType"/>

12.4.6 The CertificateValues Property Element

You use the CertificateValues element to collect the certificates used to validate the signature, from some trusted point down to, but not necessarily including, the signer's certificate, which is normally already present in ds:KeyInfo. This element is included in the XAdES-X-L long-term signature format; that format requires all information used in signature verification to be carried in the signature itself. There is no need to sign this element, because each certificate carries its own signature covering all of its relevant data, and the references in CompleteCertificateRefs identify which certificates they must be.
The schema for the CertificateValues element follows:

    <!-- Start CertificateValues -->
    <xsd:element name="CertificateValues" type="CertificateValuesType"/>
    <xsd:complexType name="CertificateValuesType">
      <xsd:choice minOccurs="0" maxOccurs="unbounded">
        <xsd:element name="EncapsulatedX509Certificate" type="EncapsulatedPKIDataType"/>
        <xsd:element name="OtherCertificate" type="AnyType"/>
      </xsd:choice>
      <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
    </xsd:complexType>

12.4.7 The RevocationValues Property Element

Revocation information can include certificate revocation lists (CRLValues) and responses from an online certificate status server (OCSPValues). Additionally, the standard provides a placeholder for other revocation information (OtherValues) for future use. CRLValues consists of a sequence of at least one certificate revocation list; each EncapsulatedCRLValue contains the base-64 encoding of a DER-encoded X.509v2 CRL. OCSPValues consists of a sequence of at least one OCSP response; each EncapsulatedOCSPValue contains the base-64 encoding of a DER-encoded OCSP response. You must include the full revocation information in the XAdES-X-L ETSI advanced signature format using the RevocationValues element. Like CertificateValues, this element is unsigned: a verifier should check each supplied CRL or OCSP response against the corresponding digest in CompleteRevocationRefs and verify the CRL issuer's or OCSP responder's signature, rather than trusting the values because they travel inside the signature. The schema for the RevocationValues element follows.
    <!-- Start RevocationValues -->
    <xsd:element name="RevocationValues" type="RevocationValuesType"/>
    <xsd:complexType name="RevocationValuesType">
      <xsd:sequence>
        <xsd:element name="CRLValues" type="CRLValuesType" minOccurs="0"/>
        <xsd:element name="OCSPValues" type="OCSPValuesType" minOccurs="0"/>
        <xsd:element name="OtherValues" type="OtherRevocationValuesType" minOccurs="0"/>
      </xsd:sequence>
      <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
    </xsd:complexType>
    <xsd:complexType name="CRLValuesType">
      <xsd:sequence>
        <xsd:element name="EncapsulatedCRLValue" type="EncapsulatedPKIDataType" maxOccurs="unbounded"/>
      </xsd:sequence>
    </xsd:complexType>
    <xsd:complexType name="OCSPValuesType">
      <xsd:sequence>
        <xsd:element name="EncapsulatedOCSPValue" type="EncapsulatedPKIDataType" maxOccurs="unbounded"/>
      </xsd:sequence>
    </xsd:complexType>
    <xsd:complexType name="OtherRevocationValuesType">
      <xsd:sequence>
        <xsd:element name="ObjectIdentifier" type="ObjectIdentifierType"/>
        <xsd:element name="OtherValue" type="AnyType" maxOccurs="unbounded"/>
      </xsd:sequence>
    </xsd:complexType>
    <!-- End RevocationValues -->

12.4.8 The XAdESArchiveTimeStamp Element

You use the XAdESArchiveTimeStamp element to secure archival signatures. As time passes, old signatures become less reliable because of improvements in cryptanalysis, advances in brute-force computing power, and the possibility that a key has been compromised. To counter this, before the signature weakens too much you can use a time-stamping Trusted Service Provider (TSP) to obtain a strong time stamp proving that the signature, and all of the validation data collected with it, existed before the weakening. TSPs normally use stronger algorithms and keys than the original signature and, as time passes, provide ever stronger time stamps. Multiple archive time stamps can be obtained over time as necessary, each new one covering the earlier ones. Each XAdESArchiveTimeStamp must cover all of the following:
The schema follows:

Schema Definition:

    <xsd:element name="XAdESArchiveTimeStamp" type="TimeStampType"/>
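The progression described in Sections 12.4.1 through 12.4.8 (T, C, X, X-L, A) and the unsigned nature of CertificateValues and RevocationValues (Sections 12.4.6 and 12.4.7) are easiest to see from the verifier's side. The following Python is an added example, not code from the book or from ETSI: it classifies a signature's form from the unsigned signature properties that are actually present, and cross-checks each supplied CRL or OCSP response against the digests in CompleteRevocationRefs, which are what the XAdES-C references and the XAdES-X time stamp fix in time. The XAdES namespace URI, the sample signature fragment, and the CRL, OCSP and time-stamp byte strings are constructed for the demonstration and are not data from the page.

```python
"""Validator for the XAdES unsigned signature properties of Section 12.4.

Added example, not code from the book or from ETSI.  The namespace URI, the
sample signature and the fake CRL/OCSP/time-stamp bytes are constructed here
for the demonstration and are not data from the page."""
import base64
import hashlib
import xml.etree.ElementTree as ET

XADES = "http://uri.etsi.org/01903/v1.3.2#"   # assumed XAdES namespace
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xades": XADES, "ds": DS}
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1, SHA256: hashlib.sha256}

# Each form adds properties to the previous one.  -X accepts either time stamp;
# -A accepts the element name used in this section or the one in the ETSI schema.
FORM_MARKERS = [
    ("XAdES-T",   [{"SignatureTimeStamp"}]),
    ("XAdES-C",   [{"CompleteCertificateRefs", "CompleteRevocationRefs"}]),
    ("XAdES-X",   [{"SigAndRefsTimeStamp"}, {"RefsOnlyTimeStamp"}]),
    ("XAdES-X-L", [{"CertificateValues", "RevocationValues"}]),
    ("XAdES-A",   [{"XAdESArchiveTimeStamp"}, {"ArchiveTimeStamp"}]),
]


def xades_form(sig):
    """Return the highest form whose properties are all present, stopping at the
    first missing layer (values without references, for example, is still -T)."""
    usp = sig.find(".//xades:UnsignedSignatureProperties", NS)
    names = {c.tag.rsplit("}", 1)[-1] for c in usp} if usp is not None else set()
    form = "XAdES-BES/EPES"
    for label, alternatives in FORM_MARKERS:
        if not any(alt <= names for alt in alternatives):
            break
        form = label
    return form


def check_revocation_values(sig):
    """For every EncapsulatedCRLValue/EncapsulatedOCSPValue, report whether the
    digest of its DER content matches an entry in CompleteRevocationRefs.
    The values are unsigned; an unmatched value lies outside what the -C
    references and the -X time stamp fix in time and must not be relied on."""
    refs = set()
    crr = sig.find(".//xades:CompleteRevocationRefs", NS)
    for ref in (crr.iter(f"{{{XADES}}}DigestAlgAndValue") if crr is not None else []):
        alg = ref.find("ds:DigestMethod", NS).get("Algorithm")
        refs.add((alg, base64.b64decode(ref.find("ds:DigestValue", NS).text)))
    results = []
    rv = sig.find(".//xades:RevocationValues", NS)
    for tag in ("EncapsulatedCRLValue", "EncapsulatedOCSPValue"):
        for el in (rv.iter(f"{{{XADES}}}{tag}") if rv is not None else []):
            der = base64.b64decode(el.text)
            ok = any(DIGESTS[a](der).digest() == d for a, d in refs if a in DIGESTS)
            results.append((tag, ok))
    return results


FAKE_CRL = b"constructed bytes standing in for a DER-encoded CRL"
FAKE_OCSP = b"constructed bytes standing in for a DER-encoded OCSP response"


def b64(data):
    return base64.b64encode(data).decode()


def build_sample(include_values=True, tamper=False):
    """Constructed XAdES-X-L fragment (XAdES-X when include_values=False).
    With tamper=True the supplied CRL no longer matches its reference."""
    crl_ref = b64(hashlib.sha256(FAKE_CRL).digest())
    crl_val = b64(FAKE_CRL + (b"\x00" if tamper else b""))
    values = f"""
      <xades:CertificateValues>
        <xades:EncapsulatedX509Certificate>{b64(b'fake-ca-cert')}</xades:EncapsulatedX509Certificate>
      </xades:CertificateValues>
      <xades:RevocationValues>
        <xades:CRLValues><xades:EncapsulatedCRLValue>{crl_val}</xades:EncapsulatedCRLValue></xades:CRLValues>
        <xades:OCSPValues><xades:EncapsulatedOCSPValue>{b64(FAKE_OCSP)}</xades:EncapsulatedOCSPValue></xades:OCSPValues>
      </xades:RevocationValues>""" if include_values else ""
    return f"""<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}">
  <ds:SignatureValue>{b64(b'fake-signature')}</ds:SignatureValue>
  <ds:Object><xades:QualifyingProperties><xades:UnsignedProperties>
    <xades:UnsignedSignatureProperties>
      <xades:SignatureTimeStamp><xades:EncapsulatedTimeStamp>{b64(b'tst1')}</xades:EncapsulatedTimeStamp></xades:SignatureTimeStamp>
      <xades:CompleteCertificateRefs><xades:CertRefs/></xades:CompleteCertificateRefs>
      <xades:CompleteRevocationRefs><xades:CRLRefs><xades:CRLRef>
        <xades:DigestAlgAndValue>
          <ds:DigestMethod Algorithm="{SHA256}"/><ds:DigestValue>{crl_ref}</ds:DigestValue>
        </xades:DigestAlgAndValue>
      </xades:CRLRef></xades:CRLRefs></xades:CompleteRevocationRefs>
      <xades:SigAndRefsTimeStamp><xades:EncapsulatedTimeStamp>{b64(b'tst2')}</xades:EncapsulatedTimeStamp></xades:SigAndRefsTimeStamp>{values}
    </xades:UnsignedSignatureProperties>
  </xades:UnsignedProperties></xades:QualifyingProperties></ds:Object>
</ds:Signature>"""


def parse_sample(**kwargs):
    return ET.fromstring(build_sample(**kwargs))


if __name__ == "__main__":
    for kwargs in ({}, {"include_values": False}, {"tamper": True}):
        sig = parse_sample(**kwargs)
        print(kwargs or "complete", xades_form(sig), check_revocation_values(sig))
```

In the complete sample the CRL value matches its reference but the OCSP response has no reference at all, so the check reports it as unmatched: it arrived inside the signature, yet nothing time-stamped fixes which response it is. The tampered sample shows the same failure for a CRL that was swapped after the references were made. This only checks structural consistency; a real verifier must additionally verify every time-stamp token, the CRL issuer's and OCSP responder's signatures, and the certificate chain itself.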