12.4 Validation Data Syntax

This section describes additional elements that you can add to an XAdES to produce higher levels of trusted signatures.

12.4.1 The SignatureTimeStamp Element

A SignatureTimeStamp is a time stamp over the signature to prove that it existed before the stamped time. The intention is to show that the signature existed and was valid when dependence was made on it even if any keys involved in the signature are later revoked. This element may be applied to an XAdES to produce an XAdES-T or to an existing XAdES-T to produce a new XAdES-T that contains multiple time stamps. Its schema follows:

 Schema Definition: <xsd:element name="SignatureTimeStamp"              type="TimeStampType"/> 

12.4.2 The CompleteCertificateRefs Element

A long-term signature needs to have its validation data conveniently accessible, including the following items:

  • References to the complete certificate chain involved, or the certificates themselves.

  • References to the complete set of revocation information, or the revocation information itself, needed to prove the signature valid at the time dependence was made on the signature. These data can include certificate revocation lists (CRL) and Online Certificate Status Protocol (OCSP) tokens.

If the validation data includes all references, it converts an XAdES-T into an XAdES-C. The CompleteCertificateRefs element described here contains the Certificate references, and the CompleteRevocationRefs element (see Section 12.4.3) includes the revocation information.

If you include the certificates and revocation data directly rather than through reference, it converts an XAdES-T or XAdES-C into an XAdES-A suitable for archival storage. You can include full certificates through the CertificateValues element (see Section 12.4.6); you can include full revocation data through the RevocationValues element (see Section 12.4.7).

The schema for CompleteCertificateRefs follows:

 <!-- Start CompleteCertificateRefs --> <xsd:element name="CompleteCertificateRefs"              type="CompleteCertificateRefsType"> <xsd:complexType name="CompleteCertificateRefsType">   <xsd:sequence>     <xsd:element name="CertRefs" type="CertIDListType" />   </xsd:sequence>   <xsd:attribute name="ID" type="xsd:ID" use="optional"/> </xsd:complexType> 

12.4.3 The CompleteRevocationRefs Element

You include the CompleteRevocationRefs element in an XAdES-C as described in Section 12.4.2. Its schema follows:

 <!-- Start CompleteRevocationRefs --> <xsd:element name="CompleteRevocationRefs"              type="CompleteRevocationRefsType"/> <xsd:complexType name="CompleteRevocationRefsType">   <xsd:sequence>     <xsd:element name="CRLRefs"                  type="CRLRefsType"                  minOccurs="0"/>     <xsd:element name="OCSPRefs"                  type="OCSPRefsType"                  minOccurs="0"/>     <xsd:element name="OtherRefs"                  type="OtherCertStatusRefsType"                  minOccurs="0"/>   </xsd:sequence>   <xsd:attribute name="Id" type="xsd:ID" use="optional"/> </xsd:complexType> <xsd:complexType name="CRLRefsType">   <xsd:sequence>     <xsd:element name="CRLRef"                  type="CRLRefType"              maxOccurs="unbounded"/>   </xsd:sequence> </xsd:complexType> <xsd:complexType name="CRLRefType">   <xsd:sequence>     <xsd:element name="DigestAlgAndValue"                  type="DigestAlgAndValueType"/>     <xsd:element name="CRLIdentifier"                  type="CRLIdentifierType"                  minOccurs="0"/>   </xsd:sequence> </xsd:complexType> <xsd:complexType name="CRLIdentifierType">   <xsd:sequence>     <xsd:element name="Issuer" type="xsd:string"/>     <xsd:element name="IssueTime" type="xsd:dateTime" />     <xsd:element name="Number" type="xsd:"integer"                  minOccurs="0"/>   </xsd:sequence>   <xsd:attribute name="URI" type="xsd:anyUri"/>                  use="optional"/> </xsd:complexType> <xsd:complexType name="OCSPRefsType">   <xsd:sequence>     <xsd:element name="OCSPRef"                  type="OCSPRefType"                  maxOccurs="unbounded"/>   </xsd:sequence> </xsd:complexType> <xsd:complexType name="OCSPRefType">   <xsd:sequence>     <xsd:element name="OCSPIdentifier"                  type="OCSPIdentifierType"/>     <xsd:element name="DigestAlgAndValue"                  type="DigestAlgAndValueType"                  minOccurs="0"/>   </xsd:sequence> </xsd:complexType> <xsd:complexType name="OCSPIdentifierType">   <xsd:sequence>     <xsd:element name="ResponderID" type="xsd:string"/>     <xsd:element name="ProducedAt" type="xsd:dateTime"/>   </xsd:sequence>   <xsd:attribute name="URI" type="xsd:anyUri"                  use="optional" /> </xsd:complexType> <xsd:complexType name="OtherCertStatusRefsType">   <xsd:sequence>     <xsd:element name="OtherRef" type="AnyType"              maxOccurs="unbounded"/>   </xsd:sequence> </xsd:complexType> 

As you can see by the three allowed contents of the CrlOcspRef element, it can accommodate references to CRLs, OCSP responses, and other forms of revocation data.

12.4.4 The SigAndRefsTimeStamp Element

You use the SigAndRefsTimeStamp element to time stamp the certificates and revocation information used to validate a signature at a particular time. It protects against later compromise of the certificate chain or Certification Authority key. Including this element advances an XAdES-C to an XAdES-X. Its schema follows:

 Schema Definition: <xsd:element name="SigAndRefsTimeStamp"              type="TimeStampType"/> 

12.4.5 The RefsOnlyTimeStamp Element

If an ETSI advanced signature does not contain the complete certificates and revocation information, but rather references to them, then you can include the RefsOnlyTimeStamp element to advance an XAdES-C to an XAdES-X. Its schema follows:

 Schema Definition: <xsd:element name="RefsOnlyTimeStamp"              type="TimeStampType"/> 

12.4.6 The CertificateValues Property Element

You use the CertificateValues element to collect all certificates starting from some trusted point down to, but not including, the signer's certificate. This element is included in the XAdES-XL long-term signature format; that format requires all information used in signature verification. There is no reason to sign this element because the certificates contain their own signature covering all relevant data. The schema for the CertificateValues element follows:

 <!-- Start CertificateValues --> <xsd:element name="CertificateValues"              type="CertificateValuesType"/> <xsd:complexType name="CertificateValuesType">   <xsd:choice minOccurs="0" maxOccurs="unbounded">     <xsd:element name="EncapsulatedX509Certificate"                  type="EncapsulatedPKIDataType"     <xsd:element name="OtherCertificate" type="AnyType"   </xsd:choice>   <xsd:attribute name="Id" type="xsd:ID<II>"</II>" use="optional"/> </xsd:complexType> 

12.4.7 The RevocationValues Property Element

Revocation information can include certificate revocation lists (CRLValues) and responses from an online certificate status server (OCSPValues). Additionally, the standard provides a placeholder for other revocation information (OtherValues) for future use.

Certificate revocation lists (CRLValues) consist of a sequence containing at least one certificate revocation list. Each EncapsulatedCRLValue contains a DER-encoded X.509v2 CRL encoded in base-64.

OCSP Responses (OCSPValues) consist of a sequence containing at least one OCSP Response. The EncapsulatedOCSPValue element contains the base-64 encoding of a DER-encoded OCSP Response.

You must include the full revocation information in the XAdES-XL ETSI advanced signature format using the RevocationValues element. The schema for the RevocationValues element follows.

 <!-- Start RevocationValues --> <xsd:element name="RevocationValues"              type="RevocationValuesType"/> <complexType name="RevocationValuesType">   <xsd:sequence>     <xsd:element name="CRLValues" type="CRLValuesType"                  minOccurs="0"/>     <xsd:element name="OCSPValues" type="OCSPValuesType"                  minOccurs="0"/>     <xsd:element name="OtherValues"                  type="OtherRevocationValuesType"                  minOccurs="0"/>   </xsd:sequence>   <xsd:attribute name="Id" type="xsd:ID"                  use="optional"/> </xsd:complexType> <xsd:complexType name="CRLValuesType">   <xsd:sequence>   <xsd:element name="EncapsulatedCRLValue"                type="EncapsulatedPKIDataType"                maxOccurs="unbounded"/>   </xsd:sequence> </xsd:complexType> <xsd:complexType name="OCSPValuesType">   <xsd:sequence>     <xsd:element name="EncapsulatedOCSPValue"                  type="EncapsulatedPKIDataType"                  maxOccurs="unbounded"/>   </xsd:sequence> </xsd:complexType> <xsd:complexType name="OtherRevocationValuesType">   <xsd:sequence>     <xsd:element name="ObjectIdentifer"                  type="ObjectIdentiferType"/>     <xsd:element name="OtherValue" type="AnyType"/>                  maxOccurs="unbounded"/>   </xsd:sequence> </xsd:complexType> <!-- End RevocationValues --> 

12.4.8 The XAdESArchiveTimestamp Element

You use the XAdESArchiveTimestamp element to secure archival signatures. As time passes, old signatures become less reliable due to improvements in cryptanalysis, advances in brute-force computing, and potential compromise. To improve this situation, before the signature weakens too much, you can use a Trusted Service Provider (TSP) to obtain a strong time stamp that will prove that the signature existed before the weakening. TSPs will normally use more secure algorithms/keys and, as time passes, will provide ever stronger signatures. Multiple TSP archival signatures can be obtained over time as necessary.

Each XAdESArchiveTimestamp must cover all of the following:

  • Required qualifying properties for an XAdES

  • SignatureTimestamp elements

  • The CompleteCertificateRefs element

  • The CompleteRevocationRefs element

  • The CertificateValues element (if it is located elsewhere, this information must be fetched and included)

  • The RevocationValues element (if it is located elsewhere, this information must be fetched and included)

  • The XAdESCCompleteTimestamp element, if present

  • The XAdESCRefOnlyTimestamp element, if present

  • Any previous XAdESArchiveTimeStamp elements

The schema follows:

 Schema Definition: <xsd:element name="XAdESArchiveTimeStamp"              type="TimeStampType"/> 


Some material in this chapter is reprinted from [XAdES] with permission. Such material is © ETSI 2002. Further use, redistribution, modification is strictly prohibited. ETSI standards are available from http://pda.etsi.org/pda/ and http://www.etsi.org/eds/.

Secure XML(c) The New Syntax for Signatures and Encryption
Secure XML: The New Syntax for Signatures and Encryption
ISBN: 0201756056
EAN: 2147483647
Year: 2005
Pages: 186

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net