ETSI's Electronic Signatures and Infrastructures Technical Committee has released a draft technical report, "XML Format for Signature Policies," as a Final Phase 3 deliverable. ETSI SEC is responsible for Electronic Signatures and Infrastructures standardization within ETSI (European Telecommunications Standards Institute); the ESI Working Group of ETSI SEC and Task Forces are acting in co-operation with CEN/ISSS within the ITCSB/EESSI work programme. The technical report "tries to accommodate the information for Signature Policies defined in ETSI TS 101 733 'Electronic Signature Formats' to XML syntax; the document is presented as the starting point of much more extensive work that should be done in a near future on this topic." Clause 8 of the report ('Syntax Overview for Signature Policy') "presents the XML schema definitions for Signature Policies; these definitions are based on the information specified in TS 101 733. Each clause contains a rationale introducing the schema definition, the definition itself, and additional textual explanations." ETSI is also in the process of producing a technical specification (ETSI TS 101 903: XML Advanced Electronic Signatures (XAdES)) that defines an XML format for electronic signatures compliant with the European Directive, as TS 101 733 does for ASN.1 syntax.
- TC Security - Electronic Signatures and Infrastructures (ESI). XML Format for Signature Policies. From: European Telecommunications Standards Institute. Prepared by the ETSI Technical Committee Security (SEC). ETSI Technical Report. Reference: ETSI TR 102 038, V1.1.1 (2002-04); DTR/SEC-004011. 26 pages.
- XML Advanced Electronic Signatures (XAdES). ETSI TS 101 903 V1.1.1 (2002-02) ETSI Technical Specification. Reference: ETSI TS 101 903, V1.1.1 (2002-02); DTS/SEC-004008. 70 pages. Normative Annex B presents the XML schema; Annex C contains the XML DTD.
XML Format for Signature Policies: Clause 8 ('Syntax Overview for Signature Policy') presents the XML schema definitions for Signature Policies; these definitions are based on the information specified in TS 101 733. Each clause contains a rationale introducing the schema definition, the definition itself and additional textual explanations. The author expresses the opinion that a "more mature document has to be produced by incorporating what RDF and P3P can offer... such a document will be the result of future work that will be made available in successive versions of the present report..."
Background, extracted from the ETSI TR 102 038 Introduction statement:
The European Directive on a community framework for Electronic Signatures defines an electronic signature as: 'data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication'. An electronic signature as defined in TS 101 733 'Electronic Signature Formats' is a form of advanced electronic signature as defined in the Directive.
ETSI TS 101 733 defines formats for electronic signatures that are compliant with the European Directive. Currently, the ETSI standard uses Abstract Syntax Notation 1 to define the structure of the electronic signature. The structure of the electronic signature defined in TS 101 733 is based on the structure defined in RFC 2630:'Cryptographic Message Syntax'. TS 101 733 satisfies the requirements made by the European Directive by defining new ASN.1 structures that can be added as parts of the fields 'signedAttrs' and 'unsignedAttrs'.
As a consequence of the growing importance of the use of XML on Internet, a standard for XML based digital signatures is currently being produced within W3C and IETF Working Group 'XML-Signature Core Syntax and Processing'. ETSI is in the process of producing a technical specification [ETSI TS 101 903: 'XML Advanced Electronic Signatures (XAdES)'] that defines a XML format for electronic signatures that are compliant with the European Directive, as TS 101 733 does for ASN.1 syntax. An electronic signature produced in accordance with that document provides evidence that can be processed to get confidence that some commitment has been explicitly endorsed under a Signature policy, at a given time, by a signer under an identifier, e.g., a name or a pseudonym, and optionally a role.
TS 101 733 also deals with the Signature Policy issue. Although the present document does not mandate any form of Signature Policy specification, it specifies an ASN.1 based syntax that may be used to define a structured Signature Policy in a way that machines can read and process. The present report deals with the specification of new XML elements able to contain the Signature Policy information specified in TS 101 733.
From the ETSI TR 102 038 document Scope statement:
The present document represents a very first version of a XML format for Signature Policies able to contain information on Signature Policies as specified by ETSI TS 101 733, 'Electronic Signature Formats'. The specifications given being so preliminary, a number of open issues for discussion and even definitions appear throughout the document. Successive versions will gradually improve the new XML types defined aligning them with current efforts in the XML arena (specially those in the RDF 'Resource Description Framework (RDF) Model and Syntax Specification' and 'Resource Description Framework (RDF) Schema Specification 1.0', P3P and 'A P3P Preference Exchange Language 1.0 (APPEL 1.0)', and Certification Practice Statements fields). The present document:
- Contains a mention to current efforts in the XML arena that are strongly related with the object of the present document, namely RDF, P3P and XML formats for CSP.
- Contains a short description of the approach taken for the production of the present document and the approach to be adopted in order to align its contents to the results of the aforementioned work in XML arena. This would likely imply that the final specification will be somehow different to the initial one.
- Contains a first specification for a XML format of a Signature Policy, mainly based on the contents of the ASN.1 structures defined in TS 101 733. However, a number of open issues to discuss and even explicit usage of XML types defined elsewhere (mainly in RDF and P3P), appear, signalling how the specifications will evolve to achieve a more tight alignment with current practices in XML world.
"Clause 2 shows the relevant references for the present document; Clause 4 mentions relevant related work being done at the time the present document has been produced, namely RDF and P3P; Clause 5 outlines the technical approach followed to produce the present document; Clause 6 presents the concepts of signature policy and signature validation policy; Clause 7 shows the namespace definitions for following XML schema definitions [The namespace URI is: http://uri.etsi.org/2038/v1.1.1]; Clause 8 shows the details of the XML schema definitions for the elements able to contain computer processable information of the signature policy. It also contains the rationale for each of the specified elements."
From the XAdES Scope statement: "The present document XML Advanced Electronic Signatures (XAdES) defines XML formats for advanced electronic signatures that remain valid over long periods, are compliant with the European Directive and incorporate additional useful information in common use cases. This includes evidence as to its validity even if the signer or verifying party later attempts to deny (repudiates) the validity of the signature. The present document is based on the use of public key cryptography to produce digital signatures, supported by public key certificates. The present document uses a signature policy, implicitly or explicitly referenced by the signer, as the basis for establishing the validity of an electronic signature. The present document uses time-stamps or trusted records (e.g., time-marks) to prove the validity of a signature long after the normal lifetime of critical elements of an electronic signature and to support non-repudiation. It also specifies the optional use of additional time-stamps to provide very long-term protection against key compromise or weakened algorithms..."
From the XAdES Introduction: "The present document is intended to cover electronic signatures for various types of transactions, including business transactions (e.g., purchase requisition, contract, and invoice applications). Thus the present document can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc... The present document defines XML formats for advanced electronic signatures that remain valid over long periods, are (1) Proposing [W3C] XML schema definitions for new XML types able to contain the information needed to fulfil the requirement of long term validity and those ones imposed by current use cases and the European Directive. These signatures will be built on XMLDSIG by addition of this information as specified in [W3C 'XML-Signature Syntax and Processing'], using the ds:Object XML element defined there; (2) Specifying the mechanisms used to produce the aforementioned addition of this qualifying information. The present document specifies two main types of properties: signed properties and unsigned properties. The first ones are additional data objects that are also secured by the signature produced by the signer on the ds:SignedInfo element, which implies that the signer has these data objects, computes a hash for all of them and generates the corresponding ds:Reference element. The unsigned properties are data objects added by the signer, by the verifier or by other parties after the production of the signature. They are not secured by the signature in the ds:Signature element (the one computed by the signer); however they can be actually signed by other parties (time-stamps, countersignatures, certificates and CRLs are also signed data objects).
The XML advanced electronic signatures defined in the present document will be built by incorporating to the XML signatures as defined in 'XML-Signature Syntax and Processing' one new ds:Object XML element containing the additional qualifying information..."
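The signed/unsigned distinction described in the XAdES Introduction above, shown as an added example that is not taken from the ETSI documents: a structural check that the signed properties block is actually covered by a ds:Reference in ds:SignedInfo, while the unsigned block is not. The XAdES namespace URI, the Id values and every value in the sample signature are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    # XAdES v1.1.1 namespace: an assumption, it is not given on this page.
    "xades": "http://uri.etsi.org/01903/v1.1.1#",
}
SP_REF = '<ds:Reference URI="#sp1"><ds:DigestValue>CONSTRUCTED</ds:DigestValue></ds:Reference>'

# Constructed skeleton; digest and signature values are placeholders.
SAMPLE = f"""<ds:Signature Id="sig1" xmlns:ds="{NS['ds']}" xmlns:xades="{NS['xades']}">
  <ds:SignedInfo>
    <ds:Reference URI="#doc"><ds:DigestValue>CONSTRUCTED</ds:DigestValue></ds:Reference>
    {SP_REF}
  </ds:SignedInfo>
  <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
  <ds:Object>
    <xades:QualifyingProperties Target="#sig1">
      <xades:SignedProperties Id="sp1">
        <xades:SignedSignatureProperties>
          <xades:SigningTime>2002-04-01T12:00:00Z</xades:SigningTime>
        </xades:SignedSignatureProperties>
      </xades:SignedProperties>
      <xades:UnsignedProperties Id="up1">
        <xades:UnsignedSignatureProperties><xades:SignatureTimeStamp/></xades:UnsignedSignatureProperties>
      </xades:UnsignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>"""
# Same signature with the ds:Reference to SignedProperties stripped out.
TAMPERED = SAMPLE.replace(SP_REF, "")


def property_coverage(xml_text):
    """Map each property block to whether a ds:Reference in ds:SignedInfo covers it.

    Structural check only: digests and the signature value are not verified here.
    For untrusted input, parse with a hardened XML parser instead.
    """
    sig = ET.fromstring(xml_text)
    refs = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    coverage = {}
    for block in sig.findall("ds:Object/xades:QualifyingProperties/*", NS):
        block_id = block.get("Id")
        name = block.tag.split("}", 1)[1]
        coverage[name] = block_id is not None and f"#{block_id}" in refs
    return coverage


if __name__ == "__main__":
    print(property_coverage(SAMPLE))
    print(property_coverage(TAMPERED))
```

A verifier that finds the signed properties block uncovered, as in the second sample, should not treat the signing time or policy reference inside it as protected by the signer's signature.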
ETSI (European Telecommunications Standards Institute) "is a not for profit organization whose mission is to produce the telecommunications standards that will be used for decades to come throughout Europe and beyond. It is officially recognized by the European Commission and the EFTA secretariat. ETSI unites 874 members from 54 countries inside and outside Europe, and represents administrations, network operators, manufacturers, service providers, research bodies and users. ETSI plays a major role in developing a wide range of standards and other technical documentation as Europe's contribution to world-wide standardization in telecommunications, broadcasting and information technology."
- European Telecommunications Standards Institute (ETSI)
- ETSI SEC (Security). ETSI SEC is the focal point for security standardization within ETSI.
- European Electronic Signature Standardization Initiative
- Electronic Signatures and Infrastructures Standardisation
- "XML Format for Signature Policies." ETSI TR 102 038, V1.1.1 (2002-04).
- "XML Advanced Electronic Signatures (XAdES)." ETSI TS 101 903, V1.1.1 (2002-02).
- See also: "XML Digital Signature (Signed XML - IETF/W3C)" - Main reference page.