M/460 -

The present document defines multiple profiles for PAdES digital signatures which are digital signatures embedded within a PDF file.
The present document contains a profile for the use of PDF signatures, as described in ISO 32000-2 [1] and based on CMS digital signatures [i.6], that enables greater interoperability for PDF signatures by providing additional restrictions beyond those of ISO 32000-2 [1]. This first profile is not related to ETSI EN 319 142-1 [4].
The present document also contains a second set of profiles that extend the scope of the profile in ETSI EN 319 142-1 [4], while keeping some features that enhance interoperability of PAdES signatures. These profiles define three levels of PAdES extended signatures addressing incremental requirements to maintain the validity of the
signatures over the long term, in a way that a certain level always addresses all the requirements addressed at levels that are below it. These PAdES extended signatures offer a higher degree of optionality than the PAdES baseline signatures specified in ETSI EN 319 142-1 [4]. The present document also defines a third profile for usage of an arbitrary XML document signed with XAdES signatures that is embedded within a PDF file. The profiles defined in the present document provide equivalent requirements to profiles found in ETSI TS 102 778 [i.10]. Procedures for creation, augmentation, and validation of PAdES digital signatures are out of scope and specified in ETSI EN 319 102-1 [i.11]. Guidance on creation, augmentation and validation of PAdES digital signatures including the usage of the different attributes is provided in ETSI TR 119 100 [i.9]. The present document does not repeat the base requirements of the referenced standards, but instead aims to maximize interoperability of digital signatures in various business areas.

REN/ESI-0019411-1v151

The present document specifies generally applicable policy and security requirements for Trust Service Providers
(TSPs) issuing public key certificates, including trusted web site certificates.
The policy and security requirements are defined in terms of requirements for the issuance, maintenance and life-cycle
management of certificates. These policy and security requirements support several reference certificate policies,
defined in clauses 4 and 5.
A framework for the definition of policy requirements for TSPs issuing certificates in a specific context where
particular requirements apply is defined in clause 7.
The present document covers requirements for CA hierarchies, however this is limited to supporting the policies as
specified in the present document. It does not include requirements for root CAs and intermediate CAs for other
purposes.
The present document is applicable to:
• the general requirements of certification in support of cryptographic mechanisms, including digital signatures
for electronic signatures and seals;
• the general requirements of certification authorities issuing TLS/SSL certificates;
• the general requirements of the use of cryptography for authentication and encryption.
The present document does not specify how the requirements identified can be assessed by an independent party,
including requirements for information to be made available to such independent assessors, or requirements on such
assessors.
NOTE: See ETSI EN 319 403 [i.2] for guidance on assessment of TSP's processes and services. The present
document references ETSI EN 319 401 [9] for general policy requirements common to all classes of
TSP's services.
The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4]
and BRG [6].

The present document specifies CAdES digital signatures. CAdES signatures are built on CMS signatures [7], by
incorporation of signed and unsigned attributes, which fulfil certain common requirements (such as the long term
validity of digital signatures, for instance) in a number of use cases.
The present document specifies the ASN.1 definitions for the aforementioned attributes as well as their usage when
incorporating them to CAdES signatures.
The present document specifies formats for CAdES baseline signatures, which provide the basic features necessary for a
wide range of business and governmental use cases for electronic procedures and communications to be applicable to a
wide range of communities when there is a clear need for interoperability of digital signatures used in electronic
documents.
The present document defines four levels of CAdES baseline signatures addressing incremental requirements to
maintain the validity of the signatures over the long term, in a way that a certain level always addresses all the
requirements addressed at levels that are below it. Each level requires the presence of certain CAdES attributes, suitably
profiled for reducing the optionality as much as possible.
Procedures for creation, augmentation and validation of CAdES digital signatures are out of scope and specified in
ETSI EN 319 102-1 [i.5]. Guidance on creation, augmentation and validation of CAdES digital signatures including the
usage of the different properties defined in the present document is provided in ETSI TR 119 100 [i.4].
The present document aims at supporting digital signatures in different regulatory frameworks.
NOTE: Specifically, but not exclusively, CAdES digital signatures specified in the present document aim at
supporting electronic signatures, advanced electronic signatures, qualified electronic signatures,
electronic seals, advanced electronic seals, and qualified electronic seals as per Regulation (EU)
No 910/2014 [i.13].

The present document specifies policy and security requirements relating to the operation and management practices of
TSPs issuing time-stamps.
These policy requirements are applicable to TSPs issuing time-stamps. Such time-stamps can be used in support of
digital signatures or for any application requiring to prove that a datum existed before a particular time.
The present document can be used by independent bodies as the basis for confirming that a TSP can be trusted for
issuing time-stamps.
The present document does not specify protocols used to access the TSUs.
NOTE 1: A time-stamping protocol is defined in IETF RFC 3161 [i.2] including optional update in IETF
RFC 5816 [i.3] and profiled in ETSI EN 319 422 [5].
The present document does not specify how the requirements identified can be assessed by an independent party,
including requirements for information to be made available to such independent assessors, or requirements on such
assessors.
NOTE 2: See ETSI EN 319 403-1 [i.9] for guidance on assessment of TSP's processes and services.
NOTE 3: The present document references ETSI EN 319 401 [4] for general policy requirements common to all
classes of TSP's services.

The present document specifies XAdES digital signatures. XAdES signatures build on XML digital signatures [1], by
incorporation of signed and unsigned qualifying properties, which fulfil certain common requirements (such as the long
term validity of digital signatures, for instance) in a number of use cases.
The present document specifies XML Schema definitions for the aforementioned qualifying properties as well as
mechanisms for incorporating them into XAdES signatures.
The present document specifies formats for XAdES baseline signatures, which provide the basic features necessary for
a wide range of business and governmental use cases for electronic procedures and communications to be applicable to
a wide range of communities when there is a clear need for interoperability of digital signatures used in electronic
documents.
The present document defines four levels of XAdES baseline signatures addressing incremental requirements to
maintain the validity of the signatures over the long term, in a way that a certain level always addresses all the
requirements addressed at levels that are below it. Each level requires the presence of certain XAdES qualifying
properties, suitably profiled for reducing the optionality as much as possible.
Procedures for creation, augmentation, and validation of XAdES digital signatures are out of scope and specified in
ETSI EN 319 102-1 [i.6]. Guidance on creation, augmentation and validation of XAdES digital signatures including the
usage of the different properties defined in the present document is provided in ETSI TR 119 100 [i.11].
The present document aims at supporting electronic signatures in different regulatory frameworks.
NOTE: Specifically but not exclusively, XAdES digital signatures specified in the present document aim at
supporting electronic signatures, advanced electronic signatures, qualified electronic signatures,
electronic seals, advanced electronic seals, and qualified electronic seals as per Regulation (EU)
No 910/2014 [i.1].

The present document specifies a certificate profile for web site certificates that are accessed by the TLS protocol [i.1].
The profile defined in the present document builds on the CA/Browser Forum Baseline requirements [2], Extended
validation guidelines [3] and other parts of the present multipart deliverable.
The present document focuses on requirements on certificate content. Requirements on decoding and processing rules
are limited to aspects required to process certificate content defined in the present document. Further processing
requirements are only specified for cases where it adds information that is necessary for the sake of interoperability.
This profile can be used for legal and natural persons. For certificates issued to legal persons, the profile builds on the
CAB Forum EV Profile [3] or baseline requirements [2]. For certificates issued to natural persons, the profile builds
only on CAB Forum baseline requirements [2].

The present document specifies procedures for:
• the creation of AdES digital signatures (specified in ETSI EN 319 122-1 [i.2], ETSI EN 319 132-1 [i.4], ETSI
EN 319 142-1 [i.6] respectively);
• establishing whether an AdES digital signature is technically valid;
whenever the AdES digital signature is based on public key cryptography and supported by Public Key Certificates
(PKCs). To improve readability of the present document, AdES digital signatures are meant when the term signature is
being used.
NOTE 1: Regulation (EU) No 910/2014 [i.15] defines the terms electronic signature, advanced electronic signature,
electronic seals and advanced electronic seal. These signatures and seals are usually created using digital
signature technology. The present document aims at supporting the Regulation (EU) No 910/2014 [i.15]
for creation and validation of advanced electronic signatures and seals when they are implemented as
AdES digital signatures.
The present document introduces general principles, objects and functions relevant when creating or validating
signatures based on signature creation and validation constraints and defines general classes of signatures that allow for
verifiability over long periods.
The following aspects are considered to be out of scope:
• generation and distribution of Signature Creation Data (keys, etc.), and the selection and use of cryptographic
algorithms;
• format, syntax or encoding of data objects involved, specifically format or encoding for documents to be
signed or signatures created; and
• the legal interpretation of any signature, especially the legal validity of a signature.
NOTE 2: The signature creation and validation procedures specified in the present document provide several
options and possibilities. The selection of these options is driven by a signature creation policy, a
signature augmentation policy or a signature validation policy respectively. Note that legal requirements
can be provided through specific policies, e.g. in the context of qualified electronic signatures as defined
in the Regulation (EU) 910/2014 [i.15].

The present document specifies CAdES digital signatures. CAdES signatures are built on CMS signatures [7], by incorporation of signed and unsigned attributes, which fulfil certain common requirements (such as the long term validity of digital signatures, for instance) in a number of use cases. The present document specifies the ASN.1 definitions for the aforementioned attributes as well as their usage when incorporating them to CAdES signatures. The present document specifies formats for CAdES baseline signatures, which provide the basic features necessary for a wide range of business and governmental use cases for electronic procedures and communications to be applicable to a wide range of communities when there is a clear need for interoperability of digital signatures used in electronic documents. The present document defines four levels of CAdES baseline signatures addressing incremental requirements to maintain the validity of the signatures over the long term, in a way that a certain level always addresses all the requirements addressed at levels that are below it. Each level requires the presence of certain CAdES attributes, suitably profiled for reducing the optionality as much as possible. Procedures for creation, augmentation and validation of CAdES digital signatures are out of scope and specified in ETSI EN 319 102-1 [i.5]. Guidance on creation, augmentation and validation of CAdES digital signatures including the usage of the different properties defined in the present document is provided in ETSI TR 119 100 [i.4]. The present document aims at supporting digital signatures in different regulatory frameworks. NOTE: Specifically, but not exclusively, CAdES digital signatures specified in the present document aim at supporting electronic signatures, advanced electronic signatures, qualified electronic signatures, electronic seals, advanced electronic seals, and qualified electronic seals as per Regulation (EU) No 910/2014 [i.13].

The present document specifies generally applicable policy and security requirements for Trust Service Providers
(TSPs) issuing public key certificates, including trusted web site certificates.
The policy and security requirements are defined in terms of requirements for the issuance, maintenance and life-cycle
management of certificates. These policy and security requirements support several reference certificate policies,
defined in clauses 4 and 5.
A framework for the definition of policy requirements for TSPs issuing certificates in a specific context where
particular requirements apply is defined in clause 7.
The present document covers requirements for CA hierarchies, however this is limited to supporting the policies as
specified in the present document. It does not include requirements for root CAs and intermediate CAs for other
purposes.
The present document is applicable to:
• the general requirements of certification in support of cryptographic mechanisms, including digital signatures
for electronic signatures and seals;
• the general requirements of certification authorities issuing TLS/SSL certificates;
• the general requirements of the use of cryptography for authentication and encryption.
The present document does not specify how the requirements identified can be assessed by an independent party,
including requirements for information to be made available to such independent assessors, or requirements on such
assessors.
NOTE: See ETSI EN 319 403 [i.2] for guidance on assessment of TSP's processes and services. The present
document references ETSI EN 319 401 [8] for general policy requirements common to all classes of
TSP's services.
The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4]
and BRG [5].

The present document specifies general policy requirements relating to Trust Service Providers (TSPs) that are
independent of the type of TSP. It defines policy requirements on the operation and management practices of TSPs.
Other specifications refine and extend these requirements as applicable to particular forms of TSP. The present
document does not specify how the requirements identified can be assessed by an independent party, including
requirements for information to be made available to such independent assessors, or requirements on such assessors.
NOTE: See ETSI EN 319 403 [i.6] for details about requirements for conformity assessment bodies assessing
Trust Service Providers.

The present document specifies requirements on the content of certificates issued to natural persons. This profile builds
on IETF RFC 5280 [1] for generic profiling of Recommendation ITU-T X.509 | ISO/IEC 9594-8 [i.3].
This profile supports the requirements of EU Qualified Certificates as specified in the Regulation (EU)
No 910/2014 [i.5] as well as other forms of certificate. The scope of the present document is primary limited to
facilitate interoperable processing and display of certificate information. This profile therefore excludes support for
some certificate information content options, which can be perfectly valid in a local context but which are not regarded
as relevant or suitable for use in widely deployed applications.
The present document focuses on requirements on certificate content. Requirements on decoding and processing rules
are limited to aspects required to process certificate content defined in the present document. Further processing
requirements are only specified for cases where it adds information that is necessary for the sake of interoperability.
Certain applications or protocols impose specific requirements on certificate content. The present document is based on
the assumption that these requirements are adequately defined by the respective application or protocol. It is therefore
outside the scope of the present document to specify such application or protocol specific certificate content.

The present document provides an overview of the Recommendation ITU-T X.509 | ISO/IEC 9594-8 [i.3] based certificate profiles and the statements for EU Qualified Certificates specified in other parts of ETSI EN 319 412 ([i.4] to [i.7]). It specifies common data structures that are referenced from other parts of ETSI EN 319 412 ([i.4] to [i.7]).
The profiles specified in this multi-part deliverable aim to support both the Regulation (EU) No 910/2014 [i.9] and use of certificates in a wider international context. Within the European context, it aims to support both EU Qualified Certificates and other forms of certificate.

The present document specifies a certificate profile for certificates issued to legal persons. The profile defined in the
present document builds on requirements defined in ETSI EN 319 412-2 [2].
The present document supports the requirements of EU qualified certificates as specified in the Regulation (EU)
No 910/2014 [i.3] as well as other forms of certificate.

The present document contains requirements for the competence, consistent operation and impartiality of conformity
assessment bodies assessing and certifying the conformity of Trust Service Providers (TSPs) and the trust services they
provide towards defined criteria against which they claim conformance.
NOTE 1: Those requirements are independent of the type and class of trust service provided.
The present document also contains requirements for the conformity assessment of trust services component services,
which later forms part of a separate conformity assessment of a TSP.
NOTE 2: This enables a provider of such component services, which are used as part of the service provided by
several TSPs, to avoid having to be assessed several times, or even for a TSP to provide a service based
just on a component service or collection of components whether or not they are recognized as a trust
service under Regulation (EU) No 910/2014 [i.1].
The present document applies the general requirements of ISO/IEC 17065 [1] to the specific requirements of
conformity assessment of TSPs.
The present document is part 1 of a multi-part deliverable. Other parts include:
• ETSI TS 119 403-2 [i.14]: "Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity
Assessment; Part 2: Additional requirements for Conformity Assessment Bodies auditing Trust Service
Providers that issue Publicly-Trusted Certificates".
• ETSI TS 119 403-3 [i.15]: "Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity
Assessment; Part 3: Additional requirements for conformity assessment bodies assessing EU qualified trust
service providers".

The present document defines specific QCStatement for the qcStatements extension as defined in IETF
RFC 3739 [2], clause 3.2.6, including requirements for their use in EU qualified certificates. Some of these
QCStatements can be used for other forms of certificate.
The QCStatements defined in the present document can be used in combination with any certificate profile, either
defined in ETSI EN 319 412-2 [i.2], ETSI EN 319 412-3 [i.5] and ETSI EN 319 412-4 [i.6], or defined elsewhere.
The QCStatements defined in clause 4.3 may be applied to regulatory environments outside the EU. Other
requirements specified in clause 4 are specific to Regulation (EU) No 910/2014 [i.8] but may be adapted for other
regulatory environments.

REN/ESI-0019412-5v231

RTS/ESI-0019412-1v140

RTS/ESI-0019412-1v131

DTR/ESI-0019500

RTS/ESI-0019312v131

RTS/ESI-0019102-2v121

RTS/ESI-0019312v122

RTS/ESI-0019102-1-TSversion

Define a structure for a signature validation report.

RTS/ESI-0019412-1v121

The present document specifies general policy requirements relating to trust service providers (TSPs) that are
independent of the type of TSP. It defines policy requirements on the operation and management practices of TSPs.
Other specifications refine and extend these requirements as applicable to particular forms of TSP. The present
document does not specify how the requirements identified can be assessed by an independent party, including
requirements for information to be made available to such independent assessors, or requirements on such assessors.
NOTE: See ETSI EN 319 403 [i.6]: "Electronic Signatures and Infrastructures (ESI); Requirements for
conformity assessment bodies assessing Trust Service Providers".

The present document specifies generally applicable policy and security requirements for Trust Service Providers (TSP)
issuing public key certificates, including trusted web site certificates.
The policy and security requirements are defined in terms of requirements for the issuance, maintenance and life-cycle
management of certificates. These policy and security requirements support several reference certificate policies,
defined in clauses 4 and 5.
A framework for the definition of policy requirements for TSPs issuing certificates in a specific context where
particular requirements apply is defined in clause 7.
The present document covers requirements for CA hierarchies, however this is limited to supporting the policies as
specified in the present document. It does not include requirements for root CAs and intermediate CAs for other
purposes.
The present document is applicable to:
• the general requirements of certification in support of cryptographic mechanisms, including digital signatures
for electronic signatures and seals;
• the general requirements of certification authorities issuing TLS/SSL certificates;
• the general requirements of the use of cryptography for authentication and encryption.
The present document does not specify how the requirements identified can be assessed by an independent party,
including requirements for information to be made available to such independent assessors, or requirements on such
assessors.
NOTE: See ETSI EN 319 403 [i.2] for guidance on assessment of TSP's processes and services. The present
document references ETSI EN 319 401 [8] for general policy requirements common to all classes of
TSP's services.
The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4]
and BRG [5].

The present document specifies policy and security requirements for the issuance, maintenance and life-cycle
management of EU qualified certificates as defined in Regulation (EU) No 910/2014 [i.1]. These policy and security
requirements support reference certificate policies for the issuance, maintenance and life-cycle management of EU
qualified certificates issued to natural persons (including natural persons associated with a legal person or a website)
and to legal persons (including legal persons associated with a website), respectively.
The present document does not specify how the requirements identified can be assessed by an independent party,
including requirements for information to be made available to such independent assessors, or requirements on such
assessors.
NOTE: See ETSI EN 319 403 [i.6] for guidance on assessment of TSP's processes and services. The present
document references ETSI EN 319 411-1 [2] for general requirements on TSP issuing certificates.

REN/ESI-0019401v221

REN/ESI-0019411-1v121

REN/ESI-0019411-2v221

The present document defines specific QCStatement for the qcStatements extension as defined in IETF
RFC 3739 [2], clause 3.2.6, including requirements for their use in EU qualified certificates. Some of these
QCStatements can be used for other forms of certificate.
The QCStatements defined in the present document can be used in combination with any certificate profile, either
defined in ETSI EN 319 412-2 [i.2], ETSI EN 319 412-3 [i.5] and ETSI EN 319 412-4 [i.6], or defined elsewhere.
The QCStatements defined in clause 4.3 may be applied to regulatory environments outside the EU. Other
requirements specified in clause 4 are specific to Regulation (EU) No 910/2014 [i.8] but may be adapted for other
regulatory environments.

REN/ESI-0019412-5v221

RTS/ESI-0019312v121

RSR/ESI-0019020v112

This multi-part deliverable provides technical specifications for helping implementers and accelerating the development of ASiC containers creation and validation applications. The test results may also be used in conformity assessment for signature creation and validation applications (EN 19 103) with policies requiring conformity to ASiC formats and procedures. First, it will define test suites as complete as possible for supporting the organization of interoperability testing events where different ASiC related applications may check their actual interoperability. Additionally, it will include the specifications required for building software tools for actually testing technical compliance of ASiC against the relevant ASiC related technical specifications. This part 3 will be used by entities interested in testing tools that generate and verify ASiC that claim to be compliant with the ASiC Baseline Profile as specified in EN 19 162.

This multi-part deliverable provides technical specifications for helping implementers and accelerating the development of ASiC containers creation and validation applications. The test results may also be used in conformity assessment for signature creation and validation applications (EN 19 103) with policies requiring conformity to ASiC formats and procedures. First, it will define test suites as complete as possible for supporting the organization of interoperability testing events where different ASiC related applications may check their actual interoperability. Additionally, it will include the specifications required for building software tools for actually testing technical compliance of ASiC against the relevant ASiC related technical specifications. This part 1 provides an overview of the series.

RTS/ESI-0019164-2

This multi-part deliverable provides technical specifications for helping implementers and accelerating the development of ASiC containers creation and validation applications. The test results may also be used in conformity assessment for signature creation and validation applications (EN 19 103) with policies requiring conformity to ASiC formats and procedures. First, it will define test suites as complete as possible for supporting the organization of interoperability testing events where different ASiC related applications may check their actual interoperability. Additionally, it will include the specifications required for building software tools for actually testing technical compliance of ASiC against the relevant ASiC related technical specifications. This part 4 will specify, among other things, rules for testing compliance of signatures against the ASiC specification. It will allow developing a tool that can automatically check that generated ASiC are fully compliant with the relevant aforementioned specifications, without any statement on their validity.

This multi-part deliverable provides technical specifications for helping implementers and accelerating the development of ASiC containers creation and validation applications. The test results may also be used in conformity assessment for signature creation and validation applications (EN 19 103) with policies requiring conformity to ASiC formats and procedures. First, it will define test suites as complete as possible for supporting the organization of interoperability testing events where different ASiC related applications may check their actual interoperability. Additionally, it will include the specifications required for building software tools for actually testing technical compliance of ASiC against the relevant ASiC related technical specifications. This part 5 will specify, among other things, rules for testing compliance of signatures against the ASiC Baseline specification. It will allow developing a tool that can automatically check that Baseline ASiC are fully compliant with the relevant aforementioned specifications, without claiming any statement on their validity.

DTS/ESI-0019614-1

DTS/ESI-0019124-5

DTS/ESI-0019124-2

RTS/ESI-0019134-5

DTR/ESI-0019124-1

DTS/ESI-0019134-3

This multi-part deliverable provides technical specifications for helping  implementers and accelerating the development of PAdES signature creation and validation applications. The test results may also be used in conformity assessment for signature creation and validation applications (EN 19 103) with policies requiring conformity to PAdES formats and procedures. First, it will define test suites as completely as possible for supporting the organization of interoperability testing events where different PAdES related applications may check their actual interoperability. Additionally, it will include the specifications required for building up software tools for actually testing technical compliance of PAdES signatures against the relevant PAdES related technical specifications. This part 4 will specify, among other things, rules for testing compliance of signatures against the PAdES specification. It will allow developing a tool that can automatically check that generated PAdES signatures are fully compliant with EN 319 142, without any statement on their validity.

DTS/ESI-0019124-3

This multi-part deliverable provides technical specifications for helping  implementers and accelerating the development of PAdES signature creation and validation applications. The test results may also be used in conformity assessment for signature creation and validation applications (EN 19 103) with policies requiring conformity to PAdES formats and procedures. First, it will define test suites as completely as possible for supporting the organization of interoperability testing events where different PAdES related applications may check their actual interoperability. Additionally, it will include the specifications required for building up software tools for actually testing technical compliance of PAdES signatures against the relevant PAdES related technical specifications. This part 3 will be used by entities interested in testing tools that generate and verify PAdES signatures that claim to be compliant with the PAdES Baseline Profile as specified in EN 19 142.