ISO 14533-1:2022
(Main)Processes, data elements and documents in commerce, industry and administration — Long term signature — Part 1: Profiles for CMS Advanced Electronic Signatures (CAdES)
Processes, data elements and documents in commerce, industry and administration — Long term signature — Part 1: Profiles for CMS Advanced Electronic Signatures (CAdES)
This document specifies the elements, among those defined in CMS digital signatures and CAdES digital signatures that enable verification of a digital signature over a long period of time. It does not give new technical specifications about the digital signature itself, nor new restrictions of usage of the technical specifications about the digital signatures which have already existed. NOTE CAdES digital signature is the extended specification of Cryptographic message syntax (CMS), used widely.
Titre manque — Partie 1: Titre manque
General Information
Relations
Standards Content (Sample)
INTERNATIONAL ISO
STANDARD 14533-1
Third edition
2022-06
Processes, data elements and
documents in commerce, industry
and administration — Long term
signature —
Part 1:
Profiles for CMS Advanced Electronic
Signatures (CAdES)
Reference number
ISO 14533-1:2022(E)
© ISO 2022
---------------------- Page: 1 ----------------------
ISO 14533-1:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO 2022 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 14533-1:2022(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols . 4
5 Requirements . 4
6 Long term signature profiles .4
6.1 Defined profiles . 4
6.2 Representation of the required level . 5
6.3 Standard for setting the required level . 5
6.4 Action to take when an optional element is not implemented . 6
6.5 CAdES-T profile . 6
6.5.1 General . 6
6.5.2 Content information . 6
6.5.3 Signed data and Signer Info . 7
6.5.4 Signed attribute and unsigned attribute . 7
6.6 CAdES-A profile . 8
6.6.1 General . 8
6.6.2 Structure of the CAdES-A profile . 9
6.6.3 Additional unsigned attributes . 9
6.7 Time-stamp validation data . 10
Annex A (informative) Supplier’s declaration of conformity and its attachment .12
Annex B (normative) Structure of time-stamp token .17
Bibliography .19
iii
© ISO 2022 – All rights reserved
---------------------- Page: 3 ----------------------
ISO 14533-1:2022(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 154 Processes, data elements and
documents in commerce, industry and administration.
This third edition cancels and replaces the second edition (ISO 14533-1:2014), which has been
technically revised.
The main changes are as follows:
— Clause 6 and Annex B have been technically revised with the addition of a new archive time-stamp
format: archive-time-stamp-v3 (ATSv3) and an associated attribute ats-hash-index-v3 and with the
addition of other methods defined in ISO 14533-4:2019.
A list of all parts in the ISO 14533 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
iv
© ISO 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 14533-1:2022(E)
Introduction
The purpose of this document is to ensure the interoperability of implementations with respect
to long term signatures that make digital signatures verifiable for a long term. Long term signature
specifications referenced by each implementation cover Cryptographic Message Syntax (CMS) digital
signatures defined in IETF RFC 5652 extended in CAdES digital signatures developed by the European
Telecommunications Standards Institute (ETSI).
ETSI changes ‘CMS Advanced Electronic Signature’ to ‘CAdES Digital Signature’ from TS to EN. In this
document, CAdES is used also in line with the ETSI EN definition.
v
© ISO 2022 – All rights reserved
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 14533-1:2022(E)
Processes, data elements and documents in commerce,
industry and administration — Long term signature —
Part 1:
Profiles for CMS Advanced Electronic Signatures (CAdES)
1 Scope
This document specifies the elements, among those defined in CMS digital signatures and CAdES digital
signatures that enable verification of a digital signature over a long period of time.
It does not give new technical specifications about the digital signature itself, nor new restrictions of
usage of the technical specifications about the digital signatures which have already existed.
NOTE CAdES digital signature is the extended specification of Cryptographic message syntax (CMS), used
widely.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 14533-4, Processes, data elements and documents in commerce, industry and administration — Long
term signature profiles — Part 4: Attributes pointing to (external) proof of existence objects used in long
term signature formats (PoEAttributes)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
long term signature
signature that is made verifiable having the ability to maintain its validity status and to get a proof
of existence of the associated signed data for a long term by implementing measures to enable the
detection of illegal alterations of signature information, including the identification of signing time, the
subject of said signature, and validation data
3.2
profile
rule used to ensure interoperability, related to the optional elements of referenced specifications, the
range of values
3.3
required level
level of requirement for implementing each element constituting a profile (3.2)
1
© ISO 2022 – All rights reserved
---------------------- Page: 6 ----------------------
ISO 14533-1:2022(E)
3.4
cryptographic message syntax
CMS
syntax pertaining to the signature, digest, authentication, and encryption of a given message
Note 1 to entry: Cryptographic message syntax is defined in IETF RFC 5652.
3.5
CMS digital signature
CAdES digital signature
CAdES
digital signature for which the signer can be identified, and any illegal data alteration detected
Note 1 to entry: Note 1to entry: A digital signature is defined in IETF/RFC 5652 and ETSI/EN 319 122-1.
3.6
CAdES-T
CAdES with time
CAdES digital signature with information to ascertain signing time
EXAMPLE Signature time-stamp.
Note 1 to entry: A CAdES digital signature is defined in ETSI/EN 319 122-1.
3.7
CAdES-A
archival CAdES
CAdES digital signature with information that enables the detection of any illegal alterations of
information pertaining to the signature, including the subject of the signature and validation data
EXAMPLE Archive time-stamp.
Note 1 to entry: A CAdES digital signature is defined in ETSI/EN 319 122-1.
3.8
content information
data structure that defines the content in CMS
3.9
signed data
data structure in CMS or related data
3.10
signerinfo
data structure that defines the signature information for each signer or related data
3.11
signed attribute
signature information that is the subject of a signature
3.12
unsigned attribute
signature information that is not the subject of a signature
Note 1 to entry: The signature time-stamp and archive time-stamp are unsigned attributes.
3.13
validation data
certificate and revocation information used to validate a signature and time-stamp
2
© ISO 2022 – All rights reserved
---------------------- Page: 7 ----------------------
ISO 14533-1:2022(E)
3.14
time-stamping authority
TSA
trusted third party (3.19) commissioned to provide proof that certain data existed prior to a certain
point in time
3.15
time-stamp token
TST
data object that binds a representation of a datum to a particular time, thus establishing evidence that
the datum existed before that time
3.16
signature time-stamp
time-stamp affixed to a signature value in order to identify the time when the signature existed
3.17
archive time-stamp
time-stamp affixed to information pertaining to a signature, including the subject of the signature and
validation data (3.13), in order to enable the detection of any illegal alteration
3.18
trust anchor
origin of trust provided in the form of a public key certificate or public key used by the validator to
validate an electronic signature, and generally a public key certificate issued by a trusted root
certification authority
3.19
trusted third party
TTP
security authority or its agent entrusted by another entity in connection with activities related to
security
3.20
certification authority
CA
centre that is entrusted with the development and assignment of public key certificates
Note 1 to entry: Certification authorities can, at their discretion, develop and assign keys to entities, see
ISO/IEC 9594-8.
3.21
certificate
information on the publicly disclosed key as a part of an asymmetric key pair for an entity, signed by a
certification authority (3.20) to prevent forgery
3.22
attribute certificate
certificate (3.21) containing the job, qualification, position, and other attributes and attribute values
3.23
revocation information
information issued by a certification authority (3.20) with respect to a certificate revocated within the
effective period
Note 1 to entry: This information can be collated to determine whether the certificate is still in force.
3
© ISO 2022 – All rights reserved
---------------------- Page: 8 ----------------------
ISO 14533-1:2022(E)
3.24
enhanced security service
ESS
optional enhanced service related to a signature including, but not limited to, information identifying
SigningCertificate and information showing the type of signature
4 Symbols
The following symbols are used for the “required level”.
— C: Conditional;
— M: Mandatory;
— O: Optional;
— P: Prohibited (creation or modification).
5 Requirements
5.1 The generation or validation of CAdES-T data conforms to this document provided that the
following requirements are met:
a) all processing of elements whose required level is “Mandatory” in the CAdES-T profile, as specified
in this document, shall be included;
b) detailed specifications pertaining to the processing of any element whose required level is
“Conditional” in the CAdES-T profile, as specified in this document, shall be provided.
5.2 The generation or validation of CAdES-A data conforms to this document provided that the
following requirements are met:
a) all processing of elements whose required level is “Mandatory” in the CAdES-A profile, as specified
in this document, shall be included;
b) detailed specifications pertaining to the processing of any element whose required level is
“Conditional” in the CAdES-A profile, as specified in this document, shall be provided.
5.3 If first-party conformity assessment is used, the implementer shall make a declaration of
conformity to this document by disclosing the supplier's declaration of compliance and its attachment
(as given in Annex A) containing a description of implementation status (and the specifications for any
“Conditional” elements).
NOTE Figure 1 shows the positioning of the generation and validation of CAdES-T data and CAdES-A data.
6 Long term signature profiles
6.1 Defined profiles
In order to make electronic signatures verifiable for a long term, signing time shall be identifiable, any
illegal alterations of information pertaining to signatures, including the subject of information and
validation data, shall be detectable, and interoperability ensured. To meet these requirements, this
document defines the following two profiles with respect to CAdES:
a) CAdES-T profile: a profile pertaining to the generation and validation of CAdES-T data;
b) CAdES-A profile: a profile pertaining to the generation and validation of CAdES-A data.
4
© ISO 2022 – All rights reserved
---------------------- Page: 9 ----------------------
ISO 14533-1:2022(E)
Figure 1 shows the relation between CAdES-T data and CAdES-A data.
Figure 1 — Relation between CAdES-T data and CAdES-A data
6.2 Representation of the required level
This document defines the following representation methods for the required level (as a profile) of each
element constituting CAdES-T data and CAdES-A data.
a) Mandatory (M): Elements whose required level is “Mandatory” shall be implemented without fail. If
such an element has optional sub-elements, at least one sub-element shall be selected. Any element
whose required level is “Mandatory” and is one of the sub-elements of an optional element shall be
selected whenever the optional element is selected.
b) Optional (O): Elements whose required level is “Optional” may be implemented at the discretion of
the implementer.
c) Conditional (C): Elements whose required level is “Conditional” may be implemented at the
discretion of the implementer provided that detailed specifications for the processing thereof are
provided separately.
d) Prohibited (P): Elements whose required level is ‘Prohibited’ shall not be created or modified, may
be read.
6.3 Standard for setting the required level
The required level of each element constituting CAdES-T data and CAdES-A data shall be set in
accordance with the following requirements.
a) The required level shall be “Mandatory” for elements whose required level is “Mandatory” in the
definition of CAdES, and those necessary for the generation and validation of long term signatures.
The elements whose required level is “Optional” in the definition of CAdES are defined as
“Mandatory”, “Optional” or “Conditional”.
b) The required level shall be “Conditional” for externally defined elements.
EXAMPLE 1 CMSAlgorithmProtection attribute (IETF RFC 6211) as one of the signed attributes, see IETF
RFC 8933.
c) The required level shall be “Conditional” for elements intended to interact with a certain application.
EXAMPLE 2 ContentReference.
d) The required level shall be “Conditional” for elements with an operation-dependent factor, e.g. as
specified in ISO 14533-4.
5
© ISO 2022 – All rights reserved
---------------------- Page: 10 ----------------------
ISO 14533-1:2022(E)
EXAMPLE 3 Attribute certificate; time mark.
NOTE The archiving-type time-stamp defined in ISO/IEC 18014-2 is included in “Time mark or other
method.”
e) The required level shall be “optional” for elements containing only reference information.
6.4 Action to take when an optional element is not implemented
The following action shall be taken when the CAdES data used in a validation transaction contains an
unimplemented element.
a) When the required level of an upper-level element is mandatory and one or more subordinate
optional elements shall be selected, or one or more relevant optional elements shall be selected, the
validator shall be cautioned that validation requires implementation of said element(s); otherwise,
validation cannot be performed.
EXAMPLE In a validation transaction, a BasicOCSPResponse element is detected where only
the processing of CertificateList elements, among all other optional elements in RevocationValues, is
implemented.
b) When CounterSignature is an unimplemented element, the validator shall be cautioned that
validation requires implementation of said element; otherwise, validation cannot be performed.
c) Optional elements other than those specified above may be ignored for implementation.
6.5 CAdES-T profile
6.5.1 General
The required levels of constituent elements of CAdES-T data are specified in 6.5.2 to 6.5.4.
If a certification authority (CA) or other trusted service is trusted to maintain and keep certificates for
the signature validation accessible for an appropriate period of time and parties relying on the signature
validity know the location where the certificates are accessible, there is no need to hold them with the
signature. Otherwise, for the interoperability reasons, the generator should include the signer certificate
in CAdES-T. The fields where the signer certificate or validation data may be included are determined
according to strategies defined in ETSI/EN 319 122-1 v1.1.1, 5.5.3 where for the interoperability reasons
and to prevent the signature to contain m
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.