Certipost e-signing Services. Rev Description of Change Author Date

Similar documents
E-Lock Policy Manager White Paper

ONTARIO LABOUR RELATIONS BOARD. Filing Guide. A Guide to Preparing and Filing Forms and Submissions with the Ontario Labour Relations Board

PAY EQUITY HEARINGS TRIBUNAL. Filing Guide. A Guide to Preparing and Filing Forms and Submissions with the Pay Equity Hearings Tribunal

Cookbook Qermid Defibrillator web service Version This document is provided to you free of charge by the. ehealth platform

SOLA and Lifecycle Manager Integration Guide

Software Usage Policy Template

Admin Report Kit for Exchange Server

Procurement Contract Portal. User Guide

SERVICE LEVEL AGREEMENT. Mission: Certificates Management

SmartPass User Guide Page 1 of 50

Date: October User guide. Integration through ONVIF driver. Partner Self-test. Prepared By: Devices & Integrations Team, Milestone Systems

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

OATS Registration and User Entitlement Guide

Overview of Data Furnisher Batch Processing

Access the site directly by navigating to in your web browser.

WELMEC Guide on evaluation of Purely Digital Parts

PRIVACY AND E-COMMERCE POLICY STATEMENT

Proper Document Usage and Document Distribution. TIP! How to Use the Guide. Managing the News Page

Users, groups, collections and submissions in DSpace. Contents

Point-to-Point Encryption (P2PE)

Please contact technical support if you have questions about the directory that your organization uses for user management.

Patch Management Policy

Introduction to Mindjet on-premise

ComplyWorks Subscription User Guide. October 6, 2011

Author guide to submission and publication

Release Notes Version: - v18.13 For ClickSoftware StreetSmart September 22, 2018

Licensing the Core Client Access License (CAL) Suite and Enterprise CAL Suite

Maximo Reporting: Maximo-Cognos Metadata

OVAL Language Design Document

Infrastructure Series

Cookbook ORTHOpride web service Version v1. This document is provided to you free of charge by the. ehealth platform

Cortex Quick Reference Supplier Guide Service Receipt Rejections for Husky Suppliers

RISKMAN REFERENCE GUIDE TO USER MANAGEMENT (Non-Network Logins)

Adverse Action Letters

Extended Traceability Report for Enterprise Architect

Town of Warner, New Hampshire Information Security Policy

PAGE NAMING STRATEGIES

Software Engineering

Cisco Tetration Analytics, Release , Release Notes

ClassFlow Administrator User Guide

Privacy Policy. Information We Collect. Information You Choose to Give Us. Information We Get When You Use Our Services

Test Pilot User Guide

New Tenancy Contact - User manual

Your New Service Request Process: Technical Support Reference Guide for Cisco Customer Journey Platform

INSTALLING CCRQINVOICE

IMPORTING INFOSPHERE DATA ARCHITECT MODELS INFORMATION SERVER V8.7

HP Server Virtualization Solution Planning & Design

Enrolling onto the Open Banking Directory How To Guide

Oracle FLEXCUBE Universal Banking Development Workbench- Screen Development II

Mapping between DFDL 1.0 Infoset and XML Data Model

$ARCSIGHT_HOME/current/user/agent/map. The files are named in sequential order such as:

Enterprise Chat and Developer s Guide to Web Service APIs for Chat, Release 11.6(1)

BlackBerry Server Installation and Upgrade Service

Privacy Policy concerning the use of the website and the use of cookies

UNMETERED LOAD GUIDELINE - DETERMINATION OF DEVICE LOAD AND ANNUAL ENERGY CONSUMPTION FOR UNMETERED DEVICE TYPES

Using SPLAY Tree s for state-full packet classification

Creating a TES Encounter/Transaction Entry Batch

Overview. Enhancement for Policy Configuration Module

Forcepoint UEBA Management of Personal Data

European Federated Validation Service Study. Solution Profile MOA Signature Verification software

Investor Services Online Quick Reference Guide FTP Delivery

CRISP Directory Input File Requirement for MHBE Carriers

UFuRT: A Work-Centered Framework and Process for Design and Evaluation of Information Systems

Digital Imaging and Communications in Medicine (DICOM) Supplement 204 TLS Security Profiles

Customer Information. Agilent 2100 Bioanalyzer System Startup Service G2949CA - Checklist

Update: Users are updated when their information changes (examples: Job Title or Department). o

Stock Affiliate API workflow

FACE Trademark Usage Guidelines & Copyright Permissions

Compliance Guardian 4. User Guide

User Manual. Revised June 18, 2007

Department of Computer Information Systems KEMU

Element Creator for Enterprise Architect

Reporting Requirements Specification

Microsoft Excel Extensions for Enterprise Architect

Setting up the ncipher nshield HSM for use with Kerberized Certificate Authority

Integration Framework for SAP Business One

Final Report. Graphical User Interface for the European Transport Model TREMOVE. June 15 th 2010

Automatic imposition version 5

Kaltura MediaSpace Installation and Upgrade Guide. Version: 5.0

Student participation Students can register online, track progress, express interest and demonstrate proficiency.

Password Management Guidelines

TL 9000 Quality Management System. Measurements Handbook. SFQ Examples

European Component Oriented Architecture (ECOA ) Collaboration Programme: Architecture Specification Part 3: Mechanisms

UNSW Technology Policy:

Administration. User Guide

Simple Object Access Protocol (SOAP)

Ephorus Integration Kit

EMV. Terminal Type Approval Contactless Product. Administrative Process. Version 2.6 February 2017

Technical Paper. Installing and Configuring SAS Environment Manager in a SAS Grid Environment

Technical Paper. Installing and Configuring SAS Environment Manager in a SAS Grid Environment with a Shared Configuration Directory

DNS (Domain Name Service)

OmniPCX Record PCI Compliance 2.3

App Center User Experience Guidelines for Apps for Me

Public Documents Registration of authorities in IMI Guide for Access managers

LiveEngage and Microsoft Dynamics Integration Guide Document Version: 1.0 September 2017

The following screens show some of the extra features provided by the Extended Order Entry screen:

How to use DCI Contract Alerts

EXBO e-signing Automated for scanned invoices

TPCH Data Sharing Policies and Procedures

Mission Antyodaya Android Mobile & Web Application. Frequently Asked Questions

Transcription:

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 1 f 12 Rev Descriptin f Change Authr Date 1.0 First Versin Wim Culier 15/06/2007 Clarificatins t enable this plicy t be used fr mre prducts Wim Culier 23/08/2007 1. Intrductin. Scpe This dcument cvers the plicy rules that are used t state under which cnditins an electrnic signature generatin and validatin methds are valid when used within the cntext f the Certipst e-signing service f Handwritten Equivalent level. Mrever, the present dcument sets the rles and bligatins f all actrs invlved in the e-signing Handwritten Equivalent transactins. These rights and bligatins fr entities invlved in e-signing Handwritten Equivalent transactins are stated in the frm f bth cntract bligatins and technical requirements. Finally, the present dcument versees the technical standards and peratins used t create the electrnic signatures thrugh the Certipst e-signing Handwritten Equivalent service. 1.2. Organizatin f the dcument The rganizatin f this dcument is based n the signature plicy framewrk as defined in ETSI TR 102 041 v.1: Signature plicy reprt. 1.3. Preceding language versin This dcument is translated in several languages. In case f cnflicting cntent between the different languages, the English versin precedes. The different language versins can be fund in the fllwing lcatin: English versin: https://cnnect.e-signing.be/dcuments/e- Signing_HandwrittenEquivalentSignaturePlicy_EN_v.pdf Dutch versin (Nederlandstalige versie): https://cnnect.e-signing.be/dcuments/e- Signing_HandwrittenEquivalentSignaturePlicy_NL_v.pdf French versin (versin francphne): https://cnnect.e-signing.be/dcuments/e- Signing_HandwrittenEquivalentSignaturePlicy_FR_v.pdf 1.4. Definitins Advanced Electrnic Signature: means an electrnic signature that meets the fllwing requirements: It is uniquely linked t the signatry; It is capable f identifying the signatry; It is created using means that the signatry can maintain under his sle cntrl; and It is linked t the data t which it relates in such a manner that any subsequent change f the data is detectable. Certificatin Authrity (CA): An authrity trusted by ne r mre users t create and assign certificates. Optinally the certificatin authrity may create the users keys. Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 2 f 12 Certificate identifier: a unique identifier f a Certificate cnsisting f the name f the CA and f the certificate serial number assigned by the CA. Certificate Plicy: A named set f rules that indicates the applicability f a certificate t a particular cmmunity and/r class f applicatin with cmmn security requirements. Certificate Validity perid: The time interval during which the CA warrants that it will maintain infrmatin abut the status f the certificate. Certificate revcatin list: a list cntaining the serial numbers f revked certificates frm a given CA, tgether with ther revcatin infrmatin. Certificatin path: A chain f multiple certificates, cmprising a certificate f the public key wner (the end entity) signed by ne CA, and zer r mre additinal certificates f CAs signed by ther CAs. Certificatin Service Prvider: an entity r a legal r natural persn wh issues certificates r prvides ther services related t electrnic signatures; [EC 1999/93] CRL distributin pint: A directry entry r ther distributin surce fr CRLs; a CRL distributed thrugh a CRL distributin pint may cntain revcatin entries fr nly a subset f the full set f certificates issued by ne CA r may cntain revcatin entries fr multiple CAs. Data t be signed (DTBS): the cmplete electrnic data t be signed (including bth Signer's Dcument and Signature Attributes) Digital signature: data appended t, r a cryptgraphic transfrmatin f, a data unit that allws a recipient f the data unit t prve the surce and integrity f the data unit and prtect against frgery, e.g. by the recipient. e-signing Framewrk: The Certipst e-signing framewrk is the whle f the Certipst e-signing signature plicies and the cmpnent enfrcing cmpliance t the plicy in questin fr creating and verifying e-signing signatures. This framewrk can be used by different frnt-end applicatins as part f a Certipst prduct r service. e-signing Handwritten Equivalent Service: e-signing Service that is limited t the creatin f signatures accrding t the present Signature Plicy (Handwritten Equivalent signatures). e-signing Service: Any prduct r service that makes use f the Certipst e-signing Framewrk t create electrnic signatures fr the user f the service. Since this dcument is limited t the Handwritten Equivalent type f signature, when this term is mentined further in this dcument this means the e-signing Handwritten Equivalent Service. End entity: A certificate subject that uses its public key fr purpses ther than fr signing certificates. Electrnic signature: means data in electrnic frm that are attached t r lgically assciated with ther electrnic data Hash functin: A functin that maps string f bits t fixed-length strings f bits, satisfying the fllwing tw prperties: - It is cmputatinally unfeasible t find fr a given utput an input that maps t this utput - It is cmputatinally unfeasible t find fr a given input a secnd input which maps t the same utput Initial verificatin: a prcess perfrmed by a Verifier that must be dne sn after a signature is generated in rder t capture the infrmatin that will make it valid fr lng term verificatin. Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 3 f 12 Object identifier: a sequence f numbers that uniquely and permanently references an bject. OCSP: see Online Certificate Status Prtcl Online certificate status prtcl: real time n line trusted surce f certificate status infrmatin. Parallel signature: the applicatin f separate independent signatures t the same Signer s dcument Public key: That key f an entity s asymmetric key pair that can be made public Private key: That key f an entity's asymmetric key pair that shuld nly be used by that entity. Qualified certificate: a certificate which meets the requirements laid dwn in Annex I f the Directive and is prvided by a certificatin-service-prvider wh fulfils the requirements laid dwn in Annex II f the Directive [EC 1999/93] Qualified electrnic signature: an advanced electrnic signature which is based n a qualified certificate and which is created by a secure-signature-creatin device (Nte: Definitin f Art. 5.1 signature taken frm the Directive [4]). Secure Signature Creatin Device: means a signature creatin device that meets the requirements laid dwn in [4], Annex III. Signature attributes: Additinal infrmatin that is signed tgether with the Signer's Dcument. Signature creatin data: means unique data, such as cdes r private cryptgraphic keys, which are used by the signatry t create an electrnic signature. Signature creatin device: means cnfigured sftware r hardware used t implement the signature creatin data. Signature plicy: a set f technical and prcedural requirements fr the creatin and verificatin f an electrnic signature, under which the signature can be determined t be valid. Signature plicy identifier: Object Identifier that unambiguusly identifies a Signature Plicy. Signature plicy issuer: An rganizatin that creates, maintains and publishes a signature plicy. Signature plicy issuer name: A name f a Signature Plicy Issuer. Signature verificatin: a prcess perfrmed by a Verifier either sn after the creatin f an electrnic signature r later t determine if an electrnic signature is valid against a signature plicy implicitly r explicitly referenced. Signature verificatin data: data, such as cdes r public cryptgraphic keys, which are used fr the purpse f verifying an electrnic signature; [EC 1999/93] Signature verificatin device: cnfigured sftware r hardware used t implement the signature verificatindata [EC 1999/93] Signer: Entity that creates an (electrnic) signature (physical r legal persn). Signer s identity: the registered name f the Signer (i.e. as registered by the CSP supplying the Signer s certificate). Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 4 f 12 Signer s dcument: The electrnic data t which the electrnic signature is attached t r lgically assciated with. Time-Mark: A prf-f-existence fr a datum at a particular pint in time, in the frm f a recrd in a secure audit trail, which includes at least a trustwrthy time value and a hash representatin f the datum. Time stamp: A prf-f-existence fr a date at a particular pint in time, in the frm f a data structure signed by a Time Stamping Authrity, which includes at least a trustwrthy time value, a unique identifier fr each newly generated time stamp, an identifier t uniquely indicate the time-stamp plicy under which the time stamp was created, a hash representatin f the datum, i.e. a data imprint assciated with a ne-way cllisin resistant uniquely identified hash-functin. Time stamp authrity: An authrity trusted by ne r mre users t prvide a Time Stamping Service. Time stamp service: A service that prvides a trusted assciatin between a date and a particular pint in time, in rder t establish reliable evidence indicating the time at which the datum existed. Usual verificatin: a prcess perfrmed by a Verifier that may be dne years after the electrnic signature was prduced, des nt need t capture mre data than the data that was captured at the time f initial verificatin. Validatin data: additinal data, cllected by the Signer and/r a Verifier, needed t verify the electrnic signature in rder t meet the requirements f the signature plicy. It may include: certificates, revcatin status infrmatin, time-stamps r Time-Marks. Verifier: An entity that validates r verifies an electrnic signature (physical r legal persn). This may be either a relying party r a third party interested in the validity f an electrnic signature. 2. Certipst e-signing Service 2.1. Certipst e-signing actrs Signer: see abve Verifier: see abve Certipst e-signing service prvider: Certipst e-signing service prvider helps the Signer t create a signature accrding t the present signature plicy, in rder t ensure that the signature generated has a legal value equivalent t a handwritten signature as per the Directive [4] implemented in the Belgian law n electrnic signature [6]. Certipst e-signing service prvider helps the Verifier t assess whether a signature was cmpliant t the present signature plicy, and thus that the signature verified has a legal value equivalent t a handwritten signature as per the Directive [4] implemented in the Belgian law n electrnic signature [6]. 2.2. Certipst e-signing service descriptin The gal f the Certipst e-signing Service is t lwer the barrier fr electrnic dcument signing dramatically by taking the legal and technical cmplexity f this signing away frm the Signer wh applies the signature and Verifier wh trusts the signature. The Certipst e-signing Service is a service that will help users t create and verify Qualified Electrnic Signatures with lng term value. Qualified Electrnic Signatures are electrnic signatures that cmply with the requirements frm the Eurpean Directive [1] and Belgian law [2] cncerning electrnic signatures in such a way that frm a legal pint f view they are autmatically accepted as equivalent t a handwritten signature. As the requirements frm the Eurpean Directive and Belgian law are cmplex fr the general public, Certipst has created this service t take this cmplexity away frm the Signer and the Verifier. By simply using the Certipst e-signing service, bth the Signer and Verifier can be assured f cmpliance f their signature and verificatin methd t the Eurpean Directive and Belgian law. In additin, the Certipst e-signing service ffers a number Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 5 f 12 f supplementary measures t make sure that the cnditins fr lng term nn-repudiatin f signatures are met. 2.3. Supprted standard The signature will be frmatted in the standard XML Advanced Electrnic Signature standard (XAdES) i, t allw all measures t be applied fr lng term nn-repudiatin. XAdES defines several different signature prfiles. Each prfile adds additinal verificatin infrmatin n tp f the encapsulated prfile. The range ges frm the basic XAdES prfile, which is nly sufficient fr very shrt-term prf f nn-repudiatin up t XAdES- A which ffers enugh nn-repudiatin prf elements fr archiving. Fr mre infrmatin see the ETSI standard. The electrnic signature applied accrding t the present Signature Plicy must be frmatted in at least the XAdES-T prfile. This prfile cntains as well a timestamp that can prf at what time the signature was psed. Anther XAdES prfile that encapsulates a XAdES-T such as XAdES-X-L is f curse accepted as well. Fr signatures that have t be prven beynd the expiratin date f the certificate, the XAdES-X-L shuld be used (the XAdES-X-L als cntains the certificate status infrmatin). The signature itself will be created with the Signer s SSCD, the frmatting f the XAdES-T r XAdES-X-L signature dcument (and inclusin f timestamp(s) and pssibly certificate status infrmatin) will be perfrmed n the Certipst e-signing server. At any mment, any party in pssessin f the XAdES-T signature can add revcatin status infrmatin and timestamps t frm a XAdES-X-L. At any mment, any party in pssessin f the XAdES-X-L can add a new timestamp t frm a XAdES-A frmat fr a lng term archiving versin f the signature. All signatures created under this signature plicy will as well include within the XAdES frmat references t the present Signature Plicy in the frm f OID, hash and URL f the present Signature Plicy. 2.4. e-signing creatin The Signer can create a signature accrding t this Signature Plicy using the Certipst e-signing service. Multiple presentatin envirnments can use the Certipst e-signing Framewrk. It is pssible that the Certipst e-signing service will at a certain mment implement ther signature plicies than the present ne. The implementatins based n the Certipst e-signing Handwritten Equivalent Signature Plicy will have the fllwing in cmmn: 1. The user can select a file t be signed 2. The Certipst e-signing service will perfrm a number f verificatins (nt necessarily in this rder): a. Whether the signature is valid fr the specified signed file b. Certificate issued under an accepted Certificate Plicy (see sectin 3.3.3. Certificate requirements). c. Validity f the certificate: certificate nt revked r suspended, certificate within validity perid (between valid frm and valid t dates), full certificate chain validatin (including validatin f all certificates in the chain) When ne f the verificatins fails, the signature prcess will be abrted. 3. The Certipst e-signing service will create the XAdES-T file. This includes the cllectin f a timestamp. In case the e-signing server creates a XAdES-X-L file, this includes the cllectin and inclusin f Certificate status infrmatin and timestamps. 2.5. e-signing verificatin The Verifier can use any means t verify the signature created accrding t this plicy. Hwever, fllwing cnditins must be met. The Certipst e-signing verificatin service implementatin meets all these criteria, and is pen fr use t any Verifier. i ETSI TS 101 903 Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 6 f 12 1. Assurance that the signature is valid fr the specified signed file. 2. Validity f the certificate at the time f signing: certificate nt revked r suspended, certificate nt expired and already valid, full certificate chain validatin (including validatin f all certificates in the chain). This may include the cnstructin f a XAdES-X-L frm the XAdES-T r a XAdES-A frm the XAdES-X-L. 3. Certificate issued under an accepted Certificate Plicy (see sectin 3.3.3. Certificate requirements). 4. Verificatin f all the timestamps in the XAdES-T, XAdES-X-L r XAdES-A (in case additinal timestamps have been added fr lng term nn-repudiatin assurance), including the verificatin that the timestamp validity perids verlap (at any pint in time at least ne f the timestamps shuld be valid t assure in case f algrithm breach that never the nn-repudiatin value might have been cmprmised). 3. Signature plicy infrmatin 3.1. General Certipst e-signing Handwritten Equivalent Signature Plicy infrmatin Fllwing ETSI requirements ii, the Certipst e-signing Handwritten Equivalent signature plicy includes the fllwing data: 3.. Signature Plicy Identifier: Signature Plicy Name: Certipst e-signing Handwritten Equivalent Signature Plicy Signature Plicy OID: 0.3.2062.7.2..1.0 (the last tw digits define the majr and minr versins f the signature plicy respectively) Signature Plicy URL: https://cnnect.e-signing.be/dcuments/e- Signing_HandwrittenEquivalentSignaturePlicy_EN_v1.0.pdf 3.1.2. Date f issue 15 June 2007 3.1.3. Signature Plicy Issuer name: Certipst sa/nv cntact details: Registered ffice: Certipst s.a/n.v. Centre Mnnaie / MuntCentrum B-1000 Bruxelles / Brussel TVA B.T.W. BE 475.396.406 RC Bruxelles / HR Brussel 652.060 Operatinal address: Ninvesteenweg 196, B-9320 Erembdegem Phne: +32 53 60 11 11 - Fax: +32 53 60 11 01 Signature Plicy Issuer OID: 0.3.2062.7 3.2. Signing Perid The present Signature Plicy is valid frm the date f issue till it becmes superseded by a next versin. 3.3. Cmmn Rules ii Specified in reference dcument [ 1] ETSI TR 102 041 (V.1) : «Signature plicy reprt» Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 7 f 12 3.3.1. Rules fr the Signer 3.3.. Absence f time based dynamic cntent The Signer is respnsible that the file being signed des nt cntain any dynamic cntent that might mdify the visualized result f the file during time (e.g. amunts r sentences that change after a certain date). The Signer must nt include such dynamic cntent in any file the Signer creates that will be subject t use f the e- Signing service. In case the Signer wants t sign a dcument that he did nt create himself, he shuld make sure that such dynamic cntent is nt present. That is why we advice against the signing f dcuments cntaining macr s r ther executable cde. We advice in such a case t cnvert the file first t a frmat that des nt cntain dynamic cntent such as TIFF, PDF, JPEG, 3.3.1.2. Dcuments accepted by law Althugh that the Belgian Law [6] lays dwn the cnditins fr electrnic signatures t be accepted as equivalent t handwritten signatures, ther laws smetimes lay dwn cnditins that rule ut electrnic signatures after all. Additinally, fr sme transactins, electrnic dcuments and/r electrnic signatures may nt be allwed accrding t the applicable cntractual cnditins (e.g. a certain frm f cmmunicatin was cntractually agreed that rules ut the use f electrnic signatures). The Signer is respnsible that the file being signed is accepted by law and applicable cntracts t be signed electrnically. In the present Signature Plicy, n exhaustive list can be prvided f types f cntent that are nt allwed by Belgian law t be signed electrnically, but particularly the types f cntent listed belw shuld be investigated by the Signer: testament cheque, rder nte and bill f exchange unilateral engagement by a nn-merchant t pay a certain amunt r gd f value cntracts which need t be registered, such as cntracts t rent a huse (by lack f e-registratin) authentic acts ( authentieke akten, "actes authentiques"), such as the cntract t buy real estate and dnatins. sme kinds f mandate, such as the mandate fr authentic acts, the mandate t accept a dnatin r the mandate t be present at the executin f civil state acts. Transactin under anther cuntry s legislatin might be subject t similar exceptins. 3.3.1.3. Signed attributes The fllwing set f Signed Attributes will be prvided by the Signer: Signing time Signing Certificate (including the full certificate path) Signature Plicy (in the frm f OID, hash and URL f the current Signature Plicy) 3.3.1.4. Unsigned attributes The fllwing set f Unsigned Attributes shuld be prvided by the Signer. If nt added by the Signer, they may be added by the Verifier. Timestamps: this must include SignatureTimeStamps (timestamp n the signature itself), this shuld include SigAndRef TimeStamps (timestamp n the cmbinatin f the signature and the references t validatin infrmatin) an may include ArchiveTimeStamps (timestamps added ver time t maintain lng term nn-repudiatin value) Cuntersignature (pssibly, nt mandatry) Certificate values: this must include the CmpleteCertificate Refs and shuld include the Certificate- Values Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 8 f 12 Certificate status references: this must include the CmpleteRevcatinData Refs and shuld include the RevcatinValues 3.3.2. Rules fr the Verifier 3.3.2.1. Signed attributes Signing time: nly t be used as an indicatin, nly a timestamp can give cnclusive infrmatin abut a time reference. The ldest timestamp within the XAdES structure will be used t determine signing time. Signing Certificate: Full verificatin f the signing certificate fr the signing time (signing time during the lifetime f the certificate, certificate nt revked r suspended, full verificatin n the certificate chain) Nte: Althugh the XAdES-X-L frmat cntains certificate verificatin data, this certificate verificatin data can have been cllected nt taking a cautinary perid in cnsideratin (see cautinary perid in the sectin 3.3.3.2 Timestamping). Perfrming a new nline certificate status verificatin can nly cnclusively give the crrect status if this new nline verificatin is perfrmed after the cautinary perid but befre the expiratin f the certificate. Often certificate status infrmatin services d nt keep mentin n revcatin r suspensin n expired certificates. Therefre the way the verificatin is perfrmed depends n the state f the certificate at verificatin time. When perfrming a verificatin befre expiratin f the Signature certificate: The Verifier shuld as well perfrm a new nline certificate status verificatin. In case this new verificatin shws the certificate being revked r suspended, the Verifier shuld nt trust the signature in case the date and time f revcatin r suspensin is earlier r equal t signing date and time, even if the certificate revcatin data included in the XAdES-X-L signature claims the certificate t have been valid at that time. Only when the Verifier can nt btain such new status infrmatin, the certificate status infrmatin frm the XAdES-X-L itself can be used as nly certificate status infrmatin, implying an acceptance f the resulting risk. When perfrming a verificatin after expiratin f the Signature certificate: The certificate status infrmatin frm the XAdES-X-L itself must be used as nly certificate status infrmatin, implying an acceptance f the resulting risk. A new nline certificate status verificatin cannt be trusted upn t cntain crrect revcatin data abut the certificate. Signature Plicy: The Verifier shuld check that this is indeed the Signature Plicy that was identified in the XAdES structure (by hash cmparisn). 3.3.2.2. Unsigned attributes The fllwing set f Unsigned Attributes shuld be prvided by the Signer. If nt added by the Signer, they may be added by the Verifier. Timestamps: Several timestamps can have been applied. Except the verificatin f the validity f the timestamps themselves and the timestamp signing certificates, the Verifier shuld make sure that timestamps are included in such a way that the timestamp validity perids verlap (at any pint in time at least ne f the timestamps shuld be valid t assure in case f algrithm breach that never the nn-repudiatin value might have been cmprmised), and this fr the perid between the Signing time and the mment f the verificatin. Cuntersignature (pssibly, nt mandatry): Same checks as n the first signature. Certificate values: Used in the verificatins abve. Certificate status references: Used in the verificatins abve. Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 9 f 12 3.3.3. Trust cnditins 3.3.3.1. Signing Certificate 3.3.3.. Certificate requirements The trust pints that must be used fr the start f prcessing f the Signing Certificate path (the self-signed certificates fr the CAs) are limited t: Belgium Electrnic Identity card (eid) certificates: Belgium Rt CA Certipst E-Trust certificates: Certificate Path Length Belgacm E-Trust Rt CA fr qualified certificates Certipst E-Trust TOP Rt CA GTE CyberTrust Glbal Rt N limitatin n Certificate Path Length applies. Acceptable Certificate Plicies Only certificate plicies are accepted that apply t Qualified Certificates stred n SSCD. Naming cnstraints N naming cnstraints apply. Explicit Indicatin f the certificate plicies eid Certipst E-Trust 2.16.56..1.2.1 (eid Citizen signing certificate) 2.16.56..1.7.2 (eid Freigner signing certificate) 0.3.2062.7..3.3.x (Certipst E-Trust qualified fr qualified signatures fr physical persns) 0.3.2062.7..4.2.x (Certipst E-Trust qualified fr qualified signatures fr legal persns) 0.3.2062.7..101.x (Certipst E-Trust qualified fr qualified signatures fr physical persns) 0.3.2062.7..112.x (Certipst E-Trust qualified fr qualified signatures fr legal persns) 0.3.2062.7..121.x (Certipst E-Trust qualified fr qualified signatures fr cmmunities) 3.3.3.1.2. Revcatin Requirements Revcatin status infrmatin n the Signer certificate shuld be validated in the fllwing way: eid certificates: The OCSP service shuld be used. When the OCSP service cannt be used fr whatever reasn, full CRLs shuld be used. Certipst certificates: Full CRLs shuld be used. Revcatin status infrmatin n the CA certificates in the Signer certificate chain shuld be validated in the fllwing way: eid certificates: The OCSP service shuld be used. When the OCSP service cannt be used fr whatever reasn, full CRLs shuld be used. Certipst certificates: Full CRLs shuld be used. Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 10 f 12 3.3.3.2. Timestamping Time Stamping Authrities Public Key Rules The certificate f the time stamping authrities public key shuld include the timestamping ExtendedKeyUsage (OID: 1.3.6.1.5.5.7.3.8). Naming cnstraints N naming cnstraints apply. Cautinary Perid At the time f the creatin f the signature XAdES-X-L frmat by the e-signing service prvider, a validatin will be perfrmed n the validity f the certificate used fr signing. This includes the verificatin whether the certificate was nt revked r suspended during at the mment it was used fr signing. Such verificatin is prefrmed by getting revcatin infrmatin frm the certificate issuer (CRL r OCSP). Sme time ges by between the mment that the certificate was requested t be revked and the time that the revcatin services (CRL r OCSP server) publish this status. That means that there is a small risk that the revcatin status cllected during the creatin f the XAdES-X-L is nt crrect (the certificate being cnsidered valid while it is nt). As a result there is a risk that the XAdES-X-L claims a valid signature, while in reality the signature is nt valid. A means t eliminate this risk is by waiting fr a certain perid (cautinary perid r grace perid) after the actual signature befre creating the XAdES-X-L. If this grace perid is larger then the time that it takes fr the certificate status service t publish the revcatin infrmatin the risk is cmpletely mitigated. Hwever in this Signature Plicy, it was chsen nt t impse such a grace perid fr the fllwing reasns: 1. The certificates allwed by this Signature Plicy are stred n an SSCD, which limits cnsiderably the risk f abuse f a stlen r lst certificate. 2. Including a grace perid wuld in mst cases disrupt the nrmal flw f events in which the signature takes part in such a way that this wuld mre then ffset the psitive effect f applying such grace perid. 3. Even if the XAdES-X-L des nt cntain verificatin infrmatin frm after such grace perid, present signature plicy requests the Verifier t verify the revcatin data nline t assess whether the signing certificate was nt revked r suspended at the time f signature. Maximum Acceptable Time Nt applicable. 3.3.3.2.1. Certificate requirements Belgacm E-Trust Rt CA fr Qualified Certificates Certificate Path Length N limitatin n Certificate Path Length applies. Acceptable Certificate Plicies There is n specific indicatin n the acceptable Certificate Plicies. Naming cnstraints N naming cnstraints apply. 3.3.3.2.2. Revcatin Requirements Revcatin status infrmatin n the timestamping certificate shuld be validated in the fllwing way: Certipst certificates: Full CRLs shuld be used. Revcatin status infrmatin n the CA certificates in the timestamping certificate chain shuld be validated in the fllwing way: Certipst certificates: Full CRLs shuld be used. Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 11 f 12 3.3.3.3. Attributes N attribute signing is part f this signature plicy. 3.3.3.4. Algrithm Cnstraints Fllwing Signer algrithm cnstraints apply t signatures created under this Signature Plicy: The Signing Algrithms : One f the fllwing algrithms shuld be used: RSA / SHA1, RSA/SHA256, RSA/SHA512 Minimum Key Length: The Certificate Plicies that are accepted define the minimum key length. This signature plicy des nt define Algrithm Cnstraints n certificates r timestamping authrities. 3.3.3.5. Cmmn Extensins N cmmn extensins have been defined in this signature plicy. 3.4. Cmmitment Rules Nt applicable. 3.5. Signature Validatin Plicy Extensins N Signature Validatin Plicy Extensins are applicable. 3.6. Area f applicatin, Business Applicatin dmain, transactinal cntext This signature plicy applies t the cntext f a Certipst e-signing Handwritten Equivalent transactin. 3.7. Cmputer- prcessible vs. human-readable signature plicy Tw frmats f signature plicies can be implemented: Cmputer-prcessible plicy and human readable signature plicy. Frm the develpers pint f view it wuld be cnvenient, if the plicy is available in a cmputerprcessible frmat. Hwever, because it is the Signer that gives a cmmitment with regard t the cntent f the signed dcument as per this plicy, there must always be a human readable versin f the plicy. Mrever, the Signer must be able t read the plicy befre creating a signature under it. Fr the reasns we have expressed abve, Certipst pted fr a human-readable plicy. 3.8. Explicit vs. implicit signature plicy The reference t a signature plicy within a signed dcument may be either implicit r explicit. We pted fr an explicit reference t the signature plicy indicated by the Signer within the electrnic signature (and thus prtected by the electrnic signature frm the Signer). In this case, the benefit is t allw a prcessing f the electrnic signatures, even lng after they have been generated and utside their riginal cntext f use (e.g. in frnt f a judge). The Signature Plicy is identifiable by a unique identifier, e.g. an OID (Object IDentifier), and verifiable using a hash f the signature plicy. S each time an electrnic signature is generated, it includes within the signed dcument the unique identifier f the signature plicy, the hash value f the signature plicy and a lcatin (URL)) where a cpy f the Signature Plicy may be btained. 3.9. Certipst e-signing Handwritten Equivalent signature plicy publicatin Befre signing, a Signer shuld be sure which security plicy will apply. In the same way, when verifying an electrnic signature, a Verifier needs t make sure t use the crrect security plicy. Certipst issues its wn signature plicies and make them available t end-entities by placing them n a secure web site (that can be accessed via SSL). By this way, an end-entity (a Signer r Verifier) has the guarantee that he is in pssessin f the genuine plicy. Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

Certipst e-signing Handwritten Equivalent Signature Plicy Dcument OID: 0.3.2062.7.2.. Apprval Status: Apprved Versin: 12 f 12 3.10. Certipst e-signing Handwritten Equivalent signature plicy archiving In case the current versin f this signature plicy is superseded, the next versin f the signature plicy will identify the repsitry where the current signature plicy versin will be archived and hw a Verifier can get access. This might be required fr the verificatin f electrnic signature created under the current signature plicy versin. 3.11. Certipst e-signing Handwritten Equivalent signature plicy cnfrmance statements The present Signature Plicy claims cnfrmance t ETSI TS 101 903, ETSI TR 102 041 and t the Belgian Law f 9th July 2001. 4. References [1]: ETSI TR 102 041 (v.1): Signature plicy reprt. [2]: ETSI TS ETSI TS 101 903 (v1.2.2): XML Advanced Electrnic Signatures (XAdES). [3]: RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revcatin List (CRL) Prfile. [4]: EC 1999/93: Eurpean Cmmunity (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES [5]: ETSI TR 102 045 (v.1): Signature Plicy fr Extended Business Mdel. [6]: The 9th f July 2001 Belgian Law abut electrnic signatures. Handwritten Equivalent Signature Plicy Versin Cpyright 2007 Certipst sa/nv. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback