Policy for packaging of electronic signatures for long-term validation (LTV)
This policy can be downloaded as a PDF here: Packaging-Policy-LTV-1.3.pdf
1 Policy and location
Policy ID | urn:signicat:packagingpolicy:ltv:1.3 |
As part of combined policy ID¹ | urn:signicat:packagingpolicy:ltv:[signature packaging policy name]:1.3:[signature packaging policy version] |
Name | Policy for Packaging of E-Signatures for Long-Term Validation |
¹ This policy needs to be accompanied by a signature packaging policy, and the two may be referenced together using a combined Policy ID.
2 Version
Date | Specification version | Change |
2015-03-31 | 1.3 | – Chapter 6: now requires that the seal is in XAdES Baseline-B form. – Chapter 1: correction of the name. – References: specified that XAdES is version 1.4.1. |
2014-10-16 | 1.2 | – Extracted the rules that are not signature-specific from the combined packaging policy document for urn:signicat:packagingpolicy:ltv:bankidse:1.1:1.2 into a separate policy document for the LTV policy. – Added the General LTV-SDO Profile. – Removed the URL, as it is not stable enough for a policy. |
3 Introduction
This packaging service policy defines requirements for packaging of electronic signatures, in the context of signature creation and initial verification, for the purpose of implementing long-term validation support.
This policy needs to be accompanied by a signature packaging policy.
3.1 About packaging policies
The purpose of a packaging policy is to specify requirements for the packaging process, and high-level requirements for the prior signature creation and verification process.
The primary users of this policy will be electronic signature users (relying parties). The policy will help electronic signature users to better understand the information contained in a package, and on what basis it can be trusted and used.
The policy will also be useful for implementers of the packaging service.
3.2 The relation to a signature packaging policy
This is the general policy for packaging of electronic signatures for long-term validation, referred to as the LTV packaging policy. It defines general requirements that are not specific to the signature type.
It needs to be accompanied by a signature packaging policy. The signature packaging policy will define requirements that are specific to the type of signature that is subject to packaging.
3.3 Scope
This packaging policy defines requirements for packaging of electronic signatures for long-term validation, in the context of signature creation and initial verification.
Requirements for the creation and verification processes, including collection of the data needed by the packaging process, will be set by the accompanying signature packaging policy.
3.4 Structure
The normative parts of the policy are:
- General process requirements: defines high-level requirements for the overall packaging process.
- Package formatting requirements: defines requirements for the format used for the package.
- Sealing requirements: defines requirements for the TSP signature on the package (the seal).
- General LTV-SDO profile: defines the general LTV-SDO profile.
- Trust anchors for validation of the seal: lists the certificates used as trust anchors when validating the seal.
3.5 Versioning and backwards compatibility
Packaging policy version numbers consist of a major and a minor number, denoting major and minor versions.
A change of minor version is always backwards compatible, and the new policy may be brought into effect without notifying relying parties.
A change of major version may introduce non-backwards-compatible changes.
3.6 Contents
1 Policy ID and location
2 Version
3 Introduction
4 General process requirements (normative)
5 Package formatting requirements (normative)
6 Sealing requirements (normative)
7 General LTV-SDO Profile (normative)
8 Appendix A (normative): Trust anchors used in validation of the seal
3.7 Terms and acronyms
Term | Explanation |
TSP | Trusted Service Provider: the entity implementing this policy by packaging the signature |
Long-term validation | The concept of validating an electronic signature long-term (months, and sometimes years) after it was created. |
Native signature | The electronic signature that is to be packaged for long-term validation |
Original document | The document signed with the native signature |
Seal | The Trusted Service Provider's signature on the package. It is commonly referred to as the Seal |
3.8 References
Short name | Resource |
XAdES | ETSI TS 101 903 V1.4.1: “XML Advanced Electronic Signatures (XAdES)” |
XMLDSIG | W3C XML Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/ |
XAdES-BASELINE | ETSI TS 103 171 V2.1.1 (2012-03): “XAdES Baseline Profile” |
4 General process requirements (normative)
- Packaging of the native signature is done such that it provides support for long-term validation of the native signature.
- Packaging is performed immediately following signature creation and initial verification.
- Packaging is done only if initial verification succeeds.
- Validation data used in the initial verification are included in the package, to enable recreation of the validation process at a later point in time.
5 Package formatting requirements (normative)
Package formatting is the process of putting all information elements together in a package.
5.1 Format
The package must be formatted according to the following format specification:
Name | Long-Term Validation extended Signed Data Object |
Version* | 1.X |
Available at* | https://id.signicat.com/definitions/xsd/LtvSdo-1.X |
* The ‘X’ means that the minor version number is not specified; it is replaced by the actual minor version in the URL.
6 Sealing requirements (normative)
This section contains requirements for the TSP signature on the package, also called the seal.
- The seal covers the complete package, such that all information in the package is protected by the signature.
- The seal is an XAdES [XADES] signature in Baseline-B form [XADES-BASELINE].¹
- The signature is verified immediately following signature creation.
- Signature verification is done according to XMLDSig Core Validation [XMLDSIG].
- Verification includes certificate validation of the signing certificate, including a revocation check. The trust anchors used in certificate validation are listed in Appendix A.
- All certificates and revocation values used in the initial verification of the signature are included in the XAdES structure.
- The signature does not include timestamps.
- The package is signed according to an explicit signature policy which is available together with this policy.
¹ Note that this implies the existence of the DataObjectFormat element through an implicit dependency (see [XADES-BASELINE:6.3.3]).
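The rules above are structural as well as cryptographic. The following is an added example (not Signicat's code and not part of this policy) of a structural pre-check a relying party or an implementer of the packaging service can run over a package before handing the seal to an XML signature library for XMLDSig core validation. It checks, with the Python standard library only, that the seal references the whole package, that the Baseline-B properties and the DataObjectFormat element from the footnote are present, that CertificateValues and RevocationValues are carried in the XAdES structure, and that no XAdES timestamp element is present. The package namespace, the element layout around the seal and the Base64 payloads in the sample are placeholders; the XAdES and XMLDSig namespaces are the real ones.

```python
"""Structural checker for the sealing requirements in chapter 6 (added example, not Signicat's code).

Cryptographic verification (XMLDSig core validation, certificate path building and
the revocation check) is out of scope here and must be done by a real XML signature library.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"        # XMLDSIG namespace
XADES = "http://uri.etsi.org/01903/v1.3.2#"      # XAdES element namespace (also used by XAdES 1.4.1)
XADES141 = "http://uri.etsi.org/01903/v1.4.1#"   # XAdES 1.4.1 additions (e.g. the newer ArchiveTimeStamp)


def _q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


# Elements that chapter 6 (and its footnote) require inside the seal.
REQUIRED_ELEMENTS = {
    "SigningTime": _q(XADES, "SigningTime"),                # Baseline-B signed property
    "SigningCertificate": _q(XADES, "SigningCertificate"),  # Baseline-B signed property
    "DataObjectFormat": _q(XADES, "DataObjectFormat"),      # implied by Baseline-B (footnote 1)
    "CertificateValues": _q(XADES, "CertificateValues"),    # certificates used in initial verification
    "RevocationValues": _q(XADES, "RevocationValues"),      # revocation values used in initial verification
}

# Any of these means the seal carries a timestamp, which chapter 6 forbids.
TIMESTAMP_ELEMENTS = {
    _q(XADES, n) for n in ("AllDataObjectsTimeStamp", "IndividualDataObjectsTimeStamp",
                           "SignatureTimeStamp", "SigAndRefsTimeStamp", "RefsOnlyTimeStamp",
                           "ArchiveTimeStamp")
} | {_q(XADES141, "ArchiveTimeStamp")}


def check_seal_structure(package_xml):
    """Return a list of rule violations; an empty list means the seal is structurally compliant."""
    root = ET.fromstring(package_xml)
    sig = root if root.tag == _q(DS, "Signature") else root.find(".//" + _q(DS, "Signature"))
    if sig is None:
        return ["no ds:Signature (seal) found in package"]
    violations = []
    # "The seal covers the complete package": for an enveloped seal this shows up as a
    # ds:Reference with URI="" (same-document reference with the enveloped-signature transform).
    refs = sig.findall(".//" + _q(DS, "Reference"))
    if not any(r.get("URI") == "" for r in refs):
        violations.append('no ds:Reference with URI="" covering the whole package')
    for label, tag in REQUIRED_ELEMENTS.items():
        if sig.find(".//" + tag) is None:
            violations.append("missing xades:%s" % label)
    for el in sig.iter():
        if el.tag in TIMESTAMP_ELEMENTS:
            violations.append("timestamp element present: %s" % el.tag.split("}")[1])
    return violations


# Constructed sample package (placeholder namespace and payloads) whose seal meets the rules.
COMPLIANT_SEAL = """<?xml version="1.0"?>
<Package xmlns="urn:example:ltv-sdo-placeholder" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
         xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">
  <Description><SignerDescription><SignerDisplayName>Kari Nordmann</SignerDisplayName></SignerDescription></Description>
  <ds:Signature Id="Seal">
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#SealProps" Type="http://uri.etsi.org/01903#SignedProperties">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:Object><xades:QualifyingProperties Target="#Seal">
      <xades:SignedProperties Id="SealProps">
        <xades:SignedSignatureProperties>
          <xades:SigningTime>2015-03-31T10:00:00Z</xades:SigningTime>
          <xades:SigningCertificate><xades:Cert/></xades:SigningCertificate>
        </xades:SignedSignatureProperties>
        <xades:SignedDataObjectProperties>
          <xades:DataObjectFormat ObjectReference="#ref-package"><xades:MimeType>text/xml</xades:MimeType></xades:DataObjectFormat>
        </xades:SignedDataObjectProperties>
      </xades:SignedProperties>
      <xades:UnsignedProperties><xades:UnsignedSignatureProperties>
        <xades:CertificateValues><xades:EncapsulatedX509Certificate>cGxhY2Vob2xkZXI=</xades:EncapsulatedX509Certificate></xades:CertificateValues>
        <xades:RevocationValues><xades:OCSPValues><xades:EncapsulatedOCSPValue>cGxhY2Vob2xkZXI=</xades:EncapsulatedOCSPValue></xades:OCSPValues></xades:RevocationValues>
      </xades:UnsignedSignatureProperties></xades:UnsignedProperties>
    </xades:QualifyingProperties></ds:Object>
  </ds:Signature>
</Package>
"""

# Same package with DataObjectFormat dropped and a SignatureTimeStamp added: two violations.
NONCOMPLIANT_SEAL = COMPLIANT_SEAL.replace(
    '<xades:DataObjectFormat ObjectReference="#ref-package"><xades:MimeType>text/xml</xades:MimeType></xades:DataObjectFormat>', ""
).replace(
    "</xades:UnsignedSignatureProperties>",
    "<xades:SignatureTimeStamp><xades:EncapsulatedTimeStamp>cGxhY2Vob2xkZXI=</xades:EncapsulatedTimeStamp>"
    "</xades:SignatureTimeStamp></xades:UnsignedSignatureProperties>",
)

if __name__ == "__main__":
    print("compliant:", check_seal_structure(COMPLIANT_SEAL))
    print("non-compliant:", check_seal_structure(NONCOMPLIANT_SEAL))
```

A clean result from this checker only says the seal has the right shape; the validation data it carries still has to be used to rebuild the certificate path against the trust anchors in Appendix A.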
7 General LTV-SDO Profile (normative)
7.1 Introduction
This chapter defines the general profile for use of LTV-SDO for packaging of electronic signatures for long-term validation. The rules here are to be followed by all packaging under this policy, regardless of signature type and other signature packaging policy rules.
The signature packaging policy will define a specific profile with additional rules.
7.2 About LTV-SDO profiles
The LTV-SDO format is a generic format for packaging electronic signatures for long-term validation. An LTV-SDO profile specifies how the LTV-SDO format is used for a specific means and in a specific context, by defining additional requirements and constraints on which XML elements and attributes must be present, their possible values, and the semantics of those values.
7.3 Description/SignerDescription
Element/Attribute | Semantics | Format/Possible values | Required |
SignerDisplayName | The signer's name | A string with the signer's name. | Yes |
SignerUniqueId | An ID that uniquely identifies the signer in the scope of the signature type. | Defined in the signature packaging policy | Yes |
SignerNationalId | The signer's national ID identifies the signer by some nationwide ID number. This value is tightly connected with SignerNationality and SignerNationalIdType. | Defined in the signature packaging policy | Defined in the signature packaging policy |
SignerNationality | The nationality for the SignerNationalId. | Defined in the signature packaging policy | When SignerNationalId is present |
SignerNationalIdType | The type of national ID given in SignerNationalId. | Defined in the signature packaging policy | When SignerNationalId is present |
7.4 Description/DocumentDescription
Element/Attribute | Semantics | Format/Possible values | Required |
DocumentMimeType | MIME type of the original document | A string with a valid MIME type. Example: “application/pdf” | Yes |
DocumentTitle | Short description of the original document, suitable to be used as a title. | A relatively short string with a document title. Example: “Loan Agreement” | Yes |
DocumentDigest | Digest of the original, unsigned document. The algorithm must be SHA-256 or better. | String containing the Base64-encoded hash of the document. | Yes |
DocumentDigest@alg | The actual hash algorithm used to compute the value of DocumentDigest | A string containing the algorithm identifier. Possible values are algorithm identifiers defined by W3C, for example: http://www.w3.org/2001/04/xmlenc#sha256 | Yes |
7.5 Description/SignatureDescription
Element/Attribute | Semantics | Format/Possible values | Required |
SignatureTypeFriendlyName | Descriptive name of the electronic signature type, suitable to present to the end user | Defined in the signature packaging policy | Yes |
SignatureFormatFriendlyName | Descriptive name of the electronic signature format, suitable to present to the end user. | Defined in the signature packaging policy | Yes |
SigningTime | An approximation of the time the signature was created. Collected by the verifier from a secure time source immediately after the signature is received from the signature creation client. | xades:SigningTime (XML DateTime) value. | Yes |
7.6 NativeSignature/NativeSdo
Element/Attribute | Semantics | Format/Possible values | Required |
(element content) | The electronic signature as produced by the native signature system. | String containing the Base64-encoded signature | Yes |
@Format | The format of the signed data object, as a Signicat format identifier. | Defined in the signature packaging policy | Yes |
@Version | The version of the format of the signed data object. | String containing the version number | Yes |
@MimeType | The MIME type of the signed data object. | Defined in the signature packaging policy | Yes |
7.7 NativeSignature/NativeSignatureQualifyingProperties
Element/Attribute | Semantics | Format/Possible values | Required |
SigningTime | The signing time, as collected by the TSP from a trusted time source | xades:SigningTime (XML DateTime) value | Yes |
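As an added example covering sections 7.3 to 7.7 (not Signicat's code and not derived from the LtvSdo XSD), the following Python builds the Description and NativeSignature parts of a package from plain dictionaries, computes DocumentDigest with SHA-256 and the W3C algorithm identifier given in 7.4, and enforces the Required column, including the rule that SignerNationality and SignerNationalIdType become mandatory as soon as SignerNationalId is present. The element names are taken from the tables above; the package namespace, the nesting of the elements under a Package root, and the Signicat format identifier in the sample are placeholders, since the real values are defined by the LtvSdo schema and the signature packaging policy.

```python
"""Builder and required-field checker for the General LTV-SDO Profile (added example, not Signicat's code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:example:ltv-sdo-placeholder"   # assumed namespace; the real one comes from the LtvSdo XSD
SHA256_ALG_URI = "http://www.w3.org/2001/04/xmlenc#sha256"   # W3C identifier named in section 7.4

# Required column of sections 7.3 to 7.5; the conditional pair is required only with SignerNationalId.
SIGNER_REQUIRED = ("SignerDisplayName", "SignerUniqueId")
SIGNER_CONDITIONAL = ("SignerNationality", "SignerNationalIdType")
DOCUMENT_REQUIRED = ("DocumentMimeType", "DocumentTitle")
SIGNATURE_REQUIRED = ("SignatureTypeFriendlyName", "SignatureFormatFriendlyName", "SigningTime")


def document_digest(original_document):
    """DocumentDigest per 7.4: Base64 of a SHA-256 hash of the original, unsigned document, plus @alg."""
    digest = hashlib.sha256(original_document).digest()
    return base64.b64encode(digest).decode("ascii"), SHA256_ALG_URI


def missing_fields(signer, document, signature):
    """List the profile fields that are required but absent or empty."""
    missing = [f for f in SIGNER_REQUIRED if not signer.get(f)]
    if signer.get("SignerNationalId"):
        missing += ["%s (required when SignerNationalId is present)" % f
                    for f in SIGNER_CONDITIONAL if not signer.get(f)]
    missing += [f for f in DOCUMENT_REQUIRED if not document.get(f)]
    missing += [f for f in SIGNATURE_REQUIRED if not signature.get(f)]
    return missing


def _child(parent, name, text=None, **attrs):
    """Append a namespaced child element with optional text and attributes."""
    el = ET.SubElement(parent, "{%s}%s" % (NS, name), attrs)
    if text is not None:
        el.text = text
    return el


def build_package(signer, document, signature, original_document, native_sdo, native_format):
    """Assemble Description and NativeSignature; raise ValueError if a required field is missing."""
    problems = missing_fields(signer, document, signature)
    if problems:
        raise ValueError("profile violations: " + ", ".join(problems))
    ET.register_namespace("ltv", NS)
    pkg = ET.Element("{%s}Package" % NS)
    desc = _child(pkg, "Description")
    # 7.3 SignerDescription: optional national-ID fields only when supplied
    sd = _child(desc, "SignerDescription")
    for name in SIGNER_REQUIRED + ("SignerNationalId",) + SIGNER_CONDITIONAL:
        if signer.get(name):
            _child(sd, name, signer[name])
    # 7.4 DocumentDescription: digest over the original, unsigned document
    dd = _child(desc, "DocumentDescription")
    _child(dd, "DocumentMimeType", document["DocumentMimeType"])
    _child(dd, "DocumentTitle", document["DocumentTitle"])
    value, alg = document_digest(original_document)
    _child(dd, "DocumentDigest", value, alg=alg)
    # 7.5 SignatureDescription
    sg = _child(desc, "SignatureDescription")
    for name in SIGNATURE_REQUIRED:
        _child(sg, name, signature[name])
    # 7.6 NativeSdo: the native signature, Base64-encoded, with its format attributes
    native = _child(pkg, "NativeSignature")
    _child(native, "NativeSdo", base64.b64encode(native_sdo).decode("ascii"),
           Format=native_format["Format"], Version=native_format["Version"],
           MimeType=native_format["MimeType"])
    # 7.7 NativeSignatureQualifyingProperties: the TSP-collected signing time
    qp = _child(native, "NativeSignatureQualifyingProperties")
    _child(qp, "SigningTime", signature["SigningTime"])
    return pkg


def package_xml(pkg):
    """Serialise the element tree to a string."""
    return ET.tostring(pkg, encoding="unicode")


# Constructed sample input; every value is illustrative, the national ID is deliberately fake.
SAMPLE_SIGNER = {"SignerDisplayName": "Kari Nordmann", "SignerUniqueId": "uid-placeholder-001",
                 "SignerNationalId": "00000000000", "SignerNationality": "NO",
                 "SignerNationalIdType": "placeholder-id-type"}
SAMPLE_DOCUMENT = {"DocumentMimeType": "application/pdf", "DocumentTitle": "Loan Agreement"}
SAMPLE_SIGNATURE = {"SignatureTypeFriendlyName": "Example e-ID (placeholder)",
                    "SignatureFormatFriendlyName": "Example SDO (placeholder)",
                    "SigningTime": "2015-03-31T10:00:00Z"}
SAMPLE_FORMAT = {"Format": "placeholder-format-id", "Version": "1.0", "MimeType": "application/octet-stream"}

if __name__ == "__main__":
    pkg = build_package(SAMPLE_SIGNER, SAMPLE_DOCUMENT, SAMPLE_SIGNATURE,
                        b"%PDF-1.4 constructed sample", b"constructed-native-signature", SAMPLE_FORMAT)
    print(package_xml(pkg))
```

The digest is taken over the original, unsigned document bytes exactly as the table says, so a relying party can later recompute it from the archived original and compare it with the sealed value without needing the native signature system.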
8 Appendix A (normative): Trust anchors used in validation of the seal
The following certificates are used as trust anchors in certificate path validation and OCSP response validation when validating the seal (the TSP signature).
8.1 Buypass Class 3 CA 1
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE1MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQABZ6OMySU9E2NdFm/soT4JXJEVKirZgCFP
Bdy7pYmrEzMqnji3jG8CcmPHc3ceCQa6Oyh7pEfJYWsICCD8igWKH7y6xsL+z27s
EzNxZy5p+qksP2bAEllNC1QCkoS72xLvg3BweMhT+t/Gxv/ciC8HwEmdMldg0/L2
mSlf56oBzKwzqBwKu5HEA6BvtjT5htOzdlSY9EqBs1OdTUDs5XcTRa9bqh/YL0yC
e/4qxFi7T/ye/QNlGioOw6UgFpRreaaiErS7GqQjel/wroQk5PMr+4okoyeYZdow
dXb8GZHo2+ubPzK/QJcHJrrM85SFSnonk8+QQtS4Wxam58tAA915
-----END CERTIFICATE-----
8.2 Buypass Class 3 CA 1 extended lifetime
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE2MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCFpYJ6LryjhPCuxwMa6pdG+o9tLL1AgTUU
WzJzPlbXKRJPkT60DiLptFhhcqu0/hEDz5hAkWXU6gydQlk3lZQodNLWj9Db+WyY
casAxUSacqSuR/RT7G+myQEJ4Bl+4cBFjTY6McWCNifctCsJMhlNm3puHNytqwRy
T2DoICHrURrzfaqnZ0hkNnf26Yhs0BDjWE/R+5SbzqmEVlLGVfZW8QzQMRNEnPkH
Mg3Ah6doPqjO+1+UAJgeI+dC9epf+iQgGlBdzw3NLYtqbs3fsHu2/40bbOum0qfI
Q8MLRyH/421x8g3MeJ7SAUQ8+fU5RzbkZUfnpGLIcH82viL3C9Pg
-----END CERTIFICATE-----
8.3 Buypass Class 3 Root CA
-----BEGIN CERTIFICATE-----
MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y
ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E
N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9
tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX
0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c
/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X
KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY
zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS
O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D
34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP
K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3
AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv
Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj
QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV
cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS
IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2
HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa
O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv
033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u
dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE
kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41
3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD
u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
-----END CERTIFICATE-----