W3C

XML Advanced Electronic Signatures (XAdES)

W3C Note 20 February 2003

This version:
http://www.w3.org/TR/2003/NOTE-XAdES-20030220/
Latest version:
http://www.w3.org/TR/XAdES/
Authors:
Juan Carlos Cruellas, UPC <cruellas@ac.upc.es>
Gregor Karlinger, IAIK <gregor.kerlinger@iaik.at>
Denis Pinkas, Bull <Denis.Pinkas@bull.net>
John Ross, Security and Standards <ross@secstan.com>
Editors:
Juan Carlos Cruellas, UPC <cruellas@ac.upc.es>
Gregor Karlinger, IAIK <gregor.kerlinger@iaik.at>
Krishna Sankar, Cisco <ksankar@cisco.com>
Contributor:
Krishna Sankar, Cisco <ksankar@cisco.com>

Abstract

This note (XAdES) extends the IETF/W3C XML-Signature Syntax and Processing specification [XMLDSIG] into the domain of non-repudiation by defining XML formats for advanced electronic signatures that remain valid over long periods, are compliant with the European "Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures" [EU-DIR-ESIG] (also denoted as "the Directive" or the "European Directive" in the rest of the present document) and incorporate additional useful information in common use cases. This includes evidence as to its validity even if the signer or verifying party later attempts to deny (repudiates) the validity of the signature.

An advanced electronic signature aligned with the present document can, in consequence, be used for arbitration in case of a dispute between the signer and verifier, which may occur at some later time, even years later.

This note adds six additional forms to [XMLDSIG]:

This note also articulates the following roles and their responsibilities with respect to signature validity:

Status of this Document

This document is a submission to the World Wide Web Consortium referred to the W3C Activity on XML Signature. For a full list of all acknowledged Submissions, please see Acknowledged Submissions to W3C.

This document is a NOTE made available by the W3C for discussion only. Publication of this Note by W3C indicates no endorsement by W3C or the W3C Team, or any W3C Members. W3C has had no editorial control over the preparation of this Note. This document is a work in progress and may be updated, replaced, or rendered obsolete by other documents at any time.

XAdES is based on the contents of the ETSI Technical Specification TS 101 903: XML Advanced Electronic Signatures (XAdES) [ESI-XAdES]. It was produced by STF 178 of the ETSI ESI Activity and is a result of discussions between ETSI ESI and members of the W3C Team.

ETSI holds the copyright to the published ETSI documents. ETSI itself does not hold IPRs on the technologies described within the documents. ETSI's members may hold IPRs on the technologies. Nevertheless, no essential IPRs have been declared to ETSI concerning electronic signatures.

A list of current W3C technical documents can be found at the Technical Reports page.

Table of Contents

1 Introduction
    1.1 Overview
    1.2 Definitions of Terms
    1.3 Editorial Conventions
2 XML Advanced Electronic Signature Data Structures
    2.1 Contents
        2.1.1 Contents of XAdES
        2.1.2 Contents of XAdES-T
        2.1.3 Contents of XAdES-C
    2.2 Extended forms of validation data
    2.3 Archive validation data
3 XML namespace for the present document
4 Syntax overview
    4.1 Technical criteria
    4.2 The QualifyingProperties
        4.2.1 SignedProperties
        4.2.2 UnsignedProperties
        4.2.3 SignedSignatureProperties
        4.2.4 SignedDataObjectProperties
        4.2.5 UnsignedSignatureProperties
        4.2.6 UnsignedDataObjectProperties
    4.3 Incorporating qualifying properties into an XML signature
        4.3.1 SigningProperties
        4.3.2 QualifyingPropertiesReference
5 Qualifying properties syntax
    5.1 Auxiliary syntax
        5.1.1 The AnyType data type
        5.1.2 The ObjectIdentifierType data type
        5.1.3 The EncapsulatedPKIDataType data type
        5.1.4 The TimeStampType data type
    5.2 Syntax for XAdES
        5.2.1 The SigningTime element
        5.2.2 The SigningCertificate element
        5.2.3 The SignaturePolicyIdentifier element
            5.2.3.1 Signature policy qualifiers
        5.2.4 The CounterSignature element
        5.2.5 The DataObjectFormat element
        5.2.6 The CommitmentTypeIndication element
        5.2.7 The SignatureProductionPlace element
        5.2.8 The SignerRole element
        5.2.9 The AllDataObjectsTimeStamp element
        5.2.10 The IndividualDataObjectsTimeStamp element
    5.3 Syntax for XAdES-T form
        5.3.1 The SignatureTimeStamp element
    5.4 Syntax for XAdES-C form
        5.4.1 The CompleteCertificateRefs element
        5.4.2 The CompleteRevocationRefs element
    5.5 Syntax for XAdES-X form
        5.5.1 The SigAndRefsTimeStamp element
        5.5.2 The RefsOnlyTimeStamp element
    5.6 Syntax for XAdES-X-L form
        5.6.1 The CertificateValues element
        5.6.2 The RevocationValues element
    5.7 Syntax for XAdES-A form
        5.7.1 The ArchiveTimeStamp element
6 Definitions
7 References
8 Appendix A. Schema Definitions
9 Appendix B. DTD
10 Appendix C. Incorporation of Qualifying Properties
11 Author's Address


1 Introduction

1.1 Overview

Electronic commerce is emerging as the future way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect the electronic signature is an important security component that can be used to protect information and provide trust in electronic business.

The European Directive [EU-DIR-ESIG] defines an electronic signature as: "data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication".

The present document is intended to cover electronic signatures for various types of transactions, including business transactions (e.g. purchase requisition, contract, and invoice applications). Thus the present document can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc.

An electronic signature produced in accordance with the present document provides evidence that can be processed to get confidence that some commitment has been explicitly endorsed under a signature policy, at a given time, by a signer under an identifier, e.g. a name or a pseudonym, and optionally a role. The signature policy specifies the technical and procedural requirements on signature creation and validation in order to meet a particular business need. A given legal/contractual context may recognize a particular signature policy as meeting its requirements. For example, a specific signature policy may be recognized by court of law as meeting the requirements of the European Directive for electronic commerce.

The ETSI standard TS 101 733 [ESI] defines formats for advanced electronic signatures that remain valid over long periods, are compliant with the European Directive [EU-DIR-ESIG] and incorporate additional useful information in common use cases (such as an indication of the commitment undertaken by the signer in producing the signature). Currently, it uses Abstract Syntax Notation 1 (ASN.1) and is based on the structure defined in RFC 2630 [CMS] (in the present document the signatures aligned with this RFC will be denoted as [CMS] signatures).

TS 101 733 [ESI]:

  • Defines new ASN.1 types able to contain information for qualifying the [CMS] signatures so that they fulfil the aforementioned requirements.

  • Specifies how this qualifying information must be incorporated to the [CMS] signatures.

Currently, the IETF/W3C XML-Signature Working Group has developed a syntax for XML signatures: "XML-Signature Syntax and Processing" [XMLDSIG]. This syntax provides basic functionality for digitally signing several data objects at the same time. It also provides basic means to incorporate any kind of needed qualifying information.

The present document defines XML formats for advanced electronic signatures that remain valid over long periods, are compliant with the European Directive [EU-DIR-ESIG] and incorporate additional useful information in common use cases, by:

  • Proposing XML schema [XML-schema-part-1][XML-schema-part-2] definitions for new XML types able to contain the information needed to fulfil the requirement of long term validity and those ones imposed by current use cases and the European Directive [EU-DIR-ESIG].

  • Specifying the mechanisms used to produce the aforementioned addition of this qualifying information.

The present document specifies two main types of properties: signed properties and unsigned properties. The first ones are additional data objects that are also secured by the signature produced by the signer on the ds:SignedInfo element, which implies that the signer has these data objects, computes a hash for all of them and generates the corresponding ds:Reference element. The unsigned properties are data objects added by the signer, by the verifier or by other parties after the production of the signature. They are not secured by the signature in the ds:Signature element (the one computed by the signer); however they can be actually signed by other parties (time-stamps, countersignatures, certificates and CRLs are also signed data objects).

1.2 Definitions of Terms

The following terms are used within this document with the particular meaning indicated below:

1.3 Editorial Conventions

Throughout the rest of the present document, the terms "qualifying information", "properties" or "qualifying properties" will be used to refer to the information added to the [XMLDSIG] signature to get an XML Advanced Electronic Signature as specified in this document.

For the present document the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in RFC2119 [Keywords]:

2 XML Advanced Electronic Signature Data Structures

The present document defines different forms of electronic signatures, each one satisfying requirements that will be shown in the corresponding clauses.

The current clause presents the first three forms: the XML Advanced Electronic Signature (XAdES), the XAdES with Time-Stamp (XAdES-T) and the XAdES with Complete VALIDATION DATA (XAdES-C). Clause 2.2 Extended forms of validation data introduces extended forms to the XAdES (XAdES-X and XAdES-X-L) to meet additional requirements. Finally, clause 2.3 Archive validation data presents the format for archiving signatures in a way that they are protected if the cryptographic data become weak (XAdES-A).

The first three forms are the following ones:

The XAdES satisfies the legal requirements for advanced electronic signatures as defined in the European Directive [EU-DIR-ESIG] on electronic signatures. It provides basic authentication and integrity protection and can be created without accessing on-line (time-stamping) services. However, without the addition of a time-stamp or a secure time record the electronic signature does not protect against the threat that the signer later denies having created the electronic signature (i.e. does not provide non-repudiation of its existence).

The XAdES-T timestamp should be created close to the time that XAdES was created to provide protection against repudiation. At this time all the data needed to complete the validation may not be available but what information is readily available may be used to carry out some of the initial checks. For example, only part of the revocation information may be available for verification at that point in time.

Support for XAdES-C by the verifier is mandated as soon as there is a need for a subsequent verification.

The signer shall provide at least the XAdES form, but in some cases may decide to provide the XAdES-T form and in the extreme case could provide the XAdES-C form. If the signer does not provide XAdES-T, the verifier shall either create the XAdES-T on first receipt of an electronic signature or shall keep a secure record of the current time with the XAdES. Either of these two approaches provides independent evidence of the existence of the signature at the time it was first verified, which should be near the time it was created, and so protects against later repudiation of the existence of the signature. If the signer does not provide XAdES-C, the verifier shall create the XAdES-C when the complete set of revocation and other validation data is available. Generally, the XAdES-C form cannot be created at the same time as the XAdES, as it is necessary to allow time for any revocation information to be captured. Also, if a certificate is found to be temporarily suspended, it will be necessary to wait until the end of the suspension period.

The signer should only create the XAdES-C in situations where it was prepared to wait for a sufficient length of time after creating the XAdES form before dispatching the XAdES-C. This, however, has the advantage that the verifier can be presented with the complete set of data supporting the validity of the XAdES.

An XML Advanced Electronic Signature XAdES is illustrated in figure 1.


Figure 1. Illustration of a XAdES

Below follows the structure of the XAdES built by direct incorporation of the qualifying information, in the corresponding new XML elements, into the [XMLDSIG] signature (see clause 4.3 Incorporating qualifying properties into an XML signature for further details). In the example "?" denotes zero or one occurrence; "+" denotes one or more occurrences; and "*" denotes zero or more occurrences.

The XML schema definition in clause 5 Qualifying properties syntax defines the prefix "ds" for all the XML elements already defined in [XMLDSIG], and states that the default namespace is the one defined for the present document. In consequence, in the examples of this clause, the elements already defined in [XMLDSIG] appear with the prefix "ds", whereas the new XML elements defined in the present document appear without prefix.

                              XMLDSIG 
                                   |
<ds:Signature ID?>- - - - - - - - -+- - - - -+
  <ds:SignedInfo>                  |         |
    <ds:CanonicalizationMethod/>   |         |
    <ds:SignatureMethod/>          |         |
    (<ds:Reference URI? >          |         |
      (<ds:Transforms>)?           |         |
      <ds:DigestMethod>            |         |
      <ds:DigestValue>             |         |
    </ds:Reference>)+              |         |
  </ds:SignedInfo>                 |         |
  <ds:SignatureValue>              |         |
  (<ds:KeyInfo>)?- - - - - - - - - +         |
                                             |
  <ds:Object>                                |
                                             |
    <QualifyingProperties>                   |
                                             |
      <SignedProperties>                     |
                                             |
        <SignedSignatureProperties>          |
          (SigningTime)                      |
          (SigningCertificate)               |
          (SignaturePolicyIdentifier)        |
          (SignatureProductionPlace)?        |
          (SignerRole)?                      |
        </SignedSignatureProperties>         |
                                             |
        <SignedDataObjectProperties>         |
          (DataObjectFormat)*                |
          (CommitmentTypeIndication)*        |
          (AllDataObjectsTimeStamp)*         |
          (IndividualDataObjectsTimeStamp)*  |
        </SignedDataObjectProperties>        |
                                             |
      </SignedProperties>                    |
                                             |
      <UnsignedProperties>                   |
                                             |
        <UnsignedSignatureProperties>        |
          (CounterSignature)*                |
        </UnsignedSignatureProperties>       |
                                             |
      </UnsignedProperties>                  |
                                             |
    </QualifyingProperties>                  |
                                             |
  </ds:Object>                               |
                                             |
</ds:Signature>- - - - - - - - - - - - - - - +
                                             |
                                          XAdES
                       

Readers must take into account that the XAdES forms build on the [XMLDSIG] signature by adding new XML elements containing qualifying information within the shown [XMLDSIG] ds:Object element, according to the rules defined in the present document. This ds:Object element will act as a bag for the whole set of qualifying properties defined in the present document, conveniently grouped.

Other [XMLDSIG] ds:Object elements with different contents CAN be added within the structure shown above to satisfy requirements other than the ones expressed in the present document. This also applies to the rest of the examples of structures of XAdES forms shown in this clause.

Detailed explanation of the purposes of each property will be given throughout clause 5 Qualifying properties syntax.

An XML Advanced Electronic Signature (XAdES), with the additional validation data forming the XAdES-T and XAdES-C, is illustrated in figure 2.


Figure 2. Illustration of a XAdES, XAdES-T and XAdES-C

Below follows the structure of the XAdES-T signature.

                              XMLDSIG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - +- - - +
  <ds:SignedInfo>                 |        |      |
    <ds:CanonicalizationMethod/>  |        |      |
    <ds:SignatureMethod/>         |        |      |
    (<ds:Reference URI? >         |        |      |
      (<ds:Transforms>)?          |        |      |
      <ds:DigestMethod>           |        |      |
      <ds:DigestValue>            |        |      |
    </ds:Reference>)+             |        |      |
  </ds:SignedInfo>                |        |      |
  <ds:SignatureValue>             |        |      |
  (<ds:KeyInfo>)? - - - - - - - - +        |      |
                                           |      |
  <ds:Object>                              |      |
                                           |      |
    <QualifyingProperties>                 |      |
                                           |      |
      <SignedProperties>                   |      |
                                           |      |
        <SignedSignatureProperties>        |      |
          (SigningTime)                    |      |
          (SigningCertificate)             |      |
          (SignaturePolicyIdentifier)      |      |
          (SignatureProductionPlace)?      |      |
          (SignerRole)?                    |      |
        </SignedSignatureProperties>       |      |
                                           |      |
        <SignedDataObjectProperties>       |      |
          (DataObjectFormat)*              |      |
          (CommitmentTypeIndication)*      |      |
          (AllDataObjectsTimeStamp)*       |      |
          (IndividualDataObjectsTimeStamp)*|      |
        </SignedDataObjectProperties>      |      |
                                           |      |
      </SignedProperties>                  |      |
                                           |      |
      <UnsignedProperties>                 |      |
                                           |      |
        <UnsignedSignatureProperties>      |      |
          (CounterSignature)*- - - - - - - +      |
          (SignatureTimeStamp)+                   |
        </UnsignedSignatureProperties>- - -+      |
                                           |      |
      </UnsignedProperties>                |      |
                                           |      |
    </QualifyingProperties>                |      |
                                           |      |
  </ds:Object>                             |      |
                                           |      |
</ds:Signature>- - - - - - - - - - - - - - +- - - +
                                           |      |
                                        XAdES     |
                                                  |
                                             XAdES-T
                       

Below follows the structure for XAdES-C.

                             XMLDSIG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - - +-+-+
  <ds:SignedInfo>                 |            | | |
    <ds:CanonicalizationMethod/>  |            | | |
    <ds:SignatureMethod/>         |            | | |
   (<ds:Reference URI? >          |            | | |
      (<ds:Transforms>)?          |            | | |
      <ds:DigestMethod>           |            | | |
      <ds:DigestValue>            |            | | |
    </ds:Reference>)+             |            | | |
  </ds:SignedInfo>                |            | | |
  <ds:SignatureValue>             |            | | |
  (<ds:KeyInfo>)? - - - - - - - - +            | | |
                                               | | |
  <ds:Object>                                  | | |
                                               | | |
    <QualifyingProperties>                     | | |
                                               | | |
      <SignedProperties>                       | | |
                                               | | |
        <SignedSignatureProperties>            | | |
        (SigningTime)                          | | |
        (SigningCertificate)                   | | |
        (SignaturePolicyIdentifier)            | | |
        (SignatureProductionPlace)?            | | |
        (SignerRole)?                          | | |
      </SignedSignatureProperties>             | | |
                                               | | |
      <SignedDataObjectProperties>             | | |
        (DataObjectFormat)*                    | | |
        (CommitmentTypeIndication)*            | | |
        (AllDataObjectsTimeStamp)*             | | |
        (IndividualDataObjectsTimeStamp)*      | | |
      </SignedDataObjectProperties>            | | |
                                               | | |
      </SignedProperties>                      | | |
                                               | | |
      <UnsignedProperties>                     | | |
                                               | | |
        <UnsignedSignatureProperties>          | | |
          (CounterSignature)*- - - - - - - - - + | |
          (SignatureTimeStamp)+- - - - - - - - - + |
          (CompleteCertificateRefs)                |
          (CompleteRevocationRefs)                 |
        </UnsignedSignatureProperties>- - - -  +-+ |
                                               | | |
       </UnsignedProperties>                   | | |
                                               | | |
    </QualifyingProperties>                    | | |
                                               | | |
  </ds:Object>                                 | | |
                                               | | |
</ds:Signature>- - -  - - - - - - - - - - - - -+-+-+
                                               | | |
                                           XAdES | |
                                                 | |
                                           XAdES-T |
                                                   |
                                              XAdES-C

2.1 Contents

2.1.1 Contents of XAdES

As it has been stated, a XAdES signature will build on [XMLDSIG] by incorporation of one ds:Object that will be the bag for the whole set of qualifying properties. Some of them will be signed (signed qualifying information grouped within one new element, SignedProperties, see clause 4.2.1 SignedProperties) and others will not be signed (unsigned qualifying information, grouped within the UnsignedProperties element, see clause 4.2.2 UnsignedProperties).

In a XAdES the signature SHALL be applied in the usual way of [XMLDSIG] over the data object(s) to be signed and on the whole set of signed properties (SignedProperties element). The mandatory information in the SignedProperties element is:

  • An unambiguous reference to the signer's certificate, e.g. the certificate itself or a reference to it together with a hash value of the certificate. This is particularly important when a signer holds a number of different certificates containing the same public key, to avoid claims by a verifier that the signature implies another certificate with different semantics. This is also important when the signer holds different certificates containing different public keys in order to provide the verifier with the correct signature verification data. Finally, it is also important in case the issuing key of the CA providing the certificate would be compromised (clause 5.2.2 The SigningCertificate element).

  • An unambiguous way allowing the identification of the signature policy under which the electronic signature has been produced (clause 5.2.3 The SignaturePolicyIdentifier element). This will ensure that the verifier will be able to use the same signature policy during the verification process. A signature policy is needed to clarify the precise role and commitments that the signer intends to assume with respect to the signed data object, and to avoid claims by the verifier that a different signature policy was implied by the signer.

  • The signing time, specifying the time at which the signer claims to have performed the signing process (clause 5.2.1 The SigningTime element).

In addition, the signature can also cover other signed properties containing the following information:

  • The data object(s) format(s), identifying the format of a signed data object (when electronic signatures are not exchanged in a restricted context) so that the verifier can present or use it (text, sound or video) in exactly the way intended by the signer (clause 5.2.5 The DataObjectFormat element).

  • The commitment type(s) undertaken by the signer in signing (a) signed data object(s) in the context of the selected signature policy (when an explicit commitment is being used). This will be required where a Signature Policy specifies more than a single commitment type, each of which might have different legal interpretations of the intent of the signature (e.g. proof of origin, proof of receipt, proof of creation...) (clause 5.2.6 The CommitmentTypeIndication element).

  • The claimed or certified role assumed by the signer in creating the signature (clause 5.2.8 The SignerRole element).

  • The purported place where the signer claims to have produced the signature (clause 5.2.7 The SignatureProductionPlace element).

2.1.2 Contents of XAdES-T

The signer or the verifier can build an XAdES-T by adding to the existing XAdES (as a child of the UnsignedProperties element) an XML element (clause 5.1.3 The EncapsulatedPKIDataType data type) encapsulating a time-stamp on the [XMLDSIG] digital signature value, generated by a TSA to prove that the electronic signature was performed before that time (clause 5.3.1 The SignatureTimeStamp element).

2.1.3 Contents of XAdES-C

The signer or the verifier of an electronic signature can create the XAdES-C form by incorporating into the XAdES-T references to the complete set of data supporting its validity (certificate path, certificate revocation lists, OCSP responses [OCSP], etc). The signer or the verifier will create this form by incorporating these references into the XAdES-T, within an XML element whose definition will be given in the present document (clauses 5.4.1 The CompleteCertificateRefs element and 5.4.2 The CompleteRevocationRefs element). This element will be added as a child of the UnsignedProperties element.

2.2 Extended forms of validation data

The complete validation data (XAdES-C) described above may be extended to form an XAdES with eXtended validation data (XAdES-X) to meet the following additional requirements.

  • Firstly, if there is a risk that any keys used in the certificate chain or in the revocation status information may be compromised. The case of a broken algorithm is different and is addressed later on in the archived form of an electronic signature. In that case it is necessary to additionally time-stamp all the certification path references and revocation status references contained in the XAdES-C (see clause 5.5.2 The RefsOnlyTimeStamp element). Alternatively, the time-stamp can be applied to the digital signature (ds:Signature element), the time-stamp(s) present in the XAdES-T form and the aforementioned references (see clause 5.5.1 The SigAndRefsTimeStamp element).

  • Secondly, when the certification path data and revocation status data is not stored for the long term elsewhere, then there is a need to add them to the signature (XAdES-X-L).

Figure 3. Illustration of XAdES-X and XAdES-X-L (figure not reproduced)

Note it may be possible to omit the time-stamp over certification path references and revocation status references while still adding the certification path data and revocation status data.

The XAdES-X validation data is created by adding to a previously generated XAdES-C a time-stamp over the references to the complete set of data supporting its validity, or over the sequence formed by the ds:SignatureValue element, the previous time-stamp(s) present in the XAdES-T form and the aforementioned references. Again, this new form will be achieved by adding an XML element conveniently encapsulating this time-stamp (see clauses 5.5.1 The SigAndRefsTimeStamp element and 5.5.2 The RefsOnlyTimeStamp element). This element will be added as a child of the UnsignedProperties element.

The XAdES-X-L will be produced by incorporating the certificate path and revocation information (CRLs or OCSP responses) conveniently encapsulated by XML elements (see clauses 5.6.1 The CertificateValues element and 5.6.2 The RevocationValues element). These elements will be added as children of the UnsignedProperties element.

Below follows the XAdES-X structure.

                                XMLDSIG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - - +-+-+-+
  <ds:SignedInfo>                 |            | | | |
    <ds:CanonicalizationMethod/>  |            | | | |
    <ds:SignatureMethod/>         |            | | | |
    (<ds:Reference URI? >         |            | | | |
      (<ds:Transforms>)?          |            | | | |
      <ds:DigestMethod>           |            | | | |
      <ds:DigestValue>            |            | | | |
    </ds:Reference>)+             |            | | | |
  </ds:SignedInfo>                |            | | | |
  <ds:SignatureValue>             |            | | | |
  (<ds:KeyInfo>)? - - - - - - - - +            | | | |
                                               | | | |
  <ds:Object>                                  | | | |
                                               | | | |
    <QualifyingProperties>                     | | | |
                                               | | | |
      <SignedProperties>                       | | | |
                                               | | | |
        <SignedSignatureProperties>            | | | |
          (SigningTime)                        | | | |
          (SigningCertificate)                 | | | |
          (SignaturePolicyIdentifier)          | | | |
          (SignatureProductionPlace)?          | | | |
          (SignerRole)?                        | | | |
        </SignedSignatureProperties>           | | | |
                                               | | | |
        <SignedDataObjectProperties>           | | | |
          (DataObjectFormat)*                  | | | |
          (CommitmentTypeIndication)*          | | | |
          (AllDataObjectsTimeStamp)*           | | | |
          (IndividualDataObjectsTimeStamp)*    | | | |
        </SignedDataObjectProperties>          | | | |
                                               | | | |
      </SignedProperties>                      | | | |
                                               | | | |
      <UnsignedProperties>                     | | | |
                                               | | | |
        <UnsignedSignatureProperties>          | | | |
          (CounterSignature)*- - - - - - - - - + | | |
          (SignatureTimeStamp)+- - - - - - - -   + | |
          (CompleteCertificateRefs)                | |
          (CompleteRevocationRefs)- - - - - - - - -+ |
          ((SigAndRefsTimeStamp)* |                  |
          (RefsOnlyTimeStamp)*)                      |
        </UnsignedSignatureProperties>- - - - -+-+-+ |
                                               | | | |
      </UnsignedProperties>                    | | | |
                                               | | | |
    </QualifyingProperties>                    | | | |
                                               | | | |
  </ds:Object>                                 | | | |
</ds:Signature>- - - - - - - - - - - - - - - - +-+-+-+
                                               | | | |
                                           XAdES | | |
                                                 | | |
                                           XAdES-T | |
                                                   | |
                                             XAdES-C |
                                                     |
                                               XAdES-X
                                       

The structure for XAdES-X-L is shown below.

                                XMLDSIG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - +-+-+-+-+
  <ds:SignedInfo>                 |          | | | | |
    <ds:CanonicalizationMethod/>  |          | | | | |
    <ds:SignatureMethod/>         |          | | | | |
    (<ds:Reference URI? >         |          | | | | |
      (<ds:Transforms>)?          |          | | | | |
      <ds:DigestMethod>           |          | | | | |
      <ds:DigestValue>            |          | | | | |
    </ds:Reference>)+             |          | | | | |
  </ds:SignedInfo>                |          | | | | |
  <ds:SignatureValue>             |          | | | | |
  (<ds:KeyInfo>)?  - - - - - - - -+          | | | | |
                                             | | | | |
  <ds:Object>                                | | | | |
                                             | | | | |
    <QualifyingProperties>                   | | | | |
                                             | | | | |
      <SignedProperties>                     | | | | |
                                             | | | | |
        <SignedSignatureProperties>          | | | | |
          (SigningTime)                      | | | | |
          (SigningCertificate)               | | | | |
          (SignaturePolicyIdentifier)        | | | | |
          (SignatureProductionPlace)?        | | | | |
          (SignerRole)?                      | | | | |
        </SignedSignatureProperties>         | | | | |
                                             | | | | |
        <SignedDataObjectProperties>         | | | | |
          (DataObjectFormat)*                | | | | |
          (CommitmentTypeIndication)*        | | | | |
          (AllDataObjectsTimeStamp)*         | | | | |
          (IndividualDataObjectsTimeStamp)*  | | | | |
        </SignedDataObjectProperties>        | | | | |
                                             | | | | |
      </SignedProperties>                    | | | | |
                                             | | | | |
      <UnsignedProperties>                   | | | | |
                                             | | | | |
        <UnsignedSignatureProperties>        | | | | |
          (CounterSignature)*- - - - - - - - + | | | |
          (SignatureTimeStamp)+- - - - - - - - + | | |
          (CompleteCertificateRefs)              | | |
          (CompleteRevocationRefs)- - - - - - - -+ | |
          ((SigAndRefsTimeStamp)*  |               | |
          (RefsOnlyTimeStamp)*)- - - - - - - - - - + |
          (CertificateValues)                        |
          (RevocationValues)                         |
        </UnsignedSignatureProperties>- - - -+-+-+-+ |
                                             | | | | |
      </UnsignedProperties>                  | | | | |
                                             | | | | |
    </QualifyingProperties>                  | | | | |
                                             | | | | |
  </ds:Object>                               | | | | |
</ds:Signature>- - - - - - - - - - - - - - - +-+-+-+-+
                                             | | | | |
                                         XAdES | | | |
                                               | | | |
                                         XAdES-T | | |
                                                 | | |
                                           XAdES-C | |
                                                   | |
                                             XAdES-X |
                                                     |
                                              XAdES-X-L
                                       

2.3 Archive validation data

Before the algorithms, keys and other cryptographic data used at the time the XAdES-C was built become weak and the cryptographic functions become vulnerable, the XAdES-X-L should be time-stamped. If possible this should use stronger algorithms (or longer key lengths) than in the original time-stamps. This additional data and time-stamp is called Archive Validation Data (XAdES-A). The time-stamping process may be repeated every time the protection used to time-stamp a previous XAdES-A becomes weak. A XAdES-A may thus bear multiple embedded time-stamps.

Support for XAdES-A is optional.

An example of an XML Advanced Electronic Signature (XAdES), with the additional validation data for the XAdES-C and XAdES-X-L time-stamped forming the XAdES-A is illustrated in figure 4.

Figure 4. Illustration of XAdES-A (figure not reproduced)

Below follows the structure of XAdES-A.

                                XMLDSIG
                                  |
<ds:Signature ID?>- - - - - - - - +- - - - - +-+-+-+-+-+
  <ds:SignedInfo>                 |          | | | | | |
    <ds:CanonicalizationMethod/>  |          | | | | | |
    <ds:SignatureMethod/>         |          | | | | | |
    (<ds:Reference (URI=)? >      |          | | | | | |
      (<ds:Transforms>)?          |          | | | | | |
      <ds:DigestMethod>           |          | | | | | |
      <ds:DigestValue>            |          | | | | | |
    </ds:Reference>)+             |          | | | | | |
  </ds:SignedInfo>                |          | | | | | |
  <ds:SignatureValue>             |          | | | | | |
  (<ds:KeyInfo>)? - - - - - - - - +          | | | | | |
  <ds:Object>                                | | | | | |
                                             | | | | | |
    <QualifyingProperties>                   | | | | | |
                                             | | | | | |
      <SignedProperties>                     | | | | | |
                                             | | | | | |
        <SignedSignatureProperties>          | | | | | |
          (SigningTime)                      | | | | | |
          (SigningCertificate)               | | | | | |
          (SignaturePolicyIdentifier)        | | | | | |
          (SignatureProductionPlace)?        | | | | | |
          (SignerRole)?                      | | | | | |
        </SignedSignatureProperties>         | | | | | |
                                             | | | | | |
        <SignedDataObjectProperties>         | | | | | |
          (DataObjectFormat)*                | | | | | |
          (CommitmentTypeIndication)*        | | | | | |
          (AllDataObjectsTimeStamp)*         | | | | | |
          (IndividualDataObjectsTimeStamp)*  | | | | | |
        </SignedDataObjectProperties>        | | | | | |
                                             | | | | | |
      </SignedProperties>                    | | | | | |
                                             | | | | | |
      <UnsignedProperties>                   | | | | | |
                                             | | | | | |
        <UnsignedSignatureProperties>        | | | | | |
          (CounterSignature)*- - - - - - - - + | | | | |
          (SignatureTimeStamp)+- - - - - - - - + | | | |
          (CompleteCertificateRefs)              | | | |
          (CompleteRevocationRefs)- - - - - - - -+ | | |
          ((SigAndRefsTimeStamp)*  |               | | |
          (RefsOnlyTimeStamp)*)- - - - - - - - - - + | |
          (CertificateValues)                        | |
          (RevocationValues)- - - - - - - - - - - - -+ |
          (ArchiveTimeStamp)+                          |
        </UnsignedSignatureProperties>- - - -+-+-+-+-+ |
                                             | | | | | |
      </UnsignedProperties>                  | | | | | |
                                             | | | | | |
    </QualifyingProperties>                  | | | | | |
                                             | | | | | |
  </ds:Object>                               | | | | | |
                                             | | | | | |
</ds:Signature>- - - - - - - - - - - - - - - +-+-+-+-+-+
                                             | | | | | |
                                         XAdES | | | | |
                                               | | | | |
                                         XAdES-T | | | |
                                                 | | | |
                                           XAdES-C | | |
                                                   | | |
                                             XAdES-X | |
                                                     | |
                                             XAdES-X-L |
                                                       |
                                                 XAdES-A
                               

This form will be produced by adding to the XAdES-X-L XML elements containing conveniently encapsulated time-stamps. The time-stamps will be computed over data within the previous structure: the XAdES-X-L for the first one, the XAdES-X-L plus the other time-stamps for the following ones (see clause 5.7.1 The ArchiveTimeStamp element). These elements will be added as children of the UnsignedProperties element.

3 XML namespace for the present document

The XML namespace URI that must be used by implementations of the present document:

http://uri.etsi.org/01903/v1.1.1#

The following namespace declarations apply for the XML schema definitions throughout the present document:

<?xml version="1.0"?>
<schema
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://uri.etsi.org/01903/v1.1.1#"
  targetNamespace="http://uri.etsi.org/01903/v1.1.1#"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  elementFormDefault="qualified"
>

4 Syntax overview

This clause introduces the syntax for adding qualifying information to an XML signature.

Clause 4.1 Technical criteria lists a set of technical criteria that have been taken into account for this syntax proposal.

Clause 4.2 The QualifyingProperties specifies an XML element that acts as a container for the qualifying information. Additionally it describes the connection between the XML signature and this container element.

Clause 4.3 Incorporating qualifying properties into an XML signature shows two ways of incorporating such qualifying information into [XMLDSIG].

4.1 Technical criteria

The following considerations have been taken into account for the syntax specification for qualifying information on XML signatures.

  • The present document specifies how to add qualifying information to an XML signature such that it satisfies both the requirements for an Advanced Electronic Signature according to the European Directive [EU-DIR-ESIG] and for remaining valid over a long period of time. TS 101 733 [ESI] identifies all the required information to be added in order to satisfy those requirements. Additionally it defines appropriate data structures for those qualifying properties using ASN.1, which fit [CMS]-style electronic signatures. The aim of the present document is to specify similar XML qualifying properties that carry such qualifying information and are used to amend [XMLDSIG].

  • The new XML qualifying properties should not be the result of a stubborn translation process from ASN.1 to XML. This would mean neglecting syntactic differences between [CMS] and [XMLDSIG] such as the possible number of signers and multiple signed data objects covered by a single signature, as well as ignoring powerful features of the XML environment such as linking information by using Uniform Resource Identifiers [URI].

  • XML Schema [XML-schema-part-1][XML-schema-part-2] has been chosen as the normative language for defining the new XML structures in the present document rather than the DTD vocabulary defined in XML 1.0 [XML], since it is namespace aware, allows reuse of existing structures and allows a stricter definition of the allowed contents. However, a DTD of the new XML structures is provided as informative annex of the present document.

  • XML structures that have been defined in related XML standards such as XML Schema [XML-schema-part-2] and XML-Signature Syntax and Processing [XMLDSIG] have been reused where appropriate.

4.2 The QualifyingProperties

The QualifyingProperties element acts as a container element for all the qualifying information that should be added to an XML signature. The element has the following structure:

<xsd:element name="QualifyingProperties" type="QualifyingPropertiesType"/>
<xsd:complexType name="QualifyingPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedProperties" type="SignedPropertiesType"
      minOccurs="0"/>
    <xsd:element name="UnsignedProperties" type="UnsignedPropertiesType"
      minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Target" type="xsd:anyURI" use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>
                               

The qualifying properties are split into properties that are cryptographically bound to (i.e. signed by) the XML signature (SignedProperties), and properties that are not cryptographically bound to the XML signature (UnsignedProperties).

The SignedProperties must be covered by a Reference element of the XML signature. Alignment with the present document mandates that one SignedProperties element MUST exist.

The mandatory Target attribute refers to the XML signature with which the qualifying properties are associated.

The optional Id attribute can be used to make a reference to the QualifyingProperties container.

4.2.1 SignedProperties

The SignedProperties element contains a number of properties that are collectively signed by the [XMLDSIG] signature.

Alignment with the present document mandates that an element SignedSignatureProperties MUST appear.

Below follows the schema definition for SignedProperties element.

<xsd:element name="SignedProperties" type="SignedPropertiesType" />
<xsd:complexType name="SignedPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedSignatureProperties"
      type="SignedSignaturePropertiesType"/>
    <xsd:element name="SignedDataObjectProperties"
      type="SignedDataObjectPropertiesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>
                                       

The SignedProperties element MUST contain properties that qualify the [XMLDSIG] signature itself or the signer. They are included as content of the SignedSignatureProperties element.

The SignedProperties element MAY also contain properties that qualify some of the signed data objects. These properties appear as content of the SignedDataObjectProperties element.

The optional Id attribute can be used to make a reference to the SignedProperties element.

4.2.2 UnsignedProperties

The UnsignedProperties element contains a number of properties that are not signed by the [XMLDSIG] signature.

<xsd:element name="UnsignedProperties" type="UnsignedPropertiesType" />
<xsd:complexType name="UnsignedPropertiesType">
  <xsd:sequence>
    <xsd:element name="UnsignedSignatureProperties"
      type="UnsignedSignaturePropertiesType" minOccurs="0"/>
    <xsd:element name="UnsignedDataObjectProperties"
      type="UnsignedDataObjectPropertiesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>
                                       

The UnsignedProperties element MAY contain properties that qualify the XML signature itself or the signer. They are included as content of the UnsignedSignatureProperties element.

The UnsignedProperties element MAY also contain properties that qualify some of the signed data objects. These properties appear as content of the UnsignedDataObjectProperties element.

The optional Id attribute can be used to make a reference to the UnsignedProperties element.

4.2.3 SignedSignatureProperties

This element contains properties that qualify the XML signature that has been specified with the Target attribute of the QualifyingProperties container element.

<xsd:element name="SignedSignatureProperties" type="SignedSignaturePropertiesType"/>

<xsd:complexType name="SignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="SigningTime" type="xsd:dateTime"/>
    <xsd:element name="SigningCertificate" type="CertIDListType"/>
    <xsd:element name="SignaturePolicyIdentifier"
      type="SignaturePolicyIdentifierType"/>
    <xsd:element name="SignatureProductionPlace" type="SignatureProductionPlaceType" 
     minOccurs="0"/>
    <xsd:element name="SignerRole" type="SignerRoleType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>
                                       

The qualifying property SigningTime is described in detail in clause 5.2.1 The SigningTime element, SigningCertificate in clause 5.2.2 The SigningCertificate element, SignaturePolicyIdentifier in clause 5.2.3 The SignaturePolicyIdentifier element, SignatureProductionPlace in clause 5.2.7 The SignatureProductionPlace element, and SignerRole in clause 5.2.8 The SignerRole element.

4.2.4 SignedDataObjectProperties

This element contains properties that qualify some of the signed data objects.

<xsd:element name="SignedDataObjectProperties" type="SignedDataObjectPropertiesType"/>

<xsd:complexType name="SignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="DataObjectFormat" type="DataObjectFormatType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CommitmentTypeIndication" 
      type="CommitmentTypeIndicationType" minOccurs="0" 
      maxOccurs="unbounded"/>
    <xsd:element name="AllDataObjectsTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="IndividualDataObjectsTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
                                       

The qualifying property AllDataObjectsTimeStamp is described in detail in clause 5.2.9 The AllDataObjectsTimeStamp element, IndividualDataObjectsTimeStamp in clause 5.2.10 The IndividualDataObjectsTimeStamp element, DataObjectFormat in clause 5.2.5 The DataObjectFormat element, and CommitmentTypeIndication in clause 5.2.6 The CommitmentTypeIndication element.

All these properties qualify the signed data object after all the required transforms have been made.

4.2.5 UnsignedSignatureProperties

This element contains properties that qualify the XML signature that has been specified with the Target attribute of the QualifyingProperties container element. The content of this element is not covered by the XML signature.

<xsd:element name="UnsignedSignatureProperties" type="UnsignedSignaturePropertiesType"/>

<xsd:complexType name="UnsignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="CounterSignature" type="CounterSignatureType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="SignatureTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CompleteCertificateRefs" 
      type="CompleteCertificateRefsType" minOccurs="0"/>
    <xsd:element name="CompleteRevocationRefs" 
      type="CompleteRevocationRefsType" minOccurs="0"/>
    <xsd:choice>
      <xsd:element name="SigAndRefsTimeStamp" type="TimeStampType" 
        minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="RefsOnlyTimeStamp" type="TimeStampType" 
        minOccurs="0" maxOccurs="unbounded"/>
    </xsd:choice>
    <xsd:element name="CertificateValues" type="CertificateValuesType" 
      minOccurs="0"/>
    <xsd:element name="RevocationValues" type="RevocationValuesType" 
      minOccurs="0"/>
    <xsd:element name="ArchiveTimeStamp" type="TimeStampType" 
      minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The qualifying property CounterSignature is described in detail in clause 5.2.4 The CounterSignature element, SignatureTimeStamp in clause 5.3.1 The SignatureTimeStamp element, CompleteCertificateRefs in clause 5.4.1 The CompleteCertificateRefs element, CompleteRevocationRefs in clause 5.4.2 The CompleteRevocationRefs element, SigAndRefsTimeStamp in clause 5.5.1 The SigAndRefsTimeStamp element, RefsOnlyTimeStamp in clause 5.5.2 The RefsOnlyTimeStamp element, CertificateValues in clause 5.6.1 The CertificateValues element, RevocationValues in clause 5.6.2 The RevocationValues element, and ArchiveTimeStamp in clause 5.7.1 The ArchiveTimeStamp element.

4.2.6 UnsignedDataObjectProperties

This element contains properties that qualify some of the signed data objects. The signature generated by the signer does not cover the content of this element.

<xsd:element name="UnsignedDataObjectProperties" type="UnsignedDataObjectPropertiesType" />

<xsd:complexType name="UnsignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="UnsignedDataObjectProperty" type="AnyType" 
      minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
                                       

TS 101733 [ESI] does not specify the usage of any unsigned property qualifying the signed data object. The present document, however, incorporates this element for the sake of completeness and to cope with potential future needs for the inclusion of such kinds of properties. The schema definition leaves open the definition of the contents of this type. The type AnyType is defined in clause 5.1.1 The AnyType data type.

4.3 Incorporating qualifying properties into an XML signature

The present document utilizes the ds:Object auxiliary element from [XMLDSIG]. It MUST be used to incorporate the qualifying properties into the [XMLDSIG] signature. In principle, two different means are provided for this incorporation:

  • Direct incorporation means that a QualifyingProperties element is put as a child of the ds:Object.

  • Indirect incorporation means that a QualifyingPropertiesReference element is put as a child of the ds:Object. This element contains information about a QualifyingProperties element that is stored in a place different from the signature (see clause 4.3.2 QualifyingPropertiesReference).

However, the following restrictions apply for using ds:Object, QualifyingProperties and QualifyingPropertiesReference:

  • All instances of the QualifyingProperties and the QualifyingPropertiesReference element MUST occur within a single ds:Object element.

  • At most one instance of the QualifyingProperties element may occur within this single ds:Object element.

  • All signed properties must occur within a single QualifyingProperties element. This element can either be a child of the ds:Object element (direct incorporation), or it can be referenced by a QualifyingPropertiesReference element. See clause 4.3.1 SigningProperties for information on how to sign properties.

  • Zero or more instances of the QualifyingPropertiesReference element may occur within the single ds:Object element.

It is out of the scope of the present document to specify the mechanisms required to guarantee the correct storage of the distributed QualifyingProperties elements (i.e. that the properties are stored by the entity that has to store them and that they are not undetectably modified).

4.3.1 SigningProperties

As has already been stated, all the properties that should be protected by the signature have to be collected in a single instance of the QualifyingProperties element. Actually, these properties are children of the SignedProperties child of this element.

In order to protect the properties with the signature, a ds:Reference element must be added to the [XMLDSIG] signature. This ds:Reference element MUST be composed in such a way that it uses the SignedProperties element mentioned above as the input for computing its corresponding digest.

Additionally, the present document MANDATES the use of the Type attribute of this particular ds:Reference element, with its value set to

http://uri.etsi.org/01903/v1.1.1#SignedProperties

This value indicates that the data used for hash computation is a SignedProperties element and therefore helps a verifying application to detect the signed properties of a signature conforming with the present document.

If the QualifyingProperties element containing the SignedProperties element is stored in a place different from the signature (indirect incorporation), the result of processing the URI and transforms in this ds:Reference element must be the same as the result of processing the URI and transforms in the QualifyingPropertiesReference element pointing to the aforementioned QualifyingProperties element.
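As an added example (not code from the note or from any XAdES implementation), the following Python builds the ds:Reference of clause 4.3.1 for a directly incorporated SignedProperties element, using the mandated Type value, and performs the verifier-side check on it. SHA-256, inclusive C14N as the only transform, the Id values and the omission of the rest of ds:SignedInfo are assumptions of this example.

```python
"""Added example, not code from the XAdES note: build the ds:Reference of
clause 4.3.1 that binds xades:SignedProperties into an XML-DSIG signature
(direct incorporation) and run the check a verifier makes on it."""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.1.1#"
# Type value mandated by clause 4.3.1 for the reference to SignedProperties
SIGNED_PROPERTIES_TYPE = "http://uri.etsi.org/01903/v1.1.1#SignedProperties"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"  # digest algorithm assumed here
ET.register_namespace("ds", DS)
ET.register_namespace("xades", XADES)


def signed_properties_digest(elem):
    """Digest input assumed by this example: inclusive C14N of the subtree.
    A real signature lists its transforms in the ds:Reference and the
    verifier applies exactly those ([XMLDSIG] reference processing model)."""
    node = copy.deepcopy(elem)
    node.tail = None  # tail text belongs to the parent, not to the subtree
    canon = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canon.encode("utf-8")).digest()).decode()


def build_signature(signing_time, props_id="SignedProps-1"):
    """QualifyingProperties directly under ds:Object, plus a ds:Reference in
    ds:SignedInfo pointing at SignedProperties by Id.  The rest of SignedInfo
    and the SignatureValue are left out; they are not what this example checks."""
    sig = ET.Element(f"{{{DS}}}Signature", Id="Sig-1")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    obj = ET.SubElement(sig, f"{{{DS}}}Object")
    qp = ET.SubElement(obj, f"{{{XADES}}}QualifyingProperties", Target="#Sig-1")
    sp = ET.SubElement(qp, f"{{{XADES}}}SignedProperties", Id=props_id)
    ssp = ET.SubElement(sp, f"{{{XADES}}}SignedSignatureProperties")
    ET.SubElement(ssp, f"{{{XADES}}}SigningTime").text = signing_time
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference",
                        URI="#" + props_id, Type=SIGNED_PROPERTIES_TYPE)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = signed_properties_digest(sp)
    return sig


def find_by_id(root, id_value):
    """Resolve a same-document fragment reference by the Id attribute."""
    for el in root.iter():
        if el.get("Id") == id_value:
            return el
    return None


def verify_signed_properties_reference(sig):
    """Return (ok, reason): locate the reference by its mandated Type, resolve
    its URI to a SignedProperties element, and recompute the digest."""
    refs = [r for r in sig.iter(f"{{{DS}}}Reference")
            if r.get("Type") == SIGNED_PROPERTIES_TYPE]
    if len(refs) != 1:
        return False, "expected exactly one ds:Reference of type SignedProperties"
    ref = refs[0]
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return False, "this example only resolves same-document references"
    target = find_by_id(sig, uri[1:])
    if target is None or target.tag != f"{{{XADES}}}SignedProperties":
        return False, "URI does not resolve to a xades:SignedProperties element"
    method = ref.find(f"{{{DS}}}DigestMethod")
    if method is None or method.get("Algorithm") != SHA256:
        return False, "unsupported digest algorithm"
    if signed_properties_digest(target) != ref.findtext(f"{{{DS}}}DigestValue"):
        return False, "digest mismatch: the signed properties were altered"
    return True, "signed properties are bound to the signature"


def alter_signing_time(sig, new_time):
    """Simulate a post-signing change to a signed property (for the demo)."""
    sig.find(f".//{{{XADES}}}SigningTime").text = new_time
    return sig


if __name__ == "__main__":
    signature = build_signature("2003-02-20T10:00:00Z")
    print(verify_signed_properties_reference(signature))
    print(verify_signed_properties_reference(
        alter_signing_time(signature, "2003-02-21T10:00:00Z")))
```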

4.3.2 QualifyingPropertiesReference

This element contains information about a QualifyingProperties element that is stored in a place different from the signature, for instance in another XML document.

<xsd:element name="QualifyingPropertiesReference"   type="QualifyingPropertiesReferenceType"/>

<xsd:complexType name="QualifyingPropertiesReferenceType">
  <xsd:sequence>
    <xsd:element name="Transforms" type="ds:TransformsType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>
                                       

The mandatory URI attribute provides an identifier for the location of the QualifyingProperties element. This could be, for instance, a URL to a web site where the information can be retrieved, or a name that the participating applications can use to identify a particular QualifyingProperties element.

The optional ds:Transforms element can be used to specify a chain of transformations that has to be applied to the data referenced by the URI attribute in order to get the actual representation of the QualifyingProperties element. The processing model for the chain of transformations is as defined in the Reference Processing Model clause (http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel) of [XMLDSIG].

The optional Id attribute can be used to make a reference to the QualifyingPropertiesReference element.

5 Qualifying properties syntax

Clause 5.1 Auxiliary syntax summarizes a set of auxiliary structures that will be needed later on, while each of the remaining clauses corresponds to a certain qualifying property.

Clause 5.2 Syntax for XAdES describes in detail the qualifying properties that can appear in the XAdES electronic signature forms as described in clause 4 Syntax overview.

Clause 5.3 Syntax for XAdES-T form describes in detail the qualifying properties that can appear in the XAdES-T electronic signature form as described in clause 4 Syntax overview.

Clause 5.4 Syntax for XAdES-C form describes in detail the qualifying properties related to validation data that can appear in the XAdES-C form.

Clause 5.5 Syntax for XAdES-X form describes in detail the qualifying properties related to the different time-stamps that can appear in the XAdES-X form.

Clause 5.6 Syntax for XAdES-X-L form describes in detail the qualifying properties related to validation data that can appear in the XAdES-X-L form.

Finally, clause 5.7 Syntax for XAdES-A form describes in detail the qualifying properties related to the different time-stamps that can appear in the XAdES-A form.

5.1 Auxiliary syntax

The following three auxiliary XML structures are utilized in several cases in the subsequent clauses.

5.1.1 The AnyType data type

The AnyType schema data type has a content model that allows a sequence of arbitrary XML elements of unrestricted length. Additionally, an element of this data type can bear an unrestricted number of arbitrary attributes. It is used throughout the remaining parts of this clause wherever the content of an XML element has been left open.

<xsd:complexType name="AnyType" mixed="true">  
  <xsd:sequence>
    <xsd:any namespace="##any"/>
  </xsd:sequence>
  <xsd:anyAttribute namespace="##any"/>
</xsd:complexType>
                               

5.1.2 The ObjectIdentifierType data type

The ObjectIdentifierType data type can be used to identify a particular data object.

It allows the specification of a unique and permanent identifier of an object. In addition, it allows a textual description of the nature of the data object, and a number of references to documents where additional information about the nature of the data object can be found.

<xsd:complexType name="ObjectIdentifierType">
  <xsd:sequence>
    <xsd:element name="Identifier" type="xsd:anyURI"/>
    <xsd:element name="Description" type="xsd:string" minOccurs="0"/>
    <xsd:element name="DocumentationReferences"
      type="DocumentationReferencesType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

The Identifier element contains a permanent identifier. Once assigned the identifier can never be re-assigned again. It supports both the mechanism that is used to identify objects in ASN.1 and the mechanism that is usually used to identify objects in an XML environment:

  • In ASN.1 an Object IDentifier (OID) is used to identify an object. To encode an OID using the ObjectIdentifierType, the element Identifier MUST contain the OID as a Uniform Resource Name [URN-OID] conforming to the way specified in RFC3061. A textual representation enabling humans to easily understand the meaning of the OID MAY be given using the element Description. The present document does not suggest a particular format for such a textual representation.

  • In an XML environment objects are typically identified by means of a Uniform Resource Identifier [URI]. To encode such a URI using the ObjectIdentifierType, the element Identifier MUST be used.

    Please note: Since such a URI represents a PERMANENT identifier, the URI (scheme, domain name) should be carefully chosen. For example, if a domain ceases to exist, this will also invalidate all the identifiers specified under the domain, since it could happen that the domain is reassigned to a different owner who could then change the meaning of the identifiers.

Should an OID and a URI exist identifying the same object, the present document encourages the use of the URI as explained in the first bullet above.

<xsd:complexType name="IdentifierType"> 
  <xsd:complexContent>
    <xsd:extension base="xsd:anyURI">
      <xsd:attribute name="Qualifier" type="QualifierType" use="optional"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>

<xsd:simpleType name="QualifierType">
  <xsd:restriction base="xsd:string">
    <xsd:enumeration value="OIDAsURI"/>
    <xsd:enumeration value="OIDAsURN"/>
  </xsd:restriction>
</xsd:simpleType>
                                       

The optional Description element contains an informal text describing the object identifier.

The optional DocumentationReferences element consists of an arbitrary number of references pointing to further explanatory documentation of the object identifier.

<xsd:complexType name="DocumentationReferencesType">  
  <xsd:sequence maxOccurs="unbounded">
    <xsd:element name="DocumentationReference" type="xsd:anyURI"/>
  </xsd:sequence>
</xsd:complexType>
                                       

5.1.3 The EncapsulatedPKIDataType data type

The EncapsulatedPKIDataType is used to incorporate a piece of PKI data into an XML structure where the PKI data is encoded using an ASN.1 encoding mechanism. Examples of such PKI data that are widely used at present include X509 certificates and revocation lists, OCSP responses, attribute certificates and time-stamps.

<xsd:complexType name="EncapsulatedPKIDataType">  
  <xsd:complexContent>
    <xsd:extension base="xsd:base64Binary">
      <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>
                                       

The content of this data type is the piece of PKI data, base64 encoded as defined in [XMLDSIG]. The optional Id attribute can be used to make a reference to an element of this data type.

5.1.4 The TimeStampType data type

Time-Stamps shall be used with XML Advanced Electronic Signatures in a number of use cases:

  • An XML Advanced Electronic Signature with Time-Stamp (XAdES-T) includes a time-stamp over the XML Advanced Electronic Signature (XAdES) to protect against repudiation in case of a key compromise.

  • Two mechanisms are provided for protection against fraud in case of a CA key compromise, obtaining the XAdES-X form:

    • A time-stamp only over all certificate and revocation information references of an XML Advanced Electronic Signature with Complete Validation Data (XAdES-C).

    • A time-stamp computed over the signature value, the signature time-stamp and the certificate and revocation information references present in the XML Advanced Electronic Signature with Complete Validation Data (XAdES-C).

  • To provide for long term validity of an XML signature, a time-stamp can be applied over an XML Advanced Electronic Signature with Extended Validation Data (XAdES-X-L) to obtain an XAdES-A form. In this case the time-stamp is called an Archive Time-Stamp. Additional time-stamps can be added to this XAdES-A as time goes on.

  • Additionally, time-stamps proving that some or all the data objects to be signed have been created before some time can also be added as signed properties to the XAdES.

A time-stamp is obtained by sending the digest value of the given data to the Time-Stamp Authority (TSA). The returned time-stamp is signed data that contains the digest value, the identity of the TSA, and the time of stamping. This proves that the given data existed before the time of stamping.

Time-Stamps specified in the present document will be generated on selected parts of the XAdES signature element.

Below follows the schema definition for the data type used for all the time-stamps mentioned above.

<xsd:complexType name="TimeStampType">
  <xsd:sequence>
    <xsd:element name="HashDataInfo" type="HashDataInfoType" 
     maxOccurs="unbounded"/>
    <xsd:choice>
      <xsd:element name="EncapsulatedTimeStamp" 
       type="EncapsulatedPKIDataType"/>
      <xsd:element name="XMLTimeStamp" type="AnyType"/>
    </xsd:choice>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="HashDataInfoType">
  <xsd:sequence>
    <xsd:element name="Transforms" type="ds:TransformsType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="uri" type="xsd:anyURI" use="required"/>
</xsd:complexType>
                                       

Each HashDataInfo element contains a uri attribute referencing a data object and one ds:Transforms element indicating the transformations to make to this data object as described in [XMLDSIG].

The sequence of HashDataInfo elements will be used to produce the input of the hash computation process whose result will be included in the time-stamp request to be sent to the TSA.

The actual input to the hash computation is obtained as follows. Each data object referenced in the sequence of HashDataInfo elements is transformed according to the indications of the corresponding Transforms element. Once all the referenced data objects have been transformed, the resulting octets are concatenated in the order in which the data objects are referenced.

The time-stamp generated by the TSA can be either an ASN.1 data object (as defined in [TSP]; use EncapsulatedTimeStamp), or it can be encoded as XML (use XMLTimeStamp). Since at present there is no standard for an XML time-stamp, we provide a placeholder for future use.
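The hash-input rule of clause 5.1.4 (transform each referenced object, then concatenate in HashDataInfo order) as an added example, not code from the note: the constructed document, its Ids and the use of SHA-256 for the message imprint are assumptions of this example, and only same-document references with inclusive C14N are handled.

```python
"""Added example, not code from the XAdES note: the time-stamp hash input of
clause 5.1.4, built from a sequence of HashDataInfo entries (uri + transforms)
over a constructed document.  SHA-256 as message imprint and the element Ids
are assumptions of this example."""
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"  # [XMLDSIG] C14N identifier
ET.register_namespace("ds", DS)

# Constructed stand-in for parts of a XAdES signature; real Ids would differ.
SAMPLE_DOC = """<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignatureValue Id="SigValue">c2lnbmF0dXJl</ds:SignatureValue>
  <Refs Id="CertRefs"><Cert>one</Cert><Cert>two</Cert></Refs>
</root>"""


def load_sample():
    return ET.fromstring(SAMPLE_DOC)


def find_by_id(root, id_value):
    for el in root.iter():
        if el.get("Id") == id_value:
            return el
    return None


def transformed_octets(doc, uri, transforms):
    """Octets of one referenced object after its HashDataInfo/Transforms chain.
    Only same-document references and inclusive C14N are handled here."""
    if not uri.startswith("#"):
        raise ValueError(f"unsupported reference {uri!r}")
    target = find_by_id(doc, uri[1:])
    if target is None:
        raise ValueError(f"unresolvable reference {uri!r}")
    node = copy.deepcopy(target)
    node.tail = None  # whitespace after the element is not part of the object
    data = ET.tostring(node, encoding="unicode")
    for algorithm in transforms:
        if algorithm != C14N:
            raise ValueError(f"unsupported transform {algorithm}")
        data = ET.canonicalize(data)
    return data.encode("utf-8")


def timestamp_hash_input(doc, hash_data_infos):
    """Concatenation in HashDataInfo order, as clause 5.1.4 describes: swapping
    two entries yields a different input and hence a different imprint."""
    return b"".join(transformed_octets(doc, uri, transforms)
                    for uri, transforms in hash_data_infos)


def message_imprint(doc, hash_data_infos):
    """Hex digest that would go into the request sent to the TSA."""
    return hashlib.sha256(timestamp_hash_input(doc, hash_data_infos)).hexdigest()
```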

5.2 Syntax for XAdES

This clause describes in detail the qualifying properties that can appear in the XAdES and XAdES-T advanced electronic signature forms as described in clause 4 Syntax overview.

5.2.1 The SigningTime element

The SigningTime property specifies the time at which the signer (purportedly) performed the signing process.

The XML Schema recommendation [XML-schema-part-2] defines an XML type xsd:dateTime that allows for the inclusion of the required information. This is the type selected for the SigningTime element.

This is a signed property that qualifies the whole signature.

An XML electronic signature aligned with the present document MUST contain exactly one SigningTime element.

Below follows the schema definition for this element:

<xsd:element name="SigningTime" type="xsd:dateTime"/>

5.2.2 The SigningCertificate element

According to what has been stated in the Introduction clause, an electronic signature produced in accordance with the present document incorporates: "a commitment that has been explicitly endorsed under a signature policy, at a given time, by a signer under an identifier, e.g. a name or a pseudonym, and optionally a role".

In many real life environments users will be able to get from different CAs or even from the same CA, different certificates containing the same public key for different names. The prime advantage is that a user can use the same private key for different purposes. Multiple use of the private key is an advantage when a smart card is used to protect the private key, since the storage of a smart card is always limited. When several CAs are involved, each different certificate may contain a different identity, e.g. as a national or as an employee from a company. Thus when a private key is used for various purposes, the certificate is needed to clarify the context in which the private key was used when generating the signature. Where there is the possibility of multiple use of private keys it is necessary for the signer to indicate to the verifier the precise certificate to be used.

Many current schemes simply add the certificate after the signed data and thus are subject to various substitution attacks. An example of a substitution attack is a "bad" CA that would issue a certificate to someone with the public key of someone else. If the certificate from the signer was simply appended to the signature and thus not protected by the signature, anyone could substitute one certificate by another and the message would appear to be signed by someone else.

In order to counter this kind of attack, the identifier of the certificate has to be protected by the digital signature from the signer.

The SigningCertificate property is designed to prevent the simple substitution of the certificate. This property contains references to certificates and digest values computed on them.

The certificate used to verify the signature shall be identified in the sequence; the signature policy may mandate other certificates be present, that may include all the certificates up to the point of trust.

This is a signed property that qualifies the signature.

An XML electronic signature aligned with the present document MUST contain exactly one SigningCertificate element.

Below follows the schema definition:

<xsd:element name="SigningCertificate" type="CertIDListType"/>
<xsd:complexType name="CertIDListType">
  <xsd:sequence>
    <xsd:element name="Cert" type="CertIDType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CertIDType">
  <xsd:sequence>
    <xsd:element name="CertDigest" type="DigestAlgAndValueType"/>
    <xsd:element name="IssuerSerial" type="ds:X509IssuerSerialType"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="DigestAlgAndValueType">
  <xsd:sequence>
    <xsd:element name="DigestMethod" type="ds:DigestMethodType"/>
    <xsd:element name="DigestValue" type="ds:DigestValueType"/>
  </xsd:sequence>
</xsd:complexType>
                                       

The SigningCertificate element contains the aforementioned sequence of certificate identifiers and digests computed on the certificates (Cert elements).

The element IssuerSerial contains the identifier of one of the certificates referenced in the sequence. Should the ds:X509IssuerSerial element appear in the signature to denote the same certificate, its value MUST be consistent with the corresponding IssuerSerial element.

If the signer uses an attribute certificate to associate a role with the electronic signature, such a certificate MUST be present in the SignerRole property.

The element CertDigest contains the digest of one of the certificates referenced in the sequence. It contains two elements: DigestMethod indicates the digest algorithm and DigestValue contains the value of the digest.
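The check that makes the SigningCertificate property effective against the substitution described above, as an added example that is not code from the note or from any XAdES implementation: the Certificate stand-in (DER bytes, issuer name, serial), the SHA-256 digest method and the issuer/serial values are constructed for this example, and the ds:X509IssuerName and ds:X509SerialNumber children of IssuerSerial follow [XMLDSIG]'s X509IssuerSerialType.

```python
"""Added example, not code from the XAdES note: emit the SigningCertificate
property of clause 5.2.2 and check the certificate actually presented with a
signature against it.  The Certificate stand-in, SHA-256 and the issuer/serial
values are constructed for this example; no real X.509 parsing is done."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.1.1#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DS)
ET.register_namespace("xades", XADES)


@dataclass(frozen=True)
class Certificate:
    """Stand-in for a parsed certificate: DER bytes plus issuer and serial."""
    der: bytes
    issuer: str
    serial: int


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def signing_certificate_property(certs):
    """One Cert entry (CertDigest + IssuerSerial) per certificate.  This goes
    under SignedProperties, so the signature covers these digests."""
    prop = ET.Element(f"{{{XADES}}}SigningCertificate")
    for c in certs:
        cert = ET.SubElement(prop, f"{{{XADES}}}Cert")
        digest = ET.SubElement(cert, f"{{{XADES}}}CertDigest")
        ET.SubElement(digest, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
        ET.SubElement(digest, f"{{{DS}}}DigestValue").text = b64_sha256(c.der)
        issuer_serial = ET.SubElement(cert, f"{{{XADES}}}IssuerSerial")
        ET.SubElement(issuer_serial, f"{{{DS}}}X509IssuerName").text = c.issuer
        ET.SubElement(issuer_serial, f"{{{DS}}}X509SerialNumber").text = str(c.serial)
    return prop


def certificate_is_referenced(prop, candidate):
    """True only if some Cert entry names the candidate by IssuerSerial AND the
    signed CertDigest matches the candidate's DER.  A certificate swapped in
    through unsigned ds:KeyInfo fails the digest even if it claims the same
    issuer and serial."""
    for cert in prop.iter(f"{{{XADES}}}Cert"):
        issuer = cert.findtext(f"{{{XADES}}}IssuerSerial/{{{DS}}}X509IssuerName")
        serial = cert.findtext(f"{{{XADES}}}IssuerSerial/{{{DS}}}X509SerialNumber")
        if issuer != candidate.issuer or int(serial) != candidate.serial:
            continue
        method = cert.find(f"{{{XADES}}}CertDigest/{{{DS}}}DigestMethod")
        if method is None or method.get("Algorithm") != SHA256:
            return False
        expected = cert.findtext(f"{{{XADES}}}CertDigest/{{{DS}}}DigestValue") or ""
        return hmac.compare_digest(b64_sha256(candidate.der), expected)
    return False
```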

5.2.3 The SignaturePolicyIdentifier element

The signature policy is a set of rules for the creation and validation of an electronic signature, under which the signature can be determined to be valid. A given legal/contractual context may recognize a particular signature policy as meeting its requirements.

The signature policy needs to be available in human readable form so that it can be assessed to meet the requirements of the legal and contractual context in which it is being applied.

To facilitate the automatic processing of an electronic signature the parts of the signature policy which specify the electronic rules for the creation and validation of the electronic signature also need to be in a computer processable form.

If no signature policy is identified then the signature may be assumed to have been generated/verified without any policy constraints, and hence may be given no specific legal or contractual significance through the context of a signature policy.

As stated before, any electronic signature claiming alignment with the present document must contain an unambiguous way of identifying the signature policy. The present document specifies two alternatives:

  • The electronic signature can contain an explicit and unambiguous identifier of a Signature Policy together with a hash value of the signature policy, so it can be verified that the policy selected by the signer is the one being used by the verifier. An explicit signature policy has a globally unique reference, which, in this way, is bound to an electronic signature by the signer as part of the signature calculation. In these cases, for a given explicit signature policy there shall be one definitive form that has a unique binary encoded value. Finally, a signature policy identified in this way may be qualified by additional information.

  • Alternatively, the electronic signature can avoid the inclusion of the aforementioned identifier and hash value. This will be possible when the signature policy can be unambiguously derived from the semantics of the type of data object(s) being signed, and some other information, e.g. national laws or private contractual agreements, that mention that a given signature policy must be used for this type of data content. In such cases, the signature will contain a specific empty element indicating that this implied way to identify the signature policy is used instead of the identifier and hash value.

The signature policy identifier is a signed property qualifying the signature.

An XML electronic signature aligned with the present document MUST contain exactly one SignaturePolicyIdentifier element.

Below follows the schema definition for this type:

<xsd:element name="SignaturePolicyIdentifier" type="SignaturePolicyIdentifierType"/>
<xsd:complexType name="SignaturePolicyIdentifierType">
  <xsd:choice>
    <xsd:element name="SignaturePolicyId" type="SignaturePolicyIdType"/>
    <xsd:element name="SignaturePolicyImplied"/>
  </xsd:choice>
</xsd:complexType>

<xsd:complexType name="SignaturePolicyIdType">
  <xsd:sequence>
    <xsd:element name="SigPolicyId" type="ObjectIdentifierType"/>
    <xsd:element ref="ds:Transforms" minOccurs="0"/>
    <xsd:element name="SigPolicyHash" type="DigestAlgAndValueType"/>
    <xsd:element name="SigPolicyQualifiers" 
      type="SigPolicyQualifiersListType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="SigPolicyQualifiersListType">
  <xsd:sequence>
    <xsd:element name="SigPolicyQualifier" type="AnyType" 
      maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
                                       

The SignaturePolicyId element will appear when the signature policy is identified using the first alternative. The SigPolicyId element contains an identifier that uniquely identifies a specific version of the signature policy. The SigPolicyHash element contains the identifier of the hash algorithm and the hash value of the signature policy. The SigPolicyQualifier element can contain additional information qualifying the signature policy identifier. The optional ds:Transforms element can contain the transformations performed on the signature policy document before computing its hash. The processing model for these transformations is described in [XMLDSIG].

Alternatively, the SignaturePolicyImplied element will appear when the second alternative is used. This empty element indicates that the data object(s) being signed and other external data imply the signature policy.
或者,当使用第二种替代方案时, SignaturePolicyImplied 元素会出现。这个空元素表示被签署的数据对象和其他外部数据意味着签名策略。
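The verifier-side check the two alternatives imply, as an added example that is not part of this Note: it locates the single SignaturePolicyIdentifier, accepts SignaturePolicyImplied, and otherwise recomputes the policy document's digest and compares it with SigPolicyHash. It assumes the XAdES v1.1.1 namespace of this Note, that DigestAlgAndValueType carries ds:DigestMethod and ds:DigestValue (defined elsewhere in the Note), and that any ds:Transforms have already been applied to the policy bytes; the OID and policy text in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces: XAdES v1.1.1 (this Note) and XML-DSig.
NS = {"xades": "http://uri.etsi.org/01903/v1.1.1#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Digest-method URIs from XML-DSig / XML-Enc mapped to hashlib names.
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}


def check_signature_policy(props_xml: str, policy_bytes: bytes) -> str:
    """Return 'implied', 'match' or 'mismatch' for one SignaturePolicyIdentifier.

    props_xml    : the SignedSignatureProperties fragment (or any ancestor)
    policy_bytes : the signature policy document the verifier obtained (e.g.
                   via the SPURI qualifier), ds:Transforms already applied
    Raises ValueError when the fragment violates the schema in this clause.
    """
    root = ET.fromstring(props_xml)
    spis = root.findall(".//xades:SignaturePolicyIdentifier", NS)
    if len(spis) != 1:
        raise ValueError("exactly one SignaturePolicyIdentifier is required")
    spi = spis[0]
    # Second alternative: the policy is implied by the signed data and context.
    if spi.find("xades:SignaturePolicyImplied", NS) is not None:
        return "implied"
    spid = spi.find("xades:SignaturePolicyId", NS)
    if spid is None:
        raise ValueError("neither SignaturePolicyId nor SignaturePolicyImplied present")
    method = spid.find("xades:SigPolicyHash/ds:DigestMethod", NS)
    value = spid.find("xades:SigPolicyHash/ds:DigestValue", NS)
    if method is None or value is None:
        raise ValueError("SigPolicyHash must carry ds:DigestMethod and ds:DigestValue")
    alg = DIGEST_ALGS.get(method.get("Algorithm"))
    if alg is None:
        raise ValueError("unsupported digest algorithm %r" % method.get("Algorithm"))
    expected = base64.b64decode(value.text.strip())
    actual = hashlib.new(alg, policy_bytes).digest()
    return "match" if actual == expected else "mismatch"


# Constructed sample policy document (stand-in for a real policy file).
POLICY = b"<!-- constructed sample signature policy document -->"


def sample_identifier(policy_bytes: bytes) -> str:
    """Constructed SignaturePolicyIdentifier using the first alternative
    (sha256 over the raw policy bytes; the OID is a placeholder)."""
    digest = base64.b64encode(hashlib.sha256(policy_bytes).digest()).decode()
    return (
        '<xades:SignedSignatureProperties xmlns:xades="%s" xmlns:ds="%s">'
        '<xades:SignaturePolicyIdentifier><xades:SignaturePolicyId>'
        '<xades:SigPolicyId><xades:Identifier>urn:oid:1.2.3.4.5</xades:Identifier>'
        '</xades:SigPolicyId><xades:SigPolicyHash>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>%s</ds:DigestValue></xades:SigPolicyHash>'
        '</xades:SignaturePolicyId></xades:SignaturePolicyIdentifier>'
        '</xades:SignedSignatureProperties>' % (NS["xades"], NS["ds"], digest)
    )


# Constructed sample using the second alternative.
IMPLIED = (
    '<xades:SignedSignatureProperties xmlns:xades="%s">'
    '<xades:SignaturePolicyIdentifier><xades:SignaturePolicyImplied/>'
    '</xades:SignaturePolicyIdentifier></xades:SignedSignatureProperties>'
    % NS["xades"]
)
```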

5.2.3.1 Signature policy qualifiers

Two qualifiers for the signature policy have been identified so far:

  • A URL where a copy of the Signature Policy (SP) may be obtained.

  • A user notice that should be displayed when the signature is verified.

Below follows the schema definition for these two elements:

<xsd:element name="SPURI" type="xsd:anyURI"/>
<xsd:element name="SPUserNotice" type="SPUserNoticeType"/>

<xsd:complexType name="SPUserNoticeType">
  <xsd:sequence>
    <xsd:element name="NoticeRef" type="NoticeReferenceType" minOccurs="0"/>
    <xsd:element name="ExplicitText" type="xsd:string" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="NoticeReferenceType">
  <xsd:sequence>
    <xsd:element name="Organization" type="xsd:string"/>
    <xsd:element name="NoticeNumbers" type="IntegerListType"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="IntegerListType">
  <xsd:sequence>
    <xsd:element name="int" type="xsd:integer" minOccurs="0"
      maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
                                               

The SPUserNotice element is intended to be displayed whenever the signature is validated. The ExplicitText element contains the text of the notice to be displayed. Other notices could come from the organization issuing the signature policy. The NoticeRef element names an organization and identifies by numbers (NoticeNumbers element) a group of textual statements prepared by that organization, so that the application can get the explicit notices from a notices file.

5.2.4 The CounterSignature element

Some electronic signatures may only be valid if they bear more than one signature. This is the case generally when a contract is signed between two parties. The ordering of the signatures may or may not be important, i.e. one may or may not need to be applied before the other.

Several forms of multiple and counter signatures need to be supported, which fall into two basic categories:

  • Independent signatures.

  • Embedded signatures.

Independent signatures are parallel signatures where the ordering of the signatures is not important. Therefore an independent signature will not appear as a CounterSignature property of another independent one.

Embedded signatures are applied one after the other and are used where the order in which the signatures are applied is important. Multiple embedded signatures are supported using the CounterSignature unsigned property. Each CounterSignature is carried in one CounterSignature element added to the Signature element to which the CounterSignature is applied.

In a qualified Signature the contents of the CounterSignature element are one or more signatures (i.e. ds:Signature elements) of the SignatureValue in the qualified Signature.

A CounterSignature can itself be qualified by a CounterSignature property. Thus it is possible to construct arbitrarily long series of countersignatures.

This is an unsigned property that qualifies the signature.

Below follows the schema definition for this element.

<xsd:element name="CounterSignature" type="CounterSignatureType" />
<xsd:complexType name="CounterSignatureType">
  <xsd:sequence>
    <xsd:element ref="ds:Signature"/>
  </xsd:sequence>
</xsd:complexType>
                                       

The next figure shows a countersigned Signature.

[Figure 5: image not available in this snapshot]

Figure 5. Use of CounterSignature element

5.2.5 The DataObjectFormat element

When presenting signed data to a human user it may be important that there is no ambiguity as to the presentation of the signed data object to the relying party. In order for the appropriate representation (text, sound or video) to be selected by the relying party, a content hint may be indicated by the signer. If a relying party system does not use the format specified to present the data object to the relying party, the electronic signature may not be valid. Such a behaviour may have been established by the signature policy, for instance.

The DataObjectFormat element provides information that describes the format of the signed data object. This element MUST be present when it is mandatory to present the signed data object to human users on verification. This is a signed property that qualifies one specific signed data object. In consequence, an XML electronic signature aligned with the present document MAY contain more than one DataObjectFormat element, each one qualifying one signed data object.

Below follows the schema definition for this element.

<xsd:element name="DataObjectFormat" type="DataObjectFormatType"/>
<xsd:complexType name="DataObjectFormatType">
  <xsd:sequence>
    <xsd:element name="Description" type="xsd:string" minOccurs="0"/>
    <xsd:element name="ObjectIdentifier" type="ObjectIdentifierType" 
      minOccurs="0"/>
    <xsd:element name="MimeType" type="xsd:string" minOccurs="0"/>
    <xsd:element name="Encoding" type="xsd:anyURI" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="ObjectReference" type="xsd:anyURI" 
   use="required"/>
</xsd:complexType>
                                       

This element can convey:

  • Textual information related to the signed data object(s) in element Description.

  • An identifier indicating the type of the signed data object(s) in element ObjectIdentifier.

  • An indication of the MIME type of the signed data object(s), in element MimeType.

  • An indication of the encoding format of the signed data object(s), in element Encoding.

At least one element of Description, ObjectIdentifier and MimeType must be present within the property.

5.2.6 The CommitmentTypeIndication element

According to what has been stated in the Introduction clause, an electronic signature produced in accordance with the present document incorporates: "a commitment that has been explicitly endorsed under a signature policy, at a given time, by a signer under an identifier, e.g. a name or a pseudonym, and optionally a role".

The commitment type can be indicated in the electronic signature either:

  • Explicitly, using a commitment type indication in the electronic signature.

  • Implicitly or explicitly, from the semantics of the signed data object.

If the indicated commitment type is explicit by means of a commitment type indication in the electronic signature, acceptance of a verified signature implies acceptance of the semantics of that commitment type. The semantics of explicit commitment type indications shall be specified either as part of the signature policy or may be registered for generic use across multiple policies.

If a signature includes a commitment type indication other than one of those recognized under the signature policy, the signature shall be treated as invalid.

How commitment is indicated using the semantics of the data object being signed is outside the scope of the present document.

The commitment type may be:

  • Defined as part of the signature policy, in which case the commitment type has precise semantics that are defined as part of the signature policy.

  • A registered type, in which case the commitment type has precise semantics defined by registration, under the rules of the registration authority. Such a registration authority may be a trading association or a legislative authority.

The definition of a commitment type includes:

  • The object identifier for the commitment.

  • A sequence of qualifiers.

The qualifiers can provide more information about the commitment; for example, they could provide information about the context, be it contractual, legal or application specific.

If an electronic signature does not contain a recognized commitment type then the semantics of the electronic signature are dependent on the data object being signed and the context in which it is being used.

This is a signed property that qualifies signed data object(s). In consequence, an XML electronic signature aligned with the present document MAY contain more than one CommitmentTypeIndication element.

Below follows the schema definition for this element.

<xsd:element name="CommitmentTypeIndication" type="CommitmentTypeIndicationType"/>
<xsd:complexType name="CommitmentTypeIndicationType">
  <xsd:sequence>
    <xsd:element name="CommitmentTypeId" type="ObjectIdentifierType"/>
    <xsd:choice>
      <xsd:element name="ObjectReference" type="xsd:anyURI" 
         minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="AllSignedDataObjects"/>
    </xsd:choice>
    <xsd:element name="CommitmentTypeQualifiers"
      type="CommitmentTypeQualifiersListType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CommitmentTypeQualifiersListType">
  <xsd:sequence>
    <xsd:element name="CommitmentTypeQualifier" 
      type="AnyType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
                                       

The CommitmentTypeId element unambiguously identifies the type of commitment made by the signer. A number of commitments have already been identified in TS 101 733 [ESI] (and consequently assigned corresponding OIDs), namely:

  • Proof of origin indicates that the signer acknowledges having created, approved and sent the signed data object.

  • Proof of receipt indicates that the signer acknowledges having received the content of the signed data object.

  • Proof of delivery indicates that the TSP providing that indication has delivered a signed data object in a local store accessible to the recipient of the signed data object.

  • Proof of sender indicates that the entity providing that indication has sent the signed data object (but not necessarily created it).

  • Proof of approval indicates that the signer has approved the content of the signed data object.

  • Proof of creation indicates that the signer has created the signed data object (but not necessarily approved, nor sent it).

One ObjectReference element refers to one ds:Reference element of the ds:SignedInfo corresponding with one data object qualified by this property. If some but not all the signed data objects share the same commitment, one ObjectReference element MUST appear for each one of them. However, if all the signed data objects share the same commitment, the AllSignedDataObjects empty element MUST be present.

The CommitmentTypeQualifiers element provides means to include additional qualifying information on the commitment made by the signer.
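The rules of this clause turned into a verifier-side check, as an added example that is not part of this Note: every CommitmentTypeIndication must name a commitment recognized under the signature policy (otherwise the signature is invalid), must carry either AllSignedDataObjects or ObjectReference elements, and each ObjectReference must point at a ds:Reference of ds:SignedInfo. It assumes the XAdES v1.1.1 namespace and the Identifier child of ObjectIdentifierType, both defined elsewhere in the Note; the OIDs are the id-cti-ets-* values registered in TS 101 733, and the sample signature is constructed (its SignatureValue is a dummy).

```python
import xml.etree.ElementTree as ET

NS = {"xades": "http://uri.etsi.org/01903/v1.1.1#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Commitment type OIDs registered in TS 101 733 (id-cti-ets-*). A signature
# policy may recognize only a subset of these, or define its own.
TS101733_COMMITMENTS = {
    "1.2.840.113549.1.9.16.6.1": "proof of origin",
    "1.2.840.113549.1.9.16.6.2": "proof of receipt",
    "1.2.840.113549.1.9.16.6.3": "proof of delivery",
    "1.2.840.113549.1.9.16.6.4": "proof of sender",
    "1.2.840.113549.1.9.16.6.5": "proof of approval",
    "1.2.840.113549.1.9.16.6.6": "proof of creation",
}


def check_commitments(signature_xml: str, recognized_oids) -> list:
    """Validate all CommitmentTypeIndication properties of a ds:Signature.

    Returns [(oid, ids_of_referenced_ds_Reference | "all"), ...] in document
    order; raises ValueError when the signature must be treated as invalid.
    """
    sig = ET.fromstring(signature_xml)
    # Ids of the ds:Reference elements an ObjectReference may point at.
    ref_ids = {r.get("Id") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)
               if r.get("Id")}
    result = []
    for cti in sig.findall(".//xades:CommitmentTypeIndication", NS):
        ident = cti.find("xades:CommitmentTypeId/xades:Identifier", NS)
        if ident is None or not ident.text:
            raise ValueError("CommitmentTypeId without Identifier")
        oid = ident.text.strip()
        if oid.startswith("urn:oid:"):
            oid = oid[len("urn:oid:"):]
        if oid not in recognized_oids:
            raise ValueError("commitment %s is not recognized under the signature policy" % oid)
        all_objs = cti.find("xades:AllSignedDataObjects", NS)
        obj_refs = [e.text.strip() for e in cti.findall("xades:ObjectReference", NS)]
        if all_objs is not None and obj_refs:
            raise ValueError("AllSignedDataObjects and ObjectReference are mutually exclusive")
        if all_objs is not None:
            result.append((oid, "all"))
            continue
        if not obj_refs:
            raise ValueError("neither ObjectReference nor AllSignedDataObjects present")
        targets = []
        for uri in obj_refs:
            # Same-document reference: "#" followed by the Id of a ds:Reference.
            if not uri.startswith("#") or uri[1:] not in ref_ids:
                raise ValueError("ObjectReference %r does not point at a ds:Reference "
                                 "of ds:SignedInfo" % uri)
            targets.append(uri[1:])
        result.append((oid, targets))
    return result


# Constructed sample: two signed data objects, proof of approval on the
# contract only, proof of origin on all signed data objects.
SAMPLE_SIGNATURE = (
    '<ds:Signature xmlns:ds="%s" xmlns:xades="%s">'
    '<ds:SignedInfo>'
    '<ds:Reference Id="r-contract" URI="contract.xml"/>'
    '<ds:Reference Id="r-annex" URI="annex.pdf"/>'
    '<ds:Reference URI="#sp"/>'
    '</ds:SignedInfo>'
    '<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>'
    '<ds:Object><xades:QualifyingProperties Target="#sig">'
    '<xades:SignedProperties Id="sp"><xades:SignedDataObjectProperties>'
    '<xades:CommitmentTypeIndication><xades:CommitmentTypeId>'
    '<xades:Identifier>urn:oid:1.2.840.113549.1.9.16.6.5</xades:Identifier>'
    '</xades:CommitmentTypeId>'
    '<xades:ObjectReference>#r-contract</xades:ObjectReference>'
    '</xades:CommitmentTypeIndication>'
    '<xades:CommitmentTypeIndication><xades:CommitmentTypeId>'
    '<xades:Identifier>urn:oid:1.2.840.113549.1.9.16.6.1</xades:Identifier>'
    '</xades:CommitmentTypeId><xades:AllSignedDataObjects/>'
    '</xades:CommitmentTypeIndication>'
    '</xades:SignedDataObjectProperties></xades:SignedProperties>'
    '</xades:QualifyingProperties></ds:Object></ds:Signature>'
    % (NS["ds"], NS["xades"])
)
```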

5.2.7 The SignatureProductionPlace element

In some transactions the purported place where the signer was at the time of signature creation may need to be indicated. In order to provide this information a new property may be included in the signature.

This property specifies an address associated with the signer at a particular geographical (e.g. city) location.

This is a signed property that qualifies the signer.

An XML electronic signature aligned with the present document MAY contain at most one SignatureProductionPlace element.

Below follows the schema definition for this element.

<xsd:element name="SignatureProductionPlace" type="SignatureProductionPlaceType"/>
<xsd:complexType name="SignatureProductionPlaceType">
  <xsd:sequence>
    <xsd:element name="City" type="xsd:string" minOccurs="0"/>
    <xsd:element name="StateOrProvince" type="xsd:string" minOccurs="0"/>
    <xsd:element name="PostalCode" type="xsd:string" minOccurs="0"/>
    <xsd:element name="CountryName" type="xsd:string" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>
                                       

5.2.8 The SignerRole element

According to what has been stated in the Introduction clause, an electronic signature produced in accordance with the present document incorporates: "a commitment that has been explicitly endorsed under a signature policy, at a given time, by a signer under an identifier, e.g. a name or a pseudonym, and optionally a role".

While the name of the signer is important, the position of the signer within a company or an organization can be even more important. Some contracts may only be valid if signed by a user in a particular role, e.g. a Sales Director. In many cases who the Sales Director really is, is not that important, but being sure that the signer is empowered by his company to be the Sales Director is fundamental.

The present document defines two different ways for providing this feature:

  • Using a claimed role name.

  • Using an attribute certificate containing a certified role.

Unlike public key certificates that bind an identifier to a public key, Attribute Certificates bind the identifier of a certificate to some attributes of its owner, like a role. The Attribute Authority will be most of the time under the control of an organization or a company that is best placed to know which attributes are relevant for which individual. The Attribute Authority may use or point to public key certificates issued by any CA, provided that the appropriate trust may be placed in that CA. Attribute Certificates may have various periods of validity. That period may be quite short, e.g. one day. While this requires that a new Attribute Certificate is obtained every day, valid for that day, this can be advantageous since revocation of such certificates may not be needed. When signing, the signer will have to specify which Attribute Certificate it selects.

This is a signed property that qualifies the signer.

An XML electronic signature aligned with the present document MAY contain at most one SignerRole element.

Below follows the schema definition for this element.

<xsd:element name="SignerRole" type="SignerRoleType"/>
<xsd:complexType name="SignerRoleType">
  <xsd:sequence>
    <xsd:element name="ClaimedRoles" type="ClaimedRolesListType"
      minOccurs="0"/>
    <xsd:element name="CertifiedRoles" type="CertifiedRolesListType"
      minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="ClaimedRolesListType">
  <xsd:sequence>
    <xsd:element name="ClaimedRole" type="AnyType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CertifiedRolesListType">
  <xsd:sequence>
    <xsd:element name="CertifiedRole" type="EncapsulatedPKIDataType"
      maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
                                       

This property contains a sequence of roles that the signer can play (element SignerRole). At least one of the two elements ClaimedRoles or CertifiedRoles must be present.

The ClaimedRoles element contains a sequence of roles claimed by the signer but not certified. Additional content types may be defined on a domain application basis and be part of this element. The namespaces given to the corresponding XML schemas will allow their unambiguous identification in the case these roles use XML.

The CertifiedRoles element contains one or more wrapped attribute certificates for the signer.

5.2.9 The AllDataObjectsTimeStamp element

The AllDataObjectsTimeStamp element contains the time-stamp computed, before the signature production, over the sequence formed by all the ds:Reference elements within the ds:SignedInfo referencing whatever the signer wants to sign, except the SignedProperties element.

The application must compose the HashDataInfo element(s) in a way that the data referenced by all HashDataInfo together results in the sequence of ds:Reference elements described above.

The AllDataObjectsTimeStamp element is a signed property.

Several instances of this property from different TSAs can occur within the same XAdES.

Below follows the schema definition for this element.

<xsd:element name="AllDataObjectsTimeStamp" type="TimeStampType"/>
                                       

5.2.10 The IndividualDataObjectsTimeStamp element

The IndividualDataObjectsTimeStamp element contains the time-stamp computed before the signature production, over a sequence formed by SOME ds:Reference elements within the ds:SignedInfo. Note that this sequence cannot contain a ds:Reference computed on the SignedProperties element.

The application must compose the HashDataInfo element(s) in a way that the data referenced by all HashDataInfo together results in the sequence of ds:Reference elements mentioned above.

The IndividualDataObjectsTimeStamp element is a signed property that qualifies the signed data object(s).

Several instances of this property can occur within the same XAdES.

Below follows the schema definition for this element.

<xsd:element name="IndividualDataObjectsTimeStamp" type="TimeStampType"/>

5.3 Syntax for XAdES-T form

This clause describes in detail the time-stamps that can appear in the XAdES-T form.

5.3.1 The SignatureTimeStamp element

An important property for long standing signatures is that a signature, having been found once to be valid, shall continue to be so months or years later.

A signer, verifier or both may be required to provide on request proof that a digital signature was created or verified during the validity period of all the certificates that make up the certificate path. In this case, the signer, verifier or both will also be required to provide proof that all the user and CA certificates used were not revoked when the signature was created or verified.

It would be quite unacceptable to consider a signature as invalid even if the keys or certificates were later compromised. Thus there is a need to be able to demonstrate that the signature key was valid around the time that the signature was created, to provide long term evidence of the validity of a signature.

Time-stamping by a Time-Stamping Authority (TSA) can provide such evidence. A time-stamp is obtained by sending the hash value of the given data to the TSA. The returned time-stamp is a signed data object that contains the hash value, the identity of the TSA, and the time of stamping. This proves that the given data existed before the time of stamping.

Time-stamping an electronic signature (XAdES) before the revocation of the signer's private key and before the end of the validity of the certificate provides evidence that the signature has been created while the certificate was valid and before it was revoked.

If a recipient wants to hold a valid electronic signature he will have to ensure that he has obtained a valid time-stamp for it, before that key (and any key involved in the validation) is revoked. The sooner the time-stamp is obtained after the signing time, the better.

It is important to note that signatures may be generated "off-line" and time-stamped at a later time by anyone, for example by the signer or any recipient interested in the value of the signature. The time-stamp can thus be provided by the signer together with the signed data object, or obtained by the recipient following receipt of the signed data object.

The Signature Validation Policy can specify a maximum acceptable time difference which is allowed between the time indicated in the SigningTime element and the time indicated by the SignatureTimeStamp element. If this delay is exceeded then the electronic signature shall be considered as invalid.

The SignatureTimeStamp encapsulates the time-stamp over the ds:SignatureValue element.

The SignatureTimeStamp element is an unsigned property qualifying the signature. An XAdES-T form MAY contain several SignatureTimeStamp elements, obtained from different TSAs.

Below follows the schema definition for this element:

<xsd:element name="SignatureTimeStamp" type="TimeStampType"/>

The SignatureTimeStamp element contains a single HashDataInfo element that refers to the ds:SignatureValue element of the [XMLDSIG] signature. That is, the input for the timestamp hash computation is the ds:SignatureValue XML element.
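The XAdES-T reasoning of this clause as one decision function, added here as an example that is not part of this Note: the time-stamp proves the signature existed before the TSA's time, so that time must fall inside the validity period of every certificate in the path, must precede any revocation of those certificates, and must stay within the maximum gap from SigningTime that the Signature Validation Policy allows. It assumes the TSA time has already been extracted from the time-stamp token and that certificate validity and revocation dates are supplied as xsd:dateTime strings; the certificate path is constructed.

```python
from datetime import datetime, timedelta


def parse_xsd_datetime(value: str) -> datetime:
    """xsd:dateTime (as used by SigningTime) to an aware datetime; 'Z' is UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_xades_t(signing_time: str, timestamp_time: str,
                  max_delay_seconds: int, cert_path: list) -> str:
    """Apply the XAdES-T rules of this clause.

    signing_time      : xsd:dateTime from the SigningTime property
    timestamp_time    : xsd:dateTime the TSA put into the SignatureTimeStamp
                        token (assumed already extracted from the token)
    max_delay_seconds : maximum SigningTime/SignatureTimeStamp difference the
                        Signature Validation Policy accepts
    cert_path         : one dict per certificate in the path with "subject",
                        "not_before", "not_after" and optional "revoked_at"
    Returns "valid" or a reason string starting with "invalid:".
    """
    st = parse_xsd_datetime(signing_time)
    ts = parse_xsd_datetime(timestamp_time)
    # Rule 1: the policy bounds the gap between the claimed signing time and
    # the time the TSA attested to.
    if abs(ts - st) > timedelta(seconds=max_delay_seconds):
        return "invalid: SigningTime and SignatureTimeStamp differ by more than the policy allows"
    for cert in cert_path:
        not_before = parse_xsd_datetime(cert["not_before"])
        not_after = parse_xsd_datetime(cert["not_after"])
        # Rule 2: the time-stamp only proves the signature existed before ts,
        # so ts must lie inside the validity period of every certificate.
        if not (not_before <= ts <= not_after):
            return "invalid: time-stamp lies outside the validity period of %s" % cert["subject"]
        # Rule 3: a certificate revoked at or before ts gives no evidence that
        # the key was still valid when the signature was created.
        revoked = cert.get("revoked_at")
        if revoked is not None and parse_xsd_datetime(revoked) <= ts:
            return "invalid: %s was revoked before the time-stamp was obtained" % cert["subject"]
    return "valid"


# Constructed certificate path: the signer's certificate and one CA certificate.
CERT_PATH = [
    {"subject": "CN=Signer", "not_before": "2003-01-01T00:00:00Z",
     "not_after": "2004-01-01T00:00:00Z"},
    {"subject": "CN=Issuing CA", "not_before": "2000-01-01T00:00:00Z",
     "not_after": "2010-01-01T00:00:00Z"},
]
```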

5.4 Syntax for XAdES-C form

This clause describes in detail the additional qualifying properties referring to validation data that can appear in the XAdES-C form.

When dealing with long term electronic signatures, all the data used in the verification of such signatures (namely, certificate path and revocation information) must be stored and conveniently time-stamped for arbitration purposes, as has been stated in clause 4 Syntax overview.

In some environments, it can be convenient to add these data to the electronic signature (as unsigned properties), building up a XAdES-A form.

Alternatively, other systems may find it convenient, for the purpose of arbitration, to archive them elsewhere. In such cases each electronic signature must incorporate references to all these data in the XAdES-C form. This form is built by taking a XAdES-T signature and incorporating additional data required for validation:

  • The sequence of references to the full set of CA certificates that have been used to validate the electronic signature up to (but not including) the signer's certificate.

  • A full set of references to the revocation data that have been used in the validation of the signer and CA certificates.

5.4.1 The CompleteCertificateRefs element

This clause defines the XML element able to carry the aforementioned references to the certificates: the CompleteCertificateRefs element.

This is an unsigned property that qualifies the signature.

An XML electronic signature aligned with the present document MAY contain at most one CompleteCertificateRefs element.

Below follows the schema definition for this element.

<xsd:element name="CompleteCertificateRefs" type="CompleteCertificateRefsType"/>

<xsd:complexType name="CompleteCertificateRefsType">
  <xsd:sequence>
    <xsd:element name="CertRefs" type="CertIDListType" />
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

The CertRefs element contains a sequence of Cert elements already defined in clause 5.2.2 The SigningCertificate element, incorporating the digest of each certificate and optionally the issuer and serial number identifier.

5.4.2 The CompleteRevocationRefs element

As stated in the previous clause, XAdES-C signatures add to XAdES-T the full set of references to the revocation data that have been used in the validation of the signer and CA certificates. They provide means to retrieve the actual revocation data archived elsewhere in case of dispute and, in this way, to show that the verifier has exercised due diligence with respect to the available revocation information.

Currently two major types of revocation data are managed in most systems, namely CRLs and responses of on-line certificate status servers, obtained through protocols designed for these purposes, like the OCSP protocol [OCSP].

This clause defines the CompleteRevocationRefs element that will carry the full set of revocation information used for the verification of the electronic signature.

This is an unsigned property that qualifies the signature.

An XML electronic signature aligned with the present document MAY contain at most one CompleteRevocationRefs element.

Below follows the schema definition for this element.

<xsd:element name="CompleteRevocationRefs"
  type="CompleteRevocationRefsType"/>

<xsd:complexType name="CompleteRevocationRefsType">
  <xsd:sequence>
    <xsd:element name="CRLRefs" type="CRLRefsType" minOccurs="0"/>
    <xsd:element name="OCSPRefs" type="OCSPRefsType" minOccurs="0"/>
    <xsd:element name="OtherRefs" type="OtherCertStatusRefsType" minOccurs="0"/> 
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<xsd:complexType name="CRLRefsType">
  <xsd:sequence>
    <xsd:element name="CRLRef" type="CRLRefType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CRLRefType">
  <xsd:sequence>
    <xsd:element name="DigestAlgAndValue" type="DigestAlgAndValueType"/>
    <xsd:element name="CRLIdentifier" type="CRLIdentifierType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CRLIdentifierType">
  <xsd:sequence>
    <xsd:element name="Issuer" type="xsd:string"/>
    <xsd:element name="IssueTime" type="xsd:dateTime" />
    <xsd:element name="Number" type="xsd:integer"  minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
</xsd:complexType>

<xsd:complexType name="OCSPRefsType">
  <xsd:sequence>
    <xsd:element name="OCSPRef" type="OCSPRefType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="OCSPRefType">
  <xsd:sequence>
    <xsd:element name="OCSPIdentifier" type="OCSPIdentifierType"/>
    <xsd:element name="DigestAlgAndValue" type="DigestAlgAndValueType" 
      minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="OCSPIdentifierType">
  <xsd:sequence>
    <xsd:element name="ResponderID" type="xsd:string"/>
    <xsd:element name="ProducedAt" type="xsd:dateTime"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
</xsd:complexType>

<xsd:complexType name="OtherCertStatusRefsType">
  <xsd:sequence>
    <xsd:element name="OtherRef" type="AnyType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The CompleteRevocationRefs element can contain:

  • Sequences of references to CRLs (CRLRefs element).

  • Sequences of references to OCSP responses (OCSPRefs element).

  • Other references to alternative forms of revocation data (OtherRefs element).

Each element in a CRLRefs sequence (CRLRef element) identifies one CRL. This identification is made by means of:

  • The digest of the entire DER-encoded CRL (DigestAlgAndValue element).

  • A set of data (CRLIdentifier element) including the issuer (Issuer element), the time when the CRL was issued (IssueTime element) and optionally the number of the CRL (Number element). The CRLIdentifier element can be dropped if the CRL can be inferred from other information. Its URI attribute can serve to indicate where the identified CRL is archived.

Each element in an OCSPRefs sequence (OCSPRef element) identifies one OCSP response. This identification is made by means of:

  • A set of data (OCSPIdentifier element) including the name of the server that produced the referenced response (ResponderID element) and the time indication in the "ProducedAt" field of the referenced response (ProducedAt element). The optional URI attribute can serve to indicate where the identified OCSP response is archived.

  • The digest computed on the DER-encoded OCSP response (DigestAlgAndValue element), since it may be needed to differentiate between two OCSP responses from the same server whose "ProducedAt" fields fall within the same second.

Alternative forms of validation data can be included in this property making use of the OtherRefs element, a sequence whose items (OtherRef elements) can contain any kind of information.

5.5 Syntax for XAdES-X form

This clause describes in detail time-stamps that can appear in the XAdES-X form.

Time-stamped extended electronic signatures are needed when there is a requirement to safeguard against the possibility of a CA key in the certificate chain ever being compromised. A verifier may be required to provide, on request, proof that the certification path and the revocation information used at the time of the signature were valid, even in the case where one of the issuing keys or [OCSP] responder keys is later compromised.

The current document defines two ways of using time-stamps to protect against this compromise:

  • Time-stamp the sequence formed by the digital signature (ds:Signature element), the time-stamp(s) present in the XAdES-T form, the certification path references and the revocation status references, when an OCSP response is used to get the status of the certificate from the signer.

  • Time-stamp only the certification path and revocation information references when a CRL is used to get the status of the certificate from the signer.

The signer, verifier or both may obtain the time-stamp.

5.5.1 The SigAndRefsTimeStamp element

When an OCSP response is used, it is necessary to time-stamp that particular response, in case the responder's key is later compromised. Since the information contained in the OCSP response is user specific and time specific, an individual time-stamp is needed for every signature received. Instead of placing the time-stamp only over the certification path references and the revocation information references, which include the OCSP response, the time-stamp is placed on the digital signature (ds:Signature element), the time-stamp(s) present in the XAdES-T form, the certification path references and the revocation status references. For the same cryptographic price, this provides an integrity mechanism over the XAdES-C. Any modification can be immediately detected. It should be noticed that other means of protecting/detecting the integrity of the XAdES-C exist and could be used.

The form obtained by the concatenation of successive time-stamps of this type is an XAdES-X (XML Advanced Electronic Signature with extended validation data).

The SigAndRefsTimeStamp element is an unsigned property qualifying the signature. A XAdES-X form MAY contain several SigAndRefsTimeStamp elements, obtained from different TSAs.

Below follows the schema definition for this element.

<xsd:element name="SigAndRefsTimeStamp" type="TimeStampType"/>

The SigAndRefsTimeStamp element contains the following HashDataInfo elements:

  • One referring to the ds:SignatureValue element of the qualified [XMLDSIG] signature.

  • One per each SignatureTimeStamp property element present in XAdES-T.

  • One referring to the CompleteCertificateRefs property element.

  • One referring to the CompleteRevocationRefs property element.

That is, the input for the time-stamp hash computation is a sequence of the following XML elements:

(ds:SignatureValue, SignatureTimeStamp+, CompleteCertificateRefs, CompleteRevocationRefs).

5.5.2 The RefsOnlyTimeStamp element

Time-stamping each ES with Complete Validation Data as defined above may not be efficient, particularly when the same set of CA certificates and CRL information is used to validate many signatures.

Time-stamping CA certificates will stop any attacker from issuing bogus CA certificates that could be claimed to exist before the CA key was compromised. Any bogus time-stamped CA certificates will show that the certificate was created after the legitimate CA key was compromised. In the same way, time-stamping CA CRLs will stop any attacker from issuing bogus CA CRLs which could be claimed to exist before the CA key was compromised.

Time-stamping of commonly used certificates and CRLs can be done centrally, e.g. inside a company or by a service provider. This method reduces the amount of data the verifier has to time-stamp; for example, it could reduce to just one time-stamp per day (i.e. in the case where all the signers use the same CA and the CRL applies for the whole day). The information that needs to be time-stamped is not the actual certificates and CRLs but the unambiguous references to those certificates and CRLs.

The form obtained by the concatenation of successive time-stamps of this type is an XAdES-X (XML Advanced Electronic Signature with extended validation data).

The hash sent to the TSA will then be computed over the concatenation of the CompleteCertificateRefs and CompleteRevocationRefs elements.

The RefsOnlyTimeStamp element is an unsigned property qualifying the signature. A XAdES-X form MAY contain several RefsOnlyTimeStamp elements, obtained from different TSAs.

Below follows the schema definition for this element.

<xsd:element name="RefsOnlyTimeStamp" type="TimeStampType"/>

The RefsOnlyTimeStamp element contains two HashDataInfo elements:

  • The first one refers to the CompleteCertificateRefs property element.

  • The second one refers to the CompleteRevocationRefs property element.

That is, the input for the time-stamp hash computation is a sequence of the following XML elements:

(CompleteCertificateRefs, CompleteRevocationRefs)

5.6 Syntax for XAdES-X-L form

This clause describes in detail the additional qualifying properties, relating to validation data, that can appear in the XAdES-X-L form.

5.6.1 The CertificateValues element

A verifier will have to prove that the certification path was valid, at the time of the validation of the signature, up to a trust point according to the naming constraints and the certificate policy constraints from the "Signature Validation Policy". "Signature Validation Policy" is the term used for the set of rules specifically devoted to the validation process in the Signature Policy. It will be necessary to capture all the certificates from the certification path, starting with the signer's certificate and ending with the certificate of one trusted root of the "Signature Validation Policy".

When dealing with long term electronic signatures, all the data used in the verification (including the certificate path) must be conveniently archived. Archiving all this material with the electronic signature gives rise to the XAdES-X-L form.

In principle, the CertificateValues element contains the full set of certificates that have been used to validate the electronic signature, including the signer's certificate. However, it is not necessary to include a certificate in this property if it is already present in the ds:KeyInfo element of the signature.

In fact, both the signer certificate (referenced in the mandatory SigningCertificate property element) and all certificates referenced in the CompleteCertificateRefs property element must be present either in the ds:KeyInfo element of the signature or in the CertificateValues property element.

The CertificateValues element is an unsigned property and qualifies the XML signature.

An XML electronic signature aligned with the present document MAY contain at most one CertificateValues element.

<xsd:element name="CertificateValues" type="CertificateValuesType"/>

<xsd:complexType name="CertificateValuesType">
    <xsd:choice minOccurs="0" maxOccurs="unbounded">
        <xsd:element name="EncapsulatedX509Certificate"
          type="EncapsulatedPKIDataType"/>
        <xsd:element name="OtherCertificate" type="AnyType"/>
    </xsd:choice>
    <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

The EncapsulatedX509Certificate element is able to contain the base64 encoding of a DER-encoded X.509 certificate. The OtherCertificate element is a placeholder for potential future new formats of certificates.

5.6.2 The RevocationValues element

When dealing with long term electronic signatures, all the revocation data used in the verification of such signatures must be stored and conveniently time-stamped, as stated in clause 4, Syntax overview, for arbitration purposes.

Currently two major types of revocation data are managed in most systems, namely CRLs and responses of on-line certificate status servers, obtained through protocols designed for these purposes, such as the [OCSP] protocol.

When using CRLs to get revocation information, a verifier will have to make sure that he or she gets, at the time of the first verification, the appropriate certificate revocation information from the signer's CA. This should be done as soon as possible to minimize the time delay between the generation and verification of the signature. This involves checking that the signer certificate serial number is not included in the CRL. The signer, the verifier or any other third party may obtain this CRL. If obtained by the signer, then it shall be conveyed to the verifier. Additional CRLs for the CA certificates in the certificate path must also be checked by the verifier. It may be convenient to archive these CRLs within an XAdES-A for ease of subsequent verification or arbitration.

When using [OCSP] to get revocation information, a verifier will have to make sure that she or he gets, at the time of the first verification, an OCSP response that contains the status "valid". This should be done as soon as possible after the generation of the signature. The signer, the verifier or any other third party may fetch this OCSP response. Since OCSP responses are transient and thus are not archived by any TSP, including the CA, it is the responsibility of every verifier to make sure that it is stored in a safe place. The simplest way is to store them associated with the electronic signature in its XAdES-X-L form.

The RevocationValues property element is used to hold the values of the revocation information which are to be shipped with the XML signature in case of an XML Advanced Electronic Signature with Extended Validation Data (XAdES-X-Long).

This is an unsigned property that qualifies the signature.

An XML electronic signature aligned with the present document MAY contain at most one RevocationValues element.

Below follows the schema definition for this element.

<xsd:element name="RevocationValues" type="RevocationValuesType"/>

<xsd:complexType name="RevocationValuesType">
  <xsd:sequence>
    <xsd:element name="CRLValues" type="CRLValuesType" minOccurs="0"/>
    <xsd:element name="OCSPValues" type="OCSPValuesType" minOccurs="0"/>
    <xsd:element name="OtherValues" type="OtherCertStatusValuesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID"  use="optional"/>
</xsd:complexType>

Revocation information can include Certificate Revocation Lists (CRLValues) or responses from an online certificate status server (OCSPValues). Additionally a placeholder for other revocation information (OtherValues) is provided for future use.

<xsd:complexType name="CRLValuesType">
  <xsd:sequence>
     <xsd:element name="EncapsulatedCRLValue" type="EncapsulatedPKIDataType" 
       maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

Certificate Revocation Lists (CRLValues) consist of a sequence of at least one Certificate Revocation List. Each EncapsulatedCRLValue will contain the base64 encoding of a DER-encoded X.509 CRL.

<xsd:complexType name="OCSPValuesType">
  <xsd:sequence>
      <xsd:element name="EncapsulatedOCSPValue" 
        type="EncapsulatedPKIDataType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

OCSP Responses (OCSPValues) consist of a sequence of at least one OCSP Response. The EncapsulatedOCSPValue element contains the base64 encoding of a DER-encoded OCSP Response.

<xsd:complexType name="OtherCertStatusValuesType">
  <xsd:sequence>
    <xsd:element name="OtherValue" type="AnyType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The OtherValues element provides a placeholder for other revocation information that can be used in the future. The ObjectIdentifier element is used to specify the type of revocation information that is contained by the subsequent Value element.
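The check a verifier performs before treating a signature as XAdES-X-L, as an added example that is not code from this note: every CRLRef and OCSPRef in CompleteRevocationRefs (described above) must find its DER object, by digest, in RevocationValues, and every certificate referenced from SigningCertificate or CompleteCertificateRefs must be present in ds:KeyInfo or CertificateValues (5.6.1). Assumptions: the Cert/CertDigest structure of the note's earlier CertIDType (not reproduced in this clause), DigestMethod/DigestValue children of DigestAlgAndValueType accepted in either the XAdES or the ds namespace, and constructed placeholder bytes standing in for real DER-encoded objects.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

XADES = "http://uri.etsi.org/01903/v1.1.1#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xades": XADES, "ds": DS}
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
# Digest URI -> hashlib name.  SHA-1 is what [XMLDSIG] mandates; SHA-256 is
# added because current deployments use it.
DIGEST_ALGS = {SHA1: "sha1", "http://www.w3.org/2001/04/xmlenc#sha256": "sha256"}

def _child(parent, local):
    """Child by local name in the XAdES or the ds namespace: the v1.1.1 schema
    puts DigestMethod/DigestValue in the former, later versions in the latter."""
    for ns in (XADES, DS):
        el = parent.find(f"{{{ns}}}{local}")
        if el is not None:
            return el
    raise ValueError(f"missing {local}")

def digest_of_ref(dav):
    """(hashlib name, raw digest) from a DigestAlgAndValue-style element."""
    alg = DIGEST_ALGS[_child(dav, "DigestMethod").get("Algorithm")]
    return alg, base64.b64decode(_child(dav, "DigestValue").text.strip())

def decoded_values(root, path):
    """Base64-decode every EncapsulatedPKIData-style element matched by path."""
    return [base64.b64decode(e.text.strip()) for e in root.findall(path, NS)]

def unmatched(refs, blobs):
    """Labels of references whose digest matches none of the supplied blobs."""
    return [label for label, (alg, dig) in refs
            if not any(hashlib.new(alg, b).digest() == dig for b in blobs)]

def check_xl_completeness(xml_text):
    """Report every reference for which no value is shipped with the signature."""
    root = ET.fromstring(xml_text)
    # 5.6.1: the signer certificate and every CompleteCertificateRefs entry
    # must be present in ds:KeyInfo or in CertificateValues.
    certs = (decoded_values(root, ".//ds:KeyInfo/ds:X509Data/ds:X509Certificate")
             + decoded_values(root, ".//xades:CertificateValues/xades:EncapsulatedX509Certificate"))
    cert_elems = (root.findall(".//xades:SigningCertificate/xades:Cert", NS)
                  + root.findall(".//xades:CompleteCertificateRefs/xades:CertRefs/xades:Cert", NS))
    cert_refs = [(f"Cert#{i}", digest_of_ref(c.find("xades:CertDigest", NS)))
                 for i, c in enumerate(cert_elems)]
    # A CRLRef names its CRL by the digest of the DER encoding; the X-L form
    # must carry that CRL in RevocationValues/CRLValues.
    crls = decoded_values(root, ".//xades:CRLValues/xades:EncapsulatedCRLValue")
    crl_refs = [(f"CRLRef#{i}", digest_of_ref(r.find("xades:DigestAlgAndValue", NS)))
                for i, r in enumerate(root.findall(".//xades:CRLRefs/xades:CRLRef", NS))]
    # An OCSPRef's digest is optional; without it the ref cannot be matched here.
    ocsps = decoded_values(root, ".//xades:OCSPValues/xades:EncapsulatedOCSPValue")
    ocsp_refs, unverifiable = [], []
    for i, r in enumerate(root.findall(".//xades:OCSPRefs/xades:OCSPRef", NS)):
        dav = r.find("xades:DigestAlgAndValue", NS)
        if dav is None:
            unverifiable.append(f"OCSPRef#{i}")
        else:
            ocsp_refs.append((f"OCSPRef#{i}", digest_of_ref(dav)))
    return {"certificates": unmatched(cert_refs, certs), "crls": unmatched(crl_refs, crls),
            "ocsp": unmatched(ocsp_refs, ocsps), "unverifiable": unverifiable}

# Constructed placeholder bytes standing in for real DER-encoded PKI objects.
SIGNER_DER, CA_DER = b"constructed signer cert", b"constructed CA cert"
CRL_DER, OCSP_DER = b"constructed CRL", b"constructed OCSP response"

def b64(blob):
    return base64.b64encode(blob).decode()

def sha1_ref(blob):
    """DigestMethod/DigestValue pair over the SHA-1 of blob."""
    return (f'<DigestMethod Algorithm="{SHA1}"/>'
            f"<DigestValue>{b64(hashlib.sha1(blob).digest())}</DigestValue>")

# Constructed XAdES skeleton (ds:SignedInfo/ds:SignatureValue omitted).  The
# OCSP response is deliberately referenced but not shipped in RevocationValues.
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}" xmlns="{XADES}">
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64(SIGNER_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 <ds:Object><QualifyingProperties Target="#sig">
  <SignedProperties><SignedSignatureProperties>
   <SigningCertificate><Cert><CertDigest>{sha1_ref(SIGNER_DER)}</CertDigest></Cert></SigningCertificate>
  </SignedSignatureProperties></SignedProperties>
  <UnsignedProperties><UnsignedSignatureProperties>
   <CompleteCertificateRefs><CertRefs><Cert><CertDigest>{sha1_ref(CA_DER)}</CertDigest></Cert></CertRefs></CompleteCertificateRefs>
   <CompleteRevocationRefs>
    <CRLRefs><CRLRef><DigestAlgAndValue>{sha1_ref(CRL_DER)}</DigestAlgAndValue>
     <CRLIdentifier><Issuer>CN=Constructed CA</Issuer><IssueTime>2003-02-20T00:00:00Z</IssueTime></CRLIdentifier></CRLRef></CRLRefs>
    <OCSPRefs><OCSPRef><OCSPIdentifier><ResponderID>CN=Constructed OCSP</ResponderID>
     <ProducedAt>2003-02-20T10:00:05Z</ProducedAt></OCSPIdentifier>
     <DigestAlgAndValue>{sha1_ref(OCSP_DER)}</DigestAlgAndValue></OCSPRef></OCSPRefs>
   </CompleteRevocationRefs>
   <CertificateValues><EncapsulatedX509Certificate>{b64(CA_DER)}</EncapsulatedX509Certificate></CertificateValues>
   <RevocationValues><CRLValues><EncapsulatedCRLValue>{b64(CRL_DER)}</EncapsulatedCRLValue></CRLValues></RevocationValues>
  </UnsignedSignatureProperties></UnsignedProperties>
 </QualifyingProperties></ds:Object>
</ds:Signature>"""
```

Running check_xl_completeness(SAMPLE) reports the missing OCSP response as OCSPRef#0 while the certificates and the CRL are found; a signature with such a gap is XAdES-C with partial values, not XAdES-X-L.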

5.7 Syntax for XAdES-A form

This clause describes in detail time-stamps that can appear in the XAdES-A form.

5.7.1 The ArchiveTimeStamp element

Advances in computing increase the probability of being able to break algorithms and compromise keys. There is therefore a requirement to be able to protect electronic signatures against this possibility.

Over a period of time weaknesses may occur in the cryptographic algorithms used to create an electronic signature (e.g. due to the time available for cryptanalysis, or improvements in cryptanalytic techniques). Before such weaknesses become likely, a verifier should take extra measures to maintain the validity of the electronic signature. Several techniques could be used to achieve this goal depending on the nature of the weakened cryptography. In order to simplify matters, a single technique, called Archive validation data (XAdES-A form), covering all the cases is used in the present document.

Archive validation data consists of the complete validation data and the complete certificate and revocation data, time-stamped together with the electronic signature. The Archive validation data is necessary if the hash function and the crypto algorithms that were used to create the signature are no longer secure. Also, if it cannot be assumed that the hash function used by the Time-Stamping Authority is secure, then nested time-stamps of the Archived Electronic Signature are required.

The potential for Trusted Service Provider (TSP) key compromise should be significantly lower than for user keys, because TSPs are expected to use stronger cryptography and better key protection. It can be expected that new algorithms (or old ones with greater key lengths) will be used. In such a case, a sequence of time-stamps will protect against forgery. Each time-stamp needs to be affixed before either the compromise of the signing key or the cracking of the algorithms used by the TSA. TSAs (Time-Stamping Authorities) should have long keys (e.g. which at the time of drafting the present document was 2048 bits for the signing RSA algorithm) and/or a "good" or different algorithm.

Nested time-stamps will also protect the verifier against key compromise or cracking of the algorithm on the old electronic signatures.

The process will need to be performed and iterated before the cryptographic algorithms used for generating the previous time-stamp are no longer secure. Archive validation data may thus bear multiple embedded time-stamps.

The hash sent to the TSA (messageImprint) will be computed on the XAdES-X-L form of the electronic signature and the signed data objects, i.e. on the sequence formed as explained below.

The ArchiveTimeStamp element is an unsigned property qualifying the signature. A XAdES-A form MAY contain several ArchiveTimeStamp elements.

Below follows the schema definition for this element.

<xsd:element name="ArchiveTimeStamp" type="TimeStampType"/>

The ArchiveTimeStamp element contains the following sequence of HashDataInfo elements:

  • One HashDataInfo element for each data object signed by the [XMLDSIG] signature. The result of applying the transforms specified in each HashDataInfo must be exactly the same as the octet stream that was originally used for computing the digest value of the corresponding ds:Reference.

  • One HashDataInfo element for the ds:SignedInfo element. The result of applying the transforms specified in this HashDataInfo must be exactly the same as the octet stream that was originally used for computing the signature value of the [XMLDSIG] signature.

  • One HashDataInfo element for the SignedSignatureProperties element.

  • One HashDataInfo element for the SignedDataObjectProperties element.

  • One HashDataInfo element for the ds:SignatureValue element.

  • One HashDataInfo element per each SignatureTimeStamp property.

  • One HashDataInfo element for the CompleteCertificateRefs property.

  • One HashDataInfo element for the CompleteRevocationRefs property.

  • One HashDataInfo element for the CertificateValues property (add this property first if not already present).

  • One HashDataInfo element for the RevocationValues property (add this property first if not already present).

  • One HashDataInfo element per each SigAndRefsTimeStamp property (if present).

  • One HashDataInfo element per each RefsOnlyTimeStamp property (if present).

  • One HashDataInfo element per each previous ArchiveTimeStamp property (if present).
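The three hash inputs this note specifies, as an added example that is not the note's own code: the ordered element sequences of SigAndRefsTimeStamp (5.5.1), RefsOnlyTimeStamp (5.5.2) and ArchiveTimeStamp (5.7.1) are collected from a signature and digested into the messageImprint sent to the TSA, and a second ArchiveTimeStamp is shown covering the first. Assumptions: each HashDataInfo octet stream is the Canonical XML of the referenced element (in a real signature the Transforms child of HashDataInfo decides this), the signed data objects are same-document references of the form URI="#Id", and the signature below is a constructed skeleton with placeholder values.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

XADES = "http://uri.etsi.org/01903/v1.1.1#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
ET.register_namespace("xades", XADES)

def q(ns, local):
    return f"{{{ns}}}{local}"

# HashDataInfo sequence of each time-stamp in the order of 5.5.1, 5.5.2 and
# 5.7.1.  "*": one entry per occurrence; "?": element may be absent;
# DATA_OBJECTS: one entry per ds:Reference of the [XMLDSIG] signature.
DATA_OBJECTS = (None, "DataObject*")
SEQUENCES = {
    "SigAndRefsTimeStamp": [(DS, "SignatureValue"), (XADES, "SignatureTimeStamp*"),
                            (XADES, "CompleteCertificateRefs"), (XADES, "CompleteRevocationRefs")],
    "RefsOnlyTimeStamp": [(XADES, "CompleteCertificateRefs"), (XADES, "CompleteRevocationRefs")],
    "ArchiveTimeStamp": [DATA_OBJECTS, (DS, "SignedInfo"), (XADES, "SignedSignatureProperties"),
                         (XADES, "SignedDataObjectProperties?"), (DS, "SignatureValue"),
                         (XADES, "SignatureTimeStamp*"), (XADES, "CompleteCertificateRefs"),
                         (XADES, "CompleteRevocationRefs"), (XADES, "CertificateValues"),
                         (XADES, "RevocationValues"), (XADES, "SigAndRefsTimeStamp*"),
                         (XADES, "RefsOnlyTimeStamp*"), (XADES, "ArchiveTimeStamp*")],
}

def octets(el):
    """Octet stream of one element: Canonical XML (assumption, see lead-in)."""
    el = copy.copy(el)      # shallow copy so the tail text can be dropped
    el.tail = None
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode()

def signed_data_objects(sig):
    """Octets of what each ds:Reference signed (same-document URI="#Id" only)."""
    by_id = {el.get("Id"): el for el in sig.iter() if el.get("Id")}
    out = []
    for ref in sig.findall(f"{q(DS, 'SignedInfo')}/{q(DS, 'Reference')}"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in by_id:
            raise ValueError(f"unsupported or dangling reference {uri!r}")
        out.append(("DataObject", octets(by_id[uri[1:]])))
    return out

def hash_inputs(sig, kind):
    """Ordered (label, octets) pairs making up the time-stamp's hash input."""
    inputs = []
    for ns, name in SEQUENCES[kind]:
        if ns is None:
            inputs.extend(signed_data_objects(sig))
            continue
        local = name.rstrip("*?")
        # ds: elements are direct children of ds:Signature; XAdES properties
        # sit under QualifyingProperties inside a ds:Object.
        found = sig.findall(q(ns, local)) if ns == DS else list(sig.iter(q(ns, local)))
        if not name.endswith("*") and (len(found) > 1 or (not found and not name.endswith("?"))):
            raise ValueError(f"{kind}: expected one {local}, found {len(found)}")
        label = ("ds:" if ns == DS else "") + local
        inputs.extend((label, octets(el)) for el in found)
    return inputs

def message_imprint(sig, kind, hash_name="sha256"):
    """Digest over the concatenated inputs: the messageImprint of the request
    sent to the TSA.  Returns (hex digest, labels in hashing order)."""
    inputs = hash_inputs(sig, kind)
    h = hashlib.new(hash_name)
    for _, data in inputs:
        h.update(data)
    return h.hexdigest(), [label for label, _ in inputs]

def add_archive_timestamp(sig, token_b64):
    """Append an ArchiveTimeStamp holding an obtained [TSP] token (HashDataInfo
    children omitted here); the next ArchiveTimeStamp then covers this one too."""
    usp = next(sig.iter(q(XADES, "UnsignedSignatureProperties")))
    ts = ET.SubElement(usp, q(XADES, "ArchiveTimeStamp"))
    ET.SubElement(ts, q(XADES, "EncapsulatedTimeStamp")).text = token_b64
    return ts

def parse_signature(xml_text):
    return ET.fromstring(xml_text)

# Constructed XAdES-X-L skeleton; every value is a placeholder, not real PKI data.
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}" xmlns="{XADES}" Id="sig">
 <ds:SignedInfo><ds:Reference URI="#data"/><ds:Reference URI="#sp"/></ds:SignedInfo>
 <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
 <ds:Object Id="data">signed payload</ds:Object>
 <ds:Object><QualifyingProperties Target="#sig">
  <SignedProperties Id="sp"><SignedSignatureProperties><SigningTime>2003-02-20T10:00:00Z</SigningTime>
   </SignedSignatureProperties><SignedDataObjectProperties/></SignedProperties>
  <UnsignedProperties><UnsignedSignatureProperties>
   <SignatureTimeStamp><EncapsulatedTimeStamp>dHN0MQ==</EncapsulatedTimeStamp></SignatureTimeStamp>
   <CompleteCertificateRefs><CertRefs/></CompleteCertificateRefs>
   <CompleteRevocationRefs><CRLRefs><CRLRef><CRLIdentifier><Issuer>CN=Constructed CA</Issuer>
    <IssueTime>2003-02-20T00:00:00Z</IssueTime></CRLIdentifier></CRLRef></CRLRefs></CompleteRevocationRefs>
   <CertificateValues/><RevocationValues/>
  </UnsignedSignatureProperties></UnsignedProperties>
 </QualifyingProperties></ds:Object>
</ds:Signature>"""
```

Any change to a covered element, for instance an edited Issuer inside CompleteRevocationRefs, yields a different imprint, which is the integrity property 5.5.1 describes for the XAdES-C material.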

6 Definitions

Attribute Certificate
A set of attributes of a user together with some other information, rendered unforgeable by the digital signature created using the private key of the certification authority which issued it (definition taken from [X509v3]).

Data Object (Content/Document)
See definition in http://www.w3.org/TR/xmldsig-core/#def-DataObject

Signature
See definition in http://www.w3.org/TR/xmldsig-core/#def-Signature

7 References

CMS
RFC 2630: Cryptographic Message Syntax. R. Housley. June 1999. http://www.ietf.org/rfc/rfc2630.txt
ESI
ETSI TS 101 733: Electronic Signature Formats. http://www.etsi.org
ESI-XAdES
ETSI TS 101 903: XML Advanced Electronic Signatures (XAdES). http://uri.etsi.org/01903/v1.1.1#
ES-SMIME
RFC 2634: Enhanced Security Services for S/MIME. P. Hoffman. June 1999. http://www.ietf.org/rfc/rfc2634.txt
EU-DIR-ESIG
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
Keywords
RFC 2119: Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. March 1997. http://www.ietf.org/rfc/rfc2119.txt
OCSP
RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. M. Myers, R. Ankney, A. Malpani, S. Galperin, C. Adams. June 1999. http://www.ietf.org/rfc/rfc2560.txt
TSP
RFC 3161: Internet X.509 Public Key Infrastructure Time Stamp Protocol (TSP). P. Cain, D. Pinkas, R. Zuccherato. August 2001. http://www.ietf.org/rfc/rfc3161.txt
TSPProf
ETSI TS 101 861: Time stamping profile. http://www.etsi.org
URI
RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax. T. Berners-Lee, R. Fielding, U.C. Irvine, L. Masinter. August 1998. http://www.ietf.org/rfc/rfc2396.txt
URN
RFC 2141: URN Syntax. R. Moats. May 1997. http://www.ietf.org/rfc/rfc2141.txt
URN-NM
RFC 2611: URN Namespace Definition Mechanisms. L. Daigle, D. van Gulik, R. Iannella, P. Falstrom. June 1999. http://www.ietf.org/rfc/rfc2611.txt
URN-OID
RFC 3061: A URN Namespace of Object Identifiers. M. Mealling. February 2001. http://www.ietf.org/rfc/rfc3061.txt
XML
Extensible Markup Language (XML) 1.0 (Second Edition). W3C Recommendation. T. Bray, E. Maler, J. Paoli, C. M. Sperberg-McQueen. October 2000. http://www.w3.org/TR/2000/REC-xml-20001006
XMLDSIG
XML-Signature Syntax and Processing. W3C Recommendation. Donald Eastlake, Joseph Reagle, David Solo. February 2002. http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
XML-schema-part-1
XML-Schema Part 1: Structures. W3C Recommendation. D. Beech, M. Maloney, N. Mendelsohn, H. Thompson. May 2001. http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/
XML-schema-part-2
XML-Schema Part 2: Datatypes. W3C Recommendation. P. Biron, A. Malhotra. May 2001. http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/
X509v3
ITU-T Recommendation X.509 version 3 (1997). "Information Technology - Open Systems Interconnection - The Directory Authentication Framework". ISO/IEC 9594-8:1997.
X509Prof
RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile. R. Housley, W. Polk, D. Solo. January 1999. http://www.ietf.org/rfc/rfc2459.txt

8 Appendix A. Schema Definitions

<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema targetNamespace="http://uri.etsi.org/01903/v1.1.1#" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns="http://uri.etsi.org/01903/v1.1.1#" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" elementFormDefault="qualified">

<!-- Start auxiliary types definitions: AnyType, ObjectIdentifierType, EncapsulatedPKIDataType and TimestampType-->

<!-- Start AnyType -->

<xsd:element name="Any" type="AnyType"/>
<xsd:complexType name="AnyType" mixed="true">
  <xsd:sequence>
    <xsd:any namespace="##any"/>
  </xsd:sequence>
  <xsd:anyAttribute namespace="##any"/>
</xsd:complexType>

<!-- End AnyType -->

<!-- Start ObjectIdentifierType-->

<xsd:element name="ObjectIdentifier" type="ObjectIdentifierType"/>
<xsd:complexType name="ObjectIdentifierType">
  <xsd:sequence>
    <xsd:element name="Identifier" type="IdentifierType"/>
    <xsd:element name="Description" type="xsd:string" minOccurs="0"/>
    <xsd:element name="DocumentationReferences" type="DocumentationReferencesType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="IdentifierType">
  <xsd:complexContent>
    <xsd:extension base="xsd:anyURI">
      <xsd:attribute name="Qualifier" type="QualifierType" use="optional"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>
<xsd:simpleType name="QualifierType">
  <xsd:restriction base="xsd:string">
    <xsd:enumeration value="OIDAsURI"/>
    <xsd:enumeration value="OIDAsURN"/>
  </xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="DocumentationReferencesType">
  <xsd:sequence maxOccurs="unbounded">
    <xsd:element name="DocumentationReference" type="xsd:anyURI"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End ObjectIdentifierType-->

<!-- Start EncapsulatedPKIDataType-->

<xsd:element name="EncapsulatedPKIData" type="EncapsulatedPKIDataType"/>
<xsd:complexType name="EncapsulatedPKIDataType">
  <xsd:complexContent>
    <xsd:extension base="xsd:base64Binary">
      <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>

<!-- End EncapsulatedPKIDataType -->

<!-- Start TimeStampType -->

<xsd:element name="TimeStamp" type="TimeStampType"/>
<xsd:complexType name="TimeStampType">
  <xsd:sequence>
    <xsd:element name="HashDataInfo" type="HashDataInfoType" maxOccurs="unbounded"/>
    <xsd:choice>
      <xsd:element name="EncapsulatedTimeStamp" type="EncapsulatedPKIDataType"/>
      <xsd:element name="XMLTimeStamp" type="AnyType"/>
    </xsd:choice>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="HashDataInfoType">
  <xsd:sequence>
    <xsd:element name="Transforms" type="ds:TransformsType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="uri" type="xsd:anyURI" use="required"/>
</xsd:complexType>

<!-- End TimeStampType -->

<!-- End auxiliary types definitions-->

<!-- Start container types -->

<!-- Start QualifyingProperties -->

<xsd:element name="QualifyingProperties" type="QualifyingPropertiesType"/>
<xsd:complexType name="QualifyingPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedProperties" type="SignedPropertiesType" minOccurs="0"/>
    <xsd:element name="UnsignedProperties" type="UnsignedPropertiesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Target" type="xsd:anyURI" use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<!-- End QualifyingProperties -->

<!-- Start SignedProperties-->

<xsd:element name="SignedProperties" type="SignedPropertiesType"/>
<xsd:complexType name="SignedPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedSignatureProperties" type="SignedSignaturePropertiesType"/>
    <xsd:element name="SignedDataObjectProperties" type="SignedDataObjectPropertiesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<!-- End SignedProperties-->

<!-- Start UnsignedProperties-->

<xsd:element name="UnsignedProperties" type="UnsignedPropertiesType" />  
<xsd:complexType name="UnsignedPropertiesType">
  <xsd:sequence>
    <xsd:element name="UnsignedSignatureProperties" type="UnsignedSignaturePropertiesType" minOccurs="0"/>
    <xsd:element name="UnsignedDataObjectProperties" type="UnsignedDataObjectPropertiesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<!-- End UnsignedProperties-->

<!-- Start SignedSignatureProperties-->

<xsd:element name="SignedSignatureProperties" type="SignedSignaturePropertiesType" />
<xsd:complexType name="SignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="SigningTime" type="xsd:dateTime"/>
    <xsd:element name="SigningCertificate" type="CertIDListType"/>
    <xsd:element name="SignaturePolicyIdentifier" type="SignaturePolicyIdentifierType"/>
    <xsd:element name="SignatureProductionPlace" type="SignatureProductionPlaceType" minOccurs="0"/>
    <xsd:element name="SignerRole" type="SignerRoleType" minOccurs="0"/>  
  </xsd:sequence>
</xsd:complexType>

<!-- End SignedSignatureProperties-->

<!-- Start SignedDataObjectProperties-->

<xsd:element name="SignedDataObjectProperties" type="SignedDataObjectPropertiesType"/>
<xsd:complexType name="SignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="DataObjectFormat" type="DataObjectFormatType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CommitmentTypeIndication" type="CommitmentTypeIndicationType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="AllDataObjectsTimeStamp" type="TimeStampType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="IndividualDataObjectsTimeStamp" type="TimeStampType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End SignedDataObjectProperties-->

<!-- Start UnsignedSignatureProperties-->

<xsd:element name="UnsignedSignatureProperties"   type="UnsignedSignaturePropertiesType"/>
<xsd:complexType name="UnsignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="CounterSignature" type="CounterSignatureType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="SignatureTimeStamp" type="TimeStampType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CompleteCertificateRefs" type="CompleteCertificateRefsType" minOccurs="0"/>
    <xsd:element name="CompleteRevocationRefs" type="CompleteRevocationRefsType" minOccurs="0"/>
    <xsd:choice>
      <xsd:element name="SigAndRefsTimeStamp" type="TimeStampType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="RefsOnlyTimeStamp" type="TimeStampType" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:choice>
    <xsd:element name="CertificateValues" type="CertificateValuesType" minOccurs="0"/>
    <xsd:element name="RevocationValues" type="RevocationValuesType" minOccurs="0"/>
    <xsd:element name="ArchiveTimeStamp" type="TimeStampType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>  
</xsd:complexType>

<!-- End UnsignedSignatureProperties-->

<!-- Start UnsignedDataObjectProperties-->

<xsd:element name="UnsignedDataObjectProperties" type="UnsignedDataObjectPropertiesType" />
<xsd:complexType name="UnsignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="UnsignedDataObjectProperty" type="AnyType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End UnsignedDataObjectProperties-->

<!-- Start QualifyingPropertiesReference-->

<xsd:element name="QualifyingPropertiesReference" type="QualifyingPropertiesReferenceType"/>
<xsd:complexType name="QualifyingPropertiesReferenceType">
  <xsd:sequence>
    <xsd:element name="Transforms" type="ds:TransformsType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<!-- End QualifyingPropertiesReference-->

<!-- End container types -->

<!-- Start SigningTime element -->

<xsd:element name="SigningTime" type="xsd:dateTime"/>

<!-- End SigningTime element -->

<!-- Start SigningCertificate -->

<xsd:element name="SigningCertificate" type="CertIDListType"/>
<xsd:complexType name="CertIDListType">
  <xsd:sequence>
    <xsd:element name="Cert" type="CertIDType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CertIDType">
  <xsd:sequence>
    <xsd:element name="CertDigest" type="DigestAlgAndValueType"/>
    <xsd:element name="IssuerSerial" type="ds:X509IssuerSerialType"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="DigestAlgAndValueType">
  <xsd:sequence>
    <xsd:element name="DigestMethod" type="ds:DigestMethodType"/>
    <xsd:element name="DigestValue" type="ds:DigestValueType"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End SigningCertificate -->

<!-- Start SignaturePolicyIdentifier -->

<xsd:element name="SignaturePolicyIdentifier" type="SignaturePolicyIdentifierType"/>
<xsd:complexType name="SignaturePolicyIdentifierType">
  <xsd:choice>
    <xsd:element name="SignaturePolicyId" type="SignaturePolicyIdType"/>
    <xsd:element name="SignaturePolicyImplied"/>
  </xsd:choice>
</xsd:complexType>
<xsd:complexType name="SignaturePolicyIdType">
  <xsd:sequence>
    <xsd:element name="SigPolicyId" type="ObjectIdentifierType"/>
    <xsd:element ref="ds:Transforms" minOccurs="0"/>
    <xsd:element name="SigPolicyHash" type="DigestAlgAndValueType"/>
    <xsd:element name="SigPolicyQualifiers" type="SigPolicyQualifiersListType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="SigPolicyQualifiersListType">
  <xsd:sequence>
    <xsd:element name="SigPolicyQualifier" type="AnyType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:element name="SPURI" type="xsd:anyURI"/>
<xsd:element name="SPUserNotice" type="SPUserNoticeType"/>
<xsd:complexType name="SPUserNoticeType">
  <xsd:sequence>
    <xsd:element name="NoticeRef" type="NoticeReferenceType" minOccurs="0"/>
    <xsd:element name="ExplicitText" type="xsd:string" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="NoticeReferenceType">
  <xsd:sequence>
    <xsd:element name="Organization" type="xsd:string"/>
    <xsd:element name="NoticeNumbers" type="IntegerListType"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="IntegerListType">
  <xsd:sequence>
    <xsd:element name="int" type="xsd:integer" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End SignaturePolicyIdentifier -->


<!-- Start CounterSignature -->

<xsd:element name="CounterSignature" type="CounterSignatureType"/>
<xsd:complexType name="CounterSignatureType">
  <xsd:sequence>
    <xsd:element ref="ds:Signature"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End CounterSignature -->

<!-- Start DataObjectFormat -->

<xsd:element name="DataObjectFormat" type="DataObjectFormatType"/>
<xsd:complexType name="DataObjectFormatType">
  <xsd:sequence>
    <xsd:element name="Description" type="xsd:string" minOccurs="0"/>
    <xsd:element name="ObjectIdentifier" type="ObjectIdentifierType" minOccurs="0"/>
    <xsd:element name="MimeType" type="xsd:string" minOccurs="0"/>
    <xsd:element name="Encoding" type="xsd:anyURI" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="ObjectReference" type="xsd:anyURI" use="required"/>
</xsd:complexType>

<!-- End DataObjectFormat -->

<!-- Start CommitmentTypeIndication -->

<xsd:element name="CommitmentTypeIndication" type="CommitmentTypeIndicationType"/>
<xsd:complexType name="CommitmentTypeIndicationType">
  <xsd:sequence>
    <xsd:element name="CommitmentTypeId" type="ObjectIdentifierType"/>
    <xsd:choice>
      <xsd:element name="ObjectReference" type="xsd:anyURI" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="AllSignedDataObjects"/>
    </xsd:choice>
    <xsd:element name="CommitmentTypeQualifiers" type="CommitmentTypeQualifiersListType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CommitmentTypeQualifiersListType">
  <xsd:sequence>
    <xsd:element name="CommitmentTypeQualifier" type="AnyType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End CommitmentTypeIndication -->

<!-- Start SignatureProductionPlace -->

<xsd:element name="SignatureProductionPlace" type="SignatureProductionPlaceType"/>
<xsd:complexType name="SignatureProductionPlaceType">
  <xsd:sequence>
    <xsd:element name="City" type="xsd:string" minOccurs="0"/>
    <xsd:element name="StateOrProvince" type="xsd:string" minOccurs="0"/>
    <xsd:element name="PostalCode" type="xsd:string" minOccurs="0"/>
    <xsd:element name="CountryName" type="xsd:string" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End SignatureProductionPlace -->

<!-- Start SignerRole -->

<xsd:element name="SignerRole" type="SignerRoleType"/>
<xsd:complexType name="SignerRoleType">
  <xsd:sequence>
    <xsd:element name="ClaimedRoles" type="ClaimedRolesListType"
      minOccurs="0"/>
    <xsd:element name="CertifiedRoles" type="CertifiedRolesListType"
      minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="ClaimedRolesListType">
  <xsd:sequence>
    <xsd:element name="ClaimedRole" type="AnyType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CertifiedRolesListType">
  <xsd:sequence>
    <xsd:element name="CertifiedRole" type="EncapsulatedPKIDataType"
      maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End SignerRole -->


<xsd:element name="AllDataObjectsTimeStamp" type="TimeStampType"/>

<xsd:element name="IndividualDataObjectsTimeStamp" type="TimeStampType"/>

<xsd:element name="SignatureTimeStamp" type="TimeStampType"/>

<!-- Start CompleteCertificateRefs -->

<xsd:element name="CompleteCertificateRefs" type="CompleteCertificateRefsType"/>

<xsd:complexType name="CompleteCertificateRefsType">
  <xsd:sequence>
    <xsd:element name="CertRefs" type="CertIDListType" />
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<!-- End CompleteCertificateRefs -->


<!-- Start CompleteRevocationRefs-->

<xsd:element name="CompleteRevocationRefs" type="CompleteRevocationRefsType"/>

<xsd:complexType name="CompleteRevocationRefsType">
  <xsd:sequence>
    <xsd:element name="CRLRefs" type="CRLRefsType" minOccurs="0"/>
    <xsd:element name="OCSPRefs" type="OCSPRefsType" minOccurs="0"/>
    <xsd:element name="OtherRefs" type="OtherCertStatusRefsType" minOccurs="0"/> 
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<xsd:complexType name="CRLRefsType">
  <xsd:sequence>
    <xsd:element name="CRLRef" type="CRLRefType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CRLRefType">
  <xsd:sequence>
    <xsd:element name="DigestAlgAndValue" type="DigestAlgAndValueType"/>
    <xsd:element name="CRLIdentifier" type="CRLIdentifierType" minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CRLIdentifierType">
  <xsd:sequence>
    <xsd:element name="Issuer" type="xsd:string"/>
    <xsd:element name="IssueTime" type="xsd:dateTime" />
    <xsd:element name="Number" type="xsd:integer"  minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
</xsd:complexType>

<xsd:complexType name="OCSPRefsType">
  <xsd:sequence>
    <xsd:element name="OCSPRef" type="OCSPRefType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="OCSPRefType">
  <xsd:sequence>
    <xsd:element name="OCSPIdentifier" type="OCSPIdentifierType"/>
    <xsd:element name="DigestAlgAndValue" type="DigestAlgAndValueType" 
      minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="OCSPIdentifierType">
  <xsd:sequence>
    <xsd:element name="ResponderID" type="xsd:string"/>
    <xsd:element name="ProducedAt" type="xsd:dateTime"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
</xsd:complexType>

<xsd:complexType name="OtherCertStatusRefsType">
  <xsd:sequence>
    <xsd:element name="OtherRef" type="AnyType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End CompleteRevocationRefs-->


<xsd:element name="SigAndRefsTimeStamp" type="TimeStampType"/>

<xsd:element name="RefsOnlyTimeStamp" type="TimeStampType"/>

<!-- Start CertificateValues -->

<xsd:element name="CertificateValues" type="CertificateValuesType"/>

<xsd:complexType name="CertificateValuesType">
  <xsd:choice minOccurs="0" maxOccurs="unbounded">
    <xsd:element name="EncapsulatedX509Certificate" type="EncapsulatedPKIDataType"/>
    <xsd:element name="OtherCertificate" type="AnyType"/>
  </xsd:choice>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<!-- End CertificateValues -->

<!-- Start RevocationValues-->

<xsd:element name="RevocationValues" type="RevocationValuesType"/>

<xsd:complexType name="RevocationValuesType">
  <xsd:sequence>
    <xsd:element name="CRLValues" type="CRLValuesType" minOccurs="0"/>
    <xsd:element name="OCSPValues" type="OCSPValuesType" minOccurs="0"/>
    <xsd:element name="OtherValues" type="OtherCertStatusValuesType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

<xsd:complexType name="CRLValuesType">
  <xsd:sequence>
     <xsd:element name="EncapsulatedCRLValue" type="EncapsulatedPKIDataType" 
       maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<xsd:complexType name="OCSPValuesType">
  <xsd:sequence>
      <xsd:element name="EncapsulatedOCSPValue" 
        type="EncapsulatedPKIDataType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="OtherCertStatusValuesType">
  <xsd:sequence>
    <xsd:element name="OtherValue" type="AnyType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

<!-- End RevocationValues-->

<xsd:element name="ArchiveTimeStamp" type="TimeStampType"/>


</xsd:schema>

9 Appendix B. DTD

<?xml version="1.0" encoding="UTF-8"?>


<!ENTITY % Any.ANY ''>
<!ENTITY % XMLTimeStamp.ANY ''> 

 <!-- Start Any -->
   
<!ELEMENT Any (#PCDATA  %Any.ANY;)*>

<!-- End Any -->

<!-- Start ObjectIdentifier -->

<!ELEMENT ObjectIdentifier (Identifier, Description?, DocumentationReferences?)>
<!ELEMENT Identifier (#PCDATA)>
<!ATTLIST Identifier
Qualifier (OIDAsURI | OIDAsURN) #IMPLIED
>
<!ELEMENT Description (#PCDATA)>
<!ELEMENT DocumentationReferences (DocumentationReference)+>
<!ELEMENT DocumentationReference (#PCDATA)>

<!-- End ObjectIdentifier -->

<!-- Start EncapsulatedPKIData -->

<!ELEMENT EncapsulatedPKIData (#PCDATA)>
<!ATTLIST EncapsulatedPKIData
Id ID #IMPLIED
>

<!-- End EncapsulatedPKIData -->

<!-- Start TimeStamp -->

<!ELEMENT TimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT HashDataInfo (Transforms?)>
<!ATTLIST HashDataInfo
uri CDATA #REQUIRED
>

<!ELEMENT EncapsulatedTimeStamp (#PCDATA)>
<!ATTLIST EncapsulatedTimeStamp
Id ID #IMPLIED
>
<!ELEMENT XMLTimeStamp (#PCDATA %XMLTimeStamp.ANY;)*>

<!-- End TimeStamp -->

<!-- Start container types -->

<!-- Start QualifyingProperties -->

<!ELEMENT QualifyingProperties (SignedProperties, UnsignedProperties?)>
<!ATTLIST QualifyingProperties
Target CDATA #REQUIRED
Id ID #IMPLIED
>

<!ELEMENT SignedProperties (SignedSignatureProperties, SignedDataObjectProperties?)>
<!ATTLIST SignedProperties
Id ID #IMPLIED
>
<!ELEMENT UnsignedProperties (UnsignedSignatureProperties?, UnsignedDataObjectProperties?)>
<!ATTLIST UnsignedProperties
Id ID #IMPLIED
>

<!-- End QualifyingProperties -->

<!-- Start SignedSignatureProperties, SignedDataObjectProperties, 
UnsignedSignatureProperties, UnsignedDataObjectProperties -->

<!ELEMENT SignedSignatureProperties (SigningTime, SigningCertificate, 
SignaturePolicyIdentifier, SignatureProductionPlace?, SignerRole?)
>
<!ELEMENT SignedDataObjectProperties (DataObjectFormat*, CommitmentTypeIndication*, 
AllDataObjectsTimeStamp*, IndividualDataObjectsTimeStamp*)
>

<!ELEMENT UnsignedSignatureProperties (CounterSignature*, SignatureTimeStamp*, 
CompleteCertificateRefs?, CompleteRevocationRefs?, 
(SigAndRefsTimeStamp* | RefsOnlyTimeStamp*), CertificateValues?, 
RevocationValues?, ArchiveTimeStamp*)
>
<!ELEMENT UnsignedDataObjectProperties (UnsignedDataObjectProperty*)>

<!ELEMENT UnsignedDataObjectProperty (#PCDATA %Any.ANY; )*>

<!-- End SignedSignatureProperties, SignedDataObjectProperties, 
UnsignedSignatureProperties, UnsignedDataObjectProperties -->

<!-- Start QualifyingPropertiesReference -->

<!ELEMENT QualifyingPropertiesReference (Transforms?)>
<!ATTLIST QualifyingPropertiesReference
URI CDATA #REQUIRED
Id ID #IMPLIED
>

<!-- End QualifyingPropertiesReference -->

<!-- End container types -->

<!-- Start SigningTime -->

<!ELEMENT SigningTime (#PCDATA)>

<!-- End SigningTime -->

<!-- Start SigningCertificate -->

<!ELEMENT SigningCertificate (Cert+)>
<!ELEMENT Cert (CertDigest, IssuerSerial)>
<!ELEMENT CertDigest (DigestMethod, DigestValue)>
<!ELEMENT IssuerSerial (X509IssuerName, X509SerialNumber)>

<!-- End SigningCertificate -->

<!-- Start SignaturePolicyIdentifier -->

<!ELEMENT SignaturePolicyIdentifier (SignaturePolicyId | SignaturePolicyImplied)>

<!ELEMENT SignaturePolicyId (SigPolicyId, Transforms?, SigPolicyHash, SigPolicyQualifiers?)>
<!ELEMENT SignaturePolicyImplied ANY>

<!ELEMENT SigPolicyId (Identifier, Description?, DocumentationReferences?)>
<!ELEMENT SigPolicyHash (DigestMethod, DigestValue)>

<!ELEMENT SigPolicyQualifiers (SigPolicyQualifier+)>
<!ELEMENT SigPolicyQualifier (#PCDATA %Any.ANY; )*>

<!-- End SignaturePolicyIdentifier -->

<!-- Start SPURI and SPUserNotice -->

<!ELEMENT SPURI (#PCDATA)>
<!ELEMENT SPUserNotice (NoticeRef?, ExplicitText?)>

<!ELEMENT NoticeRef (Organization, NoticeNumbers)>
<!ELEMENT ExplicitText (#PCDATA)>

<!ELEMENT Organization (#PCDATA)>
<!ELEMENT NoticeNumbers (int*)>
<!ELEMENT int (#PCDATA)>

<!-- End SPURI and SPUserNotice -->

<!-- Start CounterSignature -->

<!ELEMENT CounterSignature (Signature)>

<!-- End CounterSignature -->

<!-- Start DataObjectFormat -->

<!ELEMENT DataObjectFormat (Description?, ObjectIdentifier?, MimeType?, Encoding?)>
<!ATTLIST DataObjectFormat
ObjectReference CDATA #REQUIRED
>

<!ELEMENT MimeType (#PCDATA)>
<!ELEMENT Encoding (#PCDATA)>

<!-- End DataObjectFormat -->

<!-- Start CommitmentTypeIndication -->

<!ELEMENT CommitmentTypeIndication (CommitmentTypeId, 
(ObjectReference* | AllSignedDataObjects), CommitmentTypeQualifiers?)
>

<!ELEMENT CommitmentTypeId (Identifier, Description?, DocumentationReferences?)>
<!ELEMENT ObjectReference (#PCDATA)>
<!ELEMENT AllSignedDataObjects ANY>
<!ELEMENT CommitmentTypeQualifiers (CommitmentTypeQualifier*)>

<!ELEMENT CommitmentTypeQualifier (#PCDATA %Any.ANY; )*>

<!-- End CommitmentTypeIndication -->

<!-- Start SignatureProductionPlace -->

<!ELEMENT SignatureProductionPlace (City?, StateOrProvince?, PostalCode?, CountryName?)>

<!ELEMENT City (#PCDATA)>
<!ELEMENT StateOrProvince (#PCDATA)>
<!ELEMENT PostalCode (#PCDATA)>
<!ELEMENT CountryName (#PCDATA)>

<!-- End SignatureProductionPlace -->

<!-- Start SignerRole -->

<!ELEMENT SignerRole (ClaimedRoles?, CertifiedRoles?)>

<!ELEMENT ClaimedRoles (ClaimedRole+)>
<!ELEMENT CertifiedRoles (CertifiedRole+)>

<!ELEMENT ClaimedRole (#PCDATA %Any.ANY; )*>
<!ELEMENT CertifiedRole (#PCDATA)>
<!ATTLIST CertifiedRole
Id ID #IMPLIED
>
<!-- End SignerRole -->

<!-- Start AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp, SignatureTimeStamp -->

<!ELEMENT AllDataObjectsTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT IndividualDataObjectsTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT SignatureTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!-- End AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp, SignatureTimeStamp -->

<!-- Start CompleteCertificateRefs -->

<!ELEMENT CompleteCertificateRefs (CertRefs)>
<!ATTLIST CompleteCertificateRefs
Id ID #IMPLIED
>

<!ELEMENT CertRefs (Cert+)>

<!-- End CompleteCertificateRefs -->

<!-- Start CompleteRevocationRefs -->

<!ELEMENT CompleteRevocationRefs (CRLRefs?, OCSPRefs?, OtherRefs?)>
<!ATTLIST CompleteRevocationRefs
Id ID #IMPLIED
>

<!ELEMENT CRLRefs (CRLRef+)>
<!ELEMENT OCSPRefs (OCSPRef+)>
<!ELEMENT OtherRefs (OtherRef+)>

<!ELEMENT CRLRef (DigestAlgAndValue,CRLIdentifier?)>
<!ELEMENT OCSPRef (OCSPIdentifier, DigestAlgAndValue?)>
<!ELEMENT OtherRef (#PCDATA %Any.ANY; )*>

<!ELEMENT DigestAlgAndValue (DigestMethod, DigestValue)>
<!ELEMENT CRLIdentifier (Issuer, IssueTime, Number?)>
<!ATTLIST CRLIdentifier
URI CDATA #IMPLIED
>
<!ELEMENT OCSPIdentifier (ResponderID, ProducedAt)>
<!ATTLIST OCSPIdentifier
URI CDATA #IMPLIED
>

<!ELEMENT Issuer (#PCDATA)>
<!ELEMENT IssueTime (#PCDATA)>
<!ELEMENT Number (#PCDATA)>
<!ELEMENT ResponderID (#PCDATA)>
<!ELEMENT ProducedAt (#PCDATA)>

<!-- End CompleteRevocationRefs -->

<!-- Start SigAndRefsTimeStamp, RefsOnlyTimeStamp  -->

<!ELEMENT SigAndRefsTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT RefsOnlyTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!-- End SigAndRefsTimeStamp, RefsOnlyTimeStamp  -->

<!-- Start CertificateValues -->

<!ELEMENT CertificateValues (EncapsulatedX509Certificate | OtherCertificate)*>
<!ATTLIST CertificateValues
Id ID #IMPLIED
>

<!ELEMENT EncapsulatedX509Certificate (#PCDATA)>
<!ATTLIST EncapsulatedX509Certificate
Id ID #IMPLIED
>
<!ELEMENT OtherCertificate (#PCDATA %Any.ANY; )*>

<!-- End CertificateValues -->

<!-- Start RevocationValues -->

<!ELEMENT RevocationValues (CRLValues?, OCSPValues?, OtherValues?)>
<!ATTLIST RevocationValues
Id ID #IMPLIED
>

<!ELEMENT CRLValues (EncapsulatedCRLValue+)>
<!ELEMENT OCSPValues (EncapsulatedOCSPValue+)>
<!ELEMENT OtherValues (OtherValue+)>

<!ELEMENT EncapsulatedCRLValue (#PCDATA)>
<!ATTLIST EncapsulatedCRLValue
Id ID #IMPLIED
>
<!ELEMENT EncapsulatedOCSPValue (#PCDATA)>
<!ATTLIST EncapsulatedOCSPValue
Id ID #IMPLIED
>
<!ELEMENT OtherValue (#PCDATA %Any.ANY; )*>

<!-- End RevocationValues -->

<!-- Start ArchiveTimeStamp -->

<!ELEMENT ArchiveTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!-- End ArchiveTimeStamp -->
<?xml version="1.0" encoding="UTF-8"?>


<!ENTITY % Any.ANY ''>
<!ENTITY % XMLTimeStamp.ANY ''> 

 <!-- Start Any -->
   
<!ELEMENT Any (#PCDATA  %Any.ANY;)*>

<!-- End Any -->

<!-- Start ObjectIdentifier -->

<!ELEMENT ObjectIdentifier (Identifier, Description?, DocumentationReferences?)>
<!ELEMENT Identifier (#PCDATA)>
<!ATTLIST Identifier
Qualifier (OIDAsURI | OIDAsURN) #IMPLIED
>
<!ELEMENT Description (#PCDATA)>
<!ELEMENT DocumentationReferences (DocumentationReference)+>
<!ELEMENT DocumentationReference (#PCDATA)>

<!-- End ObjectIdentifier -->

<!-- Start EncapsulatedPKIData -->

<!ELEMENT EncapsulatedPKIData (#PCDATA)>
<!ATTLIST EncapsulatedPKIData
Id ID #IMPLIED
>

<!-- End EncapsulatedPKIData -->

<!-- Start EncapsulatedTimeStamp -->

<!ELEMENT TimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT HashDataInfo (Transforms?)>
<!ATTLIST HashDataInfo
uri CDATA #REQUIRED
>

<!ELEMENT EncapsulatedTimeStamp (#PCDATA)>
<!ATTLIST EncapsulatedTimeStamp
Id ID #IMPLIED
>
<!ELEMENT XMLTimeStamp (#PCDATA %XMLTimeStamp.ANY;)*>

<!-- End EncapsulatedTimeStamp -->

<!-- Start container types -->

<!-- Start QualifyingProperties -->

<!ELEMENT QualifyingProperties (SignedProperties, UnsignedProperties?)>
<!ATTLIST QualifyingProperties
Target CDATA #REQUIRED
Id ID #IMPLIED
>

<!ELEMENT SignedProperties (SignedSignatureProperties, SignedDataObjectProperties?)>
<!ATTLIST SignedProperties
Id ID #IMPLIED
>
<!ELEMENT UnsignedProperties (UnsignedSignatureProperties?, UnsignedDataObjectProperties?)>
<!ATTLIST UnsignedProperties
Id ID #IMPLIED
>

<!-- End QualifyingProperties -->

<!-- Start SignedSignatureProperties, SignedDataObjectProperties, 
UnsignedSignatureProperties, UnsignedDataObjectProperties -->

<!ELEMENT SignedSignatureProperties (SigningTime, SigningCertificate, 
SignaturePolicyIdentifier, SignatureProductionPlace?, SignerRole?)
>
<!ELEMENT SignedDataObjectProperties (DataObjectFormat*, 
CommitmentTypeIndication*, AllDataObjectsTimeStamp*, IndividualDataObjectsTimeStamp*)
>

<!ELEMENT UnsignedSignatureProperties (CounterSignature*, SignatureTimeStamp*, 
CompleteCertificateRefs?, CompleteRevocationRefs?, 
(SigAndRefsTimeStamp* | RefsOnlyTimeStamp*), CertificateValues?, 
RevocationValues?, ArchiveTimeStamp*)
>
<!ELEMENT UnsignedDataObjectProperties (UnsignedDataObjectProperty*)>

<!ELEMENT UnsignedDataObjectProperty (#PCDATA %Any.ANY; )*>

<!-- End SignedSignatureProperties, SignedDataObjectProperties, 
UnsignedSignatureProperties, UnsignedDataObjectProperties -->

<!-- Start QualifyingPropertiesReference -->

<!ELEMENT QualifyingPropertiesReference (Transforms?)>
<!ATTLIST QualifyingPropertiesReference
URI CDATA #REQUIRED
Id ID #IMPLIED
>

<!-- End QualifyingPropertiesReference -->

<!-- End container types -->

<!-- Start SigningTime -->

<!ELEMENT SigningTime (#PCDATA)>

<!-- End SigningTime -->

<!-- Start SigningCertificate -->

<!ELEMENT SigningCertificate (Cert+)>
<!ELEMENT Cert (CertDigest, IssuerSerial)>
<!ELEMENT CertDigest (DigestMethod, DigestValue)>
<!ELEMENT IssuerSerial (X509IssuerName, X509SerialNumber)>

<!-- End SigningCertificate -->

<!-- Start SignaturePolicyIdentifier -->

<!ELEMENT SignaturePolicyIdentifier (SignaturePolicyId | SignaturePolicyImplied)>

<!ELEMENT SignaturePolicyId (SigPolicyId, Transforms?, SigPolicyHash, SigPolicyQualifiers?)>
<!ELEMENT SignaturePolicyImplied ANY>

<!ELEMENT SigPolicyId (Identifier, Description?, DocumentationReferences?)>
<!ELEMENT SigPolicyHash (DigestMethod, DigestValue)>

<!ELEMENT SigPolicyQualifiers (SigPolicyQualifier+)>
<!ELEMENT SigPolicyQualifier (#PCDATA %Any.ANY; )*>

<!-- End SignaturePolicyIdentifier -->

<!-- Start SPURI and SPUserNotice -->

<!ELEMENT SPURI (#PCDATA)>
<!ELEMENT SPUserNotice (NoticeRef?, ExplicitText?)>

<!ELEMENT NoticeRef (Organization, NoticeNumbers)>
<!ELEMENT ExplicitText (#PCDATA)>

<!ELEMENT Organization (#PCDATA)>
<!ELEMENT NoticeNumbers (#PCDATA)*>

<!-- End SPURI and SPUserNotice -->

<!-- Start CounterSignature -->

<!ELEMENT CounterSignature (Signature)>

<!-- End CounterSignature -->

<!-- Start DataObjectFormat -->

<!ELEMENT DataObjectFormat (Description?, ObjectIdentifier?, MimeType?, Encoding?)>
<!ATTLIST DataObjectFormat
ObjectReference CDATA #REQUIRED
>

<!ELEMENT MimeType (#PCDATA)>
<!ELEMENT Encoding (#PCDATA)>

<!-- End DataObjectFormat -->

<!-- Start CommitmentTypeIndication -->

<!ELEMENT CommitmentTypeIndication (CommitmentTypeId, 
(ObjectReference* | AllSignedDataObjects), CommitmentTypeQualifiers?)
>

<!ELEMENT CommitmentTypeId (Identifier, Description?, DocumentationReferences?)>
<!ELEMENT ObjectReference (#PCDATA)>
<!ELEMENT AllSignedDataObjects ANY>
<!ELEMENT CommitmentTypeQualifiers (CommitmentTypeQualifier*)>

<!ELEMENT CommitmentTypeQualifier (#PCDATA%Any.ANY; )*>

<!-- End CommitmentTypeIndication -->

<!-- Start SignatureProductionPlace -->

<!ELEMENT SignatureProductionPlace (City?, StateOrProvince?, PostalCode?, CountryName?)>

<!ELEMENT City (#PCDATA)>
<!ELEMENT StateOrProvince (#PCDATA)>
<!ELEMENT PostalCode (#PCDATA)>
<!ELEMENT CountryName (#PCDATA)>

<!-- End SignatureProductionPlace -->

<!-- Start SignerRole -->

<!-- Start SignerRole -->

<!ELEMENT SignerRole (ClaimedRoles?, CertifiedRoles?)>

<!ELEMENT ClaimedRoles (ClaimedRole+)>
<!ELEMENT CertifiedRoles (CertifiedRole+)>

<!ELEMENT ClaimedRole (#PCDATA %Any.ANY; )*>
<!ELEMENT CertifiedRole (#PCDATA)>
<!ATTLIST CertifiedRole
Id ID #IMPLIED
>
<!-- End SignerRole -->

<!-- Start AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp, SignatureTimeStamp -->

<!ELEMENT AllDataObjectsTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT IndividualDataObjectsTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT SignatureTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!-- End AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp, SignatureTimeStamp -->

<!-- Start CompleteCertificateRefs -->

<!ELEMENT CompleteCertificateRefs (CertRefs)>
<!ATTLIST CompleteCertificateRefs
Id ID #IMPLIED
>

<!ELEMENT CertRefs (Cert+)>

<!-- End CompleteCertificateRefs -->

<!-- Start CompleteRevocationRefs -->

<!ELEMENT CompleteRevocationRefs (CRLRefs?, OCSPRefs?, OtherRefs?)>
<!ATTLIST CompleteRevocationRefs
Id ID #IMPLIED
>

<!ELEMENT CRLRefs (CRLRef+)>
<!ELEMENT OCSPRefs (OCSPRef+)>
<!ELEMENT OtherRefs (OtherRef+)>

<!ELEMENT CRLRef (DigestAlgAndValue,CRLIdentifier?)>
<!ELEMENT OCSPRef (OCSPIdentifier, DigestAlgAndValue?)>
<!ELEMENT OtherRef (#PCDATA %Any.ANY; )*>

<!ELEMENT DigestAlgAndValue (DigestMethod, DigestValue)>
<!ELEMENT CRLIdentifier (Issuer, IssueTime, Number?)>
<!ATTLIST Identifier
URI CDATA #IMPLIED
>
<!ELEMENT OCSPIdentifier (ResponderID, ProducedAt)>
<!ATTLIST Identifier
URI CDATA #IMPLIED
>

<!ELEMENT Issuer (#PCDATA)>
<!ELEMENT IssueTime (#PCDATA)>
<!ELEMENT Number (#PCDATA)>
<!ELEMENT ResponderID (#PCDATA)>
<!ELEMENT ProducedAt (#PCDATA)>

<!-- End CompleteRevocationRefs -->

<!-- Start SigAndRefsTimeStamp, RefsOnlyTimeStamp  -->

<!ELEMENT SigAndRefsTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!ELEMENT RefsOnlyTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!-- End SigAndRefsTimeStamp, RefsOnlyTimeStamp  -->

<!-- Start CertificateValues -->

<!ELEMENT CertificateValues (EncapsulatedX509Certificate | OtherCertificate)*>
<!ATTLIST CertificateValues
Id ID #IMPLIED
>

<!ELEMENT EncapsulatedX509Certificate (#PCDATA)>
<!ATTLIST EncapsulatedX509Certificate
Id ID #IMPLIED
>
<!ELEMENT OtherCertificate (#PCDATA %Any.ANY; )*>

<!-- End CertificateValues -->

<!-- Start RevocationValues -->

<!ELEMENT RevocationValues (CRLValues?, OCSPValues?, OtherValues?)>
<!ATTLIST RevocationValues
Id ID #IMPLIED
>

<!ELEMENT CRLValues (EncapsulatedCRLValue+)>
<!ELEMENT OCSPValues (EncapsulatedOCSPValue+)>
<!ELEMENT OtherValues (OtherValue+)>

<!ELEMENT EncapsulatedCRLValue (#PCDATA)>
<!ATTLIST EncapsulatedCRLValue
Id ID #IMPLIED
>
<!ELEMENT EncapsulatedOCSPValue (#PCDATA)>
<!ATTLIST EncapsulatedOCSPValue
Id ID #IMPLIED
>
<!ELEMENT OtherValue (#PCDATA %Any.ANY; )*>

<!-- End RevocationValues -->

<!-- Start ArchiveTimeStamp -->

<!ELEMENT ArchiveTimeStamp (HashDataInfo+, (EncapsulatedTimeStamp | XMLTimeStamp))>

<!-- End ArchiveTimeStamp -->

10 Appendix C. Incorporation of Qualifying Properties

As stated in the normative part of the present document, new elements have been defined to incorporate properties (both signed and unsigned) that qualify the whole signature, the signer or individual signed data objects: QualifyingProperties, SignedProperties, UnsignedProperties, SignedSignatureProperties, UnsignedSignatureProperties, SignedDataObjectProperties and UnsignedDataProperties.

This annex shows an example of direct incorporation of qualifying properties and one example of indirect incorporation of these properties.

Below follows the resulting general structure of direct incorporation.

<ds:Signature ID?>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod/>
    <ds:SignatureMethod/>
    (<ds:Reference URI? >
      (<ds:Transforms>)?
      <ds:DigestMethod>
      <ds:DigestValue>
    </ds:Reference>)+
  </ds:SignedInfo>
  <ds:SignatureValue>
  (<ds:KeyInfo>)?
  <ds:Object>

    <SignedProperties>

      <SignedSignatureProperties>
        <!-- Collection of signed XML elements with
        properties qualifying the signature or the
        signer -->
      </SignedSignatureProperties>

      <SignedDataObjectProperties>
        <!-- Collection of signed XML elements with
        properties individually qualifying signed data
        objects -->
      </SignedDataObjectProperties>

    </SignedProperties>

    <UnsignedProperties>

      <UnsignedSignatureProperties>
        <!-- Collection of unsigned XML elements with
        properties qualifying signature or signer -->
      </UnsignedSignatureProperties>

      <UnsignedDataObjectProperties>
        <!-- Collection of unsigned XML elements with
        properties individually qualifying signed
        data objects -->
      </UnsignedDataObjectProperties>

    </UnsignedProperties>

  </ds:Object>
</ds:Signature>

Below follows an example showing the inclusion of three sets of qualifying properties:

[s01]<ds:Signature Id="SignatureWithSignedAndUnsignedProperties" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[s02]  <ds:SignedInfo>
[s03]    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000710"/>
[s04]    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
[s05]    <ds:Reference URI="http://www.example.org/docToBeSigned" Id="FirstSignedDocument">
[s06]      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
[s07]      <ds:DigestValue>h9kmx3rvDH75vKtNpi4NbeBGDnl=</ds:DigestValue>
[s08]    </ds:Reference>
[s09]    <ds:Reference URI="#SignedProperties"
        Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties">
[s10]      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
[s11]      <ds:DigestValue>...</ds:DigestValue>
[s12]    </ds:Reference>
[s13]  </ds:SignedInfo>
[s14]  <ds:SignatureValue>...</ds:SignatureValue>
[s15]  <ds:KeyInfo><ds:KeyValue>...</ds:KeyValue></ds:KeyInfo>
[s16]  <ds:Object xmlns="http://uri.etsi.org/01903/v1.1.1#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[s17]    <QualifyingProperties>
[s18]      <SignedProperties Target="#SignatureWithSignedAndUnsignedProperties" Id="SignedProperties">
[s19]        <SignedSignatureProperties>
[s20]          <SigningTime>2000-11-18T12:10:00Z</SigningTime>
[s21]          <SigningCertificate>...</SigningCertificate>
[s22]          <SignaturePolicyIdentifier>...</SignaturePolicyIdentifier>
[s23]        </SignedSignatureProperties>
[s24]        <SignedDataObjectProperties>
[s25]          <DataObjectFormat>...</DataObjectFormat>
[s26]          <AllDataObjectsTimeStamp>...</AllDataObjectsTimeStamp>
[s27]        </SignedDataObjectProperties>
[s28]      </SignedProperties>
[s29]      <UnsignedProperties>
[s30]        <UnsignedSignatureProperties>
[s31]          <SignatureTimeStamp>...</SignatureTimeStamp>
[s32]          <CompleteCertificateRefs>...</CompleteCertificateRefs>
[s33]          <CompleteRevocationRefs>...</CompleteRevocationRefs>
[s34]          <SigAndRefsTimeStamp>...</SigAndRefsTimeStamp>
[s35]          <CertificateValues>...</CertificateValues>
[s36]          <RevocationValues>...</RevocationValues>
[s37]        </UnsignedSignatureProperties>
[s38]      </UnsignedProperties>
[s39]    </QualifyingProperties>
[s40]  </ds:Object>
[s41]</ds:Signature>

[s01] Beginning of the XML signature. The namespace by default is the namespace defined in [XMLDSIG].

[s02]-[s13] The ds:SignedInfo element contains the information that is actually signed.

[s03] The ds:CanonicalizationMethod element indicates the algorithm used to get a canonical representation of the ds:SignedInfo element before it is signed.

[s04] The ds:SignatureMethod element indicates the algorithms used to sign ds:SignedInfo.

[s05] to [s16] ds:Reference elements contain the digest value and an indication of the digest algorithm for each data object that has to be (indirectly) signed. Each one also has a reference to the corresponding data object. These elements also have the Id attribute, which can be used to make individual references to each one of them.

[s05-s08] The first ds:Reference element. Its URI attribute references the data object that has to be signed. ds:DigestMethod indicates the digest algorithm (sha1 in this case) and ds:DigestValue contains the digest value encoded in base64.

[s09-s12] The second ds:Reference element. Its URI attribute points to the SignedProperties element that contains the whole set of signed properties. ds:DigestMethod indicates the digest algorithm (sha1 in this case) and ds:DigestValue contains the digest value encoded in base64. This means that the digest value of that SignedProperties element is included in ds:SignedInfo and is, in consequence, signed when this element is signed. The Type attribute indicates that this element is a reference to the SignedProperties element, as mandated in clause 4.3.1 SigningProperties.

[s14] ds:SignatureValue contains the computed digital signature of ds:SignedInfo in base64.

[s15] ds:KeyInfo contains cryptographic material to verify the signature.

[s16-s40] ds:Object contains three elements with the properties qualifying both the signature and the signed data object.

[s17-s39] QualifyingProperties contains the full set of qualifying properties, both signed (SignedProperties) and unsigned (UnsignedProperties). The namespace by default is changed for this element and its contents to the one defined as the default namespace in the schema definition given in the present document, so that the whole set of elements need not be qualified. Additionally, as elements already defined in [XMLDSIG] are used in the definitions, their namespace is also declared (prefix ds).

[s18-s28] SignedProperties contains the whole set of qualifying properties that are signed, grouped in two sequences. The first one (SignedSignatureProperties) contains all the signed properties that qualify the signature. The second one (SignedDataObjectProperties) contains all the signed properties that individually qualify each signed data object.

[s19-s23] SignedSignatureProperties contains all the signed properties that qualify the signature (SigningTime, SigningCertificate, SignaturePolicyIdentifier).

[s20] SigningTime contains the value of the signing instant, the time at which the signature was computed.

[s21] SigningCertificate contains, as stated above, a restricted set of references to certificates to be used in verifying the signature.

[s24-s27] SignedDataObjectProperties contains all the signed properties that individually qualify each signed data object (AllDataObjectsTimeStamp, DataObjectFormat).

[s25] DataObjectFormat identifies the format of the signed data object.

[s26] AllDataObjectsTimeStamp is a time-stamp issued for the signed data object.

[s29-s38] UnsignedProperties contains the whole set of qualifying properties that are NOT signed.

[s30-s37] UnsignedSignatureProperties contains the whole set of unsigned properties that qualify the signature.

[s31] SignatureTimeStamp contains a time-stamp for the signature itself.

[s32] CompleteCertificateRefs contains references to CA certificates in the certification path used to verify the signature.

[s33] CompleteRevocationRefs contains references to revocation information used to verify the signature.

[s34] SigAndRefsTimeStamp contains a time-stamp over the XAdES-C form of the electronic signature.

[s35] CertificateValues contains the values of the certificates referenced in CompleteCertificateRefs.

[s36] RevocationValues contains the revocation data used to validate the electronic signature.

NOTE: The tree shown in the example above does not explicitly show certain optional XML elements (like ds:Transforms). For a complete description of this tree see XML-Signature Core Syntax and Processing [XMLDSIG].

Below follows the example of indirect incorporation of all the unsigned properties. In this example, the signed properties are directly incorporated into the ds:Signature element as in the previous example. However, the unsigned properties are stored separately in another place. To incorporate these properties, use is made of the QualifyingPropertiesReference element, which points to the element containing them.

Below follows the contents of the XAdES itself.

[s01]<ds:Signature Id="SignatureWithSignedAndUnsignedProperties" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[s02]  <ds:SignedInfo>
[s03]    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000710"/>
[s04]    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
[s05]    <ds:Reference URI="http://www.example.org/docToBeSigned" Id="FirstSignedDocument">
[s06]      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
[s07]      <ds:DigestValue>h9kmx3rvDH75vKtNpi4NbeBGDnl=</ds:DigestValue>
[s08]    </ds:Reference>
[s09]    <ds:Reference URI="#SignedProperties"
        Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties">
[s10]      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
[s11]      <ds:DigestValue>...</ds:DigestValue>
[s12]    </ds:Reference>
[s13]  </ds:SignedInfo>
[s14]  <ds:SignatureValue>...</ds:SignatureValue>
[s15]  <ds:KeyInfo><ds:KeyValue>...</ds:KeyValue></ds:KeyInfo>
[s16]  <ds:Object xmlns="http://uri.etsi.org/01903/v1.1.1#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[s17]    <QualifyingProperties>
[s18]      <SignedProperties Target="#SignatureWithSignedAndUnsignedProperties" Id="SignedProperties">
[s19]        <SignedSignatureProperties>
[s20]          <SigningTime>2000-11-18T12:10:00Z</SigningTime>
[s21]          <SigningCertificate>...</SigningCertificate>
[s22]          <SignaturePolicyIdentifier>...</SignaturePolicyIdentifier>
[s23]        </SignedSignatureProperties>
[s24]        <SignedDataObjectProperties>
[s25]          <DataObjectFormat>...</DataObjectFormat>
[s26]          <AllDataObjectsTimeStamp>...</AllDataObjectsTimeStamp>
[s27]        </SignedDataObjectProperties>
[s28]      </SignedProperties>
[s28]      <QualifyingPropertiesReference>
[s29]        <Transforms>...</Transforms>
[s30]        <URI>http://www.ac.upc.es/ETSI-XML/Indirect-Incorporation/example1#QualifyingProperties</URI>
[s31]      </QualifyingPropertiesReference>
[s32]    </QualifyingProperties>
[s33]  </ds:Object>
[s34]</ds:Signature>

[s1-s27] These lines are the same as in the first example. They show how the signed properties are directly incorporated.

[s28-s32] These lines show how to indirectly incorporate the unsigned properties stored in another place, using the QualifyingPropertiesReference element.

[s29] The ds:Transforms element contains the whole set of transformations to compute on the file where the unsigned properties are stored.

[s30] The URI element contains the URI pointing to the QualifyingProperties element that contains the qualifying properties that are being indirectly incorporated. In this case, it points to the file found at http://www.ac.upc.es/ETSI-XML/Indirect-Incorporation/example1, which contains this element. This example ends by showing the part of the file found at http://www.ac.upc.es/ETSI-XML/Indirect-Incorporation/example1 that contains the QualifyingProperties element referenced in the QualifyingPropertiesReference.

<!-- This is the part of the file found in <http://www.ac.upc.es/ETSI-XML/Indirect-Incorporation/example1>
that contains the QualifyingProperties element containing the unsigned properties that are indirectly 
incorporated in the advanced electronic signature -->

[si]     <QualifyingProperties>
[si+1]      <UnsignedProperties > 
[si+2]        <UnsignedSignatureProperties>
[si+3]          <SignatureTimeStamp>...</SignatureTimeStamp>
[si+4]          <CompleteCertificateRefs>..</CompleteCertificateRefs>
[si+5]          <CompleteRevocationRefs>...</CompleteRevocationRefs>
[si+6]          <SigAndRefsTimeStamp>...</SigAndRefsTimeStamp >
[si+7]          <CertificateValues>...</CertificateValues>
[si+8]          <RevocationValues>...</RevocationValues>
[si+9]        </UnsignedSignatureProperties> 
[si+10]     </UnsignedProperties>
[si+11]  </QualifyingProperties>

<!-- Below would follow the rest of the file -->

In the example above the QualifyingProperties element is shown that is part of the file found at http://www.ac.upc.es/ETSI-XML/Indirect-Incorporation/example1 and that is pointed to by the URI element in the QualifyingPropertiesReference in the advanced electronic signature.
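As an added example (not part of this Note), the structural checks a verifier should run over a signature laid out like the two examples above before doing any cryptography: the signed properties must be covered by a ds:Reference of the mandated Type, that reference must resolve to the SignedProperties element, its Target must name the enclosing ds:Signature, and any QualifyingPropertiesReference URIs (indirectly incorporated properties) must be collected for fetching. The sample signature is constructed here from the appendix's examples with placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XADES = "{http://uri.etsi.org/01903/v1.1.1#}"
SIGNED_PROPS_TYPE = "http://uri.etsi.org/01903/v1.1.1#SignedProperties"

# Constructed sample following the appendix examples (signed properties direct,
# unsigned indirect); digest and signature values are placeholders, not real.
SAMPLE = """<ds:Signature Id="Sig1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000710"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <ds:Reference URI="http://www.example.org/docToBeSigned" Id="FirstSignedDocument">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#SignedProperties" Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:Object xmlns="http://uri.etsi.org/01903/v1.1.1#">
    <QualifyingProperties>
      <SignedProperties Target="#Sig1" Id="SignedProperties">
        <SignedSignatureProperties>
          <SigningTime>2000-11-18T12:10:00Z</SigningTime>
        </SignedSignatureProperties>
      </SignedProperties>
      <QualifyingPropertiesReference>
        <URI>http://www.ac.upc.es/ETSI-XML/Indirect-Incorporation/example1#QualifyingProperties</URI>
      </QualifyingPropertiesReference>
    </QualifyingProperties>
  </ds:Object>
</ds:Signature>"""

def _by_id(root, ident):
    # First element whose Id attribute equals ident (same-document URI target).
    return next((el for el in root.iter() if el.get("Id") == ident), None)

def check_qualifying_properties(xml_text):
    """Pre-crypto structural checks: SignedInfo carries a SignedProperties-typed ds:Reference
    that resolves to a SignedProperties element whose Target names this ds:Signature."""
    # Returns a list of problems; an empty list means the structure is sound.
    sig = ET.fromstring(xml_text)
    sig_id, problems = sig.get("Id"), []
    signed_info = sig.find(DS + "SignedInfo")
    refs = [r for r in (signed_info if signed_info is not None else [])
            if r.tag == DS + "Reference" and r.get("Type") == SIGNED_PROPS_TYPE]
    if not refs:
        problems.append("signed properties not covered: no ds:Reference of Type " + SIGNED_PROPS_TYPE)
    for ref in refs:
        uri = ref.get("URI", "")
        target = _by_id(sig, uri[1:]) if uri.startswith("#") else None
        if target is None or target.tag != XADES + "SignedProperties":
            problems.append("URI %r does not resolve to a same-document SignedProperties" % uri)
        elif target.get("Target") != "#%s" % sig_id:
            problems.append("SignedProperties/@Target %r does not name ds:Signature %r" % (target.get("Target"), sig_id))
    return problems

def indirect_property_uris(xml_text):
    """URIs of QualifyingPropertiesReference elements: property sets a verifier must fetch."""
    sig = ET.fromstring(xml_text)
    return [r.findtext(XADES + "URI", "").strip()
            for r in sig.iter(XADES + "QualifyingPropertiesReference")]
```

Only after these checks pass does it make sense to canonicalize and verify the digests in ds:SignedInfo and the ds:SignatureValue; a signature whose SignedProperties reference is missing or mis-targeted leaves SigningTime and SigningCertificate outside the signed data.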

11 Authors' Addresses

Juan Carlos Cruellas Ibarz

Universitat Politecnica de Catalunya (UPC)

Departament de Arquitectura de Computadors (DAC)

c/ Jordi Girona 1-3, Modul D6.103, Barcelona

Spain

Phone: +34 93 4016790

Email: mailto:cruellas@ac.upc.es

Gregor Karlinger

Institute for Applied Information Processing and Communications (IAIK)

Inffeldgasse 16a, 8010 Graz

Austria

Phone: +43 (316) 873 5541

Email: mailto:gregor.kerlinger@iaik.at

Denis Pinkas

Bull Services

Rue Jean Jaures BP 68

78340 Les Clayes sous Bois

France

Phone: +33 1 30 80 75 24

Email: mailto:Denis.Pinkas@bull.net

John Ross

Security and Standards

192 Moulsham Street Chelmsford Essex

England UK CM2 OLG

Phone: +44 1245 347 021

Email: mailto:ross@secstan.com