MOCES I E-Signatures for Long-Term Validation (packaging policy)

Policy ID and location

Policy ID: urn:signicat:packagingpolicy:ltv:mocesi:1.0:1.0

Name: Policy for Packaging of MOCESI E-Signatures for Long-Term Validation

URL: https://id.signicat.com/definitions/packagingpolicy/ltv-1.0/mocesi-1.0


Introduction

This packaging service policy defines requirements for packaging of employee digital signature (MOCESI) E-signatures for long-term validation in connection with the signature creation and initial verification.

About Packaging Policies

The purpose of a packaging policy is to specify requirements for the packaging process, and high-level requirements for the prior signature creation and verification process. 

The primary users of this policy will be e-signature users (relying parties). The policy will help e-signature users to better understand the information contained in a package, and on what basis it can be trusted and used.

The policy will also be useful for implementers of the packaging service.

Scope

This packaging policy defines requirements for packaging of MOCESI E-signatures for long-term validation in connection with the signature creation and initial verification.

The policy also sets some high level requirements for the creation and verification processes, and requires them to collect certain data that is needed by the packaging process. 

The policy does not set detailed requirements for the signature creation and verification processes, because those requirements are controlled by NemID.

Structure 

The normative parts of the policy are listed below.

  1. General process requirements defines high-level requirements for the overall packaging process.
  2. Signature creation requirements defines requirements for the creation of the packaged signature (the “native” signature).
  3. Signature verification requirements defines requirements for the verification of the native signature.
  4. Signature enrichment and hardening requirements defines requirements for the signature enrichment and hardening process.
  5. Package formatting requirements defines requirements for the format used for the package.
  6. Sealing requirements defines requirements for the TSP signature on the package (the seal).

 

Contents

  1.  Policy ID and location
  2.  Version
  3.  Introduction
  4.  General process requirements (normative)
  5.  Signature creation requirements (normative)
  6.  Signature verification requirements (normative)
  7.  Signature enrichment and hardening requirements (normative)
  8.  Package formatting requirements (normative)
  9.  Sealing requirements (normative)
  10.  Appendix A: Trust anchors used in validation of the native signature
  11.  Appendix B: Trust anchors used in validation of the seal

 

Terms and acronyms

TSP: Trusted Service Provider, the entity implementing this policy by packaging the signature.

Long-term validation: The concept of validating an e-signature a long time (months, sometimes years) after it was created.

Native signature: The e-signature that is to be packaged for long-term validation.

Original document: The document signed with the native signature.

Signature enrichment: The addition of extra information about the document, the signer, the context, or the signing and verification process.

Signature hardening: The addition of information that strengthens the non-repudiation of the signature.

Native signature qualifying properties: A common term for information that strengthens the native e-signature and makes it suitable for long-term validation.

Seal: The Trusted Service Provider's signature on the package.

POCES: OCES Personal Certificates.

MOCES: OCES Employee Certificates.

- MOCESI is the original Employee Digital Signature.

- MOCESII is the NemID Employee Certificate, which will eventually replace MOCESI.

 

References

XMLDSIG: XML Signature Syntax and Processing (Second Edition), http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/

XAdES: ETSI TS 101 903, “XML Advanced Electronic Signatures (XAdES)”

General process requirements (normative)

  1. Packaging of the native signature is done such that it provides support for long-term validation of the native signature. 
  2. Packaging is performed immediately following signature creation and initial verification.
  3. Packaging is done only if initial verification succeeds.
  4. Validation data used in the initial verification is included in the package.

Signature creation requirements (normative)

This section defines requirements for the creation of the packaged signature (the “native” signature).

  1. The signer's certificate must be of type MOCESI (not MOCESII or POCES).
  2. The original document can be in either plain text or PDF format.
  3. Signature creation is performed according to the NemID requirements and guidelines in force at signature creation time.
  4. Signing of PDF documents is done as follows:
    1. Before the NemID client is launched, the PDF is shown to the user.
    2. The PDF is then Base64-encoded and placed in the signproperties applet parameter under the property name attachedpdf.
    3. The signtext parameter is set to a text declaring that the user commits to the PDF they have just read. This text is shown to the signer in the NemID client.

Signature verification requirements (normative)

This section defines requirements for the verification of the native signature.

  1. Signature verification is done according to the NemID requirements and guidelines in force at signature verification time.
  2. The process always includes verification of the signature according to XMLDSig Core Validation [XMLDSIG].
  3. The process includes certificate validation of the signing certificate, including a revocation check. Trust anchors used in certificate validation are listed in Appendix A.

Signature enrichment and hardening requirements (normative)

This section defines requirements for the signature enrichment and hardening done as part of the packaging. 

Native Signature Qualifying Properties

The following information is included in the package as native signature qualifying properties:

  1. The revocation information that was used in the initial verification of the native signature.
  2. All certificates that were used in the initial verification, when not already included in the native signature.
  3. The signing time, as collected by the TSP from a trusted time source.

Signature creation context

The following information is collected from the signature creation context

Information about the client platform:

  1. Client OS and browser, as provided by the client browser.
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. List of important server software components with versions

Signature verification context

The following information is collected from the signature verification context:

Information about the client platform:

  1. Client OS and browser, as specified by the browser through the HTTP Header “User-Agent”
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. Version of the NemID API used (“OOAPI”)
  3. List of important server software components with versions

Signature external context

The following information is collected from the signature external context:

  1. The description of the external context as provided by the user of the packaging service.

Additional information

No additional information is collected.

Audit trail 

Audit trail entries are collected for important events, for the purpose of strengthening the non-repudiation of the signature and to support forensics. This could include events such as:

  1. “PDF shown to the signer”
  2. “Signature created”
  3. “Signature core validation succeeded”
  4. “Certificate path validation succeeded”
  5. “Revocation check succeeded” 

Package formatting requirements (normative)

Package formatting is the process of putting all information elements together in a package.

Format

The package must be formatted according to the following format specification:

Name: Long Time Validation extended Signed Data Object

Version: 1.X *)

Available at: https://id.signicat.com/definitions/xsd/LtvSdo-1.X *)

*) 'X' stands for the minor version number, which this policy does not fix. Replace it with the actual minor version in the URL.

Sealing requirements (normative)

This section contains requirements for the TSP signature on the package, also called the seal.

  1. The seal covers the complete package, such that all information in the package is protected by the signature.
  2. The seal is an XAdES signature.
  3. The seal is verified immediately following its creation.
  4. Seal verification is done according to XMLDSig Core Validation [XMLDSIG].
  5. Verification includes certificate validation of the signing certificate, including a revocation check. Trust anchors used in certificate validation are listed in Appendix B.
  6. All certificates and revocation values used in the initial verification of the seal are included in the XAdES structure.
  7. The seal does not include time-stamps.
  8. The package is signed according to an explicit signature policy, which is available together with this policy.
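Several of the sealing requirements above can be checked by inspection before any cryptographic validation is attempted. The following is an added example, not Signicat's code and not part of the LtvSdo format specification: it inspects a package with the Python standard library and reports whether the seal's ds:Reference covers the whole package via the enveloped-signature transform (requirement 1), whether xades:CertificateValues and xades:RevocationValues are embedded (requirement 6), whether any XAdES time-stamp property is present (requirement 7) and whether a xades:SignaturePolicyIdentifier is present (requirement 8). The ltv:Package wrapper element, its namespace and the sample package content are constructed for the example; the real wrapper is defined by the LtvSdo schema. The example does not perform XMLDSig core validation or certificate path validation (requirements 4 and 5); an XML signature library is still required for those.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
NS = {"ds": DS, "xades": XADES}

# Constructed sample. The ltv:Package wrapper and its namespace are assumptions;
# the real wrapper is defined by the LtvSdo schema referenced in the policy.
GOOD_PACKAGE = f"""<ltv:Package xmlns:ltv="urn:example:ltvsdo" xmlns:ds="{DS}" xmlns:xades="{XADES}">
  <ltv:NativeSignature>(native XMLDSig signature and its qualifying properties)</ltv:NativeSignature>
  <ds:Signature Id="Seal">
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
      </ds:Reference>
      <ds:Reference URI="#SealProps" Type="http://uri.etsi.org/01903#SignedProperties"/>
    </ds:SignedInfo>
    <ds:SignatureValue>(base64)</ds:SignatureValue>
    <ds:Object>
      <xades:QualifyingProperties Target="#Seal">
        <xades:SignedProperties Id="SealProps">
          <xades:SignedSignatureProperties>
            <xades:SignaturePolicyIdentifier><xades:SignaturePolicyId/></xades:SignaturePolicyIdentifier>
          </xades:SignedSignatureProperties>
        </xades:SignedProperties>
        <xades:UnsignedProperties>
          <xades:UnsignedSignatureProperties>
            <xades:CertificateValues/>
            <xades:RevocationValues/>
          </xades:UnsignedSignatureProperties>
        </xades:UnsignedProperties>
      </xades:QualifyingProperties>
    </ds:Object>
  </ds:Signature>
</ltv:Package>"""

# The same package with two defects: the seal only references a fragment, so the
# native signature outside it is unprotected, and a SignatureTimeStamp was added.
BAD_PACKAGE = GOOD_PACKAGE.replace('<ds:Reference URI="">', '<ds:Reference URI="#SealProps">').replace(
    "<xades:RevocationValues/>", "<xades:RevocationValues/><xades:SignatureTimeStamp/>")


def check_seal(package_xml):
    """Map each inspectable sealing requirement to True/False for the first ds:Signature found."""
    root = ET.fromstring(package_xml)
    sig = root.find(".//ds:Signature", NS)
    if sig is None:
        return {"seal_present": False}
    # Req. 1: URI="" together with the enveloped-signature transform means "the whole
    # document except the signature itself"; a fragment URI covers only that fragment.
    covers_all = any(
        ref.get("URI") == "" and any(t.get("Algorithm") == ENVELOPED
                                     for t in ref.findall("ds:Transforms/ds:Transform", NS))
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS))
    qp = sig.find("ds:Object/xades:QualifyingProperties", NS)

    def has(path):
        return qp is not None and qp.find(path, NS) is not None

    unsigned = "xades:UnsignedProperties/xades:UnsignedSignatureProperties/"
    signed = "xades:SignedProperties/xades:SignedSignatureProperties/"
    # Req. 7: any XAdES element whose local name ends in TimeStamp (SignatureTimeStamp,
    # SigAndRefsTimeStamp, ArchiveTimeStamp, ...) violates "no time-stamps".
    timestamps = [] if qp is None else [
        e for e in qp.iter() if e.tag.startswith("{" + XADES + "}") and e.tag.endswith("TimeStamp")]
    return {
        "seal_present": True,
        "covers_complete_package": covers_all,                                  # req. 1
        "has_certificate_values": has(unsigned + "xades:CertificateValues"),    # req. 6
        "has_revocation_values": has(unsigned + "xades:RevocationValues"),      # req. 6
        "no_timestamps": not timestamps,                                        # req. 7
        "has_signature_policy": has(signed + "xades:SignaturePolicyIdentifier"),  # req. 8
    }


def conforms(package_xml):
    """True only when every inspectable requirement holds."""
    return all(check_seal(package_xml).values())


if __name__ == "__main__":
    for name, pkg in (("good", GOOD_PACKAGE), ("bad", BAD_PACKAGE)):
        print(name, conforms(pkg), check_seal(pkg))
```

Run as a script it prints the per-requirement result for the conforming sample and for the defective one. Requirement 7 deserves attention when reading the result: with no time-stamp in the seal, nothing in the package independently proves when the seal was made, so the time of sealing rests on the TSP's own trusted time source and the embedded revocation values. A relying party that needs third-party proof of time has to obtain it outside this package.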

 

 

Appendix A: Trust anchors used in validation of the native signature

The following certificate is used as trust anchor in Certificate Path Validation and OCSP Response validation when validating the native signature. 

TDC OCES CA

-----BEGIN CERTIFICATE-----
MIIFGTCCBAGgAwIBAgIEPki9xDANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJE
SzEMMAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQTAeFw0wMzAyMTEw
ODM5MzBaFw0zNzAyMTEwOTA5MzBaMDExCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNU
REMxFDASBgNVBAMTC1REQyBPQ0VTIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEArGL2YSCyz8DGhdfjeebM7fI5kqSXLmSjhFuHnEz9pPPEXyG9VhDr
2y5h7JNp46PMvZnDBfwGuMo2HP6QjklMxFaaL1a8z3sM8W9Hpg1DTeLpHTk0zY0s
2RKY+ePhwUp8hjjEqcRhiNJerxomTdXkoCJHhNlktxmW/OwZ5LKXJk5KTMuPJItU
GBxIYXvViGjaXbXqzRowwYCDdlCqT9HU3Tjw7xb04QxQBr/q+3pJoSgrHPb8FTKj
dGqPqcNiKXEx5TukYBdedObaE+3pHx8b0bJoc8YQNHVGEBDjkAB2QMuLt0MJIf+r
TpPGWOmlgtt3xDqZsXKVSQTwtyv6e1mO3QIDAQABo4ICNzCCAjMwDwYDVR0TAQH/
BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgewGA1UdIASB5DCB4TCB3gYIKoFQgSkB
AQEwgdEwLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuY2VydGlmaWthdC5kay9yZXBv
c2l0b3J5MIGdBggrBgEFBQcCAjCBkDAKFgNUREMwAwIBARqBgUNlcnRpZmlrYXRl
ciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMi4yMDguMTY5LjEu
MS4xLiBDZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIg
T0lEIDEuMi4yMDguMTY5LjEuMS4xLjARBglghkgBhvhCAQEEBAMCAAcwgYEGA1Ud
HwR6MHgwSKBGoESkQjBAMQswCQYDVQQGEwJESzEMMAoGA1UEChMDVERDMRQwEgYD
VQQDEwtUREMgT0NFUyBDQTENMAsGA1UEAxMEQ1JMMTAsoCqgKIYmaHR0cDovL2Ny
bC5vY2VzLmNlcnRpZmlrYXQuZGsvb2Nlcy5jcmwwKwYDVR0QBCQwIoAPMjAwMzAy
MTEwODM5MzBagQ8yMDM3MDIxMTA5MDkzMFowHwYDVR0jBBgwFoAUYLWF7FZkfhIZ
J2cdUBVLc647+RIwHQYDVR0OBBYEFGC1hexWZH4SGSdnHVAVS3OuO/kSMB0GCSqG
SIb2fQdBAAQQMA4bCFY2LjA6NC4wAwIEkDANBgkqhkiG9w0BAQUFAAOCAQEACrom
JkbTc6gJ82sLMJn9iuFXehHTuJTXCRBuo7E4A9G28kNBKWKnctj7fAXmMXAnVBhO
inxO5dHKjHiIzxvTkIvmI/gLDjNDfZziChmPyQE+dF10yYscA+UYyAFMP8uXBV2Y
caaYb7Z8vTd/vuGTJW1v8AqtFxjhA7wHKcitJuj4YfD9IQl+mo6paH1IYnK9AOoB
mbgGglGBTvH1tJFUuSN6AJqfXY3gPGS5GhKSKseCRHI53OI8xthV9RVOyAUO28bQ
YqbsFbS1AoLbrIyigfCbmTH1ICCoiGEKB5+U/NDXG8wuF/MEJ3Zn61SD/aSQfgY9
BKNDLdr8C2LqL19iUw==
-----END CERTIFICATE-----

 

Appendix B: Trust anchors used in validation of the seal

The following certificates are used as trust anchor in Certificate Path Validation and OCSP Response validation when validating the seal (the TSP signature).

Buypass Class 3 CA 1

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE1MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQABZ6OMySU9E2NdFm/soT4JXJEVKirZgCFP
Bdy7pYmrEzMqnji3jG8CcmPHc3ceCQa6Oyh7pEfJYWsICCD8igWKH7y6xsL+z27s
EzNxZy5p+qksP2bAEllNC1QCkoS72xLvg3BweMhT+t/Gxv/ciC8HwEmdMldg0/L2
mSlf56oBzKwzqBwKu5HEA6BvtjT5htOzdlSY9EqBs1OdTUDs5XcTRa9bqh/YL0yC
e/4qxFi7T/ye/QNlGioOw6UgFpRreaaiErS7GqQjel/wroQk5PMr+4okoyeYZdow
dXb8GZHo2+ubPzK/QJcHJrrM85SFSnonk8+QQtS4Wxam58tAA915
-----END CERTIFICATE-----

 

Buypass Class 3 CA 1 - extended life-time

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE2MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCFpYJ6LryjhPCuxwMa6pdG+o9tLL1AgTUU
WzJzPlbXKRJPkT60DiLptFhhcqu0/hEDz5hAkWXU6gydQlk3lZQodNLWj9Db+WyY
casAxUSacqSuR/RT7G+myQEJ4Bl+4cBFjTY6McWCNifctCsJMhlNm3puHNytqwRy
T2DoICHrURrzfaqnZ0hkNnf26Yhs0BDjWE/R+5SbzqmEVlLGVfZW8QzQMRNEnPkH
Mg3Ah6doPqjO+1+UAJgeI+dC9epf+iQgGlBdzw3NLYtqbs3fsHu2/40bbOum0qfI
Q8MLRyH/421x8g3MeJ7SAUQ8+fU5RzbkZUfnpGLIcH82viL3C9Pg
-----END CERTIFICATE-----

 

Buypass Class 3 Root CA

-----BEGIN CERTIFICATE-----
MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y
ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E
N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9
tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX
0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c
/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X
KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY
zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS
O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D
34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP
K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3
AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv
Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj
QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV
cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS
IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2
HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa
O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv
033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u
dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE
kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41
3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD
u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
-----END CERTIFICATE-----
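Appendix B lists two certificates named Buypass Class 3 CA 1, the original and an "extended life-time" re-issue, and the same two anchors reappear unchanged in Appendix B of the MOCES II policy below. Before loading them into a validator it is worth confirming what they are. The following added example (not Signicat's code) parses both PEM blocks using only the Python standard library, far enough to show subject, serial number, validity period, signature algorithm and whether the two carry the same public key; it also tolerates the double-spaced PEM layout of this page. It is not a path validator: signature, extension and OCSP/CRL checks still need a real X.509 library. Both certificates are copied verbatim from Appendix B above.

```python
import base64

# Both anchors copied from Appendix B; pem_to_der tolerates double-spaced PEM with trailing blanks.
BUYPASS_CLASS3_CA1 = """-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE1MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQABZ6OMySU9E2NdFm/soT4JXJEVKirZgCFP
Bdy7pYmrEzMqnji3jG8CcmPHc3ceCQa6Oyh7pEfJYWsICCD8igWKH7y6xsL+z27s
EzNxZy5p+qksP2bAEllNC1QCkoS72xLvg3BweMhT+t/Gxv/ciC8HwEmdMldg0/L2
mSlf56oBzKwzqBwKu5HEA6BvtjT5htOzdlSY9EqBs1OdTUDs5XcTRa9bqh/YL0yC
e/4qxFi7T/ye/QNlGioOw6UgFpRreaaiErS7GqQjel/wroQk5PMr+4okoyeYZdow
dXb8GZHo2+ubPzK/QJcHJrrM85SFSnonk8+QQtS4Wxam58tAA915
-----END CERTIFICATE-----"""

BUYPASS_CLASS3_CA1_EXTENDED = """-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE2MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCFpYJ6LryjhPCuxwMa6pdG+o9tLL1AgTUU
WzJzPlbXKRJPkT60DiLptFhhcqu0/hEDz5hAkWXU6gydQlk3lZQodNLWj9Db+WyY
casAxUSacqSuR/RT7G+myQEJ4Bl+4cBFjTY6McWCNifctCsJMhlNm3puHNytqwRy
T2DoICHrURrzfaqnZ0hkNnf26Yhs0BDjWE/R+5SbzqmEVlLGVfZW8QzQMRNEnPkH
Mg3Ah6doPqjO+1+UAJgeI+dC9epf+iQgGlBdzw3NLYtqbs3fsHu2/40bbOum0qfI
Q8MLRyH/421x8g3MeJ7SAUQ8+fU5RzbkZUfnpGLIcH82viL3C9Pg
-----END CERTIFICATE-----"""

X500_ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
SIG_ALG = {b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05": "sha1WithRSAEncryption",
           b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b": "sha256WithRSAEncryption"}

def pem_to_der(pem):
    """Strip PEM armour and stray whitespace (blank lines, trailing spaces), then decode strictly."""
    body = "".join(line.strip() for line in pem.splitlines() if "-----" not in line)
    return base64.b64decode(body, validate=True)

def tlv(buf, off):
    """Decode one DER TLV at buf[off] -> (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def children(buf, start, end):
    """Decode the consecutive TLVs that fill buf[start:end]."""
    out, off = [], start
    while off < end:
        out.append(tlv(buf, off))
        off = out[-1][2]
    return out

def name_to_str(buf, start, end):
    """X.501 Name = SEQUENCE OF (SET OF SEQUENCE {OID, value}) -> 'C=..,O=..,CN=..'."""
    parts = []
    for _, rdn_s, rdn_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = children(buf, atv_s, atv_e)
            attr = X500_ATTR.get(buf[oid_s:oid_e], buf[oid_s:oid_e].hex())
            parts.append(f"{attr}={buf[val_s:val_e].decode('utf-8')}")
    return ",".join(parts)

def utctime_to_iso(raw):
    """RFC 5280 UTCTime 'YYMMDDHHMMSSZ' -> ISO 8601 (YY >= 50 means 19YY)."""
    cc = "19" if int(raw[:2]) >= 50 else "20"
    return f"{cc}{raw[:2]}-{raw[2:4]}-{raw[4:6]}T{raw[6:8]}:{raw[8:10]}:{raw[10:12]}Z"

def parse_cert(pem):
    """Identifying fields of an X.509 v3 certificate; no signature or extension checks."""
    der = pem_to_der(pem)
    _, cert_s, cert_e = tlv(der, 0)
    tbs, sig_alg, _signature = children(der, cert_s, cert_e)
    fields = children(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:               # skip the [0] EXPLICIT version present in v3 certificates
        fields = fields[1:]
    serial, _, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = children(der, validity[1], validity[2])
    alg_oid = children(der, sig_alg[1], sig_alg[2])[0]
    return {
        "serial": int.from_bytes(der[serial[1]:serial[2]], "big"),
        "issuer": name_to_str(der, issuer[1], issuer[2]),
        "subject": name_to_str(der, subject[1], subject[2]),
        "not_before": utctime_to_iso(der[not_before[1]:not_before[2]].decode("ascii")),
        "not_after": utctime_to_iso(der[not_after[1]:not_after[2]].decode("ascii")),
        "signature_algorithm": SIG_ALG.get(der[alg_oid[1]:alg_oid[2]], "unknown"),
        "self_issued": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]],
        "spki": der[spki[1]:spki[2]],      # SubjectPublicKeyInfo: identical bytes => same key pair
    }

def valid_at(cert, when_iso):
    """Is the anchor inside its validity window at the given ISO 8601 UTC instant?"""
    return cert["not_before"] <= when_iso <= cert["not_after"]
```

Parsing shows that the two anchors are one key pair (identical SubjectPublicKeyInfo and subject) re-certified under serial 3 with sha256WithRSAEncryption and a notAfter of 2016-05-09 instead of 2015-05-09. For long-term validation this matters: a seal chain built to this key validates against either certificate, but a validator that evaluates the anchor's validity period at the current time will now reject both, so the validation time must be taken from the package rather than from the clock.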

MOCES II E-Signatures for Long-Term Validation (packaging policy)

Policy ID and location

Policy ID: urn:signicat:packagingpolicy:ltv:mocesii:1.0:1.0

Name: Policy for Packaging of MOCESII E-Signatures for Long-Term Validation

URL: https://id.signicat.com/definitions/packagingpolicy/ltv-1.0/mocesii-1.0

Introduction

This packaging service policy defines requirements for packaging of NemID employee certificate (MOCESII) E-signatures for long-term validation in connection with the signature creation and initial verification.

About Packaging Policies

The purpose of a packaging policy is to specify requirements for the packaging process, and high-level requirements for the prior signature creation and verification process. 

The primary users of this policy will be e-signature users (relying parties). The policy will help e-signature users to better understand the information contained in a package, and on what basis it can be trusted and used.

The policy will also be useful for implementers of the packaging service.

Scope

This packaging policy defines requirements for packaging of MOCESII E-signatures for long-term validation in connection with the signature creation and initial verification.

The policy also sets some high level requirements for the creation and verification processes, and requires them to collect certain data that is needed by the packaging process. 

The policy does not set detailed requirements for the signature creation and verification processes, because those requirements are controlled by NemID.

Structure 

The normative parts of the policy are listed below.

  1. General process requirements defines high-level requirements for the overall packaging process.
  2. Signature creation requirements defines requirements for the creation of the packaged signature (the “native” signature).
  3. Signature verification requirements defines requirements for the verification of the native signature.
  4. Signature enrichment and hardening requirements defines requirements for the signature enrichment and hardening process.
  5. Package formatting requirements defines requirements for the format used for the package.
  6. Sealing requirements defines requirements for the TSP signature on the package (the seal).

 

Contents

  1.  Policy ID and location
  2.  Version
  3.  Introduction
  4.  General process requirements (normative)
  5.  Signature creation requirements (normative)
  6.  Signature verification requirements (normative)
  7.  Signature enrichment and hardening requirements (normative)
  8.  Package formatting requirements (normative)
  9.  Sealing requirements (normative)
  10.  Appendix A: Trust anchors used in validation of the native signature
  11.  Appendix B: Trust anchors used in validation of the seal

Terms and acronyms

TSP: Trusted Service Provider, the entity implementing this policy by packaging the signature.

Long-term validation: The concept of validating an e-signature a long time (months, sometimes years) after it was created.

Native signature: The e-signature that is to be packaged for long-term validation.

Original document: The document signed with the native signature.

Signature enrichment: The addition of extra information about the document, the signer, the context, or the signing and verification process.

Signature hardening: The addition of information that strengthens the non-repudiation of the signature.

Native signature qualifying properties: A common term for information that strengthens the native e-signature and makes it suitable for long-term validation.

Seal: The Trusted Service Provider's signature on the package.

POCES: OCES Personal Certificates.

MOCES: OCES Employee Certificates.

- MOCESI is the original Employee Digital Signature.

- MOCESII is the NemID Employee Certificate, which will eventually replace MOCESI.

 

References

XMLDSIG: XML Signature Syntax and Processing (Second Edition), http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/

XAdES: ETSI TS 101 903, “XML Advanced Electronic Signatures (XAdES)”

General process requirements (normative)

  1. Packaging of the native signature is done such that it provides support for long-term validation of the native signature. 
  2. Packaging is performed immediately following signature creation and initial verification.
  3. Packaging is done only if initial verification succeeds.
  4. Validation data used in the initial verification is included in the package.

Signature creation requirements (normative)

This section defines requirements for the creation of the packaged signature (the “native” signature).

  1. The signer's certificate must be of type MOCESII (not MOCESI or POCES).
  2. The original document can be in either plain text or PDF format.
  3. Signature creation is performed according to the NemID requirements and guidelines in force at signature creation time.
  4. Signing of PDF documents is done as follows:
    1. Before the NemID client is launched, the PDF is shown to the user.
    2. The PDF is then Base64-encoded and placed in the signproperties applet parameter under the property name attachedpdf.
    3. The signtext parameter is set to a text declaring that the user commits to the PDF they have just read. This text is shown to the signer in the NemID client.

Signature verification requirements (normative)

This section defines requirements for the verification of the native signature.

  1. Signature verification is done according to the NemID requirements and guidelines in force at signature verification time.
  2. The process always includes verification of the signature according to XMLDSig Core Validation [XMLDSIG].
  3. The process includes certificate validation of the signing certificate, including a revocation check. Trust anchors used in certificate validation are listed in Appendix A.

Signature enrichment and hardening requirements (normative)

This section defines requirements for the signature enrichment and hardening done as part of the packaging. 

Native Signature Qualifying Properties

The following information is included in the package as native signature qualifying properties:

  1. The revocation information that was used in the initial verification of the native signature.
  2. All certificates that were used in the initial verification, when not already included in the native signature.
  3. The signing time, as collected by the TSP from a trusted time source.

Signature creation context

The following information is collected from the signature creation context

Information about the client platform:

  1. Client OS and browser, as provided by the client browser.
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. List of important server software components with versions

Signature verification context

The following information is collected from the signature verification context:

Information about the client platform:

  1. Client OS and browser, as specified by the browser through the HTTP Header “User-Agent”
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. Version of the NemID API used (“OOAPI”)
  3. List of important server software components with versions

Signature external context

The following information is collected from the signature external context:

  1. The description of the external context as provided by the user of the packaging service.

Additional information

No additional information is collected.

Audit trail 

Audit trail entries are collected for important events, for the purpose of strengthening the non-repudiation of the signature and to support forensics. This could include events such as:

  1. “PDF shown to the signer”
  2. “Signature created”
  3. “Signature core validation succeeded”
  4. “Certificate path validation succeeded”
  5. “Revocation check succeeded” 

Package formatting requirements (normative)

Package formatting is the process of putting all information elements together in a package.

Format

The package must be formatted according to the following format specification:

Name: Long Time Validation extended Signed Data Object

Version: 1.X *)

Available at: https://id.signicat.com/definitions/xsd/LtvSdo-1.X *)

*) 'X' stands for the minor version number, which this policy does not fix. Replace it with the actual minor version in the URL.

Sealing requirements (normative)

This section contains requirements for the TSP signature on the package, also called the seal.

  1. The seal covers the complete package, such that all information in the package is protected by the signature.
  2. The seal is an XAdES signature.
  3. The seal is verified immediately following its creation.
  4. Seal verification is done according to XMLDSig Core Validation [XMLDSIG].
  5. Verification includes certificate validation of the signing certificate, including a revocation check. Trust anchors used in certificate validation are listed in Appendix B.
  6. All certificates and revocation values used in the initial verification of the seal are included in the XAdES structure.
  7. The seal does not include time-stamps.
  8. The package is signed according to an explicit signature policy, which is available together with this policy.

 

 

Appendix A: Trust anchors used in validation of the native signature

The following certificate is used as trust anchor in Certificate Path Validation and OCSP Response validation when validating the native signature. 

TRUST2408 OCES Primary CA

-----BEGIN CERTIFICATE-----
MIIGHDCCBASgAwIBAgIES45gAzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJE
SzESMBAGA1UEChMJVFJVU1QyNDA4MSIwIAYDVQQDExlUUlVTVDI0MDggT0NFUyBQ
cmltYXJ5IENBMB4XDTEwMDMwMzEyNDEzNFoXDTM3MTIwMzEzMTEzNFowRTELMAkG
A1UEBhMCREsxEjAQBgNVBAoTCVRSVVNUMjQwODEiMCAGA1UEAxMZVFJVU1QyNDA4
IE9DRVMgUHJpbWFyeSBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
AJlJodr3U1Fa+v8HnyACHV81/wLevLS0KUk58VIABl6Wfs3LLNoj5soVAZv4LBi5
gs7E8CZ9w0F2CopW8vzM8i5HLKE4eedPdnaFqHiBZ0q5aaaQArW+qKJx1rT/AaXt
alMB63/yvJcYlXS2lpexk5H/zDBUXeEQyvfmK+slAySWT6wKxIPDwVapauFY9QaG
+VBhCa5jBstWS7A5gQfEvYqn6csZ3jW472kW6OFNz6ftBcTwufomGJBMkonf4ZLr
6t0AdRi9jflBPz3MNNRGxyjIuAmFqGocYFA/OODBRjvSHB2DygqQ8k+9tlpvzMRr
kU7jq3RKL+83G1dJ3/LTjCLz4ryEMIC/OJ/gNZfE0qXddpPtzflIPtUFVffXdbFV
1t6XZFhJ+wBHQCpJobq/BjqLWUA86upsDbfwnePtmIPRCemeXkY0qabC+2Qmd2Fe
xyZphwTyMnbqy6FG1tB65dYf3mOqStmLa3RcHn9+2dwNfUkh0tjO2FXD7drWcU0O
I9DW8oAypiPhm/QCjMU6j6t+0pzqJ/S0tdAo+BeiXK5hwk6aR+sRb608QfBbRAs3
U/q8jSPByenggac2BtTN6cl+AA1Mfcgl8iXWNFVGegzd/VS9vINClJCe3FNVoUnR
YCKkj+x0fqxvBLopOkJkmuZw/yhgMxljUi2qYYGn90OzAgMBAAGjggESMIIBDjAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjARBgNVHSAECjAIMAYGBFUd
IAAwgZcGA1UdHwSBjzCBjDAsoCqgKIYmaHR0cDovL2NybC5vY2VzLnRydXN0MjQw
OC5jb20vb2Nlcy5jcmwwXKBaoFikVjBUMQswCQYDVQQGEwJESzESMBAGA1UEChMJ
VFJVU1QyNDA4MSIwIAYDVQQDExlUUlVTVDI0MDggT0NFUyBQcmltYXJ5IENBMQ0w
CwYDVQQDEwRDUkwxMB8GA1UdIwQYMBaAFPZt+LFIs0FDAduGROUYBbdezAY3MB0G
A1UdDgQWBBT2bfixSLNBQwHbhkTlGAW3XswGNzANBgkqhkiG9w0BAQsFAAOCAgEA
VPAQGrT7dIjD3/sIbQW86f9CBPu0c7JKN6oUoRUtKqgJ2KCdcB5ANhCoyznHpu3m
/dUfVUI5hc31CaPgZyY37hch1q4/c9INcELGZVE/FWfehkH+acpdNr7j8UoRZlkN
15b/0UUBfGeiiJG/ugo4llfoPrp8bUmXEGggK3wyqIPcJatPtHwlb6ympfC2b/Ld
v/0IdIOzIOm+A89Q0utx+1cOBq72OHy8gpGb6MfncVFMoL2fjP652Ypgtr8qN9Ka
/XOazktiIf+2Pzp7hLi92hRc9QMYexrV/nnFSQoWdU8TqULFUoZ3zTEC3F/g2yj+
FhbrgXHGo5/A4O74X+lpbY2XV47aSuw+DzcPt/EhMj2of7SA55WSgbjPMbmNX0rb
oenSIte2HRFW5Tr2W+qqkc/StixgkKdyzGLoFx/xeTWdJkZKwyjqge2wJqws2upY
EiThhC497+/mTiSuXd69eVUwKyqYp9SD2rTtNmF6TCghRM/dNsJOl+osxDVGcwvt
WIVFF/Onlu5fu1NHXdqNEfzldKDUvCfii3L2iATTZyHwU9CALE+2eIA+PIaLgnM1
1oCfUnYBkQurTrihvzz9PryCVkLxiqRmBVvUz+D4N5G/wvvKDS6t6cPCS+hqM482
cbBsn0R9fFLO4El62S9eH1tqOzO20OAOK65yJIsOpSE=
-----END CERTIFICATE-----

 

Appendix B: Trust anchors used in validation of the seal

The following certificates are used as trust anchor in Certificate Path Validation and OCSP Response validation when validating the seal (the TSP signature).

Buypass Class 3 CA 1

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE1MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQABZ6OMySU9E2NdFm/soT4JXJEVKirZgCFP
Bdy7pYmrEzMqnji3jG8CcmPHc3ceCQa6Oyh7pEfJYWsICCD8igWKH7y6xsL+z27s
EzNxZy5p+qksP2bAEllNC1QCkoS72xLvg3BweMhT+t/Gxv/ciC8HwEmdMldg0/L2
mSlf56oBzKwzqBwKu5HEA6BvtjT5htOzdlSY9EqBs1OdTUDs5XcTRa9bqh/YL0yC
e/4qxFi7T/ye/QNlGioOw6UgFpRreaaiErS7GqQjel/wroQk5PMr+4okoyeYZdow
dXb8GZHo2+ubPzK/QJcHJrrM85SFSnonk8+QQtS4Wxam58tAA915
-----END CERTIFICATE-----

 

Buypass Class 3 CA 1 - extended life-time

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE2MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCFpYJ6LryjhPCuxwMa6pdG+o9tLL1AgTUU
WzJzPlbXKRJPkT60DiLptFhhcqu0/hEDz5hAkWXU6gydQlk3lZQodNLWj9Db+WyY
casAxUSacqSuR/RT7G+myQEJ4Bl+4cBFjTY6McWCNifctCsJMhlNm3puHNytqwRy
T2DoICHrURrzfaqnZ0hkNnf26Yhs0BDjWE/R+5SbzqmEVlLGVfZW8QzQMRNEnPkH
Mg3Ah6doPqjO+1+UAJgeI+dC9epf+iQgGlBdzw3NLYtqbs3fsHu2/40bbOum0qfI
Q8MLRyH/421x8g3MeJ7SAUQ8+fU5RzbkZUfnpGLIcH82viL3C9Pg
-----END CERTIFICATE-----

 

Buypass Class 3 Root CA

-----BEGIN CERTIFICATE-----
MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y
ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E
N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9
tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX
0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c
/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X
KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY
zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS
O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D
34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP
K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3
AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv
Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj
QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV
cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS
IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2
HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa
O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv
033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u
dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE
kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41
3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD
u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
-----END CERTIFICATE-----

 

 NemID E-Signatures for Long-Term Validation (packaging policy)

Policy ID and location

Policy ID

urn:signicat:packagingpolicy:ltv:nemid:1.0:1.0

Name

Policy for Packaging of NemID E-Signatures for Long-Term Validation 

URL

https://id.signicat.com/definitions/packagingpolicy/ltv-1.0/nemid-1.0

Introduction

This packaging service policy defines requirements for packaging of NemID E-signatures for long-term validation in connection with the signature creation and initial verification. It includes a requirement for collecting and packaging the signer's CPR number.

About Packaging Policies

The purpose of a packaging policy is to specify requirements for the packaging process, and high-level requirements for the prior signature creation and verification process. 

The primary users of this policy will be e-signature users (relying parties). The policy will help e-signature users to better understand the information contained in a package, and on what basis it can be trusted and used.

The policy will also be useful for implementers of the packaging service.

Scope

This packaging policy defines requirements for packaging of NemID E-signatures for long-term validation in connection with the signature creation and initial verification.

The policy also sets some high level requirements for the creation and verification processes, and requires them to collect certain data that is needed by the packaging process. 

The policy does not set detailed requirements for the signature creation and verification processes, because those requirements are controlled by NemID.

Structure 

The normative parts of the policy are listed below.

  1. General process requirements defines high-level requirements for the overall packaging process.
  2. Signature creation requirements defines requirements for the creation of the packaged signature (the “native” signature).
  3. Signature verification requirements defines requirements for the verification of the native signature.
  4. Signature enrichment and hardening requirements defines requirements for the signature enrichment and hardening process.
  5. Package formatting requirements defines requirements for the format used for the package.
  6. Sealing requirements defines requirements for the TSP signature on the package.

 

Contents

  1. Policy ID and location
  2. Version
  3. Introduction
  4. General process requirements (normative)
  5. Signature creation requirements (normative)
  6. Signature verification requirements (normative)
  7. Signature enrichment and hardening requirements (normative)
  8. Package formatting requirements (normative)
  9. Sealing requirements (normative)
  10. Appendix A: Trust anchors used in validation of the native signature
  11. Appendix B: Trust anchors used in validation of the seal

 

Terms and acronyms

Term: Explanation

TSP: Trusted Service Provider, the entity implementing this policy by packaging the signature.

Long-term validation: The concept of validating an e-signature a long time (months, and sometimes years) after it was created.

Native signature: The e-signature that is to be packaged for long-term validation.

Original document: The document signed with the native signature.

Signature enrichment: The addition of extra information about the document, the signer, the context, or the signing and verification process.

Signature hardening: The addition of information that strengthens the non-repudiation of the signature.

Native signature qualifying properties: A common term for information that strengthens the native e-signature and makes it suitable for long-term validation.

Seal: The Trusted Service Provider's signature on the package, commonly referred to as the Seal.

POCES: OCES Personal Certificates

MOCES: OCES Employee Certificates

 

References

Short name: Resource

XMLDSIG: http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/

XAdES: ETSI TS 101 903: “XML Advanced Electronic Signatures (XAdES)”

General process requirements (normative)

  1. Packaging of the native signature is done such that it provides support for long-term validation of the native signature. 
  2. Packaging is performed immediately following signature creation and initial verification.
  3. Packaging is done only if initial verification succeeds.
  4. Validation data used in the initial verification is included in the package.

Signature creation requirements (normative)

This section defines requirements for the creation of the packaged signature (the “native” signature).

  1. The signer's certificate must be of type POCES (not MOCES).
  2. The original document can be in either plain text format or PDF format.
  3. Signature creation is performed according to the NemID requirements and guidelines at signature creation time.
  4. Signing of PDF documents is done as follows:
    1. Before the NemID client is launched, the PDF is shown to the user.
    2. The PDF is then Base64-encoded and put into the signproperties applet parameter with property name attachedpdf.
    3. The signtext parameter is set to a text which declares that the user commits to the PDF they have just read. This text is shown to the signer in the NemID client.

Signature verification requirements (normative)

This section defines requirements for the verification of the native signature.

  1. Signature verification is done according to current NemID requirements and guidelines at signature verification time.
  2. The process will always include verification of the signature according to XMLDSig Core Validation [XMLDSIG].
  3. The process will include certificate validation of the signing certificate, including revocation check. Trust anchors used in certificate validation are listed in Appendix A.

Signature enrichment and hardening requirements (normative)

This section defines requirements for the signature enrichment and hardening done as part of the packaging. 

Native Signature Qualifying Properties

The following information is included in the package as native signature qualifying properties:

  1. The revocation information that was used in the initial verification of the native signature.
  2. All certificates that were used in the initial verification, when not already included in the native signature.
  3. The signing time, as collected by the TSP from a trusted time source.

Signature creation context

The following information is collected from the signature creation context:

Information about the client platform:

  1. Client OS and browser, as provided by the client browser.
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. List of important server software components with versions

Signature verification context

The following information is collected from the signature verification context:

Information about the client platform:

  1. Client OS and browser, as specified by the browser through the HTTP Header “User-Agent”
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. Version of the NemID API used (“OOAPI”)
  3. List of important server software components with versions

Signature external context

The following information is collected from the signature external context:

  1. The description of the external context as provided by the user of the packaging service.

Additional information

The following additional information elements are collected:

  1. The signer's CPR number, either collected directly from the PID-CPR service, or first collected from the user and then verified against the PID-CPR service.

Audit trail 

Audit trail entries are collected for important events, for the purpose of strengthening the non-repudiation of the signature and to support forensics. Examples of such events:

  1. “PDF shown to the signer”
  2. “Signature created”
  3. “Signature core validation succeeded”
  4. “Certificate path validation succeeded”
  5. “Revocation check succeeded” 
  6. “CPR collected from user and verified by PID-CPR service”, or “CPR collected from PID-CPR service”

Package formatting requirements (normative)

Package formatting is the process of putting all information elements together in a package.

Format

The package must be formatted according to the following format specification:

Name: Long Time Validation extended Signed Data Object

Version *): 1.X

Available at *): https://id.signicat.com/definitions/xsd/LtvSdo-1.X

*) The 'X' means that the minor version number is not specified. It should be replaced by the actual minor version in the URL.

Sealing requirements (normative)

This section contains requirements for the TSP signature on the package, also called the seal.

  1. The seal covers the complete package, such that all information in the package is protected by the signature.
  2. The seal is an XAdES signature.
  3. The signature is verified immediately following signature creation.
  4. Signature verification is done according to XMLDSig Core Validation [XMLDSIG].
  5. Verification includes certificate validation of the signing certificate, including revocation check. Trust anchors used in certificate validation are listed in Appendix B.
  6. All certificates and revocation values used in the initial verification of the signature are included in the XAdES structure.
  7. The signature does not include time-stamps.
  8. The package is signed according to an explicit signature policy, which is available together with this policy.

 

 

Appendix A: Trust anchors used in validation of the native signature

The following certificate is used as trust anchor in Certificate Path Validation and OCSP Response validation when validating the native signature. 

TRUST2408 OCES Primary CA


 

Appendix B: Trust anchors used in validation of the seal

The following certificates are used as trust anchor in Certificate Path Validation and OCSP Response validation when validating the seal (the TSP signature).

Buypass Class 3 CA 1


 

Buypass Class 3 CA 1 - extended life-time


 

Buypass Class 3 Root CA


 

 Norwegian BankID E-Signatures for Long-Term Validation (packaging policy)

Policy ID and location

Policy ID

urn:signicat:packagingpolicy:ltv:bankid-no:1.0:1.0

Name

Policy for Packaging of Norwegian BankID E-Signatures for Long-Term Validation 

URL

https://id.signicat.com/definitions/packagingpolicy/ltv-1.0/bankid-no-1.0


Introduction

This packaging service policy defines requirements for packaging of Norwegian BankID e-signatures for long-term validation in connection with the signature creation and initial verification. It includes a requirement for collecting and packaging the signer's Norwegian national ID (“fødselsnummer”).

About Packaging Policies

The purpose of a packaging policy is to specify requirements for the packaging process, and high-level requirements for the prior signature creation and verification process. 

The primary users of this policy will be e-signature users (relying parties). The policy will help e-signature users to better understand the information contained in a package, and on what basis it can be trusted and used.

The policy will also be useful for implementers of the packaging service.

Scope

This packaging policy defines requirements for packaging of Norwegian BankID e-signatures for long-term validation in connection with the signature creation and initial verification.

The policy also sets some high level requirements for the creation and verification processes, and requires them to collect certain data that is needed by the packaging process. 

The policy does not set detailed requirements for the signature creation and verification processes, because those requirements are controlled by BankID.

Structure 

The normative parts of the policy are listed below.

  1. General process requirements defines high-level requirements for the overall packaging process.
  2. Signature creation requirements defines requirements for the creation of the packaged signature (the “native” signature).
  3. Signature verification requirements defines requirements for the verification of the native signature.
  4. Signature enrichment and hardening requirements defines requirements for the signature enrichment and hardening process.
  5. Package formatting requirements defines requirements for the format used for the package.
  6. Sealing requirements defines requirements for the TSP signature on the package.

Terms and acronyms

Term: Explanation

TSP: Trusted Service Provider, the entity implementing this policy by packaging the signature.

Long-term validation: The concept of validating an e-signature a long time (months, and sometimes years) after it was created.

Native signature: The e-signature that is to be packaged for long-term validation.

Original document: The document signed with the native signature.

Signature enrichment: The addition of extra information about the document, the signer, the context, or the signing and verification process.

Signature hardening: The addition of information that strengthens the non-repudiation of the signature.

Native signature qualifying properties: A common term for information that strengthens the native e-signature and makes it suitable for long-term validation.

Seal: The Trusted Service Provider's signature on the package, commonly referred to as the Seal.

PersonBankID: BankID Personal certificate (bank-stored end-user PERSONAL QUALIFIED certificate)

AnsattBankID: BankID Employee certificate (bank-stored end-user EMPLOYEE QUALIFIED certificate)

MobilBankID: BankID on Mobile (mobile end-user PERSONAL certificate)

 

References

Short name: Resource

XMLDSIG: http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/

XAdES: ETSI TS 101 903: “XML Advanced Electronic Signatures (XAdES)”

SEID-SDO: SEID-SDO – Dataobjekt for langtidslagring og utveksling av elektroniske signaturer, Versjon 1 (Data object for long-term storage and exchange of electronic signatures, version 1; in Norwegian)

General process requirements (normative)

  1. Packaging of the native signature is done such that it provides support for long-term validation of the native signature. 
  2. Packaging is performed immediately following signature creation and initial verification.
  3. Packaging is done only if initial verification succeeds.
  4. Validation data used in the initial verification is included in the package, to enable recreation of the validation process at a later point in time.

Signature creation requirements (normative)

This section defines requirements for the creation of the packaged signature (the “native” signature).

  1. The signer's certificate must be of type PersonBankID (not AnsattBankID or MobilBankID).
  2. The original document can be in either plain text format or PDF format.
  3. Signature creation is performed according to the BankID requirements and guidelines at signature creation time.
  4. The signature is created in SEID-SDO Basic-V format, and a SEID-SDO seal is applied.

Signature verification requirements (normative)

This section defines requirements for the verification of the native signature.

  1. Signature verification is done according to current BankID requirements and guidelines at signature verification time.
  2. The process will always include verifying that the cryptographic signature was created over the included original document with the signer's private key corresponding to the public key in the included signer certificate.
  3. The process will include certificate validation of the signer certificate, including revocation check. Trust anchors used in certificate validation are listed in Appendix A.

Signature enrichment and hardening requirements (normative)

This section defines requirements for the signature enrichment and hardening done as part of the packaging. 

Native Signature Qualifying Properties

The following information is included in the package as native signature qualifying properties:

  1. The trusted signing time, as collected by the TSP from a trusted time source.
  2. The root BankID certificate of the end-user BankID.
  3. The root BankID certificate of the merchant BankID (if different).

Signature creation context

The following information is collected from the signature creation context:

Information about the client platform:

  1. Client OS and browser, as provided by the client browser.
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. List of important server software components with versions

Signature verification context

The following information is collected from the signature verification context:

Information about the client platform:

  1. Client OS and browser, as specified by the browser through the HTTP Header “User-Agent”
  2. Client Java version

Information about the server platform:

  1. Server OS and Java version
  2. Version of the BankID API used, the “BankID Server”.
  3. List of important server software components with versions

Signature external context

The following information is collected from the signature external context:

  1. The description of the external context as provided by the user of the packaging service.

Additional information

The following additional information elements are collected:

  1. The signer's FNR (fødselsnummer), collected directly from the BankID VA service.

Audit trail 

Audit trail entries are collected for important events, for the purpose of strengthening the non-repudiation of the signature and to support forensics.

 

Package formatting requirements (normative)

Package formatting is the process of putting all information elements together in a package.

Format

The package must be formatted according to the following format specification:

Name: Long Time Validation extended Signed Data Object

Version *): 1.X

Available at *): https://id.signicat.com/definitions/xsd/LtvSdo-1.X

*) The 'X' means that the minor version number is not specified. In the URL, it should be replaced by the actual minor version.

Sealing requirements (normative)

This section contains requirements for the TSP signature on the package, also called the seal.

  1. The seal covers the complete package, such that all information in the package is protected by the signature.
  2. The seal is an XAdES signature.
  3. The signature is verified immediately following signature creation.
  4. Signature verification is done according to XMLDSig Core Validation [XMLDSIG].
  5. Verification includes certificate validation of the signing certificate, including revocation check. Trust anchors used in certificate validation are listed in Appendix B.
  6. All certificates and revocation values used in the initial verification of the signature are included in the XAdES structure.
  7. The signature does not include time-stamps.
  8. The package is signed according to an explicit signature policy, which is available together with this policy.
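The sealing requirements are identical in the NemID and BankID policies above, so a relying party can apply one structural check to either package before spending effort on cryptographic validation. The following is an added example, not Signicat code: it parses a XAdES seal and checks requirements 1, 2, 6, 7 and 8 by element presence only, leaving XMLDSig Core Validation and certificate path validation (requirements 4 and 5) to a real signature library. It assumes an enveloped seal (the policy does not say), and the sample package is constructed with placeholder values.

```python
"""Structural check of a package seal against the sealing requirements.

Added example, not Signicat code. Inspects XML structure only; it does not
verify the signature value or the certificate chain.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
NS = {"ds": DS, "xades": XADES}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Every time-stamp property XAdES defines; requirement 7 forbids all of them.
TIMESTAMP_ELEMENTS = (
    "AllDataObjectsTimeStamp", "IndividualDataObjectsTimeStamp",
    "SignatureTimeStamp", "SigAndRefsTimeStamp", "RefsOnlyTimeStamp",
    "ArchiveTimeStamp",
)


def check_seal(xml_text: str) -> list:
    """Return the list of requirement violations found (empty == structurally OK)."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature element found"]
    findings = []

    # Req. 1: the seal covers the complete package. Assumption (not stated in
    # the policy): the seal is enveloped, so "covers everything" means a
    # Reference with URI="" plus the enveloped-signature transform.
    covers_all = any(
        ref.get("URI") == "" and any(
            t.get("Algorithm") == ENVELOPED
            for t in ref.findall("./ds:Transforms/ds:Transform", NS))
        for ref in sig.findall("./ds:SignedInfo/ds:Reference", NS))
    if not covers_all:
        findings.append('no ds:Reference with URI="" and enveloped-signature transform')

    # Req. 2: the seal is a XAdES signature, i.e. it carries QualifyingProperties.
    qp = sig.find(".//xades:QualifyingProperties", NS)
    if qp is None:
        findings.append("not a XAdES signature: xades:QualifyingProperties missing")
        return findings

    # Req. 8: signed under an explicit signature policy.
    if qp.find(".//xades:SignaturePolicyIdentifier/xades:SignaturePolicyId", NS) is None:
        findings.append("no explicit signature policy (xades:SignaturePolicyId missing)")

    # Req. 6: certificates and revocation values carried inside the XAdES structure.
    for name in ("CertificateValues", "RevocationValues"):
        if qp.find(f".//xades:{name}", NS) is None:
            findings.append(f"xades:{name} missing")

    # Req. 7: no time-stamps of any kind.
    for name in TIMESTAMP_ELEMENTS:
        if qp.find(f".//xades:{name}", NS) is not None:
            findings.append(f"unexpected time-stamp element xades:{name}")
    return findings


# Constructed sample package: signature value and encapsulated values are
# placeholders, not real cryptographic material.
_TEMPLATE = """<package xmlns:ds="{ds}" xmlns:xades="{xades}">
  <payload>native signature, qualifying properties and context data go here</payload>
  <ds:Signature Id="seal">
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms><ds:Transform Algorithm="{env}"/></ds:Transforms>
      </ds:Reference>
      <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#sp"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:Object>
      <xades:QualifyingProperties Target="#seal">
        <xades:SignedProperties Id="sp">
          <xades:SignedSignatureProperties>
            <xades:SignaturePolicyIdentifier><xades:SignaturePolicyId>
              <xades:SigPolicyId><xades:Identifier>urn:example:seal-policy</xades:Identifier></xades:SigPolicyId>
            </xades:SignaturePolicyId></xades:SignaturePolicyIdentifier>
          </xades:SignedSignatureProperties>
        </xades:SignedProperties>
        <xades:UnsignedProperties><xades:UnsignedSignatureProperties>
          <xades:CertificateValues>
            <xades:EncapsulatedX509Certificate>PLACEHOLDER</xades:EncapsulatedX509Certificate>
          </xades:CertificateValues>
          {unsigned}
        </xades:UnsignedSignatureProperties></xades:UnsignedProperties>
      </xades:QualifyingProperties>
    </ds:Object>
  </ds:Signature>
</package>"""

_REVOCATION = ("<xades:RevocationValues><xades:OCSPValues>"
               "<xades:EncapsulatedOCSPValue>PLACEHOLDER</xades:EncapsulatedOCSPValue>"
               "</xades:OCSPValues></xades:RevocationValues>")

GOOD_SEAL = _TEMPLATE.format(ds=DS, xades=XADES, env=ENVELOPED, unsigned=_REVOCATION)
# Violates req. 6 (no revocation values) and req. 7 (carries a time-stamp).
BAD_SEAL = _TEMPLATE.format(ds=DS, xades=XADES, env=ENVELOPED,
                            unsigned="<xades:SignatureTimeStamp/>")

if __name__ == "__main__":
    print("good seal:", check_seal(GOOD_SEAL) or "OK")
    print("bad seal:", check_seal(BAD_SEAL))
```

A passing structural check is a precondition, not a verdict: the package is only trustworthy once the seal's signature value and the sealing certificate's chain to the Appendix B trust anchors have also been validated.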

 

 

Appendix A: Trust anchors used in validation of the native signature

The following certificates are used as trust anchors in Certificate Path Validation and OCSP Response validation when validating the native signature.

BankID Root CA 2048


 

BankID Root CA 4096


 

Appendix B: Trust anchors used in validation of the seal

The following certificates are used as trust anchor in Certificate Path Validation and OCSP Response validation when validating the seal (the TSP signature).

Buypass Class 3 CA 1


 

 

Buypass Class 3 CA 1 - extended life-time


 

 

Buypass Class 3 Root CA

-----BEGIN CERTIFICATE-----
MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y
ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E
N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9
tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX
0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c
/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X
KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY
zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS
O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D
34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP
K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3
AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv
Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj
QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV
cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS
IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2
HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa
O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv
033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u
dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE
kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41
3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD
u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
-----END CERTIFICATE-----

Appendix D: Packaging Norwegian BankID Signatures for Long-Term Validation

This appendix explains how long-term validation concepts are applied to the packaging of Norwegian BankID e-signatures.


Trust anchors

A trust anchor is an authoritative entity for which trust is assumed rather than derived. The trust anchors under this policy are:

  1. The BankID Root CA for the end-user certificate, operating under a given certificate policy
  2. The BankID Root CA for the merchant certificate, operating under a given certificate policy
  3. The TSP, operating under this packaging policy 
  4. The CA of the TSP Certificate


Validation Data for the Native SDO

Validation data are additional data needed to validate the electronic signature, but which are not trusted in themselves.

For validation of the end-user signature:

ID | Information element                          | Where it is located in the package       | Derives trust from
---|----------------------------------------------|------------------------------------------|--------------------
1  | EU Certificate                               | In the SEID SDO                          | 2, 4
2  | EU Intermediate CA Certificates              | In the SEID SDO                          | 3
3  | BankID Root Certificate for EU Certificate   | Native Signature Qualifying Properties   | None. Trust anchor.
4  | EU Certificate revocation data               | OCSP response in the SEID SDO            | 5
5  | OCSP Certificate                             | In the OCSP response in the SEID SDO     | 2

For validation of the merchant signature and the SEID SDO seal signature:

ID | Information element                                                    | Where it is located in the package       | Derives trust from
---|------------------------------------------------------------------------|------------------------------------------|--------------------
6  | Merchant Certificate                                                   | In the SEID SDO                          | 6, 8
7  | Merchant certificate intermediate CA certs                             | In the SEID SDO                          | 10
8  | Merchant Certificate revocation data                                   | OCSP response in the SEID SDO            | 9
9  | OCSP Certificate                                                       | In the OCSP response in the SEID SDO     | 10
10 | BankID Root Certificate for Merchant Certificate (may be identical to 3) | Native Signature Qualifying Properties | None. Trust anchor.


Validation Data for the TSP Signature

ID | Information element                    | Where it is located in the package            | Derives trust from
---|----------------------------------------|-----------------------------------------------|--------------------
1  | TSP Certificate                        | In the XAdES Signature                        | 2, 4
2  | TSP Certificate chain                  | In the XAdES Signature                        | 3
3  | TSP Certificate Root CA                | In the XAdES Signature                        | None. Trust anchor.
4  | TSP Certificate revocation data        | OCSP response in the XAdES Signature          | 6
5  | TSP Certificate chain revocation data  | CRL in the XAdES Signature                    | 7
6  | OCSP Certificate                       | In the OCSP response in the XAdES Signature   | 2/3
7  | CRL Certificate for TSP cert           | In the CRL in the XAdES Signature             | 2/3


Note: The validation data does not include revocation information for the intermediate CA certificates, because BankID does not provide revocation services (CRL or OCSP) for these certificates. These certificates therefore have a kind of trusted status, and a compromise of their private keys must be communicated out-of-band.

Trusted signing time

It is essential for long-term validation to have a trusted signing time. Without it, it is impossible to decide whether the signing certificate was valid at the time of signing.

This packaging policy arranges for the following sources of trusted signing time:

  1. The TSP-collected trusted signing time included in the Native Signature Qualifying Properties. It relies on trust in the TSP's trusted time source, and can be validated through validation of the TSP Signature.
  2. As additional evidence, the OCSP response signing time is available under SignatureDescription and is signed in the OCSP response. It can be validated as part of the OCSP response. Note that the relation between the OCSP response and the signature depends on trust in the TSP Signature and the SEID-SDO Seal, and therefore on trust in the TSP and the Merchant.

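The two points above (a trust anchor that is assumed rather than derived, and path validation performed at the trusted signing time rather than at validation time) can be shown in a few lines of Go. The block below is an added example and is not part of the policy page or of Signicat's packaging service; it uses only the Go standard library and embeds one of the Appendix B anchors ("Buypass Class 3 CA 1 - extended life-time", copied verbatim from the page). The two timestamps are constructed: a signature made in 2012, while that anchor was still valid, and a validation run in 2020, after it expired. Function names are the example's own.

```go
package main

// Added example (not from the policy page or Signicat): vet a trust anchor
// and validate a certificate at the trusted signing time, not at time.Now().

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"time"
)

// "Buypass Class 3 CA 1 - extended life-time", copied from Appendix B.
// It expired on 2016-05-09, so it only validates for signing times before that.
const buypassClass3CA1Ext = `-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE2MDUwOTE0MTMwM1owSzEL
MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCFpYJ6LryjhPCuxwMa6pdG+o9tLL1AgTUU
WzJzPlbXKRJPkT60DiLptFhhcqu0/hEDz5hAkWXU6gydQlk3lZQodNLWj9Db+WyY
casAxUSacqSuR/RT7G+myQEJ4Bl+4cBFjTY6McWCNifctCsJMhlNm3puHNytqwRy
T2DoICHrURrzfaqnZ0hkNnf26Yhs0BDjWE/R+5SbzqmEVlLGVfZW8QzQMRNEnPkH
Mg3Ah6doPqjO+1+UAJgeI+dC9epf+iQgGlBdzw3NLYtqbs3fsHu2/40bbOum0qfI
Q8MLRyH/421x8g3MeJ7SAUQ8+fU5RzbkZUfnpGLIcH82viL3C9Pg
-----END CERTIFICATE-----`

// parseCert decodes one PEM-encoded X.509 certificate.
func parseCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// checkAnchor enforces what an anchor must be before it enters the store:
// a CA certificate that is self-issued and whose self-signature verifies.
func checkAnchor(c *x509.Certificate) error {
	if !c.BasicConstraintsValid || !c.IsCA {
		return fmt.Errorf("%s: not a CA certificate", c.Subject.CommonName)
	}
	if c.Subject.String() != c.Issuer.String() {
		return fmt.Errorf("%s: issuer differs from subject", c.Subject.CommonName)
	}
	if err := c.CheckSignatureFrom(c); err != nil {
		return fmt.Errorf("%s: bad self-signature: %w", c.Subject.CommonName, err)
	}
	return nil
}

// buildTrustStore parses and vets every anchor; one bad anchor aborts the build.
func buildTrustStore(anchorPEMs ...string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for _, p := range anchorPEMs {
		c, err := parseCert(p)
		if err != nil {
			return nil, err
		}
		if err := checkAnchor(c); err != nil {
			return nil, err
		}
		pool.AddCert(c)
	}
	return pool, nil
}

// verifyAt runs certificate path validation with the clock set to the trusted
// signingTime. Intermediates may be nil; a certificate that is itself an
// anchor yields a one-element chain.
func verifyAt(certPEM string, intermediates, roots *x509.CertPool, signingTime time.Time) ([][]*x509.Certificate, error) {
	c, err := parseCert(certPEM)
	if err != nil {
		return nil, err
	}
	return c.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   signingTime, // the trusted signing time, not time.Now()
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
}

func main() {
	roots, err := buildTrustStore(buypassClass3CA1Ext)
	if err != nil {
		panic(err)
	}
	// Constructed times: signed in 2012, validated after the anchor expired.
	for _, at := range []time.Time{time.Date(2012, 6, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)} {
		_, err := verifyAt(buypassClass3CA1Ext, nil, roots, at)
		fmt.Printf("validated as of %s: err=%v\n", at.Format("2006-01-02"), err)
	}
}
```

Run as written, the first validation succeeds and the second fails with an expiry error: the same certificate, the same trust store, only the clock differs. This is exactly why the policy insists on a trusted signing time; with `CurrentTime` left at its zero value Go would use the wall clock, and every signature made under an expired anchor would look invalid.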

The additional information will be:

  1. The Norwegian “fødselsnummer”, as contained in the OCSP response. It is carried in the signed end-user certificate OCSP response from BankID, and can be validated through validation of the OCSP response and of the relation between the OCSP response and the end-user certificate.