GB/T 38308-2019 Processes, data elements and documents in commerce, industry and administration - Long term signature - Part 4: Attributes pointing to proof of existence objects used in long term signature formats
1 Scope
This document specifies the attributes and objects to proof of existence (PoE) used in long term signature formats, it describes the basic concept and attribute character of PoE, and provides the type, basic fields and associated examples of PoE objects.
This document is applicable to (external) PoE used in long term signature formats, i.e. achieving long term signature validation through existing digital signatures and trusted time values.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 32000-2 Document management - Portable document format - Part 2: PDF 2.0
ISO/IEC8825-1 Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
Note: GB/T16263.1-2006 Information technology- ASN. 1 encoding rules- Part 1 :Specification Of Basic Encoding Rules(BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules(DER) (ISO/IEC 8825-1:2002, IDT)
ISO/IEC 9594-8 Information technology - Open Systems Interconnection - The Directory - Part 8 : Public-key and attribute certificate frameworks
Note: GB/T16264.8-2005 Information technology-Open systems Interconnection-The Directory-Part 8:Public-key and attribute certificate frameworks (ISO/IEC 9594-8:2001, IDT)
ETSI EN 319122-1 V1.1.1: 2016 Electronic Signatures and Infrastructures(ESI); CAdES digital signatures; Part 1:Building blocks and CAdES baseline signatures
IETF RFC 31611 Timestamp Protocol (TSP)
IETF RFC 46482) The Basel6,Base32,and Base64 Data Encodings
IETF RFC 49983) Evidence Record Syntax(ERS)
IETF RFC 56524) Cryptographic Message Syntax (CMS)
IETF RFC 62835) Extensible Markup Language Evidence Record Syntax (XMLERS)
IETF RFC 6960 Online Certificate Status Protocol (OCSP)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 9594-8, ISO 32000-2, ISO/IEC 8825-1, IETF RFC 3161, IETF RFC 6960 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at https://www.iso.org/obp
- IEC Electropedia :available athttp://www.electropedia.org/
3.1
digital signature
data appended to, or cryptographic transformation of, a data string that proves the origin and the integrity of the data string and protects against forgery, e.g.by the recipient of the data string
Note: Digital signatures in the present document cover also electronic signatures, advanced electronic signatures, qualified electronic signatures, electronic seals, advanced electronic seals, qualified electronic seals, electronic time stamps and qualified electronic time stamps as per Regulation (EU) No 910/2014[6] and ISO/IEC 9594-8 certificate, CRL (see ISO/IEC 9594-8) or OCSP response and signatures defined in the configuration document.
[Source: ISO/IEC 7816-4:2013, 3.21, modified]
3.2
document identifier; DId
indirect identifier for machine processing in the form of DER encoded ASN.1 type MessageImprint defined in IETF RFC 3161 covering the electronic document
3.3
document signature identifier; DSId
indirect identifier of signature of a document for machine processing in the form of DER encoded ASN.1 type MessageImprint defined in IETF RFC 3161 covering the DER encoded result of the asymmetric signature algorithm
Example: ECDSA or RSA result included in the digital signature (3.1) of the signed electronic document.
Note 1: DSId is mainly used for indirect machine processing identification of the electronic document which is electronically signed, e.g .DSId is used for PDF document identification if PDF file contains many versions of PDF document created by including incremental updates (see ISO 32000-2:2017, 7.5.6 for details) after more than one PDF document timestamps (see ISO 32000-2:2017, 12.8.5) or by including incremental updates after PDF signature or after PDF document timestamp.
Note 2: Indirect identifier means a relatively unique changeable hash value changing according to the used hash algorithm. A hash collision is when two different input strings of a hash function produce the same hash result.
3.4
document type identifier; DTId
sequence of the characters associated with the electronic document used for determining the format and interpretation of the electronic document
Note 1: DTld is crucial for correct interpretation of the content of electronic document protected by digital signature (3.1). DTId is implemented as the file name extension or the value of the content type (see IETF RFC 2231 or IETF RFC 2045), whose value is included in the fields protected by the digital signature (see Annex F).
3.5
end-of-line marker; EOL marker
sequence of one or two characters marking the end of a line, consisting of a CARRIAGE RETURN character (0Dh) or a LINE FEED character (0Ah) or a CARRIAGE RETURN followed immediately by a LINE FEED
3.6
evidence record; ER
collection of evidence created for one or more given data objects over time, which can be used to prove the integrity and existence of a data object or a data object group at a certain time
Note 1: See IETF RFC 4998, IETF RFC 6283 and ETSI SR 019510.
3.7
long term
period of time long enough for there to be concern about the impacts of changing technologies, including support for new media and data formats, and of a changing user community, on the information being held in a repository, which may extend into the indefinite future
Note 1: Cryptographic algorithms could become weak.
3.8
long-term integrity preservation long-term preservation; LTI
extension of the validity status of a digital signature (3.1) overlong periods of time and/or of provision of proofs of existence of data over long periods of time, in spite of the obsolescence of cryptographic technology such as crypto algorithms, key sizes or hash functions, key compromises or of the loss of the ability to check the validity status of public key certificates
3.9
object identifier as a hash; ObjectId
hash reference of the PoE object (3.12), PoE attribute (3.11) or data object, consisting of object identifier like Did (3.2) or DSId (3.3)
3.10
proof of existence; PoE
evidence that proves that an object existed at a specific date/time
Note: See ETSI SR 019510.
3.11
proof of existence attribute PoE attribute
reference to the PoE object (3.12) containing also PoE object type, optional PoE object location, optional storage for the PoE object and optional data object references as additional clarification of data object(s), protected by PoE object, thus unambiguously specifying their semantics
Note: PoE attribute can be a signed or unsigned object of the digital signature (3.1) or the file containing the Objectld (3.9), e.g. Did (3.2) or DSId (3.3), of PoE object. See 4.1 or Annex G, where the type of PoE object is the file name extension like, e.g."timestampedFile.EXTTST.DSId" containing PoE object. The file is stored in "timestampedFile.EXT". The timestamp is stored in timestamp file "timestampedFile.EXTTST"
3.12
proof of existence object
PoE object
property that represents information about a protected data object like type, status or integrity, a trustworthy information of date and time and a digital signature, possibly as part of a timestamp, which proves the integrity of the PoE object and optionally also the origin of the PoE object
GB/T 38308-2019 Processes, data elements and documents in commerce, industry and administration - Long term signature - Part 4: Attributes pointing to proof of existence objects used in long term signature formats
1 Scope
This document specifies the attributes and objects to proof of existence (PoE) used in long term signature formats, it describes the basic concept and attribute character of PoE, and provides the type, basic fields and associated examples of PoE objects.
This document is applicable to (external) PoE used in long term signature formats, i.e. achieving long term signature validation through existing digital signatures and trusted time values.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 32000-2 Document management - Portable document format - Part 2: PDF 2.0
ISO/IEC8825-1 Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
Note: GB/T16263.1-2006 Information technology- ASN. 1 encoding rules- Part 1 :Specification Of Basic Encoding Rules(BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules(DER) (ISO/IEC 8825-1:2002, IDT)
ISO/IEC 9594-8 Information technology - Open Systems Interconnection - The Directory - Part 8 : Public-key and attribute certificate frameworks
Note: GB/T16264.8-2005 Information technology-Open systems Interconnection-The Directory-Part 8:Public-key and attribute certificate frameworks (ISO/IEC 9594-8:2001, IDT)
ETSI EN 319122-1 V1.1.1: 2016 Electronic Signatures and Infrastructures(ESI); CAdES digital signatures; Part 1:Building blocks and CAdES baseline signatures
IETF RFC 31611 Timestamp Protocol (TSP)
IETF RFC 46482) The Basel6,Base32,and Base64 Data Encodings
IETF RFC 49983) Evidence Record Syntax(ERS)
IETF RFC 56524) Cryptographic Message Syntax (CMS)
IETF RFC 62835) Extensible Markup Language Evidence Record Syntax (XMLERS)
IETF RFC 6960 Online Certificate Status Protocol (OCSP)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 9594-8, ISO 32000-2, ISO/IEC 8825-1, IETF RFC 3161, IETF RFC 6960 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at https://www.iso.org/obp
- IEC Electropedia :available athttp://www.electropedia.org/
3.1
digital signature
data appended to, or cryptographic transformation of, a data string that proves the origin and the integrity of the data string and protects against forgery, e.g.by the recipient of the data string
Note: Digital signatures in the present document cover also electronic signatures, advanced electronic signatures, qualified electronic signatures, electronic seals, advanced electronic seals, qualified electronic seals, electronic time stamps and qualified electronic time stamps as per Regulation (EU) No 910/2014[6] and ISO/IEC 9594-8 certificate, CRL (see ISO/IEC 9594-8) or OCSP response and signatures defined in the configuration document.
[Source: ISO/IEC 7816-4:2013, 3.21, modified]
3.2
document identifier; DId
indirect identifier for machine processing in the form of DER encoded ASN.1 type MessageImprint defined in IETF RFC 3161 covering the electronic document
3.3
document signature identifier; DSId
indirect identifier of signature of a document for machine processing in the form of DER encoded ASN.1 type MessageImprint defined in IETF RFC 3161 covering the DER encoded result of the asymmetric signature algorithm
Example: ECDSA or RSA result included in the digital signature (3.1) of the signed electronic document.
Note 1: DSId is mainly used for indirect machine processing identification of the electronic document which is electronically signed, e.g .DSId is used for PDF document identification if PDF file contains many versions of PDF document created by including incremental updates (see ISO 32000-2:2017, 7.5.6 for details) after more than one PDF document timestamps (see ISO 32000-2:2017, 12.8.5) or by including incremental updates after PDF signature or after PDF document timestamp.
Note 2: Indirect identifier means a relatively unique changeable hash value changing according to the used hash algorithm. A hash collision is when two different input strings of a hash function produce the same hash result.
3.4
document type identifier; DTId
sequence of the characters associated with the electronic document used for determining the format and interpretation of the electronic document
Note 1: DTld is crucial for correct interpretation of the content of electronic document protected by digital signature (3.1). DTId is implemented as the file name extension or the value of the content type (see IETF RFC 2231 or IETF RFC 2045), whose value is included in the fields protected by the digital signature (see Annex F).
3.5
end-of-line marker; EOL marker
sequence of one or two characters marking the end of a line, consisting of a CARRIAGE RETURN character (0Dh) or a LINE FEED character (0Ah) or a CARRIAGE RETURN followed immediately by a LINE FEED
3.6
evidence record; ER
collection of evidence created for one or more given data objects over time, which can be used to prove the integrity and existence of a data object or a data object group at a certain time
Note 1: See IETF RFC 4998, IETF RFC 6283 and ETSI SR 019510.
3.7
long term
period of time long enough for there to be concern about the impacts of changing technologies, including support for new media and data formats, and of a changing user community, on the information being held in a repository, which may extend into the indefinite future
Note 1: Cryptographic algorithms could become weak.
3.8
long-term integrity preservation long-term preservation; LTI
extension of the validity status of a digital signature (3.1) overlong periods of time and/or of provision of proofs of existence of data over long periods of time, in spite of the obsolescence of cryptographic technology such as crypto algorithms, key sizes or hash functions, key compromises or of the loss of the ability to check the validity status of public key certificates
3.9
object identifier as a hash; ObjectId
hash reference of the PoE object (3.12), PoE attribute (3.11) or data object, consisting of object identifier like Did (3.2) or DSId (3.3)
3.10
proof of existence; PoE
evidence that proves that an object existed at a specific date/time
Note: See ETSI SR 019510.
3.11
proof of existence attribute PoE attribute
reference to the PoE object (3.12) containing also PoE object type, optional PoE object location, optional storage for the PoE object and optional data object references as additional clarification of data object(s), protected by PoE object, thus unambiguously specifying their semantics
Note: PoE attribute can be a signed or unsigned object of the digital signature (3.1) or the file containing the Objectld (3.9), e.g. Did (3.2) or DSId (3.3), of PoE object. See 4.1 or Annex G, where the type of PoE object is the file name extension like, e.g."timestampedFile.EXTTST.DSId" containing PoE object. The file is stored in "timestampedFile.EXT". The timestamp is stored in timestamp file "timestampedFile.EXTTST"
3.12
proof of existence object
PoE object
property that represents information about a protected data object like type, status or integrity, a trustworthy information of date and time and a digital signature, possibly as part of a timestamp, which proves the integrity of the PoE object and optionally also the origin of the PoE object
