CMS長期署名プロファイル(案)

Similar documents
XAdES長期署名プロファイル(案)

2

最近の電子認証・署名の考え方

Microsoft PowerPoint LE-miyachi.pptx

第3 章 電子認証技術に関する国際動向

Microsoft PowerPoint - PKI Day 2009講演資料 漆嶌 公開用.ppt

電子メールのセキュリティ

タイムスタンプ・プロトコルに関する技術調査

/02/ /09/ /05/ /02/ CA /11/09 OCSP SubjectAltName /12/02 SECOM Passport for Web SR

.Net CryptoAPI 機能と利用法

/07/ /10/12 I

マイナンバーカードによる認証と署名

長期署名フォーマットの標準化と日欧相互運用実験

電子文書交換のための署名とコンテナの構造

IW2003 PKI 応用編 富士ゼロックス株式会社稲田龍 Copyright 富士ゼロックス株式会社

電子署名普及に向けた調査報告書

3. /dev/urandom 1024 ~CA0/private/cakey.pem $ openssl genrsa -rand /dev/urandom -out \ private/cakey.pem 1024 Generating RSA private key

1. PKI (EDB/PKI) (Single Sign On; SSO) (PKI) ( ) Private PKI, Free Software ITRC 20th Meeting (Oct. 5, 2006) T. The University of Tokush


PKIの標準化動向と リソースPKI

\\afs001-0m0005\project02\A32\M

OpenXML長期署名

DICOM Conformance Statement Carino

磁気ディスクへの記録方式に関する告示

Cisco® ASA シリーズルーター向けDigiCert® 統合ガイド

1. はじめに ブリッジ CA (UTF8) 証明書プロファイル 相互認証証明書 ( ブリッジ CA (UTF8) 組織 CA ) 相互認証証明書 ( ブリッジ CA (UTF8) 政府認証基盤ブリッジ CA )..

Microsoft PowerPoint - ESig-PKI-handson-doc-v100.pptx

Juniper Networks Corporate PowerPoint Template

広報なんと10月号

欧州における電子署名技術の最新動向

NFC ucode タグのメモリフォーマット規定

医用画像システム部会 ISO委員会報告

untitled

sp c-final

¥Í¥Ã¥È¥ï¡¼¥¯¥×¥í¥°¥é¥ß¥ó¥°ÆÃÏÀ

C02.pdf

<4D F736F F D20838A B F955C8E8682A982E796DA8E9F914F E718F9096BC816A5F E646F63>

<348C8E8D862E696E6464>

DICOM Conformance Statement "Pronto"


untitled

UID S307-NDEF

Mobilelron® Virtual Smartphone Platform 向けDigiCert® 統合ガイド

A

2

1 発病のとき

署名ツール検証報告書

Microsoft PowerPoint - X-Road.pptx

h1

n..

Canon EOS Kiss Digital N 製品カタログ

eidas とは? eidas: Electronic identification and trust services EUで定めた電子認証や電子署名を含めたトラストサービスに関する規則 電子認証やトラストサービスを普及させることで 国境を越えた電子取引を安全かつシームレスに実現させることが目的

ebXMLメッセージ構造\(V 1.0\)

FileMaker Server 8 Advanced Web Publishing Installation Guide

橡セキュリティポリシー雛形策定に関する調査報告書

かんたん操作ガイド[arrows M02]

かんたん操作ガイド[arrows RM02]



かんたん操作ガイド[arrows M03]

JNSA Challenge PKI 2001



[補足資料] 「Managed CA対応」における製品仕様変更点について

Transcription:

1/22

RFC3126, Electronic Signature Formats for long term electronic signatures (ETSI TS 101 733 V.1.2.2(2000-12)) ETSI TS 101 733 V1.5.1(2003-12), Electronic Signature Formats draft-pinkas-smime-cades-00.txt(2005-7), CMS Advanced Electronic Signatures (CAdES) ECOMH14 3 ECOM 1. CMS Advanced Electronic Signatures (CAdES) 1.1. 1 BES Basic Electronic Signature 2 EPES Explicit Policy Electronic Signature BES EPES 2/22

"ETSI TR 102 272 V1.1.1(2003.12) Electronic Signatures and Infrastructures (ESI);ASN.1 format for signature policies" "RFC3125 : Electronic Signature" Cryptographic Message Syntax (CMS : RFC3852) Enhanced Security Services (ESS : RFC2634) General syntax General syntax CMS(RFC3852) Data content type Data content type CMS(RFC3852) Signed-data content type Signed-data content type CMS(RFC3852) SingedData type SignedData CMS(RFC3852) SignedData certificates 3/22

encapsulated content type id-data SignerInfo certificates crls EncapusulatedContentInfo type EncapusulatedContentInfo type CMS(RFC3852) SignedData econtent econtent SingerInfo type SignerInfo type CMS(RFC 3852) SignerInfo SingerInfo SignerInfo SignerIdentifier issuerandserialnumber SignerIdentifier subjectkeyidentifier 4/22

SignedAttributes ContentType MessageDigest SigningCertificate Message digest CMS(RFC3852) Message signature CMS(RFC3852) Message signature CMS(RFC3852) ESS Signing Certificate Other Signing Certificate CMS signed attribute Content type CMS(RFC3852) id-contenttype OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } ContentType ::= OBJECT IDENTIFIER Message digest CMS(RFC3852) MessageDigest signed attribute 1 Signing certificate signed-data ESS signing certificate Other signing certificate signing certificate simple substitution re-issue 5/22

A) ESS signing certificate ESS signing certificate ESS(RFC2634)ESS signing certificate signed attribute signing certificate Other signing certificate (Signature Validation Policy) signing certificate ESSCertID issuerserial SignerInfo issuerandserialnumber issuerserial ESSCertID policy information B) Other signing certificate SHA-1 ESS SigningCertificate 6/22

id-aa-ets-othersigcert OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 19 } OtherSigningCertificate ::= SEQUENCE { OtherCertID ::= SEQUENCE { OtherHash ::= CHOICE { sha1hash OtherHashValue, -- SHA-1 otherhash OtherHashAlgAndValue OtherHashValue ::= OCTET STRING OtherHashAlgAndValue ::= SEQUENCE { hashalgorithm AlgorithmIdentifier, hashvalue OtherHashValue ESS SigningCertificate Other signing certificate EPES Signature policy identifier EPES signature policy identifier signed attribute 7/22

id-aa-ets-sigpolicyid OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 15 } SignaturePolicyIdentifier ::= CHOICE{ SignaturePolicyId ::= SEQUENCE { SignaturePolicyImplied ::= NULL SigPolicyId ::= OBJECT IDENTIFIER SigPolicyHash ::= OtherHashAlgAndValue SigPolicyQualifierInfo ::= SEQUENCE { sigpolicyqualifierid SigPolicyQualifierId, sigqualifier ANY DEFINED BY sigpolicyqualifierid SigPolicyQualifierId ::= OBJECT IDENTIFIER id-spq-ets-uri OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-spq(5) 1 } SPuri ::= IA5String id-spq-ets-unotice OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-spq(5) 2 } SPUserNotice ::= SEQUENCE { NoticeReference ::= SEQUENCE { DisplayText ::= CHOICE { CMS Signing time 8/22

CMS(RFC3852) UTCTime GeneralizedTimeYYYYMMDDHHMMSSZ id-signingtime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } SigningTime ::= Time Time ::= CHOICE { utctime UTCTime, generalizedtime GeneralizedTime } Countersignature countersignature unsigned attribute id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } Countersignature ::= SignerInfo unsigned attribute countersignature ES-A countersignature countersignature archivetimestamp ESS content reference content reference signedattribute id-aa-contentreference OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 10 } ContentReference ::= SEQUENCE { contenttype ContentType, signedcontentidentifier ContentIdentifier, originatorsignaturevalue OCTET STRING } Content Identifier Contentidentifier signed attribute 9/22

id-aa-contentreference OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 10 } ContentReference ::= SEQUENCE { contenttype ContentType, signedcontentidentifier ContentIdentifier, originatorsignaturevalue OCTET STRING } Content Hints ContentHints ::= SEQUENCE { contentdescription UTF8String (SIZE (1..MAX)) OPTIONAL, contenttype ContentType } id-aa-contenthint OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 4} Commitment Type Indication commitmenttypeindication signedattribute id-aa-ets-commitmenttype OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 16} CommitmentTypeIndication ::= SEQUENCE { CommitmentTypeIdentifier ::= OBJECT IDENTIFIER CommitmentTypeQualifier ::= SEQUENCE { id-cti-ets-proofoforigin OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 1} id-cti-ets-proofofreceipt OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 2} id-cti-ets-proofofdelivery OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 3} id-cti-ets-proofofsender OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 4} id-cti-ets-proofofapproval OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 5} id-cti-ets-proofofcreation OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) cti(6) 6} 10/22

Proof of origin Proof of receipt Proof of delivery Proof of sender Proof of approval Proof of creation TSP Signer Location Signer Location signedattribute id-aa-ets-signerlocation OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 17} SignerLocation ::= SEQUENCE { -- countryname [0] DirectoryString OPTIONAL, -- X.500 Coutry localityname [1] DirectoryString OPTIONAL, -- X.500 locality postaladddress [2] PostalAddress OPTIONAL PostalAddress ::= SEQUENCE SIZE(1..6) OF DirectoryString Signer Attributes signer-attributes signed attribute id-aa-ets-signerattr OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 18} SignerAttribute ::= SEQUENCE OF CHOICE { ClaimedAttributes ::= SEQUENCE OF Attribute CertifiedAttributes ::= AttributeCertificate Content Time-Stamp content time-stamp signed attribute id-aa-ets-contenttimestamp OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 20} ContentTimestamp::= TimeStampToken 11/22

Independent Signatures SignerInfo SignerInfo Embedded Signatures countersignature countersignature ES-A countersignature countersignature archevetimestamp countersignature countersignature Counter Signature Counter Signature 12/22

1.2. ES-TElectronic Signature Time-stamped) ES-T CMS SignerInfo SignatureValue TSA ES-T ES TSA Signature Timestamp OID id-aa-signaturetimestamptoken OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 14} Signature Timestamp ASN.1 SignatureTimeStampToken SignatureTimeStampToken ::= TimeStampToken TimeStampToken messageimprint signeddata SignerInfo signature TimeStampToken RFC3161 SignatureTimestamp ES 1) certificates crls 2) ES Complete validation reference data Extended validation data 3) unsigned attribute(extended validation data ) 1) 3) 1)3) 1.3. ES-CComplete validation reference data) ES-C ES-T CRL OCSP 13/22

ES-C ES-T ES complete validation reference data Complete validation reference data Signature Timestamp Complete Certificate Refs Complete Revocation Refs Complete validation reference data X-Long validation data () Complete Certificate Values Complete Revocation Values Complete validation reference data Extended validation data ( CA ) ES-C Timestamp(ES-X Type1 ) Time-Stamped Certificates and CRLs references(es-x Type2 ) Complete Certificate Refs Complete Certificate Refs unsigned attribute Complete Certificate Refs ES CA signing certificate Complete Certificate Refs OID id-aa-ets-certificaterefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 21} 14/22

Complete Certificate Refs ASN.1 CompleteCertificateRefs CompleteCertificateRefs ::= SEQUENCE OF OtherCertID OtherCertID IssuerSerial certhash Complete Revocation Refs Complete Revocation Refs unsigned attribute ES-C CA CRL OCSP Complete Revocation Refs OID id-aa-ets-revocationrefs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 22} Complete Revocation Refs ASN.1 CompleteRevocationRefs CompleteRevocationRefs ::= SEQUENCE OF CrlOcspRef CrlOcspRef ::= SEQUENCE { CompleteRevocationRefs signing certificate CrlOcspRef CompleteCertificateRefs OtherCertID CrlOcspRef CrlOcspRef OtherCertID CRLListIDOcspListIDOtherRevRefs CRL OCSP 15/22

CRLListID ::= SEQUENCE { crls SEQUENCE OF CrlValidatedID} CrlValidatedID ::= SEQUENCE { CrlIdentifier ::= SEQUENCE { OcspListID ::= SEQUENCE { ocspresponses SEQUENCE OF OcspResponsesID} OcspResponsesID ::= SEQUENCE { OcspIdentifier ::= SEQUENCE { ocspresponderid ResponderID, -- As in OCSP response data producedat GeneralizedTime -- As in OCSP response data crlvalidatedid crlhash CRL DER crlidentifier CRL crlidentifier CRL CRL thisupdate crllistid unsigned attribute CRL Delta CRL complete revocation list CRL OcspIdentifier OSCP OCSP producedat OCSP OcspResponceID OtherRevRefs ::= SEQUENCE { OtherRevRefType ::= OBJECT IDENTIFIER 16/22

1.4. Extended Validation DataES-X ES-X CA ES-C ES-X ES-X Long 4-8ES-X Type1 4-9ES-X Type2 4-10 3 ES-X Long ES-C ES-T ES ES-XLong ES-C ES-T ES ES-X Type1 ES-C ES ES-T ES-C ES-X Type2 ES-X Long ES-X Type1 ES-C ES-X Type2 17/22

CA ES-C ES-X Long ES-X Long Certificate Values Certificate Values unsigned attribute 1 1 CompleteCertificationRefs SingedData Certificates Attribute Certificate signer-attributes Certificate Values OID id-aa-ets-certvalues OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 23} Certificate Values ASN.1 CertificateValues CertificateValues ::= SEQUENCE OF Certificate Certificate RFC3280 ITU-T Recommendation X.509 Revocation Values Revocation Values unsigned attribute 1 1 CompleteRevocationRefs CRL OCSP Revocation Values OID id-aa-ets-revocationvalues OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 24} 18/22

Revocation Values ASN.1 RevocationValues RevocationValues ::= SEQUENCE { OtherRevVals ::= SEQUENCE { OtherRevValType ::= OBJECT IDENTIFIER Other revocation values CertificateList RFC3280 ITU-T Recommendation X.509 BasicOCSPResponse RFC2560 ES-C Time-Stamp Time-Stamped Certificates and CRLs Signing Certificate CA Complete Certificate Refs CA1 CA2 TCA Complete Revocation Refs CA1 CA2 TCA Complete Certificate Values CA2 CA1 TCA Complete Revocation Values CA1 CAi CA2 19/22

1.5. ES-AArchive Validation Data TSA archive time-stamp ES-C ES-T ES ES-XLong ES-A Archive Time-Stamp Archive Time-Stamp Certificate Values Revocation Values Archive Time-Stamp unsigned attribute TSA Archive Time-Stamp OID id-aa-ets-archivetimestamp OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 27} Archive Time-Stamp ASN.1 ArchiveTimeStampToken messageimprint encapcontentinfo econtent OCTET STRING; signedattributes; signature field within SignerInfo; SignatureTimeStampToken attribute; 20/22

CompleteCertificateRefs attribute; CompleteRevocationData attribute; CertificateValues attribute (ES-A ) RevocationValues attribute (ES-A ) ESCTimeStampToken attribute if present; TimestampedCertsCRLs attribute if present; any previous ArchiveTimeStampToken attributes. TimeStampToken RFC3161 1) certificates crls 2) unsigned attribute(extended validation data ) 1) 1),2) draft-pinkas-smime-cades-00.txt ETSI TS 101 733 V1.5.1 messageimprint SignedData encapcontentinfo SignedData Certificates crls SignerInfo contersignature countersignature RFC3126 TSI TS 101 733 V1.4.0 21/22

2. CMS CAdES BES CAdES EPES CAdES ES-T CAdES ES-C CAdES ES-X Long CAdES ES-A SignedAttributes ContentType MessageDigest SigningTime SigningCertificate SignaturePolicyIdentifier ContentReference ContentIdentifier ContentHints CommitmentTypeIndication SignerLocation SignerAttribute ContentTimeStamp UnsignedAttribute CounterSignature SignatureTimeStamp CompleteCertificateRefs CompleteRevocationRefs AttributeCertificateRefs AttributeRevocationRefs CertificateValues RevocationValues ES-C TimeStamp TimeStampedCertsAndCrls ArchiveTimeStamp SignaturePolicyIdentifier ETSI TS 101 733 V 1.4.0 (RFC 3126) ETSI TS 101 733 V 1.5.1 1 1 22/22

2026 © docsplayer.net プライバシー | 利用規約 | フィードバック