SecureBlackbox 16: Introduction to XAdES (XML Advanced Electronic Signatures)
Note: This article applies only to SecureBlackbox Legacy. For future development please consider using the latest version.
The importance of electronic signatures is obvious, not only for people and companies doing electronic business, but for nonprofit organizations and individuals as well. Everybody who cares about trust and security in data storage and processing wants a way to sign documents or data and to validate a signature produced by a second or third party. The electronic signature is thus an important security component that can be used to protect information and provide trust in the modern electronic world.
In this article we talk about signing XML documents, though the same XML signature mechanism can be used to sign any type of data. An XML signature may be detached from the signed data or attached to it. In the latter case the signature is said to be enveloping when it contains the signed data within itself (inside an Object element), or enveloped when it is itself a part of the document that contains the signed data.
In fact, a way to sign digital documents existed before XAdES was issued: it was defined in the W3C Recommendation XML Signature Syntax and Processing, called XML-DSig. So why would anyone bother with XAdES, the newer standard for XML signatures? The answer is simple: XAdES extends XML-DSig with qualifying properties that provide advanced features. More specifically, the XAdES specification (ETSI TS 101 903) defines six incremental forms on top of XML-DSig: XAdES (the basic form, called XAdES-BES, or XAdES-EPES when it references an explicit signature policy), XAdES-T, XAdES-C, XAdES-X, XAdES-X-L and XAdES-A. Each form adds properties to the previous one; the first form, XAdES itself, adds properties to the basic XML-DSig signature. You can read the XAdES specification here.
How It Works
The basic XML signature, defined in XML-DSig, consists of a Signature element in the http://www.w3.org/2000/09/xmldsig# namespace. The structure of this element is as follows (CanonicalizationMethod precedes SignatureMethod in the schema):
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod />
      <SignatureMethod />
      <Reference>
        <Transforms />
        <DigestMethod />
        <DigestValue />
      </Reference>
      <Reference /> etc.
    </SignedInfo>
    <SignatureValue />
    <KeyInfo />
    <Object />
  </Signature>
This is the minimal form of an XML digital signature. Each Reference carries the digest of one piece of signed content (after the listed Transforms and canonicalization), and SignatureValue is the signature over the canonicalized SignedInfo, so the content is bound to the signature only through the digests. This form satisfies basic requirements, but it lacks most of the features introduced by the XAdES standard, which we discuss in the following sections.
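As an added example (not code from the original article and not part of SecureBlackbox), the following Python script, using only the standard library, builds and verifies a minimal enveloping XML-DSig signature with the structure shown above. To stay dependency-free it uses the HMAC-SHA256 SignatureMethod that XML-DSig 1.1 defines and the C14N 2.0 canonicalization that Python's xml.etree implements; a production signer would use an RSA or ECDSA SignatureMethod with a certificate in KeyInfo. The key, the invoice payload and the element Id are constructed for the demo. What it shows is the two-stage check every verifier must perform in this order: each Reference's DigestValue against the referenced content, then SignatureValue over the canonicalized SignedInfo, with the algorithm identifiers checked against an allow-list before anything is trusted.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Algorithm identifiers. C14N 2.0 is what the Python stdlib implements; the
# HMAC-SHA256 SignatureMethod is defined by XML-DSig 1.1 (keyed, no certificate).
ALG_C14N = "http://www.w3.org/2010/xml-c14n2"
ALG_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
ALG_SIG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"


def tag(local):
    return f"{{{DS}}}{local}"


def algorithm(parent, local):
    el = parent.find(tag(local))
    return None if el is None else el.get("Algorithm")


def c14n(elem):
    """Canonical octets of one element. The copy drops the tail text so that
    whitespace following the element in its parent never enters the digest."""
    node = copy.deepcopy(elem)
    node.tail = None
    xml_text = ET.tostring(node, encoding="unicode")
    return ET.canonicalize(xml_text, rewrite_prefixes=True).encode("utf-8")


def digest_value(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode("ascii")


def sign(payload_xml, key, obj_id="obj"):
    """Enveloping signature: the payload goes inside ds:Object and the single
    ds:Reference points at it with a same-document URI."""
    sig = ET.Element(tag("Signature"))
    si = ET.SubElement(sig, tag("SignedInfo"))
    ET.SubElement(si, tag("CanonicalizationMethod"), Algorithm=ALG_C14N)
    ET.SubElement(si, tag("SignatureMethod"), Algorithm=ALG_SIG)
    ref = ET.SubElement(si, tag("Reference"), URI="#" + obj_id)
    ET.SubElement(ref, tag("DigestMethod"), Algorithm=ALG_DIGEST)
    dv = ET.SubElement(ref, tag("DigestValue"))
    sv = ET.SubElement(sig, tag("SignatureValue"))
    obj = ET.SubElement(sig, tag("Object"), Id=obj_id)
    obj.append(ET.fromstring(payload_xml))
    dv.text = digest_value(obj)                    # step 1: bind the content
    mac = hmac.new(key, c14n(si), hashlib.sha256)  # step 2: sign SignedInfo
    sv.text = base64.b64encode(mac.digest()).decode("ascii")
    return ET.tostring(sig, encoding="unicode")


def verify(signed_xml, key):
    """Returns "valid" or the first failure. Algorithms are checked against the
    allow-list first: the document must not get to choose a weak one."""
    sig = ET.fromstring(signed_xml)
    si = sig.find(tag("SignedInfo"))
    if si is None or algorithm(si, "CanonicalizationMethod") != ALG_C14N:
        return "unsupported canonicalization"
    if algorithm(si, "SignatureMethod") != ALG_SIG:
        return "unsupported signature method"
    for ref in si.findall(tag("Reference")):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or algorithm(ref, "DigestMethod") != ALG_DIGEST:
            return "unsupported reference"
        target = next((e for e in sig.iter() if e.get("Id") == uri[1:]), None)
        if target is None or ref.findtext(tag("DigestValue")) != digest_value(target):
            return "reference digest mismatch"
    expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(tag("SignatureValue"), ""))
    if not hmac.compare_digest(expected, actual):
        return "signature value mismatch"
    return "valid"


def tamper_demo():
    """Constructed inputs: a shared demo key and a toy invoice payload."""
    key = b"demo-shared-secret"
    signed = sign("<Invoice><Total>100.00</Total></Invoice>", key)
    results = {"untouched": verify(signed, key)}
    # Editing the payload breaks the Reference digest (stage 1).
    results["payload edited"] = verify(signed.replace("100.00", "999.00"), key)
    # Recomputing the digest moves the failure to stage 2: SignedInfo changed.
    doc = ET.fromstring(signed)
    doc.find(".//Total").text = "999.00"
    doc.find(".//" + tag("DigestValue")).text = digest_value(doc.find(tag("Object")))
    results["digest recomputed"] = verify(ET.tostring(doc, encoding="unicode"), key)
    results["wrong key"] = verify(signed, b"another-key")
    return results


if __name__ == "__main__":
    for case, outcome in tamper_demo().items():
        print(f"{case:18} -> {outcome}")
```

Note that the Id lookup deliberately resolves same-document references only; a verifier that follows arbitrary URIs (external files, HTTP) is a server-side request forgery and XXE surface, and a verifier that accepts whatever DigestMethod or SignatureMethod the document names can be downgraded to a broken algorithm.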
XAdES (basic form)
Provides basic authentication and integrity protection and satisfies the legal requirements for advanced electronic signatures as defined in Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures [EU-DIR-ESIG] (since repealed by the eIDAS Regulation (EU) No 910/2014, which carries the same notion of an advanced electronic signature forward). The basic XAdES profile provides neither proof of the time at which the signature existed (so it cannot defeat a later revocation of the signing certificate) nor long-term validation. It adds the following elements to XML-DSig:
  <ds:Signature ID?>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod/>
      <ds:SignatureMethod/>
      (<ds:Reference URI? >
        (<ds:Transforms />)?
        <ds:DigestMethod />
        <ds:DigestValue />
      </ds:Reference>)+
    </ds:SignedInfo>
    <ds:SignatureValue />
    (<ds:KeyInfo />)?
    <ds:Object>
      <QualifyingProperties>
        <SignedProperties>
          <SignedSignatureProperties>
            (SigningTime)
            (SigningCertificate)
            (SignaturePolicyIdentifier)
            (SignatureProductionPlace)?
            (SignerRole)?
          </SignedSignatureProperties>
          <SignedDataObjectProperties>
            (DataObjectFormat)*
            (CommitmentTypeIndication)*
            (AllDataObjectsTimeStamp)*
            (IndividualDataObjectsTimeStamp)*
          </SignedDataObjectProperties>
        </SignedProperties>
        <UnsignedProperties>
          <UnsignedSignatureProperties>
            (CounterSignature)*
          </UnsignedSignatureProperties>
        </UnsignedProperties>
      </QualifyingProperties>
    </ds:Object>
  </ds:Signature>
In this example, the elements already defined in XML-DSig appear with the "ds" prefix, whereas the new elements defined in the present profile appear without a prefix. The "?" symbol denotes zero or one occurrence, "+" denotes one or more occurrences, and "*" denotes zero or more occurrences.
The QualifyingProperties element acts as a container for all the qualifying information that should be added to an XML signature. The qualifying properties are split into properties that are cryptographically bound to (i.e. signed by) the XML signature (SignedProperties) and properties that are not cryptographically bound to it (UnsignedProperties). The binding uses XML-DSig itself: QualifyingProperties names the signature it qualifies in its Target attribute, and SignedProperties is covered by a dedicated ds:Reference in SignedInfo (with Type "http://uri.etsi.org/01903#SignedProperties"), so any change to SigningTime, SigningCertificate or the policy identifier breaks the signature. A verifier must check that this Reference is actually present, otherwise the "signed" properties are not protected at all. SigningCertificate in particular carries the digest and issuer/serial of the signer's certificate; because ds:KeyInfo is not covered by the signature unless explicitly referenced, this is what prevents substituting another certificate for the same public key. UnsignedProperties can be added after signing (time-stamps, counter-signatures, validation data) without invalidating the signature, which is exactly what the higher profiles rely on.
XAdES-T
This profile adds a time-stamp token, obtained from a trusted Time-Stamping Authority (TSA) and computed over the ds:SignatureValue, to protect against repudiation. The token proves that the signature existed at the time the TSA states, independently of the signer-asserted SigningTime, which is merely a claim. If the signing certificate is revoked after that time, the signature remains valid because it is proven to predate the revocation; without the time-stamp, a signer could repudiate a signature by having the certificate revoked and claiming the signature was made afterwards.
This profile adds the following element within the UnsignedSignatureProperties element:
  <UnsignedSignatureProperties>
    <SignatureTimeStamp>...</SignatureTimeStamp>
    ...
  </UnsignedSignatureProperties>
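The decision rule that the SignatureTimeStamp enables, as an added example that is not part of the original article or of SecureBlackbox: given what a validator learnt about the signing certificate (validity period, revocation time, and the optional CRL invalidityDate extension from RFC 5280) and the genTime of the time-stamp token, classify the signature as VALID, INVALID or INDETERMINATE. The CertStatus record, the dates and the status vocabulary are constructed for this demo; real validators take these from the certificate, the CRL or OCSP response and the decoded time-stamp token after verifying the TSA's signature on it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class CertStatus:
    """What the validator learnt about the signing certificate (constructed for the demo)."""
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None        # revocationDate from the CRL or OCSP response
    invalidity_date: Optional[datetime] = None   # CRL invalidityDate extension, if the CA recorded one


def t(iso):
    """Helper for the demo: ISO 8601 text to an aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def signature_status(cert, attested_time, now):
    """attested_time is the genTime of the SignatureTimeStamp token (None for a plain
    XAdES-BES/EPES). The signer-asserted SigningTime is deliberately not an input:
    it is a claim, not evidence. Returns (status, reason)."""
    if attested_time is None:
        # Without a TSA token the only trusted time is "now": the signature can be
        # accepted only if the certificate is good now, and nothing proves it was
        # made before a later revocation.
        if cert.revoked_at is not None:
            return "INDETERMINATE", "certificate revoked; no time-stamp proves the signature predates it"
        if not cert.not_before <= now <= cert.not_after:
            return "INDETERMINATE", "certificate not currently valid and no proof of signing time"
        return "VALID", "certificate currently valid; no proof of signing time (add a SignatureTimeStamp)"

    if not cert.not_before <= attested_time <= cert.not_after:
        return "INVALID", "signature time-stamped outside the certificate validity period"
    if cert.revoked_at is not None:
        # The key counts as untrustworthy from invalidityDate when the CA gave one
        # (e.g. a compromise discovered late), otherwise from the revocation time.
        bad_from = cert.invalidity_date or cert.revoked_at
        if bad_from <= attested_time:
            return "INVALID", "certificate already compromised or revoked when the signature was time-stamped"
        return "VALID", "time-stamp proves the signature predates the revocation"
    return "VALID", "certificate valid at the attested signing time"


def demo():
    """Constructed scenario: a certificate revoked mid-2024, one variant with an
    earlier invalidityDate, and signatures time-stamped at different moments."""
    cert = CertStatus(t("2023-01-01T00:00:00"), t("2025-01-01T00:00:00"),
                      revoked_at=t("2024-06-01T12:00:00"))
    compromised = CertStatus(cert.not_before, cert.not_after, revoked_at=cert.revoked_at,
                             invalidity_date=t("2024-02-01T00:00:00"))
    now = t("2024-09-01T00:00:00")
    march, july, next_year = t("2024-03-01T00:00:00"), t("2024-07-01T00:00:00"), t("2025-03-01T00:00:00")
    return {
        "stamped before revocation": signature_status(cert, march, now)[0],
        "stamped after revocation": signature_status(cert, july, now)[0],
        "stamped before revocation, key compromised earlier": signature_status(compromised, march, now)[0],
        "no time-stamp, cert revoked": signature_status(cert, None, now)[0],
        "stamped after expiry": signature_status(cert, next_year, now)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{status:13} {case}")
```

The INDETERMINATE outcome is the practical argument for XAdES-T: once the certificate is revoked, a signature without a trusted time cannot be accepted, however plausible its SigningTime looks.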
XAdES-C
XML Advanced Electronic Signature with complete validation data (XAdES-C). Includes references (digests and identifiers, not the data itself) to the set of data supporting the validation of the electronic signature, i.e. the certification path and its associated revocation status information (CRLs or OCSP responses). This profile is useful where that information is archived by an external source, like a trusted service provider, so that the exact certificates and revocation data used at validation time can be retrieved and matched later. It adds the following elements to the XAdES-T profile within the UnsignedSignatureProperties element:
  <UnsignedSignatureProperties>
    <SignatureTimeStamp>...</SignatureTimeStamp>
    <CompleteCertificateRefs>...</CompleteCertificateRefs>
    <CompleteRevocationRefs>...</CompleteRevocationRefs>
    ...
  </UnsignedSignatureProperties>
XAdES-X
XML Advanced Electronic Signature with eXtended validation data (XAdES-X). Includes a time-stamp either over the references to the validation data alone, or over the ds:SignatureValue, the signature time-stamp and those references together. This time-stamp addresses the risk that a key used in the certificate chain, or a key used to sign the revocation status information, is compromised later: it proves that the referenced validation data existed before any such compromise. This form has two alternative implementations.
The first (type 1) adds a SigAndRefsTimeStamp element to XAdES-C within the UnsignedSignatureProperties element; its time-stamp covers the signature value, the signature time-stamp and the complete references. The second (type 2) adds a RefsOnlyTimeStamp element instead; its time-stamp covers the complete references only. With the first alternative the element looks like this:
  <UnsignedSignatureProperties>
    <SignatureTimeStamp>...</SignatureTimeStamp>
    <CompleteCertificateRefs>...</CompleteCertificateRefs>
    <CompleteRevocationRefs>...</CompleteRevocationRefs>
    <SigAndRefsTimeStamp>...</SigAndRefsTimeStamp>
    ...
  </UnsignedSignatureProperties>
XAdES-X-L
XML Advanced Electronic Signature with eXtended validation data incorporated for the Long term (XAdES-X-L).
One important benefit of XAdES is that signed documents can remain verifiable for long periods, after the certificates have expired and the CA's revocation services are no longer reachable, and, with the archive time-stamps of XAdES-A, even after the original algorithms or key sizes have become weak. This, probably the most important feature, is called Long Term Validation.
XAdES-X-L includes the validation data itself (the certificates of the chain and the CRLs or OCSP responses), rather than only references to it, for those situations where the validation data is not stored elsewhere for the long term. This profile adds the following elements to XAdES-X within the UnsignedSignatureProperties element:
  <UnsignedSignatureProperties>
    <SignatureTimeStamp>...</SignatureTimeStamp>
    <CompleteCertificateRefs>...</CompleteCertificateRefs>
    <CompleteRevocationRefs>...</CompleteRevocationRefs>
    <SigAndRefsTimeStamp>...</SigAndRefsTimeStamp>
    <CertificateValues>...</CertificateValues>
    <RevocationValues>...</RevocationValues>
  </UnsignedSignatureProperties>
XAdES-A
XML Advanced Electronic Signature with archiving validation data (XAdES-A). It includes additional time-stamps for archiving signatures in a way that keeps them protected when the cryptographic algorithms or key sizes used so far become weak. This profile adds the ArchiveTimeStamp element to XAdES-X-L within the UnsignedSignatureProperties element. Each archive time-stamp covers the whole signature together with all the validation data and all earlier time-stamps; before the algorithms used by the latest time-stamp weaken, a new ArchiveTimeStamp computed with a stronger algorithm is added on top, so the chain of time-stamps preserves the evidence.
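The profile ladder described in the sections from XAdES-T through XAdES-A, turned into a check, as an added example that is not code from the original article or from SecureBlackbox: the function parses a signature and reports the highest profile whose UnsignedSignatureProperties elements are all present, plus any structural inconsistencies such as validation values without a signature time-stamp. The sample builder produces empty skeleton elements, constructed for the demo; real signatures carry time-stamp tokens and certificate data in them, and presence of an element says nothing about whether that content verifies, which is a separate step.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"

# The cumulative ladder described above. Each rung lists the UnsignedSignatureProperties
# children it adds: (level, all of these, at least one of these).
LADDER = [
    ("XAdES-T",   {"SignatureTimeStamp"}, set()),
    ("XAdES-C",   {"CompleteCertificateRefs", "CompleteRevocationRefs"}, set()),
    ("XAdES-X",   set(), {"SigAndRefsTimeStamp", "RefsOnlyTimeStamp"}),  # type 1 or type 2
    ("XAdES-X-L", {"CertificateValues", "RevocationValues"}, set()),
    ("XAdES-A",   {"ArchiveTimeStamp"}, set()),  # newer XAdES puts this in the v1.4.1 namespace
]


def local_name(tag):
    """Namespace-agnostic so that an ArchiveTimeStamp in the v1.4.1 namespace is seen too."""
    return tag.rsplit("}", 1)[-1]


def classify(signature_xml):
    """Returns (highest consistent level, list of structural problems)."""
    sig = ET.fromstring(signature_xml)
    qp = sig.find(f".//{{{XADES}}}QualifyingProperties")
    if qp is None:
        return "XML-DSig", []
    signed = qp.find(f"{{{XADES}}}SignedProperties/{{{XADES}}}SignedSignatureProperties")
    usp = qp.find(f"{{{XADES}}}UnsignedProperties/{{{XADES}}}UnsignedSignatureProperties")
    present = set() if usp is None else {local_name(child.tag) for child in usp}

    has_policy = signed is not None and signed.find(f"{{{XADES}}}SignaturePolicyIdentifier") is not None
    level = "XAdES-EPES" if has_policy else "XAdES-BES"
    problems = []
    stalled = False  # set once a rung is missing; higher rungs then count as inconsistent
    for name, all_of, any_of in LADDER:
        satisfied = all_of <= present and (not any_of or bool(any_of & present))
        if satisfied and not stalled:
            level = name
        elif satisfied:
            problems.append(f"{name} properties present but a lower level is incomplete")
        else:
            stalled = True
            if (all_of | any_of) & present:
                missing = sorted(all_of - present)
                if any_of and not any_of & present:
                    missing.append("one of " + "/".join(sorted(any_of)))
                problems.append(f"{name} incomplete: missing {', '.join(missing)}")
    return level, problems


def sample(unsigned=(), policy=False):
    """Constructed skeleton for the demo; real signatures carry content in these elements."""
    policy_xml = "<xades:SignaturePolicyIdentifier/>" if policy else ""
    unsigned_xml = "".join(f"<xades:{name}/>" for name in unsigned)
    return (f'<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}" Id="sig">'
            "<ds:SignedInfo/><ds:SignatureValue/><ds:Object>"
            '<xades:QualifyingProperties Target="#sig">'
            "<xades:SignedProperties><xades:SignedSignatureProperties>"
            f"<xades:SigningTime>2024-01-01T00:00:00Z</xades:SigningTime>{policy_xml}"
            "</xades:SignedSignatureProperties></xades:SignedProperties>"
            f"<xades:UnsignedProperties><xades:UnsignedSignatureProperties>{unsigned_xml}"
            "</xades:UnsignedSignatureProperties></xades:UnsignedProperties>"
            "</xades:QualifyingProperties></ds:Object></ds:Signature>")


if __name__ == "__main__":
    full = ["SignatureTimeStamp", "CompleteCertificateRefs", "CompleteRevocationRefs",
            "SigAndRefsTimeStamp", "CertificateValues", "RevocationValues", "ArchiveTimeStamp"]
    for n in range(len(full) + 1):
        print(classify(sample(full[:n])))
    print(classify(sample(["CertificateValues", "RevocationValues"])))
```

A classifier like this is useful as a pre-check in a validation pipeline (for example, rejecting anything below XAdES-T for documents that must survive certificate revocation), but it is not a validator: the time-stamp tokens must be verified against the TSA certificates, the CompleteCertificateRefs digests matched against the actual certificates, and the revocation data checked for the time the signature is being evaluated at.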
A correct signature policy is the guarantee of confidence and trust in the modern electronic world. An electronic signature produced in accordance with the XAdES standard provides evidence that can be processed to gain confidence that some commitment has been explicitly endorsed under a signature policy, at a given time, by a signer under a given identifier, e.g. a name or a pseudonym, and optionally in a given role; these are exactly the facts recorded by the SignaturePolicyIdentifier, the time-stamps, the SigningCertificate, and the SignerRole and CommitmentTypeIndication properties described above.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at firstname.lastname@example.org.