New national standard EVS 821:2014 on digital signatures is valid since 05.06.2014 and available to order from Estonian Centre for Standardisation.
Previous version of Estonian digital signature standard EVS 821:2009 (withdrawn from 05.06.2014) needed refreshment primarily due to the fact that ETSI has meanwhile released number of relevant standards, namely:
- ETSI TS 102 918 (ASiC) which addresses the format of container for encapsulation of signed files and signatures with extra information
- Baseline Profile of ASiC ETSI TS 103 174 which significantly narrows down choices in ASiC
- Basline Profile of XAdES ETSI TS 103171 which in turn narrows down options in XAdES.
Changes between 1.0 and 1.9.9
Aforementioned profiling standards are similar to DDOC and BDOC specifications but there are little differences in details. Main goal of BDOC2.1 specification is to be 100% compliant with those ETSI standards. The following changes were required to achieve this compliance:
- XAdES element DataObjectFormat and subelement MimeType are now required – MIME type shall be specified in signature for each signed file in the container
- Removal of XAdES “C” block – redundant elements CompleteCertificateRefs and CompleteRevocationRefs have been thrown out
- Removal of XAdES “X” block. Element SigAndRefsTimeStamp is not longer in use
- Identification of ASiC media type – „application/vnd.etsi.asic-e+zip“ is used for MIME type; new file extensions „.asice“ and „.sce“ are permitted besides „.bdoc“
- The name of signature file shall contain *signatures* (was: *signature*)
- Signature file root element shall be <asic:XAdESSignatures>
- Listing of signature files in not required in manifest.xml file any more.
The rest of changes are the following:
- All references to renewed base standards have been renewed, some new references were added
- There is a special section addressing cryptographic algorithms. Use of elliptic curves (ECDSA) is implicitly added.
- Canonicalization method is upgraded (http://www.w3.org/2006/12/xml-c14n11)
- Mandatory use of SignaturePolicyIdentifier is introduced in order to reference BDOC specification from the signature and to specify hash algorithm which is used to calculate nonce field in for the OCSP request.
Changes between 1.9.9 and 2.0 (12.2012):
- Removed requirement that manifest.xml must be signed.
- The specification does not require separate <KeyValue> element within <KeyInfo> block any more.
- Element <SigningTime> is now mandatory
- BDOC 2.0 specification
Changes between 2.0 and 2.1 (11.2013)
- Element NonceAlgorithm has been dropped. Instead when signature hash value is calculated the hash function identificator is displayed in OCSP nonce field.
- SignaturePolicyIdentifier element is no longer used for timestamp.
- Timestamp profile has been changed/specified.
- Overall improvements to texts.
- BDOC 2.1 specification
Changes between 2.1 and 2.1.2 (02.2014, updated 05.2014)
- Minor corrections, mainly in Annex 1 (example file)
- Removed requirement on comparision of time values between time-stamp and
OCSP response (p.6.2)
- The contents of CertificateValues element is further clarified
- BDOC 2.1.2 specification