BDOC2.1 – new national standard on digital signatures

The new national standard EVS 821:2014 on digital signatures has been in force since 05.06.2014 and is available to order from the Estonian Centre for Standardisation.

The previous version of the Estonian digital signature standard, EVS 821:2009 (withdrawn on 05.06.2014), needed updating primarily because ETSI had meanwhile released a number of relevant standards, namely:

  • ETSI TS 102 918 (ASiC), which defines the container format for encapsulating signed files and signatures together with extra information
  • The ASiC Baseline Profile, ETSI TS 103 174, which significantly narrows down the choices in ASiC
  • The XAdES Baseline Profile, ETSI TS 103 171, which in turn narrows down the options in XAdES.

Changes between 1.0 and 1.9.9

The aforementioned profiling standards are similar to the DDOC and BDOC specifications, but there are small differences in the details. The main goal of the BDOC 2.1 specification is to be 100% compliant with those ETSI standards. The following changes were required to achieve this compliance:

  • The XAdES element DataObjectFormat and its subelement MimeType are now required: the MIME type shall be specified in the signature for each signed file in the container
  • Removal of the XAdES "C" block: the redundant elements CompleteCertificateRefs and CompleteRevocationRefs have been dropped
  • Removal of the XAdES "X" block: the element SigAndRefsTimeStamp is no longer in use
  • Identification of the ASiC media type: "application/vnd.etsi.asic-e+zip" is used as the MIME type; the new file extensions ".asice" and ".sce" are permitted besides ".bdoc"
  • The name of the signature file shall contain "signatures" (was: "signature")
  • The root element of the signature file shall be <asic:XAdESSignatures>
  • Listing the signature files in the manifest.xml file is no longer required.

The rest of changes are the following:

  • All references to updated base standards have been refreshed, and some new references were added
  • There is a dedicated section on cryptographic algorithms. Use of elliptic curve signatures (ECDSA) is added.
  • The canonicalization method is upgraded to Canonical XML 1.1 (http://www.w3.org/2006/12/xml-c14n11)
  • Mandatory use of SignaturePolicyIdentifier is introduced, in order to reference the BDOC specification from the signature and to specify the hash algorithm used to calculate the nonce field of the OCSP request.

Changes between 1.9.9 and 2.0 (12.2012):

  • Removed requirement that manifest.xml must be signed.
  • The specification no longer requires a separate <KeyValue> element within the <KeyInfo> block.
  • Element <SigningTime> is now mandatory
  • BDOC 2.0 specification
  • NonceAlgorithm.xsd 

Changes between 2.0 and 2.1 (11.2013)

  • The element NonceAlgorithm has been dropped. Instead, the identifier of the hash function used to calculate the signature hash value is carried in the OCSP nonce field.
  • The SignaturePolicyIdentifier element is no longer used in the time-stamp profile.
  • The time-stamp profile has been changed and specified in more detail.
  • Overall improvements to texts.
  • BDOC 2.1 specification

Changes between 2.1 and 2.1.2 (02.2014, updated 05.2014)

  • Minor corrections, mainly in Annex 1 (example file)
  • Removed the requirement to compare the time values of the time-stamp and the
    OCSP response (clause 6.2)
  • The contents of CertificateValues element is further clarified
  • BDOC 2.1.2 specification
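The change lists above amount to a set of structural rules a BDOC 2.1 container has to satisfy. The following Python script is an added example, not part of the BDOC specification or of this page, that checks a container against those rules: the ASiC media type in the mimetype entry, a signature file whose name contains "signatures", the <asic:XAdESSignatures> root element, Canonical XML 1.1, a DataObjectFormat with a MimeType for every signed file, a mandatory SigningTime, a SignaturePolicyIdentifier unless the signature carries a time-stamp, and the absence of the dropped "C" and "X" block elements. The namespace URIs are those of XMLDSig, XAdES 1.3.2 and ASiC; the rule that the mimetype entry comes first and uncompressed is taken from the ASiC standard rather than from this page. The sample container and its signature file are constructed in memory with placeholder digests and signature value, so the script exercises structure only and verifies no cryptography.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Namespace URIs of the base standards (XMLDSig, XAdES 1.3.2, ASiC) and constants from the change list above.
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xades": "http://uri.etsi.org/01903/v1.3.2#",
      "asic": "http://uri.etsi.org/02918/v1.2.1#"}
ASICE_MIMETYPE = "application/vnd.etsi.asic-e+zip"
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"
SIGNED_PROPS_TYPE = "http://uri.etsi.org/01903#SignedProperties"
SIGNATURE_FILE_RE = re.compile(r"^META-INF/[^/]*signatures[^/]*\.xml$")
DROPPED = ("CompleteCertificateRefs", "CompleteRevocationRefs", "SigAndRefsTimeStamp")  # XAdES "C" and "X" blocks

def check_bdoc21_container(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the container passes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # ASiC (ETSI TS 102 918) keeps 'mimetype' as the first, uncompressed entry.
        if not names or names[0] != "mimetype" or z.getinfo("mimetype").compress_type != zipfile.ZIP_STORED:
            problems.append("mimetype must be the first, uncompressed entry")
        elif z.read("mimetype").decode() != ASICE_MIMETYPE:
            problems.append("mimetype is not " + ASICE_MIMETYPE)
        data_files = [n for n in names if n != "mimetype" and not n.startswith("META-INF/")]
        sig_files = [n for n in names if SIGNATURE_FILE_RE.match(n)]
        if not sig_files:
            problems.append("no META-INF/signatures*.xml file in container")
        for name in sig_files:
            problems += check_signature_file(name, z.read(name), data_files)
    return problems

def check_signature_file(name: str, xml_bytes: bytes, data_files: list) -> list:
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}XAdESSignatures" % NS["asic"]:
        return ["%s: root element is %s, not asic:XAdESSignatures" % (name, root.tag)]
    problems = []
    for sig in root.findall("ds:Signature", NS):
        sid = sig.get("Id", name)
        c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
        if c14n is None or c14n.get("Algorithm") != C14N11:
            problems.append("%s: CanonicalizationMethod is not %s" % (sid, C14N11))
        # Data references only; the reference to SignedProperties is not a signed file.
        refs = [r for r in sig.findall("ds:SignedInfo/ds:Reference", NS)
                if r.get("Type") != SIGNED_PROPS_TYPE]
        uris = {unquote(r.get("URI", "")) for r in refs}  # URIs may be percent-encoded
        for f in data_files:
            if f not in uris:
                problems.append("%s: data file %s is not covered by the signature" % (sid, f))
        # Every signed file needs a DataObjectFormat carrying a MimeType.
        formatted = set()
        for dof in sig.findall(".//xades:DataObjectFormat", NS):
            ref_id = dof.get("ObjectReference", "").lstrip("#")
            mt = dof.find("xades:MimeType", NS)
            if mt is None or not (mt.text or "").strip():
                problems.append("%s: DataObjectFormat for #%s has no MimeType" % (sid, ref_id))
            formatted.add(ref_id)
        for r in refs:
            if r.get("Id") not in formatted:
                problems.append("%s: reference %s has no DataObjectFormat" % (sid, r.get("URI")))
        if sig.find(".//xades:SigningTime", NS) is None:
            problems.append("%s: SigningTime is missing" % sid)
        # SignaturePolicyIdentifier is mandatory except in the time-stamp profile.
        if sig.find(".//xades:SignaturePolicyIdentifier", NS) is None and sig.find(".//xades:SignatureTimeStamp", NS) is None:
            problems.append("%s: SignaturePolicyIdentifier is missing" % sid)
        for tag in DROPPED:
            if sig.find(".//xades:" + tag, NS) is not None:
                problems.append("%s: obsolete element %s present" % (sid, tag))
    return problems

# Constructed minimal signature file: placeholder digests and signature value, not a real cryptographic signature.
DIGEST = '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AA==</ds:DigestValue>'
SAMPLE_SIG = """<asic:XAdESSignatures xmlns:asic="%s" xmlns:ds="%s" xmlns:xades="%s"><ds:Signature Id="S0">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="%s"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="r-doc" URI="document.txt">%s</ds:Reference>
<ds:Reference Type="%s" URI="#S0-SignedProperties">%s</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>AA==</ds:SignatureValue><ds:Object><xades:QualifyingProperties Target="#S0">
<xades:SignedProperties Id="S0-SignedProperties"><xades:SignedSignatureProperties>
<xades:SigningTime>2014-06-05T10:00:00Z</xades:SigningTime><xades:SignaturePolicyIdentifier/>
</xades:SignedSignatureProperties><xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#r-doc"><xades:MimeType>text/plain</xades:MimeType></xades:DataObjectFormat>
</xades:SignedDataObjectProperties></xades:SignedProperties></xades:QualifyingProperties></ds:Object>
</ds:Signature></asic:XAdESSignatures>""" % (NS["asic"], NS["ds"], NS["xades"], C14N11, DIGEST, SIGNED_PROPS_TYPE, DIGEST)

def build_container(entries):
    # Assemble an ASiC-E ZIP in memory: mimetype first and stored, the remaining entries deflated.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("mimetype"), ASICE_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        for arcname, content in entries:
            z.writestr(arcname, content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def sample_containers():
    # Two constructed containers: one conforming, one with pre-2.1 style defects (no MimeType, old C14N).
    good = build_container([("document.txt", "hello"), ("META-INF/signatures0.xml", SAMPLE_SIG)])
    old_sig = SAMPLE_SIG.replace("<xades:MimeType>text/plain</xades:MimeType>", "").replace(C14N11, "http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
    bad = build_container([("document.txt", "hello"), ("META-INF/signatures0.xml", old_sig)])
    return good, bad
```

Running `check_bdoc21_container` on the two containers from `sample_containers()` returns an empty list for the conforming one and two findings for the defective one (the old canonicalization algorithm and the missing MimeType). Because the signed-file coverage is derived from the ds:Reference URIs rather than from manifest.xml, the check does not depend on the manifest listing that BDOC 2.1 no longer requires.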
