Network Working Group                                            J. Ross
Request for Comments: 3125                          Security & Standards
Category: Experimental                                         D. Pinkas
                                                                Integris
                                                                 N. Pope
                                                    Security & Standards
                                                          September 2001


                     Electronic Signature Policies

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This document defines signature policies for electronic signatures. A
   signature policy is a set of rules for the creation and validation of
   an electronic signature, under which the validity of signature can be
   determined.  A given legal/contractual context may recognize a
   particular signature policy as meeting its requirements.

   A signature policy has a globally unique reference, which is bound to
   an electronic signature by the signer as part of the signature
   calculation.

   The signature policy needs to be available in human readable form so
   that it can be assessed to meet the requirements of the legal and
   contractual context in which it is being applied.

   To allow for the automatic processing of an electronic signature
   another part of the signature policy specifies the electronic rules
   for the creation and validation of the electronic signature in a
   computer processable form.  In the current document the format of the
   signature policy is defined using ASN.1.

   The contents of this document is based on the signature policy
   defined in ETSI TS 101 733 V.1.2.2 (2000-12) Copyright (C).
   Individual copies of this ETSI deliverable can be downloaded from
   http://www.etsi.org.



Ross, et al.                  Experimental                      [Page 1]

RFC 3125             Electronic Signature Policies        September 2001


Table of Contents

   1.  Introduction                                                    3
   2.  Major Parties                                                   3
   3.  Signature Policy Specification                                  5
   3.1  Overall ASN.1 Structure                                        5
   3.2  Signature Validation Policy                                    6
   3.3  Common Rules                                                   7
   3.4  Commitment Rules                                               8
   3.5  Signer and Verifier Rules                                      9
   3.5.1  Signer Rules                                                 9
   3.5.2  Verifier Rules                                              11
   3.6  Certificate and Revocation Requirements                       11
   3.6.1  Certificate Requirements                                    11
   3.6.2  Revocation Requirements                                     13
   3.7  Signing Certificate Trust Conditions                          14
   3.8  Time-Stamp Trust Conditions                                   15
   3.9  Attribute Trust Conditions                                    16
   3.10  Algorithm Constraints                                        17
   3.11  Signature Policy Extensions                                  18
   4.  Security Considerations                                        18
   4.1  Protection of Private Key                                     18
   4.2  Choice of Algorithms                                          18
   5.  Conformance Requirements                                       19
   6.  References                                                     19
   7. Authors' Addresses                                              20
   Annex A (normative):                                               21
   A.1  Definitions Using X.208 (1988) ASN.1 Syntax                   21
   A.2  Definitions Using X.680 (1997) ASN.1 Syntax                   27
   Annex B (informative):                                             34
   B.1  Signature Policy and Signature Validation Policy              34
   B.2  Identification of Signature Policy                            36
   B.3  General Signature Policy Information                          36
   B.4  Recognized Commitment Types                                   37
   B.5  Rules for Use of Certification Authorities                    37
   B.5.1  Trust Points                                                38
   B.5.2  Certification Path                                          38
   B.6  Revocation Rules                                              39
   B.7  Rules for the Use of Roles                                    39
   B.7.1  Attribute Values                                            39
   B.7.2  Trust Points for Certified Attributes                       40
   B.7.3  Certification Path for Certified Attributes                 40
   B.8  Rules for the Use of Time-Stamping and Timing                 40
   B.8.1  Trust Points and Certificate Paths                          41
   B.8.2  Time-Stamping Authority Names                               41
   B.8.3  Timing Constraints - Caution Period                         41
   B.8.4  Timing Constraints - Time-Stamp Delay                       41
   B.9  Rules for Verification Data to be followed                    41



Ross, et al.                  Experimental                      [Page 2]

RFC 3125             Electronic Signature Policies        September 2001


   B.10  Rules for Algorithm Constraints and Key Lengths              42
   B.11  Other Signature Policy Rules                                 42
   B.12  Signature Policy Protection                                  42
   Full Copyright Statement                                           44

1.  Introduction

   This document is intended to cover signature policies which can be
   used with electronic signatures for various types of transactions,
   including business transactions (e.g., purchase requisition,
   contract, and invoice applications).  Electronic signatures can be
   used for any transaction between an individual and a company, between
   two companies, between an individual and a governmental body, etc.
   This document is independent of any environment.  It can be applied
   to any environment e.g., smart cards, GSM SIM cards, special programs
   for electronic signatures etc.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
   as shown) are to be interpreted as described in [RFC2119].

2.  Major Parties

   The document uses the following terms:

      *  the Signature Policy Issuer;
      *  the Signer;
      *  the Verifier;
      *  the Arbitrator;
      *  Trusted Service Providers (TSP);

   The Signature Policy Issuer (which is a Trusted Service Provider
   (TSP)) issues signatures policies that define the technical and
   procedural requirements for electronic signature creation, and
   validation/ verification, in order to meet a particular business
   need.

   The Signer is the entity that creates the electronic signature.  When
   the signer digitally signs over an signature policy identifier, it
   represents a commitment on behalf of the signing entity that the data
   being signed is signed under the rules defined by the signature
   policy.

   The Verifier is the entity that validates the electronic signature,
   it may be a single entity or multiple entities.  The verifier MUST
   validate the electronic signature under the rules defined by the
   electronic signature policy for the signature to be valid.




Ross, et al.                  Experimental                      [Page 3]

RFC 3125             Electronic Signature Policies        September 2001


   An arbitrator, is an entity which arbitrates disputes between a
   signer and a verifier.  It acts as verifier when it verifies the
   electronic signature after it has been previously validated.

   The Trusted Service Providers (TSPs) are one or more entities that
   help to build trust relationships between the signer and verifier.
   Use of TSP specific services MAY be mandated by signature policy.
   TSP supporting services include: user certificates, cross-
   certificates, time-stamping tokens,CRLs, ARLs, OCSP responses.

   A Trusted Service Providers (TSPs) MAY be a Signature Policy Issuer,
   as Such, the TSP MUST define the technical and procedural
   requirements for electronic signature creation and validation, in
   order to meet a particular business need.

   The following other TSPs are used to support the functions defined in
   this document:

      *  Certification Authorities;
      *  Registration Authorities;
      *  Repository Authorities (e.g., a Directory);
      *  Time-Stamping Authorities;
      *  One-line Certificate Status Protocol responders;
      *  Attribute Authorities.

   Certification Authorities provide users with public key certificates.

   Registration Authorities allows the registration of entities before a
   CA generates certificates.

   Repository Authorities publish CRLs issued by CAs, , cross-
   certificates (i.e., CA certificates) issued by CAs, signature
   policies issued by Signature Policy Issuers and optionally public key
   certificates (i.e., leaf certificates) issued by CAs.

   Time-Stamping Authorities attest that some data was formed before a
   given trusted time.

   One-line Certificate Status Protocol responders (OSCP responders)
   provide information about the status (i.e., revoked, not revoked,
   unknown) of a particular certificate.

   Attributes Authorities provide users with attributes linked to public
   key certificates

   An Arbitrator is an entity that arbitrates disputes between a signer
   and a verifier.




Ross, et al.                  Experimental                      [Page 4]

RFC 3125             Electronic Signature Policies        September 2001


3.  Signature Policy Specification

   A signature policy specification includes general information about
   the policy, the validation policy rules and other signature policy
   information.

   This document mandates that:

      *  an electronic signature must be processed by the signer and
         verifier in accordance with the signature policy referenced by
         the signer;
      *  the signature policy referenced by the signer must be
         identifiable by an Object Identifier;
      *  there must exist a specification of the signature policy;
      *  for a given signature policy there must be one definitive form
         of the specification which has a unique binary encoding;
      *  a hash of the definitive specification, using an agreed
         algorithm, must be provided by the signer and checked by the
         verifier.

   This document defines but does not mandate the form of the signature
   policy specification.  The signature policy may be specified either:

      *  in a free form document for human interpretation; or
      *  in a structured form using an agreed syntax and encoding.

   This document defines an ASN.1 based syntax that may be used to
   define a structured signature policy.  Future versions of this
   document may include structured a signature policy specification
   using XML.

3.1  Overall ASN.1 Structure

   The overall structure of a signature policy defined using ASN.1 is
   given in this section.  Use of this ASN.1 structure is optional.

   This ASN.1 syntax is encoded using the Distinguished Encoding Rules
   (DER).

   In this structure the policy information is preceded by an identifier
   for the hashing algorithm used to protect the signature policy and
   followed by the hash value which must be re-calculated and checked
   whenever the signature policy is passed between the issuer and
   signer/verifier.

   The hash is calculated without the outer type and length fields.





Ross, et al.                  Experimental                      [Page 5]

RFC 3125             Electronic Signature Policies        September 2001


SignaturePolicy ::= SEQUENCE {
        signPolicyHashAlg      AlgorithmIdentifier,
        signPolicyInfo         SignPolicyInfo,
        signPolicyHash         SignPolicyHash     OPTIONAL }

SignPolicyHash ::= OCTET STRING

SignPolicyInfo ::= SEQUENCE {
        signPolicyIdentifier            SignPolicyId,
        dateOfIssue                     GeneralizedTime,
        policyIssuerName                PolicyIssuerName,
        fieldOfApplication              FieldOfApplication,
        signatureValidationPolicy       SignatureValidationPolicy,
        signPolExtensions               SignPolExtensions
                                                   OPTIONAL
                                                         }

SignPolicyId ::= OBJECT IDENTIFIER

PolicyIssuerName ::= GeneralNames

FieldOfApplication ::= DirectoryString

   The policyIssuerName field identifies the policy issuer in one or
   more of the general name forms.

   The fieldofApplication is a description of the expected application
   of this policy.

   The signature validation policy rules are fully processable to allow
   the validation of electronic signatures issued under that form of
   signature policy.  They are described in the rest of this section.

   The signPolExtensions is a generic way to extend the definition of
   any sub-component of a signature policy.

3.2  Signature Validation Policy

   The signature validation policy defines for the signer which data
   elements must be present in the electronic signature he provides and
   for the verifier which data elements must be present under that
   signature policy for an electronic signature to be potentially valid.

   The signature validation policy is described as follows:







Ross, et al.                  Experimental                      [Page 6]

RFC 3125             Electronic Signature Policies        September 2001


SignatureValidationPolicy ::= SEQUENCE {
        signingPeriod          SigningPeriod,
        commonRules            CommonRules,
        commitmentRules        CommitmentRules,
        signPolExtensions      SignPolExtensions        OPTIONAL
                                                }

   The signingPeriod identifies the date and time before which the
   signature policy SHOULD NOT be used for creating signatures, and an
   optional date after which it should not be used for creating
   signatures.

SigningPeriod ::= SEQUENCE {
        notBefore       GeneralizedTime,
        notAfter        GeneralizedTime OPTIONAL }

3.3  Common Rules

   The CommonRules define rules that are common to all commitment types.
   These rules are defined in terms of trust conditions for
   certificates, time-stamps and attributes, along with any constraints
   on attributes that may be included in the electronic signature.

CommonRules  ::= SEQUENCE {
        signerAndVeriferRules          [0]  SignerAndVerifierRules
                                                        OPTIONAL,
        signingCertTrustCondition      [1]  SigningCertTrustCondition
                                                        OPTIONAL,
        timeStampTrustCondition        [2]  TimestampTrustCondition
                                                        OPTIONAL,
        attributeTrustCondition        [3]  AttributeTrustCondition
                                                        OPTIONAL,
        algorithmConstraintSet         [4]  AlgorithmConstraintSet
                                                        OPTIONAL,
        signPolExtensions              [5]  SignPolExtensions
                                                         OPTIONAL
                                                       }

   If a field is present in CommonRules then the equivalent field must
   not be present in any of the CommitmentRules (see below).  If any of
   the following fields are not present in CommonRules then it must be
   present in each CommitmentRule:

      *  signerAndVeriferRules;
      *  signingCertTrustCondition;
      *  timeStampTrustCondition.





Ross, et al.                  Experimental                      [Page 7]

RFC 3125             Electronic Signature Policies        September 2001


3.4  Commitment Rules

   The CommitmentRules consists of the validation rules which apply to
   given commitment types:

   CommitmentRules ::= SEQUENCE OF CommitmentRule

   The CommitmentRule for given commitment types are defined in terms of
   trust conditions for certificates, time-stamps and attributes, along
   with any constraints on attributes that may be included in the
   electronic signature.

CommitmentRule  ::= SEQUENCE {
        selCommitmentTypes                  SelectedCommitmentTypes,
        signerAndVeriferRules          [0]  SignerAndVerifierRules
                                                          OPTIONAL,
        signingCertTrustCondition      [1]  SigningCertTrustCondition
                                                          OPTIONAL,
        timeStampTrustCondition        [2]  TimestampTrustCondition
                                                          OPTIONAL,
        attributeTrustCondition        [3]  AttributeTrustCondition
                                                          OPTIONAL,
        algorithmConstraintSet         [4]  AlgorithmConstraintSet
                                                          OPTIONAL,
        signPolExtensions              [5]  SignPolExtensions
                                                          OPTIONAL
                                                       }

SelectedCommitmentTypes ::= SEQUENCE OF CHOICE {
        empty                        NULL,
        recognizedCommitmentType     CommitmentType }


   If the SelectedCommitmentTypes indicates "empty" then this rule
   applied when a commitment type is not present  (i.e., the type of
   commitment is indicated in the semantics of the message).  Otherwise,
   the electronic signature must contain a commitment type indication
   that must fit one of the commitments types that are mentioned in
   CommitmentType.

   A specific commitment type identifier must not appear in more than
   one commitment rule.

CommitmentType ::= SEQUENCE {
        identifier                      CommitmentTypeIdentifier,
        fieldOfApplication      [0] FieldOfApplication OPTIONAL,
        semantics               [1] DirectoryString OPTIONAL }




Ross, et al.                  Experimental                      [Page 8]

RFC 3125             Electronic Signature Policies        September 2001


   The fieldOfApplication and semantics fields define the specific use
   and meaning of the commitment within the overall field of application
   defined for the policy.

3.5  Signer and Verifier Rules

   The following rules apply to the format of electronic signatures
   defined using [ES-FORMATS].

   The SignerAndVerifierRules consists of signer rule and verification
   rules as defined below:

SignerAndVerifierRules ::= SEQUENCE {
        signerRules      SignerRules,
        verifierRules    VerifierRules }

3.5.1  Signer Rules

   The signer rules identify:

      *  if the eContent is empty and the signature is calculated using
         a hash of signed data external to CMS structure.

      *  the CMS signed attributes that must be provided by the signer
         under this policy;

      *  the CMS unsigned attribute that must be provided by the signer
         under this policy;

      *  whether the certificate identifiers from the full certification
         path up to the trust point must be provided by the signer in
         the SigningCertificate attribute;

      *  whether a signer's certificate, or all certificates in the
         certification path to the trust point must be by the signer in
         the *  certificates field of SignedData.

SignerRules ::= SEQUENCE {
        externalSignedData         BOOLEAN      OPTIONAL,
                   -- True if signed data is external to CMS structure
                        -- False if signed data part of CMS structure
                        -- Not present if either allowed
        mandatedSignedAttr         CMSAttrs,
                                 -- Mandated CMS signed attributes
        mandatedUnsignedAttr       CMSAttrs,
                                 -- Mandated CMS unsigned attributed
        mandatedCertificateRef     [0] CertRefReq DEFAULT signerOnly,
                                 -- Mandated Certificate Reference



Ross, et al.                  Experimental                      [Page 9]

RFC 3125             Electronic Signature Policies        September 2001


        mandatedCertificateInfo    [1] CertInfoReq DEFAULT none,
                                 -- Mandated Certificate Info
        signPolExtensions          [2] SignPolExtensions        OPTIONAL
                                                }

CMSattrs ::= SEQUENCE OF OBJECT IDENTIFIER

   The mandated SignedAttr field must include the object identifier for
   all those signed attributes required by this document as well as
   additional attributes required by this policy.

   The mandatedUnsignedAttr field must include the object identifier for
   all those unsigned attributes required by this document as well as
   additional attributes required by this policy.  For example, if a
   signature time-stamp