Certificate profile for certificates issued by Central Signing services



Similar documents
Authentication Context Classes for Levels of Assurance for the Swedish eid Framework

Registry for identifiers assigned by the Swedish e- identification board

SAML V2.0 Asynchronous Single Logout Profile Extension Version 1.0

MACE-Dir SAML Attribute Profiles

OIOIDWS for Healthcare Token Profile for Authentication Tokens

ETSI TS V1.1.1 ( )

Telia hardware based e-legitimation v2. Certification Practice Statement. Revision Date: 10 th June Version: 1.0

Representation of E-documents in AIDA Project

ETSI TS V1.3.2 ( )

ETSI TS V1.4.2 ( ) Technical Specification. Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES)

Signature policy for TUPAS Witnessed Signed Document

Server based signature service. Overview

Certificate Path Validation

OASIS Standard Digital Signature Services (DSS) Assures Authenticity of Data for Web Services

Feide Integration Guide. Technical Requisites

Digital Signature Web Service Interface

Certificate Policies and Certification Practice Statements

SAML 2.0 INT SSO Deployment Profile

ETSI TS V1.1.1 ( )

Service Provisioning Markup Language (SPML) Version 1.0

ETSI TS V1.1.1 ( ) Technical Specification

Internet Engineering Task Force (IETF) Category: Standards Track. R. Gerhards Adiscon GmbH H. Feng Huaweisymantec Technologies October 2010

Chris Smith, Platform Computing Marvin Theimer, Microsoft Glenn Wasson, UVA July 14, 2006 Updated: October 2, 2006

Stefan Santesson Consultant, 3xA Security AB ( Born November 2, 1962 in Malmö, Sweden

Appendix 1 Technical Requirements

2 Transport-level and Message-level Security

Implementation of eidas through Member States Supervisory Bodies

DeviceProtection:1 Service

DIRECTOR GENERAL OF THE LITHUANIAN ARCHIVES DEPARTMENT UNDER THE GOVERNMENT OF THE REPUBLIC OF LITHUANIA

Certificate Management Profile

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Kantara egov and SAML2int comparison

Common definitions and specifications for OMA REST interfaces

FOR A PAPERLESS FUTURE. Petr DOLEJŠÍ Senior Solution Consultant SEFIRA Czech Republic

Long term electronic signatures or documents retention

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

ETSI TS V2.4.1 ( )

PKI - current and future

3GPP TS V8.1.0 ( )

[MS-SAMLPR]: Security Assertion Markup Language (SAML) Proxy Request Signing Protocol Specification

Single Sign On Integration Guide. Document version:

In accordance with article 11 of the Law on Electronic Signature (Official Gazette of the Republic of Serbia No. 135/04), REGULATION

ETSI EN V2.1.1 ( )

2.1 The scope of Time Stamping Protocol (TSP)

ETSI TS V1.1.1 ( ) Technical Specification

ETSI TS V1.1.1 ( ) Technical Specification

Specifying the content and formal specifications of document formats for QES

Digital Signature Verification using Historic Data

[MS-SAMLPR]: Security Assertion Markup Language (SAML) Proxy Request Signing Protocol

Security framework. Guidelines for trust services providers Part 1. Version 1.0 December 2013

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

ATSC Standard: ATSC Security and Service Protection Standard

HbbTV Forum Nederland Specification for use of HbbTV in the Netherlands

ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

PKI and OpenSSL part 1 X.509 from the user s and the client software s point of view

Certificate Policy for OCES personal certificates (Public Certificates for Electronic Services)

Federation Operator Practice (FOP): Metadata Registration Practice Statement

ETSI TR V1.1.1 ( )

AlphaTrust PRONTO Enterprise Platform Product Overview

Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile

Forum of European Supervisory Authorities for Electronic Signatures (FESA) Working Paper on Qualified Certificates for Automatically Signing Systems

Alcatel OmniPCX Enterprise R11 Supported SIP RFCs

Digital Signing without the Headaches

Certificate Policy for OCES Employee Certificates (Public Certificates for Electronic Services) Version 5

Certipost Trust Services. Certificate Policy. for Lightweight Certificates for EUROCONTROL. Version 1.2. Effective date 03 May 2012

PEPPOL Deliverable D1.1 Requirements for Use of Signatures in Public Procurement Processes Part 5: XKMS v2 Interface Specification

E-Signing Functional description

Technical Guideline TR ecard-api-framework ecard-interface. Version 1.1.5

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

XML Advanced Electronic Signatures (XAdES)

Consiglio Nazionale del Notariato

QUOVADIS ROOT CERTIFICATION AUTHORITY CERTIFICATE POLICY/ CERTIFICATION PRACTICE STATEMENT. OIDs:

Shibboleth Architecture

Java Security Web Services Security (Overview) Lecture 9

PKI, Past, Present and Future

Presence SIMPLE Architecture

Version 2.4 of April 25, 2008

XML Digital Signature Implementation Guide

[MS-DVRD]: Device Registration Discovery Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

Transcription:

Certificate profile for certificates issued by Central Signing services ELN-0608-v1.0 Version 1.0 2013-10-30 1 (6)

1 INTRODUCTION 3 1.1 REQUIREMENT KEY WORDS 3 1.2 XML NAME SPACE REFERENCES 3 1.3 STRUCTURE 3 2 CERTIFICATE PROFILE 4 2.1 STANDARDS 4 2.2 QUALIFIED AND PKC CERTIFICATES 4 2.3 CERTIFICATE CONTENT 4 2.3.1 SUBJECT ATTRIBUTES AND NAME FORMS 4 2.3.2 AUTHENTICATION CONTEXT AND ATTRIBUTE MAPPING 4 3 NORMATIVE REFERENCES 6 2 (6)

1 Introduction This document specifies a certificate profile for certificates issued by a signature service within the infrastructure for Svensk E-legitimation. 1.1 Requirement key words The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOM- MENDED, MAY, and OPTIONAL are to be interpreted as described in [RFC2119]. These keywords are capitalized when used to unambiguously specify requirements over protocol features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense. 1.2 XML name space references The prefix saci: stands for the SAML Authentication Context Information XML Schema namespace (http://id.elegnamnden.se/auth-cont/1.0/saci). 1.3 Structure This specification uses the following typographical conventions in text: <Eid2Element>, <ns:foreignelement>, Attribute, Datatype, OtherCode 3 (6)

2 Certificate Profile 2.1 Standards The following standards provides normative requirements for this certificate profile: Standard Function Referens RFC 5280 Main certificate standard [RFC5280] RFC 3739 Main certificate profile for Qualified Certificates [RFC3739] EN 319 412-5 EU profile of RFC 3739 providing defined data structures for issuing [EU-QC] Qualified Certificate in accordance with the EU electronic sig- nature directive [EUSig]. TS 102 280 EU interoperability profile for certificates issued to Natural Persons. [EU-INTEROP] 2.2 Qualified and PKC Certificates This profile supports both Qualified Certificates as well as certificates that are not Qualified Certificates, here named PKC certificates (Public Key Certificates). The same profile requirements apply for both Qualified Certificates and for PKC certificates unless a requirement is explicitly related to only Qualified Certificates. 2.3 Certificate content All certificates SHALL be fully compliant with [RFC5280], [RFC3739] and [EU-INTEROP]. All Qualified Certificates SHALL also be fully compliant with [EU-QC]. Qualified Certificates SHALL implement the Statement regarding location of Policy Disclosure Statements (PDS) as specified in section 5.2.4 of [EU-QC]. 2.3.1 Subject attributes and name forms Subject name attributes and other name forms in the certificate SHALL comply with [RFC3739]. The following specific certificate subject name conventions SHALL be met: Subject data Requirement Swedish personnummer Swedish personnummer obtained from a SAML assertion using the attribute with OID 1.2.752.29.4.13, SHALL be stored in a serialnumber attribute (OID 2.5.4.5) in the subject field. The data SHALL be composed according to [SKV704] Swedish samordningsnummer Swedish samordningsnummer obtained from a SAML assertion using the attribute with OID 1.2.752.29.4.13, SHALL be stored in a serialnumber attribute (OID 2.5.4.5) in the subject field. The data SHALL be composed according to [SKV707]. E-mail address E-mail address, when present, SHALL be stored in a Subject Alternative Name extension as an rfc822name. 2.3.2 Authentication Context and Attribute mapping Certificates MUST include an AuthContextExtension according to [AuthCont]. This extension SHALL include one SAML Authentication Context Information element identified by the XML schema name space identifier: http://id.elegnamnden.se/auth-cont/1.0/saci 4 (6)

The <saci:samlauthcontext> element SHALL contain both an <saci:authcontextinfo> element as well as an <saci:idattributes> element. The <saci:idattributes> element SHALL contain one <saci:attributemapping> element for each subject attribute or other name form that was obtained from a SAML attribute in the SAML assertion used to authenticate the signer as part of the signature creation process. Each <saci:attributemapping> element SHALL provide the <saml:attributevalue> that were obtained from the SAML assertion. 5 (6)

3 Normative References [RFC2119] Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, March 1997. [RFC3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 Public Key Infrastructure: Qualified Certificates Profile", RFC\03739, March 2004. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC\05280, May 2008. [EU-QC] Electronic Signatures and Infrastructures (ESI); Profiles for Trust Service Providers issuing certificates; Part 5: Extension for Qualified Certificate profile, ETSI TS 319 412-5 V1.1.1, Jan 2013. [EU-INTEROP] X.509 V.3 Certificate Profile for Certificates Issued to Natural Persons, ETSI TS 102 280 V1.1.1, March 2004. [AuthCont] Authentication Context Certificate Extension (http://tools.ietf.org/html/draft-santesson-auth-contextextension) [SKV704] Skatteverket, SKV 704 utgåva 8, Personnummer, September 2007. [SKV707] Skatteverket, SKV 707 utgåva 2, Samordningsnummer, October 2006. 6 (6)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information