Associated Signature Containers

Associated Signature Containers (ASiC) specifies the use of container structures to bind together one or more signed objects with either advanced electronic signatures or timestamp tokens into one single digital container.[1]

Regulatory context

Under the eIDAS-regulation,[2] an associated signature container (ASiC) for eIDAS is a data container that is used to hold a group of file objects and  digital signatures and/or time assertions that are associated to those objects. This data is stored in the ASiC in a ZIP format. ASiCs have been standardized since April 2016 by the European Telecommunications Standards Institute in the standard Associated Signature Containers (ASiC)(ETSI EN 319 162-1 V1.1.1 (2016-04).[3][4]

Structure

The internal structure of an ASiC includes two folders:

Such an electronic signature file would contain a single CAdES object or one or more XAdES signatures. A time assertion file would either contain a one timestamp token that will conform to IETF RFC 3161,[5] whereas a single evidence record would conform to IETF RFC 4998[6] or IETF RFC6283.[7][1][3]

How ASiC is Used?

One of the purposes of an electronic signature is to secure the data that it is attached to it from being modified. This can be done by creating a data set that combines the signature with its signed data or to store the detached signature to a separate resource and then utilize an external process to re-associate the signature with its data. It can be advantageous to use detached signatures because it prevents unauthorized modifications to the original data objects. However, by doing this, there is the risk that the detached signature will become separated from its associated data. If this were to happen, the association would be lost and therefore, the data would be become inaccessible.[1]

Types of ASiC Containers

Using the correct tool for each job is always important. Using the correct type of ASiC container for the job at hand is also important:[1]

ASiC Simple (ASiC-S)

With this container, a single file object is associated with a signature or time assertion file. A “mimetype” file that specifies the media type might also be included in this container. When a mimetype file is included, it is required to be the first file in the ASiC container. This container type will allow additional signatures to be added in the future to be used to sign stored file objects. When long term time-stamp tokens are used, ASiC Archive Manifest files are used to protect long term time-stamp tokens from tampering.[3][1]

ASiC Extended (ASiC-E)

This type of contain can hold one or more signature or time assertion files. ASiC-E with XAdES deals with signature files, while ASiC-E with CAdES deals with time assertions. The files within these ASiC containers apply to their own file object sets. Each file object might have additional metadata or information that is associated with it that can also be protected by the signature. An ASiC-E container could be designed to prevent this modification or allow its inclusion without causing damage to previous signatures.

Both of these ASiC containers are capable of maintaining long term availability and integrity when storing XAdES or CAdES signatures through the use of time-stamp tokens or evidence record manifest files that are contained within the containers. ASiC containers must comply with the ZIP specification and limitations that are applied to ZIP.[3][1]

ASiC-S Time Assertion Additional Container

This container operates under the baseline requirements of the ASiC Simple (ASiC-S) container but it also provides additional time assertion requirements. Additional elements may be within its META-INF folder and requires the use of “SignedData” variable to include certificate and revocation information.[1][4]

ASiC-E CAdES Additional Container

This container has the same baselines as an ASiC-E container, but with additional restrictions.[1][4]

ASiC-E Time Assertion Additional Container

This container complies with ASiC-E baseline requirements along with additional requirements and restrictions.[1][4]

Reduced Risk of Loss of Electronic Signature

The use of ASiC reduces the risk of an electronic signature becoming separated from its data by combining the signature and its signed data in a container. With both elements secured within an ASiC, it is easier to distribute a signature and guarantee that the correct signature and its metadata is being used during validation. This process can also be used when associating time assertions, including evidence records or time-stamp tokens to their associated data.[1]

References

  1. 1 2 3 4 5 6 7 8 9 10 Turner, Dawn M. "ASiC - Associated Signature Containers for eIDAS". Cryptomathic. Retrieved 13 June 2017.
  2. "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.
  3. 1 2 3 4 "Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC); Part 1: Building blocks and ASiC baseline containers (ETSI EN 319 162-1 V1.1.1 (2016-04)" (PDF). European Telecommunications Standards Institute.
  4. 1 2 3 4 "Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC); Part 2: Additional ASiC containers (ETSI EN 319 162-2 V1.1.1 (2016-04)" (PDF). European Telecommunications Standards Institute.
  5. Adams, C.; Cain, P.; Pinkas, D.; Zuccherato, R. "Internet X.509 Public Key Infrastructure - Time-Stamp Protocol (TSP)". Network Working Group. Retrieved 13 June 2017.
  6. Gondrom, T.; Brander, R.; Pordesch, U. "Evidence Record Syntax (ERS)". Network Working Group. Retrieved 13 June 2017.
  7. Jerman Blazic, A.; Saljic, S.; Gondrom, T. "Extensible Markup Language Evidence Record Syntax (XMLERS)". Internet Engineering Task Force (IETF). Retrieved 13 June 2017.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.