CAdES (computing)

Last updated April 23, 2023

CAdES (CMS Advanced Electronic Signatures) is a set of extensions to Cryptographic Message Syntax (CMS) signed data making it suitable for advanced electronic signatures.^[1]

Description

CMS is a general framework for electronic signatures for various kinds of transactions like purchase requisition, contracts or invoices.^[2] CAdES specifies precise profiles of CMS signed data making it compliant with the European eIDAS regulation (Regulation on electronic identification and trust services for electronic transactions in the internal market). The eIDAS regulation enhances and repeals the Electronic Signatures Directive 1999/93/EC.^[3]^[4] EIDAS is legally binding in all EU member states since July 2014. An electronic signature that has been created in compliance with eIDAS has the same legal value as a handwritten signature.^[3]

An electronic signature, technically implemented based on CAdES has the status of an advanced electronic signature.^[2] This means that

it is uniquely linked to the signatory;
it is capable of identifying the signatory;
only the signatory has control of the data used for the signature creation;
it can be identified if data attached to the signature has been changed after signing.

A resulting property of CAdES is that electronically signed documents can remain valid for long periods, even if the signer or verifying party later attempts to deny the validity of the signature.

A CAdES-based electronic signature is accepted in a court proceeding as evidence; as advanced electronic signatures are legally binding.^[5] But it gets higher probative value when enhanced to a qualified electronic signature. To receive that legal standing, it needs to be doted with a digital certificate, encrypted by a security signature creation device ("qualified electronic signature").^[4]^[6] The authorship of a statement with a qualified electronic signature cannot be challenged - the statement is non-repudiable.

The document ETSI TS 101 733 Electronic Signature and Infrastructure (ESI) – CMS Advanced Electronic Signature (CAdES) describes the framework.^[2]

Evolution of the framework

The main document describing the format is ETSI TS 101 733 Electronic Signature and Infrastructure (ESI) – CMS Advanced Electronic Signature (CAdES).

The ETSI TS 101 733 was first issued as V1.2.2 (2000–12). The current release version has the release number V2.2.1 (2013-04). ETSI is working on a new draft of CAdES. All drafts and released documents are publicly accessible at .

The ETSI TS V.1.7.4 (2008-07) is technically equivalent to RFC 5126. RFC 5126 document builds on existing standards that are widely adopted. These include:

RFC 3852 : "Cryptographic Message Syntax (CMS)"
ISO/IEC 9594-8/ITU-T Recommendation X.509 "Information technology - Open Systems Interconnection - The Directory: Authentication framework"
RFC 3280 "Internet X.509 Public Key Infrastructure (PKIX) Certificate and Certificate Revocation List (CRL) Profile"
RFC 3161 "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)".

Profiles

ETSI "TS 101 733" specifies formats for Advanced Electronic Signatures built on CMS (CAdES). It defines a number of signed and unsigned optional signature properties, resulting in support for a number of variations in the signature contents and processing requirements.

In order to maximize interoperability in communities applying CAdES to particular environments it was necessary to identify a common set of options that are appropriate to that environment. Such a selection is commonly called a profile.

ETSI "TS 103 173" ^[7] describes profiles for CAdES signatures, in particular their use in the context of the EU Services Directive, "Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market".

There are four profiles available:

CAdES-B: Basic Electronic Signature, the simplest version, containing the SignedInfo, SignatureValue, KeyInfo and SignedProperties. This level combines the old -BES and -EPES levels. This form extends the definition of an electronic signature to conform to the identified signature policy
CAdES-T: B-Level for which a Trust Service Provider has generated a trusted token (time-mark or time-stamp token) proving that the signature itself actually existed at a certain date and time.
CAdES-LT: are built by direct incorporation to CAdES-T signatures conformant to the T-Level, a long-term-validation attribute containing values of certificates and values of certificate revocation status used to validate the signature.
CAdES-LTA: a signature conformant to LT-Level to which one or more long-term-validation attribute with a poeValue has been incorporated. By using periodical timestamping (e.g. each year) it is prevented the compromising of the signature due to weakening algorithms during long time storage periods. This level is equivalent to the old -A level

Related Research Articles

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created by a known sender (authenticity), and that the message was not altered in transit (integrity).

The Cryptographic Message Syntax (CMS) is the IETF's standard for cryptographically protected messages. It can be used by cryptographic schemes and protocols to digitally sign, digest, authenticate or encrypt any form of digital data.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 3369, 3370, 3850 and 3851. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

An electronic signature, or e-signature, is data that is logically associated with other data and which is used by the signatory to sign the associated data. This type of signature has the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation under which it was created.

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card on a mobile phone.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

XAdES is a set of extensions to XML-DSig recommendation making it suitable for advanced electronic signatures. W3C and ETSI maintain and update XAdES together.

Digital Signature Services (DSS) is an OASIS standard.

Trusted timestamping is the process of securely keeping track of the creation and modification time of a document. Security here means that no one—not even the owner of the document—should be able to change it once it has been recorded provided that the timestamper's integrity is never compromised.

PAdES is a set of restrictions and extensions to PDF and ISO 32000-1 making it suitable for advanced electronic signatures. This is published by ETSI as EN 319 142.

ARX is a digital security company headquartered in San Francisco, CA, with offices in the UK, the Netherlands, Australia and Israel. It is the creator of CoSign by ARX, a digital signature technology, along with related digital signature security technology products. ARX was acquired by DocuSign in May 2015. The acquisition builds on a three-year business partnership between DocuSign and ARX, bringing together ARX's CoSign digital signature technology with DocuSign's Digital Transaction Management (DTM) platform and broadens The DocuSign Global Trust Network.

eIDAS is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014 of 23 July 2014 on electronic identification and repeals 1999/93/EC from 13 December 1999.

An advanced electronic signature (AdES) is an electronic signature that has met the requirements set forth under EU Regulation No 910/2014 (eIDAS-regulation) on electronic identification and trust services for electronic transactions in the European Single Market.

ZertES is a Swiss Federal law that regulates the conditions under which trust service providers may use certification services with electronic signatures. Additionally, this law provides a framework that outlines the provider’s obligations and rights as they apply to providing their certification services.

A qualified electronic signature is an electronic signature that is compliant with EU Regulation No 910/2014 for electronic transactions within the internal European market. It enables to verify the authorship of a declaration in electronic data exchange over long periods of time. Qualified electronic signatures can be considered as a digital equivalent to handwritten signatures.

A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. Trust service providers are qualified certificate authorities required in the European Union and in Switzerland in the context of regulated electronic signing procedures.

In the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a trust service provider which has government-issued qualifications. The certificate is designed to ensure the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data.

A secure signature creation device (SSCD) is a specific type of computer hardware or software that is used in creating an electronic signature. To be put into service as a secure signature creation device, the device must meet the rigorous requirements laid out under Annex II of Regulation (EU) No 910/2014 (eIDAS), where it is referred to as a qualified (electronic) signature creation device (QSCD). Using secure signature creation devices helps in facilitating online business processes that save time and money with transactions made within the public and private sectors.

Associated Signature Containers (ASiC) specifies the use of container structures to bind together one or more signed objects with either advanced electronic signatures or timestamp tokens into one single digital container.

An electronic seal is a piece of data attached to an electronic document or other data, which ensures data origin and integrity. The term is used in the EU Regulation No 910/2014 for electronic transactions within the internal European market.

References

↑ Turner, Dawn M. "INTRODUCTION INTO CADES FOR TRUST SERVICE PROVIDERS". Cryptomathic. Retrieved 1 March 2016.
1 2 3 European Telecommunications Standards Institute. "Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES) v. 4/2013" (PDF). ETSI.
1 2 Turner, Dawn M. "EIDAS FROM DIRECTIVE TO REGULATION - LEGAL ASPECTS". Cryptomathic. Retrieved 1 March 2016.
1 2 THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION. "REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014". Official Journal of the European Union. Retrieved 1 March 2016.
↑ Turner, Dawn M. "UNDERSTANDING THE MAJOR TERMS AROUND DIGITAL SIGNATURES". Cryptomathic. Retrieved 1 March 2016.
↑ Dept. for Business Innovation & Skills. "Electronic Signatures" (PDF). Government of the United Kingdom.{{cite web}}: |last1= has generic name (help)
↑ "ETSI TS 103 173" (PDF).

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[DawnCAdES-1] Turner, Dawn M. "INTRODUCTION INTO CADES FOR TRUST SERVICE PROVIDERS". Cryptomathic. Retrieved 1 March 2016.

[ETSI-CAdES-2] 1 2 3 European Telecommunications Standards Institute. "Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES) v. 4/2013" (PDF). ETSI.

[DawnEIDAS-legal-aspects-3] 1 2 Turner, Dawn M. "EIDAS FROM DIRECTIVE TO REGULATION - LEGAL ASPECTS". Cryptomathic. Retrieved 1 March 2016.

[EU-EIDAS-Regulation-4] 1 2 THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION. "REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014". Official Journal of the European Union. Retrieved 1 March 2016.

[Understanding_EIDAS_Dawn-5] Turner, Dawn M. "UNDERSTANDING THE MAJOR TERMS AROUND DIGITAL SIGNATURES". Cryptomathic. Retrieved 1 March 2016.

[ElecSig_UK_Gov-6] Dept. for Business Innovation & Skills. "Electronic Signatures" (PDF). Government of the United Kingdom.{{cite web}}: |last1= has generic name (help)

[7] "ETSI TS 103 173" (PDF).

[1]

[2]

[3]

[4]

[5]

[6]

[7]