
I am reading ETSI EN 319 102-1 V1.1.1 (2016-05) Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation.

The signature validation procedures and requirements are clear in section 5. However, there are many references to validation according to a "Signature Validation Policy", which should also be included in the validation report.

I was searching for what this means and came across the "QES AdESQC TL based" signature validation policy. There are many examples that have this policy in the validation report.

Where are the signature validation policies defined? Where can I find the relevant information about them? It seems that QES AdESQC TL based is something standard, but I am not able to find the real definition of the policy.

I am not sure if the signature validation policy can be defined, for example, as an XML file with the conditions for how to validate a signature or seal, which can be understood by an application.

All sample validation reports refer to it, e.g.:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SimpleReport xmlns="http://dss.esig.europa.eu/validation/simple-report">
    <Policy>
        <PolicyName>QES AdESQC TL based</PolicyName>
        <PolicyDescription>Validate electronic signatures and indicates whether they are Advanced electronic Signatures (AdES), AdES supported by a Qualified Certificate (AdES/QC) or a
        Qualified electronic Signature (QES). All certificates and their related chains supporting the signatures are validated against the EU Member State Trusted Lists (this includes
        signer's certificate and certificates used to validate certificate validity status services - CRLs, OCSP, and time-stamps).
    </PolicyDescription>
    </Policy>
    <ValidationTime>20/01/2016 08:06:05.002</ValidationTime>
    <DocumentName>PAdES_B_PVDB-extended_LTA.pdf</DocumentName>
    <ValidSignaturesCount>1</ValidSignaturesCount>
    <SignaturesCount>1</SignaturesCount>
    <Signature Id="id-30b3acd8c4fe0ced13b26ed2e6574d91e2e77b19e06a42b6c513a0b046b4561b" SignatureFormat="PAdES_BASELINE_LTA">
        <SigningTime>30/07/2015 13:49:14.000</SigningTime>
        <SignedBy>Pierrick Vandenbroucke (Signature)</SignedBy>
        <Indication>TOTAL_PASSED</Indication>
        <SignatureLevel>AdESqc</SignatureLevel>
    </Signature>
</SimpleReport>
user1563721

1 Answer


The "QES AdESQC TL based" policy is the default policy used if none are specified. You can find that default policy in the DSS library under "source/main/resources/constraint.xml" in the dss-policy-jaxb library.

It looks like the default policy follows the recommendations as defined by the ETSI regarding digest and encryption algorithm expiration dates, which is probably best practice if you are doing anything with signing for official instances. This file can also be used as a template to create your own policy if required.

Sleepkever
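
Because the policy name travels inside the report, a relying application can check which policy produced a result before trusting its Indication. The following is an added example, not part of the question or answer above and not code from the DSS project: it parses the SimpleReport format shown in the question and rejects reports whose policy, indication or signature level is not the one the caller expects. The function name `check_report`, the trimmed sample report and the accepted-level set are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"r": "http://dss.esig.europa.eu/validation/simple-report"}

# Constructed sample, trimmed from the report format shown in the question.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SimpleReport xmlns="http://dss.esig.europa.eu/validation/simple-report">
    <Policy><PolicyName>QES AdESQC TL based</PolicyName></Policy>
    <ValidSignaturesCount>1</ValidSignaturesCount>
    <SignaturesCount>1</SignaturesCount>
    <Signature Id="id-constructed-1" SignatureFormat="PAdES_BASELINE_LTA">
        <Indication>TOTAL_PASSED</Indication>
        <SignatureLevel>AdESqc</SignatureLevel>
    </Signature>
</SimpleReport>"""


def _text(node, path):
    """Text of a child element in the report namespace, '' if absent."""
    return (node.findtext(path, default="", namespaces=NS) or "").strip()


def check_report(xml_text, expected_policy, accepted_levels):
    """Return a list of problems; an empty list means the report is acceptable."""
    # Reports never need a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["report contains a DTD; refusing to parse"]
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems = []

    policy = _text(root, "r:Policy/r:PolicyName")
    if policy != expected_policy:
        problems.append(f"policy {policy!r} is not the expected {expected_policy!r}")

    signatures = root.findall("r:Signature", NS)
    if _text(root, "r:SignaturesCount") != str(len(signatures)) or not signatures:
        problems.append("SignaturesCount does not match the signatures present")

    for sig in signatures:
        sig_id = sig.get("Id", "?")
        if _text(sig, "r:Indication") != "TOTAL_PASSED":
            problems.append(f"{sig_id}: indication is {_text(sig, 'r:Indication')!r}")
        if _text(sig, "r:SignatureLevel") not in accepted_levels:
            problems.append(f"{sig_id}: level {_text(sig, 'r:SignatureLevel')!r} not accepted")
    return problems
```

The report is not itself authenticated, so this check only makes sense on a report produced by a validator you run or otherwise trust.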