ETSI TS 119 432 V1.1.1 (2019-03)

TECHNICAL SPECIFICATION
Electronic Signatures and Infrastructures (ESI);
Protocols for remote digital signature creation


2 ETSI TS 119 432 V1.1.1 (2019-03)

Reference
DTS/ESI-0019432
Keywords
electronic signature, protocol, remote, security,
trust services
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2019.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners. ®
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
3 ETSI TS 119 432 V1.1.1 (2019-03)
Contents
Intellectual Property Rights . 7
Foreword . 7
Modal verbs terminology . 7
Introduction . 7
1 Scope . 8
2 References . 8
2.1 Normative references . 8
2.2 Informative references . 9
3 Definition of terms, symbols and abbreviations . 10
3.1 Terms . 10
3.2 Symbols . 11
3.3 Abbreviations . 11
4 Signature creation process, service decomposition . 12
4.1 Signature creation process steps and data elements . 12
4.2 Service main components and interfaces . 13
4.3 Signature Creation Application . 14
4.3.1 Signer's document and hashing . 14
4.3.2 DTBS composition and formatting . 14
4.3.3 DTBS preparation . 14
4.3.4 SDO composer . 14
4.4 Server Signing Application . 15
4.4.1 Signature creation . 15
4.4.1.1 Introduction . 15
4.4.1.2 Signature activation . 15
4.4.1.3 Signature creation by SCDev . 15
5 Architectures for server signing . 16
5.1 Overview . 16
5.2 Introduction to architectures . 16
5.3 Remote signing services with SCAL1 . 16
5.4 Remote signing services with SCAL2 . 18
5.5 Security, integrity and confidentiality . 20
6 Protocol profiles specification . 20
6.1 Introduction . 20
6.2 OASIS DSS-X XML related protocol . 20
6.3 CSC JSON related protocol . 21
7 Protocol components definitions . 21
7.1 Introduction . 21
7.2 Component for asynchronous/synchronous operation mode selection . 21
7.2.1 Component semantics . 21
7.2.2 JSON related component . 22
7.2.3 XML related component . 22
7.2.4 Processing model . 22
7.3 Component for identification of the request . 23
7.3.1 Component semantics . 23
7.3.2 JSON related component . 23
7.3.3 XML related component . 23
7.4 Component for credential authorization . 23
7.4.1 Component semantics . 23
7.4.2 JSON related component . 23
7.4.3 XML related component . 24
7.5 Component for defining optional data to be returned . 24
7.5.1 Component semantics . 24
ETSI
4 ETSI TS 119 432 V1.1.1 (2019-03)
7.5.2 JSON related component . 25
7.5.3 XML related component . 25
7.5.4 Processing model . 25
7.6 Component for defining the validity period for asynchronous requests . 26
7.6.1 Component semantics . 26
7.6.2 JSON related component . 26
7.6.3 XML related component . 26
7.6.4 Processing model . 26
7.7 Component for the client application authentication . 26
7.7.1 Component semantics . 26
7.7.2 JSON related component . 26
7.7.3 XML related component . 27
7.8 Component for identifying signature credentials . 27
7.8.1 Component semantics . 27
7.8.2 JSON related component . 27
7.8.3 XML related component . 27
7.9 Component for language selection . 27
7.9.1 Component semantics . 27
7.9.2 JSON related component . 27
7.9.3 XML related component . 28
7.10 Component for specifying the contents from certificate info to be returned . 28
7.10.1 Component semantics . 28
7.10.2 JSON related component . 28
7.10.3 XML related component . 28
7.10.4 Processing model . 29
7.11 Component for managing digital signatures transactions . 29
7.11.1 Component semantics . 29
7.11.2 JSON related component . 29
7.11.3 XML related component . 30
7.11.4 Processing model . 30
7.12 Component for service policy selection . 30
7.12.1 Component semantics . 30
7.12.2 JSON related component . 30
7.12.3 XML related component . 30
7.13 Component for signature creation policy selection . 31
7.13.1 Component semantics . 31
7.13.2 JSON related component . 31
7.13.3 XML related component . 31
7.14 Component for optional signature attributes/properties selection . 32
7.14.1 Component semantics . 32
7.14.2 JSON related component . 33
7.14.3 XML related component . 33
7.14.4 Processing model . 33
7.15 Component for protocol identifier . 34
7.15.1 Component semantics . 34
7.15.2 JSON related component . 34
7.15.3 XML related component . 34
7.16 Component for requesting specific signature formats . 34
7.16.1 Component semantics . 34
7.16.2 JSON related component . 35
7.16.3 XML related component . 36
7.17 Component for signer identification . 37
7.17.1 Component semantics . 37
7.17.2 JSON related component . 37
7.17.3 XML related component . 37
7.18 Component for specifying response URL . 37
7.18.1 Component semantics . 37
7.18.2 JSON related component . 37
7.18.3 XML related component . 38
7.18.4 Processing model . 38
7.19 Component for submitting document(s) or hash(es) to be signed . 38
7.19.1 Component semantics . 38
ETSI
5 ETSI TS 119 432 V1.1.1 (2019-03)
7.19.2 JSON related component . 39
7.19.3 XML related component . 39
7.20 Component for returning service information . 39
7.20.1 Component semantic. 39
7.20.2 JSON related component . 40
7.20.3 XML related component . 41
7.21 Component for returning signed documents or signatures . 42
7.21.1 Component semantics . 42
7.21.2 JSON related component . 42
7.21.3 XML related component . 42
7.22 Component for returning signing credential information . 42
7.22.1 Component semantics . 42
7.22.2 JSON related component . 43
7.22.3 XML related component . 45
7.23 Component for returning the list of the signing certificate(s) . 46
7.23.1 Component semantics . 46
7.23.2 JSON related component . 46
7.23.3 XML related component . 46
7.24 Component for notifying operation result(s) . 46
7.24.1 Component semantics . 46
7.24.2 JSON related component . 46
7.24.3 XML related component . 47
7.25 Component for service policy identification . 47
7.25.1 Component semantics . 47
7.25.2 JSON related component . 47
7.25.3 XML related component . 47
7.26 Component for identification of the response . 47
7.26.1 Component semantics . 47
7.26.2 JSON related component . 48
7.26.3 XML related component . 48
7.27 Component for signature creation policy identification . 48
7.27.1 Component semantics . 48
7.27.2 JSON related component . 48
7.27.3 XML related component . 49
7.28 Component for returning credential authorization mode . 49
7.28.1 Component semantics . 49
7.28.2 JSON related component . 49
7.28.3 XML related component . 49
7.29 Component for returning digital signature value(s) . 50
7.29.1 Component semantics . 50
7.29.2 JSON related component . 50
7.29.3 XML related component . 50
7.30 Component for returning sole control assurance level required . 50
7.30.1 Component semantics . 50
7.30.2 JSON related component . 51
7.30.3 XML related component . 51
8 Remote signature creation messages . 51
8.1 Introduction . 51
8.2 AdES signatures creation messages . 52
8.2.1 Request message (A) . 52
8.2.1.1 Component for requesting AdES signatures creation . 52
8.2.1.2 JSON related component . 53
8.2.1.3 XML related component . 53
8.2.2 Response message (B) . 53
8.2.2.1 Component for responding to AdES signatures creation requests . 53
8.2.2.2 JSON related component . 54
8.2.2.3 XML related component . 54
8.3 DSVs creation messages . 54
8.3.1 Request message (C) . 54
8.3.1.1 Component for requesting DSVs creation . 54
8.3.1.2 JSON related component . 55
ETSI
6 ETSI TS 119 432 V1.1.1 (2019-03)
8.3.1.3 XML related component . 55
8.3.2 Response message (D) . 55
8.3.2.1 Component for responding to DSVs creation requests . 55
8.3.2.2 JSON related component . 56
8.3.2.3 XML related component . 56
8.4 Messages for asynchronous processing (E) . 56
8.4.1 Component for managing pending-requests . 56
8.4.2 JSON related component . 57
8.4.3 XML related component . 57
8.5 Signing certificates list messages . 57
8.5.1 Request message (F) . 57
8.5.1.1 Component for requesting signing certificates list . 57
8.5.1.2 JSON related component . 58
8.5.1.3 XML related component . 58
8.5.2 Response message (G) . 58
8.5.2.1 Component for responding to certificates list requests . 58
8.5.2.2 JSON related component . 59
8.5.2.3 XML related component . 59
8.6 Credential information retrieval messages . 59
8.6.1 Request message (H) . 59
8.6.1.1 Component for requesting credential information . 59
8.6.1.2 JSON related component . 60
8.6.1.3 XML related component . 60
8.6.2 Response message (I). 60
8.6.2.1 Component for responding to credential information requests . 60
8.6.2.2 JSON related component . 61
8.6.2.3 XML related component . 61
8.7 Service information messages (J) . 61
8.7.1 Request message (J) . 61
8.7.1.1 Component for requesting service information . 61
8.7.1.2 JSON related component . 61
8.7.1.3 XML related component . 61
8.7.2 Response message (K) . 62
8.7.2.1 Component for responding to service information requests . 62
8.7.2.2 JSON related component . 62
8.7.2.3 XML related component . 62
8.8 Component use summary . 62
Annex A (normative): XML and JSON Schema files . 64
A.1 JSON Schema file location for "$schema" "http://uri.etsi.org/19432/v1.1.1/json#" . 64
A.2 XML Schema file location for namespace http://uri.etsi.org/19432/v1.1.1# . 64
Annex B (informative): OpenAPI description file . 65
Annex C (informative): Bibliography . 66
History . 67

ETSI
7 ETSI TS 119 432 V1.1.1 (2019-03)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and
Infrastructures (ESI).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
Standards for digital signatures have generally been developed for a long time considering solutions tailored to the
characteristics of devices such as desktop computers and laptops where all signature processing was done in one system
locally to the user. These traditional signature solutions assume that the signer uses smart cards or tokens to create any
required digital signatures. Given developments in distributed systems, cloud computing, mobile equipment and related
technologies, solutions have been emerging in the last few years where the process of digital signature creation and
construction of AdES format is done in a distributed way with different steps of the process carried out by different
systems/services that may be controlled by different actors.
The present document specifies protocols and interfaces for components providing specific functionalities as part of a
process for remote digital signatures creation and construction of AdES formats. The present document aims at
supporting electronic signatures and electronic seals, including qualified electronic signatures and qualified electronic
seals according to the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on
electronic identification and trust services for electronic transactions in the internal market and repealing Directive
1999/93/EC [i.1] (the eIDAS Regulation).
ETSI
8 ETSI TS 119 432 V1.1.1 (2019-03)
1 Scope
The present document specifies protocols and interfaces applicable when the process of creating AdES digital
signatures as defined by ETSI TS 119 102-1 [i.7] and/or digital signature values, as result of Data To Be Signed
Representations signatures, is carried out by a distributed solution comprised of two or more
systems/services/components.
The present document is limited to remote server signing, i.e. the signing key is held in a remote shared service.
NOTE: Remote signature creation with local signing, i.e. the signing key is held with the signer's personal device
but other steps in the signature creation are carried out by means of networked services, is a possible
solution but protocols for such architecture are not covered in the present document.
Finally, the present document specifies two bindings, each one in a different syntax (XML and JSON), for each of the
protocols mentioned above.
As far as it has been possible and suitable, the protocols have re-used constructs of CSC JSON and OASIS DSS-X
XML specifications. When this has not been possible the present document specifies new components semantically and
also syntactically in the two formats: XML and JSON.
The authorized signer's use of its key for signing requires users to provide multiple proofs of their claimed identity
before being granted access to the needed set of resources. The way in which the user identity verification process is
carried out by the service provider or any suggestion concerning the usage of multi-factor authentication mechanisms is
out of the scope of the present document.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] Cloud Signature Consortium Standard (Version 1.0.3.0): "Architectures and protocols for remote
signature applications".
NOTE: Available at https://cloudsignatureconsortium.org/wp-
content/uploads/2019/02/CSC_API_V1_1.0.3.0.pdf.
[2] OASIS Standard: "Digital Signature Service Core Protocols, Elements, and Bindings Version 2.0",
Committee Specification Draft 03 / Public Review Draft 03.
NOTE: Available at https://www.oasis-open.org/committees/download.php/64707/dss-core-v2.0-wd12-package-
for-CSD03-PRD01.zip.
[3] OASIS Standard: "Advanced Electronic Signature Profiles of the OASIS Digital Signature Service
Version 2.0", Working Draft 02.
NOTE: Available at https://www.oasis-open.org/committees/download.php/63125/oasis-dssx-2.0-profiles-
ades%20WD%2002.docx.
[4] IETF RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation
List (CRL) Profile".
ETSI
9 ETSI TS 119 432 V1.1.1 (2019-03)
[5] OASIS Standard: "Asynchronous Processing Abstract Profile of the OASIS Digital Signature
Services Version 1.0".
NOTE: Available at https://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-asynchronous_processing-spec-cs-
v1.0-r1.pdf.
[6] CEN EN 419 241-1: "Trustworthy Systems Supporting Server Signing - Part 1: General System
Security Requirements".
[7] IETF RFC 5646: "Tags for Identifying Languages".
[8] IETF RFC 4514: "Lightweight Directory Access Protocol (LDAP): String Representation of
Distinguished Names".
[9] IETF RFC 3061: "A URN Namespace of Objects Identifiers".
[10] IETF RFC 7468: "Textual Encodings of PKIX, PKCS, and CMS Structures".
[11] ETSI EN 319 122-1: "Electronic Signatures and Infrastructures (ESI); CAdES digital signatures;
Part 1: Building blocks and CAdES baseline signatures".
[12] ETSI EN 319 132-1: "Electronic Signatures and Infrastructures (ESI); XAdES digital signatures;
Part 1: Building blocks and XAdES baseline signatures".
[13] ETSI EN 319 142-1: "Electronic Signatures and Infrastructures (ESI); PAdES digital signatures;
Part 1: Building blocks and PAdES baseline signatures".
[14] ISO 3166-1: "Codes for the representation of names of countries and their subdivisions -- Part 1:
Country codes".
2.2 Infor
...