Information technology - Specification of DRM technology for digital publications - Part 2: User key-based protection

This document defines a technical solution for encrypting resources in digital publications (especially EPUB) and for securely delivering decryption keys to reading systems, included in licenses tailored to specific users. It also defines a simple passphrase-based authentication method for reading systems to verify the license and access the encrypted resources of such digital publications.

Technologies de l'information — Spécification de la technologie de gestion des droits numériques (DRM) pour les publications numériques — Partie 2: Protection par clé utilisateur

General Information

Status
Withdrawn
Publication Date
13-Sep-2020
Current Stage
9599 - Withdrawal of International Standard
Start Date
07-Jun-2024
Completion Date
30-Oct-2025

Technical specification
ISO/IEC TS 23078-2:2020 - Information technology — Specification of DRM technology for digital publications — Part 2: User key-based protection Released: 14.09.2020
English language
36 pages

Frequently Asked Questions

ISO/IEC TS 23078-2:2020 is a technical specification published by the International Organization for Standardization (ISO). Its full title is "Information technology - Specification of DRM technology for digital publications - Part 2: User key-based protection". This standard covers: This document defines a technical solution for encrypting resources in digital publications (especially EPUB) and for securely delivering decryption keys to reading systems, included in licenses tailored to specific users. It also defines a simple passphrase-based authentication method for reading systems to verify the license and access the encrypted resources of such digital publications.

ISO/IEC TS 23078-2:2020 is classified under the following ICS (International Classification for Standards) categories: 35.240.30 - IT applications in information, documentation and publishing. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC TS 23078-2:2020 has the following relationships with other standards: it has inter-standard links to ISO/IEC 23078-2:2024. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


TECHNICAL SPECIFICATION
ISO/IEC TS 23078-2
First edition
2020-09
Information technology — Specification of DRM technology for digital publications —
Part 2: User key-based protection
Reference number
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Overview
5.1 General
5.2 Protecting the publication
5.3 Licensing the publication
5.4 Reading the publication
6 License document
6.1 General
6.2 Content conformance
6.3 License information
6.3.1 General
6.3.2 Encryption (transmitting keys)
6.3.3 Links (pointing to external resources)
6.3.4 Rights (identifying rights and restrictions)
6.3.5 User (identifying the user)
6.3.6 Signature (signing the license)
6.4 User key
6.4.1 General
6.4.2 Calculating the user key
6.4.3 Hints
6.4.4 Requirements for the user key and user passphrase
6.5 Signature and public key infrastructure
6.5.1 General
6.5.2 Certificates
6.5.3 Canonical form of the license document
6.5.4 Generating the signature
6.5.5 Validating the certificate and signature
7 License status document
7.1 General
7.2 Content conformance
7.3 License status information
7.3.1 General
7.3.2 Status
7.3.3 Updated (timestamps)
7.3.4 Links
7.3.5 Potential rights
7.3.6 Events
7.4 Interactions
7.4.1 General
7.4.2 Handling errors
7.4.3 Checking the status of a license
7.4.4 Registering a device
7.4.5 Returning a publication
7.4.6 Renewing a license
8 Encryption profile
8.1 General
8.2 Encryption profile requirements
8.3 Basic encryption profile 1.0
9 Integration in EPUB
9.1 General
9.2 Encrypted resources
9.3 Using META-INF/encryption.xml for LCP
10 Reading system behavior
10.1 Detecting LCP protected publication
10.2 License document processing
10.2.1 Overall
10.2.2 Validating the license document
10.2.3 Acquiring the publication
10.2.4 License status processing
10.3 User key processing
10.4 Signature processing
10.5 Publication processing
Annex A (informative) Examples
Annex B (informative) Use case scenarios for library lending model
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 34, Document description and processing languages.
A list of all parts in the ISO/IEC TS 23078 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Ever since ebooks have grown in popularity, copyright protection has been an important issue for
authors and publishers.
While the distribution of ebooks around the world is mostly based on the open EPUB standard,
most ebook retailers are using proprietary technologies to enforce usage constraints on digital
publications in order to impede oversharing of copyrighted content. The high level of interoperability
and accessibility gained by the use of a standard publishing format is therefore cancelled by the use
of proprietary and closed technologies: ebooks are only readable on specific devices or software
applications (a retailer "lock-in" syndrome), cannot be accessed anymore if the ebook distributor which
protected the publication goes out of business or if the DRM technology evolves drastically. As a result,
users are deprived of any control over their ebooks.
Requirements related to security levels differ depending on which part of the digital publishing market
is addressed. In many situations, publishers require a solution which technically enforces the digital
rights they provide to their users; most publishers are happy to adopt a DRM solution which guarantees
an easy transfer of publications between devices, a certain level of fair-use and provides permanent
access to the publications acquired by their customers.
This is where this document comes into play.

TECHNICAL SPECIFICATION ISO/IEC TS 23078-2:2020(E)
Information technology — Specification of DRM technology
for digital publications —
Part 2:
User key-based protection
1 Scope
This document defines a technical solution for encrypting resources in digital publications (especially
EPUB) and for securely delivering decryption keys to reading systems, included in licenses tailored to
specific users. It also defines a simple passphrase-based authentication method for reading systems to
verify the license and access the encrypted resources of such digital publications.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EPUB Open Container Format (OCF) 3.2, W3C, available at https://www.w3.org/publishing/epub32/epub-ocf
ISO 8601-1, Date and time — Representations for information interchange — Part 1: Basic rules
ISO/IEC 8824-1, Information technology — Abstract Syntax Notation One (ASN.1): Specification of basic
notation — Part 1:
RFC 4627, The application/json Media Type for JavaScript Object Notation (JSON), The Internet Society,
available at https://www.ietf.org/rfc/rfc4627
RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
Profile, Network Working Group, available at https://tools.ietf.org/html/rfc5280
RFC 7807, Problem Details for HTTP APIs, The Internet Engineering Task Force, available at
https://tools.ietf.org/html/rfc7807
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
codec content type
content type that has intrinsic binary format qualities
EXAMPLE Such as video and audio media type.
Note 1 to entry: It is already designed for optimum compression or provides optimized streaming capabilities.
3.2
content key
symmetric key used to encrypt and decrypt publication resources (3.15)
3.3
encryption profile
set of encryption algorithms used in a specific protected publication (3.10) and associated license
document (3.6)
3.4
container
EPUB container
zip-based packaging and distribution format for EPUB publications (3.13)
[SOURCE: EPUB OCF 3.2, clause 4]
3.5
license authority
entity which delivers provider certificates (3.12) to content providers (3.11)
3.6
license document
document that contains references to the various keys, links to related external resources, rights and
restrictions that are applied to protected publication (3.10), and user (3.18) information
3.7
licensed content protection
LCP
Readium LCP
DRM technology published by the Readium Foundation
3.8
non-codec content type
content type that benefits from compression due to the nature of its internal data structure
EXAMPLE Such as a file format based on character strings (for example HTML, CSS, etc.)
3.9
package document
publication resource (3.15) carrying meta information about an EPUB publication (3.13)
3.10
protected publication
LCP-protected publication
publication (3.13) in which resources (3.15) have been encrypted according to this document
3.11
provider
content provider
entity that delivers LCP licenses for protected publications (3.10) to users (3.18)
3.12
provider certificate
certificate that is included in the license document (3.6) to identify the content provider (3.11) and
validate the signature of the license document
3.13
publication
EPUB publication
logical document entity consisting of a set of interrelated resources (3.15) and packaged in an EPUB
container (3.4)
[SOURCE: EPUB Content Documents 3.2]
3.14
reading system
system that processes EPUB publications (3.13) and presents them to users (3.18)
3.15
resource
publication resource
content or instructions that contribute to the logic and rendering of an EPUB publication (3.13)
3.16
root certificate
certificate possessed by the license authority (3.5) and embedded in each EPUB reading system (3.14) in
order to confirm that the provider certificate (3.12) is valid
3.17
status document
license status document
document that contains the current status and possible interactions with a license document (3.6), along
with historical information
3.18
user
individual that consumes an EPUB publication (3.13) using an EPUB reading system (3.14)
3.19
user key
hash value of the user passphrase (3.20), used to decrypt the content key (3.2) and any encrypted user
(3.18) information embedded in a license document (3.6)
3.20
user passphrase
string of text entered by the user (3.18) for obtaining access to the protected publication (3.10)
4 Abbreviated terms
DRM digital rights management
IANA Internet Assigned Number Authority
5 Overview
5.1 General
In order to deliver a publication to users without risk of indiscriminate redistribution, most publication
resources are encrypted and a license document is generated.
The license document can be transmitted outside an EPUB container or be embedded inside it. Following
the EPUB OCF 3.2 specification, META-INF/encryption.xml identifies all encrypted publication
resources and points to the content key needed to decrypt them. This content key is located inside the
license document and is itself encrypted using the user key. The user key is generated by calculating
a hash of a user passphrase. It is used to decrypt the content key, which in turn is used to decrypt the
publication resources.
The license document may also contain information about which rights are conveyed to the user and
which are not, and information identifying the user and links to external resources. Rights information
may include things like the time for which the license is valid, whether the book may be printed or
copied, etc. Finally, the license document always includes a digital signature to prevent modification of
any of its components.
Figure 1 shows the relationships among the various components of LCP.
Figure 1 — Protected publication with a license document
5.2 Protecting the publication
To protect a publication, a content provider follows these steps.
a) Generate a unique content key for the publication.
b) Store this content key for future use in licensing the publication.
c) Encrypt each protected resource using that key, after compression if applicable.
d) Add these protected resources to the container, replacing unprotected versions.
e) Create a META-INF/encryption.xml document (as described in 9.3) which includes an EncryptedData
element for each protected resource, that contains:
1) an EncryptionMethod element that lists the algorithm used;
2) a KeyInfo element with a RetrievalMethod child that points to the content key in the license
document;
3) a CipherData element that identifies the protected resource.
f) Add META-INF/encryption.xml to the container.
The publication is now protected (i.e., has become a protected publication) and is ready for licensing to
one or more users.
5.3 Licensing the publication
After a user requests a protected publication, the following steps are followed by the content provider
to license the protected publication.
a) Generate the user key by hashing the user passphrase (as described in 6.4.2). It is assumed that the
user and associated user passphrase are already known to the provider.
b) Encrypt the content key for the protected publication using the user key.
c) Create a license document (META-INF/license.lcpl) with the following contents:
1) a unique ID for this license;
2) the date the license was issued;
3) the URI that identifies the content provider;
4) the encrypted content key;
5) information relative to the user passphrase and user key;
6) links to additional information stored outside of the protected publication and license
document (optional);
7) information on specific rights being granted to the user (optional);
8) information identifying the user (optional); some of the fields may be encrypted using the
user key.
d) Generate a digital signature for the license document data and add it to the license document.
There are then two different methods to deliver the license document and protected publication to
the user.
— License document included inside protected publication: The content provider adds the license
document to the protected publication’s container and delivers this to the user.
— License document delivered separately: The content provider includes a link from the license
document to the protected publication, and then delivers just the license document to the user. The
reading system processing the license document retrieves the protected publication and adds the
license document to the container of this protected publication.
Whichever method is used, the reading system is presented with an EPUB container that includes the
protected publication and the license document.
5.4 Reading the publication
In order to decrypt and render a protected publication, the user’s reading system follows these steps.
a) Verify the signature for the license document.
b) Get the user key (if already stored) or generate it by hashing the user passphrase.
c) Decrypt the content key using the user key.
d) Decrypt the protected resources using the content key.
6 License document
6.1 General
This clause defines the license document’s syntax, its location in the container, its media type, file
extension and processing model.
While META-INF/encryption.xml describes how the resources are encrypted and where the encrypted
content key is located, all other relevant information for LCP is stored in the license document.
A.1 shows an example of a license document.
6.2 Content conformance
A license document shall meet all of the following criteria:
Document properties:
— It shall meet the conformance constraints for JSON documents as defined in RFC 4627.
— It shall be encoded using UTF-8.
File properties:
— Its filename shall use the file extension .lcpl.
— Its MIME media type shall be application/vnd.readium.lcp.license.v1.0+json.
— Its location in the container shall be META-INF/license.lcpl.
6.3 License information
6.3.1 General
The license document shall contain id, issued, provider, encryption, links and signature objects and
may contain updated, rights and user objects as defined in Table 1.
Table 1 — Objects list of license document
Name | Value/Object | Format/data type | Required?
id | Unique identifier for the license | String | Yes
issued | Date and time of first issue of the license | ISO 8601-1 date and time | Yes
updated | Date and time of last update of the license | ISO 8601-1 date and time | No
provider | Identifier for the content provider | URI | Yes
encryption | encryption object | Object as defined in 6.3.2 | Yes
links | links object | Object as defined in 6.3.3 | Yes
rights | rights object | Object as defined in 6.3.4 | No
user | user object | Object as defined in 6.3.5 | No
signature | signature object | Object as defined in 6.3.6 | Yes
The date and time format shall follow the rules defined in ISO 8601-1.
6.3.2 Encryption (transmitting keys)
6.3.2.1 General
To transmit keys, the encryption object shall contain profile, content_key and user_key objects.
6.3.2.2 Profile
The encryption/profile object shall contain the value defined in Table 2.
Table 2 — Profile information in encryption
Name | Value | Format/data type
profile | Identifier for the encryption profile used by this LCP-protected publication | URI
6.3.2.3 Content key
The encryption/content_key object contains the content key (encrypted using the user key) used to
encrypt the publication resources. It shall contain the name/value pairs described in Table 3.
Table 3 — Content key information in encryption
Name | Value | Format/data type
encrypted_value | Encrypted content key | Base 64 encoded octet sequence
algorithm | Algorithm used to encrypt the content key, identified using the URIs defined in W3C XML Encryption. This shall match the content key encryption algorithm named in the encryption profile identified in encryption/profile. | URI
6.3.2.4 User key
The encryption/user_key object contains information regarding the user key used to encrypt the
content key. It shall contain the name/value pairs defined in Table 4.
Table 4 — User key information in encryption
Name | Value | Format/data type
text_hint | Hint to be displayed to the user to help them remember the user passphrase | String
algorithm | Algorithm used to generate the user key from the user passphrase. This URI shall match the user passphrase hash algorithm specified in the encryption profile identified in encryption/profile. | URI
key_check | Value of the license document’s id field encrypted using the user key and the same algorithm identified for content key encryption in encryption/content_key/algorithm. This is used to verify that the reading system handles the correct user key. | Base 64 encoded octet sequence
EXAMPLE Encryption information for a license document that uses the basic encryption profile for LCP 1.0.
{
  "id": "ef15e740-697f-11e3-949a-0800200c9a66",
  "issued": "2013-11-04T01:08:15+01:00",
  "updated": "2014-02-21T09:44:17+01:00",
  "provider": "https://www.imaginaryebookretailer.com",
  "encryption": {
    "profile": "http://readium.org/lcp/basic-profile",
    "content_key": {
      "encrypted_value": "/k8RpXqf4E2WEunCp76E8PjhS051NXwAXeTD1ioazYxCRGvHLAck/KQ3cCh5JxDmCK0nRLyAxs1X0aA3z55boQ==",
      "algorithm": "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
    },
    "user_key": {
      "text_hint": "Enter your email address",
      "algorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
      "key_check": "jJEjUDipHK3OjGt6kFq7dcOLZuicQFUYwQ+TYkAIWKm6Xv6kpHFhF7LOkUK/Owww"
    }
  },
  "links": ".",
  "rights": ".",
  "signature": "."
}
6.3.3 Links (pointing to external resources)
6.3.3.1 General
To specify external resources, the license document shall contain a links object. This is used to associate
the license document with resources that are not locally available.
Each link object nested in links contains the link URI, a link relationship and an optional set of other
link properties.
6.3.3.2 Link object
Each link object supports the names/values defined in Table 5.
Table 5 — Object list in link
Name | Value | Format/data type | Required?
href | Location of the linked resource | URI or URI Template | Yes
rel | Link relationship to the document | List of well-known relation values, URIs for extensions as defined in 6.3.3.3 | Yes
title | Title of the link | String | No
type | Expected MIME media type value for the external resources | MIME media type | No, but highly recommended
templated | Indicates that the href is a URI Template | Boolean | No, default value is "false"
profile | Expected profile used to identify the external resource | URI | No
length | Content length in octets | Integer | No
hash | SHA-256 hash of the resource | Base 64 encoded octet sequence | No
Templated URIs follow the RFC 6570 specification.
6.3.3.3 Link relationships
Table 6 introduces the link relationships for each link object which is used for value of rel.
Table 6 — Link relationships of link
Relation | Semantics | Required?
hint | Location where a reading system can redirect a user looking for additional information about the user passphrase | Yes
publication | Location where the publication associated with the license document can be downloaded | Yes
self | As defined in the IANA registry of link relations: "Conveys an identifier for the link's context" | No
support | Support resources for the user (either a website, an email or a telephone number) | No
status | Location of the status document associated with the license document | No
In addition to these link relationships, this document introduces the LCP Link Relations Registry, in
which all link relations defined in this document are referenced.
Link relationships may also be extended for vendor-specific applications. Such links shall use a URI
instead of a string to identify their link relationships.
The representation of the URI mentioned in the status link shall be a valid status document.
EXAMPLE A license document points to a publication, contains the location of a hint about its user
passphrase, several support links and uses an extension to provide authentication.
{
  "id": "ef15e740-697f-11e3-949a-0800200c9a66",
  "issued": "2013-11-04T01:08:15+01:00",
  "updated": "2014-02-21T09:44:17+01:00",
  "provider": "https://www.imaginaryebookretailer.com",
  "encryption": ".",
  "links": [
    { "rel": "publication",
      "href": "https://www.example.com/file.epub",
      "type": "application/epub+zip",
      "length": "264929",
      "hash": "8b752f93e5e73a3efff1c706c1c2e267dffc6ec01c382cbe2a6ca9bd57cc8378"
    },
    { "rel": "hint",
      "href": "https://www.example.com/passphraseHint?user_id=1234",
      "type": "text/html"
    },
    { "rel": "support",
      "href": "mailto:support@example.org"
    },
    { "rel": "support",
      "href": "https://example.com/support",
      "type": "text/html"
    },
    { "rel": "www.imaginaryebookretailer.com/lcp/rel/authentication",
      "href": "https://www.example.com/authenticateMe",
      "title": "Authentication service",
      "type": "application/vnd.myextension.authentication+json"
    }
  ],
  "rights": ".",
  "signature": "."
}
6.3.4 Rights (identifying rights and restrictions)
To identify rights and restrictions, the license document may also express a series of rights using
the rights object. The rights object may include the fields defined in Table 7.
Table 7 — Object list in rights
Name | Value | Format/data type | Default
print | Maximum number of pages that can be printed over the lifetime of the license | Unsigned integer | Unlimited
copy | Maximum number of characters that can be copied to the clipboard over the lifetime of the license | Unsigned integer | Unlimited
start | Date and time when the license begins | ISO 8601-1 date and time | None (perpetual license)
end | Date and time when the license ends | ISO 8601-1 date and time | None (perpetual license)
The date and time format shall follow the rules defined in ISO 8601-1.
All name/value pairs using an integer as their data type (print and copy for this document) shall not use
leading zeroes in values (e.g., “9”, not “09”).
For the print right, a page is defined as follows:
a) the page as defined in the publication, if it is pre-paginated (fixed layout), or
b) the page as defined by the page-list nav element of the EPUB navigation document, as defined in
EPUB Packages 3.2, subclause 5.4.2.3, if this exists, or
c) 1024 Unicode characters for all other cases.
The copy right only covers the ability to copy to the clipboard and is limited to text (no images, etc.).
In addition to these rights, this document introduces the LCP rights registry, in which all rights defined
in this document are referenced.
The rights object may be extended to include any number of implementor-specific rights. Each extension
right shall be identified using a URI controlled by the implementor.
EXAMPLE A license document grants the following rights: print up to 10 pages and copy up to 2048
characters for the lifetime of the license; the license has a start and an expiration date. There is also a vendor
extension granting the right to tweet parts of this book.
{
  "id": "ef15e740-697f-11e3-949a-0800200c9a66",
  "issued": "2013-11-04T01:08:15+01:00",
  "updated": "2014-02-21T09:44:17+01:00",
  "provider": "https://www.imaginaryebookretailer.com",
  "encryption": ".",
  "links": ".",
  "rights": {
    "print": 10,
    "copy": 2048,
    "start": "2013-11-04T01:08:15+01:00",
    "end": "2030-11-25T01:08:15+01:00",
    "https://www.imaginaryebookretailer.com/lcp/rights/tweet": true
  },
  "signature": "."
}
6.3.5 User (identifying the user)
To identify a user, the license document may embed information about the user using the user object.
The user object includes the fields defined in Table 8.
Table 8 — Object list in user
Name | Value | Format/data type | Required?
id | Unique identifier for the user at a specific Provider | String | No, but highly recommended
email | The user’s e-mail address | String | No
name | The user’s name | String | No
encrypted | A list of which user object values are encrypted in this license document | Array of one or more strings matching the above names or an extension | Yes if encryption is used for any field
In addition to this user information, this document introduces the LCP user fields registry, in which all
user fields defined in this document are referenced.
As with rights, the user object may be extended to include any number of implementor-specific fields.
Each extension field shall be identified by a URI controlled by the implementor.
To protect private user data, any of these fields may be encrypted, except the encrypted field
which shall remain in plain text. If encrypted, the field values shall be encrypted using the user key
and the same encryption algorithm identified in the encryption/content_key object. The names of all
encrypted fields shall be listed in the encrypted array.
EXAMPLE A license document where an identifier, a provider and an email are provided. There is also an
extension to indicate the user’s preferred language. The email is encrypted.
{
  "id": "ef15e740-697f-11e3-949a-0800200c9a66",
  "issued": "2013-11-04T01:08:15+01:00",
  "updated": "2014-02-21T09:44:17+01:00",
  "provider": "https://www.imaginaryebookretailer.com",
  "encryption": ".",
  "links": ".",
  "rights": ".",
  "user": {
    "id": "d9f298a7-7f34-49e7-8aae-4378ecb1d597",
    "email": "EnCt2b8c6d2afd94ae4ed201b27049d8ce1afe31a90ceb8c6d2afd94ae4ed201b2704RjkaXRveAAarHwdlID1KCIwEmS",
    "encrypted": ["email"],
    "https://www.imaginaryebookretailer.com/lcp/user/language": "fr"
  },
  "signature": "."
}
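A structural check of a license document against Tables 1, 6, 7 and 8, as an added example in Go that is not part of the specification or of any Readium code. It covers only the shape of the document and the rights window, so a reading system would run it after the signature has been verified (5.4 a). The names Check and sample, the constructed sample document and the use of RFC 3339 parsing for ISO 8601-1 date and time values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// sample is a constructed license document (not from the specification): it has
// no signature, no hint link, and lists an encrypted field the user object lacks.
const sample = `{
  "id": "ef15e740-697f-11e3-949a-0800200c9a66",
  "issued": "2013-11-04T01:08:15+01:00",
  "provider": "https://www.imaginaryebookretailer.com",
  "encryption": {},
  "links": [{"rel": "publication", "href": "https://www.example.com/file.epub"}],
  "rights": {"print": 10, "end": "2030-11-25T01:08:15+01:00"},
  "user": {"id": "d9f298a7", "email": "constructed-ciphertext", "encrypted": ["email", "name"]}
}`

type link struct {
	Rel  string `json:"rel"`
	Href string `json:"href"`
}

// rights keeps only the time window; time.Time parses the RFC 3339 form (assumption).
type rights struct {
	Start *time.Time `json:"start"`
	End   *time.Time `json:"end"`
}

// Check returns the conformance problems found in a license document at time now.
func Check(doc []byte, now time.Time) []string {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(doc, &top); err != nil {
		return []string{"not a JSON object: " + err.Error()}
	}
	var problems []string
	// Table 1: objects every license document shall contain.
	for _, name := range []string{"id", "issued", "provider", "encryption", "links", "signature"} {
		if _, ok := top[name]; !ok {
			problems = append(problems, "missing required object: "+name)
		}
	}
	// Tables 5 and 6: each link needs rel and href; hint and publication are required.
	if raw, ok := top["links"]; ok {
		var links []link
		if err := json.Unmarshal(raw, &links); err != nil {
			problems = append(problems, "links is not an array of link objects")
		}
		seen := map[string]bool{}
		for i, l := range links {
			if l.Rel == "" || l.Href == "" {
				problems = append(problems, fmt.Sprintf("links[%d] lacks rel or href", i))
			}
			seen[l.Rel] = true
		}
		for _, rel := range []string{"hint", "publication"} {
			if !seen[rel] {
				problems = append(problems, "missing required link relationship: "+rel)
			}
		}
	}
	// Table 7: start and end bound the license; absent values mean a perpetual license.
	if raw, ok := top["rights"]; ok {
		var r rights
		if err := json.Unmarshal(raw, &r); err != nil {
			problems = append(problems, "rights is malformed or start/end is not a valid date and time")
		} else {
			if r.Start != nil && now.Before(*r.Start) {
				problems = append(problems, "license not yet valid (rights/start)")
			}
			if r.End != nil && now.After(*r.End) {
				problems = append(problems, "license expired (rights/end)")
			}
		}
	}
	// 6.3.5: names in user/encrypted must exist; the encrypted field itself stays plain text.
	var user map[string]json.RawMessage
	if raw, ok := top["user"]; ok && json.Unmarshal(raw, &user) == nil {
		var names []string
		_ = json.Unmarshal(user["encrypted"], &names) // absent array leaves names empty
		for _, n := range names {
			if _, present := user[n]; !present || n == "encrypted" {
				problems = append(problems, "user/encrypted names an invalid field: "+n)
			}
		}
	}
	return problems
}

func main() {
	now := time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC) // constructed evaluation time
	for _, p := range Check([]byte(sample), now) {
		fmt.Println(p)
	}
}
```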
6.3.6 Signature (signing the license)
To validate that it has not been altered, the license document shall include information about the
signature using the signature object. The signature object shall include the fields defined in Table 9.
Table 9 — Object list in signature
Name | Value | Format/data type
algorithm | Algorithm used to calculate the signature, identified using the URIs given in W3C XML Signature. This shall match the signature algorithm named in the encryption profile identified in encryption/profile. | URI
certificate | The provider certificate: an X509 certificate used by the content provider | Base 64 encoded DER certificate
value | Value of the signature | Base 64 encoded octet sequence
For more information on how the signature and the certificate should be calculated, encoded and
processed, see 6.5.
EXAMPLE Signature based on the basic LCP encryption profile.
{
"id": "ef15e740-697f-11e3-949a-0800200c9a66",
"issued": "2013-11-04T01:08:15+01:00",
"updated": "2014-02-21T09:44:17+01:00",
"provider": "https://www.imaginaryebookretailer.com",
"encryption": ".",
"links": ".",
"rights": ".",
"user": ".",
"signature": {
"algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"certificate": "MIIDEjCCAfoCCQDwMOjkYYOjPjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzETMB
EGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBxMKRXZlcnl3aGVyZTESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDEw
MjIxMjYxNloXDTE1MDEwMjIxMjYxNlowSzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBA
cTCkV2ZXJ5d2hlcmUxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOpC
RECG7icpf0H37kuAM7s42oqggBoikoTpo5yapy+s5eFSp8HSqwhIYgZ4SghNLkj3e652SALav7chyZ2vWvitZycY+a
q50n5UTTxDvdwsC5ZNeTycuzVWZALKGhV7VUPEhtWZNm0gruntronNa8l2WS0aF7P5SbhJ65SDQGprFFaYOSyN6550
P3kqaAO7tDddcA1cmuIIDRf8tOIIeMkBFk1Qf+lh+3uRP2wztOTECSMRxX/hIkCe5DRFDK2MuDUyc/iY8IbY0hMFFG
w5J7MWOwZLBOaZHX+Lf5lOYByPbMH78O0dda6T+tLYAVzsmJdHJFtaRguCaJVtSXKQUAMCAwEAATANBgkqhkiG9w0B
AQUFAAOCAQEAi9HIM+FMfqXsRUY0rGxLlw403f3YtAG/ohzt5i8DKiKUG3YAnwRbL/VzXLZaHru7XBC40wmKefKqoA
0RHyNEddXgtY/aXzOlfTvp+xirop+D4DwJIbaj8/wHKWYGBucA/VgGY7JeSYYTUSuz2RoYtjPNRELIXN8A+D+nkJ3d
xdFQ6jFfVfahN3nCIgRqRIOt1KaNI39CShccCaWJ5DeSASLXLPcEjrTi/pyDzC4kLF0VjHYlKT7lq5RkMO6GeC+7YF
vJtAyssM2nqunA2lUgyQHb1q4Ih/dcYOACubtBwW0ITpHz8N7eO+r1dtH/BF4yxeWl6p5kGLvuPXNU21ThgA==",
"value": "q/3IInic9c/EaJHyG1Kkqk5v1zlJNsiQBmxz4lykhyD3dA2jg2ZzrOenYU9GxP/xhe5H5Kt2WaJ/
hnt8+GWrEx1QOwnNEij5CmIpZ63yRNKnFS5rSRnDMYmQT/fkUYco7BUi7MPPU6OFf4+kaToNWl8m/ZlMxDcS3BZnVh
SEKzUNQn1f2y3sUcXjes7wHbImDc6dRthbL/E+assh5HEqakrDuA4lM8XNfukEYQJnivqhqMLOGM33RnS5nZKrPPK/
c2F/vGjJffSrlX3W3Jlds0/MZ6wtVeKIugR06c56V6+qKsnMLAQJaeOxx
...
