Certificate Profile for Certificates Issued by Central Signing Services
Version 1.2 - 2020-01-17
Registration number: 2019-313 (previously: ELN-0608)
Table of Contents
- 1. Introduction
- 1.1. Requirement key words
- 1.2. XML namespace references
- 1.3. Structure
- 2. Certificate Profile
- 2.1. Standards
- 2.2. Qualified and PKC Certificates
- 2.3. Certificate Content
- 2.3.1. Subject Attributes and Name Forms
- 2.3.1.1. Person Identifier Attributes
- 2.3.1.1.1. Data Source
- 2.3.1.1.2. Data Format
- 2.3.1.2. Other Attribute Requirements
- 2.3.2. Authentication Context and Attribute Mapping
- 2.3.2.1. Extended Authentication Information
- 2.3.3. Certificate Policy
- 3. Normative References
- 4. Changes between versions
1. Introduction
This document specifies a certificate profile for certificates issued by a signature service based on the OASIS DSS protocol [DSS], enhanced by the DSS Extensions for Federated Central Signing Services [DSS-Ext].
1.1. Requirement key words
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as described in [RFC2119].
These keywords are capitalized when used to unambiguously specify requirements over protocol features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
1.2. XML namespace references
The prefix saci: stands for the SAML Authentication Context Information XML Schema namespace, http://id.elegnamnden.se/auth-cont/1.0/saci
Schema location URL: https://docs.swedenconnect.se/schemas/cert-schemas/1.0/CertAuthContextExtension-SAML-1.0.xsd
The prefix sacex: stands for the Extended Authentication Information XML Schema namespace, http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info
Schema location URL: https://docs.swedenconnect.se/schemas/cert-schemas/1.0/CertAuthContextExtension-ExtAuthInfo-1.0.xsd
1.3. Structure
This specification uses the following typographical conventions in text: <Eid2Element>, <ns:ForeignElement>, Attribute, Datatype, OtherCode.
2. Certificate Profile
2.1. Standards
The following standards provide normative requirements for this certificate profile:
Standard | Function | Reference |
---|---|---|
RFC 5280 | Main certificate standard | [RFC5280] |
RFC 7773 | Authentication context extension | [RFC7773] |
EN 319 411-1 | Policy requirements for PKC certificates | [EU-POL-NCP] |
EN 319 411-2 | Policy requirements for Qualified certificates | [EU-POL-QC] |
EN 319 412-1 | Definitions of semantics identifiers and formatting rules for identity data | [EU-CERT-GEN] |
EN 319 412-2 | Certificate profile for certificates issued to natural persons | [EU-CERT-NP] |
EN 319 412-5 | Declaration of qualified certificate properties | [EU-CERT-QC] |
2.2. Qualified and PKC Certificates
This profile supports both Qualified Certificates as well as certificates that are not Qualified Certificates, here named PKC certificates (Public Key Certificates).
All profile requirements apply to both Qualified Certificates and to PKC certificates unless it is explicitly stated that a particular requirement applies only to PKC or Qualified Certificates.
2.3. Certificate Content
All certificates SHALL be fully compliant with [RFC5280] and [EU-CERT-NP]. All Qualified Certificates SHALL also implement mandatory QC statements as defined in [EU-CERT-QC].
2.3.1. Subject Attributes and Name Forms
2.3.1.1. Person Identifier Attributes
2.3.1.1.1. Data Source
All certificates SHALL contain a unique person identifier, carried in the serialNumber attribute (OID 2.5.4.5) in the subject field. The person identifier SHALL be obtained from the Identity Provider in the form of a SAML attribute. For PKC certificates, the SAML attribute SHOULD be one of the attributes listed below. For Qualified Certificates, the SAML attribute SHALL be one of the attributes listed below.
Attribute | Attribute name | Specification |
---|---|---|
Swedish Personal Identity Number (personnummer) | urn:oid:1.2.752.29.4.13 | [AttrSpec] |
Provisional ID | urn:oid:1.2.752.201.3.4 | [AttrSpec] |
eIDAS Person Identifier | urn:oid:1.2.752.201.3.7 | [AttrSpec] |
2.3.1.1.2. Data Format
The identifier data obtained from the SAML assertion SHALL be stored in the serialNumber attribute using one of the following formats:
- using exactly the same format as it was obtained from the SAML attribute, or,
- using the conventions specified in [EU-CERT-GEN] as defined below.
When storing a person identifier in the serialNumber attribute in accordance with [EU-CERT-GEN], the certificate SHALL include a semantics identifier as specified in section 5.1 of [EU-CERT-GEN].
Swedish Personal Identity Number (personnummer)
When the identifier is a Swedish personal identity number (personnummer) the semantics identifier SHALL be a natural person semantics identifier using the identity type reference "PNO".
Example: PNOSE-194911172296
Provisional ID
When the identifier is a provisional ID the semantics identifier SHALL be a natural person semantics identifier using a local national identity type reference "PI:SE".
Example: PI:SE-NO:16043700158
This identifier illustrates that the identifier is a Provisional ID (PI) as defined in Sweden (SE) followed by a hyphen (-) and the actual provisional ID for a person from Norway (NO:16043700158).
When the identity type reference is "PI:SE", the nameRegistrationAuthorities element of SemanticsInformation SHALL be present and SHALL contain a uniformResourceIdentifier GeneralName with the following value:
http://id.elegnamnden.se/eln/name-registration-authority
eIDAS Person Identifier
eIDAS person identifier attributes MAY be stored in the serialNumber attribute having exactly the same format as received from the SAML attribute listed above, supported by providing a semantics identifier according to [EU-CERT-GEN] identified by the OID 0.4.0.194121.1.3.
NOTE:
A new version of [EU-CERT-GEN] is being processed for approval at the time of publication of this document. The new version will specify a semantics identifier for storing eIDAS person identifier attributes using the semantics identifier OID 0.4.0.194121.1.3. This semantics identifier (id-etsi-qcs-semanticsId-eIDASNatural) is not yet present in the latest published version of the standard.
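The mapping rules above (same-format storage versus the [EU-CERT-GEN] form with a semantics identifier, the PNOSE and PI:SE prefixes, the name registration authority for PI:SE, and the SHALL/SHOULD difference between Qualified and PKC certificates) are shown below in a worked example. This is added illustration code, not part of this profile or of any Sweden Connect implementation. It assumes the id-etsi-qcs-semanticsId-Natural OID 0.4.0.194121.1.1 from EN 319 412-1 for the PNO and PI:SE forms, and that the personnummer check digit is the mod-10 (Luhn) check described in SKV 704; the function and field names are the example's own. The 12-digit personnummer and the Provisional ID values are the ones used in the examples in this section, and the eIDAS identifier value is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SAML attribute names listed in section 2.3.1.1.1
PERSONNUMMER_ATTR = "urn:oid:1.2.752.29.4.13"
PROVISIONAL_ID_ATTR = "urn:oid:1.2.752.201.3.4"
EIDAS_PERSON_ID_ATTR = "urn:oid:1.2.752.201.3.7"

# Semantics identifier OIDs: id-etsi-qcs-semanticsId-Natural from EN 319 412-1 (assumed here),
# id-etsi-qcs-semanticsId-eIDASNatural as quoted in the NOTE in section 2.3.1.1.2.
SEMANTICS_NATURAL = "0.4.0.194121.1.1"
SEMANTICS_EIDAS_NATURAL = "0.4.0.194121.1.3"
PI_SE_NAME_REGISTRATION_AUTHORITY = "http://id.elegnamnden.se/eln/name-registration-authority"

# EN 319 412-1 natural-person form: 3-char type (or 2-char local type + ":"),
# 2-char ISO 3166 country code, hyphen-minus, identifier.
SERIAL_RE = re.compile(r"^(?P<type>[A-Z]{3}|[A-Z]{2}:)(?P<cc>[A-Z]{2})-(?P<id>.+)$")


@dataclass(frozen=True)
class SubjectSerialNumber:
    """What the signing service needs to place in the certificate for the person identifier."""
    serial_number: str                                  # subject serialNumber (OID 2.5.4.5)
    semantics_oid: Optional[str]                        # semanticsIdentifier of SemanticsInformation
    name_registration_authority: Optional[str] = None   # uniformResourceIdentifier GeneralName


def personnummer_checksum_ok(pnr12: str) -> bool:
    """Mod-10 (Luhn) check over the YYMMDDNNNC part of a 12-digit personnummer (assumed per SKV 704)."""
    digits = [int(c) for c in pnr12[2:]]
    total = 0
    for i, d in enumerate(digits[:-1]):
        v = d * (2 if i % 2 == 0 else 1)
        total += v - 9 if v > 9 else v
    return (10 - total % 10) % 10 == digits[-1]


def to_serial_number(attr_name: str, value: str, qualified: bool,
                     etsi_semantics: bool = True) -> SubjectSerialNumber:
    """Map a SAML person-identifier attribute to the subject serialNumber and semantics identifier.

    qualified=True enforces the SHALL for Qualified Certificates: the attribute must be one of
    the three listed in 2.3.1.1.1. For PKC certificates (SHOULD) an unlisted attribute is stored
    as received. etsi_semantics=False selects the first option in 2.3.1.1.2 (value unchanged,
    no semantics identifier).
    """
    if not value or value != value.strip():
        raise ValueError("person identifier must be non-empty without surrounding whitespace")
    if attr_name == PERSONNUMMER_ATTR:
        if not re.fullmatch(r"\d{12}", value) or not personnummer_checksum_ok(value):
            raise ValueError("personnummer must be 12 digits with a valid check digit")
        if etsi_semantics:
            return SubjectSerialNumber("PNOSE-" + value, SEMANTICS_NATURAL)
        return SubjectSerialNumber(value, None)
    if attr_name == PROVISIONAL_ID_ATTR:
        if etsi_semantics:
            return SubjectSerialNumber("PI:SE-" + value, SEMANTICS_NATURAL,
                                       PI_SE_NAME_REGISTRATION_AUTHORITY)
        return SubjectSerialNumber(value, None)
    if attr_name == EIDAS_PERSON_ID_ATTR:
        # eIDAS identifiers keep exactly the received format; only the semantics OID is added.
        return SubjectSerialNumber(value, SEMANTICS_EIDAS_NATURAL if etsi_semantics else None)
    if qualified:
        raise ValueError(f"{attr_name} is not an allowed person identifier in a Qualified Certificate")
    return SubjectSerialNumber(value, None)


def parse_serial_number(serial_number: str) -> Optional[dict]:
    """Split an EN 319 412-1 formatted serialNumber into type, country and id; None if not in that form."""
    m = SERIAL_RE.match(serial_number)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for attr, val in ((PERSONNUMMER_ATTR, "194911172296"),
                      (PROVISIONAL_ID_ATTR, "NO:16043700158"),
                      (EIDAS_PERSON_ID_ATTR, "NO/SE/16043700158")):   # eIDAS value is constructed
        r = to_serial_number(attr, val, qualified=True)
        print(r, parse_serial_number(r.serial_number))
```

A relying party that reads the certificate should do the reverse: only trust the type and country parsed out of the serialNumber when the certificate also carries the matching semantics identifier (and, for PI:SE, the name registration authority URI), since a bare "PNOSE-" prefix in a subject name means nothing on its own.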
2.3.1.2. Other Attribute Requirements
An e-mail address, when present, SHALL be stored in a Subject Alternative Name extension as an rfc822Name.
2.3.2. Authentication Context and Attribute Mapping
Certificates MUST include an AuthContextExtension according to [RFC7773]. This extension SHALL include one SAML Authentication Context Information element identified by the XML schema namespace identifier:
http://id.elegnamnden.se/auth-cont/1.0/saci
The <saci:SAMLAuthContext> element SHALL contain both an <saci:AuthContextInfo> element and an <saci:IdAttributes> element.
The <saci:IdAttributes> element SHALL contain one <saci:AttributeMapping> element for each subject attribute or other name form that was obtained from a SAML attribute in the SAML assertion used to authenticate the signer as part of the signature creation process. Each <saci:AttributeMapping> element SHALL provide the <saml:AttributeValue> that was obtained from the SAML assertion.
2.3.2.1. Extended Authentication Information
In addition to the attributes of <saci:AuthContextInfo>, it is possible to provide additional authentication information through the extensibility of the <saci:AuthContextInfo> element, which allows inclusion of a sequence of any element.
One such element is defined in this section, the <sacex:ExtAuthInfo> element.
This element MAY be included to provide the name of a parameter and its associated value.
This element MAY be used to carry the value of any single-valued attribute from the associated SAML assertion as long as the SAML attribute value is not composed of a complex type. When used to carry a SAML attribute value, the value of the <sacex:ExtAuthInfo> element SHALL be identical to the content of the SAML attribute value element and the Name attribute SHALL hold the same value as the Name attribute of the corresponding SAML attribute.
The <sacex:ExtAuthInfo> element is defined by the following XML Schema:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
           targetNamespace="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info"
           xmlns:sacex="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
  <xs:element name="ExtAuthInfo" type="sacex:ExtAuthInfoType" />
  <xs:complexType name="ExtAuthInfoType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="Name" type="xs:string" use="required" />
        <xs:anyAttribute namespace="##any" processContents="lax" />
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:schema>
```
Example:
The following example illustrates inclusion of the content of a transaction identifier SAML attribute as extended authentication information.
```xml
<saci:SAMLAuthContext
    xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
    xmlns:sacex="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
  <saci:AuthContextInfo IdentityProvider="http://eid.example.com/idp"
                        AuthenticationInstant="2020-01-10T17:02:46.000Z"
                        AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"
                        AssertionRef="_936e075dc2725b016de57b9a0624c766">
    <sacex:ExtAuthInfo Name="urn:oid:1.2.752.201.3.2">dc6ac7656H89bfb51</sacex:ExtAuthInfo>
  </saci:AuthContextInfo>
  <saci:IdAttributes>...</saci:IdAttributes>
</saci:SAMLAuthContext>
```
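The rules of sections 2.3.2 and 2.3.2.1 (both child elements present, one <saci:AttributeMapping> per certificate field taken from a SAML attribute, <sacex:ExtAuthInfo> restricted to single-valued simple attributes with Name copied from the SAML attribute) are shown end to end in the example below, which builds the <saci:SAMLAuthContext> content from an assertion and then checks a serialized instance. This is added illustration code, not part of this profile or of any Sweden Connect implementation. The assertion data and the certificate mapping table are constructed; the Type and Ref attributes on <saci:AttributeMapping> and the embedded <saml:Attribute> child are assumptions about the saci schema that section 1.2 only references by URL and should be verified against that schema.

```python
import xml.etree.ElementTree as ET

SACI_NS = "http://id.elegnamnden.se/auth-cont/1.0/saci"
SACEX_NS = "http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, ns in (("saci", SACI_NS), ("sacex", SACEX_NS), ("saml", SAML_NS)):
    ET.register_namespace(prefix, ns)


def q(ns: str, local: str) -> str:
    """Clark-notation tag name for ElementTree."""
    return f"{{{ns}}}{local}"


# Constructed stand-in for the parts of the SAML assertion the signing service consumed.
CONSTRUCTED_ASSERTION = {
    "issuer": "http://eid.example.com/idp",
    "id": "_936e075dc2725b016de57b9a0624c766",
    "authn_instant": "2020-01-10T17:02:46.000Z",
    "authn_context_class_ref": "http://id.elegnamnden.se/loa/1.0/loa3",
    "attributes": {
        "urn:oid:1.2.752.29.4.13": ["194911172296"],                # personnummer
        "urn:oid:2.5.4.42": ["Anna"],                                # givenName
        "urn:oid:2.5.4.4": ["Andersson"],                            # sn
        "urn:oid:0.9.2342.19200300.100.1.3": ["anna@example.com"],   # mail
        "urn:oid:1.2.752.201.3.2": ["dc6ac7656H89bfb51"],            # transaction identifier
        "urn:oid:2.5.4.43": ["Ann", "Anna"],                         # initials, multi-valued
    },
}

# Constructed table of where each SAML attribute ended up in the certificate. The Type/Ref
# attribute names on AttributeMapping are an assumption about the saci schema (section 1.2).
CERT_MAPPINGS = {
    "urn:oid:1.2.752.29.4.13": ("rdn", "2.5.4.5"),               # subject serialNumber
    "urn:oid:2.5.4.42": ("rdn", "2.5.4.42"),                      # givenName
    "urn:oid:2.5.4.4": ("rdn", "2.5.4.4"),                        # surname
    "urn:oid:0.9.2342.19200300.100.1.3": ("san", "rfc822Name"),   # e-mail in SAN (2.3.1.2)
}


def build_saml_auth_context(assertion: dict, mappings: dict, ext_info: list) -> ET.Element:
    """Build <saci:SAMLAuthContext> from the assertion and the fields derived from it."""
    root = ET.Element(q(SACI_NS, "SAMLAuthContext"))
    info = ET.SubElement(root, q(SACI_NS, "AuthContextInfo"), {
        "IdentityProvider": assertion["issuer"],
        "AuthenticationInstant": assertion["authn_instant"],
        "AuthnContextClassRef": assertion["authn_context_class_ref"],
        "AssertionRef": assertion["id"],
    })
    for name in ext_info:
        values = assertion["attributes"].get(name, [])
        # 2.3.2.1: only a single-valued attribute with a simple (string) value may be carried.
        if len(values) != 1 or not isinstance(values[0], str):
            raise ValueError(f"{name} is not a single-valued simple attribute")
        ET.SubElement(info, q(SACEX_NS, "ExtAuthInfo"), {"Name": name}).text = values[0]
    id_attrs = ET.SubElement(root, q(SACI_NS, "IdAttributes"))
    for name, (kind, ref) in mappings.items():
        if name not in assertion["attributes"]:
            raise ValueError(f"certificate field {ref} mapped from {name}, which the assertion lacks")
        mapping = ET.SubElement(id_attrs, q(SACI_NS, "AttributeMapping"), {"Type": kind, "Ref": ref})
        attr = ET.SubElement(mapping, q(SAML_NS, "Attribute"), {"Name": name})
        for v in assertion["attributes"][name]:   # copy the value(s) exactly as received
            ET.SubElement(attr, q(SAML_NS, "AttributeValue")).text = v
    return root


def check_saml_auth_context(xml_text: str, expected_mappings: int) -> list:
    """Return the section 2.3.2 rule violations found in a serialized instance (empty list = ok)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != q(SACI_NS, "SAMLAuthContext"):
        problems.append("root is not saci:SAMLAuthContext")
    info = root.find(q(SACI_NS, "AuthContextInfo"))
    id_attrs = root.find(q(SACI_NS, "IdAttributes"))
    if info is None:
        problems.append("missing saci:AuthContextInfo")
    if id_attrs is None:
        problems.append("missing saci:IdAttributes")
        return problems
    mappings = id_attrs.findall(q(SACI_NS, "AttributeMapping"))
    if len(mappings) != expected_mappings:
        problems.append(f"expected {expected_mappings} AttributeMapping elements, found {len(mappings)}")
    for m in mappings:
        if m.find(f"{q(SAML_NS, 'Attribute')}/{q(SAML_NS, 'AttributeValue')}") is None:
            problems.append("AttributeMapping without saml:AttributeValue")
    for e in (info.iter(q(SACEX_NS, "ExtAuthInfo")) if info is not None else []):
        if not e.get("Name") or not (e.text or "").strip():
            problems.append("ExtAuthInfo without Name or value")
    return problems


def example() -> str:
    root = build_saml_auth_context(CONSTRUCTED_ASSERTION, CERT_MAPPINGS, ["urn:oid:1.2.752.201.3.2"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(example())
```

The multi-valued initials attribute in the constructed assertion is there to show the failure mode: asking build_saml_auth_context to carry it as <sacex:ExtAuthInfo> raises, because the profile allows only single-valued, non-complex attribute values in that element.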
2.3.3. Certificate Policy
Certificates SHALL contain at least one referenced certificate policy. PKC certificates SHALL contain at least one reference to a policy identified in [EU-POL-NCP]. Qualified Certificates SHALL reference at least one certificate policy identified in [EU-POL-QC].
3. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R. and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[RFC7773] Santesson, S., "Authentication Context Certificate Extension", RFC 7773, March 2016.
[DSS] OASIS Standard, "Digital Signature Service Core Protocols, Elements, and Bindings Version 1.0", April 2007.
[DSS-Ext] Sweden Connect, "DSS Extension for Federated Central Signing Services".
[AttrSpec] Sweden Connect, "Attribute Specification for the Swedish eID Framework".
[EU-POL-NCP] ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements.
[EU-POL-QC] ETSI EN 319 411-2, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates.
[EU-CERT-GEN] ETSI EN 319 412-1, Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 1: Overview and common data structures.
[EU-CERT-NP] ETSI EN 319 412-2, Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 2: Certificate profile for certificates issued to natural persons.
[EU-CERT-QC] ETSI EN 319 412-5, Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 5: QCStatements.
[SKV704] Skatteverket, SKV 704 utgåva 8, Personnummer, September 2007.
4. Changes between versions
Changes between version 1.1 and version 1.2:
- Update of logotype, fixes of typos and reference list.
- Section 2.3.2.1, "Extended Authentication Information", was added.
Changes between version 1.0 and version 1.1:
- Removed the requirement to store "personnummer" or "samordningsnummer".
- Updated standards references to remove old deprecated standards and replace them with the currently published documents.
- Specified optional support for using semantics identifiers in accordance with ETSI EN 319 412-1 to specify that the serialNumber attribute contains a Swedish "personnummer" or "samordningsnummer", Provisional ID or eIDAS person identifier.
- Added requirement to specify ETSI policy identifiers.
- Fix of invalid links for SKV704 and SKV707.