This page is used to configure the type of signatures that this profile will be used to verify:

From the above screen, assign the required signature types to this verification profile. Clients accessing/using this profile will only be able to verify the signature type(s) allowed. The following verification rules will be applied:


PAdES Signature Verification Rules


Signature Type

Description

PAdES Baseline Signatures (EN 319 142-1)

The signatures below are PAdES Baseline (EN 319 142-1) compliant:

PAdES-B-B

Validate the Baseline BES signature at the current time or historic time based on verification profile settings. Signing Time is mandatory in this case. It should be included in the specific entry M in the Signature dictionary of the PDF document.

PAdES-B-T

Validate the Baseline Timestamp signature at the signature timestamp token time. The timestamp token will be validated at the current time.

PAdES-B-LT

Validate the Baseline Long Term signature, signature timestamp token and validation information (revocation info).

PAdES-B-LTA

Validate the signature, signature timestamp token and validation information at the archive timestamp token time and validate archive timestamp token at current time.

PAdES Extended Signatures (EN 319 142-2)

The signatures below are PAdES Extended (EN 319 142-2) compliant:

PAdES-E-BES

Validate the signature at the current time or historic time based on verification profile settings.

PAdES-E-BES With Embedded Timestamp

Validate the signature at the signature timestamp token time. The timestamp token will be validated at the current time.

PAdES-E-LTV

Validate the signature, signature timestamp token and validation information at the archive timestamp token time and validate archive timestamp token at current time.

Verify Explicit Policy Electronic Signature (EPES) attribute

When enabled, the service will send an alert whenever auto-archiving is performed.

The ADSS Verification Service can retrieve the signature policy document in either of the following ways (in fall-back order):

  1. Using the policy URI defined inside the signature. The ADSS Verification Service uses this policy URI to retrieve the policy document available online, calculates its hash value and compares it with the hash of the policy document embedded in the signed properties of the signature.
  2. Using a locally configured signature policy document. EPES configurations should be made in the policy.properties file located at: [ADSS Installation Directory]/service/
     Open this file in any text editor and enter the policy OID and the path to the policy document, e.g. 1.2.3.4.5 = "F:/Policy_File"
     The ADSS Verification Service retrieves the locally available policy document, calculates its hash value and compares it with the hash of the policy document embedded in the signed properties of the signature.


CAdES and XAdES Signature Verification Rules


Signature Type

Description

XAdES Legacy Signatures (ETSI TS 101 903)

The signatures below are XAdES legacy (ETSI TS 101 903) compliant:

AdES-BES

Validate the signature at the current time or an historic time based on verification profile settings.

AdES-T

Validate the signature at the signature timestamp token time. The timestamp token will be validated at the current time.

AdES-C

If the signature type is only AdES-C (Complete Validation Data References) then the signature and AdES-T will be validated at the current time.

AdES-X

If the signature type is AdES-X then the AdES-C and AdES-T signatures will be validated at the AdES-X timestamp token time while the AdES-X timestamp token will be validated at the current time.

AdES-X-L

For AdES-X-L signatures there are two possibilities depending upon whether or not the AdES-X signature exists:

  1. If the signature type is AdES-X-L and the AdES-X exists then the AdES-X-L, AdES-C and AdES-T signatures will be validated at the AdES-X timestamp token time while the AdES-X timestamp token will be validated at the current time.
  2. If the signature type is AdES-X-L and AdES-X does not exist then the AdES-X-L, AdES-X, AdES-C and AdES-T signatures will all be validated at the current time.

AdES-A

For AdES-A signatures, there are three possibilities:

  1. If the signature type is AdES-A and the AdES-X exists then the AdES-X-L, AdES-C and AdES-T signatures will be validated at the AdES-X timestamp token time, the AdES-X will be validated at the AdES-A timestamp token time and the AdES-A itself will be validated at the current time.
  2. If the signature type is AdES-A and the AdES-X signature is not present then the AdES-X-L, AdES-C and AdES-T signatures will be validated at the AdES-A timestamp token time while the AdES-A signature will be validated at the current time.
  3. If the signature consists of multiple archived timestamps then the outermost timestamp token will be validated at the current time and the subsequent inner timestamp tokens will be validated at the previous archived timestamp token time.

Baseline Signatures (EN 319 142-1)

The signatures below are CAdES and XAdES Baseline (EN 319 142-1) compliant:

AdES-B-B

Validate the Baseline BES signature at the current time or an historic time based on verification profile settings.

AdES-B-T

Validate the Baseline Timestamp signature at the signature timestamp token time. The timestamp token will be validated at the current time.

AdES-B-LT

Validate the Baseline Long Term signature at the AdES-B-T timestamp token time while the AdES-B-T timestamp token will be validated at the current time. 

AdES-B-LTA

Validate the Baseline Long Term Archive signature at the current time and the Baseline LT signature at the AdES-B-T timestamp token time, while the AdES-B-T timestamp token will be validated at the current time.

Extended Signatures (EN 319 142-2)

The signatures below are CAdES and XAdES Extended (EN 319 142-2) compliant:

AdES-E-BES

Validate the signature at the current time or an historic time based on verification profile settings.

AdES-E-T

Validate the signature at the signature timestamp token time. The timestamp token will be validated at the current time.

AdES-E-C

If the signature type is only AdES-E-C (Complete Validation Data References) then the signature and AdES-E-T will be validated at the current time.

AdES-E-X

If the signature type is AdES-E-X then the AdES-E-C and AdES-E-T signatures will be validated at the AdES-E-X timestamp token time while the AdES-E-X timestamp token will be validated at the current time.

AdES-E-X-L

For AdES-E-X-L signatures there are two possibilities depending upon whether or not the AdES-E-X signature exists:

  1. If the signature type is AdES-E-X-L and the AdES-E-X exists then the AdES-E-X-L, AdES-E-C and AdES-E-T signatures will be validated at the AdES-E-X timestamp token time while the AdES-X timestamp token will be validated at the current time.
  2. If the signature type is AdES-E-X-L and AdES-E-X does not exist then the AdES-E-X-L, AdES-E-X, AdES-E-C and AdES-E-T signatures will all be validated at the current time.

AdES-E-A

For AdES-E-A signatures, there are three possibilities:

  1. If the signature type is AdES-E-A and the AdES-E-X exists then the AdES-E-X-L, AdES-E-C and AdES-E-T signatures will be validated at the AdES-E-X timestamp token time, the AdES-E-X will be validated at the AdES-E-A timestamp token time and the AdES-E-A itself will be validated at the current time.
  2. If the signature type is AdES-E-A and the AdES-E-X signature is not present then the AdES-E-X-L, AdES-E-C and AdES-E-T signatures will be validated at the AdES-E-A timestamp token time while the AdES-E-A signature will be validated at the current time.
  3. If the signature consists of multiple archived timestamps then the outermost timestamp token will be validated at the current time and the subsequent inner timestamp tokens will be validated at the previous archived timestamp token time.

Verify Explicit Policy Electronic Signature (EPES) attribute

If enabled, the verification service will reject EPES AdES signatures that do not comply with the configured explicit policy, and a signature verification failure is returned in this case.

The ADSS Verification Service can retrieve the signature policy document in either of the following ways (in fall-back order):

  1. Using the policy URI defined inside the signature. The ADSS Verification Service uses this policy URI to retrieve the policy document available online, calculates its hash value and compares it with the hash of the policy document embedded in the signed properties of the signature.
  2. Using a locally configured signature policy document. EPES configurations should be made in the policy.properties file located at: [ADSS Installation Directory]/service/
     Open this file in any text editor and enter the policy OID and the path to the policy document, e.g. 1.2.3.4.5 = "F:/Policy_File"
     The ADSS Verification Service retrieves the locally available policy document, calculates its hash value and compares it with the hash of the policy document embedded in the signed properties of the signature.
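
The policy check described in both EPES rows above (policy URI first, then the file named in policy.properties), as an added Python example that is not ADSS code. The function names, the injected `fetch` callable, the SHA-256 default and the sample URI are assumptions, the policy bytes are constructed, and a document that is retrieved but does not match is assumed to fail the check rather than trigger the fall-back.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_policy_properties(text):
    """Parse lines such as  1.2.3.4.5 = "F:/Policy_File"  into {oid: path}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        oid, path = line.split("=", 1)
        mapping[oid.strip()] = path.strip().strip('"')
    return mapping

def check_policy(oid, embedded_hex, policy_uri, fetch, local_map, alg="sha256"):
    """Return (hash_matches, source); the URI is tried first, then the local file."""
    loaders = []
    if policy_uri:
        loaders.append(("uri", lambda: fetch(policy_uri)))
    if oid in local_map:
        loaders.append(("local", lambda: Path(local_map[oid]).read_bytes()))
    for source, load in loaders:
        try:
            document = load()
        except OSError:      # unreachable URI or missing file: try the next source
            continue
        digest = hashlib.new(alg, document).hexdigest()
        # Assumption: a retrieved document that does not match fails closed.
        return hmac.compare_digest(digest, embedded_hex.lower()), source
    return False, "unavailable"

def demo():
    policy = b"constructed sample signature policy document"
    embedded = hashlib.sha256(policy).hexdigest()  # stands in for the signed hash
    def offline(uri):
        raise OSError("policy URI unreachable")
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "Policy_File"
        path.write_bytes(policy)
        local_map = parse_policy_properties(f'1.2.3.4.5 = "{path}"')
        uri = "https://policy.example/policy"  # hypothetical URI
        fallback = check_policy("1.2.3.4.5", embedded, uri, offline, local_map)
        altered = check_policy("1.2.3.4.5", embedded, uri, lambda u: policy + b"!", local_map)
    return fallback, altered
```

`demo()` returns the result of the fall-back to the local file and the result for a URI that serves a modified document; the second is a mismatch even though the local copy is intact.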



MS Office Signature Verification Rules


Signature Type

Time to be Used in Validation Procedure

XAdES-BES

Validate the signature at the current time or an historic time based on verification profile settings.

XAdES-T (XAdES-BES with signature Timestamp)

Validate the signature at the signature timestamp token time. The timestamp token will be validated at the current time.

XAdES-C (XAdES-T with Complete Validation Data References)

If the signature type is only XAdES-C (Complete Validation Data References), then the signature and XAdES-T will be validated at the current time.

XAdES-X (XAdES-C with Extended Validation Data)

If the signature type is XAdES-X, then the XAdES-C and XAdES-T signatures will be validated at the XAdES-X timestamp token time while the XAdES-X timestamp token will be validated at the current time.

XAdES-X-L (XAdES-X with Long-term Validation Data)

For XAdES-X-L signatures there are two possibilities depending upon whether or not the XAdES-X signature exists:

  1. If the signature type is XAdES-X-L and the XAdES-X exists then the XAdES-X-L, XAdES-C and XAdES-T signatures will be validated at the XAdES-X timestamp token time while the XAdES-X timestamp token will be validated at the current time.
  2. If the signature type is XAdES-X-L and XAdES-X does not exist then the XAdES-X-L, XAdES-X, XAdES-C and XAdES-T signatures will all be validated at the current time.
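
The validation-time rules above, written out as an added Python example (not ADSS code) that also covers the AdES-A rows of the CAdES and XAdES table. The function name, the layer keys and the sample times are constructed. Two readings are assumptions: with several archive timestamps, each inner token is checked at the time of the token enclosing it, and the layers beneath use the innermost archive timestamp.

```python
from datetime import datetime, timezone

def validation_plan(level, now, t_time=None, x_time=None, archive_times=(),
                    historic_time=None):
    """Map each layer named on the page to the time it is validated at.

    level is "BES", "T", "C", "X", "X-L" or "A"; the caller supplies the
    times of the timestamp tokens actually present in the signature.
    """
    if level == "BES":   # current or historic time, per profile settings
        return {"signature": historic_time or now}
    if level == "T":
        if t_time is None:
            raise ValueError("level T needs the signature timestamp time")
        return {"signature": t_time, "T": now}
    if level == "C":
        return {"signature": now, "T": now}
    if level == "X":
        if x_time is None:
            raise ValueError("level X needs the X timestamp time")
        return {"C": x_time, "T": x_time, "X": now}
    if level == "X-L":
        if x_time is None:   # possibility 2: everything at the current time
            return dict.fromkeys(("X-L", "X", "C", "T"), now)
        return {"X-L": x_time, "C": x_time, "T": x_time, "X": now}
    if level == "A":
        chain = sorted(archive_times)   # innermost (oldest) first
        if not chain:
            raise ValueError("level A needs an archive timestamp")
        inner = chain[0]   # assumption: inner layers use the innermost one
        if x_time is None:
            plan = dict.fromkeys(("X-L", "C", "T"), inner)
        else:
            plan = {"X-L": x_time, "C": x_time, "T": x_time, "X": inner}
        # Each archive token is checked at the time of the token enclosing it;
        # the outermost token is checked at the current time.
        for i, enclosing in enumerate(chain[1:] + [now], start=1):
            plan[f"A{i}"] = enclosing
        return plan
    raise ValueError(f"unknown level: {level}")

def utc(year):   # constructed sample times
    return datetime(year, 1, 1, tzinfo=timezone.utc)

NOW = utc(2024)
A_WITH_X = validation_plan("A", NOW, x_time=utc(2019), archive_times=[utc(2022), utc(2020)])
XL_NO_X = validation_plan("X-L", NOW)
```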

Clicking the Next button will display the Algorithms Settings page.

See also

General Settings

Trust Anchor Settings
Algorithms Settings
Path Discovery Settings
Path Validation Settings
Advanced Settings