No Formal Workgroup G. Queiroz Internet-Draft September 11, 2018 Intended status: Experimental Expires: March 15, 2019 JSON Unified Digital Signatures System Standard 1 draft-judsys1-02 Abstract A simple digital signature standard designed to be used by regular people and to be of mandatory acceptance and to replace PAdES, XAdES and CAdES. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 15, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Queiroz Expires March 15, 2019 [Page 1] Internet-Draft JUDSYS1 September 2018 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Right of Implementation . . . . . . . . . . . . . . . . . 5 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1. Files . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1. File extensions . . . . . . . . . . . . . . . . . . . 6 2.2. Strings . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.3. Dates . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.4. Country-like codes . . . . . . . . . . . . . . . . . . . 7 2.5. Certificate chains . . . . . . . . . . . . . . . . . . . 8 3. Certificates . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Subject Attributes . . . . . . . . . . . . . . . . . . . 10 3.2.1. id . . . . . . . . . . . . . . . . . . . . . . . . . 10 3.2.2. INT/type . . . . . . . . . . . . . . . . . . . . . . 10 3.2.3. INT/names . . . . . . . . . . . . . . . . . . . . . . 10 3.2.4. INT/parents . . . . . . . . . . . . . . . . . . . . . 11 3.2.5. INT/guardians . . . . . . . . . . . . . . . . . . . . 11 3.2.6. INT/emails . . . . . . . . . . . . . . . . . . . . . 12 3.2.7. INT/phones . . . . . . . . . . . . . . . . . . . . . 12 3.2.8. INT/addresses . . . . . . . . . . . . . . . . . . . . 13 3.2.9. INT/pictures . . . . . . . . . . . . . . . . . . . . 13 3.2.10. INT/passports . . . . . . . . . . . . . . . . . . . . 14 4. Certification Chain . . . . . . . . . . . . . . . . . . . . . 15 4.1. Public Key Infrastructure . . . . . . . . . . . . . . . . 15 4.2. Nameless Certificates . . . . . . . . . . . . . . . . . . 15 4.3. Revocation . . . . . . . . . . . . . . . . . . . . . . . 16 5. Proof of attribute . . . . . . . . . . . . . . . . . . . . . 16 5.1. Standard attributes . . . . . . . . . . . . . . . . . . . 16 5.1.1. INT/job . . . . . . . . . . . . . . . . . . . . . . . 16 6. Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 17 6.1. Standard attributes . . . . . . . . . . . . . . . . . . . 17 6.1.1. reason . . . . . . . . . . . . . . . . . . . . . . . 17 6.1.2. location . . . . . . . . . . . . . . . . . . . . . . 18 6.1.3. date . . . . . . . . . . . . . . . . . . . . . . . . 19 6.1.4. file . . . . . . . . . . . . . . . . . . . . . . . . 19 6.1.5. counter-signs . . . . . . . . . . . . . . . . . . . . 19 6.1.6. implementation . . . . . . . . . . . . . . . . . . . 19 6.2. Signature Request . . . . . . . . . . . . . . . . . . . . 19 7. Internet APIs . . . . . . . . . . . . . . . . . . . . . . . . 20 7.1. Online RESTful . . . . . . . . . . . . . . . . . . . . . 20 7.1.1. Sign certificate . . . . . . . . . . . . . . . . . . 20 7.1.2. Certificate revocation status . . . . . . . . . . . . 20 7.1.3. Time-stamps Authorities . . . . . . . . . . . . . . . 20 7.2. Browser interaction . . . . . . . . . . . . . . . . . . . 20 8. Smart-cards/Smart-phones . . . . . . . . . . . . . . . . . . 20 Queiroz Expires March 15, 2019 [Page 2] Internet-Draft JUDSYS1 September 2018 9. Security and Usability Considerations . . . . . . . . . . . . 20 9.1. Graphical representation . . . . . . . . . . . . . . . . 20 9.2. Mixing digital and paper signatures . . . . . . . . . . . 21 9.3. Dynamic Content . . . . . . . . . . . . . . . . . . . . . 21 9.4. Accidental changes . . . . . . . . . . . . . . . . . . . 22 9.5. Archive files . . . . . . . . . . . . . . . . . . . . . . 23 9.6. User misinterpretation and excessive trust on the machine 23 9.7. Certificate and password sharing . . . . . . . . . . . . 23 9.8. Cloud usage . . . . . . . . . . . . . . . . . . . . . . . 23 9.9. Side channel attacks . . . . . . . . . . . . . . . . . . 23 9.10. Document replacement . . . . . . . . . . . . . . . . . . 23 10. Language Specific Rules . . . . . . . . . . . . . . . . . . . 23 10.1. Portuguese . . . . . . . . . . . . . . . . . . . . . . . 23 10.1.1. Unicode Support . . . . . . . . . . . . . . . . . . 23 10.1.2. Standard Translations . . . . . . . . . . . . . . . 23 11. Country Specific Rules . . . . . . . . . . . . . . . . . . . 24 11.1. Brazil . . . . . . . . . . . . . . . . . . . . . . . . . 24 11.2. Subject Attributes . . . . . . . . . . . . . . . . . . . 25 11.2.1. BRA/CPF . . . . . . . . . . . . . . . . . . . . . . 25 11.2.2. BRA/CNPJ . . . . . . . . . . . . . . . . . . . . . . 25 11.2.3. BRA/RNE . . . . . . . . . . . . . . . . . . . . . . 25 11.2.4. BRA/RGs . . . . . . . . . . . . . . . . . . . . . . 25 11.2.5. BRA/Titulo de Eleitor . . . . . . . . . . . . . . . 26 11.2.6. BRA/NIT . . . . . . . . . . . . . . . . . . . . . . 26 12. JSON Schemas . . . . . . . . . . . . . . . . . . . . . . . . 26 12.1. Certificate File (.j1c) . . . . . . . . . . . . . . . . 26 12.2. Private Keys File (.j1k) . . . . . . . . . . . . . . . . 27 12.3. Proof of Attribute File (.j1a) . . . . . . . . . . . . . 28 12.4. Detached Digital Signature File (.j1s) . . . . . . . . . 28 12.5. Document Signature . . . . . . . . . . . . . . . . . . . 28 12.5.1. Unsigned Document Signature . . . . . . . . . . . . 28 12.5.2. Signed Document Signature . . . . . . . . . . . . . 30 12.6. Encrypted File (.j1e) . . . . . . . . . . . . . . . . . 30 12.7. Revocation Information File (.j1r) . . . . . . . . . . . 30 12.8. Hash (optionally salted) . . . . . . . . . . . . . . . . 30 12.9. AES-256-CBC . . . . . . . . . . . . . . . . . . . . . . 31 12.10. Argon2 . . . . . . . . . . . . . . . . . . . . . . . . . 32 12.11. ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . 32 12.12. Encrypted Object . . . . . . . . . . . . . . . . . . . . 32 12.13. Signed Object . . . . . . . . . . . . . . . . . . . . . 34 12.14. Key . . . . . . . . . . . . . . . . . . . . . . . . . . 34 12.14.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . 35 12.14.2. ECDSA Public Key . . . . . . . . . . . . . . . . . 36 12.15. Entity (subject) . . . . . . . . . . . . . . . . . . . . 37 12.16. Address . . . . . . . . . . . . . . . . . . . . . . . . 39 12.17. Passport . . . . . . . . . . . . . . . . . . . . . . . . 40 12.18. Certificates . . . . . . . . . . . . . . . . . . . . . . 41 12.18.1. Unsigned Certificate . . . . . . . . . . . . . . . 41 Queiroz Expires March 15, 2019 [Page 3] Internet-Draft JUDSYS1 September 2018 12.18.2. Signed Certificate . . . . . . . . . . . . . . . . 42 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 13.1. Normative References . . . . . . . . . . . . . . . . . . 43 13.2. Informative References . . . . . . . . . . . . . . . . . 43 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 44 1. Introduction Currently, ITI, the government body responsible of ICP-Brasil, Brazil's PKI (Public Key Infrastructure), endorses three different standards: CAdES, XAdES and PAdES. Since they are all based on X.509 which is used in SSL, there should be an abundance of good software libraries and end user applications to support at least one of these standard. This is not the case. While there have been some efforts to write open source libraries and end user applications for ICP-Brasil, they are hard to find and most seem unfinished and abandoned. ITI provides a digital signature verification web tool, but it is only for CAdES and doesn't seem to work well. PAdES is a monster of its own kind. In an attempt to replicate the paper experience in the digital world, a PDF file can be signed, edited and resigned by another person in a way that they signed over different version of the same document. This is both hard to implement and hard to explain to end users. To make matters worse, PDF readers almost never come with the necessary CAs to verify ICP-Brasil digital signatures. Perhaps as result of this mess of different standards, the ITI admits that, no one is obliged to accept digital signatures in Brazil (see [ITI-FAQ-21]). This situation is unacceptable. We need a digital signature standard that: 1. Is easy for programmers to implement. Including reference libraries in multiple languages. 2. Is easy for ordinary people to use on a day to day basis. 3. Has strict rules to avoid interoperability problems. 4. Has mandatory acceptance by law. Queiroz Expires March 15, 2019 [Page 4] Internet-Draft JUDSYS1 September 2018 This document aims to provide a digital signature standard that address points one through three. Hopefully, this standard may fulfil the fourth point in the near future. 1.1. Right of Implementation Any person, group or organization can freely implement this standard so long as the implementation is complete. 1.2. Terminology The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [RFC2119]. All apps MUST use the standard translations present in this document when they present in the Language specific rules section. *User*: A human being using a JUDSYS app. Unless otherwise specified, users MUST always be considered as non-tech-savvy people. *Signing app*: A computer program that digitally signs documents according to this standard. *Verifier app*: A computer program that verifies a digital signature according to this standard. (*App*) *JUDSYS app* or *implementation*: A computer program that is either a singing app or a verifier app or both. *Subject attributes*: Certain values that qualify the subject. Ex: email, full name, government issued identification numbers, et cetera. *Natural person*: A human begin. *Legal person*: A group of people who the Law considers to be its own person. *Software person*: A piece of software that acts in the name of a natural or legal person. *Digital signature*: (*PKI*) *Public Key Infrastructure*: (*KP*) *Key Pair*: Queiroz Expires March 15, 2019 [Page 5] Internet-Draft JUDSYS1 September 2018 *Certificate*: A short signed message that states a key pair is in the control of a specific subject. (*CA*) *Certificate Authority*: A certificate that is allowed to sign other certificates. This is, a CA is an entity (usually a company or government body) that ensures that the subject on a certificate is really the person it names. (*PA*) *Proof of attribute*: A short signed message in which the issuer certifies that a certain attribute is true. Examples: job titles and permissions delegated by the issuer to the subject. (*TA*) *Time-stamping Authority* This is very similar to the concept of attribute certificates. The names was changed to avoid using the "certificate" in two different contexts that may confuse users. *ICAO*: International Civil Aviation Organization. *JSON*: JavaScript Object Notation. 2. Encoding 2.1. Files All JUDSYS-1 files are JSON encoded with UTF-8. To avoid canonicalization problems, all signed messages are encoded in base64. Example: {"b": 1, "a":2} // becomes { "raw": "eyJiIjogMSwgImEiOjJ9Cg==", // This is to aid humans debugging, not for machines to use "what": "JUDSYS-1 base64" } 2.1.1. File extensions All JUDSYS-1 extensions begin with ".j1" (dot, jay, one). For JUDSYS-1 files, all apps MUST use only the file extensions show below: Queiroz Expires March 15, 2019 [Page 6] Internet-Draft JUDSYS1 September 2018 +-----------+------------------------------------------+ | Extension | Usage | +-----------+------------------------------------------+ | ".j1c" | Certificates (no private keys) | | ".j1a" | A single proof of attribute | | ".j1k" | Certificates with the private keys | | ".j1s" | Detached digital signature | | ".j1e" | Encrypted file | | ".j1r" | Revocation information | | ".j1d" | Reserved for a future WYSIWYS [1] format | +-----------+------------------------------------------+ 2.2. Strings All apps MUST have proper Unicode support and fonts to display any characters that may be necessary for the country of intended use. This is, an app for France MUST have fonts with accented characters, but MAY have no CJK nor Cyrillic support. An app for Russia MUST have Cyrillic and Latin support, but MAY have no CJK or Mongolian support. It is RECOMMENDED to store string in NFC (Normal Form Composition). It is RECOMMENDED that all apps support as much Unicode characters and scripts as possible. It is also RECOMMENDED that all apps include the necessary fonts. Emoji usage is discouraged. 2.3. Dates All dates MUST be encoded as strings according to the [RFC3339]. If the time is not available, it MUST be assumed to be midnight. Times MUST NOT include fractions of a second. 2.4. Country-like codes In this spec, country-like means any sovereign state, international organization or similar. For example, the United Nations, the European Union, the UK and the International Court of Justice are country-like but England and Wales are not. All countries-like MUST be represented by the upper case three letter codes defined on ISO 3166-1 alpha-3. If a country-like does not have such code, it MUST be full English name with spaces and proper Queiroz Expires March 15, 2019 [Page 7] Internet-Draft JUDSYS1 September 2018 capitalization. Ex: "Principality of Sealand" not "principality of sealand" nor "PrincipalityOf_Sealand". International organizations MUST use their upper case English acronym and their full English name separated by a hyphen with spaces on both sides. Ex: "ICAO - International Civil Aviation Organization" and "ICJ - International Court of Justice". Special cases are: 1. "UN" for the United Nations (already on the ISO 3166-1 alpha-2). 2. "EU" for the European Union (already on the ISO 3166-1 alpha-2). 3. "INT" for international things such as passports, names and date of birth. 4. "MERCOSU" for the Southern Common Market, Mercosur in Spanish and Mercosul in Portuguese. 5. "UNASU" for the Union of South American Nations, UNSAUR in Spanish and UNASUL in Portuguese. 6. "NAFTA" for the North American Free Trade Agreement. 7. "HOAX" for URSAL - Uniao das Republicas Socialistas da America Latina. (just a joke, non-normative) 2.5. Certificate chains All JUDSYS-1 certification chains are simple trees with root CAs at the top. Cross-signing or other complicated methods MUST NOT be used. All JUDSYS-1 files MUST include exactly all the necessary certificates, attribute certificates and revocation files for verifying the file in question. An exception is made to the root CAs which MUST NOT be included in any JUDSYS-1 file, as they MUST be a part of the apps themselves, preferably in the implementation source code. 3. Certificates A certificate is a signed message in which the issuer certifies that the subject has those keys. A certificate is an object with the following keys: Queiroz Expires March 15, 2019 [Page 8] Internet-Draft JUDSYS1 September 2018 1. "subject": An entity describing the subject. 2. "issuer": The key id of the issue-certs key of the CA. 3. "notBefore": The time in which the certificate starts being valid. 4. "notAfter": The time in which the certificate expires. 5. "keys": An array holding multiple public keys. 6. "public-faith": An array of of strings indicating which types of signature the subject has "public-faith". This is, what hey say is assumed to be e true. 3.1. Keys All keys are encoded as a dictionaries, which MUST have the following keys: 1. "algorithm" 2. "id": A hash of the key that uniquely identifies it. 3. "usage": An enum that indicates what the key may be used for. Possible values: 1. "signing": The key is used only to sign digital documents, issue and revoke attribute certificates. 2. "identification": They key is used only to identify the subject. Ex: login. 3. "encryption": The key is used only for any person to encrypt messages to the subject. 4. "certification": The key is used only to issue digital certificates. 5. "revocation": They key is used only to issue certificate revocations. Each key MUST NOT be used in any algorithms other than the one prescribed on the key "usage". Key material MUST NOT be reused. Queiroz Expires March 15, 2019 [Page 9] Internet-Draft JUDSYS1 September 2018 3.2. Subject Attributes Attributes in the singular are a single value and attributes in the plural are arrays. The CA MUST verify the attributes it will use on certificates it issues. If any verification is not done or fails, the corresponding attributes MUST NOT be included in the issued certificate. Examples: 1. If the CA fails to verify that a phone number really belongs to the subject, it MUST never be included. 2. If the subject of the certificate to be issued forgets to bring their USA/SSN, this attribute MUST NOT be included in the certificate. A CA MAY refuse to issue a certificate if essential properties could not verified. Examples: INT/name, USA/SSN, BRA/RG, BRA/CPF. 3.2.1. id A string pointing to an attribute which no other entity shares that value. Examples: "BRA/CPF", "USA/SSN", "INT/passports:number". This is, two entities are the same when their respective ids (attribute name and value) match. The reverse is not guaranteed. The syntax is "" or ":". If there is an array, the first value is always used as if it were the only one. 3.2.2. INT/type An enum describing the type of the subject. Possible values are: "natural person", "legal person", and "other" (ex: software). 3.2.3. INT/names Each name is a one line Unicode string. Each name entry SHOULD be at most 5 KiB long. All apps MUST support such long names. They MAY, however, show only the beginning of the name by default and have a simple way to show the full name. Example: a tooltip or a button close to the name. There MUST be at least one name in the "INT/names" attribute. Queiroz Expires March 15, 2019 [Page 10] Internet-Draft JUDSYS1 September 2018 Any prefixes, suffixes, infixes, honorifics and similar things attached to the name MUST be verified. Example: a person may never use the prefix "Dr." if they have no valid doctorates degree. Generic prefixes like "Mr." or "Ms." and job titles MUST NOT be included in any of the names. For legal persons, it is RECOMMENDED to follow the convention: "() " Examples: 1. (USP) Universidade Sao Paulo 2. Monsters Inc. 3. Empresa Qualquer Servicos e Comercio LTDA For natural persons, it is RECOMMENDED to follow the convention: "() " Examples: 1. Dennis MacAlister Ritchie 2. (FHC) Fernando Henrique Cardoso 3. (Dom Pedro II) Pedro de Alcantara Joao Carlos Leopoldo Salvador Bibiano Francisco Xavier de Paula Leocadio Miguel Gabriel Rafael Gonzaga 3.2.4. INT/parents An array of entities. The order MUST NOT be assigned any meaning. The array MAY have any number of elements. The "INT/parents" attribute MAY lead to a recursive behaviour. This attribute SHOULD NOT exceed the grandparents generations. Example: [ {"id": "BRA/CPF", "INT/names": ["Joao da Silva"], "BRA/CPF": "123.456.789-00"}, {"id": "BRA/CPF", "INT/names": ["Maria da Silva"], "BRA/CPF": "987.654.321-00"}, {"id": "BRA/CPF", "INT/names": ["Joaquim Freitas"], "BRA/CPF": "987.654.321-00"} ] 3.2.5. INT/guardians Pretty much the same as the "INT/parents" attribute. Queiroz Expires March 15, 2019 [Page 11] Internet-Draft JUDSYS1 September 2018 It it is present, the entities "INT/parents" MUST NOT be considered as legal guardians. It is absent, the entities "INT/parents" MAY be assumed to be legal guardians. Example: [ {"id": "BRA/CPF", "INT/names": ["Joao da Silva"], "BRA/CPF": "123.456.789-00"}, {"id": "BRA/CPF", "INT/names": ["Maria da Silva"], "BRA/CPF": "987.654.321-00"}, {"id": "BRA/CPF", "INT/names": ["Joaquim Freitas"], "BRA/CPF": "987.654.321-00"} ] 3.2.6. INT/emails An array of the subject's email addresses. The fist entry is considered the main one. The subject MAY have no email address. It is RECOMMENDED to have at least one ASCII-only email address. Examples: // Okay: [] ["someone@example.com"] ["jose@construcoes-ltda.br", "jose@construcoes-ltda.br"] ["jose@construcoes-ltda.br", "jose@xn--construes-ltda-mjb8t.br"] ["jose@construcoes-ltda.br", "jose@construcoes-ltda.br", "jose@xn--construes-ltda-mjb8t.br"] ["jose@construcoes-ltda.br"] ["jose@construcoes-ltda.br", "jose@construcoes-ltda.br"] 3.2.7. INT/phones For SPAM/robo-calling prevention the subject MUST have the right to refuse the inclusion of the "INT/phone" attribute. The phone numbers MUST be encoded as a string array. Each element of that array represents one phone number and MUST include the country and area codes. The country code part MUST begin with a "+" (plus sign) and have a space to separate it from the rest of the number. This is mainly to aid humans, by separating the international part from the local one. Queiroz Expires March 15, 2019 [Page 12] Internet-Draft JUDSYS1 September 2018 The rest of the number SHOULD follow the traditions and conventions of the country in question and MAY include punctuation. Examples: // Okay: [] ["+55 (11) 0 0000-0000", "+55 0800 000"] // Wrong: ["+55(11) 0 0000-0000", "+550800000", "55 0800 000"] Note: This attribute is intended to be used by some legal persons and by pretty much no natural persons. 3.2.8. INT/addresses For security reasons the subject MUST have the right to refuse the inclusion of "INT/address" attribute. 3.2.9. INT/pictures For privacy reasons the subject SHOULD have the right to refuse the inclusion of "INT/pictures" attribute. The CA, however, CAN require this attribute but its is encouraged not to require it. The picture MUST always be static: no animated GIFs or similar. For natural persons the image MUST be picture of the subject. The specific are left to the CA, but it SHOULD follow the traditions and conventions of the CA's country. One suggestion for CAs is to follow the ICAO guidelines on photos for passports (see [ICAO-9303]). For legal persons the image MUST be a logo or other symbol that represents the subject. It MUST NOT be a picture of the owners or of the place where the subject is. Again, specific are left to the CA. Support for this property in apps is OPTIONAL but RECOMMENDED to those that have a GUI. Those that decide to implement this property MUST be able do decode both JPEG and PNG. The picture MUST be data URL encoded using base64 and MUST NOT exceed 1 MiB. The size restriction applies to the image itself, not to the string that encodes it. Queiroz Expires March 15, 2019 [Page 13] Internet-Draft JUDSYS1 September 2018 The picture MUST NOT be rotated using metadata (see [JPEG-HOFF]) regardless of the file type (JPGE or PNG or other). Example: (Tux, the Linux mascot) ["data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD//gAiUmVzaXplZCB3aXRoIGV6Z2lmLmNvbSBHSUYgbWFrZXL/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7/wAARCAAmACADASIAAhEBAxEB/8QAGQAAAwEBAQAAAAAAAAAAAAAABgcIAAUE/8QALRAAAQMDAgQFAwUAAAAAAAAAAQIDBAUGEQAHEiExQQgTFCJxFVGBMlJhcrH/xAAXAQEBAQEAAAAAAAAAAAAAAAADAgQF/8QAJhEAAgICAQMCBwAAAAAAAAAAAQIDBAARMQUhQRNxEhQigaHR8P/aAAwDAQACEQMRAD8AsvUleN/cDcWk1yNb1lyajTqbGhtyajLhZStS3XFIbQVjmB7eg6lXPtqtdIDcOnRbm3bqkyNR/rkWkw40GTggoRJKnFlscsFQSWyRk4ynvrNbnavC0ioXI8Dk4kSB3Ck698C/CbuduEncRG2u4Sp77kmnqlRXZ6wt9C0ZJHEOZSUhXI5IKfkarPUYXbHVs34gLGvKsQU06hSWnI3C0StDJdW55xUScgguhZ65GemNWWy4260h1paVtrSFJUk5CgehB+2kgkMsauVKk+DyPfWS6/CxG94Gb4Xi1Ym19auFTwbktx1NQh3XJWOFsAdzxHPwDrw7AWc7ZO2NLpk6U/JqcsmdUHXFlSlyHfevJ6nGQM98Z0P7xRYF8Nrt2tQEKhwZfmtKS4oLDqUlKVgggAjiJAORrsbN3nWLglVS3bho70eo0QoHr22iIs5pYPAtB6JXge5HY9P45dPrtO7akqxH6k58cHR17HnNM1KWGNZGHY5w/F5Y0C7dnKxMkrd9RRmVVGN7iQC2CVDGeWUcQ+caFvANe0y4ttqhbdRkuSXrfkpbjuOElXpnEkoSf6lKwPsMDtpj7+TfUWbLtGLLYaqFdhyGG0KUCrgKCFK4evCOIZP40u/B9ZI22g1KJWJTDlSqzjZU42CEAI4glHPv7lHOBn8aSbrVOCyKsr6c60D53v8AWSlSV4/VUbGNavWIuXKel02ruR3nlqcLb7QdQVHmeYwQPydB7G1941SpuTX7/n2021llLVCXzewf1OFxOOXYBJIz11tbRJ0ajBdWzHGA533G/P4xDbmeEozbHbOKrYOZQLoXetPvWq1+rqbLL/157jy2f2rQnII5YGMdemmzaFqtU2O1KqCm5dQ5KKwD5bZ+yAf9PP41tbSN02rLe+ZdAXAGif7X35yRYlWD0w2hvP/Z"] 3.2.10. INT/passports Each passport is encoded as a dictionary with the following keys: 1. "type": Indicates the type of document, for passports this is a "P". 2. "number": A string, which MAY contain letters, the identifies this passport. 3. "country": The country that issued the passport. 4. "surname": The subject's last name. 5. "given_name": The subject's first name. 6. "nationality": The subject's nationality. 7. "date_of_birth": The subject's date of birth. 8. "place_of_birth": The subject's place of birth. 9. "personal_number": An id number identifying the subject. 10. "sex": The sex or gender of the subject. Note that "X" and other characters may be used instead of the traditional "F" and "M". 11. "date_of_issue": The date in which the passport was issued. 12. "date_of_expiry": The date in which the passport will expire. 13. "MRZ": the contents on the MRZ (machine readable zone). Only "type", "country" and "number" MUST be present. The "given_name" and "surname" are OPTIONAL because some people may have no first or last name. However, at least one of them MUST be included. Queiroz Expires March 15, 2019 [Page 14] Internet-Draft JUDSYS1 September 2018 Except of dates, it is RECOMMENDED that all fields match the way they are presented on the VIZ (Visual Inspection Zone), rather than the MRZ. { "type": "P", "country": "UTO", // This **MAY NOT** match ISO 3166-1, read ICAO Doc 9303 (pages 22 to 29) for details. "number": "L898902C3", "surname": "ERIKSSON", "given_name": "ANNA MARIA", "nationality": "UTOPIAN", "date_of_birth": "1974-08-12", "place_of_birth": "ZENITH", "personal_number": "Z E 184226 B", "sex": "F", /* Do NOT assume it is "F" or "M", other characters, such as "X" may de used. */ "date_of_issue": "2007-04-16", "date_of_expiry": "2012-04-15", "MRZ": "P/issue-cert/" Form: an unsigned certificate [2] on name "unsigned-certificate" Response: a signed certificate [3]. 7.1.2. Certificate revocation status Method: "GET" URL: "/status/" Response (main part): { "key-id": "", "revoked": true, "datetime": "2000-01-01T00:00:00" } 7.1.3. Time-stamps Authorities 7.2. Browser interaction 8. Smart-cards/Smart-phones 9. Security and Usability Considerations 👉 9.1. Graphical representation Implementations MUST NOT show any representation of the signatures within the document. Ex: a scanned signature on a corner of a page is forbidden, but showing the signatures in a side panel is allowed. Queiroz Expires March 15, 2019 [Page 20] Internet-Draft JUDSYS1 September 2018 9.2. Mixing digital and paper signatures The implementations MUST NOT encourage the user to print a digital document which already has signatures and add regular signatures to the printed version. Rather, all paper signatures MUST be done first, then the document SHOULD be scanned by a notary or equivalent and then digital signatures may be added to the resulting file. 9.3. Dynamic Content All signing apps MUST warn the user when the document they are trying to sign seems to have dynamic content. All signing apps MUST NOT show the warning to the user if they have checked and failed to find signs of dynamic content on the file being signed. If a signing app cannot verify the file for dynamic content and it is not on the white list, it MUST warn the user about the possibility of dynamic content. For PDF, the verification, if implemented, MUST check for, and fail to find all of the following: 1. Any signs of JavaScript. 2. (👉 what else?) For HTML, the verification, if implemented, MUST check for, and fail to find all of the following: 1. The "