xml digital-signature x509 pades xades

How to tell if a XADES signature is QSCD compliant


I have an XML file which has been signed with XADES using qualified digital signature.

How do I tell if this signature is QSCD compliant?

Is this something:

I'm pretty sure this check can be technically performed as various validators can tell you this information. Below samples are from Adobe Acrobat Reader PADES signature verification, but it should work the same way for XADES:

QSCD compliant qualified digital signature

Non QSCD compliant qualified digital signature


Solution

  • After some investigation I figured this one out.

    Apparently, each signing certificate has a property called Certificate Policy, and that may directly refer to the EU's QSCD policy with OID 0.4.0.194112.1.3. More info on this OID here. If this OID reference is present in the signing certificate, then the signature can be deemed QSCD compliant (given all other formal qualified signature requirements are met).

    There may be cases where this OID is not directly present in the certificate. In such a case another OID should be present, and that OID may refer to the certificate issuer's custom policy. Then the matter becomes trickier, as each EU country may maintain its own TSL list where these custom OIDs are referenced. Supposedly national lists can be located under this address. Once you are able to locate the national TSL list, it is possible to find the certificate's OID and then locate the following node, which again proves that the signature is QSCD compliant:

    <Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithQSCD"/>
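
The two checks described in the answer, as an added example that is not part of the original answer: look for the policy OID directly, and otherwise look the certificate's policy OIDs up in a trusted list and check for the QCWithQSCD qualifier. It assumes the certificate's policy OIDs have already been extracted and that the trusted list's own signature has been verified; the function names, the trimmed list fragment and the issuer OID 1.3.6.1.4.1.99999.1.1 are constructed for illustration, and only policy identifiers are matched (other criteria a real list may carry are ignored).

```python
import xml.etree.ElementTree as ET

QSCD_POLICY_OID = "0.4.0.194112.1.3"  # OID named in the answer above
QSCD_QUALIFIER = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithQSCD"

# Constructed, heavily trimmed trusted-list fragment (not taken from a real list).
SAMPLE_TSL = """\
<Qualifications xmlns="http://uri.etsi.org/TrstSvc/SvcInfoExt/eSigDir-1999-93-EC-TrustedList/#"
                xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">
  <QualificationElement>
    <Qualifiers>
      <Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithQSCD"/>
    </Qualifiers>
    <CriteriaList assert="atLeastOne">
      <PolicySet>
        <PolicyIdentifier><xades:Identifier>urn:oid:1.3.6.1.4.1.99999.1.1</xades:Identifier></PolicyIdentifier>
      </PolicySet>
    </CriteriaList>
  </QualificationElement>
</Qualifications>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def qscd_policies_in_tsl(tsl_xml):
    """Return the policy OIDs that the list pairs with the QCWithQSCD qualifier."""
    oids = set()
    for el in ET.fromstring(tsl_xml).iter():
        if local(el.tag) != "QualificationElement":
            continue
        uris = {q.get("uri") for q in el.iter() if local(q.tag) == "Qualifier"}
        if QSCD_QUALIFIER not in uris:
            continue  # this element grants some other qualifier
        for ident in el.iter():
            if local(ident.tag) == "Identifier" and ident.text:
                # An identifier may be written as a URN; normalise to dotted form.
                oids.add(ident.text.strip().removeprefix("urn:oid:"))
    return oids

def qscd_evidence(cert_policy_oids, tsl_xml):
    """Say which of the two checks (if any) supports QSCD for these policy OIDs."""
    policies = set(cert_policy_oids)
    if QSCD_POLICY_OID in policies:
        return "certificate-policy"
    if policies & qscd_policies_in_tsl(tsl_xml):
        return "trusted-list-qualifier"
    return None
```

A `None` result only means neither check found evidence in the inputs given; it does not evaluate the other formal requirements the answer mentions.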