Summary
The current XAdES implementation has gaps against ETSI EN 319 132-1 (XAdES Building Blocks) and ETSI TS 103 171 (XAdES Baseline Profile) that affect interoperability and compliance for qualified electronic signatures under eIDAS.
Critical Gaps
1. SigningCertificate vs SigningCertificateV2
ETSI EN 319 132-1 Section 5.2.6 specifies that SigningCertificateV2 SHOULD be used; SigningCertificate is obsoleted and retained only for legacy signatures.
The current implementation emits the legacy xades:SigningCertificate with xades:IssuerSerial, which carries the issuer as a ds:X509IssuerName string plus a ds:X509SerialNumber. Modern validators expect xades:SigningCertificateV2 with xades:IssuerSerialV2, whose content is the base64 of the DER-encoded IssuerSerial structure from ESSCertIDv2 (RFC 5035). The DER form matches the certificate byte-for-byte, whereas the string form of a distinguished name depends on how the producer serialised it and is a recurring source of validation mismatches.
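The following is an added example, not code from the project: it builds the IssuerSerialV2 content by DER-encoding the RFC 5035 IssuerSerial structure with a minimal encoder and wraps it in a xades:SigningCertificateV2 element whose CertDigest algorithm is selectable. The issuer Name DER and certificate bytes are constructed placeholders (a real implementation takes both from the signer certificate), and the function names are this example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

XADES_NS = "http://uri.etsi.org/01903/v1.3.2#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xades", XADES_NS)
ET.register_namespace("ds", DS_NS)

# XML Signature URIs for the digest algorithms; a hardcoded implementation
# would only ever use the sha256 entry.
DIGEST_URIS = {
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha384": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value triple."""
    return bytes([tag]) + _der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a 0x00 pad is added when the top bit is set."""
    if value < 0:
        raise ValueError("certificate serial numbers are non-negative")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def issuer_serial_der(issuer_name_der: bytes, serial: int) -> bytes:
    """DER IssuerSerial from RFC 5035 ESSCertIDv2:
    IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber }
    GeneralNames ::= SEQUENCE OF GeneralName; GeneralName here is [4] EXPLICIT directoryName."""
    directory_name = der_tlv(0xA4, issuer_name_der)   # context tag [4], constructed
    general_names = der_tlv(0x30, directory_name)
    return der_tlv(0x30, general_names + der_integer(serial))


def issuer_serial_v2(issuer_name_der: bytes, serial: int) -> str:
    """Text content of xades:IssuerSerialV2: base64 of the DER IssuerSerial."""
    return base64.b64encode(issuer_serial_der(issuer_name_der, serial)).decode("ascii")


def cert_digest_b64(cert_der: bytes, digest: str) -> str:
    """Base64 digest of the certificate DER for xades:CertDigest/ds:DigestValue."""
    return base64.b64encode(hashlib.new(digest, cert_der).digest()).decode("ascii")


def signing_certificate_v2(cert_der: bytes, issuer_name_der: bytes, serial: int,
                           digest: str = "sha256") -> ET.Element:
    """Build xades:SigningCertificateV2 with a selectable CertDigest algorithm."""
    if digest not in DIGEST_URIS:
        raise ValueError(f"unsupported digest {digest!r}; use one of {sorted(DIGEST_URIS)}")
    root = ET.Element(f"{{{XADES_NS}}}SigningCertificateV2")
    cert = ET.SubElement(root, f"{{{XADES_NS}}}Cert")
    cert_digest = ET.SubElement(cert, f"{{{XADES_NS}}}CertDigest")
    ET.SubElement(cert_digest, f"{{{DS_NS}}}DigestMethod", Algorithm=DIGEST_URIS[digest])
    ET.SubElement(cert_digest, f"{{{DS_NS}}}DigestValue").text = cert_digest_b64(cert_der, digest)
    # IssuerSerialV2 replaces the legacy xades:IssuerSerial (X509IssuerName string +
    # X509SerialNumber); the DER form is compared byte-for-byte by validators.
    ET.SubElement(cert, f"{{{XADES_NS}}}IssuerSerialV2").text = issuer_serial_v2(issuer_name_der, serial)
    return root


def render(element: ET.Element) -> str:
    return ET.tostring(element, encoding="unicode")


# Constructed sample inputs (not real PKI material): an X.501 Name with the single
# RDN CN=Test CA, hand-encoded in DER, and stand-in bytes for a certificate.
SAMPLE_ISSUER_NAME_DER = bytes.fromhex("3012" "3110" "300e" "0603550403" "0c07" "54657374204341")
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))   # placeholder, not a parsable certificate
SAMPLE_SERIAL = 0x1234

if __name__ == "__main__":
    print(render(signing_certificate_v2(SAMPLE_CERT_DER, SAMPLE_ISSUER_NAME_DER, SAMPLE_SERIAL, "sha384")))
```

The DER encoder is deliberately minimal (SEQUENCE, INTEGER and the [4] context tag are all IssuerSerial needs); a production signer would take the issuer Name DER straight from the certificate's TBSCertificate rather than re-encoding it, so that the bytes match what the validator extracts.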
2. No ArchiveTimeStamp Support
ETSI EN 319 132-1 requires xadesv141:ArchiveTimeStamp for B-LTA level signatures. The current implementation only supports xades:SignatureTimeStamp.
SignatureTimeStamp ≠ ArchiveTimeStamp. A SignatureTimeStamp covers only ds:SignatureValue and proves that the signature existed at a point in time. An ArchiveTimeStamp additionally covers the signed data, the other unsigned properties and the embedded certificate and revocation values, so the whole validation bundle can be re-time-stamped before the earlier TSA keys or algorithms weaken. True B-LTA requires ArchiveTimeStamp for long-term validation and for renewing/extending the signature.
3. XAdES Namespace Version
The implementation uses only the namespace http://uri.etsi.org/01903/v1.3.2#. That namespace remains correct for the core qualifying properties under ETSI EN 319 132-1; the v1.4.1 namespace (http://uri.etsi.org/01903/v1.4.1#, conventionally prefixed xadesv141) is defined for the elements added in XAdES 1.4.1, such as ArchiveTimeStamp and TimeStampValidationData. The gap is that the implementation never declares or uses the v1.4.1 namespace, so none of those elements can be emitted in the form validators recognise; an ArchiveTimeStamp placed in the v1.3.2 namespace is the older, deprecated element and is not the one B-LTA requires.
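To make the ArchiveTimeStamp and namespace points concrete, here is an added example (not project code) that inspects a XAdES signature and reports which baseline-level building blocks are present, distinguishing a xadesv141:ArchiveTimeStamp from an ArchiveTimeStamp left in the v1.3.2 namespace. The sample signatures are constructed skeletons with placeholder base64 content, and the level logic only checks presence of the properties, not their validity; a real validator also verifies the time-stamp tokens and the chain.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"      # base XAdES schema, still used by EN 319 132-1
XADES141 = "http://uri.etsi.org/01903/v1.4.1#"   # elements added in XAdES 1.4.1 (ArchiveTimeStamp, ...)


def _has(root: ET.Element, ns: str, local: str) -> bool:
    """True if an element {ns}local occurs anywhere below root."""
    return root.find(f".//{{{ns}}}{local}") is not None


def xades_report(xml_text: str) -> dict:
    """Presence of the properties that define the baseline levels."""
    root = ET.fromstring(xml_text)
    return {
        "signing_certificate_v2": _has(root, XADES, "SigningCertificateV2"),
        "signing_certificate_legacy": _has(root, XADES, "SigningCertificate"),
        "signature_timestamp": _has(root, XADES, "SignatureTimeStamp"),
        "certificate_values": _has(root, XADES, "CertificateValues"),
        "revocation_values": _has(root, XADES, "RevocationValues"),
        "archive_timestamp": _has(root, XADES141, "ArchiveTimeStamp"),
        # Same local name, wrong namespace: the deprecated XAdES 1.3.2 element.
        "legacy_archive_timestamp": _has(root, XADES, "ArchiveTimeStamp"),
    }


def baseline_level(report: dict) -> str:
    """Highest baseline level whose required properties are all present (levels are cumulative)."""
    if not (report["signing_certificate_v2"] or report["signing_certificate_legacy"]):
        return "none"
    if not report["signature_timestamp"]:
        return "B-B"
    if not (report["certificate_values"] and report["revocation_values"]):
        return "B-T"
    return "B-LTA" if report["archive_timestamp"] else "B-LT"


# Constructed sample: a B-LTA skeleton with placeholder tokens and empty value containers.
SIG_LTA = f"""<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}" xmlns:xadesv141="{XADES141}" Id="sig-1">
  <ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
  <ds:Object>
    <xades:QualifyingProperties Target="#sig-1">
      <xades:SignedProperties Id="sp-1">
        <xades:SignedSignatureProperties>
          <xades:SigningCertificateV2><xades:Cert/></xades:SigningCertificateV2>
        </xades:SignedSignatureProperties>
      </xades:SignedProperties>
      <xades:UnsignedProperties>
        <xades:UnsignedSignatureProperties>
          <xades:SignatureTimeStamp><xades:EncapsulatedTimeStamp>dHN0</xades:EncapsulatedTimeStamp></xades:SignatureTimeStamp>
          <xades:CertificateValues/>
          <xades:RevocationValues/>
          <xadesv141:ArchiveTimeStamp><xades:EncapsulatedTimeStamp>YXRz</xades:EncapsulatedTimeStamp></xadesv141:ArchiveTimeStamp>
        </xades:UnsignedSignatureProperties>
      </xades:UnsignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>"""

# Same skeleton with the archive time-stamp emitted in the v1.3.2 namespace by mistake.
SIG_WRONG_NS = SIG_LTA.replace("xadesv141:ArchiveTimeStamp", "xades:ArchiveTimeStamp")

if __name__ == "__main__":
    for name, xml in (("correct", SIG_LTA), ("wrong namespace", SIG_WRONG_NS)):
        print(name, "->", baseline_level(xades_report(xml)))
```

Running it prints B-LTA for the first skeleton and B-LT for the second: the element is there, but in the namespace of the deprecated XAdES 1.3.2 ArchiveTimeStamp, which is what a validator built on EN 319 132-1 would also conclude.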
High Priority Gaps
4. Incomplete CertificateValues for B-LT/B-LTA
ETSI TS 103 171 Clause 8 (the requirement is carried over into the baseline levels of ETSI EN 319 132-1) requires B-LT signatures to include in xades:CertificateValues every certificate needed to validate the signature, its time-stamps and its OCSP responses that is not already present in ds:KeyInfo. Currently:
- Root CA certificate embedding is optional
- OCSP responder certificate embedding is optional
- TSA certificates are not automatically extracted and embedded
5. Hardcoded Digest Algorithm
ETSI EN 319 132-1 does not fix a single digest algorithm; it defers to the ETSI cryptographic suites (TS 119 312), under which SHA-256, SHA-384 and SHA-512 are all expected to be usable for every digest. Currently SHA-256 is hardcoded throughout (document digests, SignedProperties digest, certificate digest), so a signature policy or validator profile that mandates SHA-384 or SHA-512 cannot be honoured.
Medium Priority Gaps
6. Hardcoded Signature Policy
The implementation has a hardcoded BDOC 2.1 policy (OID 1.3.6.1.4.1.10015.1000.3.2.1) in xades:SignaturePolicyIdentifier. There is no way to configure another policy, and the two other cases XAdES allows are not supported: omitting SignaturePolicyIdentifier altogether (no explicit policy, the XAdES-BES form, which the baseline profile permits) and xades:SignaturePolicyImplied (policy implied by context).
7. Missing CompleteCertificateRefs/CompleteRevocationRefs
Some extended (non-baseline) XAdES forms, such as XAdES-C, require xades:CompleteCertificateRefs and xades:CompleteRevocationRefs, i.e. identifiers and digests of the certificates and revocation data, and not just the embedded values; ETSI EN 319 132-2 is the current specification of those forms.
Impact
- Interoperability: Signatures may not validate with modern EU validators (the EU DSS library, the ETSI conformance checker)
- Legal validity: Gaps affect compliance for qualified electronic signatures under eIDAS
- Long-term validity: Without ArchiveTimeStamp, signatures cannot be renewed for long-term archival
Current Baseline Level Support
| Level | ETSI Name | Status |
|---|---|---|
| B-B | Basic | Partial |
| B-T | Timestamp | Partial |
| B-LT | Long-Term | Partial |
| B-LTA | Long-Term Archive | Not compliant |
References
- ETSI EN 319 132-1 - XAdES Building Blocks
- ETSI TS 103 171 - XAdES Baseline Profile
- RFC 5035 - ESSCertIDv2