CAdES Signature Policy - Meaning and Purpose

In a CAdES (CMS Advanced Electronic Signatures) signature, the Signature Policy Identifier (which includes a URL and a hash) plays a key role in defining the rules and requirements that the signer agrees to follow when generating the signature.

Purpose of the Signature Policy

The signature policy defines:

  • The legal, technical, and procedural rules under which the signature was created.
  • How the signature should be validated and interpreted (e.g., allowed algorithms, acceptable certificate chains, timestamping, etc.).

Signature Policy ID

  • The CAdES Signature Policy ID is an identifier included in a CAdES signature that specifies the exact signature policy the signer followed.
  • The Signature Policy ID tells the verifier what rules the signer agreed to (e.g., cryptographic algorithms, certificate validation), and ensures those rules are uniquely and verifiably identified.

Example:

2.16.76.1.7.1.1.1

Signature Policy URL (sigPolicyIdsigPolicyQualifier)

  • This is a URL (or OID) pointing to the formal document that defines the policy.
  • It tells verifiers:

    “This signature was made according to this specific policy. Here’s where to read it.”

Example:

http://politicas.icpbrasil.gov.br/PA_AD_RB.der

Signature Policy Hash (sigPolicyHash)

  • This is a hash of the actual policy document at the time the signature was created.
  • It ensures integrity and immutability — the verifier can be certain the signer was referring to that exact version of the policy.
  • Prevents tampering if the document at the URL changes later.

Example (base64 SHA-256 hash of the .der):

uSEBa9A6chxhAQvq7FNBoAQGpcvC84AFibnLHXJ98Go=

Why It Matters

  1. Legal Assurance – If challenged, the signer can prove they followed a specific, verifiable policy.
  2. Validation Rules – The signature verifier can apply rules from the same policy to validate the signature correctly.
  3. Non-repudiation – The signer cannot later claim they followed different or no rules.

Summary

In a CAdES signature, the policy URL points to the signature policy document, and the policy hash ensures that the verifier uses the exact version the signer agreed to. Together, they make the signature legally binding, verifiable, and traceable.

Chilkat Articles