Explaining CAdES-BES
A CAdES-BES (CMS Advanced Electronic Signature – Basic Electronic Signature) signature builds on CMS (Cryptographic Message Syntax, i.e., PKCS#7 or RFC 5652) and must include certain features to be compliant with the ETSI TS 101 733 standard.
Required Features of a CAdES-BES Signature
To qualify as CAdES-BES, the CMS signature must include at least the following:
1. CMS `SignedData` structure
- Standard CMS container used for detached or attached signatures.
2. A valid CMS signature
- Uses a recognized signature algorithm (e.g., RSA, ECDSA).
- The `signerInfo` structure must contain a proper digital signature over the signed attributes.
3. The signer's certificate (the one identified by `signerInfo.sid`)
- Must be included in the `certificates` set of the CMS structure.
- This allows signature validation without external certificate retrieval.
4. Signed Attributes (must be present in `signedAttrs`)

Attribute | Required? | Description |
---|---|---|
`content-type` | Required | Identifies the type of content being signed. |
`message-digest` | Required | Digest (hash) of the content being signed. |
`signing-certificate` or `signing-certificate-v2` | Required | Links the signature to the exact signing certificate, including a hash of the certificate. |
`signing-time` | Optional (but recommended) | Indicates when the signature was generated. |
5. DER encoding
- The CMS structure must be encoded using DER (Distinguished Encoding Rules), not BER.
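The signing-certificate binding from the table above, as an added example that is not part of this article: Go code using only the standard library's `encoding/asn1` that builds a `signing-certificate-v2` attribute for a signer certificate and, on the validating side, checks that the attribute found in `signedAttrs` hashes to the certificate taken from the `certificates` set, rejecting a missing, duplicated or mismatching attribute. The `Attribute`, `ESSCertIDv2` and `SigningCertificateV2` struct layouts are my own minimal ASN.1 mappings (hashAlgorithm left at its SHA-256 default, no issuerSerial or policies), and a real validator would pass in the DER of the certificate that `signerInfo.sid` selects.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
)

// id-aa-signingCertificateV2 (RFC 5035): binds a CAdES-BES signature to one exact certificate.
var oidSigningCertV2 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 47}
// Attribute is the CMS Attribute { attrType, attrValues SET OF ANY }; ESSCertIDv2 keeps its DEFAULT
// SHA-256 hashAlgorithm (so DER omits it) and no issuerSerial; SigningCertificateV2 omits policies.
type Attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}
type ESSCertIDv2 struct{ CertHash []byte }
type SigningCertificateV2 struct{ Certs []ESSCertIDv2 }
// SigningCertificateAttr builds the signing-certificate-v2 attribute for the DER certificate certDER.
func SigningCertificateAttr(certDER []byte) (Attribute, error) {
	h := sha256.Sum256(certDER)
	val, err := asn1.Marshal(SigningCertificateV2{Certs: []ESSCertIDv2{{CertHash: h[:]}}})
	return Attribute{Type: oidSigningCertV2, Values: []asn1.RawValue{{FullBytes: val}}}, err
}

// CheckSigningCertificate requires exactly one single-valued signing-certificate-v2 attribute
// whose first ESSCertIDv2 hashes certDER, the certificate that signerInfo.sid selects from the set.
func CheckSigningCertificate(attrs []Attribute, certDER []byte) error {
	var hit *Attribute
	for i := range attrs {
		if attrs[i].Type.Equal(oidSigningCertV2) {
			if hit != nil {
				return fmt.Errorf("signing-certificate-v2 occurs more than once")
			}
			hit = &attrs[i]
		}
	}
	if hit == nil || len(hit.Values) != 1 {
		return fmt.Errorf("signing-certificate-v2 missing or not single-valued")
	}
	var sc SigningCertificateV2
	if rest, err := asn1.Unmarshal(hit.Values[0].FullBytes, &sc); err != nil || len(rest) != 0 {
		return fmt.Errorf("malformed SigningCertificateV2 value: %v", err)
	}
	if h := sha256.Sum256(certDER); len(sc.Certs) == 0 || !bytes.Equal(sc.Certs[0].CertHash, h[:]) {
		return fmt.Errorf("certificate is not the one the signature is bound to")
	}
	return nil
}
```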
What CAdES-BES Does *Not* Include
CAdES-BES does not include:
- Timestamps (CAdES-T)
- Long-term validation data like revocation info (CAdES-LT, CAdES-LTA)
- Archive-level attributes
Summary
A CAdES-BES signature is a CMS/PKCS#7 signature that includes the signer's certificate and specific signed attributes (`content-type`, `message-digest`, `signing-certificate`) and is encoded using DER. It's the minimal profile for an advanced electronic signature under EU standards.