User Tools

Site Tools


en:e-yazisma_paketi

e-Correspondence Package

Introduction

e-Correspondence Package (ECP) is a package structure that is designed to carry out the official correspondence between public institutions and organizations in an electronic environment. The information and components of official letters turn into a single electronic file by specific rules with ECP. This package structure enables cover letters and attachments in official writings can be signed as a whole at once. Updates were made to the existing data structure of the e-Correspondence Package and the use of electronic seals was made technically possible with the “ECP 2.0 e-Correspondence Technical Guide” published by the Presidency of the Republic of Turkey Digital Transformation Office on August 28th, 2020.

ECP consists of components related to the document and package structure that are logically connected. The table below lists the ECP components.

M/O Package Components
MCover Letter
MMetadata
MFinal Metadata
OParaph Hash
OParaph Electronic Signature
MPackage Hash
MElectronic Signature(e-signature)
MCore
OAttachment
MFinal Hash
MElectronic Seal

M: Mandatory - It is mandatory to include the specified component in the package

O: Optional - It is optional to include the specified component in the package

While ECP must have Electronic Signature and Electronic Seal, the use of Paraph Electronic Signature is optional. P4 CAdES X-Long signature format is used for Paraph Electronic Signature and Electronic Signature. P4 CAdES-A signature format is used for Electronic Seal.

Certificate Control and Time Stamp verification procedures must be performed before creating the Paraph Electronic Signature, Electronic Signature, and Electronic Seal used in ECP. The “Date” field in the Final Metadata component is expected to be the same as the timestamp information of the most recently created Electronic Signature. Information about all signers should be included in the “Document Signatures” field of the Final Metadata component.

Paraph Electronic Signature: It is created by signing the “ParafOzeti.xml” file that exists in the Paraph Hash component in the ECP by using Qualified Electronic Certificate. It must be used only in paraph made with an electronic signature. Cover Letter, Metadata, and Attachments components' hash values exist in the “PaketOzeti.xml” file. The presence of Attachments is optional. The following table specifies the components that must be included and not included in the Paraph Electronic Signature.

Paraph Electronic Signature Component M/O
Package Components Included in Paraph Electronic Signature Cover Letter M
Metadata M
Attachment (Internal Electronic File(DED) Attachment) O
Paraph Electronic Signature P4 CAdES-X LONG M
Package Components Not Included in Paraph Electronic Signature Unsigned Attachments O

Electronic Signature: It is created by signing the “PaketOzeti.xml” file that exists in the Package Hash component of the ECP by using the Qualified Electronic Certificate by the authorized personnel of the institution. Cover Letter, Metadata, Attachments, Paraph Hash, Paraph Electronic Signature components' hash values exist in the “PaketOzeti.xml” file. The presence of Attachments, Paraph Hash, and Paraph Electronic Signature is optional. The Electronic Signature component can include serial or parallel signers. The following table specifies the components that must be included and not included in the Electronic Signature.

Electronic Signature Component M/O
Package Components Included in Electronic Signature Cover Letter M
Metadata M
Attachment (Internal Electronic File(DED) Attachment) O
Paraph Hash O
Paraph Electronic Signature O
Electronic Signature P4 CAdES-X LONG M
Package Components Not Included in Electronic Signature Unsigned Attachments O

Electronic Seal: The purpose of the Electronic Seal is to verify the identity of the institution that created the ECP. Electronic Seal is created by signing the “NihaiOzet.xml” file that exists in the Final Hash component by using the Electronic Seal certificate issued by Kamu SM on behalf of the public institutions and organizations within the scope of Prime Ministry Circular no 2017/21. Cover Letter, Metadata, Final Metadata, Core, Package Hash, Electronic Signature, Attachments, Paraph Hash and Paraph Electronic Signature components' hash values exist in the “NihaiOzet.xml” file. The presence of Attachment, Paraph Hash, and Paraph Electronic Signature components are optional. The Electronic Seal component can not include serial or parallel signers. The following table specifies the components that must be included and not included in the Electronic Seal.

Electronic Seal Component M/O
Package Components Included in Electronic Seal Cover Letter M
Metadata M
Final Metadata M
Attachment (Internal Electronic File(DED) Attachment) O
Paraph Hash O
Core M
Paraph Electronic Signature O
Package Hash M
Electronic Hash M
Electronic Seal P4 CAdES-A M
Package Components Not Included in Electronic Seal Unsigned Attachments O

This section has been created to test the compliance of ECP files with various standards. The structural features of the ECP should be conformed with “ECP 2.0 e-Correspondence Technical Guide”. Signatures in the package must comply with the ETSI TS 101 733 standard, in which the CAdES signature type is defined, and the “Long Term and OCSP Controlled Secure Electronic Signature Policies (Profile P4)” in Digital Signature Usage Profiles Guide published by the Information Technologies and Communication Authority. In this context, Paraph Electronic Signature, Electronic Signature, Electronic Seal and package structure controls are specified in the procedure table. In addition, ECP Archiving structure is briefly explained at the end of the section.

Procedures

You can access ECP Test Package from here.

You can access Test Root Certificates here.

The following table provides the names and properties of the ECP files to be used in the procedures. Packages in the procedure have been prepared according to “ECP 2.0 e-Correspondence Technical Guide”.

ECP files have been created to cover only the scenarios related to Electronic Signature or Electronic Seal components. Paraph Electronic Signature, which is optional, is only available in scenarios specific to the relevant component.

M/O Package Name Package Property Package Validation ResultExplanation
M P4_1 Valid ECP (Includes paraph e-signature and all signed features have been added for the e-signature component.) VALID All signed attributes must be displayed in the validation result.
O P4_2.doc“Cover Letter” component of the package is Word document with a macro INVALID Verification details must be shown.
M P4_3 Package has a contradictory e-signature component including “mime-type” attribute with “image/jpeg” value although the actual content type is XML INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_4 Package has an e-signature component including “SigPolicyId” having another value than P4 OID (2.16.792.1.61.0.1.5070.3.3.1) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_5 Package has an e-signature component including “SigPolicyHash” having another hash value than P4 hash value INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_6 Package has an e-signature component including “SPUserNotice” having P4 user notice VALID P4 user notice must be shown.
M P4_7 Package has an e-signature component including “ESS-Signing-Certificate” hash algorithm is SHA-1 INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_8 Package has an e-signature component without “SigningTime” attribute INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_9 Package has an e-signature component contains the “SigningTime” attribute which indicates the time 3 hours before the “SignatureTimeStamp” attribute INVALID Electronic Signature must not be verified. Signature TimeStamp must be taken within two hours as of the signing time.
M P4_10Package has an e-signature component with qualified certificate revocation value CRL rather than OCSP INVALID Electronic Signature must not be verified. Verification details must be shown.
O P4_11 e-signature Component: ”SignatureTimeStamp” which do not have “signatureTimeStamp” root certificate (TS server is TSC1) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_12 e-signature Component: Signature file with ” SignatureTimeStamp” which do not have “signatureTimeStamp” CRL (TS server is TSC1) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_13 Package has an e-signature component including a forged “ESS Signing-Certificate-v2” attribute INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_14 Package has an e-signature component including a forged ”message-digest” attribute INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_15 Package has an e-signature component in which SHA-1 digest algorithm is used VALID
M P4_16Package has an e-signature component with a forged signature INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_17e-signature Component: Signed by a certificate with an omitted “non-repudiation” field in the key usage extension INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_18e-signature Component: Signed by a certificate with an omitted “UserNotice” text field in the “CertificatePolicies” extension INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_19e-signature Component: Signed by a certificate with an omitted ETSI OID in “QualifiedCertificateStatements” extension INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_20e-signature Component: Signed by a certificate with an omitted ICTA OID in “QualifiedCertificateStatements” extension INVALID Electronic Signature must not be verified. Verification details must be shown.
O P4_21Package has PDF/A-3 type cover letter component whose attachment is a word file INVALID Verification details must be shown.
M P4_22Package has an e-signature component created with an expired certificate INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_23Package has an e-signature component created with a certificate that has a forged signature. INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_24Package has an e-signature component that was created with the revoked certificate in OCSP, the certificate was revoked before the signing time INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_25Package has an e-signature component that was created with the revoked certificate in OCSP, the certificate was revoked after the signing time VALID
M P4_26The validity of the certificate of the e-signature component has to be checked via an expired OCSP response INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_27The validity of the certificate of the e-signature component has to be checked via an OCSP response having a forged signature. INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_28The validity of the certificate of the e-signature component has to be checked via an OCSP response which is signed by an expired OCSP certificate INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_29The validity of the certificate of the e-signature component has to be checked via an OCSP response which is signed by a signature forged OCSP certificate INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_30The validity of the certificate of the e-signature component has to be checked via an OCSP response which is signed by a revoked OCSP certificate. The OCSP certificate is revoked before signature timestamp INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_31The validity of the certificate of the e-signature component has to be checked via an OCSP response which is signed by a revoked OCSP certificate. The OCSP certificate is revoked after signature timestamp VALID
M P4_32e-signature Component: Signer certificate has a monetary limit which is equal to “0” CHOICE*
O P4_33e-signature Component: Signer certificate has a usage restriction defined in “QC Statements” extension INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_34The validity of the certificate of the e-signature component has to be checked via an OCSP response which is generated for a different certificate INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_35Package has an e-signature component that is created by a certificate that is issued by an intermediate CA certificate having a forged signature. INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_36The root certificate of the e-signature component has a forged signature INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_37e-signature Component: Signature timestamp has a “TSTInfo” with a forged “messageImprint” field (TS server is TSA1) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_38e-signature Component: Signature timestamp has a forged signature (TS server is TSA2) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_39e-signature Component: Signature timestamp is signed by an expired certificate (TS server is TSA3) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_40e-signature Component: Signature timestamp is signed by a certificate with a forged signature (TS server is TSA4) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_41e-signature Component: Signature timestamp is signed by a revoked certificate. The revocation time is before the signing time (TS server is TSA5) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_42e-signature Component: Signature timestamp is signed by a revoked certificate. The revocation time is after the signature timestamp (TS server is TSA5) VALID
M P4_43e-signature Component: Signature timestamp is signed by a certificate whose issuer certificate signature is forged (TS server is TSB) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_44e-signature Component: Signature timestamp is signed by a valid certificate (TS server is TSC1) VALID
M P4_45e-signature Component: Signature timestamp is signed by a certificate which references an expired CRL (TS server is TSC2) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_46e-signature Component: Signature timestamp is signed by a certificate which references a CRL with a forged signature (TS server is TSC3) INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_47Package has an e-signature component including a ”Complete certificate references” attribute which does not have a root certificate reference INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_48Package has an e-signature component including a ”Complete certificate references” attribute which has a wrong root certificate reference INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_49Package has an e-signature component including a ”Complete certificate references” attribute which does not have an intermediate CA certificate reference INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_50Package has an e-signature component including a ”Complete certificate references” attribute which has a wrong intermediate CA certificate reference INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_51Package has an e-signature component including a ”Complete revocation references” attribute which does not have a CRL reference for intermediate CA INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_52Package has an e-signature component including a ”Complete revocation references” attribute which has a wrong CRL reference for intermediate CA INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_53Package has an e-signature component including a ”Complete revocation references” attribute which does not have an OCSP reference for signer certificate INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_54Package has an e-signature component including a ”Complete revocation references” attribute which has a wrong OCSP reference for signer certificate INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_55Package has an e-signature component including a ”Certificate values” attribute which does not have a root certificate value INVALID Electronic Signature should not be verified. Verification details must be shown.
M P4_57Package has an e-signature component including a ”Certificate values” attribute which does not have an intermediate CA certificate value INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_59Package has an e-signature component including a ”Revocation Values” attribute which does not have a CRL value for intermediate CA certificate INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_61Package has an e-signature component including a ”Revocation values” attribute which does not have an OCSP value for signer certificate INVALID Electronic Signature must not be verified.Verification details must be shown.
M P4_A75“archiveTimeStamp” within the Electronic Seal has a “TSTInfo” with a forged “messageImprint” field (TS server is TSA1) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A76 “archiveTimeStamp” within the Electronic Seal has a forged signature (TS server is TSA2) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A77 “archiveTimeStamp” within the Electronic Seal is signed by an expired certificate (TS server is TSA3) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A78 “archiveTimeStamp” within the Electronic Seal is signed by an forged certificate (TS server is TSA4) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A79 “archiveTimeStamp” within the Electronic Seal is signed by a revoked certificate. The revocation time is before the signing time (TS server is TSA5) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A80 “archiveTimeStamp” within the Electronic Seal is signed by a revoked certificate. The revocation time is after the signature timestamp (TS server is TSA5) VALID
M P4_A81 “archiveTimeStamp” within the Electronic Seal is signed by a certificate whose issuer certificate is forged (TS server is TSB) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A82 “archiveTimeStamp” within the Electronic Seal is signed by a valid certificate (TS server is TSC1) VALID
M P4_A83 “archiveTimeStamp” within the Electronic Seal is signed by a certificate which references an expired CRL (TS server is TSC2) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A84 “archiveTimeStamp” within the Electronic Seal is signed by a certificate which references a CRL with a forged signature (TS server is TSC3) INVALID Electronic Seal must not be verified. Verification details must be shown.
O P4_A85 Electronic Seal component has two “archiveTimeStamp”. The first one's root certificate is not added to the signature file (TS server TSC1) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A86 Electronic Seal component has two “archiveTimeStamp”. The first one's CRL is not added to the signature file (TS server TSC1) INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_A90“archiveTimeStamp” certificate is expired after the Electronic Seal creation date. VALID The signature must be archived.
M P4_93_s e-signature Component is a Counter signature signed by two signers. Second signer has a valid certificate, but the first signer certificate is revoked in OCSP INVALID Validation result of the each signer must be shown in a hierarchical order similar to the tree structure. Verification details must be shown.
M P4_93_p e-signature Component is a Parallel signature signed by two signers. Second signer has a valid certificate, but the first signer is revoked in OCSP INVALID Each signature validation result must be shown in a hierarchical order similar to the tree structure. The details of the error should be reported to the user.
M P4_A94 “archiveTimeStamp” within the Electronic Seal possesses SHA-1 digest algorithm VALID The signature must be archived.
M P4_95 The hash value of Metadata Component (Üstveri) in PaketOzeti.xml file is forged INVALID Verification details must be shown.
M P4_96 The hash value of Cover Letter Component (Üst yazı) in PaketOzeti.xml file is forged INVALID Verification details must be shown.
M P4_97 The hash value of the Attachment Component which is the type of Internal Electronic File (DED) within PaketOzeti.xml is forged INVALID Verification details must be shown.
M P4_98The hash value of Paraph Hash Component in PaketOzeti.xml file is forged INVALID Verification details must be shown.
M P4_99 The hash value of Paraph Electronic Signature Component in PaketOzeti.xml file is forged. INVALID Verification details must be shown.
M P4_100The content value within the Electronic Signature is forged. INVALID Verification details must be shown.
M P4_101 Hash values of the components within PaketOzeti.xml is created with SHA-1 algorithm. INVALID Verification details must be shown.
M P4_102 The hash value of Metadata Component (Üstveri) In ParafOzeti.xml file is forged INVALID Verification details must be shown.
M P4_103 The hash value of Cover Letter Component (Üst yazı) in ParafOzeti.xml file is forged INVALID Verification details must be shown.
M P4_104 The hash value of Attachment Component which is the type of Internal Electronic File (DED) within ParafOzeti.xml is forged. INVALID Verification details must be shown.
M P4_105 The content value within the Paraph Electronic Signature is forged INVALID Verification details must be shown.
M P4_106 Hash values of the components within ParafOzeti.xml is created with SHA-1 algorithm. INVALID Verification details must be shown.
M P4_107 The hash value of Metadata Component (Üstveri) in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_108 The hash value of Final Metadata Component (Nihai Üstveri) in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_109 The hash value of Cover Letter Component (Üst yazı) in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_110 The hash value of Attachment Component which is the type of Internal Electronic File (DED) within NihaiOzet.xml is forged INVALID Verification details must be shown.
M P4_111 The hash value of Core Component in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_112 The hash value of Package Hash Component (Paket Özeti) in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_113 The hash value of Paraph Hash Component (Paraf Özeti) in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_114 The hash value of e-signature Component in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_115 The hash value of Paraph Electronic Signature Component in NihaiOzet.xml file is forged INVALID Verification details must be shown.
M P4_116 The content value within the Electronic Seal is forged INVALID Verification details must be shown.
M P4_117_sElectronic Seal is a Counter Signature with two signers INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_117_p Electronic Seal is a Parallel Signature with two signers INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_118 Hash values of the components within NihaiOzet.xml is created with SHA-1 algorithm. INVALID Verification details must be shown.
M P4_119Electronic Seal Component is signed with Qualified Certificate instead of Qualified Electronic Seal Certificate INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_120The package possesses an unplaced attachment(Konulmamış Ek) VALID
M P4_121 The signer component in the NihaiUstveri.xml file is different from the signer of the Electronic Signature Component INVALID Verification details must be shown.
M P4_122e-signature component is not conform with P4 Profile. INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_123 Electronic Seal component is not conform with P4 Profile. INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_124 Paraph Electronic Signature component is not conform with P4 Profile. INVALID Paraph Electronic Signature must not be verified. Verification details must be shown.
M P4_125 Electronic Seal is created with an expired Qualified Electronic Seal Certificate. INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_126 Electronic Seal is created with a Qualified Electronic Seal Certificate which is revoked in OCSP. INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_127 Electronic Seal is created with an Electronic Seal Certificate which is not qualified INVALID Electronic Seal must not be verified. Verification details must be shown.
M P4_128 Electronic Seal is created with a Qualified Electronic Seal Certificate whose signature is forged. INVALID Electronic Seal must not be verified. Verification details must be shown.
O P4_129e-signature component does not have “mime-type” attribute. INVALID Electronic Signature must not be verified. Verification details must be shown.
M P4_130The package has not an Electronic Seal Component INVALID Verification details must be shown.

M: Mandatory - The specified items must be provided. In case the item is not provided, ECP evaluation will result in negative.

O: Optional - The specified items must be provided. In case the item is not provided, ECP evaluation will not result in negative.

* One of the following methods must be selected when verifying the signed document if the signer certificate includes a monetary limit:

  • “INVALID Signature” message must be displayed. The description of the error should be reported to the user.
  • The monetary limit of the certificate is compared with the monetary limit of the signed document and if the monetary limit of the certificate is sufficient for the monetary value of the signed document, “VALID Signature” message must be displayed.
  • In the case where the monetary limit of the certificate is not compared with the monetary limit of the signed document, the user should be warned that the signer certificate has a monetary limit and “VALID Signature” message must be displayed.

ECP Archival

In ECP applications, the archiving infrastructure should be provided. Comprehensive information about archiving can be found in section Signature Archival.

Since the Electronic Seal component in ECP 2.0 is in the archive signature format, archiving scenarios only cover tests specific to archive signature. Correspondingly, P4_A90 and P4_A94 packages in the procedure table should be archived.

The Electronic Signature component in ECP 1.3 can be in P4 CAdES-X LONG or P4 CAdES-A signature format. If signature is in P4 CAdES-X LONG format, it must be protected with archival. If the signature is in P4 CAdES-A format, archiving scenarios only cover tests specific to archive signature. Archived signature can be added in the package. If there is a Final Hash component in the package, this component also needs to be rebuilt after archival.

en/e-yazisma_paketi.txt · Last modified: 2022/12/05 10:33