Signature quality

Based on certificate quality, hash algorithm quality, and public key algorithm / key size, the signature quality level is calculated as follows:

Signature quality = certificate quality + hash algo. quality + public key algo. and key size quality

This algorithm is amended as follows:

- If any quality parameter is 0, signature quality is set to 0 regardless of the values of the other two quality parameters. The signature is considered too weak to be trusted.

- If certificate quality level is 6, and both other quality parameters have value 1 or higher, the signature quality shall be set to 20. This value thus indicates a qualified signature according to the EU Directive.
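The calculation and its two amendments, as an added Python example (not the Validation Authority's own code). OIDs are written in dotted form and the lookup tables are a subset of the values on this page. The certificate quality is assumed to be supplied by the caller, and scoring unlisted OIDs or key sizes as 0 is an assumption of this example.

```python
# Added example: signature quality with both amendments applied.
# Quality values are copied from this page's tables (subset), OIDs in dotted form.
HASH_QUALITY = {
    "1.2.840.113549.2.5": 0,       # md5
    "1.2.840.113549.1.1.4": 0,     # md5WithRSAEncryption
    "1.3.14.3.2.26": 1,            # id-sha1
    "1.2.840.113549.1.1.5": 1,     # sha1WithRSAEncryption
    "2.16.840.1.101.3.4.2.4": 2,   # id-sha224
    "2.16.840.1.101.3.4.2.1": 3,   # id-sha256
    "1.2.840.113549.1.1.11": 3,    # sha256WithRSAEncryption
    "2.16.840.1.101.3.4.2.2": 4,   # id-sha384
    "2.16.840.1.101.3.4.2.3": 5,   # id-sha512
}
RSA_KEY_QUALITY = {512: 0, 768: 0, 1024: 1, 2048: 2, 3072: 3, 4096: 4}

QUALIFIED_CERT_LEVEL = 6   # certificate quality level named in the second amendment
QUALIFIED_SIGNATURE = 20   # fixed value indicating a qualified signature


def assess(cert_quality, hash_oid, rsa_bits):
    """Return the three component scores, the total and the rule that decided it."""
    if not isinstance(cert_quality, int) or cert_quality < 0:
        raise ValueError("certificate quality must be a non-negative integer")
    # Assumption (not from the page): unlisted OIDs and key sizes fail closed at 0.
    parts = {
        "certificate": cert_quality,
        "hash": HASH_QUALITY.get(hash_oid, 0),
        "public_key": RSA_KEY_QUALITY.get(rsa_bits, 0),
    }
    weak = [name for name, q in parts.items() if q == 0]
    if weak:
        total, rule = 0, "zero rule: " + ", ".join(weak)
    elif cert_quality == QUALIFIED_CERT_LEVEL:
        total, rule = QUALIFIED_SIGNATURE, "qualified signature"
    else:
        total, rule = sum(parts.values()), "sum"
    return {**parts, "total": total, "rule": rule}


def signature_quality(cert_quality, hash_oid, rsa_bits):
    return assess(cert_quality, hash_oid, rsa_bits)["total"]


if __name__ == "__main__":
    # Constructed inputs: (certificate quality, hash/signature OID, RSA modulus bits).
    for sample in [(4, "1.2.840.113549.1.1.11", 2048),
                   (6, "1.3.14.3.2.26", 1024),
                   (6, "1.2.840.113549.1.1.4", 4096)]:
        print(sample, assess(*sample))
```

The third sample shows why the zero rule is checked first: a 4096-bit key and a level 6 certificate do not rescue a signature made with MD5.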

Quality values for cryptographic algorithms, including key sizes, are to be interpreted as:

Quality 0: Inadequate – should not be trusted.

Quality 1: Reasonably secure for 3 years.

Quality 2: Regarded as trustworthy for 5-10 years.

Quality 3-5: Increasing levels of security.

The following sums up assigned quality values for hash algorithms. Further algorithms will be added according to demand.

| Hash algo. | Quality | OID |
|---|---|---|
| MD2 | 0 | md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 2 } |
| MD2 with RSA encryption | 0 | md2WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md2WithRSAEncryption(2)} |
| MD4 | 0 | md4 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) md4(4)} |
| MD4 with RSA encryption | 0 | md4withRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md4withRSAEncryption(3)} |
| MD5 | 0 | md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5 } |
| MD5 with RSA encryption | 0 | md5WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md5WithRSAEncryption(4)} |
| MD5 with RSA signature | 0 | md5WithRSASignature OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) md5WithRSASignature(25)} |
| RIPEMD-128 | 0 | ripemd128 OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) |
| RIPEMD-160 | 1 | ripemd160 OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) |
| RIPEMD-256 | 1 | ripemd256 OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) |
| SHA-1 | 1 | id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } |
| SHA-1 with RSA encryption | 1 | sha1WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha1-with-rsa-signature(5)} |
| SHA-224 | 2 | id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } |
| SHA-256 | 3 | id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } |
| SHA-256 with RSA encryption | 3 | sha256WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha256WithRSAEncryption(11)} |
| SHA-384 | 4 | id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } |
| SHA-512 | 5 | id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } |

The following sums up assigned quality ratings for public key cryptographic algorithms and assigned key sizes. Only RSA is indicated. Quality rating for DSA will be equal to RSA for the same key size.

These algorithms will be added according to demand and as supported by the VA.

| PK algo. | Key size | Quality | OID |
|---|---|---|---|
| MD2 with RSA encryption | 1024 | 1 | md2WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md2WithRSAEncryption(2)} |
| MD2 with RSA encryption | 2048 | 2 | md2WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md2WithRSAEncryption(2)} |
| MD2 with RSA encryption | 4096 | 4 | md2WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md2WithRSAEncryption(2)} |
| MD4 with RSA encryption | 1024 | 1 | md4withRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md4withRSAEncryption(3)} |
| MD4 with RSA encryption | 2048 | 2 | md4withRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md4withRSAEncryption(3)} |
| MD4 with RSA encryption | 4096 | 4 | md4withRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md4withRSAEncryption(3)} |
| MD5 with RSA encryption | 1024 | 1 | md5WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md5WithRSAEncryption(4)} |
| MD5 with RSA encryption | 2048 | 2 | md5WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md5WithRSAEncryption(4)} |
| MD5 with RSA encryption | 4096 | 4 | md5WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) md5WithRSAEncryption(4)} |
| RSA | 512 | 0 | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} |
| RSA | 768 | 0 | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} |
| RSA | 1024 | 1 | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} |
| RSA | 2048 | 2 | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} |
| RSA | 3072 | 3 | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} |
| RSA | 4096 | 4 | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} |
| RSA OAEP encryption set | 1024 | 1 | rsaOAEPEncryptionSET OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) rsaOAEPEncryptionSET(6)} |
| RSA OAEP encryption set | 2048 | 2 | rsaOAEPEncryptionSET OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) rsaOAEPEncryptionSET(6)} |
| RSA OAEP encryption set | 4096 | 4 | rsaOAEPEncryptionSET OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) rsaOAEPEncryptionSET(6)} |
| SHA-1 with RSA encryption | 1024 | 1 | sha1WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha1-with-rsa-signature(5)} |
| SHA-1 with RSA encryption | 2048 | 2 | sha1WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha1-with-rsa-signature(5)} |
| SHA-1 with RSA encryption | 4096 | 4 | sha1WithRSAEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha1-with-rsa-signature(5)} |

Contact us

Please contact us if you want to know more about our Validation Authority Service.

Email us: info-VA@dnv.com