Validation Policy


<ConstraintsParameters Name="QES AdESQC TL based" xmlns="http://dss.esig.europa.eu/validation/policy">
	<Description>Validates electronic signatures and indicates whether they are Advanced electronic Signatures (AdES), AdES supported by a Qualified Certificate (AdES/QC) or a
		Qualified electronic Signature (QES). All certificates and their related chains supporting the signatures are validated against the EU Member State Trusted Lists (this includes
		signer's certificate and certificates used to validate certificate validity status services - CRLs, OCSP, and time-stamps).
	</Description>
	<ContainerConstraints>
		<AcceptableContainerTypes Level="FAIL">
			<Id>ASiC-S</Id>
			<Id>ASiC-E</Id>
		</AcceptableContainerTypes>
		<MimeTypeFilePresent Level="INFORM" />
		<AcceptableMimeTypeFileContent Level="WARN">
			<Id>application/vnd.etsi.asic-s+zip</Id>
			<Id>application/vnd.etsi.asic-e+zip</Id>
		</AcceptableMimeTypeFileContent>
		<ManifestFilePresent Level="FAIL" />
		<SignedFilesPresent Level="FAIL" />
		<AllFilesSigned Level="WARN" />
	</ContainerConstraints>
	<SignatureConstraints>
		<StructuralValidation Level="WARN" />
		<AcceptablePolicies Level="FAIL">
			<Id>ANY_POLICY</Id>
			<Id>NO_POLICY</Id>
		</AcceptablePolicies>
		<PolicyAvailable Level="FAIL" />
		<PolicyHashMatch Level="FAIL" />
		<AcceptableFormats Level="FAIL">
			<Id>*</Id>
		</AcceptableFormats>
		<BasicSignatureConstraints>
			<ReferenceDataExistence Level="FAIL" />
			<ReferenceDataIntact Level="FAIL" />
			<ManifestEntryObjectExistence Level="WARN" />
			<SignatureIntact Level="FAIL" />
			<SignatureDuplicated Level="FAIL" />
			<ProspectiveCertificateChain Level="FAIL" />
			<SignerInformationStore Level="FAIL" />
			<ByteRange Level="FAIL" />
			<ByteRangeCollision Level="WARN" />
			<PdfSignatureDictionary Level="FAIL" />
			<PdfPageDifference Level="FAIL" />
			<PdfAnnotationOverlap Level="WARN" />
			<PdfVisualDifference Level="WARN" />
			<DocMDP Level="WARN" />
			<FieldMDP Level="WARN" />
			<SigFieldLock Level="WARN" />
			<UndefinedChanges Level="WARN" />
			<SigningCertificate>
				<Recognition Level="FAIL" />
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<AuthorityInfoAccessPresent Level="WARN" />
				<RevocationInfoAccessPresent Level="WARN" />
				<RevocationDataAvailable Level="FAIL" />
				<AcceptableRevocationDataFound Level="FAIL" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<KeyUsage Level="WARN">
					<Id>nonRepudiation</Id>
				</KeyUsage>
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<ForbiddenExtensions Level="FAIL">
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
				</ForbiddenExtensions>
				<SerialNumberPresent Level="WARN" />
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<RevocationIssuerNotExpired Level="FAIL" />
				<NotSelfSigned Level="WARN" />
				<UsePseudonym Level="INFORM" />
				<Cryptographic />
			</SigningCertificate>
			<CACertificate>
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<RevocationDataAvailable Level="FAIL" />
				<AcceptableRevocationDataFound Level="FAIL" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<CA Level="FAIL" />
				<MaxPathLength Level="FAIL" />
				<KeyUsage Level="FAIL">
					<Id>keyCertSign</Id>
				</KeyUsage>
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<ForbiddenExtensions Level="FAIL">
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
				</ForbiddenExtensions>
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<Cryptographic />
			</CACertificate>
			<Cryptographic />
		</BasicSignatureConstraints>
		<SignedAttributes>
			<SigningCertificatePresent Level="WARN" />
			<UnicitySigningCertificate Level="WARN" />
			<SigningCertificateRefersCertificateChain Level="WARN" />
			<SigningCertificateDigestAlgorithm Level="WARN" />
			<CertDigestPresent Level="FAIL" />
			<CertDigestMatch Level="FAIL" />
			<IssuerSerialMatch Level="WARN" />
			<KeyIdentifierMatch Level="WARN" />
			<SigningTime Level="FAIL" />
			<MessageDigestOrSignedPropertiesPresent Level="FAIL" />
			<EllipticCurveKeySize Level="WARN" />

		</UnsignedAttributes>
	</SignatureConstraints>
	<CounterSignatureConstraints>
		<BasicSignatureConstraints>
			<ReferenceDataExistence Level="FAIL" />
			<ReferenceDataIntact Level="FAIL" />
			<SignatureIntact Level="FAIL" />
			<SignatureDuplicated Level="FAIL" />
			<ProspectiveCertificateChain Level="FAIL" />
			<SigningCertificate>
				<Recognition Level="FAIL" />
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<AuthorityInfoAccessPresent Level="WARN" />
				<RevocationInfoAccessPresent Level="WARN" />
				<RevocationDataAvailable Level="FAIL" />
				<AcceptableRevocationDataFound Level="FAIL" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<KeyUsage Level="WARN">
					<Id>nonRepudiation</Id>
				</KeyUsage>
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<ForbiddenExtensions Level="FAIL">
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
				</ForbiddenExtensions>
				<SerialNumberPresent Level="WARN" />
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<NotSelfSigned Level="WARN" />
				<UsePseudonym Level="INFORM" />
				<Cryptographic />
			</SigningCertificate>
			<CACertificate>
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<RevocationDataAvailable Level="FAIL" />
				<AcceptableRevocationDataFound Level="FAIL" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<CA Level="FAIL" />
				<MaxPathLength Level="FAIL" />
				<KeyUsage Level="FAIL">
					<Id>keyCertSign</Id>
				</KeyUsage>
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<ForbiddenExtensions Level="FAIL">
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
				</ForbiddenExtensions>
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<Cryptographic />
			</CACertificate>
			<Cryptographic />
		</BasicSignatureConstraints>
		<SignedAttributes>
			<SigningCertificatePresent Level="WARN" />
			<UnicitySigningCertificate Level="WARN" />
			<SigningCertificateRefersCertificateChain Level="WARN" />
			<SigningCertificateDigestAlgorithm Level="WARN" />
			<CertDigestPresent Level="FAIL" />
			<CertDigestMatch Level="FAIL" />
			<IssuerSerialMatch Level="WARN" />
			<KeyIdentifierMatch Level="WARN" />
			<SigningTime Level="FAIL" />
			<MessageDigestOrSignedPropertiesPresent Level="FAIL" />
			<EllipticCurveKeySize Level="WARN" />
			<ContentHints Level="FAIL" value="*" />
			<CommitmentTypeIndication Level="FAIL">
				<Id>1.2.840.113549.1.9.16.6.1</Id>
				<Id>1.2.840.113549.1.9.16.6.4</Id>
				<Id>1.2.840.113549.1.9.16.6.5</Id>
				<Id>1.2.840.113549.1.9.16.6.6</Id>
			</CommitmentTypeIndication>
			<SignerLocation Level="FAIL" />
			<ContentTimeStamp Level="FAIL" /> -->
		</SignedAttributes>
	</CounterSignatureConstraints>
	<Timestamp>
		<TimestampDelay Level="IGNORE" Unit="DAYS" Value="0" />
		<RevocationTimeAgainstBestSignatureTime	Level="FAIL" />
		<BestSignatureTimeBeforeExpirationDateOfSigningCertificate Level="FAIL" />
		<Coherence Level="WARN" />
		<BasicSignatureConstraints>
			<ReferenceDataExistence Level="FAIL" />
			<ReferenceDataIntact Level="FAIL" />
			<SignatureIntact Level="FAIL" />
			<ProspectiveCertificateChain Level="FAIL" />
			<ByteRange Level="FAIL" />
			<ByteRangeCollision Level="WARN" />
			<PdfSignatureDictionary Level="FAIL" />
			<PdfPageDifference Level="FAIL" />
			<PdfAnnotationOverlap Level="WARN" />
			<PdfVisualDifference Level="WARN" />
			<DocMDP Level="WARN" />
			<FieldMDP Level="WARN" />
			<SigFieldLock Level="WARN" />
			<UndefinedChanges Level="WARN" />
			<SigningCertificate>
				<Recognition Level="FAIL" />
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<RevocationDataAvailable Level="FAIL" />
				<AcceptableRevocationDataFound Level="FAIL" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<ExtendedKeyUsage Level="FAIL">
					<Id>timeStamping</Id>
				</ExtendedKeyUsage>
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<ForbiddenExtensions Level="FAIL">
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
				</ForbiddenExtensions>
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<NotSelfSigned Level="WARN" />
				<Cryptographic />
			</SigningCertificate>
			<CACertificate>
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<RevocationDataAvailable Level="WARN" />
				<AcceptableRevocationDataFound Level="WARN" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<CA Level="FAIL" />
				<MaxPathLength Level="FAIL" />
				<KeyUsage Level="FAIL">
					<Id>keyCertSign</Id>
				</KeyUsage>
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<ForbiddenExtensions Level="FAIL">
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
				</ForbiddenExtensions>
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<Cryptographic />
			</CACertificate>
			<Cryptographic />
		</BasicSignatureConstraints>
		<SignedAttributes>
			<SigningCertificatePresent Level="WARN" />
			<SigningCertificateRefersCertificateChain Level="WARN" />
			<CertDigestPresent Level="WARN" />
			<IssuerSerialMatch Level="WARN" />
		</SignedAttributes>
		<TSAGeneralNameContentMatch Level="WARN" />
	</Timestamp>
	<Revocation>
        <UnknownStatus Level="FAIL" />
		<OCSPResponderIdMatch Level="FAIL" />
        <SelfIssuedOCSP Level="WARN" />
		<BasicSignatureConstraints>
			<ReferenceDataExistence Level="FAIL" />
			<ReferenceDataIntact Level="FAIL" />
			<SignatureIntact Level="FAIL" />
			<ProspectiveCertificateChain Level="FAIL" />
			<SigningCertificate>
				<Recognition Level="FAIL" />
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<RevocationDataAvailable Level="FAIL" />
				<AcceptableRevocationDataFound Level="FAIL" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<Cryptographic />
			</SigningCertificate>
			<CACertificate>
				<Signature Level="FAIL" />
				<NotExpired Level="FAIL" />
				<RevocationDataAvailable Level="WARN" />
				<AcceptableRevocationDataFound Level="WARN" />
				<CRLNextUpdatePresent Level="WARN" />
				<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
				<CA Level="FAIL" />
				<MaxPathLength Level="FAIL" />
				<KeyUsage Level="FAIL">
					<Id>keyCertSign</Id>
				</KeyUsage>
				<PolicyTree Level="WARN" />
				<NameConstraints Level="WARN" />
				<SupportedCriticalExtensions Level="WARN">
					<Id>2.5.29.15</Id> <!-- keyUsage -->
					<Id>2.5.29.32</Id> <!-- certificatePolicies -->
					<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
					<Id>2.5.29.19</Id> <!-- basicConstraints -->
					<Id>2.5.29.30</Id> <!-- nameConstraints -->
					<Id>2.5.29.36</Id> <!-- policyConstraints -->
					<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
					<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
					<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
					<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
					<!-- policyMappings 2.5.29.33 not supported -->
				</SupportedCriticalExtensions>
				<ForbiddenExtensions Level="FAIL">
					<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
				</ForbiddenExtensions>
				<NotRevoked Level="FAIL" />
				<NotOnHold Level="FAIL" />
				<Cryptographic />
			</CACertificate>
			<Cryptographic />
		</BasicSignatureConstraints>
	</Revocation>
	<Cryptographic Level="FAIL">
		<AcceptableEncryptionAlgo>
			<Algo>RSA</Algo>
			<Algo>DSA</Algo>
			<Algo>ECDSA</Algo>
			<Algo>PLAIN-ECDSA</Algo>
		</AcceptableEncryptionAlgo>
		<MiniPublicKeySize>
			<Algo Size="1024">DSA</Algo>
			<Algo Size="1024">RSA</Algo>
			<Algo Size="160">ECDSA</Algo>
			<Algo Size="160">PLAIN-ECDSA</Algo>
		</MiniPublicKeySize>
		<AcceptableDigestAlgo>
			<Algo>MD5</Algo>
			<Algo>SHA1</Algo>
			<Algo>SHA224</Algo>
			<Algo>SHA256</Algo>
			<Algo>SHA384</Algo>
			<Algo>SHA512</Algo>
			<Algo>SHA3-256</Algo>
			<Algo>SHA3-384</Algo>
			<Algo>SHA3-512</Algo>
			<Algo>RIPEMD160</Algo>
			<Algo>WHIRLPOOL</Algo>
		</AcceptableDigestAlgo>
		<AlgoExpirationDate Level="FAIL" Format="yyyy" UpdateDate="2022" LevelAfterUpdate="WARN">
			<!-- Digest algorithms -->
			<Algo Date="2005">MD5</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
			<Algo Date="2009">SHA1</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.0.0 -->
			<Algo Date="2026">SHA224</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029">SHA256</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029">SHA384</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029">SHA512</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029">SHA3-256</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029">SHA3-384</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029">SHA3-512</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2011">RIPEMD160</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.0.0 -->
			<Algo Date="2015">WHIRLPOOL</Algo> <!-- ETSI 119 312 V1.1.1 -->
			<!-- end Digest algorithms -->
			<!-- Encryption algorithms -->
			<Algo Date="2013" Size="1024">DSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
			<Algo Date="2026" Size="2048">DSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029" Size="3072">DSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2009" Size="1024">RSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.0.0 -->
			<Algo Date="2016" Size="1536">RSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
			<Algo Date="2026" Size="1900">RSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029" Size="3000">RSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2013" Size="160">ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
			<Algo Date="2013" Size="192">ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
			<Algo Date="2016" Size="224">ECDSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
			<Algo Date="2029" Size="256">ECDSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029" Size="384">ECDSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029" Size="512">ECDSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2013" Size="160">PLAIN-ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
			<Algo Date="2013" Size="192">PLAIN-ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
			<Algo Date="2016" Size="224">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
			<Algo Date="2029" Size="256">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029" Size="384">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<Algo Date="2029" Size="512">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
			<!-- end Encryption algorithms -->
		</AlgoExpirationDate>
	</Cryptographic> 
	
	<Model Value="SHELL" />
	
	<!-- eIDAS REGL 910/EU/2014 --> 
	<eIDAS>
		<TLFreshness Level="WARN" Unit="HOURS" Value="6" />
		<TLNotExpired Level="WARN" />
		<TLWellSigned Level="WARN" />
		<TLVersion Level="FAIL" value="5" />
	</eIDAS>
</ConstraintsParameters>