...
- Start with the use case. Refer to the scope once to be clear.
...
In our context, eSign will mean cryptographically validatable signatures.
Scope:
Government signing the document G2P – Priority
End user signing the document. P2G - Priority
Business signing the document. B2B or B2C - last
Objective:
<TODO: update after discussion with the team during kickoff>
The ability for anyone to sign
Jürgen: One-time signature with OTP (i.e. enter code sent via SMS) - weaker security
Jürgen: Signature with hardware device (smart card, phone etc.) - stronger security, Biometrics.
Long-term signature - Smart cards, Phone.
Use ID BB to authorize and sign a document.
Jürgen: ID BB is probably good for cloud platforms (i.e. signing portals)
Jürgen: Should be possible to sign with a standalone app, without ID BB
Auditability
Validatable
Revoke certificate.
Highly secure.
Preservation of e-signature
Jürgen: Non-Repudiation
Jürgen: Lawful/qualified e-signatures (i.e. made equal to handwritten signatures by law)
Jürgen: Long term storage
Assumptions:
Has an eKYC or authentication service.
Jürgen: Registration/KYC should be possible to be performed online or face to face
Jürgen: Should be possible to perform via phone call/SMS
Bulk signing is out of scope.
Collaboration in the signature is limited by the type of the document and the support of the document.
Jürgen: There should be levels of how strongly KYC is done and how good the signature creation device is
...
Central service vs Distributed model
What if there is no eKYC/auth available?
Phone-based signature?
Scope:
Government signing the document G2P – Priority
End user signing the document. P2G - Priority
Business signing the document. B2B or B2C - last
Key principles:
Flow:
Sign using a cryptographic key and explain
...