Versions Compared

Old Version 22

changes.mady.by.user Jürgen Niinre

Saved on

compared with

New Version 23

changes.mady.by.user Jürgen Niinre

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

<Description by Jürgen Niinre .

Type: C2G, G2C, G2B

Steps:

Terms and Definitions

  • Qualified Certificate (EIDAS term) - certificate that allows users digital signature to be equal to handwritten signature. Can be issued only according to legally accepted procedure.

  • Qualified Signature Creation Device (EIDAS term) - device that allows user to give signatures. Technically follows legally accepted procedure. There are different types:

    • Physical token (ID card, Smart card, USB token)

    • Remote token/EIDAS remote QSCD/Split key ( Cloud + App, Cloud + App + Secure element, Cloud + SIM card, Cloud + App + eSIM)

  • Signing Application - 3rd party or Government Application that implements the document signing.

    • Standalone application (Desktop, mobile App)

    • Embedded application - embedded into another service, e.g web portal, online self service, product

  • Onboarding - process of issuing Qualified Certificate and binding it to Qualified Signature Creation Device, can involve different ways, subject to legislation:

    • Face to face

    • Online + authenticated with existing token

    • Online re-onboarding only

    • Full online

Prerequisites

  • User has been onboarded, has been issued Qualified Certificate and owns or controls Qualified Signature Creation Device. Onboarding can be performed in following ways

    • ID card: By visiting designated Government office and is issued ID card

    • User’s remote signing device: By purchasing special SIM card from Mobile operator and authenticating using ID card

    • Users' cloud signing provider: By downloading an app from AppStore/Google Play and authenticating using ID card

Signing using standalone Application (i.e mobile/desktop):

  • User opens application and selects a documents

Signing using Application

  • User uses Application directly by choosing documents to be signed (standalone) or through another service, in which case service will compile the Document needed to be signed by user

  • Application will present the documents or data to be signed

  • Application will authenticate to e-signature BB, using embedded token that allows for fixed e.g 10 requests/month

  • Application will create a signature

    • With ID card signature can be created directly by communicating with ID card over smart card readerPhysical token

      • Application will communicate with ID card that is physical token directly connected to the device

      • Application will read the User’s certificate from ID cardphysical token

      • Application will perform User verification

        • Application will ask User’s PIN code and/or perform Biometric check

        • Application will instruct the ID card reader to prompt for PIN code, in case the ID card reader is with keypad

        • After user enters the PIN and/or performs the biometric check, ID card physical token is ready to perform the signing operation

      • Application will forward hash to be signed to ID cardID card physical token

      • Physical token will return the signed hash

      • Application will contact e-signature BB for validity confirmation and timestamp

    • With User’s remote signing device (SIM card) With Remote token

      • Application will contact an e-signature BB

      • e-signature BB will contact a OTA backend Remote token platform to send notification to User’s remote signing deviceUser, containing hash to be signed and text to display

      • User’s remote signing device token will perform User verification and signing

        • User’s device remote token will ask User’s PIN code or perform biometric verification

        • After User verification is completed, User’s remote signing device token will sign the hash

        • Signed hash, with users certificate will be sent back to e-signature BB

      • e-signature BB will retrieve the User's certificate from CA

      • e-signature BB will confirm certificate validity

      • e-signature BB will issue timestamp

      • e-signature BB will send

        • back

        a signature with certificate validity and timestamp

      With User’s cloud signature provider (App based)

      • Application will contact an e-signature BB

      • e-signature BB will contact a Cloud signature provider to send notification to User’s App with text to display

      • User’s App will perform User verification and signing authorization

        • User’s device will ask User’s PIN code and/or perform biometric verification

        • After User verification is completed, signing authorization is given to Cloud signature provider

        Cloud signature provider will create the signature and return it to

        • e-signature BB

  • e-signature BB will

    retrieve the User's certificate from CAe-signature BB will

    confirm certificate validity

  • e-signature BB will issue timestamp

  • e-signature BB will send back a signature with certificate validity and timestamp

  • Application will save the signature, validity information and timestamp together with document, so that document with this embedded information can be validated later

  • Application will present results to user

Sequence Diagram:

Related use cases

...