E-Signature, or electronic signature, is a way of signing documents digitally, without needing to print them. It is like an electronic version of a pen-and-paper signature or stamp: it is specific to a person or organization and is both secure and legally binding. In our context, E-Signature will mean cryptographically validatable signatures.
Qualified Certificate (EIDAS term) - a certificate in X.509 form that allows the user's digital signature to be equal to a handwritten signature. It can be issued only according to legally accepted procedures.
Qualified Signature Creation Device (EIDAS term) - a device that allows users to give signatures. Technically, it follows a legally accepted procedure. There are different types:
Physical token (ID card, Smart card, USB token)
Remote token/EIDAS remote QSCD/Split key (Cloud + App, Cloud + App + Secure element, Cloud + SIM card, Cloud + App + eSIM)
As requirements, we can define this to be:
Defined in EIDAS QSCD list https://esignature.ec.europa.eu/efda/notification-tool/#/screen/browse/list/QSCD_SSCD
Certified by Common Criteria
Certified/Endorsed by FIDO
Signing Application - a 3rd party or Government Application that implements the document signing.
Standalone application (Desktop, Mobile App)
Embedded application - embedded into another service, e.g. web portal, online self-service, product
Onboarding - the process of issuing a Qualified Certificate and binding it to a Qualified Signature Creation Device. It can be done in different ways, subject to legislation:
Face to face
Online + authenticated with existing token
Online re-onboarding only
Full online
Signature Requestor - an application that holds the artefact that needs the user's signature.
Document/Artefact to be Signed - data that needs to be signed by the User. It can be:
a Document file (PDF, Word, etc.) owned/handled by the User
a Data file in an arbitrary format owned/handled by the User
a Document or Data file handled by a 3rd party Service on behalf of the User.
Phase 1:
Limit the scope of work to the following:
Ability to create and manage keys in remote QSCD.
This is needed to support the server-side signing of documents. Mostly used by applications without much user involvement.
Use cases like payroll signing, agreement signing, etc. are handled using this API. This does not require an individual, nor does it interact with the ID building block.
Ability to create & sign using dynamic short-lived keys.
This is needed to support the ID BB based signature. Mostly used by the end user to sign documents, or by applications that sign on behalf of the end user.
Use cases like consent, tax filing, request for registration, etc. can be handled.
Support for the following signature formats:
No administrative APIs are needed to cater to this requirement, so administrative APIs will be left out of scope.
All signatures are expected to happen on the server.
The government signs the document. G2P - Priority
The end user signs the document. P2G - Priority
The business signs the document. B2B or B2C, G2B, B2G - last
Quantum resistance - Not in scope as of now.
Remote e-signature is considered to be in scope.