Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  •  Start with the use case. refer to the scope once to be clear.

Definitions:

...

  • E-Signature or an electronic signature is a way of signing documents digitally, without needing to print them. It’s sort of like an electronic version of a pen and paper signature or stamp, specific to a person or organization and is both secure and legally binding.

...

  • In our context, E-Signature will mean cryptographically validatable signatures.

  • Qualified Certificate (EIDAS term) - a certificate in form of X.509 that allows the user's digital signature to be equal to a handwritten signature. It can be issued only according to legally accepted procedures.

  • Qualified Signature Creation Device (EIDAS term) - device that allows users to give signatures. Technically follows legally accepted procedure. There are different types:

  • Signing Application - 3rd party or Government Application that implements the document signing.

    • Standalone application (Desktop, Mobile App)

    • Embedded application - embedded into another service, e.g web portal, online self-service, product

  • Onboarding - the process of issuing a Qualified Certificate and binding it to a Qualified Signature Creation Device, can involve different ways, subject to legislation:

    • Face to face

    • Online + authenticated with existing token

    • Online re-onboarding only

    • Full online

  • Signature Requestor - An application that has the artefact that needs the users signature.

  • Document/Artefact to be Signed - Data that needs to be signed by User. It can be

    • a Document file (pdf, word, etc) owned/handled by User

    • a Data file in an arbitrary format owned/handled by the user

    • A Document or Data file handled by a 3rd party Service on behalf of user.

Scope:

...

Phase 1:

Limit the scope of work to the following

  • Ability to create and manage keys in remote QSCD.

    • This is needed to support the server-side signing of documents. Mostly used by applications without much user involvement.

    • Use cases like Payroll signing, agreement signing etc are handled using this API. Does not require an individual or would not interact with the ID building block.

  • Ability to create & sign using dynamic short-lived keys.

    • This is needed to support the ID BB based signature. Mostly used by the end user to sign documents or by the applications on behalf of the end user and sign.

    • Use cases like consent, tax filing, request for registration etc can be handled.

  • Support for the following signature formats:

    • XAdES

    • CAdES

    • ASIC

    • JWS

  • No administrative API’s are need to cater to this requirement. So administrative API’s will be left out of scope

All signatures are expected to be happening on the server.

  • The government signed document G2P – Priority

  • The end user signs the document. P2G - Priority

  • Business signing the document. B2B or B2C, G2B, B2G - last

  • Quantum resistance - Not in scope as of now.

  • Remote e-signature would be considered as the scope.

Objective:

  • The ability for anyone to sign

    • One authentication based E-signature

      • OTP

      • Biometrics

      • PIN

    • One Time Signature

      • WOTS+ - Not supported

      • XMSS - Not supported

    • Long-term signature

      • Smart cards

      • Smart Phone.

    • HD Signature

      • Smart Phone

  • Use ID BB to authorize and sign a document.

    • Should be possible to sign with a standalone app, without ID BB.

  • Auditability

  • Validatable

  • Revoke certificate.

  • Highly secure.

  • Preservation of E-Signature

  • Non-Repudiation

  • Long-term validatable.

  • Inclusive

    • Supports multiple social economic backgrounds.

  • Presentation

    • Can we support multiple signature types and let verifiers provide presentation layers?

Assumptions:

  • Has a digital ekyc or authentication service.

    • Registration/KYC should be possible to be performed online or face to face

    • Should be possible to perform via phone call/SMS

  • Bulk signing is out of scope.

  • Collaboration in the signature is limited by the type of the document and the support of the document.

  • Countries are expected to have digital signature law’s that consider e-signatures as equivalent to handwritten signatures.

  • No support for printing the digital document and validating the signature.

Challenges:

  • Central service vs Distributed model

  • What if there is no eKyc/auth available?

  • Phone-based signature?

  • Online and/or Offline validation

  • Can we use JSON-LD signatures so we can validate a linked PDF or HTML or image etc.

Key principles:

Flow:

Sign using a cryptographic key and explain

...

Differentiate validation vs creation of digital signatures.

Solution:

  • There should be levels of how strongly KYC is done and how good is the signature creation device

  • How do we take care of the machine signature? Is this in scope?

Sample Use cases: - Priority 1

Notes from Ramkumar:

Can we map a use case with the mother-child?

Govstack Building Block Cookbook

Consider the below as scenarios.

Use case 1: Signature of the resident on the consent form to share his details.

Actors:

Consent Building Block, Resident, Application, Agent, ID Building Block

Type:

C2G

Steps for approach online:

  1. Agent opens up the consent form.

  2. Describes the services to the resident.

  3. Resident authenticates to the ID Building Block

  4. The resident is redirected to the Application

  5. The Application gets the necessary consent form and shows it to the agent/resident.

  6. The resident chooses to sign the consent form with a button click.

  7. The Application sends the consent form and the bearer token of the user to the e-signature building block API.

  8. The e-signature building block validates (introspects RFC 7662) the bearer token with the ID building block.

  9. Creates the key on the fly and timestamps & signs the document. (different types of signatures are allowed). The key is valid only for a short duration.

  10. The e-signature building block sends back the signature in the requested format (XAdES, CAdES, ASIC, JWS)

  11. The Application decides to embed or attach the signature data.

  12. The workflows building block sends the signature to the consent building block.

  13. The Application shows the user that consent is signed and he can download it from a link given.

Steps for approach offline:

Onboarding:

  1. The resident visits the e-signature portal.

  2. Authenticates & gets ekyc data using ID building block with biometrics, smart card, password + MFA.

  3. The resident/agent provides the USB token or smart card or Mobile phone to create a secure key pair and send the CSR to the e-signature building block.

  4. The CSR is signed with the resident ekyc on the resident’s e-kyc details and sent back the certificate (X509v3) to the USB token.

    1. The e-signature building block will use a certificate authority to get the certificate.

...

  1. Agent opens up the consent form.

  2. Describes the services to the resident.

  3. Resident authenticates to the ID Building Block

  4. The resident is redirected to the Application

  5. The Application gets the necessary consent form and shows it to the agent/resident.

  6. The resident chooses to sign the consent form with a button click.

  7. The Application redirects to the e-signature building block.

  8. The e-signature building block asks the resident to insert the USB token.

  9. The e-signature building block interacts with the USB token and signs the document.

  10. The e-signature building block sends back the signature in the requested format (XAdES, CAdES, ASIC, JWS) to the Application.

  11. The Application decides to embed or attach the signature data.

  12. The workflows building block sends the signature to the consent building block.

  13. The Application shows the user that consent is signed and he can download it from a link given.

Use case 2: Payroll signature

Can we have the payroll statement signed before it's sent for the payment block?

Type:

G2B or B2B or B2G

Sequence Diagram:

Related use cases

  • Sign you invoice.

  • Sign an RFP

  • Sign a business agreement.

Use case 3: Signing and verifying a document owned by user using a desktop computer or mobile phone

<Description by Jürgen Niinre .

Type: C2G, G2C, G2B

Terms and Definitions

  • Qualified Certificate (EIDAS term) - certificate that allows users digital signature to be equal to handwritten signature. Can be issued only according to legally accepted procedure.

  • Qualified Signature Creation Device (EIDAS term) - device that allows user to give signatures. Technically follows legally accepted procedure. There are different types:

    • Physical token (ID card, Smart card, USB token)

    • Remote token/EIDAS remote QSCD/Split key ( Cloud + App, Cloud + App + Secure element, Cloud + SIM card, Cloud + App + eSIM)

  • Signing Application - 3rd party or Government Application that implements the document signing.

    • Standalone application (Desktop, mobile App)

    • Embedded application - embedded into another service, e.g web portal, online self service, product

  • Onboarding - process of issuing Qualified Certificate and binding it to Qualified Signature Creation Device, can involve different ways, subject to legislation:

    • Face to face

    • Online + authenticated with existing token

    • Online re-onboarding only

    • Full online

Prerequisites

...

Prerequisites

  • The user has been onboarded, has been issued a Qualified Certificate and owns or controls a Qualified Signature Creation Device.

Signing using Application

...

user-owned document:

  • The user uses the Signing Application directly by choosing documents to be signed (standalone) or through another service, in which case service will compile the Document needed to be signed by user

  • The Signing Application will present the documents or data to be signed

  • The Signing Application will authenticate to e-signature BB, using an embedded token that allows for fixed e.g 10 requests/month

  • The Signing Application will create a signature

    With Physical token

  • Application will communicate with physical token directly connected to the device

  • Application will read the User’s certificate from physical token

  • Application will perform User verification

    Application will ask User’s

    with Qualified Signature Creation Device

    • User is verified using PIN code and/or

      perform Biometric check
    • After user enters the PIN and/or performs the biometric check, physical token is ready to perform the signing operation

    • Application will forward hash to be signed to physical token

    • Physical token will return the signed hash

    • With Remote token

    • Application will contact an e-signature BB

    • e-signature BB will contact a Remote token platform to send notification to User, containing hash to be signed and text to display

    • User’s remote token will perform verification and signing

    • User’s remote token will ask User’s PIN code or perform biometric verification

    • After User verification is completed, User’s remote token will sign the hash

    • Signed hash, with users certificate will be sent back to e-signature BB

      biometrics

    • Signature and Certificate are sent to e-signature BB to be verified

  • e-signature BB will confirm certificate validity

  • e-signature BB will issue timestamp

  • e-signature BB will send back a signature with certificate validity and timestamp

  • Signing Application will save the signature, validity information and timestamp together with document, so that document with this embedded information can be validated later

  • Application The application will present results to user

Sequence Diagram:

Mermaid cloud
filenamesigning2
revision3

Related use cases

Use case 4: Signing a consent form

<Description by kadio.kassy >

Type:

Sequence Diagram:

Related use cases

Kassy use cases

  • Local signature - Cryptographic token

  • Distance signature - sign your own

  • Before you get a key you should get the kyc from the certificate authority.

  • Gtax generates the key and certificate to sign and then returns the application.

Reference:

Introduction to cryptographic digital signature - https://www.youtube.com/watch?v=704dudhA7UI

...

  • An ID-card, which is a mandatory identity document for all Estonian citizens. The PINs required for electronic signing are issued to you in a security envelope with the card. In order to use your ID-card, you also need a card reader and ID-software.

  • digital ID card: Estonian citizens can use their digital IDs in parallel with ID-cards while foreigners are issued e-resident’s digital IDs.

  • mobile-ID is a SIM card-based solution for electronic authentication and digital signing with a mobile phone. Mobile-ID SIM cards are issued by mobile network operators.

  • Smart-ID is a SIM-independent device-based solution for smartphones.

Standards

PAdES - PDF

https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf

...