<TODO: Finalize with the team>
- Start with the use case. refer the scope once to be clear.
Definitions:
eSign, also known as eSignature or an electronic signature, is a way of signing documents digitally, without needing to print them. It’s sort of like an electronic version of a pen and paper signature or stamp, specific to a person or organization and is both secure and legally binding.
In our context, eSign will mean cryptographically validatable signatures.
Objective:
<TODO: update after discussion with the team during kickoff>
The ability for anyone to sign
Jürgen: one-time signature with OTP (i.e enter code sent via SMS) - weaker security
Jürgen: signature with hardware device (smart card, phone etc) - stronger security
Use ID BB to authorize and sign a document.
Jürgen: ID BB is probably good for cloud platforms (i.e signing portals)
Jürgen: Should be possible to sign with standalone app, without ID BB
Auditability
Validatable
Revoke certificate.
Highly secure.
Preservation of esignature
Jürgen: Non-Repudiation
Jürgen: Lawful/qualified e-signatures (i.e made equal to handwritten signatures by law)
Assumptions:
Has an ekyc or authentication service.
Jürgen: Registration/KYC should be possible to be performed online or face to face
Jürgen: Should be possible to performed via phone call/SMS
Bulk signing is out of scope.
Collaboration in the signature is limited by the type of the document and the support of the document.
Jürgen: There should be levels of how strongly KYC is done and how good is the signature creation device
Challenges:
Central service vs Distributed model
What if there is no eKyc/auth available?
Phone-based signature?
Scope:
Government signing the document G2P – Priority
End user signing the document. P2G - Priority
Bussiness signing the document. B2B or B2C - last
Key principles:
Flow:
Sign using a cryptographic key and explain
How do we verify? explain here
How can we make it easy for everyone in the country to use it?
Kassy - preservation means the ability to use a digital signature and validate the same digital signature
Let us add one or some of the sample digital signatures.
https://tcab.eu/eidas-assessment/seal-preservation/
Differentiate validation vs creation of digital signatures.
Sample Use cases: - Priority 1
Use case 1: Payroll signature - Can we have the payroll statement signed before its sent for the payment block.
Use case 2:
Kassy use cases
Local signature - Cryptographic token
Distance signature - sign your own
Before you get a key you should get the kyc from the certificate authority.
Gtax generates the key and certificate to sign and then returns the application.
- kassy - please update the use cases that you are aware of.
- kassy - please share the links of the esignature services available in your country.
- sasi - update India esign details.
- muttalib - pls update more on this https://legalseba.com/digital-signature-in-bangladesh/
Reference:
Introduction to cryptographic digital signature - https://www.youtube.com/watch?v=704dudhA7UI
India e-sign paper - https://cca.gov.in/sites/files/pdf/ACT/eSign-APIv2.0.pdf
India Other modes: Device based.
Estonia e-sign:
Estonian citizens can choose a suitable method for digital signing themselves. Nowadays, there are four common ways to do so:
An ID-card, which is a mandatory identity document for all Estonian citizens. The PINs required for electronic signing are issued to you in a security envelope with the card. In order to use your ID-card, you also need a card reader and ID-software.
A digital ID card: Estonian citizens can use their digital IDs in parallel with ID-cards while foreigners are issued e-resident’s digital IDs.
A mobile-ID is a SIM card-based solution for electronic authentication and digital signing with a mobile phone. Mobile-ID SIM cards are issued by mobile network operators.
A Smart-ID is a SIM-independent device-based solution for smartphones.