<TODO: Finalize with the team>
- Start with the use case. refer the scope once to be clear.
Definitions:
eSign, also known as eSignature or an electronic signature, is a way of signing documents digitally, without needing to print them. It’s sort of like an electronic version of a pen and paper signature or stamp, specific to a person or organization and is both secure and legally binding.
In our context, eSign will mean cryptographically validatable signatures.
Objective:
<TODO: update after discussion with the team during kickoff>
The ability for anyone to sign
Jürgen: one-time signature with OTP (i.e enter code sent via SMS) - weaker security
Jürgen: signature with hardware device (smart card, phone etc) - stronger security
Use ID BB to authorize and sign a document.
Jürgen: ID BB is probably good for cloud platforms (i.e signing portals)
Jürgen: Should be possible to sign with standalone app, without ID BB
Auditability
Validatable
Revoke certificate.
Jürgen: Is it meant to be revoke certificates? Revoking signatures I think very hard to do.
Highly secure.
Preservation of esignature
Jürgen: Non-Repudiation
Jürgen: Lawful/qualified e-signatures (i.e made equal to handwritten signatures by law)
Assumptions:
Has an ekyc or authentication service.
Jürgen: Registration/KYC should be possible to be performed online or face to face
Jürgen: Should be possible to performed via phone call/SMS
Bulk signing is out of scope.
Collaboration in the signature is limited by the type of the document and the support of the document.
There should be levels of how strongly KYS is done/
Challenges:
Central service vs Distributed model
What if there is no eKyc/auth available?
Phone-based signature?
Scope:
Government signing the document G2P – Priority
End user signing the document. P2G - Priority
Bussiness signing the document. B2B or B2C - last
Key principles:
Flow:
Sign using a cryptographic key and explain
How do we verify? explain here
How can we make it easy for everyone in the country to use it?
Kassy - preservation means the ability to use a digital signature and validate the same digital signature
Let us add one or some of the sample digital signatures.
https://tcab.eu/eidas-assessment/seal-preservation/
Differentiate validation vs creation of digital signatures.
Sample Use cases: - Priority 1
Use case 1: Payroll signature - Can we have the payroll statement signed before its sent for the payment block.
Use case 2:
Kassy use cases
Local signature - Cryptographic token
Distance signature - sign your own
Before you get a key you should get the kyc from the certificate authority.
Gtax generates the key and certificate to sign and then returns the application.
- kassy - please update the use cases that you are aware of.
- kassy - please share the links of the esignature services available in your country.
- sasi - update India esign details.
- muttalib - pls update more on this https://legalseba.com/digital-signature-in-bangladesh/
Reference:
Introduction to cryptographic digital signature - https://www.youtube.com/watch?v=704dudhA7UI
India e-sign paper - https://cca.gov.in/sites/files/pdf/ACT/eSign-APIv2.0.pdf
India Other modes: Device based.
Estonia e-sign:
Estonian citizens can choose a suitable method for digital signing themselves. Nowadays, there are four common ways to do so:
An ID-card, which is a mandatory identity document for all Estonian citizens. The PINs required for electronic signing are issued to you in a security envelope with the card. In order to use your ID-card, you also need a card reader and ID-software.
A digital ID card: Estonian citizens can use their digital IDs in parallel with ID-cards while foreigners are issued e-resident’s digital IDs.
A mobile-ID is a SIM card-based solution for electronic authentication and digital signing with a mobile phone. Mobile-ID SIM cards are issued by mobile network operators.
A Smart-ID is a SIM-independent device-based solution for smartphones.