<TODO: Finalize with the team>
- Start with the use case. Refer to the scope once to be clear.
Definitions:
An E-Signature or an electronic signature is a way of signing documents digitally, without needing to print them. It’s sort of like an electronic version of a pen and paper signature or stamp, specific to a person or organization and is both secure and legally binding.
In our context, E-Signature will mean cryptographically validatable signatures.
Scope:
The government signing the document G2P – Priority
The end user signs the document. P2G - Priority
Business signing the document. B2B or B2C, G2B, B2G - last
Quantum resistance - Not in scope as of now.
Objective:
The ability for anyone to sign
One authentication based E-signature
OTP
Biometrics
PIN
One Time Signature
WOTS+ - Not supported
XMSS - Not supported
Long-term signature
Smart cards
Smart Phone.
HD Signature
Smart Phone
Use ID BB to authorize and sign a document.
Should be possible to sign with a standalone app, without ID BB.
Auditability
Validatable
Revoke certificate.
Highly secure.
Preservation of E-Signature
Non-Repudiation
Long-term validatable.
Inclusive
Supports multiple social economic backgrounds.
Presentation
Can we support multiple signature types and let verifiers provide presentation layers?
Assumptions:
Has a digital ekyc or authentication service.
Registration/KYC should be possible to be performed online or face to face
Should be possible to perform via phone call/SMS
Bulk signing is out of scope.
Collaboration in the signature is limited by the type of the document and the support of the document.
Countries are expected to have digital signature laws that consider e-signatures as equivalent to handwritten signatures.
No support for printing the digital document and validating the signature.
Challenges:
Central service vs Distributed model
What if there is no eKyc/auth available?
Phone-based signature?
Online and/or Offline validation
Can we use JSON-LD signatures so we can validate a linked PDF or HTML or image etc.
Key principles:
Flow:
Sign using a cryptographic key and explain
How do we verify? explain here
How can we make it easy for everyone in the country to use it?
Kassy - preservation means the ability to use a digital signature and validate the same digital signature
Let us add one or some of the sample digital signatures.
https://tcab.eu/eidas-assessment/seal-preservation/
Differentiate validation vs creation of digital signatures.
Solution:
There should be levels for how strongly KYC is done and how good the signature creation device is.
How do we take care of the machine signature? Is this in scope?
Sample Use cases: - Priority 1
Use case 1: Signature of the resident on the consent form to share his details.
Actors:
Consent Building Block, Resident, Application, Agent, ID Building Block
Type:
C2G
Steps for approach online:
Agent opens up the consent form.
Describes the services to the resident.
Resident authenticates to the ID Building Block
The resident is redirected to the Application
The Application gets the necessary consent form and shows it to the agent/resident.
The resident chooses to sign the consent form with a button click.
The Application sends the consent form and the bearer token of the user to the e-signature building block API.
The e-signature building block validates (introspects RFC 7662) the bearer token with the ID building block.
Creates the key on the fly and timestamps & signs the document. (different types of signatures are allowed). The key is valid only for a short duration.
The e-signature building block sends back the signature in the requested format (XAdES, CAdES, ASIC, JWS)
The Application decides on the resident’s e-kyc details and sends back the certificate (X509v3) to the USB token.
The e-signature building block will use a certificate authority to get the certificate.
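The online steps above (introspected token, key created on the fly, signature returned as JWS), as an added example that is not part of the original draft or of any building block's code. Assumptions: the function names, the claim names doc_sha256 and key_exp, and the RFC 7662 response passed in as an already-fetched object are all hypothetical; the raw public key in the JWS header and the self-asserted iat stand in for the CA-issued certificate and the timestamp service.

```javascript
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const sha256 = (doc) => crypto.createHash('sha256').update(doc).digest('hex');

// Signing side: what the e-signature building block does after introspection.
// `introspection` is the RFC 7662 response obtained from the ID building block.
function signDocument(doc, introspection, now, keyTtlSec = 300) {
  if (!introspection.active) throw new Error('bearer token is not active');
  // Key created on the fly; the private half is never stored or returned.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  // Assumption: a deployment would carry the CA-issued X.509 certificate here.
  const header = { alg: 'EdDSA', jwk: publicKey.export({ format: 'jwk' }) };
  const payload = {
    sub: introspection.sub,      // who authenticated
    doc_sha256: sha256(doc),     // binds the signature to this exact document
    iat: now,                    // self-asserted signing time (seconds)
    key_exp: now + keyTtlSec,    // short validity of the on-the-fly key
  };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign(null, Buffer.from(input), privateKey);
  return `${input}.${b64u(sig)}`; // JWS compact serialization
}

// Validation side: needs only the document and the JWS, never a private key.
function verifyDocument(doc, jws) {
  const [h, p, s] = jws.split('.');
  if (!h || !p || !s) return { ok: false, reason: 'malformed' };
  const header = parse(h);
  if (header.alg !== 'EdDSA') return { ok: false, reason: 'unexpected alg' };
  // Caveat: a key taken from the header proves integrity only; binding it to
  // the resident requires validating the certificate chain to the CA.
  const key = crypto.createPublicKey({ key: header.jwk, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  const payload = parse(p);
  if (payload.doc_sha256 !== sha256(doc)) {
    return { ok: false, reason: 'document changed' };
  }
  return { ok: true, signer: payload.sub, signedAt: payload.iat };
}
```

The split between signDocument and verifyDocument mirrors the "validation vs creation" distinction noted under Key principles: creation needs the authenticated session, validation needs only the stored signature and the document.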
Alternate Onboarding:
The resident is provided with a smart card as part of the id enrollment.
The smart card has an e-signature certificate pre-burned into it.
The smart card is sent to the resident/picked up by the resident after proper verification.
Steps:
Agent opens up the consent form.
Describes the services to the resident.
Resident authenticates to the ID Building Block
The resident is redirected to the Application
The Application gets the necessary consent form and shows it to the agent/resident.
The resident chooses to sign the consent form with a button click.
The Application redirects to the e-signature building block.
The e-signature building block asks the resident to insert the USB token.
The e-signature building block interacts with the USB token and signs the document.
The e-signature building block sends back the signature in the requested format (XAdES, CAdES, ASIC, JWS) to the Application.
The Application decides to embed or attach the signature data.
The workflows building block sends the signature to the consent building block.
The Application shows the user that consent is signed and he can download it from a link given.
Use case 2: Payroll signature
Can we have the payroll statement signed before it's sent for the payment block?
Type:
G2B or B2B or B2G
Sequence Diagram:
Related use cases
Sign your invoice.
Sign an RFP
Sign a business agreement.
Use case 3: Signing and verifying a document using a desktop computer or mobile phone
<Description by Jürgen Niinre>
Type: C2G, G2C, G2B
Terms and Definitions
Qualified Certificate (EIDAS term) - a certificate that allows the user's digital signature to be equal to a handwritten signature. It can be issued only according to legally accepted procedures.
Qualified Signature Creation Device (EIDAS term) - device that allows users to give signatures. Technically follows legally accepted procedure. There are different types:
Physical token (ID card, Smart card, USB token)
Remote token/EIDAS remote QSCD/Split key (Cloud + App, Cloud + App + Secure element, Cloud + SIM card, Cloud + App + eSIM)
Signing Application - 3rd party or Government Application that implements the document signing.
Standalone application (Desktop, Mobile App)
Embedded application - embedded into another service, e.g. web portal, online self-service, product
Onboarding - the process of issuing a Qualified Certificate and binding it to a Qualified Signature Creation Device, can involve different ways, subject to legislation:
Face to face
Online + authenticated with existing token
Online re-onboarding only
Full online
Prerequisites
The user has been onboarded, has been issued a Qualified Certificate and owns or controls a Qualified Signature Creation Device.
Signing using Application
The user uses the Application directly by choosing documents to be signed (standalone) or through another service, in which case the service will compile the Document needed to be signed by the user
The application will present the documents or data to be signed
The application will authenticate to e-signature BB, using an embedded token that allows a fixed number of requests, e.g. 10 requests/month
The application will create a signature
With Physical token
Application will get the list of Qualified Certificates from the Physical token and allow the user to choose
Application will read the User’s certificate from Physical token
Application will perform User verification
Application will ask User’s PIN code and/or perform a Biometric check
After user enters the PIN and/or performs the biometric check, Physical token is ready to perform the signing operation
Application will forward hash to be signed to Physical token
Physical token will return the signed hash
With Remote token
Application will contact an e-signature BB
e-signature BB will contact a Remote token with hash to be signed and text to display
User’s Remote token will perform verification and signing
User’s Remote token will ask User’s PIN code or perform biometric verification
After User verification is completed, User’s Remote token will sign the hash
Signed hash, with the user's certificate, will be sent back to e-signature BB
e-signature BB will confirm certificate validity
e-signature BB will issue timestamp
e-signature BB will send back a signature with certificate validity and timestamp
Application will save the signature, validity information and timestamp together with document, so that document with this embedded information can be validated later
The application will present results to user
Sequence Diagram:
Related use cases
Use case 4: Signing a consent form
<Description by kadio.kassy >
Type:
Sequence Diagram:
Related use cases
Kassy use cases
Local signature - Cryptographic token
Distance signature - sign your own
Before you get a key you should get the kyc from the certificate authority.
Gtax generates the key and certificate to sign and then returns the application.
- kassy - please update the use cases that you are aware of.
- kassy - please share the links of the esignature services available in your country.
- sasi - update India esign details.
- muttalib - pls update more on this https://legalseba.com/digital-signature-in-bangladesh/
- HR documents (employment contracts, privacy notices, non-disclosure agreements, benefits paperwork), contract management, e-invoices.
- Need to explore more on this. https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/eSignature
Reference:
Introduction to cryptographic digital signature - https://www.youtube.com/watch?v=704dudhA7UI
India e-sign paper - https://cca.gov.in/sites/files/pdf/ACT/eSign-APIv2.0.pdf
India Other modes: Device-based.
Estonia eSignature mobile application - https://www.id.ee/en/article/ria-digidoc-mobile-application/
Estonia eSignature desktop application - https://www.id.ee/en/rubriik/using-digidoc4/
Estonia eSignature creation and verification libraries - https://www.id.ee/en/article/digidoc-libraries-overview/
Estonia eSignature timestamp service - https://www.skidsolutions.eu/en/services/time-stamping-service/
Estonia eSignature validity confirmation Service - https://www.skidsolutions.eu/en/services/validity-confirmation-services/
Estonia eSignature(container) format - bdoc-spec212-eng.pdf
Estonia eSignature certificate format - https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID2018-EN-v1_3_20220217.pdf
Estonian citizens can choose a suitable method for digital signing themselves. Nowadays, there are four common ways to do so:
An ID-card, which is a mandatory identity document for all Estonian citizens. The PINs required for electronic signing are issued to you in a security envelope with the card. In order to use your ID-card, you also need a card reader and ID-software.
A digital ID card: Estonian citizens can use their digital IDs in parallel with ID-cards while foreigners are issued e-resident’s digital IDs.
A mobile-ID is a SIM card-based solution for electronic authentication and digital signing with a mobile phone. Mobile-ID SIM cards are issued by mobile network operators.
A Smart-ID is a SIM-independent device-based solution for smartphones.
Standards
PAdES - PDF
https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf
https://www.etsi.org/deliver/etsi_en/319100_319199/31914202/01.01.01_60/en_31914202v010101p.pdf
XAdES - XML
http://www.etsi.org/deliver/etsi_ts/101900_101999/101903/01.04.02_60/ts_101903v010402p.pdf
CAdES
https://tools.ietf.org/html/rfc5126.html
Timestamping