QSCD (remote SCD) API

Certificate request

CSR

CSR (public key) is collected from SCD to create a Certificate. How the CSR is sent from a remote device is currently out of scope (can be e/mail/sms with request to install app, etc). Mandatory

SCD type

• remote SCD App

• remote SCD App + Secure Element

• remote SCD eSIM

• remote SCD SIM

Type of SCD. Mandatory

SCD remote ID

String

ID in a remote system that handles the messaging between SCD-s, depends on SCD type.

For Apple devices

• Device Token https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/sending_notification_requests_to_apns

• Android Devices Registration Token https://firebase.google.com/docs/cloud-messaging/android/client

• Other/Custom solution, depends on its specs

Mandatory

SCD key id

Number

They private key ID inside SCD for what the CSR corresponds with Mandatory

Authentication token

JWT

Authentication token as result of ID Building Block. Mandatory

Payment token

JWT

Payment token to indicate that payment has been done. If not present and payment is required HTTP 402 error is thrown. Optional

CertificateID

String

CertificateID identifies the SCD and binds it with the Certificate to be used. Mandatory

Unique pseudonym

String

Unique pseudonym for CertificateID

Certificate

PEM

Certificate that was issued. Mandatory

Status & description

• OK

• ERROR - in case of error also error description

Mandatory

Authentication token

or

Unique pseudonym

String

Authentication token can be used to query all user's certificates. In case unique pseudonym is used only a particular Certificate and CertificateID is returned.

Mandatory

Filter

String

filter to filter certificates by “All”|”ACTIVE”, ”Expired”|”Suspended”|”Revoked”

Certificate

X.509

User’s certificate

Mandatory when Status is OK

CertificateID

String

ID that binds Certificate and SCD and is used to send the request to user.

Mandatory when status is OK

Status & description

• ACTIVE

• ERROR - in case of error also error description should be added

• EXPIRED

• SUSPENDED - suspend cause should be added

• REVOKED - also REOVOKE cause should be added

Mandatory

CertificateID

String

Mandatory

Authentication Token

JWT

Authentication token is necessary and should belong to a user or an authority

Mandatory

Status & reason

• SUSPENDED - add reason text

• REVOKED - add reason text

• ACTIVE - activate

Mandatory

Allowed transitions

ACTIVE->SUSPENDED

ACTIVE->REVOKED

SUSPENDED->ACTIVE

SUSPENDED->REVOKED

Status & description

• ERROR - in case of error also error description should be added

• SUSPENDED - suspend cause should be added

• REVOKED - also REOVOKE cause should be added

Mandatory

CertificateID or

uniquePseudonym or

Authentication Token && Payment Token

String

Mandatory

In case CertificateId or uniquePseodonym is presented SCD Signature is created,

If Authentication Token and Payment Token are presented then One time signature is created

format

• XAdES

• CAdES

• ASIC

• JWS

Pre format the signature in a given format so that it can be more easily inserted by the formatting library. Mandatory

hash

byte array in base64

Has to be signed. Hashing of document is responsibility of Signer Application and is done by formatting library. Mandatory

hash type

• SHA2/3-256

• SHA2/3-384

• SHA2/3-512

• BLAKE2B

Mandatory

data to be displayed

String

Information to be displayed on users device, can involve free text like “Accept childcare request”, transactionId, etc. Mandatory

signature

byte array in base64

signature that is preformatted according to format

certificate

X.509

certificate with public key

timestamp

rfc3161 asn.1 in base64

timestamp of the signature

status

• ERROR - in case of error also error description should be added

• OK

Mandatory