Scope
Phase 1:
Limit the scope of work to the following
Ability to create and manage keys in remote QSCD.
This is needed to support the server-side signing of documents. Mostly used by applications without much user involvement.
Use cases like Payroll signing, agreement signing etc are handled using this API. Does not require an individual or would not interact with the ID building block.
Ability to create & sign using dynamic short-lived keys in remote HSM.
This is needed to support the ID BB-based signature. Mostly used by the end user to sign documents or by the applications on behalf of the end user and sign.
Use cases like consent, tax filing, request for registration etc can be handled.
Support for the following signature formats:
XAdES
CAdES
ASIC
JWS (RFC 7515)
PAdES
No administrative APIs are needed to cater to this requirement. So administrative APIs will be left out of the scope
Client-side libraries to be provided to merge the signature with payload ( PDF, XML & JSON)
Use case:
Step 1: The agent asks the mother to register for mother-child care and opens the UI BB for Registration BB.
Step 2: Mother authenticates herself using biometrics. (ID BB) and provides scope access to e-sign.
Step 3: The child is verified using his/her identification.
Step 4: A form is shown to the mother by the registration bb (UI BB of the registration bb)
Step 5: The agent helps her in filling in the details & explains the terms and conditions.
Step 6: Mother decides to sign the form, terms & conditions and clicks the “Sign using e-signature” button.
Step 7: The UI BB submits to the details to the Registration BB.
Step 8: The Registration BB calls the e-signature BB with an access token from the ID BB.
Step 9: The e-signature BB will call the token to introspect the API of the ID BB.
Step 10: The ID BB returns the user details, user PSUT (Partner Specific User Token) and the scope as consented.
Step 11: The e-signature BB verifies the information, if ok then signs (look for alternate flows) the given Hash in the requested format. The signature would have been timestamped.
Alternate Flow 1:
The e-signature block creates a random signature key which is valid for 5 minutes. Creates certificate with the user details filled in X509 V3.
Alternate Flow 2:
The e-signature block asks the PIN of the user to verify the certificate validity and sign using the QSCD.
Step 12: The e-signature BB would return the signature (as per the requested format) to the registration BB.
Step 13: The registration BB will call the e-signature client-side library to merge the given signature to the document if needed.
Step 14: The e-signature client-side library will return the final document to the Registration BB.
Step 15: The Registration BB would store this signed information and would let the user review and download the signed & completed application.
Logical Process Blueprint
This table describes all the input and output needed from the building blocks.
From BB | To BB | Description | To Input | To Output | Mandatory |
---|---|---|---|---|---|
e-Signature BB | ID BB | Check if the given access token is valid | access token, client id | validity as per RFC 7662 | Yes |
e-Signature BB | ID BB | Get the user name and age details | Input access token, client id | get user info object as per openid spec | Yes |
e-Signature BB | Payment BB | Redirect & collect the payment | Payment amount | result of payment | No |
e-Signature BB | Payment BB | Check the payment status/result | user id, transaction id | payment result, amount, payment date | No |
Registration BB | e-Signature BB | Register/Onboard the user on QSCD | access token, client id, call back URL, signed jwt | Redirect the browser | Yes |
e-Signature BB | IM BB | Check if the registration BB call back URL is registered. Check if the registration BB is listed | registration bb’s signed JWT request | Yes/No - based on the validity of JWT and client id. | Yes |
Consent BB/Any BB | e-Signature | Sign the hash. | hash, format, user access token, bb’s signed JWT request, type of key (RSA, ECC etc) | Signature, Certificate. | Yes |
Consent BB/Any BB | e-Signature | Check for validity of signature, this service should be available for everyone. | hash, signature, format, user access token (optional) | Yes/No | Yes |
Consent BB/Any BB | e-Signature | Get information about the e-signature building block | None | Signature device support (QSCD, HSM), formats (xaeds …), algorithm (RSA, ECC..), revocation details, timestamp URL, ID BB supported, Supported CA and CA certificate url. | Yes |
Consent BB/Any BB | e-Signature (Client) | Ability to merge the files for embedded signatures | document, hash, format | signed document | Yes |
Sequence diagram
HSM Based Single key per sign
QSCD based signature using PIN/Password
Remote QSCD Onboarding
Attached is the board that’s used in the GitBook Description.