One of the first questions is can you trust the signature if you receive an electronically signed document? ETSI has established a technical committee (TC) electronic signatures and infrastructures (ESI) to address these questions. ETSI is an international organization producing globally applicable standards for ICT-enabled systems.
eID Easy is helping to create digital signatures so most relevant standard is ETSI TS 119 102-1 Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation
Signature Creation Environment (SCE) consists of:
- a signer that wants to create a signature;
- a Driving Application (DA) which represents the environment (e.g. a business application) that the signer uses to access signing functionality; and
- a Signature Creation System (SCS) which implements the signing functionality.
Signature creation can happen either automatically, for example electronic seals, or require involvement of a human signer to authorize one or more signatures to be created at once.
Most basic part of the AdES digital signature creation process is the Signature Creation Device, it is the HSM, Smart Card, USB Crypto Token, Smartphone app, SIM card etc that is storing the private key that Signer can activate to create the signature. Sometimes private keys can also be in the form of a file but it is insecure and generally such signatures are not trusted internationally and it is a rare exception if any Trust Service Provider will issue such a certificate at all.
eID Easy is best described as a Signature Creation System which is a Signature Creation Application complementing Signature Creation Device. In reality it means getting an unsigned Singers Document, talking with the Signature Creation Device, requesting authorization from the signer and producing the signed file.eID Easy does this with a big number of different devices, Trust Service Providers and Certificate Authorities.
eID Easy customers are Driving Applications. These are businesses and applications that provide the workflow and UX to signers, they collect or generate documents to be signed, they manage (drive) the signature process at a high level and handle the signed documents.
What actually happens inside the Signature Creation System (SCS) and Signature Creation Application (SCA)?
Signer’s Document (SD) is converted into Signer’s document representation (SDR). This means using an algorithm like SHA-256 to digest the document data. In the case of XAdES, CAdES and ASiC-E the hash is generally created from one or more files exactly as they are. In case of PAdES the bytes referred to the ByteRange in the signature dictionary are taken and a digest is calculated over them.
You might think that this is the digest that will be signed but it is not. There are more Signed Attributes, for example public certificate of the signer, time of signing etc. Putting it all together we will get Data to be signed (DTBS). This data must be in very specific format and ordering which is called Data to be signed (formatted) (DTBSF)
Actual digest that will be signed is calculated when hashing DTBSF and it is called Data to be signed representation (DTBSR)
Signature Creation Application takes the DTBSR (SHA-256 digest) and sends it to the Signature Creation Device, which uses its private key to encrypt the value that can be validated with public key. This is not much of a use on its own as it is just an array of bits. The Signed data object (SDO) is needed to have complete info about the signed document and the signer.
