Authentication-based signing

​The E-Signing service includes functionality for producing advanced electronic signatures (PKI-based signatures) based on an eID authentication.

Nets E-Signing service utilizes the different eID authentication services for issuing a short-term signing certificate. The short-term certificate is used to create a strong PKI-based signature attached to the document. The certificate is issued by a Nets CA. It is valid for 15 minutes and it is only used for this particular purpose. The certificate and a certificate validation (OCSP) are added to the SDO (signed document object).

Note:  Nets are also offering customers the option to set up their own CA that issues the short-term certificates. For more information, use the Contact us form.

Advanced electronic signature.jpg 

  1. The signer is directed to the page showing the document. The document can either be a TEXT or a PDF document. When the signer has read the document he/she will need to click on a “Sign” button. 
  2. The signer is directed to the eID’s authentication service where he/she is prompted for his/hers authentication credentials (similar to a standard authentication). 
  3. When the signer has been authenticated, E-Signing creates a short-term certificate which is used to create an advanced signature on the document. An SDO is generated if this is the last sign process in the sign order. The signer is redirected back to either a sign ok page or to the customer’s web page. 

Short-term certificate issued by Nets CA

The short-term certificate issued by the Nets CA will have these values:

​Subject attribute​Value
​CN​Full name from ID Token.
​OU​Signer authenticated by <name of eID>: <bank (Finnish bank ID only)>
​O​Nets Branch Norway - 996 345 734
​C​NO
​SerialNumber​PID or SSN

Implementation considerations

Example of sign order

To enable authentication-based signing, the EndUserSigner element must be updated with AcceptedPKIs -> Nets. The eID to be used is identified in the AuthenticationID element. Allowed values are listed here. You don't have to specify any particular eIDs. In that case, all eIDs configured for your customer configuration will be displayed to the signer. An example of how the Signers element may look like in that case is shown below:

 

<Signers>
	<Signer>
		<EndUserSigner>
			<LocalSignerReference>signerref1</LocalSignerReference>
			<Name>Test User</Name>
			<AcceptedPKIs>
				<Nets>
				</Nets>
			</AcceptedPKIs>
		</EndUserSigner>
	</Signer>
</Signers>

An example of a combination of authentication-based signing and native signing:

<Signers>
	<Signer>
		<EndUserSigner>
			<LocalSignerReference>signerref1</LocalSignerReference>
			<Name>Test User</Name>
			<AcceptedPKIs>
				<Nets>
					<Authentication>             
						<AuthenticationID>nets_sms</AuthenticationID>
                        <SignerID>
                            <IDType>PID</IDType>
                            <IDValue>+xxxxxxxxx Lastname, Firstname</IDValue>
                        </SignerID>
					</Authentication>
					<Authentication>
						<AuthenticationID>se_bankid</AuthenticationID>
					</Authentication>
				</Nets>
			</AcceptedPKIs>
		</EndUserSigner>
	</Signer>
</Signers>

It is not allowed to add both a native and authentication-based signing for the same eID. This is an example of what's not allowed, here with Swedish BankID as an example:

<Signers>
	<Signer>
		<EndUserSigner>
			<LocalSignerReference>signerref1</LocalSignerReference>
			<Name>Test User</Name>
			<AcceptedPKIs>
				<BankIDSE>
				</BankIDSE>
				<Nets>
					<Authentication>
						<AuthenticationID>se_bankid</AuthenticationID>
					</Authentication>
				</Nets>
			</AcceptedPKIs>
		</EndUserSigner>
	</Signer>
</Signers>

 

Usage of forcepkivendor parameter

The forcepkivendor parameter may be used to show only a subset or just one of the eIDs available for a specific sign order. For authentication-based signing, the value is prefixed with "abs:". See the list of all accepted forcepkivendor values.

Custom properties values added to the SDO

The SDO will contain a set of custom properties with details about the authentication-based signing. This information will be added for each signature:

  • document-open-time: The time when the signer opened the document.
  • authentication-completed-time: The time the authentication was completed.
  • signer-ip-address: The IP address of the signer.
  • user-agent: The signer's user agent.
  • signing-time: The time of signing.
  • id-token: The ID token from the signer's authentication. This includes all information about the signer, and the short-term certificate is based on values from this.

Read more about the custom property values.

Finding the SSN in the SDO

If the eID handles the social security number (SSN) and the customer configuration is setup to allow usage of SSN, the SSN will be returned as a claim in the custom property named id-token. The claim is named ssn and will in cases where the SSN of the signer is known be returned.

GetSignature

The SSN of a signer can be fetched from E-Signing using the GetSignature call​. The SSN is returned in the SignerID / IDValue element of the response. This requires that the you are allowed to get SSN in return.

Identification before signing functionality

If the sign order has specified that the signer must identify herself before reading the document, the signer doesn't have to identify herself once more after reading the document. The short-term certificate used to form the signature of the document will be based on the first authentication. If the signer uses more than 30 minutes to read the document, she will be prompted for a new authentication before the document is signed.

Read more about the identification before signing functionality.

Validation of SDO

The SDO can be validated and opened using the E-Signing validator.

Read more about E-Signing validator.