A company needs to get one or more documents signed by one or several of its customers (signers) using the signers' electronic ID (eID). During the process the company needs to know the status of the signing so that it can continue its own process with the customer, for example by issuing a loan or establishing a customer relationship. This can be accomplished using the E-Signing service. A typical flow:
- The company initiates a signing by sending a sign order to E-Signing
- E-Signing will process and prepare the document(s) for signing by the signer(s).
- The signer can either be directed to a sign page by the company or by accessing a link in an e-mail notification from E-Signing.
- The signer is optionally asked to identify using the Nets E-Ident service before being allowed access to the document.
- The signer signs the document using an eID. E-Signing presents the user with either one or a list of eIDs to select from.
- The document is signed and the service can perform several actions:
  - Verify that the signer has a right to sign, in a business-to-business interaction, using ID-Rights
  - Archive the document to E-Archive
  - Notify the company that the document is signed using XML notification call back
Throughout the entire process the company can ask for the status of the sign order or receive notification call backs about status changes.
Key functionalities in E-Signing
Sign order service
The E-Signing service is built up as a sign order service where customers send a sign order to the service and the service processes it. The service is contacted through the TrustSignMessage web service protocol, which consists of a set of messages to
- insert sign orders,
- manage sign orders,
- get sign order information and
- handle the signed document.
The creation of the sign order gives the direction and guidelines for how the rest of the sign workflow will be. A sign order can consist of one or several documents and one or several signers that shall sign one or more of the documents. For each document a number of needed signers can be set meaning that only a subset of the defined signers needs to sign the document. The document format to use is either PDF, TEXT or XML. There are some restrictions on the format to use dependent on the eID the signer shall use.
The signer can either be a physical person (an end user) or an organisation (the E-Signing customer). The organisation signature is done automatically in E-Signing using the customer's organisational certificate of choice.
A sign order can be set up with rules about which document is to be signed by which signer(s) and rules regarding the order of signing. The order of signing is controlled by steps, and the sign workflow can be defined as sign processes that happen in parallel, sequentially or as a combination of both. The sign order can also be given sign deadlines on the order, step and sign process level. See the Definitions for info about steps, sign processes and the different sign workflows.
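The workflow rules above, as an added sketch that is not Nets code and does not follow the TrustSignMessage schema. It assumes that steps run sequentially, that sign processes inside a step run in parallel, and that the remaining sign processes for a document close once its number of needed signers is reached; all class, field and status names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class SignProcess:
    signer: str
    document: str
    signed: bool = False

@dataclass
class SignOrder:
    needed_signers: dict   # document -> number of signatures required
    steps: list            # each step is a list of SignProcess (hypothetical model)

    def document_complete(self, document):
        count = sum(p.signed for step in self.steps for p in step
                    if p.document == document)
        return count >= self.needed_signers[document]

    def open_processes(self):
        """Sign processes of the first unfinished step that still need a signature."""
        for step in self.steps:
            pending = [p for p in step
                       if not p.signed and not self.document_complete(p.document)]
            if pending:
                return pending
        return []

    def sign(self, signer, document):
        """Record a signature; refuse it when that sign process is not open."""
        for p in self.open_processes():
            if (p.signer, p.document) == (signer, document):
                p.signed = True
                return True
        return False  # out of order, unknown signer, or signature no longer needed

    def status(self):
        done = all(self.document_complete(d) for d in self.needed_signers)
        return "complete" if done else "in_progress"

def build_sample_order():
    # Constructed sample: 2 of 3 signers on loan.pdf, then one signer on terms.pdf.
    return SignOrder(
        needed_signers={"loan.pdf": 2, "terms.pdf": 1},
        steps=[
            [SignProcess("alice", "loan.pdf"), SignProcess("bob", "loan.pdf"),
             SignProcess("carol", "loan.pdf")],
            [SignProcess("alice", "terms.pdf")],
        ],
    )
```
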
The sign order can also define some optional directions and guidelines like:
- the eID the signer shall use
- if the signer must identify himself before viewing the document
- if the signatures on one or more documents shall be verified towards a business register
- if the signed document shall be archived
E-Signing supports all major Nordic eIDs, and the E-Signing customer selects which of them to offer. The signer will be presented with either all the customer's selected eIDs or directed straight to one eID. The signer is directed to a specific eID if the customer has only selected one eID, if a forcevendor parameter is set on the sign URL or if only one AcceptedPKI has been defined for the signer when creating the sign order.
E-Signing hosts a customer’s organisation certificate on behalf of the customer. The organisation certificate is issued to the customer's organization. The following is the usage of the customer's certificate in E-Signing:
- In the communication with eIDs the certificate is used when using the signing client and to validate a signer's certificate.
- If the customer is one of the signers of a document (defined in the sign order), the certificate is used to sign automatically. If the customer has more than one eID enabled, the eID to use must be specified in the sign order as well.
- Optionally: The entire SDO is signed to ensure its integrity. The customer's certificate can be used for this purpose. Alternatively, a Nets issued certificate may be used as the seal certificate.
Read more about the supported eIDs.
The E-Signing service offers two user interfaces (UI) for the signer: embedded or standalone UI. The embedded option allows customers to present E-Signing service UI within their own web UI as an iframe solution while the standalone option presents the sign process within a standardized visual profile from Nets.
The service can distribute notifications to either the signer or the E-Signing customer. The signer can receive information by e-mail or SMS while the customer may receive either XML, e-mail or SMS notifications. The service distributes notifications based on either status changes for a sign order, a step or a sign process, or reminder settings related to a deadline. The information and the information channel are based on triggers defined for each signer in the sign order.
The XML notification call back is defined in the TrustNotificationMessage protocol.
Read more about the protocol.
Identification before signing
The signer of a document can be requested to identify prior to accessing and reading the content of the document. This is defined for each document in the sign order using the RequiresAuthentication element. If confidentiality protection of the document to be signed is required this function should be used. It is the E-Ident service that is used when identifying the signer.
Advanced electronic signing based on authentication
The E-Signing service includes functionality for producing advanced electronic signatures (PKI-based signatures) by use of non-PKI based eID services (typically One Time Passcode or token authentication services).
Read more about this functionality.
Verification of sign rights
The ID-Rights service has been integrated with E-Signing, offering the possibility to verify procuration and signing rights after all documents in a sign order have been signed. It is also possible to fetch and attach business certificates to the signed document (attached in the SDO structure).
Read more about this functionality.
Signed document formats
A signed document from E-Signing is either in the format of an SDO or a PAdES. The SEID SDO is based upon ETSI TS 101 733 (CAdES) and ETSI 101 903 (XAdES) while the PAdES format complies with ETSI TS 102 778.
Read more about the signed document formats in E-Signing.
E-Archive service is tightly integrated with E-Signing, and signed documents (SDOs) can be automatically archived in E-Archive. Archival must be defined when inserting the sign order. Note: Signed documents are only available in E-Signing for 90 days, and automatic archival to E-Archive is recommended.
Read more about E-Archive in E-Signing.
Validation of SDO
Nets offers an SDO validator, the E-Signing validator. The validator can either be used manually by browsing for files, or a customer can call the validator using HTTP POST to force validation of a specific SDO. The E-Signing validator is available at https://www.sign.nets.eu/validator/index.html .
Read more about the E-Signing validator.