English

Smart-ID digital signing for your e-service

Digital signatures given with Smart-ID have the same legal standing as handwritten ones. Smart-ID is eIDAS certified, gives the highest level (QES) signatures that are accepted standard across European Union.

If you want Smart-ID to support your e-service, start with the integration process.

All the technical information is available on the Smart-ID GitHub

Getting ready to use Smart-ID digital signing

When you sign up for the Smart-ID service and want to use it for Qualified Electronic Signatures, there are two related services you’ll need. So when you’re signing up for Smart-ID, also add OCSP and Time-Stamping to your order form!

You can start developing with our test services: it’s free, secure and there is no time limit so you can switch to live services when you’re ready. Just remember to sign up.

Smart-ID: the authentication and electronic signature creation device

The Smart-ID solution is based on a simple REST API that can be easily used with all modern development frameworks.

As soon as SK ID Solutions will receive a signed Smart-ID order and confirm it, you’ll be able to access Smart-ID end-point on your server.

OCSP: checking the certificate status

Online Certificate Status Protocol, known as OCSP or Validity confirmation services is required to check the revocation of a digital certificate, or in other words, to make sure that the person signing takes on legal responsibilities for its signature.

How it works: as an OCSP client, your system will send the responder (OCSP server) a query about the certificate. The responder checks both the validity (or non-validity) of the certificate and the confirmation time, and then returns a digitally signed response signifying that the certificate specified in the request is ‘good’, ‘revoked’, or ‘unknown’. If it cannot process the request, it may return an error code.

OCSP technical specifications
Test service address: http://demo.sk.ee/ocsp

Time-Stamping: to ensure the non-repudiation of signatures

The Time-Stamping service is needed to certify the existence of a certain data at a certain time no one is able to change data once it’s saved and confirmed with the time stamp. It is, therefore, widely used in digital signing or archiving documents. SK ID Solutions time-stamping service uses PKI, is compatible with international standards, and issues eIDAS qualified time stamps.

Technical specifications for time-stamping
Test service address: http://demo.sk.ee/tsa/

Creating a container

You need to create a container of the technical signature with Smart-ID and other included services. We’ve tried to make it as smooth as possible:

Smart-ID client libraries (PHP, Java, Ruby) help you get set. Of course, you can also build your own container.

In order to create a container, check out DigiDoc4j and Digital Signing Service (DSS) repositories.

For external signing services: take a look at Adobe Acrobat Sign, eDoks, Dokobit and SigningServices.

Step 1:
tools to create the electronic signature of the file

  • Create a signature container
  • Upload file. We support files as ASICE, PDF, eDOC, aDOC and other files, but recommend using ASICE (as it’s the standard accepted across European Union).
  • Sign the file with Smart-ID by entering PIN2 on your device to confirm the transaction.

Step 2:
lock in the signing time

Step 3:
validation of the user’s certificate

  • You need to include validation information about the user’s certificate, using the OCSP service.

Signing flow

WHAT DOES THE SIGNING FLOW LOOK LIKE?

All the communications with the end-user and trust services are handled by Smart-ID back end, so your system only needs to connect to it. If you want to use Smart-ID for signing as well as authentications, you need to be signed up for the OCSP and timestamping services as a prerequisite.

QES-LEVEL SIGNATURE FLOW:

The signee needs to be pre-authenticated before signing so that your system can generate a hash for the signature request (and post it with the user’s identifier) to our back end. All validity checks will be performed by Smart-ID. The answer that your system receives will either be digitally signed (in which case you can save the signature and publish the result of success) or contain the session status (i.e. reason for failure).