All-In Signing Service Reference Guide Version 1.X

All-in Signing Service Reference Guide
Version: 2.10

© Copyright
This document, its contents and the ideas and concepts referred to therein are confidential and the intellectual property of Swisscom (Switzerland) Ltd. Any use other than the intended use and any disclosure to third parties other than as stated in the terms and conditions of contract is permitted only with the prior written consent of Swisscom (Switzerland) Ltd.

C1 - Public
Swisscom (Switzerland) Ltd

Contents

1 Introduction
  1.1 Terms and abbreviations
  1.2 Referenced documents
2 Overview and main scenarios
  2.1 Overview of Trusted Timestamps and Static CMS Signatures
  2.2 Overview of On Demand CMS Signatures
    2.2.1 Step-Up authentication
3 Preconditions and assumptions
  3.1 Internet access
  3.2 Certificate based client authentication
  3.3 Request authorisation
4 All-in Signing Service Introduction
  4.1 Communication Modes
  4.2 Type of Signatures
  4.3 Adding Trusted Timestamps
  4.4 Adding Revocation Information (long-term signature)
  4.5 Declaration of Will (Step-Up Authentication)
  4.6 Batch Processing
  4.7 Detached Signature and Verification
5 All-in Signing Service Interface
  5.1 Overview
    5.1.1 Interface Description
    5.1.2 HTTP/1.1 Header
    5.1.3 Swisscom Basic Profile
    5.1.4 Document Hash
    5.1.5 Signing Options
    5.1.6 On Demand Certificate Policy and Certification Practice Statement (CP/CPS)
  5.2 Trusted Timestamp
    5.2.1 Trusted Timestamp SignRequest
    5.2.2 Trusted Timestamp SignResponse
  5.3 CMS Signatures
    5.3.1 CMS SignRequest for Static Signatures
    5.3.2 CMS SignRequest for On Demand Signatures
    5.3.3 CMS SignResponse
  5.4 Asynchronous Mode
    5.4.1 SignRequest
    5.4.2 SignResponse
    5.4.3 PendingRequest
    5.4.4 PendingResponse
  5.5 CMS On Demand Signatures with Step-Up Authentication
    5.5.1 SignRequest
    5.5.2 SignResponse
    5.5.3 PendingRequest
    5.5.4 PendingResponse
    5.5.5 SignResponse (SUCCESS)
  5.6 Static Plain Signatures (PKCS#1)
  5.7 Fault Response Message
    5.7.1 Wrong Digest Size (example)
    5.7.2 Step-Up Authentication: Mobile ID User Account Problem (example)
    5.7.3 Step-Up Authentication: User Cancel (example)
    5.7.4 Step-Up Authentication: SerialNumber Mismatch (example)
  5.8 Best Practices
    5.8.1 On Demand Step-Up Pre-Signing Process

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    68 pages
