Signed Statement signature requests

August 4, 2017 March 11, 2019

Signicat Signature with Signed Statement enables the end-user to use a supported ID method to digitally sign a short text statement. The statement expresses the end-user’s consent to signing the contents of one or more separate documents, and is constructed so that it includes the description/title of each document. The end-user only needs to sign once, regardless of the number of documents.

For ID solutions that support non-visible properties as part of the data to be signed, a data structure containing cryptographic message digests of the documents to be signed is also included. This further enhances the connection between the documents to be signed and the signed statement.

The signed statement, as well as each original document, audit trails, and other evidence collected during the signing ceremony, is combined into an LTV-SDO which is then digitally sealed by Signicat. One LTV-SDO is created for each original document.

Different levels of Signicat Signature

  1. Direct authentication-based signature
  2. Simple signed statement
  3. Signed statement with non-visible properties

Common for all these levels is that the main piece of evidence (SAML response, Signed Statement) is combined with other pieces of evidence into an LTV-SDO and digitally sealed by Signicat.

Creating a Signed Statement signing order

In order to trigger the use of Signed Statement, certain conditions must be fulfilled:

  • The bundle attribute on the task element must be set to true
  • The responsive attribute on the signature element must be set to true
  • The request must be sent to DocumentService-v3

The following SOAP example will result in a signing order for Signicat Signature with Signed Statement.

Signing Order Request Example
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns="https://id.signicat.com/definitions/wsdl/Document-v3">
   <soap:Header></soap:Header>
   <soap:Body>
      <create-request-request>
         <service>signicat</service>
         <password>Bond007</password>
         <request>
            <document id="1" mime-type="text/plain" xsi:type="provided-document" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
               <description>Text document</description>
               <data>VGFzayAx</data>
            </document>
            <task id="1" bundle="true">
               <document-action type="sign">
                  <document-ref>1</document-ref>
               </document-action>
               <signature responsive="true">
                  <method>nbid-sign</method>
               </signature>
            </task>
         </request>
      </create-request-request>
   </soap:Body>
</soap:Envelope>

Note that, while this example utilizes a provided text document, Signed Statement signing orders also support signing of PDF documents from SDS and the like, just like regular requests. You can find more about this in our guide for getting started with signing.

Additions to the result document (LTV-SDO)

In addition to the SAML response containing the signature value for the signed statement, the original sign text in its unprocessed form is also included:

<ltv:Authentication>
    <ltv:SAMLResponse Format="urn:signicat:format:saml-1.1" MimeType="application/x-saml+xml" Version="1.0"> [REMOVED FOR BREVITY] </ltv:SAMLResponse>

    <!-- THIS IS THE NEW PART -->
    <ltv:SignedStatement>
        <ltv:VisibleSignText> [HERE GOES VISIBLE SIGN TEXT] </ltv:VisibleSignText>
        <ltv:NonVisibleSignText> [HERE GOES NON-VISIBLE SIGN TEXT] </ltv:NonVisibleSignText>
        <ltv:DocumentIndex> [HERE GOES REFERENCE TO NON-VISIBLE SIGN TEXT]</ltv:DocumentIndex>
    </ltv:SignedStatement>
    <!-- NEW PART ENDS HERE -->

</ltv:Authentication>

The sign text

Visible sign text

The visible part of the sign text is the statement presented to the end-user, expressing the end-user’s consent for the documents to be signed. This text is automatically generated by Signicat.

Non-visible sign text

The non-visible part of the sign text is a JSON data structure containing cryptographic message digests of each of the documents to be signed, together with a zero-based index and the document’s description and MIME type.

Example of non-visible sign text
{
  "attachments": [
    {
      "index": 0,
      "documentDescription": "document.pdf",
      "mimeType": "application\/pdf",
      "primaryDigestValue": "aren3Efg3BTksqd7Iht0GWccosAFDL5ZAk4qi+2ifNU=",
      "primaryDigestMethod": {
        "algorithm": "http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"
      },
      "secondaryDigestValue": "mU7l\/lD\/HSWUzZY2yxNZ1ys34SNYm7vx2Jk8WBL51Vs=",
      "secondaryDigestMethod": {
        "algorithm": "http:\/\/www.w3.org\/2007\/05\/xmldsig-more#sha3-256"
      }
    }
  ]
}

Document index

If multiple documents are signed, the same sign text will be included in each LTV-SDO. In other words, each separate LTV-SDO will contain a sign text referring to each and every one of the documents. In order to make the connection between the LTV-SDO and the entry in the non-visible sign text clear and unambiguous, the zero-based index of the relevant entry in the non-visible sign text is included in each LTV-SDO.
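The check a relying party can run on the non-visible sign text and document index described above, as an added example that is not Signicat's own code. It assumes the digest values are base64-encoded digests of the raw document bytes (the page does not state the encoding); the function names are hypothetical and the sample data is constructed inline.

```python
import base64
import hashlib
import json

# Allow-list of digest algorithm URIs (as in the page's sample) mapped to hashlib names.
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2007/05/xmldsig-more#sha3-256": "sha3_256",
}


def digest_b64(algorithm_uri, data):
    """Base64 digest of data; algorithms outside the allow-list are rejected."""
    name = DIGEST_ALGORITHMS.get(algorithm_uri)
    if name is None:
        raise ValueError(f"unsupported digest algorithm: {algorithm_uri}")
    return base64.b64encode(hashlib.new(name, data).digest()).decode("ascii")


def verify_document(non_visible_sign_text, document_index, document, mime_type):
    """Return a list of mismatches between `document` and its sign-text entry ([] = match)."""
    # json.loads also unescapes the "\/" sequences seen in the page's sample.
    attachments = json.loads(non_visible_sign_text)["attachments"]
    # Select by the declared "index" field, not by array position.
    matches = [a for a in attachments if a.get("index") == document_index]
    if len(matches) != 1:
        return [f"expected exactly one entry with index {document_index}, found {len(matches)}"]
    entry, problems = matches[0], []
    if entry["mimeType"] != mime_type:
        problems.append("mimeType mismatch")
    # Both digests must match; a single matching digest is not accepted.
    for prefix in ("primary", "secondary"):
        actual = digest_b64(entry[f"{prefix}DigestMethod"]["algorithm"], document)
        if entry[f"{prefix}DigestValue"] != actual:
            problems.append(f"{prefix} digest mismatch")
    return problems


def build_sample(documents):
    """Constructed sample: sign text in the page's layout for (description, mime, bytes) tuples."""
    uris = list(DIGEST_ALGORITHMS)
    return json.dumps({"attachments": [{
        "index": i, "documentDescription": desc, "mimeType": mime,
        "primaryDigestValue": digest_b64(uris[0], data),
        "primaryDigestMethod": {"algorithm": uris[0]},
        "secondaryDigestValue": digest_b64(uris[1], data),
        "secondaryDigestMethod": {"algorithm": uris[1]},
    } for i, (desc, mime, data) in enumerate(documents)]})
```

In practice the first two arguments come from the NonVisibleSignText and DocumentIndex elements of the LTV-SDO, and the document bytes from the original document carried in the same LTV-SDO.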

Supported ID methods

The methods that currently support Signed Statement signatures are as follows:

| ID method | Signature type |
|---|---|
| Norwegian BankID | Simple signed statement |
| Norwegian BankID on mobile | Simple signed statement |
| Swedish BankID | Signed statement with non-visible properties |
| Danish NemID | Signed statement with non-visible properties |
