Digital Signatures for use by IDA Relying Parties v102
1. Digitally signing forms at IDA Relying Parties
Jon Shamah
EJ Consultants
04/09/2012
1 Commercial in Confidence E J Consultants
2. IDA limitations and suggested resolution
• IDA scheme as currently envisaged does not include any digital signing capability for on-line forms.
  – Provides authentication to a relying party only
• Potential resolution is to create an appliance-based PKI at the relying party with authorisation linked to the customer’s mobile.
  – The Relying Party in effect acts as the Registration Authority for its IDA-authenticated customers
• The advantage is that this simple approach to on-line form signing helps agencies justify inclusion in IDA with no impact on current procurements and existing scheme architecture
3. [Diagram labels: Customer; Portal; IdSP Hub; Login; Authenticate]
Customer starts sign-in to his account on the portal. He is redirected to his IdSP for authentication.
4. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer]
IdSP issues SAML2 assertion. Hub communicates with Session Manager, which matches the credential to internal customer data to establish identity.
5. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer; 3 Establish Session]
Session Manager establishes session.
6. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer; 3 Establish Session]
Unique customer certificate is created in the appliance, and its key can only be used via delegated release using an OTP.
7. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer; 3 Establish Session; Form fetch & prefill; View/fill]
Customer selects form to fill and views / completes a pre-filled form.
8. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer; 3 Establish Session; Form fetch & prefill; View/fill; 4 Press submit to agree to sign with OTP; Signing Page]
Customer agrees to sign form with OTP. Transfers to signing page.
9. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer; 3 Establish Session; Form fetch & prefill; View/fill; 4 Press submit to agree to sign with OTP; Signing Page; OTP/SMS Authenticator; 5 OTP releases data key to sign (PKI stored in CoSign)]
OTP is sent to registered mobile. Customer enters code into signing page.
10. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer; 3 Establish Session; Form fetch & prefill; View/fill; 4 Press submit to agree to sign with OTP; Signing Page; OTP/SMS Authenticator; 5 OTP releases data key to sign (PKI stored in CoSign); 6 Hash signed and returned; Signed form: download and print]
Document hash is signed using the customer’s certificate stored in CoSign and then embedded in the document for distribution.
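The OTP-gated signing step of slides 6 to 10, written as an added Go example (not the deck's or any vendor's code): the Appliance type and its methods are hypothetical, and ECDSA P-256 over a SHA-256 hash of the form stands in for whatever the real appliance uses. The key never leaves the appliance; a pending one-time code must match before a single signing operation is allowed, and the code is consumed so it cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Appliance (hypothetical name) holds each customer's key and uses it only with a valid OTP.
type Appliance struct {
	keys map[string]*ecdsa.PrivateKey // one unique key per customer, never exported
	otps map[string]string            // pending code per customer, consumed on use
}

func NewAppliance() *Appliance {
	return &Appliance{keys: map[string]*ecdsa.PrivateKey{}, otps: map[string]string{}}
}

// Enrol creates the customer's unique key pair; the public key is what the certificate carries.
func (a *Appliance) Enrol(customer string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[customer] = k
	return &k.PublicKey, nil
}
// IssueOTP records the code the SMS authenticator sent (the caller supplies it here).
func (a *Appliance) IssueOTP(customer, code string) { a.otps[customer] = code }
// Sign checks the OTP against the pending code, consumes it so it cannot be
// replayed, and only then signs the SHA-256 hash of the form with the customer's key.
func (a *Appliance) Sign(customer, otp string, form []byte) ([]byte, error) {
	k, ok := a.keys[customer]
	want, pending := a.otps[customer]
	if !ok || !pending || subtle.ConstantTimeCompare([]byte(want), []byte(otp)) != 1 {
		return nil, errors.New("no certificate or OTP invalid: key not released")
	}
	delete(a.otps, customer)
	h := sha256.Sum256(form)
	return ecdsa.SignASN1(rand.Reader, k, h[:])
}

// Verify lets the receiving agency check the signature embedded in the form.
func Verify(pub *ecdsa.PublicKey, form, sig []byte) bool {
	h := sha256.Sum256(form)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```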
11. [Diagram labels: Customer; Portal; IdSP; Hub; Session Manager; Customer Data; Login; Authenticate; 2 SAML2; Match customer; 3 Establish Session; Form fetch & prefill; View/fill; 4 Press submit to agree to sign with OTP; Signing Page; OTP/SMS Authenticator; 5 OTP releases data key to sign (PKI stored in CoSign); 6 Hash signed and returned; Signed form: download and print]
Note: Customer certificates in the appliance are continuously synchronised/validated together with Customer data.
12. Discussion
• The IDA does not currently support digital signatures for signing on-line forms as part of the core architecture
• Are agencies willing to move to on-line signing of forms?
• Do/will we need digital signatures to do this?
• Can this form an ROI case to encourage joining IDA?
13. Thank you
JON SHAMAH – EJ CONSULTANTS
jshamah@ejconsultants.co.uk
+44 7813-111290