ADSS RAS Service
The ADSS Remote Authorisation Signing (RAS) Service and ADSS SAM Service together provide Ascertia's high-trust solution for EN 419 241-2 Qualified Remote Signature services using Level 2 Sole Control. Together they enable the solution to meet the requirements defined in the ETSI EN 419 241-1 standard and the ETSI EN 419 241-2 Protection Profile, and thus ensure that an end-user's private signing key and Qualified Certificate can only be used under the sole control of the Signer, and only for the intended purpose. Level 2 sole control is supported as a standard feature, interacting with the user's Go>Sign Mobile App on their smart phone (or the Go>Sign Mobile SDK embedded in another App). Level 1 sole control can also be allowed, so that the same high-trust SAM Service environment can be used for non-qualified certificates.
The ADSS Remote Authorisation Signing (RAS) Service is the public-facing element for business applications and end-user mobile devices. It provides the REST API interface used to (a) register users, (b) send hash signing requests, (c) check the status of pending signing requests and (d) retrieve the PKCS#1 signed hash or hashes. It also provides the API interfaces that the Go>Sign Mobile App uses to (a) register the mobile device, (b) receive authorisation requests for signature and (c) return signed authorisation responses. RAS also communicates securely with the SAM Service to submit the user-signed authorisation requests and receive the signed hash responses.
When a business application initiates a signing transaction on behalf of a user, the signing request is received by RAS and an authorisation request message is sent to the user's Go>Sign Mobile App, which prompts them to authorise the signing transaction (alternatively, the user rejects the request, or the request times out). The user/signer uses the Go>Sign Mobile App (or a native Mobile App with the Go>Sign Mobile SDK embedded within it) to securely authorise the server-side signing action using a trusted path protocol. The Go>Sign Mobile App confirms the user's authority to sign by digitally signing the authorisation request message that was sent to it, which clearly identifies what they are being asked to sign. The authorisation message is signed using a dedicated authorisation private key held in the Secure Element/Enclave of the user's mobile device. RAS passes the signed authorisation to the SAM Service, which confirms that the message has been properly authorised by checking the signature, the device and the message details. A request may contain one or more hashes. See the SAM Service for details of its processing. The SAM responses contain the user's Qualified (or Advanced) signature on the hash data (as a PKCS#1 signed hash), which RAS returns to the calling business application or ADSS Signing Service.
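The exchange described above, as an added simulation that is not Ascertia's code and does not use the RAS, SAM or Go>Sign APIs: a stand-in mobile app signs an authorisation message that binds the transaction id, the list of hashes, a description and an expiry with a device-held authorisation key; a stand-in RAS relays it; a stand-in SAM checks device, signature, message contents and expiry before producing one PKCS#1 v1.5 signed hash per submitted hash. The RSA and EMSA-PKCS1-v1_5 code is textbook, standard-library only and at toy key sizes; every class, field and status name (`MobileApp`, `SAM`, `RAS`, `txn_id`, `expires`, `"mismatch"`, ...) is a hypothetical choice for the illustration. The two failure cases show why the authorisation message must bind the hashes themselves: a hash changed after approval is refused, and a declined or timed-out request yields no signature.

```python
"""Constructed simulation of the RAS / Go>Sign Mobile App / SAM authorisation flow. Textbook RSA
with EMSA-PKCS1-v1_5 (SHA-256), standard library only, stands in for HSM-backed keys; all names are hypothetical."""
import hashlib, hmac, json, secrets, time

def _is_probable_prime(n, rounds=16):                 # Miller-Rabin; toy key sizes only
    if n < 4 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c): return c

def rsa_keygen(bits, e=65537):                        # returns (public, private) = ((n, e), (n, d))
    p, q = _prime(bits // 2), _prime(bits // 2)
    while p == q or ((p - 1) * (q - 1)) % e == 0:
        q = _prime(bits // 2)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _emsa(digest, k):                                 # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo||H
    t = bytes.fromhex("3031300d060960864801650304020105000420") + digest   # SHA-256 DigestInfo prefix
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def pkcs1_sign(priv, digest):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(digest, k), "big"), d, n).to_bytes(k, "big")

def pkcs1_verify(pub, digest, sig):
    n, e = pub
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa(digest, k))

class MobileApp:                                      # Go>Sign Mobile App stand-in: auth key never leaves the device
    def __init__(self, device_id, bits):
        self.device_id, (self.auth_pub, self._auth_priv) = device_id, rsa_keygen(bits)
    def authorise(self, auth_request):                # the user sees txn id, hashes and description
        payload = json.dumps(auth_request, sort_keys=True)
        sig = pkcs1_sign(self._auth_priv, hashlib.sha256(payload.encode()).digest())
        return {"device_id": self.device_id, "payload": payload, "signature": sig.hex()}

class SAM:                                            # holds the user's signing key; checks signature, device, message
    def __init__(self, app, bits):
        self.device_id, self.auth_pub = app.device_id, app.auth_pub
        self.sign_pub, self._sign_priv = rsa_keygen(bits)
    def process(self, txn_id, hashes, response, now):
        if response is None:                          # user declined, or the request timed out
            return "rejected", []
        if response["device_id"] != self.device_id:
            return "wrong_device", []
        payload = response["payload"].encode()
        if not pkcs1_verify(self.auth_pub, hashlib.sha256(payload).digest(), bytes.fromhex(response["signature"])):
            return "bad_signature", []
        req = json.loads(payload)                     # parse only after the signature checks out
        if req["txn_id"] != txn_id or req["hashes"] != hashes:
            return "mismatch", []                     # the user approved something else
        if now > req["expires"]:
            return "expired", []
        return "signed", [pkcs1_sign(self._sign_priv, bytes.fromhex(h)).hex() for h in hashes]

class RAS:                                            # public front end: pending transactions, relays app <-> SAM
    def __init__(self, sam):
        self.sam, self.pending = sam, {}
    def submit(self, hashes, description, now, ttl=120):     # business app -> RAS
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = {"hashes": hashes, "status": "pending", "signatures": [], "auth_request":
            {"txn_id": txn_id, "hashes": hashes, "description": description, "expires": now + ttl}}
        return txn_id
    def complete(self, txn_id, response, now):                # app -> RAS -> SAM -> RAS
        p = self.pending[txn_id]
        p["status"], p["signatures"] = self.sam.process(txn_id, p["hashes"], response, now)
        return p["status"]

def run_flow(bits=1024):
    """Happy path, a hash substituted after approval, and a declined request."""
    app, now = MobileApp("device-A1B2", bits), time.time()   # constructed device id
    ras = RAS(SAM(app, bits))
    hashes = [hashlib.sha256(b"constructed document %d" % i).hexdigest() for i in range(2)]
    txn = ras.submit(hashes, "Sign contract.pdf (2 hashes)", now)
    status = ras.complete(txn, app.authorise(ras.pending[txn]["auth_request"]), now)
    ok = all(pkcs1_verify(ras.sam.sign_pub, bytes.fromhex(h), bytes.fromhex(s)) for h, s in zip(hashes, ras.pending[txn]["signatures"]))
    txn2 = ras.submit(hashes, "Sign contract.pdf", now)       # the approval binds the hashes ...
    resp = app.authorise(ras.pending[txn2]["auth_request"])
    ras.pending[txn2]["hashes"] = [hashlib.sha256(b"substituted").hexdigest()]
    mismatch = ras.complete(txn2, resp, now)                  # ... so SAM refuses a changed hash
    txn3 = ras.submit(hashes, "Sign contract.pdf", now)
    rejected = ras.complete(txn3, None, now)                  # no signed authorisation from the app
    return status, ok, mismatch, rejected
```

`run_flow()` returns `('signed', True, 'mismatch', 'rejected')`. The ordering inside `SAM.process` is the point to take away: the device binding and the authorisation signature are checked before the message is even parsed, and the user's signing key is touched only after the message contents match what RAS is about to sign.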
The ADSS RAS Service also offers an "RSSP for Signing Service" interface as defined by the Cloud Signature Consortium.
The main admin screen for the ADSS RAS Service is shown below. Details of the key features are described in the following sections: