ADSS RAS Service
The ADSS Remote Authorisation Signing (RAS) Service and ADSS SAM Service together provide Ascertia's high-trust solution for EN 419 241-2 Qualified Remote Signature services using Level 2 Sole Control. Together they enable the solution to meet the requirements defined in the ETSI EN 419 241-1 standard and the ETSI EN 419 241-2 Protection Profile, and thus ensure that an end-user's private signing key and Qualified Certificate can only be used under the sole control of the Signer, and only for the intended purpose. Level 2 sole control is supported as a standard feature, interacting with the user's Go>Sign Mobile App on their smartphone (or the Go>Sign Mobile SDK embedded in another App). It is possible to allow Level 1 sole control so that the same high-trust SAM Service environment can be used for non-qualified certificates.
The ADSS Remote Authorisation Signing (RAS) Service is the public-facing element for business applications and end-user mobile devices. It provides the required REST API interface to (a) register users, (b) send hash signing requests, (c) check the status of pending signing requests and (d) retrieve the PKCS#1 signed hash or hashes. It also provides the API interfaces for the Go>Sign Mobile App so that the App can (a) register the mobile device, (b) send authorisation requests for signature and (c) process signed authorisation responses. RAS also communicates securely with the SAM Service to submit the user-signed authorisation requests and receive the signed hash responses.
When a business application initiates a signing transaction on behalf of a user, the signing request is received by RAS and an authorisation request message is sent to the user's Go>Sign Mobile App, which prompts them to authorise the signing transaction (alternatively, the user rejects the request or the request times out). The user/signer uses the Go>Sign Mobile App (or a native Mobile App with the Go>Sign Mobile SDK embedded within it) to securely authorise the server-side signing action using a trusted path protocol. The Go>Sign Mobile App confirms the user's authority to sign by digitally signing the authorisation request message that was sent to it, which clearly identifies what they are being asked to sign. The authorisation message is signed using a dedicated authorisation private key held in the Secure Element/Enclave of the user's mobile device. RAS passes the signed authorisation to the SAM Service for confirmation that the message has been authorised properly, by checking the signature, the device and the message details. One or multiple hashes may be within the request. See the SAM Service for details of its processing. The SAM responses contain the user's Qualified (or Advanced) signature on the hash data (as a PKCS#1 signed hash), which RAS sends back to the calling business application or ADSS Signing Service.
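The flow above, reduced to the checks the SAM side performs on a device-signed authorisation message, as an added illustrative model (this is not Ascertia's code; the message layout, the P-256 device key and the names AuthRequest, SAM, DeviceSign and Authorise are assumptions for the example):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

// Assumed model of the RAS/SAM authorisation check, not Ascertia's code.
// AuthRequest is what RAS sends to the app: transaction id, registered device, hash(es).
type AuthRequest struct {
	TxID, DeviceID string
	Hashes         []string // hex hashes the user is asked to authorise, one or many
}

// Canonical is the exact byte string the app signs and the SAM verifies.
func (r AuthRequest) Canonical() []byte {
	return []byte(r.TxID + "|" + r.DeviceID + "|" + strings.Join(r.Hashes, ","))
}

// SAM keeps device public keys captured at registration and unconsumed requests.
type SAM struct {
	devices map[string]*ecdsa.PublicKey
	pending map[string]AuthRequest
}

func NewSAM() *SAM { return &SAM{map[string]*ecdsa.PublicKey{}, map[string]AuthRequest{}} }
func (s *SAM) RegisterDevice(id string, pub *ecdsa.PublicKey) { s.devices[id] = pub }
func (s *SAM) Issue(r AuthRequest)                              { s.pending[r.TxID] = r }

// NewDeviceKey stands in for the authorisation key held in the phone's secure element.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// DeviceSign is the app side: the dedicated key signs the authorisation message.
func DeviceSign(priv *ecdsa.PrivateKey, r AuthRequest) ([]byte, error) {
	d := sha256.Sum256(r.Canonical())
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Authorise is the SAM side: device known, message matches what RAS issued,
// signature valid; then the request is consumed so a replay is rejected.
func (s *SAM) Authorise(r AuthRequest, sig []byte) error {
	pub, ok := s.devices[r.DeviceID]
	if !ok { return errors.New("device not registered") }
	issued, ok := s.pending[r.TxID]
	if !ok { return errors.New("unknown or already consumed transaction") }
	if string(issued.Canonical()) != string(r.Canonical()) { return errors.New("message differs from issued request") }
	d := sha256.Sum256(r.Canonical())
	if !ecdsa.VerifyASN1(pub, d[:], sig) { return errors.New("authorisation signature invalid") }
	delete(s.pending, r.TxID)
	return nil
}
```

A tampered hash list, an unregistered device, or a second submission of the same authorisation each fails a distinct check, which is what the SAM's signature, device and message-detail verification is for.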
If the Go>Sign Mobile App is not being used and clients rely on an IdP for user authentication and signature authorisation, then the RAS Service also redirects users to the configured IdPs for authentication and authorisation.
The ADSS RAS Service also offers an "RSSP for Signing Service" interface as defined by the Cloud Signature Consortium (CSC). The Ascertia RAS Service supports the CSC v1 APIs according to specification version 1.0.4.0.
In a Linux environment, the RNGD service must be installed before RAS Service operations can be carried out on the ADSS Server.
The main admin screen for the ADSS RAS Service is shown below. Details of the key features are described in the following sections: