Swisscom (Schweiz) AG
Title: FAQ
ENT-BPN-PFR-IDS
Subject: All-in Signing Service
Product Management
Applies to: ENT
Date: 03.06.2019
C1 - Public
FAQ.docx

FAQ about Swisscom's All-in Signing Service

Content

1 General identification
(1) Are identifications also valid for advanced signatures for a maximum of only 5 years?
(2) Can I also identify myself at Swiss Post, Swisscom Shops etc.?
(3) Should I exactly use the identification data for the signature request?
2 PDF handling, creation of hash, embedding signed hash
(4) Are there libraries that simplify the handling of PDFs?
(5) How much space does a signature need in a document?
3 Performance
(6) How many signature requests per minute can our system currently handle?
4 Multiple Signatures
(7) Can multiple signatures be placed on a document?
(8) Can a document be provided with an organizational signature (static signature) and a personal signature (on-demand)?
(9) How is a bulk signature billed, i.e. in a signature request I send e.g. 5 documents?
(10) How many documents can be sent with a bulk (batch) signature?
(11) Can both advanced and qualified signatures be issued via a connection (ClaimedIdentity)?
5 RA app
(12) How can I test with the RA-App?
(13) Which countries does the RA-App support?
(14) Does the RA agent have to be authorized by Swisscom if it identifies persons for signatures according to EU and CH law?
(15) How is a person deleted from the RA service?
(16) Are the data of EU-authorised and CH-authorised signatories kept separate?
(17) How long does a trained RA agent need for identification?
(18) When photographing the front/rear of the ID card, the camera does not focus...
(19) The registered person did not receive the SMS or deleted it with the acceptance of the terms of use.
(20) The registered person has not received an SMS and cannot be found.
6 Authentication methods Mobile ID and SMS
(21) Is only Mobile ID or PWD/OTP possible for authentication?
(22) I was identified with PWD/OTP and now have a MobileID, can I use it to sign?
(23) Is mobile reception via SMS also guaranteed abroad?
(24) Is Mobile ID reception also guaranteed abroad?
(25) Why do we need an additional password and the SMS is not enough for a qualified signature?
(26) Is 2FA authorization also necessary for advanced signatures?
(27) Are there any costs for the Mobile ID or the SMS?
(28) What happens if I forgot my password?
(29) What happens if another person picks up a call?
(30) Can a landline phone be used instead of a mobile phone for the SMS query?
(31) Is it possible to sign without mobile phone reception?
(32) Is the MobileID via eSIM supported?
(33) What happens if I change my SIM card?
(34) How is identification linked to an authentication method?
(35) Is there an API instead of password/OTP screen integration?
(36) Is screen scraping for entering a PWD/OTP possible?
(37) Can the password/OTP screen be integrated into a website or application?
(38) Can the password/OTP screen text or MobileID text be configured?
(39) What happens if MobileID is not activated or possible on a SIM card?
(40) When is the password set for the first time?
(41) Can other authentication methods be used instead of PWD/OTP MobileID?
(42) Isn't a login to the subscriber application and an SMS authentication sufficient as a 2-factor solution?
(43) Are batch signatures possible?
(44) Are XAdES (XML) signatures possible?
(45) What is the best interpretation of error codes concerning the RA-Service?
(46) Serial Number mismatch
(47) Why didn't my signature work?
7 Validation of the signature
(48) How can I validate signatures?
(49) Why does the validator display an invalid signature?
(50) Does the "green tick" in Adobe indicate the regularity of the signature?
8 Contractual questions
(51) The configuration and acceptance declaration asks for two roles: (1) Security Officer for Data Security and Privacy (2) System Administrator. How do I choose these roles appropriately?
(52) What do I do in a company with several subsidiaries?
(53) We would like to bill partly "per signer" and partly "per signature", is that possible?
(54) If "per signer" is billed, what happens to the months in which no signatures are performed?
(55) We would like to sign both in the EU and in the CH legal area, is that possible?
(56) Swisscom uses standard PDF contracts – how can we adapt them to our needs?
(57) Does the customer need certifications for the operation of the signature application?
(58) How can I order seals as a company?
(59) Who is liable for faulty certificates?
9 Legal effect of a signature
(60) Is the signature accepted in Switzerland?
(61) Is the signature recognised in an EU country (also outside Austria)?
(62) Can Swisscom guarantee legal compliance for a contract signed with its signature?
(63) Is the qualified signature more conclusive?
(64) Can the validity of a signature still be proven after 10 years?
(65) How are changes to the legal basis handled?
(66) Can the reproduction of signed original documents be prevented?
(67) Are there reports on the Web from Swisscom customers who use the digital signature?
(68) How do time stamps affect different time zones?
(69) Adobe reports the error that the signature is invalid because it could not be validated.
(70) Which data is published in the certificate as Distinguished Name (DN) of the personal certificates?
(71) Which file formats can be signed?
10 Data protection
(72) Data protection in Switzerland and the GDPR (DSGVO)?
(73) Compliance with data protection of the All-in Signing Service
(74) Privacy and RA-App/RA-Service
(75) Why order data processing?
(76) What are the obligations of RA agencies in the context of their activities?
(77) Identification process with own data does not require order data processing?
(78) How does Swisscom keep the private keys to the signature certificates?
11 Setup
(79) What is the setup procedure for a personal signature?
(80) What requirements must the access certificate fulfill?
(81) How does the setup of a seal take place?

1 General identification

(1) Are identifications also valid for advanced signatures for a maximum of only 5 years?

Yes, after 5 years, persons identified for advanced signatures must also be newly identified. However, for advanced signatures it is sufficient if the identity card was valid at the time of identification. If it expires within the 5 years, no new identification is necessary. For qualified signatures, on the other hand, an identification is valid for as long as the ID card is valid, or for a maximum of 5 years after the identification.

(2) Can I also identify myself at Swiss Post, Swisscom Shops etc.?

In Switzerland, Swisscom is in the process of enabling identification in Swisscom shops as well. However, this will not happen before the end of 2019. Abroad, identification will only be possible via partners who offer this. In the medium term, Swisscom is looking for a connection to existing identities (e.g. online identity verification by a bank or a state eID, like the German Personalausweis or SwissID). The first projects in Germany will start in Q2.

(3) Should I exactly use the identification data for the signature request?

Yes. If the surname and given name are used, they must be exactly the same as in the ID or passport. Swisscom can also configure the service so that only a pseudonym is used instead of the surname and given name. Furthermore, the "Common Name" (CN) can be used with the names usually used for this person (independent of the ID document). In this case, the RA-Service verify call verifies the mobile number that was used during identification and the country.

2 PDF handling, creation of hash, embedding signed hash

(4) Are there libraries that simplify the handling of PDFs?

Yes, there are several libraries available on the market that allow a quick implementation of a signature application. All of them also have special support for the Swisscom service:

• Intarsys, Germany: provides various solutions for handling and integrating signatures: https://www.intarsys.de/produkte/fernsignatur
Intarsys is a premium partner of Swisscom, knows the AIS service very well from a technical point of view and can provide consulting support.

• PDF-Tools, Switzerland: 3-Heights PDF Suite. http://www.pdf-tools.com/pdf20/de/produkte/pdf-security-signature/pdf-security/

• iText, Belgium: iTextPDF. https://itextpdf.com/de/products/product-tour. Swisscom uses iText in its examples, but the examples are "out of date", i.e. some functionalities have changed. The basic handling can still be seen there: https://github.com/SCS-CBU-CED-IAM/itext-ais

• Setasign, Germany: Some customers are using SetaPDF, which also offers a special solution for the Swisscom service: https://www.setasign.com/products/setapdf-signer/demos/swisscom-all-in-signing-service/

• Blocksigner, Switzerland (Skribble.com): https://api.skribble.com/swagger-ui.html, http://doc.skribble.com/

Swisscom accepts no responsibility for the error-free operation of these libraries. They may contain errors and require special knowledge and expertise. Use is at the subscriber's own risk.

(5) How much space does a signature need in a document?

Approx. 50 kBytes.

3 Performance

(6) How many signature requests per minute can our system currently handle?

At the moment we are in the process of expanding our capacities with other algorithms (pre-generation of keys) and HW expansion. Since several customers use the service, we assume a maximum load of one request per second on average per customer. Higher performance, i.e. specially reserved capacity, is optionally possible.

4 Multiple Signatures

(7) Can multiple signatures be placed on a document?

Yes, this is the sole task of the subscriber application, which then repeatedly sends the hash with the signature request to the All-in Signing Service. Any number of signatures can be generated for the same digital document.
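The hash creation and embedding named in section 2, with the space reservation from question (5) and the repeated signing from question (7), as an added example that is not code from Swisscom or from any of the listed libraries. It works on constructed bytes that are shaped like a PDF but are not a valid one, makes no call to the signing service, and assumes SHA-256 and its own function names.

```python
import hashlib
import re

RESERVED_BYTES = 50 * 1024   # FAQ (5): approx. 50 kBytes per signature
_BR_WIDTH = 48               # fixed width, so filling in the numbers shifts no offsets
_BR_RE = re.compile(rb"/ByteRange \[(\d+) (\d+) (\d+) (\d+) *\]")

# Constructed sample bytes: shaped like a PDF revision, not a valid PDF.
HEAD = b"%PDF-1.7\n% constructed sample\n1 0 obj\n"
TAIL = b"\nendobj\n%%EOF\n"


def _sig_open(inner: bytes) -> bytes:
    return b"<< /Type /Sig /ByteRange [" + inner.ljust(_BR_WIDTH) + b"] /Contents "


def prepare_for_signing(head: bytes, tail: bytes, reserved: int = RESERVED_BYTES) -> bytes:
    """Add a signature dictionary whose /Contents is a zero-filled placeholder."""
    gap_start = len(head) + len(_sig_open(b""))
    gap_end = gap_start + 2 * reserved + 2        # hex digits plus '<' and '>'
    close = b" >>"
    total = gap_end + len(close) + len(tail)
    inner = b"%d %d %d %d" % (0, gap_start, gap_end, total - gap_end)
    if len(inner) > _BR_WIDTH:
        raise ValueError("file too large for the fixed-width /ByteRange field")
    return head + _sig_open(inner) + b"<" + b"0" * (2 * reserved) + b">" + close + tail


def byte_ranges(pdf: bytes) -> list:
    """All /ByteRange entries in file order; the last one is the newest signature."""
    return [tuple(int(n) for n in m.groups()) for m in _BR_RE.finditer(pdf)]


def digest_for(pdf: bytes, byte_range: tuple) -> bytes:
    """Hash everything the signature covers: the file minus its /Contents value."""
    a, b, c, d = byte_range
    h = hashlib.sha256()                          # assumed algorithm
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.digest()


def embed_signature(pdf: bytes, signature: bytes) -> bytes:
    """Write the returned signature, hex-encoded, into the newest placeholder."""
    a, b, c, _ = byte_ranges(pdf)[-1]
    gap_start, gap_end = a + b, c
    if pdf[gap_start:gap_start + 1] != b"<" or pdf[gap_end - 1:gap_end] != b">":
        raise ValueError("/ByteRange does not point at a /Contents placeholder")
    capacity = (gap_end - gap_start - 2) // 2
    if len(signature) > capacity:
        # Too little reserved space cannot be fixed afterwards: growing the
        # placeholder moves bytes and changes the digest that was signed.
        raise ValueError(f"signature is {len(signature)} bytes, reserved {capacity}")
    hex_sig = signature.hex().encode("ascii").ljust(2 * capacity, b"0")
    return pdf[:gap_start] + b"<" + hex_sig + b">" + pdf[gap_end:]


def demo() -> dict:
    stand_in = b"\x30\x82" + b"\xab" * 3000       # constructed, not a real signature
    rev1 = prepare_for_signing(HEAD, TAIL)
    to_sign_1 = digest_for(rev1, byte_ranges(rev1)[-1])   # goes into the signature request
    signed1 = embed_signature(rev1, stand_in)
    # Second signature (question 7): append a new revision, never rewrite the old one.
    rev2 = prepare_for_signing(signed1 + b"\n2 0 obj\n", TAIL)
    signed2 = embed_signature(rev2, stand_in)
    first, second = byte_ranges(signed2)
    return {
        "first_still_intact": digest_for(signed2, first) == to_sign_1,
        "second_covers_first": second[1] > first[2],
        "size_growth_per_signature": len(signed2) - len(signed1),
    }


if __name__ == "__main__":
    print(demo())
```

Each signature costs a little over twice the reserved size in the file, because the value is stored hex-encoded.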

(8) Can a document be provided with an organizational signature (static signature) and a personal signature (on-demand)?

Yes, but this requires 2 communication channels and setups, i.e. the signature must first be authenticated by the person signing via one channel (on demand) and then organizationally signed (with a previously created static certificate) by an SSL authentication certificate via a second channel.

(9) How is a bulk signature billed, i.e. in a signature request I send e.g. 5 documents?

Each signature is billed individually, i.e. in this example 5 signatures are billed.

(10) How many documents can be sent with a bulk (batch) signature?

It is limited to 250, for security reasons rather than because of the capacity of the service.

(11) Can both advanced and qualified signatures be issued via a connection (ClaimedIdentity)?

Yes, this is possible and is handled with an appropriate call in the interface.

5 RA app

(12) How can I test with the RA-App?

There is a test and demo mode that allows you to try out the app, but no data is transmitted. For this purpose, the mobile phone number +41001234567 must be entered in the registration form and the company name "demo".

(13) Which countries does the RA-App support?

Please find a table with all accepted ID documents and passports:

Country Passport ID
Afghanistan ✓
Albania ✓
Algeria ✓
Andorra ✓
Angola ✓
Argentina ✓
Armenia ✓
Australia ✓
Austria ✓ ✓
Bangladesh ✓
Belgium ✓ ✓
Benin ✓
Bosnia & Herzegovina
Botswana ✓
Brazil ✓
Bulgaria ✓ ✓
Cameroon ✓ ✓
Canada ✓
Chile ✓
China ✓
Colombia ✓
Congo ✓ ✓
Costa Rica ✓
Croatia ✓ ✓
Cuba ✓
Czech Republic ✓ ✓
Denmark ✓
Dominican Republic
Ecuador ✓
Egypt ✓
Eritrea ✓
Estonia ✓ ✓
Ethiopia ✓
Finland ✓ ✓
France (France) ✓ ✓
Georgia ✓
Germany (German) ✓ ✓
Ghana ✓
Great Britain
Greece ✓ ✓
Haiti ✓
Hungary ✓ ✓
Iceland ✓
India ✓
Iran ✓
Iraq ✓
Ireland ✓
Israel ✓
Italy ✓ ✓
Ivory Coast ✓
Jamaica ✓
Japan ✓
Jordan ✓
Kazakhstan ✓
Kosovo ✓ ✓
Laos ✓
Latvia ✓ ✓
Lebanon ✓
Liechtenstein ✓ ✓
Lithuania ✓ ✓
Luxembourg ✓ ✓
Macedonia ✓
Malaysia ✓
Mexico ✓
Montenegro
Morocco ✓
Mozambique
Namibia ✓
Netherlands ✓ ✓
New Zealand ✓ ✓
Nigeria ✓
Norway ✓
Pakistan ✓
Peru ✓
Philippines ✓
Poland ✓ ✓
Portugal ✓ ✓
Qatar ✓
Romania ✓ ✓
Russia ✓
Senegal ✓
Serbia ✓
Singapore ✓
Slovakia ✓ ✓
Slovenia ✓ ✓
Somalia ✓
South Africa ✓
South Korea ✓
Spain ✓ ✓
Sweden ✓ ✓
Switzerland ✓ ✓
Syria ✓ ✓
Thailand ✓ ✓
Togo ✓
Tunisia ✓ ✓
Turkey ✓
Uganda ✓
Ukraine ✓
Uruguay ✓
USA ✓
Venezuela ✓
Vietnam ✓
Vltava ✓

(14) Does the RA agent have to be authorized by Swisscom if it identifies persons for signatures according to EU and CH law?

This happens indirectly. In practice, the procedure is as follows: The RA agency first appoints an RA master agent. This agent is identified by Swisscom or a Swisscom partner and undergoes training. He then receives a user interface with which he can turn other persons identified by him alone into RA agents or RA master agents. However, they must also undergo training.

(15) How is a person deleted from the RA service?

In principle, Swisscom must retain the data for a very long time (11 years in Switzerland or 35 years in the EU). But persons can be deactivated by the RA master agent or by Swisscom so that they can no longer sign.

(16) Are the data of EU-authorised and CH-authorised signatories kept separate?

Yes, a distinction is made between whether the signatories have agreed to the terms of use of Switzerland or the EU or both. All data is also processed by Swisscom (Schweiz) AG for Swisscom IT Services Finance S.E. in Vienna.

(17) How long does a trained RA agent need for identification?

On average, an identification is completed within 2 minutes.

(18) When photographing the front/rear of the ID card, the camera does not focus...

Hold the camera up so that the entire ID document is captured by the cut-out (still blurred if necessary). Move the camera slowly closer to the ID document and it will start to focus again.

(19) The registered person did not receive the SMS with the acceptance of the terms of use, or deleted it.

Notify your RA master agent and ask him to search the portal for the mobile number. You can resend the SMS with the terms of use by clicking on the link with the PDF symbol:

(20) The registered person has not received an SMS and cannot be found.

Make sure that you have not registered the person in the RA-App demo mode (mobile number +41001234567, company "demo").

6 Authentication methods Mobile ID and SMS

(21) Is only Mobile ID or PWD/OTP possible for authentication?

In Switzerland we switch Mobile ID to PWD/OTP fallback mode by default if the SIM card is not enabled for Mobile ID. In the eIDAS area we only allow PWD/OTP as standard.

From approx. Q1 2020 we will offer an authentication app based on the Mobile ID interface, which also offers authentication with fingerprint or face recognition. This app only requires an Internet connection during authentication and can therefore be used internationally. However, an international SIM card (mobile phone number) is still required for the setup of the app. See http://documents.swisscom.com/product/filestore/lib/0027a527-304d-44a3-b467-9e655ee7025e/mobileidapp-en.mov .

In general, other authentication methods are also possible, but these must be approved by KPMG. The partner would have to do this and show his method within the framework of an implementation concept.

(22) I was identified with PWD/OTP and now have a MobileID, can I use it to sign?

Unfortunately not. You have a new means of authentication which was not initially recorded with the identification, i.e. you must be newly identified using the MobileID.

(23) Is mobile reception via SMS also guaranteed abroad?

There is no guarantee, but it should work nearly everywhere. For a closer look, see this overview: https://www.swisscom.ch/en/residential/mobile/tariffs-roaming-abroad/query-tariffs.html

It is expected that in Q4/2019 Swisscom will extend authentication with additional methods (Authentication App). Swisscom cannot give any guarantee that authentication is possible abroad, because this depends on the external provider abroad.

(24) Is Mobile ID reception also guaranteed abroad?

Mobile ID can also be received abroad, wherever an SMS can be received. There is a special protocol in the telecommunications standard. But since several parties are involved in this process, Swisscom can never guarantee this service.

(25) Why do we need an additional password and the SMS is not enough for a qualified signature?

A 2-factor authentication is necessary for the qualified signature: "possession" and "knowledge", i.e. possession alone (SMS) is not sufficient.

(26) Is 2FA authorization also necessary for advanced signatures?

No, OTP is sufficient for advanced signatures.

(27) Are there any costs for the Mobile ID or the SMS?

Swisscom does not charge any costs for sending Mobile ID or SMS. Depending on the roaming partner's tariff, costs may be incurred for roaming (which happens very rarely, e.g. on cruises).

(28) What happens if I forgot my password?

The loss of the password leads to a new digital identity. The application providers can react to this and, if necessary, demand a new identification of the signer, e.g. with the RA-App.

(29) What happens if another person picks up a call?

Since both methods require a secret as well as the possession of the telephone number, no signature for the previously existing digital identity can be triggered once the telephone number has been transferred. This means that the person must be newly identified.

(30) Can a landline phone be used instead of a mobile phone for the SMS query?

Since a fixed line number cannot practically be assigned to a single person, this is not possible. The SMS is intended to ensure that something is contacted that is solely and without exception assigned to the person signing the document.

(31) Is it possible to sign without mobile phone reception?

Modern devices are equipped with Wi-Fi calling. These can also be used to sign in a Wi-Fi zone. Without the Internet, however, remote signatures are not possible.

(32) Is the MobileID via eSIM supported?

In most cases yes.

(33) What happens if I change my SIM card?

In the case of a MobileID, you can use a recovery code to transfer the MobileID to the new SIM. In the case

of PWD/OTP and the same phone number, your authentication option also remains.

(34) How is identification linked to an authentication method?

During identification, the means of authentication (e.g. specifically the mobile phone number) is queried. With this, a first signature is already executed, typically the signature of the terms of use that have been accepted. This signature is transferred to the All-in Signing Service. This means that the All-in Signing System knows the exact means of authentication.

(35) Is there an API instead of password/OTP screen integration?

No. Swisscom even requires that, when the PWD/OTP screen is integrated as an "iFrame", an external person can check that it originates from Swisscom. For example, the standard browser functions that Swisscom publishes under its website link in accordance with Chapter 4 of the Terms of Use can be used for this.

(36) Is screen scraping for entering a PWD/OTP possible?

There is no support for screen scraping as an interface. Developers could be confronted with the fact that the screens will be changed. It also contradicts the implementation of "sole control" between the signer and the signing certificate.

(37) Can the password/OTP screen be integrated into a website or application?

Yes, but only as an iFrame; instructions can be found here: https://rasp.scapp.swisscom.com/swagger-ui.html .

(38) Can the password/OTP screen text or MobileID text be configured?

Yes. As described in the Reference Guide (www.swisscom.com/signing-service) under "Step-Up method", the "Message" field configures the text block with the heading of the message for the expression of intent, and "Language" configures the language setting, both within the framework of the protocol. For the SMS input window the language can also be set with the "Language" parameter.

(39) What happens if MobileID is not activated or possible on a SIM card?

MobileID is always configured in combination with a PWD/OTP fallback solution, i.e. a password window is automatically sent. You can activate your MobileID on the platform https://mobileid.ch .

(40) When is the password set for the first time?

In the standard case, after identification, the customer first receives the terms of use for Swisscom's signature service. The customer confirms this and thereby triggers an initial signature of these conditions, in the context of which he can also define the password for the first time.

(41) Can other authentication methods be used instead of PWD/OTP MobileID?

By default, Swisscom currently only offers these methods. However, the extension will be worked out in the future, so that biometric methods may also be possible if approval has been granted. In addition, Swisscom will optionally accompany the customer if it wishes to use an audited solution to permit an additional signature at the recognition authority. Additional costs will be incurred.

(42) Isn't a login to the subscriber application and an SMS authentication sufficient as a 2-factor solution?

The basis of 2-factor authentication is the fact that both factors must be recorded in connection with authentication, i.e. a password that is known only to the subscriber application may not be used when the subscriber himself has been identified with the RA-App. Such an exception could only be imagined if the participant himself carries out an authorized identification by RA delegation and furthermore designs the authentication procedure in such a way that both factors (login, SMS release) are carried out in a short session. Both the own identification procedure and this session procedure must be described in detail in an implementation concept and require a release by Swisscom and its auditors. Additional costs are incurred here.

(43) Are batch signatures possible?

Yes, several documents can be signed with one approval within a session.

(44) Are XAdES (XML) signatures possible?

XML signatures according to the XAdES standard can be created based on seals but not on personal signatures (at the moment). The XAdES format has to be prepared in the client: the call of a "plain signature" must be implemented.

(45) What is the best interpretation of error codes concerning the RA-Service?

(46) Serial Number mismatch

What does the error message "Serial Number Mismatch. We strongly advise to go through the Pre-Signing Process in order to retrieve the actual StepUp SerialNumber" mean? This error message indicates that in a PWD/OTP process the password was reset and re-selected without performing a new identification with the corresponding step-up process according to the Reference Guide.

(47) Why didn't my signature work?

I authenticated correctly with PWD/OTP or MobileID - but the signature didn't work ... what could be the reason?

Causes are:

• You have set a new password for the PWD/OTP procedure. This may only be carried out in exceptional situations at an internal registration authority and must otherwise always take place as part of a new identification.

• You had previously authenticated with PWD/OTP and you have now activated your MobileID with a Swiss mobile phone number. In this case, a new identification must also take place because the means of authentication belonging to the identity has changed.

• You have changed the SIM or the mobile phone provider. As a result, the MobileID authentication has changed when using a MobileID. A new identification is also necessary for this.

• If none of these causes are present, you should open a ticket.

7 Validation of the signature

(48) How can I validate signatures?

For signatures in the Swiss legal area: www.validator.ch (Attention, the validator is not always up to date).

For signatures in the EU legal area: https://www.signatur.rtr.at/de/vd/Pruefung.html

(49) Why does the validator display an invalid signature?

Often the messages refer to missing integrity, i.e. the document shows changes made after it was signed. For example, elements from the network were downloaded and inserted later. This can be avoided by consistently using the latest version of the PDF/A standard for the signature.

(50) Does the "green tick" in Adobe indicate the regularity of the signature?

Adobe is a U.S. American supplier of software that can display PDF documents. The most prominent and widespread product is the so-called "Adobe Acrobat Reader". This enables the verification of certificate-based signatures. Whether a signature is valid and thus displayed with a green tick depends on many aspects:

• Adobe has its own set of rules, which classifies issuing CAs from trust providers or certification service providers as "trustworthy". These are listed in a so-called Adobe Trust List (AATL). Even if not included in the service description, Swisscom always endeavours to be listed here. In addition, the listed companies must pay annual fees for this entry and file their self-assessment. According to Adobe, eIDAS trust service providers are considered trustworthy if they have also concluded a contract with Adobe.

• Adobe offers a variety of settings that can lead to a completely different validation: For example, instead of Adobe's trust list, Microsoft Windows' trust list can also be used, which usually only maintains trust service providers that also issue SSL or e-mail certificates. However, the check can also be based on a time given by the computer clock and not on the time stamp in the document.

This means that you cannot rely on the validity of a signature in Adobe, but you get information about whether changes have been made to the document since the signature was set and what the signature certificate looks like.

8 Contractual questions

(51) The configuration and acceptance declaration asks for two roles: (1) Security Officer for Data Security and Privacy (2) System Administrator. How do I choose these roles appropriately?

Both should be IT people who are familiar with the application. It does not have to be a person with the official role "Privacy Deputy". Swisscom simply wants to retain the 4-eyes principle here. The purpose of the roles is to be able to provide information about the administration of the user application (who has access, what could an administrator manipulate, where might there be a hitch, SSL connection to Swisscom) and, from the person responsible for security, about topics such as virus protection, access control in general, etc.

(52) What do I do in a company with several subsidiaries?

On the one hand, an internal company can become a Swisscom reselling partner for other companies. In this case, the payment flow goes directly only through this individual company. One company can also assume complete responsibility for the operation of the subscriber application. Even then, invoices will only go through this company. It can then identify employees of the other companies.

If all companies want to operate the subscriber application independently (with their own liability and responsibility) and also want to provide RA agents themselves, a separate contract is required for each company.

(53) We would like to bill partly "per signer" and partly "per signature", is that possible?

Here two user accounts (ClaimedIdentity) must be opened, each account is connected with a billing method. This means that the subscriber application must decide for itself which account it will use to send a signature request. There is a service fee per account, but the transaction fee per signature is reduced by 30%. 2 invoices are issued at the end of the month.

(54) If "per signer" is billed, what happens to the months in which no signatures are performed?

There are no costs for these months.

(55) We would like to sign both in the EU and in the CH legal area, is that possible?

Two user accounts (ClaimedIdentity) must be opened, each account is related to the respective signature type, i.e. the participant application must decide which account it uses to send a signature request. Both accounts can be addressed via one interface, i.e. the same endpoint. There is a service fee per account, but the transaction fee per signature is reduced by 30%. 2 invoices are issued at the end of the month. Therefore 2 service contracts with 2 different configuration and acceptance declarations must be submitted. If you have 2 legal areas and 2 billing types, you still have only one (technical) interface, but 4 service access interface points and therefore 4 times the service fee.

(56) Swisscom uses standard PDF contracts – how can we adapt them to our needs?

Every year, Swisscom invests large sums in ongoing audits. However, to be able to place the offer of a trust service provider on the market at a reasonable price, this service is offered in a standardised form. That means in particular:

• The customer must adhere to the standard ordering process with the standard contract documents released by the auditors.

• Further assessments by participants and the examination and acceptance of own contract texts are not included in the offer.

Many aspects of the trust service provider are subject not only to conditions in the execution of the service but also in the specification of important obligations, liability regulations and cooperation services in the contract documents. Therefore, these contract documents are also subject to auditing or are also submitted to the state conformity assessment bodies. Therefore, no changes to the legal system can be accepted, nor can contractual enclosures of the participant be accepted, especially if they are subject to foreign, applicable law.

If it is nevertheless necessary to adapt contractual texts, add contractual regulations (e.g. your own Code of Conduct, Data Protection Declaration, NDA, etc.), process special assessment questionnaires or if you have even discovered errors or unclear formulations, please report these to our product management.

If any errors or ambiguities are apparent, a corresponding change process is initiated by product management and implemented as quickly as possible.

For the evaluation of other questions, a processing team is formed that draws on the relevant experts (e.g. legal department, security officer, compliance officer, etc.) and carries out an evaluation of the request. A project specific fee of CHF 6,000 is due for this. If the team of experts was not able to work out a solution directly, it will prepare an answer and an offer, which will present and assess further steps on the part of Swisscom.

(57) Does the customer need certifications for the operation of the signature application?

No. For the operation of the signature application alone, no certification and no audit is required. Within the scope of a "configuration and acceptance declaration", the customer makes a self-declaration to operate the signature application properly, i.e. not to exchange the hash of a document and to actually display the document to be signed to the customer (WYSIWYS = "What you see is what you sign"). Data traffic between the signature application and Swisscom should be encrypted and basic protection against viruses and attacks should be guaranteed as with any other system. An official audit with certification can only be necessary if the system has its own identification, especially in relation to its own authentication method. In Switzerland, identification with Swisscom authentication methods can be dealt with in a simplified manner by means of a suitable "implementation concept" submitted by the customer and approved by Swisscom; in the EU, an official audit is generally necessary. As a rule, an authentication method must always be certified, as this should ensure sole control over the signing certificate (called "sole control" in the ETSI context).

(58) How can I order seals as a company?

In principle, the company must appoint representatives. These representatives should either be the registered representatives according to the commercial or business register, or employees with appropriate powers of attorney signed by the registered representatives. In any case, the persons must be personally identified with our RA-App. In Switzerland, only companies registered in the UID Register can order seals. With the seal, the SSL access certificate between the signature application at the customer and Swisscom serves as authentication of the company. The access certificate must therefore be handed over by the representative of the organisation. With the advanced seal, simple delivery is sufficient; with the qualified seal, a joint handover ceremony takes place at which the access certificate is jointly generated. The private key must be stored on a cryptodevice (FIPS 140-2 level 2 minimum).

(59) Who is liable for faulty certificates?

In principle, Swisscom has unlimited liability under the law for the incorrect issue of qualified certificates. In the case of advanced certificates, this liability can be limited. Swisscom also has compulsory insurance for this purpose. In the event of errors in the signature application (e.g. the exchange of a hash of a document) or errors in identification by third party registries, Swisscom in turn will hold these third parties liable. In order to avoid the risks of liability, high demands are placed on the issuance and contract process and the possibility of auditing the third parties involved is generally required.

9 Legal effect of a signature

(60) Is the signature accepted in Switzerland?

Swiss legislation, i.e. the Swiss Federal Electronic Signature Act (ZertES/SCSE), sets out the requirements organizations have to fulfill in order to be recognized as a certification service. The accredited body for the accreditation of Swisscom as a certification service in Switzerland is KPMG (Accreditation No. SCESm 0071). It issues a conformity assessment certificate (available at www.swisscom.com/signing-service). The Swiss Accreditation Service SAS maintains a list of accredited certification services:

https://www.sas.admin.ch/sas/en/home/akkreditiertestellen/akkrstellensuchesas/pki.html

(61) Is the signature recognised in an EU country (also outside Austria)?

With the entry into force of the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market of the European Union (eIDAS), the basis has been created for legally valid electronic communication and secure electronic identification throughout Europe. With the help of trust services such as electronic signatures, seals, time stamps, delivery services and certificates for authentication, companies, administrations and private individuals can exchange digital documents such as offers, orders, contracts etc. within the European Union on a uniform legal basis. Thus, the new EU regulation replaces the national signature law and signature regulations.

Under this Regulation (EC) No 910/2014/EU (eIDAS Regulation), national Trusted Lists have a constitutive effect. In other words, a trust service provider and the trust services it provides will be qualified only if it appears in the Trusted Lists. Consequently, the users (citizens, businesses or public administrations) will benefit from the legal effect associated with a given qualified trust service only if the latter is listed (as qualified) in the Trusted Lists.

Swisscom's subsidiary in Austria, "Swisscom IT Services Finance S.E.", Vienna, has been included in this Trusted List with qualified certificates and seals:

https://webgate.ec.europa.eu/tl-browser/#/tl/AT

Swisscom IT Services Finance S.E. has mandated Swisscom (Switzerland) Ltd to operate the trust service and has also delegated the registry authority activities to Swisscom (Switzerland) Ltd. Swisscom (Switzerland) Ltd. thus offers the service to the market and also accepts contractual documents on behalf of Swisscom IT Services Finance S.E.

(62) Can Swisscom guarantee legal compliance for a contract signed with its signature?

Swisscom can only confirm that it can issue qualified signatures in both legal systems in accordance with the eIDAS Regulation of the EU and the ZertES Act of Switzerland. The qualified Swiss signatures are only recognised as qualified in Switzerland and the eIDAS qualified signatures in the EU.

Whether the qualified signature is compliant for any contract must always be verified by a lawyer. Swisscom may not provide any legal information in this regard. This is not only related to the signature, but also to other points that may be agreed in contracts. For example, the requirement for "return by registered mail" may mean that an electronic signature cannot be executed at all, as a postal paper route is mandatory.

(63) Is the qualified signature more conclusive?

In both the EU and Switzerland legal systems, the reversal of the burden of proof (and in Germany also prima facie evidence compared to visual evidence) applies in principle to qualified signatures. This means that an opposing party must prove that the qualified signature was not properly executed if it is contested. And, of course, Swisscom can provide KPMG-certified verifications to prove that the qualified signature has been duly executed.

(64) Can the validity of a signature still be proven after 10 years?

The retention periods for identity verification and the activity journal and thus also the periods of proof are 11 years in Switzerland and 35 years in the EU. Swisscom generally uses the long-term validation standard of ETSI (LTV).

Long term validation means validating a signature in such a way that it remains valid for a long time. The LTV validation only allows validation as long as the root certificate for the timestamp has not expired. It is therefore advisable to time stamp the documents again before expiration if long-term evidence is to be preserved, so that the integrity and meaningfulness of the signature evidence continues to be ensured.

In principle, PDF documents should also be managed in secure archives. A situation can arise in 5, 10 or 20 years in which the signature algorithms are "cracked", i.e. the integrity or authenticity could no longer be guaranteed. Good archiving systems therefore provide for regular re-signing, e.g. with a time stamp, which always uses the latest algorithm and thus ensures the integrity of the document.

The web offers different links with optimized procedures for this, e.g. "Archisig". The German BSI has also published a technical guideline "Preservation of the evidential value of cryptographically signed documents". It is the specification of technical security requirements for the long-term preservation of the evidential value of cryptographically signed electronic documents and data together with the associated electronic administrative data (metadata).

A middleware defined for these purposes (TR-ESOR middleware) in the sense of this guideline comprises all those modules and interfaces which are used to secure and maintain the authenticity and to prove the integrity of the stored documents and data.
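
The renewal advice in the answer to (64), time stamping again before the previous time stamp's root certificate expires and with the latest algorithm, can be modelled as a chain of tokens. The sketch below is an added example, not Swisscom or TR-ESOR code: the TSA names, keys, years and the HMAC that stands in for a TSA's certificate-based signature are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tsa:
    """Constructed stand-in for one generation of a time-stamping authority."""
    name: str
    key: bytes        # assumption: an HMAC key replaces the TSA's signing certificate
    hash_alg: str     # digest algorithm this generation applies
    valid_until: int  # year in which its root certificate expires


@dataclass(frozen=True)
class Token:
    """Simplified time stamp token (a real one is an RFC 3161 structure)."""
    tsa: str
    hash_alg: str
    digest: str
    year: int
    mac: str


def _digest(alg: str, document: bytes, previous: Optional[Token]) -> str:
    # A renewal re-hashes the document with the newer algorithm and also
    # covers the previous token, so the older evidence stays bound to it.
    h = hashlib.new(alg)
    h.update(document)
    if previous is not None:
        h.update(json.dumps(asdict(previous), sort_keys=True).encode())
    return h.hexdigest()


def _mac(tsa: Tsa, digest: str, year: int) -> str:
    msg = f"{tsa.name}|{tsa.hash_alg}|{digest}|{year}".encode()
    return hmac.new(tsa.key, msg, hashlib.sha256).hexdigest()


def stamp(tsa: Tsa, document: bytes, year: int, chain: List[Token]) -> List[Token]:
    """Return a new chain with one more time stamp appended."""
    digest = _digest(tsa.hash_alg, document, chain[-1] if chain else None)
    return chain + [Token(tsa.name, tsa.hash_alg, digest, year, _mac(tsa, digest, year))]


def verify(document: bytes, chain: List[Token], tsas: Dict[str, Tsa],
           now: int) -> Tuple[bool, str]:
    """Walk the chain oldest to newest and report the first broken link."""
    if not chain:
        return False, "no time stamp"
    previous: Optional[Token] = None
    for i, tok in enumerate(chain):
        tsa = tsas.get(tok.tsa)
        if tsa is None or tok.hash_alg != tsa.hash_alg:
            return False, f"token {i}: unknown TSA or algorithm"
        if tok.digest != _digest(tok.hash_alg, document, previous):
            return False, f"token {i}: digest mismatch"
        if not hmac.compare_digest(tok.mac, _mac(tsa, tok.digest, tok.year)):
            return False, f"token {i}: bad TSA signature"
        if tok.year > tsa.valid_until:
            return False, f"token {i}: issued after its TSA expired"
        if previous is not None:
            if tok.year < previous.year:
                return False, f"token {i}: older than token {i - 1}"
            if tok.year > tsas[previous.tsa].valid_until:
                return False, f"token {i}: renewal came after token {i - 1} expired"
        previous = tok
    if now > tsas[chain[-1].tsa].valid_until:
        return False, "latest time stamp expired"
    return True, "ok"


# Constructed sample data: two TSA generations and a placeholder document.
TSAS = {
    "tsa-a": Tsa("tsa-a", b"constructed-key-a", "sha256", 2029),
    "tsa-b": Tsa("tsa-b", b"constructed-key-b", "sha512", 2040),
}
DOC = b"%PDF-1.7 constructed sample contract"


def demo() -> Dict[str, Tuple[bool, str]]:
    chain = stamp(TSAS["tsa-a"], DOC, 2019, [])
    renewed = stamp(TSAS["tsa-b"], DOC, 2028, chain)  # renewed in time
    late = stamp(TSAS["tsa-b"], DOC, 2030, chain)     # renewed too late
    return {
        "2025, single stamp": verify(DOC, chain, TSAS, 2025),
        "2031, never renewed": verify(DOC, chain, TSAS, 2031),
        "2031, renewed 2028": verify(DOC, renewed, TSAS, 2031),
        "2031, renewed 2030": verify(DOC, late, TSAS, 2031),
        "2031, document altered": verify(DOC + b" ", renewed, TSAS, 2031),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

A renewal made after the earlier time stamp has expired cannot repair the chain, which is why the archive has to schedule re-stamping ahead of each expiry.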

(65) How are changes to the legal basis handled?

Experience has shown that transition periods can last from 3 months to 2 years.

(66) Can the reproduction of signed original documents be prevented?

No.

(67) Are there reports on the Web from Swisscom customers who use the digital signature?

Yes, e.g.:

https://www.seantis.ch/blog/digitale-signatur-onegov-cloud/

https://www.bcge.ch/pdf/conditions-self-en.pdf

https://www.inside-it.ch/articles/49769

(68) How do time stamps affect different time zones?

In principle, a time stamp also stores the zone (the offset). In this respect, all local programs will display the actual local time.

(69) Adobe reports the error that the signature is invalid because it could not be validated.

"Signature is valid but the signer's identity validity could not be verified" is Adobe's statement if no LTV format was used. The background is that Adobe then tries to check the validity of a 10 minute certificate. If no long-term validation format was used, which stores the validity information at the time of the signature, this information can no longer be accessed after some time. Therefore, signatures with short-term certificates (but also signatures with long-term proof) must always be saved in LTV format.

(70) Which data is published in the certificate as Distinguished Name (DN) of the personal certificates?

The Distinguished Name contains either the person's first name, surname and country of birth/registration or home country, or a pseudonym with a serial number that can be uniquely traced back to a person by the registry. Organisation names are only permitted in special cases.

(71) Which file formats can be signed?

In principle, Swisscom provides a signed hash and thus supports PAdES (PDF) formats and, in the case of organisation certificates, XAdES (XML) formats. Word files are not signed and are not intended for this purpose by law.

10 Data protection

(72) Data protection in Switzerland and the GDPR?

Switzerland is not in the EU and has therefore not introduced the EU legislation known as the General Data Protection Regulation (GDPR). In reality, the GDPR is also applicable if the companies are based in Switzerland and offer services in the EU.

Swisscom is therefore subject to the same data handling obligations as all other organizations that have to comply with the GDPR:

• obtain the consent of the person whose data are processed

• guarantee "Privacy by design" and "Privacy by default"

• appoint a data protection representative

• create a list of processing activities

• report violations of data protection to the supervisory authority

• conduct a privacy impact assessment

All applications which concern data protection and are used for data processing, e.g. also the RA-App, must be GDPR compliant. Swisscom provides information on this on its pages:

Switzerland: www.swisscom.com/signing-service

Austria: www.swisscom.at

with corresponding data protection declarations according to GDPR.

Switzerland has always been and is considered as a secure third country pursuant to Art. 45 GDPR (data transfer based on an adequacy decision), i.e. the usual authorisations as with other third countries (e.g. the U.S.) are not necessary. Thanks to its Data Protection Act and the ongoing adaptation to the GDPR, Switzerland has an "adequate level of protection for the transfer of personal data" in accordance with EU criteria, i.e. it must in fact be treated as an EU country when transferring data:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

(73) Compliance with data protection of the All-in Signing Service

As part of its ongoing audits, Swisscom must ensure that all the strict data protection requirements necessary for the issue of digital signatures are complied with, both vis-à-vis the certification authority in Switzerland and vis-à-vis the conformity assessment body in Austria. This means that, in addition to self-declaration, trust service providers and certification services are obliged by legislation and the international standards applied, such as ETSI 319 401, to demonstrate and have audited appropriate data protection for all personal data.

(74) Privacy and RA-App/RA-Service

The data protection requirements to be demonstrated and audited also apply to the registration authority activities - a task of a trust service provider and certification service provider. Thus the RA app as part of the registration process must ensure data protection and privacy. The RA-App itself does not store any personal data permanently. No data can be exported either. As soon as the identification has been completed, the data is transferred signed by the RA agent as so-called evidence. This evidence is stored at Swisscom's RA service under strict security conditions (e.g. 4-eye access). Only a few people have access to this data; they may only pass it on based on a court order or check the quality of the identification. According to the law, Swisscom has unlimited liability for the proper execution of the signature and thus also the identification.

RA Master Agents have web access to a portal in which they can view all persons identified by RA Agents with their surname, first name, expiry date of the ID document and mobile phone number. The ID documents and photos (so-called "evidence") are not accessible or exportable.

(75) Why order data processing?

Swisscom is legally obliged to record personal data for the signature. It is therefore responsible for this data. This means that Swisscom cannot play the role of a data processor, even if it receives e.g. employee data from a customer company for the signature. Swisscom has a legal mandate like that of telecoms or postal service providers. Furthermore, Swisscom has a legal contractual relationship with the signatories through the terms of use. In this agreement, the signatory also accepts the use of data.

With the RA app, Swisscom transfers the recording of identity data to an external service provider, which is referred to in the contracts as the "RA agency". The GDPR requires in this case an order processing contract. The RA agency must therefore comply with the obligations for order data processing.

Compliance with the GDPR order data processing is also required in purely Swiss projects. There are two reasons for this:

• On the one hand, it can rarely be guaranteed that persons identified in Switzerland are not EU citizens who are subject to the market principle of the GDPR,

• On the other hand, the RA app cannot be used in such a way that only persons for Switzerland are identified, i.e. order data processing always takes place for Swisscom IT Services Finance S.E. in Vienna as well.

(76) What are the obligations of RA agencies in the context of their activities?

RA agencies act on behalf of the Swisscom registration office. In addition to the duties of careful execution

of the registry's activities, data protection is also a priority. The data protection principles from Art. 28

DSGVO apply, which are reflected in precise form in the technical-organisational measures (TOM) in the RA

Page 20: FAQ about Swisscom's All-in Signing Service€¦ · ENT-BPN-PFR-IDS Thema: All-in Signing Service Product Management Gilt für: ENT Datum: 03.06.2019 C1 - Public x (5) How much space

Swisscom (Schweiz) AG Titel: FAQ 20/

22 ENT-BPN-PFR-IDS Thema: All-in Signing Service

Product Management Gilt für: ENT

Datum: 03.06.2019

C1 - Public

FAQ

.do

cx

Agency contract. They are based on 2 sections of Art. 28, which reflect the use of the app on the mobile

device:

• The measure must "ensure the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing on a long-term basis" and

• Include a procedure for regular review, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.

• The controller and the processor shall take steps to ensure that natural persons under their authority who have access to personal data process them only on instructions from the controller, unless they are required to do so by Union or national law.

This means that in addition to the use of carefully selected and trained employees, the protection of the app on the mobile device and also the protection of access must be guaranteed. Are the devices adequately protected against viruses? Will it be prohibited to download programs from other app stores that do not offer sufficient protection? Do employees keep their PINs and passwords secret? Are devices not rooted?

(77) Identification process with own data does not require order data processing?

There are projects in which Swisscom relies on legally recognized and audited identification procedures with third parties. A typical example is a bank that carries out a presence identification of a person as part of its KYC process. In this case, Swisscom receives a copy of the bank's data for its own business purposes (signature). Order data processing is not necessary here, as there are two parties responsible for the data. Conversely, the Joint Controllership Principle of the GDPR is not applied here either, as the responsibility for the data does not serve the same business purpose and the two parties do not act as responsible parties in the sense of a common business purpose. The bank acts for its business purpose, e.g. opening an account, and Swisscom pursues its business purpose of issuing signatures. Nevertheless, in this case our contracts on the "delegation of registry activity" also contain a minimum of provisions on how to proceed regarding data protection and the GDPR.

(78) How does Swisscom keep the private keys to the signature certificates?

In the case of a remote signature, Swisscom keeps and manages the keys to the signature certificates in trust. In the case of a personal signature, the signature certificates are only generated for the signature and lose their validity after approx. 10 minutes. Company certificates for seals are valid for up to 3 years. According to the law, the private key must be stored on a (qualified) signature creation device. The storage for this is a device designed mainly for key storage, the HSM (Hardware Security Module). It is subject to strict regulation and auditing in terms of security standards and access to the device. Signatures in the EU and Switzerland are subject to particularly high security standards, which are met by only a few HSM manufacturers worldwide.

11 Setup

(79) What is the setup procedure for a personal signature?

The prerequisite for setup is a "declaration of configuration and acceptance" signed by the customer and verified by the global registration authority. This declaration contains the obligations of the operator of a signature application (e.g. the possibility of displaying the complete document to be signed, securing access to the service), but also the characteristics of the service.


Another prerequisite is an access certificate, which secures the communication of the signature application to the signature service.

After checking the document, our Setup Service receives the order to activate the service with the access certificate sent and the selected specification in the configuration and acceptance declaration. In the case of qualified signatures, the service is initially only activated for "advanced" signatures. Subsequently, the contact named in the configuration and acceptance declaration is asked for an example signature with the advanced signature. If this is faultless, the service is switched to the "qualified" level if required. The customer is also notified of this and then has 10 days to report any irregularities directly to the setup team. If the setup team does not receive any complaints during this time, the connection to the service is accepted. Further incidents can then be reported via 1st Level Support to Swisscom, in the case of direct contact with Swisscom, or to the reselling partner.

(80) What requirements must the access certificate fulfill?

The access certificate can be a self-signed certificate, created for example with the openssl software.

Requirements for the Distinguished Name:

• CN=<URL of the subscriber system that performs the communication with AIS or other unique identification of the subscriber system>

• O=<Name of organization>

• Email=<E-Mail for notification purposes e.g. in case of end of validity>

• C=<Country of organization>

The following additional requirements shall be considered when preparing the certificate:

• Maximum term 3 years

• Hash algorithm minimum SHA-256

• Key length minimum 2048 bit

Additional special conditions apply to access certificates within the framework of regulated (ZertES) or qualified (eIDAS) seal creation: The private key of the access certificate must be created on a cryptographic module in a joint ceremony with a Swisscom registration authority representative. This module must meet the requirements of FIPS 140-2 level 2, e.g. Yubikey or Microsoft Key Vault.
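The requirements listed in (80) can be checked mechanically before a certificate is submitted. The following shell functions are an added example, not part of the Swisscom FAQ and not Swisscom tooling: they create a self-signed certificate with openssl and test it against the DN fields, the 3-year term, the SHA-256 minimum and the 2048-bit minimum. The function names and all subject values are constructed, the FAQ's "Email" field is mapped to openssl's `emailAddress` attribute, and the key is generated in software, so this covers the ordinary case only, not the regulated or qualified seal case with its hardware key ceremony.

```shell
#!/bin/sh
# Added example, not Swisscom tooling. Subject values are constructed placeholders.

make_access_cert() {  # $1=key file  $2=cert file  $3=days  $4=RSA bits
    # -nodes leaves the key unencrypted: restrict file permissions in practice.
    openssl req -x509 -newkey "rsa:$4" -sha256 -days "$3" -nodes \
        -keyout "$1" -out "$2" \
        -subj "/C=CH/O=Example AG/CN=signing.example.com/emailAddress=pki@example.com" \
        2>/dev/null
}

# "Jun  3 12:00:00 2019 GMT" -> 20190603120000, with $2 added to the year
stamp() {
    echo "$1" | awk -v add="$2" '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        gsub(":", "", $3)
        printf "%04d%02d%02d%s\n", $4 + add, m, $2, $3 }'
}

check_access_cert() {  # $1=cert file; prints every violated requirement
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    rc=0
    for attr in CN O emailAddress C; do   # DN fields required by the FAQ
        printf '%s\n' "$subj" | grep -Eq "(^subject= ?|,)$attr=" ||
            { echo "subject lacks $attr"; rc=1; }
    done
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key length ${bits:-unknown} < 2048 bit"; rc=1; }
    printf '%s\n' "$text" | sed -n '/Signature Algorithm/{p;q;}' |
        grep -Eiq 'sha(256|384|512)' || { echo "hash weaker than SHA-256"; rc=1; }
    # Term check in calendar years: notAfter must not lie past notBefore + 3 years.
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    [ "$(stamp "$na" 0)" -le "$(stamp "$nb" 3)" ] ||
        { echo "term exceeds 3 years"; rc=1; }
    return "$rc"
}

tmp=$(mktemp -d)
make_access_cert "$tmp/access.key" "$tmp/access.crt" 1095 2048
check_access_cert "$tmp/access.crt" && echo "certificate meets the listed requirements"
rm -rf "$tmp"
```

The checker also works on a certificate produced by other tooling: pass its PEM file to `check_access_cert` and read the printed violations.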

(81) How does the setup of a seal take place?

In the case of a seal, in addition to the configuration and acceptance declaration by the operator of the signature platform, a certificate application for the seal certificate, an organisation certificate, is also required. In contrast to the certificate for the personal signature, the seal certificate is issued for three years. The certificate application must be signed by authorized persons of the organization. The authorisation can result from the register (e.g. procuration) or can also be a special power of attorney, which has been issued for example for the operators in the computer centre. Swisscom needs the proof of this power of attorney. These persons are also personally identified in advance by a representative of Swisscom's registration office using the RA app. This could also be, for example, an RA agent of a reseller who has carried out the personal identification. This enables the person to sign the application using an electronic signature. The application is sent to Swisscom unsigned and Swisscom invites the persons to sign electronically. The next steps now differ depending on the type of seal:

Advanced signature: The applicant sends Swisscom an SSL certificate, which the applicant wants to use as an access certificate for the interface to the seal.


Qualified/regulated signature: The applicant agrees a date with Swisscom for the joint creation of a private key. This must be created on a cryptographic device with the FIPS 140-2 level 2 qualification (e.g. Yubikey, Key Vault HSM Microsoft, etc.). An access certificate is then created based on this key, i.e. for the signature process the access must be released by means of this certificate.