This repository has been archived by the owner on Mar 25, 2021. It is now read-only.

Distinguished Name: Use of Evidence Attributes

eramons edited this page Aug 10, 2020 · 15 revisions

Evidence Attributes

All-In Signing Service customers using the Smart Registration Service (a.k.a. "Registration Authority Service") can benefit from a new feature allowing variable substitution with attributes of registered evidences in the Distinguished Name.

Prerequisites:

  • signers must have been identified and registered in RAS/SRS (thus their identification data is available)
  • the SignRequest must include a "stepUpAuthorisation" element with the corresponding MSISDN and other authorisation data (please refer to the Reference Guide for detailed information about the SignRequest elements)

The current approach used by many customers is to perform a verifyCall() in order to get the evidenceId and the further attributes needed for building the Distinguished Name. Now, evidence properties registered in the Smart Registration Service can be referenced directly in the DN pattern like this:

"sc.CertificateRequest": {
 "sc.DistinguishedName": "cn=${given_name} ${family_name},c=${country},serialNumber=${evidence_id}"
}

The following evidence properties are defined:

  • family_name (surname or family name)
  • given_name
  • country (ISO 3166-1 alpha-2 code)
  • evidence_id

References to undefined properties will result in an error.

An additional mechanism of this new feature allows the use of pre-defined templates for the most common distinguished names. For example, it is possible to specify the following distinguished name:

"sc.CertificateRequest": {
 "sc.DistinguishedName": "template:name"
}

Currently there are two available templates:

Template "pseudonym", which translates to:

cn=${given_name} ${family_name},pseudonym=${evidence_id},c=${country},serialNumber=${evidence_id}

Template "name", which translates to:

cn=${given_name} ${family_name},givenname=${given_name},surname=${family_name},c=${country},serialNumber=${evidence_id}

References to unknown templates result in an error.

Please take into consideration:

  • Your configured DN pattern must exactly match the template in order for the feature to work. Otherwise an "Invalid Distinguished Name" error is returned by AIS in the SignResponse.
  • The ${country} variable shall NOT be used if the distinguished name contains the organisation (O) attribute.
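To see how the substitution and template rules above fit together, here is a small resolver that mirrors them locally, so a DN pattern can be checked before it is sent in a SignRequest. This is an added example, not code from the AIS product or this repository: the template strings and the four property names are the ones listed on this page, while the evidence record is constructed sample data and the RFC 4514 escaping of attribute values is an assumption (the page does not document how AIS escapes values such as commas in a family name).

```python
import re

# Templates exactly as listed on this page.
TEMPLATES = {
    "pseudonym": "cn=${given_name} ${family_name},pseudonym=${evidence_id},"
                 "c=${country},serialNumber=${evidence_id}",
    "name": "cn=${given_name} ${family_name},givenname=${given_name},"
            "surname=${family_name},c=${country},serialNumber=${evidence_id}",
}

# Evidence properties defined on this page; anything else is an error.
KNOWN_PROPERTIES = {"family_name", "given_name", "country", "evidence_id"}

_VAR = re.compile(r"\$\{([^}]*)\}")

# RFC 4514 characters that must be escaped inside an attribute value
# (assumption: the page does not state AIS's own escaping rules). Escaping
# keeps a value like "Smith, Jr." from being parsed as an extra RDN.
_SPECIAL = {",", "+", '"', "\\", "<", ">", ";", "="}


def escape_value(value: str) -> str:
    """Escape a single attribute value per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def check_pattern(pattern: str) -> list:
    """Static checks on a DN pattern; returns a list of problems (empty = ok)."""
    problems = []
    expanded = pattern
    if pattern.startswith("template:"):
        name = pattern[len("template:"):]
        if name not in TEMPLATES:
            return [f"unknown template: {name!r}"]
        expanded = TEMPLATES[name]
    for key in _VAR.findall(expanded):
        if key not in KNOWN_PROPERTIES:
            problems.append(f"undefined evidence property: {key!r}")
    # The page warns not to combine ${country} with an O attribute.
    rdn_types = {rdn.split("=", 1)[0].strip().lower()
                 for rdn in expanded.split(",") if "=" in rdn}
    if "${country}" in expanded and "o" in rdn_types:
        problems.append("${country} must not be used together with an O attribute")
    return problems


def resolve_dn(pattern: str, evidence: dict) -> str:
    """Expand a DN pattern (plain or template:<name>) with registered evidence."""
    problems = check_pattern(pattern)
    if problems:
        raise ValueError("; ".join(problems))
    if pattern.startswith("template:"):
        pattern = TEMPLATES[pattern[len("template:"):]]

    def substitute(match):
        key = match.group(1)
        if key not in evidence:
            raise ValueError(f"evidence has no value for {key!r}")
        return escape_value(str(evidence[key]))

    return _VAR.sub(substitute, pattern)


# Constructed sample evidence record (not real registration data).
SAMPLE_EVIDENCE = {
    "given_name": "Ada",
    "family_name": "Lovelace",
    "country": "CH",
    "evidence_id": "EV-123",
}

if __name__ == "__main__":
    print(resolve_dn("template:name", SAMPLE_EVIDENCE))
    print(resolve_dn("template:pseudonym", SAMPLE_EVIDENCE))
    print(check_pattern("cn=${given_name},o=Example AG,c=${country}"))
```

Running check_pattern over every DN pattern in your configuration catches the two error cases the page names (undefined property, unknown template) and the ${country}/O combination before AIS rejects the SignRequest; resolve_dn shows the exact DN string a template expands to, which is what the "must exactly match the template" note refers to.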