
Distinguished Name: Use of Evidence Attributes

paulmuntean edited this page Mar 4, 2021 · 1 revision

Evidence Attributes

All-In Signing Service customers using the Smart Registration Service (a.k.a. "Registration Authority Service") can benefit from a new feature that allows variable substitution in the Distinguished Name with attributes of the registered evidence.

Prerequisites:

  • the Customer's account has "Identity Verification" enabled, i.e. all signers must have been identified and registered in RAS/SRS
  • the SignRequest must include a "stepUpAuthorisation" element with the corresponding MSISDN and other authorisation data (please refer to the Reference Guide for detailed information about the SignRequest elements)

The current approach used by many customers is to perform a verifyCall() in order to get the evidenceId and the further attributes needed for building the Distinguished Name. Now, evidence properties registered in the Smart Registration Service can be referenced directly in the DN, like this:

"sc.CertificateRequest": {
 "sc.DistinguishedName": "cn=${given_name} ${family_name},c=${country},serialNumber=${evidence_id}"
}

The following evidence properties are defined:

  • family_name (surname or family name)
  • given_name
  • country (ISO 3166-1 alpha-2 code)
  • evidence_id

References to undefined properties result in an error.

An additional mechanism of this new feature allows the use of pre-defined templates for the most common distinguished names. For example, the following distinguished name can be specified:

"sc.CertificateRequest": {
 "sc.DistinguishedName": "template:name"
}

Currently there are two available templates:

Template "pseudonym", which translates to:

cn=${given_name} ${family_name},pseudonym=${evidence_id},c=${country},serialNumber=${evidence_id}

Template "name", which translates to:

cn=${given_name} ${family_name},givenname=${given_name},surname=${family_name},c=${country},serialNumber=${evidence_id}

References to unknown templates result in an error.

Please take into consideration:

  • Your configured DN pattern must exactly match the template in order for the feature to work. Otherwise an "Invalid Distinguished Name" error is returned by AIS in the SignResponse.
  • The ${country} variable shall NOT be used if the distinguished name contains the organisation (O) attribute.
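The substitution rules above (the four defined evidence properties, the two templates, the error on undefined properties or unknown templates, and the rule that ${country} must not be combined with an O attribute) are easy to get wrong in a request before it ever reaches AIS. The following client-side pre-check is an added example and not part of the AIS service or this wiki; the actual substitution is performed server-side by AIS. The evidence values, the function names and the request dictionary are constructed for illustration.

```python
import re

# Evidence properties defined on the page; the values are constructed sample data.
EVIDENCE = {
    "given_name": "Jane",
    "family_name": "Doe",
    "country": "CH",        # ISO 3166-1 alpha-2
    "evidence_id": "EV-0001",
}

# The two templates listed on the page, reproduced verbatim.
TEMPLATES = {
    "pseudonym": "cn=${given_name} ${family_name},pseudonym=${evidence_id},"
                 "c=${country},serialNumber=${evidence_id}",
    "name": "cn=${given_name} ${family_name},givenname=${given_name},"
            "surname=${family_name},c=${country},serialNumber=${evidence_id}",
}

VARIABLE = re.compile(r"\$\{([^}]*)\}")


class DistinguishedNameError(ValueError):
    """Raised when the DN pattern would be rejected by the rules on the page."""


def has_attribute(dn, attr):
    """True if the DN contains an RDN with the given attribute type (case-insensitive)."""
    # Split on commas that are not escaped with a backslash.
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, _ = rdn.partition("=")
        if key.strip().lower() == attr.lower():
            return True
    return False


def resolve_dn(pattern, evidence):
    """Expand a DN pattern the way the page describes, or raise DistinguishedNameError."""
    # "template:<name>" expands to the template body; unknown templates are an error.
    if pattern.startswith("template:"):
        name = pattern[len("template:"):]
        if name not in TEMPLATES:
            raise DistinguishedNameError(f"unknown template: {name!r}")
        pattern = TEMPLATES[name]

    # Every ${...} reference must name a defined evidence property.
    referenced = set(VARIABLE.findall(pattern))
    undefined = referenced - set(evidence)
    if undefined:
        raise DistinguishedNameError(f"undefined evidence properties: {sorted(undefined)}")

    # Caveat from the page: ${country} must not be combined with an O attribute.
    if "country" in referenced and has_attribute(pattern, "o"):
        raise DistinguishedNameError("${country} must not be used together with the O attribute")

    return VARIABLE.sub(lambda m: evidence[m.group(1)], pattern)


def dn_from_request(request, evidence):
    """Pull sc.DistinguishedName out of a request dict shaped like the page's JSON and resolve it."""
    pattern = request["sc.CertificateRequest"]["sc.DistinguishedName"]
    return resolve_dn(pattern, evidence)


if __name__ == "__main__":
    # Constructed request using the template form shown on the page.
    request = {"sc.CertificateRequest": {"sc.DistinguishedName": "template:name"}}
    print(dn_from_request(request, EVIDENCE))
```

Running the pre-check in the signing client gives a clear local error instead of an "Invalid Distinguished Name" SignResponse from AIS, and the `has_attribute` check is what catches the ${country}/O combination before the request is sent.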

NOTE: The verify() call is still available in case a customer wants to verify the registration status of a signatory. Use of this functionality is optional and not related to the new feature: you can use the verify call on the basis of either the pseudonym or the name/surname, independently of the DN provided later in the signature request.