IFS Signature Service
IFS Signature Service enables a technician to sign a document after the work is complete. The signature is stored and associated with the document.
IFS Signature Service allows an organization to hand out flashed YubiKeys to their end users containing the private and public key pair needed to sign documents.
The process of creating or ordering certificates and preparing the YubiKeys is outside the scope of this documentation; make sure to read the requirements first.
Before an end user can start signing documents, an administrator needs to create or order certificates tailored specifically for the end user. Once the certificate signing request has been approved, the resulting certificate can be flashed onto a YubiKey and handed out to the end user. The certificates must also be registered before they can be used: the root and intermediate certificates might need to be registered, and the user's public certificate must be mapped to the designated end user.
When the end user is ready to sign, the document is uploaded and the user is prompted to sign it with the YubiKey. The signature is then uploaded and verified together with the document on the server, and if validation succeeds it is stored.
Once a document has been signed it needs to be extended in order to preserve its integrity. All documents are initially stored as Baseline-B, and the server attempts to extend them to Baseline-T as soon as possible, which means a timestamp is added to the signature. Once a document has been extended to Baseline-T, the server attempts to extend it to Baseline-LTA as soon as the certificate's revocation data has been updated and it can be certain that the document was not signed with a revoked certificate. Documents at Baseline-LTA are considered valid for a long time but need to be re-sealed before the Timestamp Server expires (which can be ten years into the future).
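As an added illustration of the lifecycle described above (this is not IFS code and not part of this documentation), the following Python model enforces the Baseline-B to Baseline-T to Baseline-LTA ordering: a timestamp is required for T, revocation data issued after that timestamp is required for LTA, and a re-seal is flagged before the timestamp's validity runs out. The class and function names and the constructed timeline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
@dataclass
class RevocationInfo:
    produced_at: datetime                  # when the CRL/OCSP data was issued
    revoked_at: Optional[datetime] = None  # None if the signer's certificate is not revoked

@dataclass
class SignedDocument:
    signed_at: datetime
    level: str = "Baseline-B"              # every stored document starts at Baseline-B
    timestamp_at: Optional[datetime] = None
    timestamp_expires: Optional[datetime] = None

def extend_to_t(doc: SignedDocument, tsa_time: datetime, tsa_expiry: datetime) -> str:
    """Baseline-B -> Baseline-T: attach a timestamp proving the signature existed at tsa_time."""
    if doc.level != "Baseline-B" or tsa_time < doc.signed_at:
        raise ValueError("need a Baseline-B document and a timestamp no earlier than the signature")
    doc.level, doc.timestamp_at, doc.timestamp_expires = "Baseline-T", tsa_time, tsa_expiry
    return doc.level

def extend_to_lta(doc: SignedDocument, rev: RevocationInfo) -> str:
    """Baseline-T -> Baseline-LTA: needs revocation data issued after the timestamp."""
    if doc.level != "Baseline-T":
        raise ValueError(f"cannot extend {doc.level} to Baseline-LTA")
    if rev.produced_at <= doc.timestamp_at:  # data older than the timestamp proves nothing
        raise ValueError("revocation data is stale; wait for an update")
    if rev.revoked_at is not None and rev.revoked_at <= doc.timestamp_at:
        raise ValueError("certificate was revoked before the signature was timestamped")
    doc.level = "Baseline-LTA"
    return doc.level

def needs_reseal(doc: SignedDocument, now: datetime, margin: timedelta = timedelta(days=365)) -> bool:
    """True once the timestamp's validity ends within `margin`, so the document must be re-sealed."""
    return doc.level == "Baseline-LTA" and now + margin >= doc.timestamp_expires

def run_scenario() -> dict:
    """Constructed timeline: sign, timestamp, reject stale revocation data, reach LTA, check re-seal."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    doc = SignedDocument(signed_at=t0)
    out = {"after_t": extend_to_t(doc, t0 + timedelta(minutes=5), t0 + timedelta(days=3650))}
    try:
        extend_to_lta(doc, RevocationInfo(produced_at=t0 - timedelta(hours=1)))  # issued before timestamp
    except ValueError as err:
        out["stale"] = str(err)
    out["after_lta"] = extend_to_lta(doc, RevocationInfo(produced_at=t0 + timedelta(days=1)))
    out["reseal"] = needs_reseal(doc, now=t0 + timedelta(days=3400))  # within a year of expiry
    return out
```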