FAQ

In this FAQ you will find the most frequently asked question on our Services. If you do not find a matching answer please contact us directly via contact form.

  1. Are identifications also valid for advanced signatures for a maximum of only 5 years?

    Yes, after 5 years, persons identified for advanced signatures must also be newly identified. However, for advanced signatures it is sufficient if the identity card was valid at the time of identification. If this expires within the 5 years, no new identification is necessary. For qualified signatures, on the other hand, an identification is valid for as long as the ID card was valid or for a maximum of 5 years after this identification.

  2. Can I also identify myself at Swiss Post, Swisscom Shops etc.?

    In Switzerland, Swisscom is in the process of enabling identification in Swisscom shops as well. However, this will not happen before the end of 2019. Abroad, identification will only be possible via partners who offer this. In the medium term, Swisscom is looking for a connection to existing identities (e.g. identity verification online by a bank or a state eID, like the German Personalausweis or SwissID). The first projects in Germany will start in Q2.

  3. Should I exactly use the identification data for the signature request?

    Yes. In case of usage of the surname and given name it must be exactly the same as to be found in the ID or passport. Swisscom is also able to configure the service in a way that only a pseudonym is used instead of the surname and given name. Furthermore the “Common Name” (CN) could be used with the names usually used for this person (independent from the ID document). The RA-Service verify call verifies in this case the mobile number which was used during identification and the country.

  4. Are there libraries that simplify the handling of PDFs?

    Yes, there are several libraries available on the market that allow a quick implementation of a signature application. All of them also have special support for Swisscom Service:

    Intarsys is a premium partner of Swisscom and knows the AIS service very well from a technical point of view and can provide consulting support.

    Swisscom rejects any responsibility for the error free operation of these libraries. These may contain errors and require special knowledge and expertise. Use is at the subscriber’s own risk.

  5. How much space does a signature need in a document?

    See https://github.com/SCS-CBU-CED-IAM/AIS/wiki/Swisscom-CA-4

  6. How many signature requests per minute can our system currently handle?

    At the moment we are in the process of expanding our capacities with other algorithms (pre-generation of keys) and HW expansion. Since several customers use the service, we assume a maximum load of one request per second on average per customer. Higher performance, i.e. especially reserved capacities are optionally possible.

  7. Can multiple signatures be placed on a document?

    Yes, this is the sole task of the subscriber application, which then repeatedly sends the hash with the signature request to the All-in Signing Service. Any number of signatures can be generated for the same digital document.

  8. Can a document be provided with an organizational signature (static signature) and a personal signature (on-demand)?

    Yes, but this requires 2 communication channels and setups, i.e. the signature must first be authenticated by the person signing via one channel (on demand) and then organizationally signed (with previously created static certificate) by an SSL authentication certificate via a second channel.

  9. How is a bulk signature billed, i.e. in a signature request I send e.g. 5 documents?

    Each signature is calculated individually, i.e. in this example 5 signatures are calculated.

  10. How many documents can be sent with a bulk (batch) signature?

    It is limited to 250 due to the security reasons rather than to the capacity of the service.

  11. Can both advanced and qualified signatures be issued via a connection (ClaimedIdentity)?

    Yes, this is possible and will be dealt with an appropriate call in the interface.

  12. How can I test with the RA-App?

    There is a test and demo mode that allows you to try out the app, but no data is transmitted. For this purpose, the mobile phone number +41001234567 must be entered in the registration form and the company name “demo”.

  13. Which countries does the RA-App support?

    Please find a table with all accepted ID documents and passports:

  14. Does the RA agent have to be authorized by Swisscom if it identifies persons for signatures according to EU and CH law?

    This happens indirectly. In practice, the procedure is as follows: The RA agency first appoints a RA master agent. This agent is identified by Swisscom or a Swisscom partner and undergoes training. He then receives a user interface with which he can turn other persons identified by him alone into RA agents or RA master agents. However, they must also undergo training.

  15. How is a person deleted from the RA service?

    In principle, Swisscom must retain the data for a very long time (11 years in Switzerland or 35 years in the EU). But persons can be deactivated by the RA master agent or by Swisscom so that they can no longer sign.

  16. Are the data of EU-authorised and CH-authorised signatories kept separate?

    Yes, a distinction is made between whether the signatories have agreed to the terms of use of Switzerland or the EU or both. All data is also processed by Swisscom (Schweiz) AG for Swisscom IT Services Finance S.E. in Vienna.

  17. How long does a trained RA agent need for identification?

    On average, an identification is completed within 2 minutes.

  18. When photographing the front/rear of the ID card, the camera does not focus...

    Hold the camera up so that the entire ID document is captured by the cut-out (still blurred if necessary). Move the camera slowly closer to the badge and it will start to focus again.

  19. The registered person did not receive the SMS or deleted it with the acceptance of the terms of use.

    Notify your RA-Master agent and ask him to search the portal for the mobile number. You can resend the SMS with the terms of use by clicking on the link with the PDF symbol:

  20. The registered person has not received an SMS and cannot be found.

    Make sure that you have not registered the person in the RA-App Demo Mode (mobile number +41001234567, company “demo”).

  21. Is only Mobile ID or PWD/OTP possible for authentication?

    In Switzerland we switch Mobile ID to PWD/OTP fallback mode by default if the SIM card is not enabled for Mobile ID. In the eIDAS room we only allow PWD/OTP as standard.

    We offer also an authentication app based on the Mobile ID interface, which also offers authentication with fingerprint or face recognition. This app only requires an Internet connection during authentication and can therefore be used internationally. However, an international SIM card (mobile phone number) is still required for the setup of the app. See http://documents.swisscom.com/product/filestore/lib/0027a527-304d-44a3-b467-9e655ee7025e/mobileidapp-en.mov .

    In general, other authentication methods are also possible, but these must be approved by KPMG. The partner would have to do this and show his method within the framework of an implementation concept.

  22. I was identified with PWD/OTP and now have a MobileID, can I use it to sign?

    Unfortunately, not. You have a new means of authentication which was not initially recorded with the identification. I.e. you must be newly identified using the MobileID.

  23. Is mobile reception via SMS also guaranteed abroad?

    No guarantee but it should work nearly everywhere – one can have a closer to this overview:

    https://www.swisscom.ch/en/residential/mobile/tariffs-roaming-abroad/query-tariffs.html

    It is expected that in Q4/2019 Swisscom will extend authentication with additional methods (Authentication App). Thus Swisscom cannot give any guarantee about the possibility of authentication abroad due to the external provider abroad.

  24. Is Mobile ID reception also guaranteed abroad?

    Mobile ID is also received everywhere abroad – everywhere an SMS can be received. There is a special protocol in the telecommunications standard. But since several parties are involved in this process Swisscom can never guarantee this service.

  25. Why do we need an additional password and the SMS is not enough for a qualified signature?

    A 2-factor authentication is necessary for the qualified signature: “possession” and “knowledge”, i.e. only the possession (SMS) is not sufficient.

  26. Is 2FA authorization also necessary for advanced signatures?

    No, OTP is sufficient for advanced signatures.

  27. Are there any costs for the Mobile ID or the SMS?

    Swisscom does not charge any costs for sending Mobile ID or SMS. Depending on the roaming partner’s tariff, costs may be incurred for roaming (which happens very rarely, e.g. on cruises).

  28. What happens if I forgot my password?

    The loss of the password leads to a new digital identity. The application providers can react to this and, if necessary, demand a new identification of the signer, e.g. with the RA-App.

  29. What happens if another person picks up a call?

    Since both methods require a secret as well as the possession of the telephone number, no signature for the previously existing digital identity can be triggered once the telephone number has been transferred. This means that the person must be newly identified.

  30. Can a landline phone be used instead of a mobile phone for the SMS query?

    Since a fixed line number can practically not be assigned to a person, this is not possible. The SMS is intended to ensure that something is contacted that is solely and without exception assigned to the person signing the document.

  31. Is it possible to sign without mobile phone reception?

    Modern devices are equipped with WIFIcalling. These can also be used to sign in a WIFI zone. Without the Internet, however, remote signatures are not possible.

  32. Is the MobileID via eSIM supported?

    In most cases yes.

  33. What happens if I change my SIM card?

    In the case of a MobileID, you can use a recovery code to transfer the MobileID to the new SIM. In the case of PWD/OTP and the same phone number, your authentication option also remains.

  34. How is identification linked to an authentication method?

    During identification, the means of authentication (e.g. specifically the mobile phone number) is queried. With this, a first signature is already executed, typically the signature of the terms of use that have been accepted. This signature is transferred to the All-in Signing Service. This means that the All-in Signing System knows exactly the means of authentication.

  35. Is there an API instead of password/OTP screen integration?

    No. Swisscom even requires that, when the PWD/OTP screen is integrated as an “iFrame”, an external person can check that it originates from Swisscom. E.g. the standard browser functions can be used which Swisscom publishes under its website link in accordance with Chapter 4 of the Terms of Use. For iFrame integration have a look to https://github.com/SCS-CBU-CED-IAM/AIS/wiki/SAS-iFrame-Embedding-Guide

  36. Is screen scrapping for entering a PWD/OTP possible?

    There is no support for screen scrapping as an interface. Developers could be confronted with the fact that the screens will be changed. It is also contradictory to the implementation of “sole control” between the signer and the signing certificate.

  37. Can the password/OTP screen be integrated into a website or application?

    Yes, but only as iFrame, instructions can be find here: https://github.com/SCS-CBU-CED-IAM/AIS/wiki/SAS-iFrame-Embedding-Guide

  38. Can the password/OTP screen text or MobileID text be configured?

    Yes, as described in the Reference Guide (www.swisscom.com/signing-service ) under “Step-Up method” in the “Message” field, the text block with the heading to the message for the expression of intent and the language setting with “Language” can be configured within the framework of the protocol. For the SMS input window the language can also be set with the “Language” parameter.

  39. What happens if MobileID is not activated or possible on a SIM card?

    MobileID is always configured in combination with a PWD/OTP fallback solution, i.e. a password window is automatically sent. You can activate your MobileID on the platform https://mobileid.ch . If the MobileID app is used and activated, the MobileID app is used.

  40. When is the password set for the first time?

    In the standard case, after identification, the customer first receives the terms of use for Swisscom’s signature service. The customer confirms this and thereby triggers an initial signature of these conditions, in the context of which he can also define the password for the first time.

  41. Can other authentication methods be used instead of PWD/OTP MobileID?

    By default, Swisscom currently only offers these methods. However, the extension will be worked out in the future, so that biometric methods may also be possible if approval has been granted. In addition, Swisscom will optionally accompany the customer if it wishes to use an audited solution to permit an additional signature at the recognition authority. Additional costs will be incurred.

  42. Isn't a login to the subscriber application and an SMS authentication sufficient as a 2-factor solution?

    The basis of 2-factor authentication is the fact that both factors must be recorded in connection with authentication, i.e. no password may be chosen that only knows the subscriber application, but the subscriber himself has been identified with RA-App. Such an exception could only be imagined if the participant himself carries out a authorized identification by RA delegation and furthermore designs the authentication procedure in such a way that both factors (login, SMS release) are carried out in a short session. Both the own identification procedure and this session procedure must be described in detail in an implementation concept and requires a release by Swisscom and its auditors. Additional costs are incurred here.

  43. Are batch signatures possible?

    Yes, several documents can be signed with one approval within a session.

  44. Are XADES (XML) signatures are possible?

    XML signatures according to XADES standard can be done based on seals but not on personal signatures (in the moment). In the client you have to prepare the XADES standard: The call of a “plain signature” must be implemented.

  45. What is the best interpretation of error codes concerning the RA-Service?

  46. Serial Number mismatch

    What does the error message “Serial Number Mismatch. We strongly advise to go through the Pre-Signing Process in order to retrieve the actual StepUp SerialNumber”. This error message indicates that in a PWD/OTP process the password was reset and re-selected without performing a new identification with the corresponding step-up process according to the Reference Guide.

  47. Why didn't my signature work?

    I authenticated correctly with PWD/OTP or MobileID – but the signature didn’t work … what could be the reason?

    Causes are:

    • You have set a new password for the PWD/OTP procedure. This may only be carried out in exceptional situations at an internal registration authority and must otherwise always take place as part of a new identification.
    • You had previously authenticated with PWD/OTP and you have now activated your MobileID with a Swiss mobile phone number. In this case, a new identification must also take place because the means of authentication belonging to the identity has changed.
    • You have changed the SIM or the mobile phone provider. As a result, the MobileID authentication has changed when using a MobileID. A new identification is also necessary for this.
    • If none of these causes are present, you should open a ticket.
  48. How can I validate signatures?

    For signatures in the Swiss legal area: www.validator.ch  (Attention, the validator is not always up to date). For signatures in the EU legal area: https://www.signatur.rtr.at/de/vd/Pruefung.html

    It should be noted that the EU validators are far from harmonised. This means that test portals can present an electronic qualified signature as “invalid”, even though it meets the requirements for eIDAS dating. Harmonisation is being worked on by the EU.

    Only QES signatures can be validated. There are no validators for AES signatures.

  49. Why does the validator display an invalid signature?

    Often the messages refer to the missing integrity, i.e. the document shows changes after signing the document. For example, elements from the network were downloaded and inserted later. This can be avoided by consistently using the latest version of the PDF/A standard for the signature.

    It should be noted that the EU validators are far from harmonised. This means that test portals can present an electronic qualified signature as “invalid”, even though it meets the requirements for eIDAS dating. Harmonisation is being worked on by the EU.

  50. Does the "green tick" in Adobe indicate the regularity of the signature?

    Adobe is a U.S. American supplier of a software that can display PDF documents. The most prominent and widespread product is the so-called “Adobe Acrobat Reader”. This enables the verification of certificate-based signatures. Whether a signature is valid and thus displayed with a green tick depends on many aspects:

    • Adobe has its own set of rules, which classifies issuing CAs from trust providers or certification service providers as “trustworthy”. These are listed in a so-called Adobe Trust List (AATL). Even if not included in the service description, Swisscom always endeavours to be listed here. In addition, the listed companies must pay annual fees for this entry and file in their self-assessment. According to Adobe, eIDAS trust service providers are considered trustworthy if they have also concluded a contract with Adobe.
    • Adobe offers a variety of settings that can lead to a completely different validation: For example, instead of Adobe’s trust list, Microsoft Windows’ trust list can also be used, which usually only maintains trust service providers that also issue SSL or e-mail certificates. However, the check can also be based on a time given by the computer clock and not on the time stamp in the document.

    This means that you cannot rely on the validity of a signature in Adobe, but you get information about whether changes have been made to the document since the signature was set and how the signature certificate looks like.

  51. The configuration and acceptance declaration asks for two roles: (1) Security Officer for Data Security and Privacy (2) System Administrator. How do I choose these roles appropriately?

    Both should be IT people who are familiar with the application. It does not have to be a person with the official role “Privacy Deputy”. Swisscom simply wants to retain the 4-eyes principle here. The roles are: To be able to provide information about the administration of the user application (who has access, what could an administrator manipulate, where might there be a hitch, SSL connection to Swisscom) and about topics such as virus protection, access control in general, etc. at the person responsible for security.

  52. What do I do in a company with several subsidiaries?

    On the one hand, an internal company can become a Swisscom reselling partner for other companies. In this case, the payment flow goes directly only through this individual company. One company can also assume complete responsibility for the operation of the subscriber application. Even then, invoices will only go through this company. It can then identify employees of the other companies.

    If all companies want to operate the subscriber application independently (with their own liability and responsibility) and also want to provide RA agents themselves, a separate contract is required for each company.

  53. We would like to bill partly "per signer" and partly "per signature", is that possible?

    Here two user accounts (ClaimedIdentity) must be opened, each account is connected with a billing method. This means that the subscriber application must decide for itself which account it will use to send a signature request. There is a service fee per account, but the transaction fee per signature is reduced by 30%. 2 invoices are issued at the end of the month.

  54. If "per signer" is billed, what happens to the months in which no signatures are performed?

    There are no costs for these months.

  55. We would like to sign both in the EU and in the CH legal area, is that possible?

    Two user accounts (ClaimedIdentity) must be opened, each account is related to the respective signature type, i.e. the participant application must decide, over which account it sends a signature inquiry. Both accounts can be addressed via one interface, i.e. the same endpoint. There is a service fee per account, but the transaction fee per signature is reduced by 30%. 2 invoices are issued at the end of the month. Therefore 2 service contracts with 2 different configuration and acceptance declarations must be submitted. If you have 2 legal areas and 2 billing types, you still have only one interface (technical), but 4 service access interface point and by this 4 times a service fee.

  56. Swisscom uses standard PDF contract – how can we adopt them to our needs?

    Every year, Swisscom invests large sums in ongoing audits. However, to be able to place the offer of a trust service provider on the market at a reasonable price, this service is offered in a standardised form. That means in particular:

    • The customer must adhere to the standard ordering process with the standard contract documents released by the auditors.
    • Further assessments by participants and the examination and acceptance of own contract texts are not included in the offer.

    Many aspects of the trust service provider are subject not only to conditions in the execution of the service but also in the specification of important obligations, liability regulations and cooperation services in the contract documents. Therefore, these contract documents are also subject to auditing or are also submitted to the state conformity assessment bodies. Therefore, no changes to the legal system can be accepted, nor can contractual enclosures of the participant be accepted, especially if they are subject to foreign, applicable law.

    If it is nevertheless necessary to adapt contractual texts, add contractual regulations (e.g. your own Code of Conduct, Data Protection Declaration, NDA, etc.), process special assessment questionnaires or if you have even discovered errors or unclear formulations, please report these to our product management.

    If any errors or ambiguities are apparent, a corresponding change process is initiated by product management and implemented as quickly as possible.

    For the evaluation of other questions, a processing team is formed that draws on the relevant experts (e.g. legal department, security officer, compliance officer, etc.) and carries out an evaluation of the request. A project specific fee of CHF 6,000 is due for this. If the team of experts was not able to work out a solution directly, it will prepare an answer and an offer, which will present and assess further steps on the part of Swisscom.

  57. Does the customer need certifications for the operation of the signature application?

    No, only for the operation of the signature application no certification and no audit is required. Within the scope of a “configuration and acceptance declaration”, the customer makes a self-declaration to operate the signature application properly, i.e. not to exchange the hash of a document and to actually display the document to be signed to the customer (WYSIWYS = “What you see is what you sign”). Data traffic between the signature application and Swisscom should be encrypted and basic protection against viruses and attacks should be guaranteed as with any other system. An official audit with certification can only be necessary if the system has its own identification, especially in relation to its own authentication method. In Switzerland, identification with Swisscom authentication methods can be dealt with in a simplified manner by means of a suitable “implementation concept” submitted by the customer and approved by Swisscom; in the EU, an official audit is generally necessary. As a rule, an authentication method must always be certified, as this should ensure “sole control” to the signing certificate (called “sole control” in the ETSI context).

  58. How can I order seals as a company?

    In principle, the company must appoint representatives. These representatives should either be the registered representatives according to the commercial or business register, or employees with appropriate powers of attorney signed by the registered representatives. In any case, the persons must be personally identified with our RA-App. In Switzerland, only companies registered in the UID Register can order seals. With the seal, the SSL access certificate between the signature application at the customer and Swisscom serves as authentication of the company. The access certificate must therefore be handed over by the representative of the organisation. With the advanced seal, simple delivery is sufficient; with the qualified seal, a joint handover ceremony takes place at which the access certificate is jointly generated. The private key must be stored on a cryptodevice (FIPS 140-2 level 2 minimum).

  59. Who is liable for faulty certificates?

    In principle, Swisscom has unlimited liability under the law for the incorrect issue of qualified certificates. In the case of advanced certificates, this liability can be limited. Swisscom is also compulsory insured for this purpose. In the event of errors in the signature application (e.g. the exchange of a hash of a document) or errors in identification by third party registries, Swisscom in turn will hold these third parties liable. In order to avoid the risks of liability, high demands are placed on the issuance and contract process and the possibility of auditing the third parties involved is generally required.

  60. Is the signature accepted in Switzerland?

    Swiss legislation, i.e. the Swiss Federal Electronic Signature Act (ZertES/SCSE), provides the requirements organizations  have to fulfill in order to be recognized as a certification service. The accredited accreditation body for the accreditation of Swisscom as a certification service in Switzerland is KPMG (Accreditation No. SCESm 0071). It issues a conformity assessment certificate (available at www.swisscom.com/signing-service).  The Swiss Accreditation Service SAS maintains a list of accredited certification services:
    https://www.sas.admin.ch/sas/en/home/akkreditiertestellen/akkrstellensuchesas/pki.html

  61. Is the signature recognised in an EU country (also outside Austria)?

    With the entry into force of the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market of the European Union (eIDAS), the basis has been created for legally valid electronic communication and secure electronic identification throughout Europe. With the help of trust services such as electronic signatures, seals, time stamps, delivery services and certificates for authentication, companies, administrations and private individuals can exchange digital documents such as offers, orders, contracts etc. within the European Union on a uniform legal basis. Thus, the new EU regulation replaces the national signature law and signature regulations.

    Under this Regulation (EC) No 910/2014/EU (eIDAS Regulation), national Trusted Lists have a constitutive effect. In other words, a trust service provider and the trust services it provides will be qualified only if it appears in the Trusted Lists. Consequently, the users (citizens, businesses or public administrations) will benefit from the legal effect associated with a given qualified trust service only if the latter is listed (as qualified) in the Trusted Lists.

    Swisscom’s subsidiary in Austria “Swisscom IT Services Finance S.E.”, Vienna have been included in this list of trust with qualified certificates and seals:

    https://webgate.ec.europa.eu/tl-browser/#/tl/AT

    Swisscom IT Services Finance S.E. has mandated Swisscom (Switzerland) Ltd to operate the trust service and has also delegated the registry authority activities to Swisscom (Switzerland) Ltd. Swisscom (Switzerland) Ltd. thus offers the service to the market and also accepts contractual documents on behalf of Swisscom IT Services Finance S.E..

  62. Can Swisscom guarantee legal compliance for a contract signed with its signature?

    Swisscom can only confirm that it can issue qualified signatures in both legal systems in accordance with the eIDAS Regulation of the EU and the ZertES Act of Switzerland. The qualified Swiss signatures are only recognised as qualified in Switzerland and the eIDAS qualified signatures in the EU.

    Whether the qualified signature is compliant for any contract must always be verified by a lawyer. Swisscom may not provide any legal information in this regard. This is not only related to the signature, but also to other points that may be agreed in contracts. For example, the requirement for “return by registered mail” may mean that an electronic signature cannot be executed at all, as a postal paper route is mandatory.

  63. Is the qualified signature more conclusive?

    In both the EU and Switzerland legal systems, the reversal of the burden of proof (and in Germany also prima facie evidence compared to visual evidence) applies in principle to qualified signatures. This means that an opposing party must prove that the qualified signature was not properly executed if it is contested. And, of course, Swisscom can provide KPMG-certified verifications to prove that the qualified signature has been duly executed.

  64. Can the validity of a signature still be proven after 10 years?

    The retention periods for identity verification and the activity journal and thus also the periods of proof are 11 years in Switzerland and 35 years in the EU. Swisscom generally uses the long-term validation standard of ETSI (LTV).

    Long term validation means validating a signature in such a way that it remains valid for a long time. The LTV validation only allows validation as long as the root certificate for the timestamp has not expired. It is therefore advisable to time stamp the documents again before expiration if long-term evidence is to be preserved, so that the integrity and meaningfulness of the signature evidence continues to be ensured.

    In principle, PDF documents should also be managed in secure archives. A situation can arise in 5, 10 or 20 years in which the signature algorithms are “cracked”, i.e. the integrity or authenticity could no longer be guaranteed. Good archiving systems therefore provide for regular resignation, e.g. with a time stamp, which always uses the latest algorithm and thus ensures the integrity of the document.

    The web offers different links with optimized procedures for this, e.g. “Archisig”. The German BSI has also published a technical guideline “Preservation of the evidential value of cryptographically signed documents”. It is the specification of technical security requirements for the long-term preservation of the evidential value of cryptographically signed electronic documents and data together with the associated electronic administrative data (metadata).

    A middleware defined for these purposes (TR-ESOR middleware) in the sense of this guideline comprises all those modules and interfaces which are used to secure and maintain the authenticity and to prove the integrity of the stored documents and data.

  65. How are changes to the legal basis handled?

    Experience has shown that transition periods can last from 3 months to 2 years.

  66. Can the reproduction of signed original documents be prevented?

    No.

  67. Are there reports on the Web from Swisscom customers who use the digital signature?

  68. How do time stamps affect different time zones?

    In principle, a time stamp also stores the zone (the offset). In this respect, all local programs will display the actual local time.

  69. Adobe reports the error that the signature is invalid because it could not be validated.

    “Signature is valid but the signer’s identity validity could not be verified” is Adobe’s statement if no LTV format was used. The background is that Adobe then tries to check the validity of a 10 minute certificate. If no long-term validation format was used, which stores the validity information at the time of the signature, these can no longer be accessed after some time. Therefore, signatures with short-term certificates (but also signatures with long-term proof) must always be saved in LTV format.

  70. Which data is published in the certificate as Distinguished Name (DN) of the personal certificates?

    The Distinguished Name contains either the person’s first name, surname and country of birth/registration or home country, or a pseudonym with a serial number that can be uniquely traced back to a person by the registry. Organisation names are only permitted in special cases

  71. Which file formats can be signed?

    In principle, Swisscom provides a signed hash and thus supports PADES (PDF) formats and, in the case of organisation certificates, XADES (XML) formats. Word files are not signed and are not intended for this purpose by law.

  72. Data protection in Switzerland and the DSGVO?

    Switzerland is not in the EU and has therefore not introduced EU legislation, the so-called General Data Protection Regulation (GDPR). In reality, the GDPR is also applicable if the companies are based in Switzerland and offer services in the EU.

    Swisscom is therefore subject to the same data handling obligations as all other organizations that have to comply with the GDPR:

    • obtain the consent of the person whose data are processed
    • “Privacy by design” and “Privacy by default” guarantee
    • appoint a data protection representative
    • create a list of processing activities
    • report violations of data protection to the supervisory authority
    • conduct a privacy impact assessment

    All applications which concern data protection and are used for data processing, e.g. also the RA-App must be GDPR compliant. Swisscom provides information on this on its pages:

    Switzerland: www.swisscom.com/signing-service

    Austria: www.swisscom.at

    with corresponding data protection declarations according to GDPR.

    Switzerland has always been and is considered as a secure third country pursuant to Art. 45 GDPR (data transfer based on an adequacy decision), i.e. the usual authorisations as with other third countries (e.g. the U.S.) are not necessary. Thanks to its Data Protection Act and the ongoing adaptation to the GDPR, Switzerland has an “adequate level of protection for the transfer of personal data” in accordance with EU criteria, i.e. it must in fact be treated as an EU country when transferring data:

    https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

  73. Compliance with data protection of the All-in Signing Service

    As part of its ongoing audits, Swisscom must ensure that all the strict data protection requirements necessary for the issue of digital signatures are complied with, both vis-à-vis the certification authority in Switzerland and vis-à-vis the conformity assessment body in Austria. This means that, in addition to self-declaration, trust service providers and certification services are obliged by legislation and the international standards applied, such as ETSI 319 401, to demonstrate and have audited appropriate data protection for all personal data.

  74. Privacy and RA-App/RA-Service

    The data protection requirements to be demonstrated and audited also apply to the registration authority activities – a task of a trust service provider and certification service provider. Thus the RA app as part of the registration process must ensure data protection and privacy. The RA-App itself does not store any personal data permanently. No data can be exported either. As soon as the identification has been completed, the data is transferred signed by the RA agent as so-called evidence. This evidence is stored at Swisscom’s RA service under strict security conditions (e.g. 4-eye access). Only a few people have access to this data and may only pass it on based on a court order or are allowed to check the quality of the identification. According to the law, Swisscom has unlimited liability for the proper execution of the signature and thus also the identification.

    RA Master Agents have web access to a portal in which they can view all persons identified by RA Agents with their surname, first name, expiry date of the ID document and mobile phone number. The ID documents and photos (so-called “evidence”) are not accessible or exportable.

  75. Why order data processing?

    Swisscom is legally obliged to record personal data for the signature. It is therefore responsible for this data. This means that Swisscom cannot play the role of a data processor, even if it receives e.g. employee data from a customer company for the signature. Swisscom has a legal mandate like that of telecoms or postal service providers. Furthermore Swisscom has a legal contractual relationship with the signatories with the terms of use. In this agreement, the signatory also accepts the use of data.

    With the RA app, Swisscom transfers the recording of identity data to an external service provider, which is referred to in the contracts as the “RA agency”. The GDPR requires in this case an order processing contract. The RA agency must therefore comply with the obligations for order data processing.

    Compliance with the GDPR order data processing is also required in purely Swiss projects. There are two reasons for this:

    • On the one hand, it can rarely be guaranteed that persons identified in Switzerland are not EU citizens who are subject to the market principle of the GDPR,
    • On the other hand, the RA app cannot be used in such a way that only persons for Switzerland are identified, i.e. order data processing always takes place for Swisscom IT Services Finance S.E. in Vienna as well.
  76. What are the obligations of RA agencies in the context of their activities?

    RA agencies act on behalf of the Swisscom registration office. In addition to the duties of careful execution of the registry’s activities, data protection is also a priority. The data protection principles from Art. 28 DSGVO apply, which are reflected in precise form in the technical-organisational measures (TOM) in the RA Agency contract. They are based on 2 sections of Art. 28, which reflect the use of the app on the mobile device:

    • The measure must “ensure the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing on a long-term basis” and
    • Include a procedure for regular review, evaluation and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.
    • The controller and the processor shall take steps to ensure that natural persons under their authority who have access to personal data process them only on instructions from the controller, unless they are required to do so by Union or national law.

    This means that in addition to the use of carefully selected and trained employees, the protection of the app on the mobile device and also the protection of access must be guaranteed. Are the devices adequately protected against viruses? Will it be prohibited to download programs from other app stores that do not offer sufficient protection? Do employees keep their PINs and passwords secret? Are devices not rooted?

  77. Identification process with own data does not require order data processing?

    There are projects in which Swisscom relies on legally recognized and audited identification procedures with third parties. A typical example is a bank that carries out a presence identification of a person as part of its KYC process. In this case, Swisscom receives a copy of the bank’s data for its own business purposes (signature). Order data processing is not necessary here, as there are two parties responsible for the data. Conversely, the Joint Controllership Principle of the GDPR is not applied here either, as the responsiveness of data does not serve the same business purpose and both parties do not act responsibly in the sense of a common business purpose. The bank acts for its business purpose, e.g. opening an account, and Swisscom pursues its business purpose of issuing signatures. Nevertheless, in this case our contracts on the “delegation of registry activity” also contain a minimum of provisions on how to proceed regarding data protection and the GDPR.

  78. How does Swisscom keep the private keys to the signature certificates?

    In the case of a remote signature, Swisscom keeps and manages the keys to the signature certificates in trust. In the case of a personal signature, the signature certificates are only generated for the signature and lose their validity after approx. 10 minutes. Company certificates for seals are valid for up to 3 years. According to the law, the private key must be stored on a (qualified) signature creation device. The memory for this is a device which is mainly designed for key storage, the HSM (Hardware Security Module). It is subject to strict regulation, auditing, in terms of security standards and access to this device. Signatures in the EU and Switzerland are subject to particularly high security standards, which are only available from a few HSM manufacturers worldwide.

  79. What is the setup procedure for a personal signature?

    The prerequisite for setup is a “declaration of configuration and acceptance” signed by the customer and verified by the global registration authority. This declaration contains the obligations of the operator of a signature application (e.g. the possibility of displaying the complete document to be signed, securing access to the service), but also the characteristics of the service.

    Another prerequisite is an access certificate, which secures the communication of the signature application to the signature service.

    After checking the document, our Setup Service receives the order to activate the service with the access certificate sent and the selected specification in the configuration and acceptance declaration. In the case of qualified signatures, the service is initially only activated for “advanced” signatures. Subsequently, the contact named in the configuration and acceptance declaration is asked for an example signature with the advanced signature. If this is faultless, the service is switched to the “qualified” level if required so. The customer will also be notified of this. He now has 10 days to report any irregularities directly to the setup team. If they do not receive any complaints during this time, the connection to the service is accepted. Further incidents can then be reported to Swisscom via 1st Level Support in case of a direct contact to Swisscom or to the reselling partner.

  80. What requirements must the access certificate fulfill?

    The access certificate can be a self-signed certificate. For example with openssl software.

    Requirements for the Distinguished Name:

    • CN=<URL of the subscriber system that performs the communication with AIS or other unique identification of the subscriber system>
    • O=<Name of organization>
    • Email=<E-Mail for notification purposes e.g. in case of end of validity>
    • C=<Country of organization>

    The following additional requirements shall be considered when preparing the certificate:

    • Maximum term 3 years
    • Hash algorithm minimum SHA-256
    • Key length minimum 2048 bit

    Special conditions still apply for access certificates within the framework of regulated (ZertES) or qualified (eIDAS) seal creation: The private key of the access certificate must be created on a cryptographic module in a joint ceremony of a Swisscom registration authority representative. This module must meet the requirements of FIPS 140-2 level 2, e.g. Yubikey or Microsoft Key Vault.

  81. How does the setup of a seal take place?

    In the case of a seal, in addition to the configuration and acceptance declaration by the operator of the signature platform, it also requires a certificate application for the seal certificate, an organisation certificate. In contrast to the certificate for the personal signature, the seal certificate is issued for three years. The certificate application must be signed by authorized persons of the organization. The authorisation can result from the register (e.g. procuration) or can also be a special power of attorney, which has been issued for example for the operators in the computer centre. Swisscom needs the proof of this power of attorney. These persons are also personally identified in advance by a representative of Swisscom’s registration office using RA-App. This could also be, for example, an RA agent of a reseller who has carried out the personal identification. This enables the person to sign the application using an electronic signature. The application is sent to Swisscom unsigned and Swisscom invites the persons to sign electronically. The next steps now differ depending on the type of seal:

    Advanced signature: The applicant sends Swisscom an SSL certificate, which he wants to use as an access certificate for the interface to the seal.

    Qualified/regulated signature: The applicant agrees a date with Swisscom for the joint creation of a private key. This must be created on a cryptographic device based on the FIPS 140-2 level 2 qualification (e.g. Yubikey, Key Vault HSM Microsoft, etc.) An access certificate is then created based on this key. I.e. for the signature process the access must be released by means of this certificate.

  82. I get the message " We noticed that your authentication method for the signature has changed. In specific cases you need to be re-identified" .Do I have to do something?

    This message is triggered in two cases:

    a) In case you have just been identified with the Swisscom RA app and a change has taken place before with your authentication method (SIM card/contract change, Mobile ID reset, password for the signature has been changed, change from PWD/OTP to Mobile ID)

    In this case, everything is OK, and you can continue to sign as usual up to level qualified.

    b) In case new Terms & Conditions are available that must be accepted and a change has taken place with your authentication method since the last successful signature (SIM card/contract change, Mobile ID reset, password for the signature has been changed, switching from PWD/OTP to Mobile ID)

    In this case, you must be re-identified in order to be able to make qualified signatures.

  83. How should I embed a signed hash into the PDF document?

    The embedding of signed hashes should be the task of PDF specialists or corresponding libraries. The space for the signature must be precalculated.

    The following solution can provide a solution. We present this here without guarantee, as Swisscom focuses only on the service and not on the signature application:

    • Create a PDF with a blank and pre-filled signature field
    • The byte range should be filled with zeros up to the expected size
    • Calculate the hash of the document
    • Sign the hash with the All-in Signing Service
    • Fill the signed hash into the empty signature field
    • Iterate to the empty signature field
    • Determine the byte range of the empty signature field
    • Calculate the offset of the byte range
    • Open the document with the empty signature field in read-write mode and find the offset where the hash was inserted
  84. Where is the MobileID App available?

    MobileID App can first be downloaded from the App stores in Switzerland, Germany and Austria. Other EU countries will follow.

  85. Is it possible to integrate the MobileID App as white label solution?

    Unfortunately not. It is branded with the MobileID logo – a logo which is used for all Telco providers in Switzerland.

  86. How is the security of the MobileID App compared to the native MobileID?

    The app is as secure as the SIM based variant. A special security assessment has shown the robustness of the solution thus it can be used also for qualified electronic signatures.

  87. Can I choose between MobileID SIM based and the MobileID App?

    No, that is not possible. The Mobile ID system automatically handles Mobile ID authentication requests according to the following rules:

    • if the user has a Mobile ID-enabled SIM (whether enabled or not), it is controlled. If Mobile ID is not already enabled, this must be done. It is not possible to use the app in this constellation
    • if the user does not have a Mobile ID capable SIM (e.g. Yallo customer or foreign subscriber), then the app is activated. If the Mobile ID app is not already installed, it must be downloaded in advance. Activating Mobile ID is the fastest and easiest way to activate it directly in the app.

    In exceptional cases, customers can make their own configuration of their Mobile ID integration, e.g. to allow the app as a fallback for the SIM card. In this case, the app can be used if the SIM-based variant is not available due to a technical problem.

  88. I get an error message after the verify call about an unknown person?

    The verify call which checks if a person is well-known to the RA-Service returns the following error code:

    {

    “statusCode”: 404,

    “message”: “Cannot check jurisdiction of unknown user with msisdn XXXXXXXXX”,

    “exceptionClass”: “EvidenceVerificationException”

    }

    This means that the person is unknown to the RA-Service. It could be that this person is probably identified but did not accept the SMS with the Terms of Use. After a short while (ca. 2 weeks) the person’s data will be deleted.

     

  89. Change from PWD/OTP to Mobile ID App or Mobile ID and vice versa

    If you have been identified and have previously used PWD/OTP:

    • If you want to use the Mobile ID app, you must re-identify yourself
    • If you want to use Mobile ID (Swiss mobile number), you must re-identify yourself

    If you have been identified and have previously used the Mobile ID:

    • If you now want to use the Mobile ID app (this will only be possible on a SIM card that does not support Mobile ID) and use the recovery code of the Mobile ID, you can continue to sign
    • If you activate the app WITHOUT recovery code, you need to be re-identified
    • If you want to use PWD/OTP, you must be re-identified

    If you have been identified and have used the Mobile ID app so far:

    • If you now want to use the Mobile ID of the SIM card (this will only be possible on a Swiss SIM card) and use the recovery code of the Mobile ID app, you can continue to sign
    • If you activate the Mobile ID of the SIM card WITHOUT recovery code, you must be re-identified
    • If you want to use PWD/OTP, you must re-identify yourself

    This means that Mobile ID and Mobile ID App are coordinated authentication methods, PWD/OTP is a completely different authentication method. The remote signature always requires that the authentication means shall be included during registration (i.e. during identification). Therefore, in some cases, new identification will be necessary.

  90. Identification with Smart Registration Service / Video identification: how to become a RA agent?

    An RA agency is associated to a storage area (a so-called “tenant”) in which only those persons identified by the RA master agent or other RA agents of its agency are managed. The RA-Master Agent has access to this tenant and can appoint any identified person of this tenant as a RA agent.

    If a person was identified by another method of the Smart Registration Service (e.g. video identification), the RA-Master Agent cannot appoint that person as an RA agent due to the fact that he is associated to another tenant (the SRS tenant). The RA Master Agent must reidentify him by use of the RA-App.

    The only exception is the very first RA-Master Agent: He is identified anyway by a person of Swisscom, Swisscom Partner or e.g. a video identification and thus ends up in the “wrong” tenant by default. When the agency is set up, the named RA master agent is searched and moved to the correct new tenant of the RA agency. However, further postponements are not possible.

  91. What is necessary to know if I want to install the Mobile ID app?

    If you are already registered (with RA app or the Smart Registration Service), you have to observe the following:

    • If you have confirmed the terms of use with PWD/OTP during identification, you have defined this method as a declaration of will method. Now, if you enable the Mobile ID app as a method, you can no longer sign until you have been newly identified.
    • If you already use the Mobile ID on SIM card and want to use the Mobile ID app, you should use the recovery code when activating or to authenticate with the Mobile ID SIM at activation and not to activate as a “new Mobile ID”. Otherwise, this app will also be considered as a new method of declaration of will and you will need to be re-identified.
    • The same happens the other way round if you want to switch from an installed Mobile ID app to the Mobile ID SIM card.

    Typical error message in such a case is an error message with “serial mismatch”.

  92. I installed the Mobile ID app but it did not work?

    Despite the installation, the Mobile ID app doesn’t come up in the background and asks you for an authentication? Maybe it helps to restart the app explicitly again, often the  message will appear then, or you will restart your smartphone again.

  93. I did some mass tests but the performance of the service is poor?

    Please be aware that we installed a WAF in order to protect our service again denial-of-service attacks. If you want to fulfill some mass tests please contact us beforehand.

  94. What is the time span for the declaration of will?

    The signature must be signed with  a declaration of will (authorization) by Mobile ID (SIM/App) or PWD/OTP. After sending out the request, the user usually has 80 seconds to enter the authorization. The value is not adjustable.

  95. After identification the SMS did not arrive or was accidentially deleted. What should we do?

    The Smart Registration Services tries 5 times all 3 days to send out the SMS again. Only if all attempts fail after 15 days a reidentification is necessary.