Mobile ID

At the moment no technical difficulties are known.

Signature Service

At the moment no technical difficulties are known.

Smart Registration Service

At the moment no technical difficulties are known.

Swisscom shops still open for identification

14. January 2021, Switzerland

Despite the closure of the shops in Switzerland, the Swisscom shops remain open and with them the possibility to register for the electronic signature. Unfortunately, due to the Corona measures, registrations are no longer possible. https://srsident.trustservices.swisscom.com/srs-direct/ . Swisscom has also asked Bakom to make other identification measures possible again.

Maintenance window of DocuSign Connector

14. January 2021

Due to maintenance work, use of the DocuSign Connector will be limited on 14.01.21 from 07:30 to 08:00.

Service State Smart Registration Service updated

15. December 2020

The state of the Smart Registration Service changed from yellow to green.

Technical News on our Services

  • Mobile ID
  • Signature Service
  • Smart Registration Service

Technical updates - Mobile ID

Mobile ID App Update available

15. - 18. December 2020, Europe

A new version of the Mobile ID app is now available for download in the Android PlayStore (version 1.1.1).

Technical updates - Signature Service

New release to fix the problem with PAdES validators

25. February 2021, worldwide

Some PAdES checkers did not accept the attribute RevocationInfoArchival (Adobe OID 1.2.840.113583.1.1.8). In addition to a discussion at https://github.com/lovele0107/signatures-conformance-checker/issues/5, we have now defined a new signature standard "PAdES-baseline" that returns OCSP and CRL information as separate elements in the signature response. In the signature application, the signature client must then compose the information for an LTV signature in order to comply with the PAdES Baseline B-LT(A) standard. Error messages in the known PAdES checkers (e.g. https://signatures-conformance-checker.etsi.org) should thus disappear. The new signature standard will be implemented on Wednesday Feb. 24th, 2021. The new Reference Guide documentation is already available: http://documents.swisscom.com/product/1000255-Digital_Signing_Service/Documents/Reference_Guide/Reference_Guide-All-in-Signing-Service-en.pdf . The changes concern the following chapters:

  • 5.1.5.2 Signature Standard
  • 5.1.5.5 Add Revocation Information
  • 5.8.5 (new chapter)
  • 6 (new chapter)

Disturbances under heavy load

05. - 26. February 2021, worldwide

In recent days we have observed very isolated disturbances under heavy load from users using the template functionality for signing requests. Next week we will work on our load balancing system, which will overcome these disturbances.

Migration CA4

19. February 2021, worldwide

Before we migrate the productive accounts in March 2021 (we will inform you personally about this), we have already migrated the test accounts as follows:

RA App or Smart Registration Service Identification and 2-Factor Authentication

Intended use: Standard procedure when using the RA app or Smart Registration Service for qualified or advanced signatures in combination with Mobile ID, Mobile ID Authenticator App or PWD/OTP expression of will. The All-in Signing Service automatically detects whether a mobile phone number (including foreign Mobile IDs) is capable of using Mobile ID or the Mobile ID Authenticator App and then selects the corresponding procedure.

Access to the test account jurisdiction CH (ZertES) with the following claimed ID:

ais-90days trial-withRAservice:OnDemand-Advanced4

Access to the test account jurisdiction EU (eIDAS) with the following claimed ID:

ais-90days-trial-withRAservice:OnDemand-Advanced-EU

Own Registration Method with Mobile ID/Mobile ID Authenticator App/Fallback PWD/OTP

Intended use: No RA app or Smart Registration Service is used for identification, or you do not want to test with identification via the RA app or Smart Registration Service during the test phase, but first want to test the signature capability only. Signature release is based on 2 factors (Mobile ID or Mobile ID Authenticator App with fallback to PWD/OTP) as required for qualified signatures. The All-in Signing Service automatically detects whether a mobile phone number (including foreign Mobile IDs) is capable of using Mobile ID or the Mobile ID Authenticator App and then selects the corresponding procedure.

Access to the test account jurisdiction CH (ZertES) with the following claimed ID:

ais-90days-trial:OnDemand-Advanced4

Access to the test account jurisdiction EU (eIDAS) with the following claimed ID:

ais-90days-trial:OnDemand-Advanced-EU

Own Registration Method with Session Token/OTP only

Intended use: The easiest and fastest way to test the connection to the All-in Signing Service. No RA app or Smart Registration Service is used for identification, or you do not want to test with identification via the RA app or Smart Registration Service during the test phase, but first want to test the signature connection only. A 1-factor procedure (SMS with one-time password) is used for signature release, which would only be suitable for advanced signatures. Alternatively, you plan to use another second factor.

Access to the test account jurisdiction CH (ZertES) with the following claimed ID:

ais-90days-trial-OTP:OnDemand-Advanced4

Access to the test account jurisdiction EU (eIDAS) with the following claimed ID:

ais-90days-trial-OTP:OnDemand-Advanced-EU

Seals for Switzerland

Intended use: Possibility to test access to seals for Swiss jurisdiction.

Access to the test account with the following claimed ID:

ais-90days-trial: static-saphir4-ch

Seals for EU

Intended use: Possibility to test access to seals for EU jurisdiction.

Access to the test account with the following claimed ID:

ais-90days-trial: static-saphir4-eu

Timestamps for Switzerland/EU

Intended use: Possibility to test access to timestamps for Swiss and EU jurisdiction.

Access to the test account with the following claimed ID:

ais-90days-trial

Technical updates - Smart Registration Service

Registration Service: Mobile ID App is now available in all EU stores

06. November 2020, EU

The Mobile ID App is now available in all European Play Stores and iOS App Stores!

Maintenance on Oct. 14th between 4:00 and 5:00 AM

09. October 2020

Due to maintenance work on the messaging services on Oct. 14th between 4:00 and 5:00 AM, the service will be temporarily unavailable.

SRS, RA-Service, Docusign: Adaptation of the TLS connections

29. October 2020, worldwide

Swisscom will change its TLS configuration and will no longer support insecure TLS protocol versions and cryptographic algorithms. The change will take place on Oct. 29th, 2020 at 10pm. The following will change:

  1. TLS version 1.0 will no longer be supported
  2. TLS version 1.1 will no longer be supported
  3. The following TLS version 1.2 cipher suites will no longer be supported:
       • AES256-GCM-SHA384
       • AES256-SHA256
       • AES256-SHA
       • AES128-GCM-SHA256
       • AES128-SHA256
       • AES128-SHA

Please check your TLS connections to us! This is the new configuration with the remaining supported cipher suites after the change:

SUITE                        BITS  PROT    CIPHER   MAC     KEYX
ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  AES-GCM  SHA384  ECDHE_RSA
ECDHE-RSA-AES256-SHA384      256   TLS1.2  AES      SHA384  ECDHE_RSA
ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  AES      SHA     ECDHE_RSA
ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  AES-GCM  SHA256  ECDHE_RSA
ECDHE-RSA-AES128-SHA256      128   TLS1.2  AES      SHA256  ECDHE_RSA
ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  AES      SHA     ECDHE_RSA
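One way to run the requested check offline against a client configuration, as an added example that is not Swisscom's code: it encodes the remaining suites from the table above and reports which of a client's offered suites survive the change. The function names, the sample client configurations and the mapping from OpenSSL suite names to the names used in the table are assumptions.

```python
import ssl

# SUITE column of the "remaining supported" table on this page (all TLS1.2).
REMAINING = {
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-CBC-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-CBC-SHA",
}
# Assumption: OpenSSL spells the two CBC-SHA suites without "-CBC".
OPENSSL_ALIASES = {
    "ECDHE-RSA-AES256-SHA": "ECDHE-RSA-AES256-CBC-SHA",
    "ECDHE-RSA-AES128-SHA": "ECDHE-RSA-AES128-CBC-SHA",
}
VERSIONS = ["TLS1", "TLS1.1", "TLS1.2", "TLS1.3"]  # ascending order

def audit_client(min_version, max_version, suites):
    """Report whether a client configuration can still connect after the change."""
    lo, hi = VERSIONS.index(min_version), VERSIONS.index(max_version)
    tls12_allowed = lo <= VERSIONS.index("TLS1.2") <= hi
    usable, dropped = [], []
    for name in suites:
        page_name = OPENSSL_ALIASES.get(name, name)
        (usable if page_name in REMAINING else dropped).append(name)
    if not tls12_allowed:
        reason = "client cannot negotiate TLS 1.2"
    elif not usable:
        reason = "no offered suite remains supported"
    else:
        reason = "ok"
    return {"ok": reason == "ok", "usable": usable, "dropped": dropped, "reason": reason}

def audit_context(ctx):
    """Apply audit_client to a Python ssl.SSLContext (OpenSSL suite names)."""
    v = ssl.TLSVersion
    names = {v.TLSv1: "TLS1", v.TLSv1_1: "TLS1.1", v.TLSv1_2: "TLS1.2", v.TLSv1_3: "TLS1.3"}
    lo = names.get(ctx.minimum_version, "TLS1")    # MINIMUM_SUPPORTED -> lowest
    hi = names.get(ctx.maximum_version, "TLS1.3")  # MAXIMUM_SUPPORTED -> highest
    # TLS 1.3 suites are skipped: the tables on this page list none.
    suites = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return audit_client(lo, hi, suites)

# Constructed samples: a legacy client pinned to static-RSA suites, and a
# client offering ECDHE suites under their OpenSSL names.
LEGACY = audit_client("TLS1", "TLS1.2", ["AES256-SHA", "AES128-GCM-SHA256"])
MODERN = audit_client("TLS1.2", "TLS1.3", ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA"])

if __name__ == "__main__":
    print(LEGACY, MODERN, audit_context(ssl.create_default_context()), sep="\n")
```
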

For the sake of completeness, this is the current list of cipher suites that are enabled with the corresponding protocol:

SUITE                        BITS  PROT    CIPHER   MAC     KEYX
ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  AES-GCM  SHA384  ECDHE_RSA
ECDHE-RSA-AES256-SHA384      256   TLS1.2  AES      SHA384  ECDHE_RSA
ECDHE-RSA-AES256-CBC-SHA     256   TLS1    AES      SHA     ECDHE_RSA
ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  AES      SHA     ECDHE_RSA
ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  AES      SHA     ECDHE_RSA
AES256-GCM-SHA384            256   TLS1.2  AES-GCM  SHA384  RSA
AES256-SHA256                256   TLS1.2  AES      SHA256  RSA
AES256-SHA                   256   TLS1    AES      SHA     RSA
AES256-SHA                   256   TLS1.1  AES      SHA     RSA
AES256-SHA                   256   TLS1.2  AES      SHA     RSA
AES256-SHA                   256   DTLS1   AES      SHA     RSA
ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  AES-GCM  SHA256  ECDHE_RSA
ECDHE-RSA-AES128-SHA256      128   TLS1.2  AES      SHA256  ECDHE_RSA
ECDHE-RSA-AES128-CBC-SHA     128   TLS1    AES      SHA     ECDHE_RSA
ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  AES      SHA     ECDHE_RSA
ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  AES      SHA     ECDHE_RSA
AES128-GCM-SHA256            128   TLS1.2  AES-GCM  SHA256  RSA
AES128-SHA256                128   TLS1.2  AES      SHA256  RSA
AES128-SHA                   128   TLS1    AES      SHA     RSA
AES128-SHA                   128   TLS1.1  AES      SHA     RSA
AES128-SHA                   128   TLS1.2  AES      SHA     RSA
AES128-SHA                   128   DTLS1   AES

These suites will be removed:

 

SUITE                        BITS  PROT    CIPHER   MAC     KEYX
ECDHE-RSA-AES256-CBC-SHA     256   TLS1    AES      SHA     ECDHE_RSA
ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  AES      SHA     ECDHE_RSA
AES256-GCM-SHA384            256   TLS1.2  AES-GCM  SHA384  RSA
AES256-SHA256                256   TLS1.2  AES      SHA256  RSA
AES256-SHA                   256   TLS1    AES      SHA     RSA
AES256-SHA                   256   TLS1.1  AES      SHA     RSA
AES256-SHA                   256   TLS1.2  AES      SHA     RSA
AES256-SHA                   256   DTLS1   AES      SHA     RSA
ECDHE-RSA-AES128-CBC-SHA     128   TLS1    AES      SHA     ECDHE_RSA
ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  AES      SHA     ECDHE_RSA
AES128-GCM-SHA256            128   TLS1.2  AES-GCM  SHA256  RSA
AES128-SHA256                128   TLS1.2  AES      SHA256  RSA
AES128-SHA                   128   TLS1    AES      SHA     RSA
AES128-SHA                   128   TLS1.1  AES      SHA     RSA
AES128-SHA                   128   TLS1.2  AES      SHA     RSA
AES128-SHA                   128   DTLS1   AES

Certificate updates

Swisscom Timestamp now Qualified for eIDAS

23. December 2020, worldwide

The regulatory supervisory body RTR in Austria informed us today that the Telekom Control Commission has decided that Swisscom can also offer the time stamp as qualified for eIDAS.

NEW: The qualified timestamp is now published in the eIDAS trust list officially.

New CA4 in October

15. February 2021, Switzerland

The new CA4

The new rules and regulations require certification service providers and trust service providers to use better algorithms to ensure the trustworthiness of signatures in the future. Swisscom will first replace the root certificate authority (CA) instance for Switzerland (CH jurisdiction) and later also for the EU (eIDAS jurisdiction), thereby adapting the entire certificate chain and providing for the new algorithms. This concerns, on the one hand, the so-called "padding algorithm", which will switch from the current RSASSA-PKCS1-v1_5 to RSASSA-PSS, and on the other hand the key length, which will be increased from 2048 to 3072.

What are the implications?

  • The size of the signature in the signed document changes, i.e. the signature takes up more space. Since signature applications make estimates to the best of their knowledge of how much space a signature requires, it may be that this estimate is no longer correct and therefore a signature is no longer possible.
  • If you use standard applications that display trusted signatures, such as Adobe Reader, the latter will continue to trust the signatures. However, if you have special applications that first require the root certificate of the certificate chain for trustworthiness, you must reinstall it.

When will the changes take effect?

We are planning a changeover in quarter I/II 2021. In addition to the existing account ("ClaimedID") we will issue a new ClaimedID based on the new certificate chain to customers. After 2-3 months we will switch off the old ClaimedIDs. In this respect, it is possible to test and switch individually during this period of time.

What do you need to do?

If you are the developer of the signature application you are using, you should observe the notes on the development information page https://github.com/SCS-CBU-CED-IAM/AIS/wiki/Swisscom-CA-4 . Otherwise, you should inform the partner which provided you with the signature application. At the same time, however, we will also inform all our partners.

We will inform you with further details in February 2021.