Distinguished Name: Use of Evidence Attributes
NOTE: This feature has not been released yet. It will be available soon.
All-In Signing Service customers using the Smart Registration Service (a.k.a. "Registration Authority Service") can benefit from a new feature that allows variable substitution in the Distinguished Name, using attributes of registered evidences.
Prerequisites:
- the Customer must be registered with the flag "identity verification"
- the SignRequest must include a "stepUpAuthorisation" element with the corresponding MSISDN and other authorisation data (please refer to the Reference Guide for detailed information about the SignRequest elements)
The current approach used by many customers is to perform a verifyCall() in order to get the evidenceId and further attributes needed for building the Distinguished Name. With the new feature, evidence properties registered in the Smart Registration Service can be referenced like this:

```json
"sc.CertificateRequest": {
  "sc.DistinguishedName": "cn=${given_name} ${family_name},c=${country},serialNumber=${evidence_id}"
}
```
The following evidence properties are defined:
- family_name (surname or family name)
- given_name
- country (ISO 3166-1 alpha-2 code)
- evidence_id
References to undefined properties will result in an error.
An additional mechanism of this new feature allows the use of pre-defined templates for the most common distinguished names. For example, it is possible to specify the following distinguished name:

```json
"sc.CertificateRequest": {
  "sc.DistinguishedName": "template:pseudonym"
}
```
Currently there are two available templates:
- Template "name", which translates to: `cn=${given_name} ${family_name},pseudonym=${evidence_id},c=${country},serialNumber=${evidence_id}`
- Template "pseudonym", which translates to: `cn=${given_name} ${family_name},givenname=${given_name},surname=${family_name},c=${country},serialNumber=${evidence_id}`
References to unknown templates result in an error.
Please take into consideration:
- Your configured DN pattern must exactly match the template in order for the feature to work. Otherwise, an "Invalid Distinguished Name" error is returned by AIS in the SignResponse.
- The use of the ${country} variable is limited to evidences not bound to an organisation.
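
The following client-side pre-flight check is an added example, not code from AIS or from this repository. It rejects undefined properties and unknown templates before a SignRequest is sent, and renders a local preview of the substituted DN. The function names, the sample evidence and the RFC 4514 escaping of substituted values are assumptions of this example; how the service itself escapes values is not described on this page.

```python
import re

# Evidence properties and templates exactly as listed on this page.
EVIDENCE_PROPERTIES = {"family_name", "given_name", "country", "evidence_id"}
TEMPLATES = {
    "name": "cn=${given_name} ${family_name},pseudonym=${evidence_id},"
            "c=${country},serialNumber=${evidence_id}",
    "pseudonym": "cn=${given_name} ${family_name},givenname=${given_name},"
                 "surname=${family_name},c=${country},serialNumber=${evidence_id}",
}
_VAR = re.compile(r"\$\{([^}]*)\}")
SAMPLE = {"given_name": "Ana", "family_name": "Muster, Jr.",  # constructed, not real data
          "country": "CH", "evidence_id": "EV-0001"}


def resolve_pattern(dn):
    """Expand a 'template:<name>' reference; other patterns pass through."""
    if not dn.startswith("template:"):
        return dn
    name = dn[len("template:"):]
    if name not in TEMPLATES:
        raise ValueError(f"unknown template: {name!r}")
    return TEMPLATES[name]


def check_pattern(dn):
    """Raise ValueError for undefined properties; return the names referenced."""
    used = _VAR.findall(resolve_pattern(dn))
    undefined = sorted(set(used) - EVIDENCE_PROPERTIES)
    if undefined:
        raise ValueError(f"undefined evidence properties: {undefined}")
    return used


def escape_rdn_value(value):
    """Escape a value per RFC 4514 so a comma or '+' in it cannot split the RDN."""
    out = re.sub(r'([",+;<>\\])', r"\\\1", value)
    if value.startswith(("#", " ")):
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out


def preview(dn, evidence):
    """Local preview of the substituted DN; the service performs the real one."""
    check_pattern(dn)
    return _VAR.sub(lambda m: escape_rdn_value(evidence[m.group(1)]),
                    resolve_pattern(dn))
```

Comparing the resolved pattern against the DN pattern configured for your account catches the "Invalid Distinguished Name" case locally.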