Polish new signature system - Trusted Profile goes live

in

Trusted Profile (Profil Zaufany - PZ) is a simple digital signature and authentication method to be used for contacts with public administration in Poland.

The profile is fully dependent on governmental forms portal (ePUAP). To sign a document the citizens needs to be logged in to the website with their login and password. After filling in a form they push a "sign with trusted profile" button and the system signs the form. The signature requires additional confirmation — an one-time password (OTP) sent by email or mobile text message (SMS).

From server's perspective the signature is additionally confirmed with standard digital signature placed with system's private key stored in a hardware security module (HSM). If we'd like to describe this in PKI terms, PZ is a classical digital signature placed on a document by the server on request of the user authenticated to the system, and with his or her additional authorisation using OTP.

This model has a significant advantage over classical digital signature — it works from virtually any browser. The PZ doesn't require any kind of external plugins like ActiveX or Java, or smartcard drivers, that tend to cause so much trouble when using qualified electronic signature (QES) in heterogenous environments.

The PZ needs to be initialised in ePUAP on user's request. It contains name, surname, PESEL (Polish id number) and user supplied email address for authorisation (in future mobile number will be also possible). After placing the request in ePUAP the PZ is in "on hold" status and its authenticity needs to be confirmed.

This can be done by either self-signing the PZ with user's qualified certificate — if he or she has it, or for majority of people, physical visit in one of over 500 verification offices placed at popular institutions across Poland.

In addition to digital signature the ePUAP website offers a single sign-on (SSO) service, which is based on Security Assertions Markup Language (SAML). While PZ is intended for administration-only usage, the SSO service can be used by any public or private system. It works much like popular Facebook or OpenID sign-on feature on many websites — after clicking a "sign-in with ePUAP" button on a website the user gets redirected to ePUAP login form. After successful authentication ePUAP would return user's login status to the original website.