Document toolboxDocument toolbox

Distributed components

Owned by Erik Larsen
11 Apr 2019

The Client proxy (L) is introduced in BankID 2.1 in order to provide enhanced signing services. These services include validation of documents to be signed, check for active content, generating the hash of the raw documents to be signed on behalf of the Web-client and conversion of PDF documents to PNG for display in the client. In addition, multiple documents can be sent from the merchant in one batch over (11b) via the Client proxy to the Client for signing, referred to as multi-document signing.

The Client proxy is offered as a centrally hosted component, alternatively merchants may opt to host the component themselves. Note that merchants hosting their own Client proxy may choose between using the centrally hosted component or their own component for each transaction by using the initSession() parameter clientProxyURL. Details about hosting and integrating with the Client proxy component are beyond the scope of this document; please refer to BankID Client proxy Installation Guide and BankID Client proxy Integration Guide.

The BankID Server (H) is modified in several ways to support the BankID Web-client. This includes both the COI-interface (10) and the merchant-protocol (11a, 11b, 11c). The changes between BankID 2.0 and BankID 2.1 for this component are mostly related to the introduction of the Client proxy component (L) and also the introduction of multi-signing.

BankID 2.0 compatibility mode is introduced in BankID 2.1 Server, allowing merchants to gradually on-board their services from BankID 2.0 to BankID 2.1. Thus, merchants may upgrade to the BankID 2.1 Server while continuing support of their existing BankID 2.0 merchant application implementations. A new (optional) parameter is introduced in initSession() in order to determine which client version (2.0 or 2.1) to build. The parameter is configurable per transaction.

The BankIDServer is updated with possibility to select a new PKCS#7 format in release Kiev. The PKCS#7 is slightly modified to be compatible with PDF Advanced Electronic Signatures. In addition the Certificate Status Check support a new OCSPResponse format which is compatible with RFC6960. The new formats are supported together with the sign operation and are selected when transactions are initiated. The sign operation response back from the client to the Merchant will now return the new PKCS#7 and OCSPResponse formats depending on what is selected in the initialization. In addition the verification of the transactions will support and return the new formats when they are selected in the input. Both of these new formats are necessary upgrades to be able to comply with the PAdES specification.

In release København the BankID server includes support for PAdES generation. BankID server and clientProxy together supports four different flows: either the merchant builds the visual seal or the Client proxy does. The same for the validation incremental update holding the OCSP responses and certificates, either the merchant pack these data or the Client proxy do. This totals 4 flows.