Use of QES / AES
A qualified electronic signature (QES) is used by individuals and legal entities to identify the signatory and to confirm the integrity of the data in an electronic document; it has legal force and is presumed equivalent to a handwritten signature.
When signing documents, users of the Schrift system can use the Schrift electronic signature, as well as a qualified electronic signature (QES) and an advanced electronic signature (AES) based on a qualified certificate (hereinafter referred to as the QES).
When signing with a QES, the Schrift system applies a time stamp, which makes it possible to guarantee the legal validity of documents and allows you to confirm the authenticity of the electronic signature even after the certificate has expired or been revoked.
Read the article on our website about the specifics of using electronic signatures and legislative regulation.
Signing of the QES
The use of a QES to sign electronic documents with any type of signature guarantees protection against forgery. Using cryptographic methods, the QES is associated with the document and the person signing it, so it cannot be forged.
No special applications, plug-ins, or other tools are required to sign with a QES. Any web browser with the Schrift system open is enough. The exception is signing with a QES key from a hardware device (USB token), which requires the installation of a corresponding plug-in to read data from it.
The Schrift system allows several signatures to be applied to one document, and several files of any format to be signed within one document.
ASiC-E is a modern standard for storing digital signatures (in a file with the .asice extension) that keeps all signatures and the signed document files together. This format allows you to store one or more file objects with associated e-signatures and to add file objects, e-signature files and e-time stamps later.
The signature technology used by the Schrift system ensures that signing happens on the user's local device. Thus, neither the data nor the signature keys leave the local device of the user signing the document.
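As an added illustration of the ASiC-E layout described above (this is example code, not code from Schrift or from this article), the following Python script builds a minimal ASiC-E container in memory and then inspects it: it checks that the `mimetype` entry comes first and is stored uncompressed with the ETSI media type, lists the data objects and the signature entries, compares the OpenDocument-style `META-INF/manifest.xml` against the data objects actually present, and computes the SHA-256 digest of each signed file, which is the value a detached signature binds to. The sample payloads are constructed and the signature entry is a placeholder; no real XAdES or CAdES signature is produced.

```python
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Values defined by ETSI EN 319 162-1 for ASiC-E containers.
ASICE_MIMETYPE = b"application/vnd.etsi.asic-e+zip"
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# XAdES signatures live in META-INF/signatures*.xml, CAdES signatures in META-INF/signature*.p7s.
SIGNATURE_RE = re.compile(r"^META-INF/signatures?[^/]*\.(xml|p7s)$", re.IGNORECASE)

# Constructed sample payloads (not real documents).
CONTRACT_PDF = b"%PDF-1.7 constructed sample contract\n"
ANNEX_DOCX = b"PK constructed sample annex\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_container(deflate_mimetype: bool = False) -> bytes:
    """Build a minimal ASiC-E container in memory.

    The signature entry is a placeholder, not a real XAdES signature; it only
    exists so the layout can be inspected. deflate_mimetype=True produces a
    container that breaks the rule that "mimetype" must be stored uncompressed.
    """
    data_objects = {"contract.pdf": CONTRACT_PDF, "annex.docx": ANNEX_DOCX}
    entries = "".join(
        f'<manifest:file-entry manifest:full-path="{name}" '
        f'manifest:media-type="application/octet-stream"/>'
        for name in data_objects
    )
    manifest = (
        f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
        f'<manifest:file-entry manifest:full-path="/" manifest:media-type="{ASICE_MIMETYPE.decode()}"/>'
        f"{entries}</manifest:manifest>"
    ).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "mimetype" must be the first entry and must be stored, not deflated.
        zf.writestr("mimetype", ASICE_MIMETYPE,
                    compress_type=zipfile.ZIP_DEFLATED if deflate_mimetype else zipfile.ZIP_STORED)
        for name, payload in data_objects.items():
            zf.writestr(name, payload, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/manifest.xml", manifest, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/signatures001.xml", b"<!-- placeholder for a XAdES signature -->",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inspect_asice(blob: bytes) -> dict:
    """Return the layout of an ASiC-E container and whether it obeys the basic rules."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        first = infos[0] if infos else None
        mimetype_ok = bool(
            first is not None
            and first.filename == "mimetype"
            and first.compress_type == zipfile.ZIP_STORED
            and zf.read("mimetype") == ASICE_MIMETYPE
        )
        # Data objects: everything that is not the mimetype entry, a directory, or under META-INF/.
        data_objects = [n for n in names
                        if n != "mimetype" and not n.startswith("META-INF/") and not n.endswith("/")]
        signatures = [n for n in names if SIGNATURE_RE.match(n)]
        manifest_ok = False
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            listed = {e.get(f"{{{MANIFEST_NS}}}full-path")
                      for e in root.iter(f"{{{MANIFEST_NS}}}file-entry")} - {"/"}
            manifest_ok = listed == set(data_objects)
        # Digests of the signed files: what a signature over the container's content refers to.
        digests = {n: sha256_hex(zf.read(n)) for n in data_objects}
    return {"mimetype_ok": mimetype_ok, "manifest_ok": manifest_ok,
            "data_objects": data_objects, "signatures": signatures, "digests": digests}


if __name__ == "__main__":
    for key, value in inspect_asice(build_sample_container()).items():
        print(f"{key}: {value}")
```

The mimetype check matters in practice: validators identify the container type by reading the first bytes of the ZIP, so a container whose `mimetype` entry is compressed or not first may be rejected even though its signatures are valid.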
After signing one document, the read key data can be used to sign other documents in the same browser without entering the password for each new signing. Refreshing the browser page will clear the stored data and require you to enter the key password the next time you sign a document.
Read this article about the use of European signing algorithms for Ukrainian QES and the use of European QES in Schrift.
Signing with a file key
Read about creating a document in the corresponding article.
To sign a document, you need to read the data from the file key, specifying its location. Next, select the certification authority that issued it or leave the auto-detection option, and the system will automatically detect it. After entering the key password, click Read key. The system will read the key and display the signature certificate data.

If you have already used file keys on this device and selected the option to save information about them, the system will prompt you to select one of the saved keys.

If the user selects the “Save key on this device (browser)” checkbox, subsequent documents can be signed with the saved key without entering the key password even after refreshing the page and even after restarting the computer.

To terminate access to the stored key, it is enough to delete the information about it (the “Delete” icon in the key information plate).
The Schrift system does not store information about user keys on its servers. The key data is used only on the user's local device, both during the signing process and at any other time. Key information is also stored only on the user's local device.

Signing with a cloud key
To sign a document with a cloud key, on the signing page, select the Cloud key signing method and choose one of the available cloud key options. The QR code that appears on the screen should be scanned in the mobile application of the respective key issuer. Upon successful completion, the signature certificate data will be displayed and the Sign button will become available. After pressing it, the document will be signed.

The system currently offers three cloud key options - Privatbank, Vchasno and Diia.Signature.

You can generate a Diia.Signature for free in the Diia mobile application (Google Play and Apple Store). To do this, you must have at least one biometric document in Diia: an ID card or a passport. You will receive an electronic signature on your smartphone in two versions at once: according to the Ukrainian and international standards.
Diia.Signature is already used by more than 10 million Ukrainians!
There are some technological limitations imposed by key providers on the use of cloud keys when signing documents. For example, none of the cloud keys can use the XAdES signature format (xml file).
Also, cloud keys other than Diia.Signature cannot:
sign files using the asice container;
use signature formats other than CAdES (p7s file) if the document contains 2 or more files.
Signing with a QES key from a hardware medium (token)
A token is a special device in the form of a USB device or a card with a chip. The private key stored on such a device is protected from copying and modification.
To sign a document using a key placed on a token, you need to connect it to your device.
If the token has not been used on the device before, the web browser will prompt you to install the appropriate extension to interact with the token. You must install the proposed extension, which is certified in Ukraine.

The Schrift DMS will automatically detect the presence of a connected token and its type. After entering the password, the data of the key certificate owner will be displayed and signing will be available.

If the key remains connected to the device, it can be used to sign subsequent documents without entering a password each time you sign. Refreshing the browser page will clear the saved data and require you to enter the key password the next time you sign a document.
If after installing or updating the library you still receive information about the need to update the library, it is recommended to restart the browser or the entire PC, and then install the library again if necessary.
Identification codes when signing
Any key contains information about the identification code of the individual key holder, as well as the identification code of the organization if the key was issued to an employee of the organization.
The Schrift system automatically checks for, and prevents, the mistake of using the key of one employee (key holder) to sign a document that requires the signature of another employee or an external contact, so that a user who manages several keys does not confuse them. To do this, the system compares the identification code from the key certificate data at the time the key is read with the company directory data. If they do not match, the system gives a corresponding warning.
If the directory does not contain the employee's or external contact's ITN/TIN identifier, this value is filled in the directory from the key information during the first signature.
If an error is made in the identification code information, it can be corrected by an employee with the Administrator role by making the appropriate changes to the directory.
The correspondence of the organisation's identification code from the key and from the data of directories (organisational structure or counterparties) is also checked if a key issued for an employee of a particular organisation is used.
If a position has a “mirror” in the legal structure, then the identification code is checked for compliance using the organization code from the legal structure, not the functional structure.
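The identifier check described above, written out as an added Python example (not Schrift's own code, which this article does not show). The `KeyCertificate` and `Position` classes, their field names and all identifier values are assumptions made for the illustration; the rules are the ones stated in the text: an empty directory TIN is recorded at the first signature, a non-empty one must match the key holder, an individual's key without an organisation code is not restricted, and when the key carries an organisation code it is compared with the legal-structure code if the position has a "mirror", otherwise with the functional-structure code.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KeyCertificate:
    """Identification data read from a signing key's certificate (assumed field names)."""
    holder_tin: str                 # ITN/TIN of the individual key holder
    org_code: Optional[str] = None  # organisation code, present only when issued to an employee


@dataclass
class Position:
    """A position or external contact record from the company directory (assumed shape)."""
    name: str
    holder_tin: Optional[str]             # may be empty until the first signature
    functional_org_code: str              # organisation code in the functional structure
    legal_org_code: Optional[str] = None  # set when the position has a "mirror" in the legal structure


def check_signing_key(cert: KeyCertificate, position: Position) -> List[str]:
    """Compare the key's identifiers with the directory entry the signature is expected from.

    Returns a list of warnings; an empty list means the key may be used for this position.
    Fills in the position's TIN when the directory does not have one yet (first signature).
    """
    warnings: List[str] = []

    if not position.holder_tin:
        position.holder_tin = cert.holder_tin  # first signature: record the identifier
    elif position.holder_tin != cert.holder_tin:
        warnings.append(
            f"key holder TIN {cert.holder_tin} does not match TIN {position.holder_tin} "
            f"recorded for '{position.name}'"
        )

    # An individual's key (no organisation code) is not restricted; only an
    # organisation-issued key is compared with the directory's organisation code.
    if cert.org_code is not None:
        # A mirrored position is checked against the legal structure, not the functional one.
        expected = position.legal_org_code or position.functional_org_code
        structure = "legal" if position.legal_org_code else "functional"
        if cert.org_code != expected:
            warnings.append(
                f"key organisation code {cert.org_code} does not match {structure}-structure "
                f"code {expected} for '{position.name}'"
            )
    return warnings


if __name__ == "__main__":
    # Constructed sample identifiers, not real persons or organisations.
    director = Position("Director", "1234567890", "11111111")
    print(check_signing_key(KeyCertificate("1234567890", "11111111"), director))   # []
    print(check_signing_key(KeyCertificate("0987654321", "11111111"), director))   # TIN mismatch
    accountant = Position("Accountant", None, "11111111", legal_org_code="22222222")
    print(check_signing_key(KeyCertificate("5555555555", "11111111"), accountant)) # org code mismatch
```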
The Schrift system does not intentionally limit the use of individual keys to sign documents on behalf of organisations. In other words, it does not require or control that the key be issued to the organisation on whose behalf the signature is made. We assume that the prohibitions imposed by many authorities on the use of an individual's key to sign a document on behalf of an organisation are illegal and are caused by the technical backwardness of the information systems of these authorities.
Importing ready-made QES into the system
Ready-made signatures (QES) in any format (p7s, xml, asice) that were created (delivered) on any other resource (platforms, websites or DMS) can be imported into the document, if these resources do not block the download of the signature as a file.
Any ready-made (delivered) QES is a self-sufficient entity in the form of a file. This means that its uniqueness is associated only with its author and the file(s) that this signature has certified. Thus, there is no reason to associate a QES with any DMS, website, etc. in which the signature was generated.
It follows that the parties can simply exchange files containing the signature of a particular document by sending them in any convenient way. As a result, the parties will have the original of the document they signed.
Importing a ready-made signature is convenient if, for example, the counterparty initiated the document and signed it in another system. You can sign it for them in the same system. After that, download the signature files (the counterparty's and yours) and import them into the corresponding document of your company in Schrift.
If you initiated the document, the counterparty can sign it in Schrift and, if necessary, import the signature files into their system.
This is the only way to solve the problem of the lack of working schemes for integrating different DMSs with each other at this stage of development of the DMS market in Ukraine.
A counterparty may refuse to sign a document in Schrift because their system does not allow importing signatures or because they ignore your interests (usually when they consider themselves “cooler” than you). If there is no other way out of this situation, you can sign the files in their system and then import the signatures into the document in Schrift.
After successful import into a document, such a signature will be displayed in the document and will be validated both within the system and on external resources as if it had been added within the system.
You can import a signature at any stage of working with a document that provides for the possibility of changing it.
The signature file can be imported by the signatory instead of “live” signing the document in the system. This situation may arise when the signature key cannot be used directly in the Schrift system, for example when a signatory uses a cloud signature from a provider that is not supported by the Schrift system. In this case, after signing the document on one of the resources where this support is provided, you can import the signature file into Schrift.
Files with a signature can be imported in the modal form for creating a document or later in the Document Details tab. To do this, simply drag and drop the corresponding files into the document.
You can import one or several signatures into a document. The system will ask you which position within the company or external contact the imported signature corresponds to. If the system determines that the employee's or contact's identifier matches the one specified in their data, the appropriate option will be offered. If necessary, the proposed option can be changed.

The system will report an error if, when importing a ready-made QES, the document contains signed files that do not match this signature.
There are restrictions on importing ready-made PAdES signatures (when the QES is inside a pdf file) into another pdf file, even if it has the same content. This is due to the technological peculiarities of the signature generation standard of this format.
For signatures with separate storage of the original file and the signature file, the CAdES (p7s files) and XAdES (xml files) formats, the signature file can only be imported separately if the signed file is already in the document.
How to verify an electronic signature
Signatures are stored in the signed document and can be checked at any time.
Next to the date and time of signing, the signatory's name and initials and the QES icon are displayed. When you hover over this field, a tooltip with detailed information about the signature appears.

The second way to verify the validity of the QES is to send an online request to the relevant QESP (qualified electronic trust service provider), which returns a confirmation response about the validity of the signature and the time of signing. The most up-to-date verification fact is then displayed in the QES information.

The third way to verify the validity of the QES is to check it on an external resource, for example, on the website of the central certifying authority of the Ministry of Digital Transformation of Ukraine (Mintsyfra). To do this, it is enough to download the signature file and upload it on the specified page of the website.

The Schrift system allows any user of the system to download ready-made (delivered) QES as files, at any stage of working with the document.

After successful verification, the service will provide the results.

Based on the results of the verification, a protocol (report) on the creation and verification of the QES is drawn up, which indicates the signatories (name, tax number and date of signing), the type of signature (advanced or qualified) and other information.
