If you wonder what differentiates all the various electronic signatures and signature providers in principle then one of the key question is how do they approach the non-repudiation problem of electronic signatures.
In simple terms non-repudiation means that it would be very difficult (if not impossible) to dispute the signature (statement) of the author, identity of the author nor the validity of the associated contract. It boils down to the technology what the electronic signature service provider uses to ensure the security of its systems.
The security and authenticity of .ID signed documents stand on 3 pillars:
Keeping the integrity of the original digital files that are signed, binding it with the identity, and finally ensuring that a combination of signers identities and signed files are bound securely.
All those components are stored inside the digital signature container file, called ASiC container. ASiC container file is actually a .zip file, that compresses together original signed files and digital signature files (signature.xml-s) associated with the original files. One digital signature container may have multiple files and multiple signatures.
Let’s dig into the signature files and see how they work.
.ID is a unique digital service, that allows users to sign any type of digital file. The beautiful feature of a digital file is that it’s relatively easy to create a unique fingerprint out of it which allows to check the file integrity.
In .ID we create this unique hash in the moment when the document and files it contains are signed.
There are many well-known methods of creating the hash (or “digest”). They are called hash-formats. We are using a format called SHA256, which was developed by the United States National Security Agency (NSA) and first published in 2001. You can read more about SHA256 here.
Essentially what we want to achieve is that if you are presented with the digital file, you can check the hash/digest and see if that hash is the same value as stored in the digital signature.
Example of SHA256 hash of the digital file
You can try “hashing” the documents yourself. Just Google “Generate SHA256 hash from file” or click here (https://emn178.github.io/online-tools/sha256_checksum.html).
If you get a file that is claimed to be digitally signed on one hand and the signature XML on another hand, you can use an online tool to create a SHA256 hash of the file and see if it is the same as in the Digital signature file.
If it is, then yes, the file is really the one that is associated with the signature.
Below is an example of a signature.xml file and you can see the file hash on row 11.