📘

Due to the sensitive nature of delegated registration, this mode requires a specific contractual framework. The related legal terms are beyond the scope of the current documentation. Please contact your customer representative to learn more.

What is it?

The Advanced Electronic Signature with Delegated Registration Authority (AES with DRA) allows API users to verify Signers' identities without relying on an external identity verification provider. This is typically useful when your business process already includes upstream identity verification, and you do not want Signers to provide their identity document agains at the time of signing.

In practice, when this mode is used, Yousign expects the API integrator to provide a durable reference to the attestation of identification for each impacted Signer. Once this attestation is provided, these Signer can go through the Advanced Signature flow without uploading identity documents.

Please note that this AES feature provides customers with an authentication process of at least the same quality as conventional AES with our provider. In other terms, this AES offers the same level of protection for your signatures as an AES with identity verification via a provider, and complies with eIDAS + ETSI standards. The resulting signature certificate will still be of Advanced level, issued in the name of the Signer.

To use AES level with delegated identification, you must contact your customer representative to contract this feature, as it requires specific guarantees provided to Yousign.

How to use the AES with DRA mode

❗️

This feature is available only through a contractual agreement.

Identification phase

The first phase involves verifying the Signer's identity and information on the customer's side. This step is non-technical and handled by a registration operator. The registration operator is a trusted role, defined in the agreement between Yousign and the customer, ensuring the quality of the registration process.

1. The signer must provide:
   1. An original, unexpired identity document;
   2. A valid phone number and email address.
2. Thanks to a registration operator, the customer with the AES with DRA mode has to verify:
   1. the information conformity given by the Signer;
   2. the Signer's ID document used belongs to the declared Signer;
   3. the ID document used is valid and it's an original document.
3. A proof of the ID document used for the verification has to be stored by the customer.
It could be: the MRZ (Machine Readable Zone) extracted or a copy of the ID document.

Identification attestation phase

1. First make sure to retrieve a Advanced Seal certificate ID via your customer representative, and review the related documentation The Advanced Seal certificate used must be specific to the sealing of an identification certificate, as we shall see below. For other sealing needs with an Advanced level, you'll need another Advanced Seal certificate.
2. Make sure the API end-user duly identifies the Signers as per the contractual framework (main steps are mentioned in the previous section).
3. Document the identification process with a durable attestation (e.g. PDF document). The MRZ extracted from the ID document used by the Signer can be stored here.
4. Submit the document for sealing using the dedicated endpoint.
5. The sealed document must be stored for 10 years. You can decide to store the sealed document in your own systems or in Yousign's.
6. Regardless of the storage method, retrieve the unique ID of the sealed attestation (either an internal ID or the ID of the sealed documents in Yousign's systems).

Signature request preparation

1. Create a Signature Request.
2. Add each identified Signer to the Signature Request using the dedicated endpoint, and specify the following fields in the Signer payload:
   1. signature_level should be set at advanced_electronic_signature (see API reference);
   2. identification_attestation_id should be set to the unique ID from Identification attestation phase step 6 (see API reference). This field is optional and its presence will activate the DRA mode. Setting it to null / blank will revert to classic AES mode. It can have any string format with a max length of 255 characters.
3. Activate the Signature Request.

Signing phase

1. When the identified Signer will perform the Signature flow, they will not need to provide their identity documents.
2. When retrieving the signed Documents, they will be signed with an AES-level certificate issued in the name of the Signer.
3. The Audit Trail of the Signer will indicate that AES with DRA was used for this Signature, and it will contain the identification attestation ID provided at the time of Signature creation.