A simple solution for using EDS - development

In my previous article “A simple solution for using EDS” I described the idea for implementing an application for using EDS. Since then, quite a lot has changed. The most important thing is that we decided to switch to the model without using intermediate proxy servers and more actively use QR codes. We also have a nicer demo site , which allows us to try how our application works for various applications: to sign a petition, to vote, to confirm our actions on the site.

For those who do not want to read the previous article, let me remind you what it is about ...

Our GPL Vote project is focused on creating a distributed and secure voting system and collecting signatures. We believe that the use of electronic digital signature is a prerequisite for its creation. However, many existing solutions are either too complex for the average man in the street, either paid or closed. And, more often, all this is observed together. Therefore, we decided to offer an easy-to-use, free and open solution.

I note once again - we do not offer any new ideas. We offer only an implementation that includes a mobile application and an API for sites that want to use its capabilities. There are no restrictions on using a mobile application - any site can implement the necessary API and offer its users the protection of their data through the mobile application. So any site can take the source of the mobile application and remake it to fit your needs. The main thing is to comply with the license.
')

About changes

We thought, thought and decided what to include in the chain of intermediary in the form of proxy servers, despite the fact that the work goes on with the site, this is not a good idea. But in this case it is necessary to somehow transfer the contents of the document being signed to the mobile application.

And then we remembered QR codes. Through it, you can also directly transfer all document data to the mobile application directly from the screen. However, the documents can be quite large. So no screen is enough to display a QR code. What can we say about the procedure for its recognition with a low-power smartphone. The solution was found quite obvious. Since to send a signature to the site, you still need to connect your smartphone to the network; in the same way, you can get a document through the network. Therefore, in the QR code we decided to place the URL data on the website, by which you can get the contents of the document for signing. Only they replaced the scheme with their own, so that such links could be automatically sent to our application.

Thus, the whole procedure of signing a document is reduced to scanning the QR code and signing it in the opened window of our application. The advantage of this option is also the fact that QR codes for signing petitions can be placed not only on websites, but also on leaflets or paper announcements. Of course, in this case, the signed document is available in open form, but often this is quite acceptable (for example, for the same petitions).

Just the second significant change concerns the fact that a document for signing can be presented in two forms: in a personalized form, when the document data is encrypted with the user's key, and in a public form, when the document is intended for multiple signing by different people. The public option, as I have already noted, can be used to collect petition signatures or to organize open polls.

Well, the last change - an attribute is included in the structure of the document for signing, containing the URL to which the mobile application should send the signature of the document. With the introduction of this feature, we completely untied the signing procedure from intermediate proxy servers. The consequence of this innovation was the fact that the delay between sending the document signature and its processing disappeared.

Plans

We have a lot of improvements in our plans. They mainly relate to backing up a secret key, restoring it from a backup copy, and creating an infrastructure for canceling a compromised key.

I also started working on a mobile application that implements a “network of trust” using this application as a module for signing.

Links to additional information

Mobile application in Google Play Store
New demo site
API description for sites
Mobile app source code (Android)
Demo site source code (Perl)