Overview

The environment presented in chapter 1 is the basis for the server signing architecture.

In addition, [EN419241-2] specifies the requirements for the possible users, components and operations of server signing that uses a so-called Signature Activation Module (SAM).

The resulting architecture with the environment, requirements and components provided by procilon is shown below:

Figure 2: Server Signing Architecture

In this architecture, the signer resides in the local environment and uses a user interface provided by a module called Server Signing Service (SSSrv). In the context of server signatures, the SSSrv acts as a signature creation application. The user interface displays the document to be signed and other relevant data for the signer. This includes, among other things, the document hash, the signature key selected for signature creation, and the associated signer certificate.

The SAK operations component (SAK/OS) and the Remote Signature API (RSAPI), which in the context of server signatures correspond to the Signer Interaction Component (SIC) according to [EN419241-1], can be used to generate the signature activation data (SAD) and to communicate with the SSA (e.g., to send requests from the signer). The SSA interacts directly with the SAM and forwards communications from the SAK/OS to it. The SSA requires successful identification and authentication of the signer before allowing any action that may affect the SAM or the signature key.

Within the dedicated protected environment, the SAM receives the requests forwarded by the SSA and processes their verification. When the SAM successfully verifies the SAD provided by a signer, it can authorize the activation of the signature key associated with the signature operation within the cryptographic module and have the cryptographic module generate a digital signature value. The value is returned to the SSA and, after verification, delivered to the SAK/OS.
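The SAD check that gates key activation can be sketched as follows. This is an added example, not procilon's code: it assumes the SAD binds the signer, the selected signature key and the document hash (the items shown to the signer), uses an HMAC over a shared secret as a stand-in for the real SAD protection mechanism, and all names (`make_sad`, `sam_authorize`, the sample signers and keys) are hypothetical.

```python
import hashlib, hmac, json, secrets

# Constructed sample data; every name here is hypothetical.
SIGNER_SECRETS = {"alice": b"alice-sad-secret"}    # per-signer SAD secret known to the SAM
KEY_OWNERS = {"key-01": "alice", "key-02": "bob"}  # signature key -> controlling signer
FIELDS = ("signer", "key_id", "doc_hash", "nonce")
_used_nonces = set()                               # SADs already consumed by the SAM

def _mac(secret, fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def make_sad(signer, key_id, doc_hash, secret):
    """Signer side (SAK/OS): bind signer, key and document hash into one SAD."""
    fields = {"signer": signer, "key_id": key_id, "doc_hash": doc_hash,
              "nonce": secrets.token_hex(16)}
    return {**fields, "mac": _mac(secret, fields)}

def sam_authorize(sad, key_id, doc_hash):
    """SAM side: allow key activation only for the exact operation the SAD covers."""
    if not all(isinstance(sad.get(k), str) for k in FIELDS + ("mac",)):
        return False, "malformed SAD"
    fields = {k: sad[k] for k in FIELDS}
    secret = SIGNER_SECRETS.get(fields["signer"])
    if secret is None:
        return False, "unknown signer"
    if not hmac.compare_digest(_mac(secret, fields).encode(), sad["mac"].encode()):
        return False, "SAD integrity check failed"
    if KEY_OWNERS.get(key_id) != fields["signer"]:
        return False, "key not under this signer's control"
    if fields["key_id"] != key_id or fields["doc_hash"] != doc_hash:
        return False, "SAD not bound to this key and document hash"
    if fields["nonce"] in _used_nonces:
        return False, "SAD replayed"
    _used_nonces.add(fields["nonce"])
    return True, "ok"

if __name__ == "__main__":
    digest = hashlib.sha256(b"constructed sample document").hexdigest()
    sad = make_sad("alice", "key-01", digest, SIGNER_SECRETS["alice"])
    print(sam_authorize(sad, "key-01", digest))   # first use
    print(sam_authorize(sad, "key-01", digest))   # same SAD presented again
```

The SSA would pass `key_id` and `doc_hash` from the signing request itself, so a SAD issued for one document or key cannot activate a different operation.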

An attached CA must generally comply with the requirements of [EN319401], [EN319411-1] and [EN319411-2].