Technical Deep Dive for IT Professionals

This page extends the technical basics with concrete cryptographic and validation logic used in the DOCTAG environment.

Signature scheme

• Key type: Elliptic Curve (EC) on secp256r1.
• Signature algorithm: SHA256withECDSA.
• Public key format: X.509 SubjectPublicKeyInfo (stored as Base64).
• Private key format: PKCS#8 (stored as Base64).

Signature data (business payload)

Each signature signs a structured payload containing timestamp, key fingerprint, document hash, workflow hash, and hash of the previous signature chain.

Validation logic in document context

1. Verify cryptographic signature against stored public key.
2. Match document hash with actual stored PDF content.
3. Match workflow hash against signed input values.
4. Verify hash consistency for all referenced file attachments.
5. Verify signature chain via previousSignaturesHash (order/integrity protection).

Site certificates and trust chain

Public keys can be distributed via key server and enriched with an additional verification signature. This enables a federated trust context between instances in addition to basic signature verification.

Standards relation and eIDAS status

The approach uses established primitives (EC + ECDSA + SHA-256) and therefore satisfies typical application-layer requirements for integrity and authenticity.

No formal eIDAS claim in terms of qualified signatures: this is not a certified QES infrastructure with QTSP-bound trust services.

Note: Individual cryptographic components are regularly updated as part of ongoing product maintenance.