Mobile Signature Service

Mobile Signature Service (MSS) is a high-level service specified by the European Telecommunications Standards Institute that defines the roles participating in mobile identity management and mobile signature transactions, as well as functional and business-related requirements and interfaces. The specification is the governing standard for PKI and enables cross-compatible mobile signature solutions.

Background
The mobile signature services industry began in the early 2000s, with the release of the European Telecommunications Standards Institute (ETSI) mobile commerce standards (ETSI 102 203, 102 204, 102 206 and 102 207). The standards defined mobile signature as a universal method for using a mobile device to confirm the intention of a citizen to proceed with a transaction (that is, to digitally sign transactions on the mobile device, turning it into a personal trusted device), and mobile signature service as a facility that coordinates and manages the mobile signature process.

Mobile user
The mobile user is either a private person in possession of the mobile device, or a device embedded in the mobile device to which a mobile signature is associated.

Application provider
The application provider (AP) provides the service that the mobile user wishes to authenticate themselves to or the contract that the user wishes to sign.

Smart card issuer
The smart card issuer, typically a mobile network operator, issues the mobile user with a smart card that is in some form capable of completing signature operations and on-board key generation. The issuer associates itself with an MSSP.

Registration authority
The registration authority (RA), typically a mobile network operator, is in charge of registering mobile users with the MSS.

Certificate authority
The certificate authority (CA) is a service, typically a third party, that issues digital certificates for the mobile user's public key.

Mobile signature service provider
The mobile signature service provider (MSSP) is a service that facilitates the communication between the AP and the mobile user's SIM card. The MSSP of the ETSI specification typically consists of a HomeMSSP, AE (acquiring entity) MSSP and possibly an RE (routing entity). APs connect to a HomeMSSP via AE MSSPs. HomeMSSPs connect to the mobile user's SIM card directly.

Establishing a mobile identity
When a mobile user subscribes to a mobile signature service, the RA confirms their identity and binds it to a key pair, as in a public key infrastructure. The keys can be generated server-side or on the user's SIM card with on-board key generation (OBKG). With OBKG, the SIM card generates the key pair, sends the public key to the MSSP to be bound by the RA and certified by the CA, and has the mobile user assign a signing PIN to the private key, which is created on the SIM card and never leaves it.

Completing a signature transaction
When a mobile user accesses an AP's service and wishes to perform a mobile signature, the AP sends a signature request to the mobile user's HomeMSSP via an AE MSSP. The MSSP forwards the AP's request to the mobile user's SIM card. Upon receiving the signature request, the mobile user's SIM card can only complete the signature when the mobile user gives their signing PIN. The requested data is signed with the mobile user's private key and sent back to the mobile user's HomeMSSP, which then returns the signature to the AP, who can verify it with the mobile user's public key.

Roaming
The ETSI mobile commerce standard TS 102 207 defines a roaming framework between multiple MSS systems. If the AP's and the mobile user's HomeMSSPs are different, the AP's MSSP can reach the mobile user's HomeMSSP by roaming.

This way, an AP can make a contract with any of the MSS system operators and provide a service for all mobile users in the MSS mesh.

Revoking an identity
If at any point there is reason to believe that the user's mobile identity is at risk, they may ask the mobile network operator to have the CA revoke their certificate. Revoking the certificate of a user's public key makes the key pair unusable. Commonly, a revoked certificate cannot be reinstated remotely. Instead, a user must re-register in person in order to resume the use of MSS.
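The enrolment, signing and revocation steps described above, sketched in Go as an added example (not code from ETSI or from any MSS product). Ed25519, the type and function names, and the PIN and payment text are assumptions made for illustration; the SIM is called directly in place of the AE MSSP and HomeMSSP hops, and revocation is reduced to a flag the AP reads.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustration only: Ed25519 and every name below are assumptions, not ETSI-defined.
// SIM models the smart card; the private key is reachable only through Sign.
type SIM struct {
	priv ed25519.PrivateKey
	pin  string
}

// Cert is the CA's record for a user: public key plus a revocation flag.
type Cert struct {
	Pub     ed25519.PublicKey
	Revoked bool
}

// Enroll performs on-board key generation; only the public key leaves the card.
func Enroll(pin string) (*SIM, *Cert) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SIM{priv, pin}, &Cert{Pub: pub}
}

// Sign runs on the card; entered is the PIN the user typed on the handset.
func (s *SIM) Sign(data []byte, entered string) ([]byte, error) {
	if entered != s.pin {
		return nil, errors.New("signing PIN rejected")
	}
	return ed25519.Sign(s.priv, data), nil
}

// APVerify: certificate not revoked, signature valid over exactly the requested data.
func APVerify(c *Cert, data, sig []byte) bool {
	return !c.Revoked && ed25519.Verify(c.Pub, data, sig)
}

func main() {
	sim, cert := Enroll("4821") // constructed PIN
	data := []byte("Pay 25.00 EUR to Example Shop")
	sig, err := sim.Sign(data, "4821")
	fmt.Println(err == nil && APVerify(cert, data, sig))
}
```

The AP-side check fails closed in three cases: no signature is produced without the correct PIN, a signature does not verify over altered data, and a revoked certificate is rejected even when the signature itself is valid.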