Trusted SIC is positioned as a unified web-based digital signing interaction layer, integrating FIDO2/WebAuthn/SPC authentication with remote signing infrastructure and a multi-CA model. The objective is not only to streamline UX but to build a “signature gateway” aligned with ETSI/eIDAS principles for large-scale digital signing environments.
A true SIC layer for the new digital signing era
In many current digital signature systems, the user experience is fragmented: onboarding, authentication, and the signing operation itself often occur in silos and are tethered to a specific CA’s proprietary app. Trusted SIC reverses this trend by consolidating all interactions into a unified web-based layer. Users experience a consistent signing journey while the backend orchestrates connections across multiple CA/HSM providers.
Crucially, this SIC serves as more than just a UI; it acts as a robust authentication orchestration layer. Passkeys (FIDO2/WebAuthn) and Secure Payment Confirmation (SPC) are used to bind authentication keys to signing accounts, so that each signing action is triggered through a phishing-resistant mechanism. Once authentication is verified, the SIC issues a Signature Activation Data (SAD) token to the remote signing layer, where the actual signing keys remain secured within server-side HSM/QSCD environments.
Unified signing UX for Web, Mobile, and Merchants
Seamless connectivity via Multi-CA Connector
Zero dependency on USB tokens or SMS OTP by default
Architecture aligned with ETSI/eIDAS standards
Why does this model matter now?
1. Signing UX must mirror digital payments
Users expect the same seamless experience provided by unified payment gateways. Enterprises now demand a universal signature gateway that abstracts the complexity of multiple CAs, SDKs, and onboarding workflows.
2. Passkey maturity replaces OTP
FIDO2/WebAuthn elevates authentication to a higher tier: phishing-resistant, biometric-enabled, and frictionless for high-frequency signing across multi-device environments.
3. Remote signing requires a user-friendly interface layer
While the backend infrastructure (CA, HSM, audit logs) is complex, the user-facing SIC must be transparent, consistent, and intuitive to maintain trust and adoption.
4. European standards prioritize governance & evidence
ETSI/eIDAS compliance focuses on “Sole Control,” secure remote signing protocols, and the transparency of the approval process via comprehensive audit trails.
Trusted SIC Architecture: Web Frontend, Multi-CA Backend
The overall model is structured into three distinct tiers. At the top is the user (Web/Mobile/Enterprise App). In the middle is the Web-based Trusted SIC utilizing FIDO2/WebAuthn/SPC for interaction and authentication. The foundation is the Multi-CA Connector, which routes signing requests to the appropriate CA/HSM/QSCD.
Layer 1: Experience & Approval
Displays transaction context, documents, and consent prompts. This is where users review the payload and authorize via Passkey/Biometrics.
Layer 2: SIC Trust Logic
Verifies WebAuthn assertions, binds user identity to signing accounts, and issues SAD/JWT/JWS tokens following policy validation.
Layer 3: Multi-CA Connector
Acts as an abstraction layer (adapter) to various TSPs/CAs, preventing vendor lock-in and enabling price optimization across different markets.
Layer 4: CA / HSM / QSCD
The actual private keys reside in secure server-side environments. The SIC coordinates activation and evidence collection without exposing keys to the client device.
Trusted SIC can be viewed as the “Payment Gateway for Digital Signatures”: a single interface for the end-user, with a backend capable of orchestrating multiple signing providers.
Initial Onboarding: Digital ID + Passkey + Signing Profile
The onboarding flow leverages Digital Identity (eID) to minimize friction. Users authenticate via an OIDC/SSO platform, sharing verified attributes (Name, ID number, Biometrics). The system then automatically provisions a signing account profile.
The next phase involves Passkey registration via navigator.credentials.create(). The SIC then requests certificate issuance through the Multi-CA Connector, binding the FIDO2 credential and CA metadata to the user’s permanent signing profile.
Step 1 — Identity & Data Sharing
SSO/OIDC is used to retrieve authorized identity attributes, automating the KYC process and reducing onboarding abandonment.
Step 2 — Passkey Registration
The Passkey becomes the phishing-resistant authentication factor, bound directly to the signing account rather than just a general login session.
Step 3 — Signing Profile Creation
Establishes the relationship between the user, FIDO2 credentials, certificate references, and the CA—critical for future signing orchestration.
Step 4 — Multi-CA Integration
Instead of a monolithic link to one provider, the connector allows for dynamic selection of CAs based on use case, cost, or regulatory requirements.
Recurring Signing: Biometric-triggered remote signing
For subsequent signing events, the Relying Party (RP) or Merchant simply sends a tx_id and doc_hash to the Trusted SIC. The SIC presents the transaction details, invokes WebAuthn/SPC for biometric approval, verifies the assertion, and generates the SAD for remote signing.
ETSI/eIDAS Alignment: More Than Just UX
Viewing the SIC merely as a web interface underestimates its value. It is the implementation site for core remote signing principles: signer authentication, sole control, SAD issuance, and transaction-to-consent binding. A web-based SIC is often the most cost-effective and user-friendly approach compared to fragmented CA-specific mobile apps.
Web-based Trusted SIC
A unified activation layer for PC/Mobile using WebAuthn/SPC. Highly effective for session pooling and batch signing within ETSI frameworks.
Third-party Identity Hubs
Useful for KYC but can create heavy dependencies on external SLAs, impacting time-to-market and operational overhead.
Proprietary CA Apps
Often increases vendor lock-in, fragments the user journey, and scales poorly in multi-tenant enterprise environments.
| Criteria | Trusted SIC Approach | Architectural Value |
|---|---|---|
| Signing Approval | Passkey/FIDO2/WebAuthn/SPC | Anti-phishing, biometric-native, frictionless |
| Orchestration | SAD/JWT/JWS to Remote Signing | Decouples user auth from HSM execution |
| Connectivity | Multi-CA Connector | Mitigates lock-in, optimizes cost/scaling |
| End-point | PC, Mobile, Cross-device | Unified journey vs. fragmented app silos |
| Compliance | ETSI/eIDAS Alignment | Enables cross-border and regulated market entry |
Business Value: From Signature Gateway to Trusted Platform
A well-architected Trusted SIC enables new revenue models beyond simple signing. It creates three natural revenue streams: certificate issuance sharing, transaction-based fees, and value-added Trusted services.
Revenue Stream #1
Certificate Issuance
The SIC acts as the customer gateway, enabling revenue sharing with CAs during the issuance phase.
Revenue Stream #2
Usage-based Fees
As the standard SIC layer for multiple apps, every signature becomes a clear commercial touchpoint (SaaS/Subscription).
Revenue Stream #3
Value-added Services
Timestamping, Batch Signing, Evidence-as-a-Service, LTV, and advanced audit reporting.
Target Market Segments:
Banking & Fintech
High-value transactions, digital contracts, and eKYC integration requiring robust fraud prevention.
Insurance & Healthcare
Sensitive documentation requiring multi-party workflows and strict auditability.
E-commerce & Platforms
High-volume signing at checkout, requiring rapid onboarding and multi-tenant scalability.
Public Sector & Cross-border
Standardized interaction and evidence for regulated international digital trust frameworks.
SWOT Analysis
Strengths
International standard alignment, superior UX, Passkey-native, and zero-OTP/token overhead.
Weaknesses
Dependency on eID availability and browser-level SPC/WebAuthn behavior consistency.
Opportunities
Rapidly expanding eSign market and rising demand for high-frequency signing in Fintech.
Threats
Shifting CA policies and browser/OS-level restrictions on cross-device authentication.
Deployment Roadmap
Conclusion
Trusted SIC represents a paradigm shift from “CA-centric apps” to “standardized signing interaction layers.” By merging remote signing with Passkeys, enterprises achieve a trifecta: superior UX, open architecture, and ETSI/eIDAS compliance.
Final Message: If the goal is cost-efficiency, high-frequency signing UX, and vendor independence, a web-based Trusted SIC is the logical backbone for the next generation of digital trust services.