REST object references

anonymous

For dynamic-link-based flows, anonymous REST API endpoints may be used. Here the RP learns the identity of the user only when it receives the successful session result.

Usage of the anonymous endpoint is optional.

For the dynamic-link-based flows, the other REST object references may be used as well. In that case the check that the identifiers match is done right after the user has interacted with the dynamic link (QR code, Web2App link, or App2App link), but before signature creation.

etsi/:id-etsi-qcs-SemanticsId-Natural

Objects referenced by etsi/:id-etsi-qcs-SemanticsId-Natural are persons identified by their ETSI Natural Person Semantics Identifier specified in ETSI EN 319 412-1 in section Natural person semantics identifier.

The identifier contains information using the following structure in the presented order:

  • 3-character natural identity type reference, which shall have one of the following defined values (the standard supports more than these three references):

    • PAS for identification based on passport number.

    • IDC for identification based on national identity card number.

    • PNO for identification based on (national) personal number (national civic registration number).

  • 2-character ISO 3166-1 alpha-2 country code (for example EE, LT, LV, KZ)

  • hyphen-minus - (0x2D (ASCII), U+002D (UTF-8))

  • identifier (according to country and identity type reference)

Example values may be:

  • etsi/PASKZ-987654321012

  • etsi/PNOEE-48010010101

  • etsi/IDCCZ-1234567890

Please note:

  • :id-etsi-qcs-SemanticsId-Natural value should be encoded according to the rules defined in ETSI EN 319 412-1

  • the country code part in :id-etsi-qcs-SemanticsId-Natural conforms to ISO 3166-1 alpha-2 code and as such must be in upper case.
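The structure above can be checked on the RP side before the value is placed into a request path. The following is an added example, not part of the Smart-ID documentation or client libraries; the names `parse_semantics_id` and `SemanticsId`, and the identifier character set and 64-character limit, are assumptions chosen so that characters with meaning in a URL path are rejected.

```python
import re
from typing import NamedTuple

# Identity type references listed on this page (the standard defines more).
ALLOWED_TYPES = {"PAS", "IDC", "PNO"}

# type (3 chars) + country (2 upper-case letters) + hyphen-minus + identifier.
# Assumption: the identifier is limited to letters, digits and '-' (max 64),
# so '/', '?', '#', '%' and whitespace can never reach the URL path.
_PATTERN = re.compile(r"([A-Z]{3})([A-Z]{2})-([A-Za-z0-9-]{1,64})")


class SemanticsId(NamedTuple):
    id_type: str
    country: str
    identifier: str

    def path(self) -> str:
        """REST object reference, e.g. etsi/PNOEE-48010010101."""
        return f"etsi/{self.id_type}{self.country}-{self.identifier}"


def parse_semantics_id(value: str) -> SemanticsId:
    """Parse and validate a bare identifier or an 'etsi/'-prefixed reference."""
    if value.startswith("etsi/"):
        value = value[len("etsi/"):]
    # fullmatch: the whole string must fit, so a trailing newline is rejected.
    match = _PATTERN.fullmatch(value)
    if match is None:
        raise ValueError("malformed semantics identifier")
    id_type, country, identifier = match.groups()
    if id_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported identity type reference: {id_type}")
    return SemanticsId(id_type, country, identifier)
```

A lower-case country code is rejected rather than silently upper-cased, so a malformed value coming from user input is surfaced instead of being normalized.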

document/:documentnumber

Objects referenced by document/:documentnumber are particular documents (also known as user accounts) in the Smart-ID system.

This may be used for signing once a user has already authenticated, for re-authentication or for signing once the document is known from a certificatechoice session query.