External-party signing — Phase 2: Internal-tier external signers (design)

Date: 2026-06-29
Status: Approved (design); ready for implementation plan
Builds on: Phase 1 (2026-06-28-external-party-signing-design.md) — the shipped Global-external flow (roster esign_sign_envelopes/esign_envelope_signers, per-signer 256-bit access tokens, the public token-gated signing page, MySign/Send/SubmitSignerOTPByToken, roster-driven finalizeEnvelopeIfComplete + FinalizeInstance, and the LOW-polish hardening).

1. Goal

Let a requester invite an external party (no Obscura account) to sign a document on the Internal tier — verified by an Obscura-sent email OTP and sealed with an in-house PAdES signature (“self-hosted attestation”) — with no Mekari dependency and no per-signature provider cost. This is the lower-assurance, high-volume counterpart to the certified Global-external flow already shipped.

Assurance positioning: an internal-tier external signature proves “someone who controlled that email address signed this document at time T, via a link only they received.” It is NOT a government-PKI or AATL-certified identity (that is the Global tier, which already ships PAdES-B-LT). The trust anchor is the deployment’s own in-house CA.

2. Decisions (locked during brainstorm)

• OTP channel: email only. Internal-tier externals are invited by email and the OTP is emailed too (we have a working SMTP path; the SMS/WhatsApp sender is a no-op stub). An internal-tier external requires an email address (it carries both the invite link and the code). No phone needed.
• Cert identity: one “Obscura Attestation” service cert from the in-house CA. The cryptographic identity is Obscura (“we attest X signed”); the external’s name/email + “email-verified at ” live in the visible appearance and the evidence record. No per-signer cert issuance.
• Scope: minimal. Only an Internal-tier request that contains ≥1 external signer creates a roster/envelope. Internal-only multi-party requests keep the existing workflow-task path (no envelope) — not refactored. PSrE-external stays deferred (Tilaka channel blocked). In-house LTV is separately deferred (see ROADMAP).

3. Architecture

An internal-tier request with an external signer creates a local envelope: the same esign_sign_envelopes + esign_envelope_signers roster and per-signer access tokens as the Global flow, but provider="local", sign_kind="internal", and no Mekari RequestMultiSign call. The public signing page, token hashing/storage, deadline-as-token-expiry, the per-token+IP rate limiter, token revocation on sign, and roster-driven completion are all reused unchanged. Only three steps branch on the envelope’s provider:

1. OTP send — local: Obscura emails a code; Mekari: existing WhatsApp path.
2. OTP submit — local: validate the local code; Mekari: existing ChallengeSealer.SubmitOTP.
3. Apply signature — local: in-house PAdES per submit; Mekari: provider seal fetched at finalize.

This keeps the new surface area small and isolated behind a provider branch.

4. Data model

• Reuse esign_sign_envelopes with provider="local", sign_kind="internal". (provider already exists; “local” is a new value, no schema change there.)
• Migration (next free number at execution — currently 00068) — add local-OTP state to esign_envelope_signers:
• otp_code_hash text (nullable; sha256hex of the issued code)
• otp_expires_at timestamptz (nullable)
• otp_attempts int NOT NULL DEFAULT 0
• No new top-level entity. (The existing provider_envelope_id/signer_id columns stay empty/synthetic for local rows.)

5. Request creation

In the RequestSignature HTTP handler + buildEnvelope:

• An external signer may now be Internal-tier OR Global — relax the current “any external ⇒ sign_kind must be global” rule. The rule becomes: a Global external requires a phone (WhatsApp OTP); an Internal external requires an email (email OTP + link). Both still require a name.
• buildEnvelope runs when sign_kind=="global" OR (sign_kind=="internal" AND ≥1 external signer). For the internal/local case it: builds the roster rows (internal users + externals), mints a 256-bit access token per external row, persists the envelope as provider="local", and sends each external an email invite (real EmailInviter) with the /sign/<token> link. It does not call Mekari and sets no provider signer ids.
• Internal-tier request with no external signer → unchanged (workflow tasks only, no envelope).
• Duplicate-signer guard, deadline (3–31 days → token expiry), and order (parallel/sequential) apply as today.

6. OTP flow (email)

SendSignerOTPByToken(tokenHash) and SubmitSignerOTPByToken(...) branch on the loaded envelope’s provider:

• Local — send: generate a 6-digit numeric code; store sha256hex(code) + otp_expires_at = now + 10m and reset otp_attempts = 0 on the signer row; email the code to the signer’s email (subject e.g. “Your Obscura signing code”); return otp_channel = "email". Respects the existing per-token+IP send limiter + ensureSignerTurn (sequential).
• Local — submit: reject if otp_code_hash is null/expired (esign.otp.expired), or otp_attempts >= 5 (rate-limited), or the hash doesn’t match (increment otp_attempts, esign.otp.invalid). On match → apply the signature (§7).
• Global — unchanged (Mekari RequestOTP/SubmitOTP).

7. Signature — self-hosted attestation

On a valid local OTP + the decoded drawn-signature PNG:

1. Ensure a singleton “Obscura Attestation” signing cert exists by reusing the existing per-principal signing-cert issuance/storage (EnsureSigningCert) with a reserved system principal id (e.g. system:obscura-attestation) — no new cert storage, idempotent ensure-on-first-use, issued from the same in-house CA as user certs.
2. Apply an in-house PAdES signature to the document’s current version via the existing Signer.Sign(attestationCertPEM, attestationKeyPEM, caCertPEM, pdf, SignInfo{...}):
   - Name = <external name>, Reason = "Self-hosted attestation — <name> <email>, email-verified, <UTC RFC3339>", Image = drawnPNG, Placement = the signer’s box (default if none). It is an ApprovalSignature (stacks with other signatures).
3. Land it as a new version via the existing versionWriter.AddSignedVersion (idempotent-by-content-hash from the regression fix). Insert an evidence row in signatures: assurance="internal", is_external=true, signer_name=<external name>, signed_ip/ua, signed/source hashes.
4. Mark the roster row signed (MarkSignerSignedExternal — also nulls the row’s token). When all roster rows are signed → mark the envelope completed + FinalizeInstance (roster-driven, idempotent). No FetchSealed — there is no external provider.

Multi-signer note: each submit signs the current version, so signatures stack as PAdES approval signatures. ensureSignerTurn keeps a sequential request clean (each signer signs after the prior). A parallel local request signs whatever the latest version is at submit time (acceptable; documented).

8. UI

• RequestSignatureModal: the tier selector (Internal / Global / PSrE) is usable when externals are present (today it force-locks Global). Validation per tier: a Global external needs name+phone(+email); an Internal external needs name+email (no phone). Helper text explains the Internal-tier external is “email-verified, in-house attestation (no certified provider).”
• Public signing page: unchanged in shape (PDF preview + draw/type pad + OTP). For a local signer the channel label reads “email” and the “code will be sent to {masked email}” line is shown. The 202/processing, expired-vs-wrong, transient-vs-dead handling from the polish work all apply.
• Signatures list / roster: already shows the external + “In-house” assurance tag + “External” badge (Phase-1 polish). Add a tooltip clarifying “self-hosted attestation — verified by email, signed under this organization’s own authority.”

9. Security

• Same token model as Phase 1: 256-bit token, stored as sha256hex, deadline = expiry, public routes gated on the esign module, per-token+IP rate limiter, token nulled on sign/cancel/expiry, signed_ip from X-Forwarded-For.
• Local OTP: hashed at rest, 10-minute expiry, ≤5 attempts, rides the same limiter; never logged in plaintext.
• The attestation private key is a service key (not a user’s), held with the encrypted CA material; only the esign service signs with it.
• Evidence is explicit that this is an email-verified self-hosted attestation, not a certified identity — so it is never misrepresented as Global/PSrE assurance.

10. Out of scope

• PSrE-external (Tilaka channel still blocked) — deferred.
• SMS/WhatsApp OTP for the internal tier — email only for now; the send path stays behind the provider branch so a real SMS sender can be added later without touching callers.
• Roster generalization for all-internal multi-party requests — the existing workflow-task path is untouched.
• In-house PAdES-LTV — separately deferred (ROADMAP).

11. Testing

• go build ./... && go vet ./...; cd web && npx tsc --noEmit && npx vite build; regen npm run gen:api after OpenAPI edits. NEVER go test (writes the live demo Postgres).
• Deploy from repo root; assert /me enabled_modules == [correspondence,watermarking,ai,esign] after each deploy.
• Full self-driven e2e (no user OTP relay): create an internal-tier request with an external signer → read the invite + the 6-digit OTP from mailpit → drive the public page (state/preview/send-OTP/submit with a drawn image) → assert the in-house-attested signed version lands, the evidence row is internal/is_external, the roster completes, and the instance is approved. Also verify a mixed internal+external internal-tier request and the relaxed modal validation. Clean up test artifacts.