Ascertia ADSS Server Signing & Verifying
www.ascertia.com
© Copyright 2001-2007 Ascertia Ltd.
Ascertia Signing & Verification Products
October 2007
Ascertia Limited
• A leader in e-Trust products and solutions
  – Comprehensive solutions for global trust
  – Focused on meeting real customer needs
  – Working with system integrators & service providers
  – Selling to resellers & end-users
• Mission
  – Making digital signatures easy to use and trust
  – Providing secure, flexible, multi-functional trust services for businesses and managed service providers
• A private limited company
  – All products designed and developed in-house
  – Strong R&D investment continues at 25+%
  – Self-funded with tight expense controls
  – Carefully managing business growth
  – Wholly owned by directors and staff
Products - 2007
CLIENT SOFTWARE (digital signatures, verification & validation, encryption)
- PDF Sign&Seal, File Sign&Seal
- ARP SE (OCSP & CRL services), ARP SDK (validation toolkit)
SERVER SOFTWARE (digital signature creation, verification & validation, encryption & other options)
- ADSS Server, with PDF Signer Server, XML Signer Server and File Signer Server options
- ARP EE (OCSP & CRL services): full validation + history logs
- ARP SDK (validation toolkit)
INFRASTRUCTURE SOFTWARE
- TrustFinderOCSP: OCSP server
- TrustFinderCA: enterprise credentials
- TrustFinderTSA: timestamp server
- TrustFinderSCVP: SCVP server (Q1 2008)
- TrustFinderXKMS: XKMS server (Q1 2008)
Business Workflow Example
Diagram (workflow steps): Create → Sign → Verify / Timestamp → Review → Approve → Verify / Countersign → Review/Release → Verify / Countersign → Audit → Verify
Back-end systems shown: ERP, CRM, ECM
Business Workflow Example
Diagram (workflow steps): Create → Sign / Countersign → Verify / Timestamp → Review → Approve → Review/Release → Audit
Users identified using strong authentication techniques, with an option to confirm and authorise signature and counter-signature
If using signed PDFs then Adobe® Reader also verifies at the desktop
Implementation Options
DESKTOP SOFTWARE
- Desktop applications: PDF Sign&Seal, File Sign&Seal
- ARP OCSP Client
- Browser based (server controlled): PDF signing, file signing, XML signing, signing & uploading files
SERVER SOFTWARE
- ADSS Server: PDF signing, encryption & verification; XML signing and verification; file signing and verification; Timestamp Authority services; OCSP Validation Authority services
- ARP OCSP Client (for servers)
- Multiple document formats, multiple signature formats, notary archive services
New Products for Sep07 onwards
• ADSS Server OCSP Module
  – OCSP Module to deliver TrustFinderOCSP v5 functionality, or as part of a multi-functional ADSS Server
• ADSS Server TSA Module
  – Timestamp Authority Module for timestamp issuance and authorisation, and transaction recording, reporting & management
• ADSS Server – Gateway v3.1
  – For use with third parties and their systems; sends only the signature for processing (not the full document)
  – Supports ETSI long-term signatures
• PDF Sign&Seal v4
  – .NET implementation: smaller, faster
  – Enhanced PDF viewer with smooth scrolling
  – PDF encryption using certificates, long-term signatures
New Partner Solutions for Sep07 onwards
• For SAP and Oracle invoice signing
  – Enables SAP and Oracle certified integration with effective data transformation and signing using an integrated ADSS Server
• For a secure and intelligent eMail Gateway
  – Enables effective personal or corporate digital signatures to be applied on outgoing emails and/or attachments
  – Enables automated encryption of emails after virus scanning
  – Enables automated decryption of emails prior to virus scanning (Dec 2007)
ADSS Server Product Architecture
Architecture diagram: ADSS Server is reached by Application (Web Services), Application (Java API), Email Gateway and Watched Folder interfaces, and by OCSP clients, SCVP clients and XKMS clients using HTTP, HTTP/S or XML/SOAP. Interfaces are marked synchronous or asynchronous; a legend marks components due in Q1 2008.
ADSS Server Powered Products
• PDF Signer Server– Signing & Verification
• XML Signer Server– Signing & Verification
• File Signer Server – Signing & Verification also Forms
• TrustFinderOCSP v5– RFC 2560 Validation Authority
• TrustFinderTSA v5– RFC 3161 Timestamp Authority
• In R&D – TrustFinderCA (full features), TrustFinderSCVP, TrustFinderXKMS
ADSS Server – Business Usage
• Can be used to deliver trust for internal or external e-business workflows
  – Central or local government
  – Financial, telco, pharma, petrochemical, etc.
  – Health services, multi-agency services, etc.
• Satisfies business needs for
  – Traceability, audit, compliance
  – Identity assurance, integrity
  – Document and data authentication
  – Certainty in dealing with final, approved documents
  – Immediate, medium-term and long-term trust
  – Optional digital notary services
ADSS Server Product Differentiators
• Business applications need comprehensive services, not just simple protocols
  – ADSS Server is a comprehensive multi-functional server
• ADSS Server offers a single service point
  – For signing, for verification, for validation & timestamping
  – For application authorisation & transaction management
• ADSS saves time everywhere, for everyone
  – Solution architect learning time
  – Solution delivery / build time
  – Operations management training time
  – Security audit training time
• All modules have a consistent look & feel
• Solution build & enhancement is easier
ADSS Server does it all from just one box!
Diagram: one box containing OCSP Server (XKMS/SCVP), TSA, CA/RA, and server-side signing & verification
Why use ADSS Server?
• Maximises options and enables easy usage
  – Multiple integration approaches, optional HSMs
  – Handles multiple document formats
  – Handles multiple signature locations and formats
  – Corporate signatures, end-user signatures
• Minimises internal effort to apply trust
  – High-level services, even using just one line of code!
  – Manages all keys and certificates
  – Built-in management, logging, audit, reporting
• A world-class product for today and tomorrow!
  – All the business options in one product
  – Services multiple concurrent applications
  – High availability and scalability
  – Easy to use, managed, controlled security
Ascertia ADSS Server Trust Services
Note: you only need to license and use what is needed today
PDF documents: basic signature (visible / invisible); certify; sign & timestamp; long-term signatures
XML documents: XML DSig (XAdES ES); timestamps (XAdES ES-T); long-term signatures (XAdES X-Long)
PKCS#7 / CMS / S/MIME: basic signature (CAdES ES); timestamps (CAdES ES-T); long-term signatures (CAdES X-Long)
Also: historic verification; OCSP validation (immediate verify & long-term sign); Time Stamp Authority (TSA) server
(Diagram columns: Sign, Verify)
ADSS Server – usage example: Simple Outgoing Signing
For any internal, published or outgoing data: signed invoices, signed receipts, signed documents, orders & order confirmations, regulatory reporting, policies and procedures
Diagram (SIGN): Internal Systems and Business Applications (ECM, ERP apps) → ADSS Server → End Users, File Stores
ADSS Server – usage example: Simple Incoming Notarising
For received documents or data: eProcurement submissions, financial reports, regulations, orders, receipts, statements
Diagram (SIGN & TIMESTAMP): Customer orders, Supplier info, Government documents → Business Applications / Internal Systems → ADSS Server → Notary / Archive
ADSS Server – usage example: Corporate and End-User (Client) Signing
Use cases: eProcurement, eTendering, eBPM actions; purchasing, business agreements; accepting, approving, confirming
Diagram (SIGN & VERIFY): Workflow / Confirmation → Display Document → Ask to Sign → Signature (user keys, via GoSign Applet) → Display signed document → Action
End-user & corporate signatures applied; end-user signature verified & validated
Components: Business Applications, ADSS Server, GoSign Applet, user keys
ADSS Server – usage example: Corporate and End-User (Server) Signing
Use cases: eBPM actions, purchasing, business agreements; accepting, approving, confirming
Diagram (PDF SIGN): Workflow / Confirmation → Display Document → Ask to Sign → Confirm wish to Sign → Display signed document → Action
End-user & corporate signatures applied
Components: Business Applications, ADSS Server, user keys
ADSS Server – usage example: Signed upload of client documents or files
Use cases: eBanking, eProcurement, eTendering, trade finance systems, etc.
Diagram (VERIFY & Timestamp): Application Dialogue → Ask to Upload → Signed file uploaded (user keys, via GoSign Applet with the local file signing option specified) → Workflow Action
Optional signed receipt is recommended!
End-user signature verified & validated; optional timestamp applied to confirm time
Components: Business Applications, ADSS Server, GoSign Applet, user keys
ADSS Server – usage example: Business Portal – Multiple Businesses
Use cases: eProcurement, eTendering, eBPM actions; purchasing, business agreements; accepting, approving, confirming
Diagram (SIGN & VERIFY): E-Portal Documents and Workflow Management → Display & ask to Sign → Signature → Display signed document
End-user and corporate signatures applied; end-user signature verified & validated
Multiple users from different organisations (SIGN, via GoSign); components: Business Applications, ADSS Server
ADSS Server – Integration Options
• Integration options: Web Services, Java API, Watched Folder, Email
• The business application may be allowed to control:
  – What format to sign / verify
  – How to sign / verify (signature formats)
  – Where to sign (keys on the desktop or server)
  – How many “places/pages” to sign
  – Location to sign
  – Appearance of signature
Note: defaults are set by ADSS Server operators and these may be configured to allow / disallow application over-rides
ADSS Server – Signing Capabilities
• Sign various data formats
  – PDF, XML, File, Form (PKCS#7) and S/MIME
• Create various signature types
  – Embedded (e.g. PDF, XML)
  – Wrapping (e.g. PKCS#7 / CMS / XML)
  – Detached (XML, PKCS#7, CMS)
  – Plus timestamp information (ETSI / PDF)
  – Plus validation status information (ETSI / PDF)
• For use with any internal or external document
  – Use corporate server signatures
  – Use individual server-side signatures
  – Use individual client-side signatures via GoSign
ADSS Server – Verify Capabilities
• Verify & trust various data formats
  – PDF, XML, File, Form (PKCS#7) and S/MIME
• Verify various signature types
  – Embedded (e.g. PDF, XML)
  – Wrapping (e.g. PKCS#7 / CMS / XML)
  – Detached (XML, PKCS#7, CMS)
• Special options
  – Add/check timestamp information (ETSI / PDF)
  – Add/check validation status information (ETSI / PDF)
  – Optional historic verification of any signature
  – Optional quality module and “additional information”
• For use with any internal or external document
  – Use with any received signatures at a server
  – Use with any received signature at a desktop
ADSS Server – Certificate Validation
• ADSS Certificate Validation
  – Current validation using CRL checks
  – Current validation using OCSP calls
  – Historic validation using retained old CRLs
  – DNV VAS protocol
  – SCVP and XKMS options in Q1 2008
  – Quality ratings and additional information options
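Historic validation, as listed above, means judging the signer's certificate against the revocation information that applied at signing time rather than against today's CRL. The Python below is an added illustration and not Ascertia code: it models archived CRLs as plain records (constructed data, no ASN.1 parsing) and applies that rule; the 24-hour grace period and the CRL-selection rule are assumptions, not something the deck specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RetainedCrl:
    """An archived CRL: its issue time plus serial -> revocationDate (constructed)."""
    this_update: datetime
    revoked: dict


@dataclass
class SignerCert:
    serial: int
    not_before: datetime
    not_after: datetime


def select_crl(crls, not_earlier_than):
    """Earliest retained CRL issued at or after the cut-off. A CRL issued before
    the cut-off could not yet list a revocation requested just before signing."""
    later = [c for c in crls if c.this_update >= not_earlier_than]
    return min(later, key=lambda c: c.this_update) if later else None


def historic_status(cert, crls, signing_time, grace=timedelta(hours=24)):
    """Certificate status as it stood at signing_time: "good", "revoked",
    "invalid" (outside the validity period) or "indeterminate" (no retained
    CRL covers the period, so no decision can be evidenced)."""
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "invalid"
    crl = select_crl(crls, signing_time + grace)  # grace period is an assumption
    if crl is None:
        return "indeterminate"
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= signing_time:
        return "revoked"
    # Never revoked, or revoked only after signing: a later revocation does not
    # invalidate a signature whose time is trusted (e.g. by a timestamp token).
    return "good"


# Constructed sample: a certificate revoked on 5 Oct 2007 and three weekly CRLs
# retained from that period (the first predates the revocation).
CERT = SignerCert(0x1234, datetime(2007, 1, 1), datetime(2009, 1, 1))
CRLS = [
    RetainedCrl(datetime(2007, 10, 1), {}),
    RetainedCrl(datetime(2007, 10, 8), {0x1234: datetime(2007, 10, 5)}),
    RetainedCrl(datetime(2007, 10, 15), {0x1234: datetime(2007, 10, 5)}),
]

if __name__ == "__main__":
    for when in (datetime(2007, 10, 3, 12), datetime(2007, 10, 6, 12), datetime(2007, 10, 20)):
        print(when.isoformat(), historic_status(CERT, CRLS, when))
```

A signature made on 3 Oct stays "good" even though the same certificate shows as revoked on every current CRL, which is exactly the case a current-only check would get wrong.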
ADSS Server – Timestamp Authority
• ADSS Timestamp Authority
  – Provides RFC 3161 Timestamp Authority services
  – Can provide management services for an existing TSA
• Management features
  – Authorisation of user / system access
  – Authenticating acceptable TSA responses
  – Multiple profiles supported
  – Recording of all requests / responses, including timestamp tokens, as evidence for dispute resolution
  – Auto-archiving of transactional logs
• Invaluable for
  – Evidencing / notarising / archiving
  – Systems & users when creating long-term signatures
ADSS Server – Certificate Management
• ADSS key generation
  – Authenticated applications can register users
  – Keys generated according to a profile
• Certification
  – PKCS#10 / PKCS#7 request / response processing
  – Internal CA or external CA
  – Automated processing options (issuance, renewal) can be discussed
  – Certificate suspension can be discussed
• Long key lengths and strong algorithm support
  – RSA to 4096 (longer if required)
  – SHA-1 and SHA-2 (to SHA-512)
  – ECC can be discussed
ADSS Server – License Options
– Base Module (one interface & HSM support)
– PDF Signing / Verification Modules
– XML Signing / Verification Modules
– File Signing / Verification Modules
– Client-side Signing (GoSign Applet) Module
– Historic Validation Module
– Support for multiple issuer CAs
– OCSP Module
– TSA Module
– Notary Module (project-based delivery)
– Quality Module for signatures and certificates
– Multi-User Modules for signing
– Multi-User Modules for verification
– Multi-User Modules for timestamping
– Multi-User Modules for key generation and certification (using the Internal CA Module or an external CA)
Note: you only need to license and use what is needed today
ADSS Server Scalability / Resilience
Diagram: a hardware load balancer (e.g. Big-IP, Cisco) distributes signature / verification / validation requests (HTTP/HTTPS) across several ADSS and OCSP instances; the instances share a replicated DB cluster (SQL Server, Oracle or MySQL) and HSM 1 / HSM 2; CRLs are collected from CA 1, CA 2 … CA n.
Solution Summary
• Trust is essential for e-business
  – Enhances credibility
  – Prevents changes to data
  – Meets legislative requirements
  – Enables legal acceptance
  – Enhances dispute resolution
  – Prevents draft or unapproved data being used
  – Substantially reduces print and delivery costs
  – Reduces business risk and costs
  – Offers a competitive advantage
• Ascertia is a trust products leader
• Ascertia has excellent references
Benefits (diagram): sign-off & approval; clear ownership; assure traceability; legal-weight signatures; strengthen audit & compliance; reduce identity fraud; strengthen internal policies; prevent document changes; reduce paper & postage costs, and reduce your carbon footprint; provide undeniable evidence; protect archived data
Ascertia Summary
• Ascertia leads the world with its trust solutions
• The right company to do business with
• The right architecture for the future
• The right products for today’s market
• The right attitude and commitment to our customers and partners
• Vision and capability to secure the future
Questions: Rod Crook, +44 1256 [email protected]