Ascertia Signing Solutions: Leveraging New Business
November 2015
Identity Proven, Trust Delivered
Copyright © Ascertia 2015
Ascertia Overview
• Established in 2001, owned and managed by people with decades of relevant experience in global PKI security
• Key verticals are all government departments plus financial services, aviation, pharma and health
• Product focus is on providing advanced digital signature solutions that deliver legal weight and high-trust cryptographic security
• Main message: “the most secure way to sign”
• Company focus is on long-term relationships and secure, high-quality products that leverage the value of Public Key technology and services
• A privately held company that listens to its customers and partners!
Ascertia Products 2015
Opportunity 1: SigningHub (Cloud or Enterprise)
SigningHub Services
Four modes of use:
• Direct user interaction to upload documents and send them to others
• Tight integration with a business application via iFrame technology
• Loose integration for older legacy applications with no suitable user web-browser interface
• Advanced integration using connectors for Salesforce, SharePoint and Dynamics
Sales note: SigningHub is more than digital signatures – initials, comments, group workflow and much, much more
SigningHub workflow – Person to Person
One or any number of users can be in a workflow. Each user receives the notification, then views and signs the document(s).
Diagram: Upload & Share (optional sign) → Review & Sign
Tight integration
• A user interacts with a web application and reaches a point where a signature is needed for their request to proceed
• The web application communicates with SigningHub via API
• The document is shown to the user for review/sign-off (the user is unaware that SigningHub is being used)
• Tight integration uses iFrames to display the document and gather the signature (preserving branding, URL etc.)
Diagram: Web Application → Document (HTML in an iFrame) → Review & Sign
Loose Integration
To enable separate internal or external workflows, suitable for internal/external users. The process is driven by the business application through a RESTful API.
The user interacts with SigningHub and the signed document is returned.
Diagram labels: Business Application; steps 1–4; OPTIONAL Preparation Stage (Prepare/Upload); e.g. Internal Signer (Review & Sign); e.g. External Signer (Review & Sign)
In-person Signing
• This allows two people to view and sign using a single screen in the same login session
• This is useful where one of the persons is not registered and doesn’t hold a digital certificate.
• The host simply shares their screen and the second person can sign with a pre-defined “in-person” signature field. This just creates an e-signature mark.
• This e-signature mark can be protected using a central signing key. Also, the host can apply their e-signature and advanced digital signature as a witness.
Diagram labels: Web Application; steps 1–4; Review & Sign; Review & Sign
SigningHub Architecture – Used directly person to person
Diagram: User (any device, any browser, or SigningHub mobile app) → Internet (HTTPS) → Signing Service (SigningHub, ADSS Server, HSM) → Optional external PKIs (CAs, TSA, OCSP)
Users use a browser or the SigningHub mobile app to log in to SigningHub
SigningHub Architecture – Loose Integration
Diagram: User (any device, any browser, or SigningHub mobile app) → Internet (HTTPS) → Business Layer (Business Application, VPN) → HTTPS (REST/JSON) → Signing Service (SigningHub, ADSS Server, HSM) → Optional external CA, TSA, OCSP
Users use a browser or the SigningHub mobile app to log in to SigningHub
SigningHub Architecture – Tight Integration
Diagram: Users (Windows / Mac OS X + any browser) → Internet (HTTPS) → Business Layer (existing Business Application) → HTTPS → SigningHub (SigningHub Server, HSM; PDF and Word 2013; PAdES and XAdES long-term signatures) → Optional PKIs (CAs, TSA, OCSP)
Users can sign using central, local or mobile keys/certificates. A local key and certificate held in the Windows CAPI/CNG or Mac Keychain store is used through the new local Go>Sign Desktop application.
The SigningHub User Interface
SigningHub - View & Sign
The document is securely imaged on the server and shown to the user
They can scroll up and down or use the navigation guide
Note: Only the assigned signature field can be signed by the named user
SigningHub - View & Sign
Click the Navigation Guide to take you to the next action (optional)
Click “Sign Now” or click the highlighted signature field to sign
Note: This will be slightly different when using a local key and certificate. The signer certificate will be shown and the PIN will be prompted for on the local system
SigningHub - View & Sign
The signature is created and workflow control is passed to the second signer
To view the signature verification information, click the signed signature field
SigningHub - Verify
To view the signature verification information, click the signed signature field
Mobile apps for signing
Easy to sign on mobiles & tablets!
Exploring ADSS Server Solutions
Opportunity 2: Bulk Signing using ADSS Signing Server
Bulk PDF Signing
• ADSS Signing Server, using high-trust certificates, provides fully automated signing – especially for invoices
• Immediately usable with Auto File Processor (AFP), or can be integrated with business applications via DotNet or Java APIs
• Long-term PDF PAdES, XAdES or CAdES signatures using internal or external TSA and OCSP services
• ADSS Server can be configured to connect to various external CAs to automatically fetch certificates
Many Satisfied Clients
• Most using AFP, some using our API
• Leaseplan, Ireland CRO, Netherlands KvK, ACN Euro
Diagram: Auto File Processor moves final documents (to be signed) from system or networked document folders to ADSS Signing Server and returns the signed documents
Auto File Processor: various intelligent features; high availability option; remote processing option; Windows / Unix
ADSS Signing Server: full signing policy controls; separation of security; keys in appropriate HSMs; high availability / high throughput on Windows / Unix; cloud or on-premise
Sales note: SigningHub has bulk signing for 10s of documents – this is for 1000s or millions
Opportunity 3: Individual User Signing using ADSS Signing Server
Unique per user document signing
• Any format of data including PDF, Word, XML and others
• Using keys held:
  • Centrally using an HSM
  • On USB tokens
  • On mobile devices
• Creating basic, timestamped or long-term signatures using external TSA and OCSP services
• ADSS Server can be configured to connect to external PKIs to automatically fetch certificates for each user when these are held centrally
Diagram: Business application → ADSS Signing Server. The business application can use OASIS DSS calls or our DotNet / Java APIs to call our Signing service or Go>Sign Service.
ADSS Signing Server: full signing policy controls; separation of security; keys in appropriate HSMs; high availability / high throughput; Windows / Unix
Sales note: Lead with SigningHub, then switch if the requirement is actually for XML signing or GUI-less signing
Opportunity 4: ADSS LTANS Archive Server
10 to 100 year protection for any data
• Some documents need to be secured for up to 100 years, sometimes indefinitely – the answer is ADSS LTANS Archive Server
• Any format of data can have an RFC 4998 ERS evidence object created, including PDF, Word, XML, video, voice, pictures, etc.
• Uses a TSA to timestamp the evidence object
• Can also use a corporate signing certificate to show who accepted and processed the original data to create the evidence record
• ADSS Server can be configured to connect to external CAs to automatically fetch certificates
Diagram: Business application → ADSS LTANS Archive Server, called via our DotNet / Java APIs
ADSS LTANS Archive Server: full signing policy controls; separation of security; keys in appropriate HSMs; high availability / high throughput; Windows / Unix
Sales note: LTANS = “Long-term Archive and Notary Signing” and leverages existing TSAs
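As an added illustration (not Ascertia code and not a complete RFC 4998 implementation) of how an ERS evidence record lets one TSA timestamp cover a whole batch of archived objects: every object is hashed, a hash tree is built whose parent nodes hash their sorted children (RFC 4998 section 4.2), the root is timestamped, and each object keeps only the sibling hashes it needs (its reduced hash tree) to rebuild that root years later. The sample documents and the `token` dict are constructed stand-ins for real files and for the RFC 3161 token a TSA would issue; ASN.1 encoding and timestamp renewal are left out.

```python
import hashlib
from typing import Dict, List

# Constructed sample data objects standing in for the PDFs, XML, voice and
# video files the archive server would protect (not real Ascertia data).
DOCUMENTS = [b"invoice-0001.pdf", b"contract.xml", b"call-recording.wav", b"site-photo.jpg"]

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def node_hash(children: List[bytes]) -> bytes:
    # RFC 4998 section 4.2: sort child hashes in binary ascending order,
    # concatenate and hash. Sorting makes a proof independent of leaf position.
    return h(b"".join(sorted(children)))

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Binary hash tree, level by level, leaves first and root last. A lone node
    on an odd level is carried up unchanged (a simplification of RFC 4998)."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i:i + 2]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def reduced_hash_tree(levels: List[List[bytes]], index: int) -> List[List[bytes]]:
    """Per-object proof: the sibling hash needed at each level to rebuild the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append([level[sibling]] if sibling < len(level) else [])
        index //= 2
    return proof

def archive(documents: List[bytes]) -> Dict:
    """Constructed evidence store: one timestamp over the root, one reduced tree per object."""
    levels = build_tree([h(d) for d in documents])
    root = levels[-1][0]
    # Stand-in for the RFC 3161 TimeStampToken a TSA would return for `root`.
    token = {"hashAlgorithm": "sha256", "messageImprint": root, "genTime": "2015-11-01T00:00:00Z"}
    return {"timestamp": token, "proofs": [reduced_hash_tree(levels, i) for i in range(len(documents))]}

def verify(data: bytes, proof: List[List[bytes]], token: Dict) -> bool:
    """Rehash the object up through its reduced tree and compare with the timestamped root."""
    current = h(data)
    for siblings in proof:
        current = node_hash([current] + siblings) if siblings else current
    return current == token["messageImprint"]
```

A verifier needs only the object, its reduced hash tree and the timestamp token, so the other objects in the batch never have to be disclosed.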
Exploring EU / High Trust Signatures
Where to hold user signing keys?
Centrally: ideal for signing on any device, anywhere
• Using keys protected by an HSM, or using keys held in an encrypted DB
Locally: issues in some browsers and mobiles!
• Smartcards or USB tokens offer strong security but are complex for the user and costly
• Software containers have security issues
Mobile: for projects that do not want centrally held keys
• Mobile apps with soft key storage or optional hardware “secure elements”
Support all the options - let the business, security and regulatory requirements decide which is best for the use case!
Different levels of signatures
Diagram (pyramid): EU Qualified Signatures; Advanced Electronic Signatures; Basic Electronic Signatures
• All can be accepted in court
• Higher levels provide greater trust and non-repudiation
• Qualified level adds complexity/cost
• Support different levels of signatures and select the level based on the specific business use case
Note: Adobe trusted CDS and AATL certificates are also supported
New eIDAS Regulations
Blog: http://blog.signinghub.com/eidas-changing-landscape-for-e-signature-regulations
• Replaces the old 1999 EU Directive on Electronic Signatures
• 1999 regulations become obsolete in July 2016
• Provides a mechanism to harmonise different eID schemes across Europe
• Allows server-side “remote signatures”
• eIDAS is currently only high-level regulation, with no implementation guides or Protection Profiles yet…
  • ETSI TS 419 241 is being worked on
  • probably available mid 2016
  • Certified products from late 2016 / early 2017
Server-side signing using the eIDAS Approach
TS 419 241 provides high-level requirements for server-side signing and has two levels:
• Level 1 – capable of creating advanced signatures: requires unique signing keys for users in a certified HSM; user authentication can be done by the software application
• Level 2 – capable of creating qualified signatures: requires unique signing keys for users in a certified HSM; user authentication must be two-factor and must be enforced by the HSM
Ascertia products are already capable of meeting Level 1
Ascertia, working with HSM and IDP partners, aims to be certified at both levels in late 2016
Why Ascertia
Ascertia has great products that:
• Leverage the value of any standards-based eID trust scheme
• Provide a solid digital signature framework that ensures the future
• Support eIDAS today, while we progress with a great solution to meet TS 419 241
• Support central, local and mobile keys and certificates
• Allow multiple PKI and eID schemes to be used, with signatures from all of these verified within the same solution
• Support and recommend long-term ETSI PAdES, XAdES and CAdES signatures
• Offer good security management to CWA 14167-1
• Meet all EU, US and other electronic signature acts and the requirements of FDA 21 CFR 11
• Provide strong traceability, accountability and auditability
Our products make it easy for business users:
• Ascertia leads in high-trust, simple-to-use document workflow and approval
• Our technology does not get in the way of a good user experience
• We avoid technically difficult questions or selections
• We expect the user to make mistakes and prevent these
• We use central trust policies rather than making local environment decisions
Identity Proven, Trust Delivered
www.ascertia.com
Copyright © Ascertia 2015
High Trust Solutions from a European Company
Rod Crook, Solutions, [email protected]
[email protected], +44 1256 895416