Ascertia Signing Solutions

Leveraging New Business

November 2015

Copyright © Ascertia 2015


Identity Proven, Trust Delivered

Ascertia Overview

Established in 2001, owned and managed by people with decades of relevant experience in global PKI security

Key verticals are all government departments plus financial services, aviation, pharma, health

Product focus is on providing advanced digital signature solutions that deliver legal weight and high-trust cryptographic security

Main message: “the most secure way to sign”

Company focus is on long-term relationships and secure, high quality products that leverage the value of Public Key technology and services

A privately held company that listens to its customers and partners!


Ascertia Products 2015


Opportunity 1: SigningHub (Cloud or Enterprise)


SigningHub Services

Four modes of use:

Direct user interaction to upload documents and send to others

Tight integration with a business application via iFrame technology

Loose integration for older legacy applications with no suitable user web-browser interface

Advanced integration using connectors for Salesforce, SharePoint, Dynamics

Sales note: SigningHub is more than digital signatures – initials, comments, group workflow and much, much more


SigningHub workflow – Person to Person

One or any number of users can be in a workflow

Each user receives the notification, then views and signs the document(s)

Upload & Share (optional sign)

Review & Sign


Tight integration

A user interacts with a web application and reaches a point where a signature is needed for their request to proceed

Web application communicates with SigningHub via API

The document is shown to the user for review/sign-off (the user is unaware that SigningHub is being used)

Tight integration using iFrames to display document and gather signature (preserve branding, URL etc.)

[Diagram: Web Application; Document; HTML in an iFrame; Review & Sign]


Loose Integration

To enable separate internal or external workflows, suitable for internal/external users

Process driven by the business application through a RESTful API

The user interacts with SigningHub and the signed document is returned

[Diagram: Business Application; steps 1 to 4; OPTIONAL Preparation Stage (Prepare/Upload); e.g. Internal Signer (Review & Sign); e.g. External Signer (Review & Sign)]


In-person Signing

This allows two people to view and sign using a single screen in the same login session

This is useful where one of the people is not registered and doesn’t hold a digital certificate.

The host simply shares their screen and the second person can sign with a pre-defined “in-person” signature field. This just creates an e-signature mark.

This e-signature mark can be protected using a central signing key. Also the host can apply their e-signature and advanced digital signature as a witness.

[Diagram: Web Application; steps 1 to 4; Review & Sign; Review & Sign]


SigningHub Architecture – Used directly person to person

Users use a browser or SigningHub mobile app to log in to SigningHub

[Diagram: USER (any device, any browser, or SigningHub mobile app); INTERNET; HTTPS; SIGNING SERVICE (SigningHub, ADSS Server, HSM); Optional External PKIs: CAs, TSA, OCSP]


SigningHub Architecture – Loose Integration

Users use a browser or SigningHub mobile app to log in to SigningHub

[Diagram: USER (any device, any browser, or SigningHub mobile app); INTERNET; HTTPS; HTTPS (REST/JSON); BUSINESS LAYER (Business Application, VPN); SIGNING SERVICE (SigningHub, ADSS Server, HSM); Optional External CA, TSA, OCSP]


SigningHub Architecture – Tight Integration

Can sign using Central, local or Mobile keys/certificates

[Diagram: USERS (Windows / MacOSX + any browser; local key and certificate in Windows CAPI/CNG or Mac Keychain store; use new local Go>Sign Desktop application to sign); INTERNET; HTTPS; BUSINESS LAYER (Existing Business Application); HTTPS; SIGNINGHUB (SigningHub Server, HSM; PDF and Word 2013; PAdES and XAdES long-term signatures); Optional PKIs: CAs, TSA, OCSP]


The SigningHub User Interface


SigningHub - View & Sign

The document is securely imaged on the server and shown to the user

They can scroll up and down or use the navigation guide

Note: Only the assigned signature field can be signed by the named user


SigningHub - View & Sign

Click the Navigation Guide to take you to the next action (optional)

Click “Sign Now” or click the highlighted signature field to sign

Note: This will be slightly different when using a local key and certificate. The signer certificate will be shown and the PIN will be prompted for on the local system


SigningHub - View & Sign

The signature is created and workflow control is passed to the second signer

To view the signature verification information, click the signed signature field


SigningHub - Verify

To view the signature verification information, click the signed signature field


Mobile apps for signing

Easy to sign on mobiles & tablets!


Exploring ADSS Server Solutions


Opportunity 2: Bulk Signing using ADSS Signing Server

Bulk PDF Signing

• ADSS Signing Server - using high trust certs provides fully automated signing – especially for invoices

• Immediately usable with Auto File Processor (AFP) or can be integrated with business applications via DotNet or Java APIs

• Long-term PDF PAdES, XAdES or CAdES signatures using internal or external TSA and OCSP services

ADSS Server can be configured to connect to various external CAs to automatically fetch certificates

Many Satisfied Clients

• Most using AFP, some using our API

• Leaseplan, Ireland CRO, Netherlands KvK, ACN Euro

Auto File Processor

Final documents (to be signed)

Signed documents

System or networked document folders

ADSS Signing Server

Various intelligent features

High availability option

Remote processing option

Windows / Unix

Full signing policy controls

Separation of security

Keys in appropriate HSMs

High availability / high throughput on Windows / Unix

Cloud or On-premise

Sales note: SigningHub has bulk signing for 10’s of documents – this is for 1000’s or millions


Opportunity 3: Individual User Signing using ADSS Signing Server

Unique per user document signing

• Any format of data including PDF, Word, XML, and others

• Using keys held:

• Centrally using an HSM

• On USB tokens

• On mobile devices

• Creating basic, timestamped or long-term signatures using external TSA and OCSP services

ADSS Server can be configured to connect to external PKIs to automatically fetch certificates for each user when these are held centrally

Business application

ADSS Signing Server

Can use OASIS DSS calls or use our DotNet / Java APIs to call our Signing service or Go>Sign Service

Full signing policy controls

Separation of security

Keys in appropriate HSMs

High availability / high throughput

Windows / Unix

Sales note: Lead with SigningHub then switch if the requirement is actually for XML signing or GUI-less signing


Opportunity 4: ADSS LTANS Archive Server

10 to 100 year protection for any data per user document signing

• Some documents need to be secured for up to 100 years, sometimes indefinitely – the answer is ADSS LTANS Archive Server

• Any format of data can have an RFC 4998 ERS evidence object created, including PDF, Word, XML, video, voice, pictures, etc

• Uses a TSA to timestamp the Evidence object

• Can also use a corporate signing certificate to show who accepted and processed the original data to create the evidence record

ADSS Server can be configured to connect to external CAs to automatically fetch certificates

Business application

ADSS LTANS Archive Server

Can use our DotNet / Java APIs to call the LTANS service

Full signing policy controls

Separation of security

Keys in appropriate HSMs

High availability / high throughput

Windows / Unix

Sales note: LTANS = “Long-term Archive and Notary Signing” and leverages existing TSAs


Exploring EU / High Trust Signatures


Where to hold user signing keys?

Centrally: ideal for signing on any device, anywhere

• Using keys protected by an HSM, or using keys held in an encrypted DB

Locally: issues in some browsers and mobiles!

• Smartcard or USB token offers strong security but is complex for the user and costly

• Software containers have security issues

Mobile: for projects that do not want centrally held keys

• Mobile apps with soft key storage or optional hardware “secure elements”

Support all the options - let the business, security and regulatory requirements decide which is best for the use case!


Different levels of signatures

EU Qualified Signatures

Advanced Electronic Signatures

Basic Electronic Signatures

All can be accepted in court

Higher-levels provide greater trust and non-repudiation

Qualified level adds complexity/cost

Support different levels of signatures and select level based on specific business use case

Note: Adobe trusted CDS and AATL certificates are also supported


New eIDAS Regulations


Blog:

http://blog.signinghub.com/eidas-changing-landscape-for-e-signature-regulations

Replaces the old 1999 EU Directive on Electronic Signatures

1999 regulations become obsolete in July 2016

Provides mechanism to harmonise different eID schemes across Europe

Allows server-side “remote signatures”

eIDAS is currently only high-level regulation, no implementation guides and Protection profiles yet…

• ETSI TS 419 241 is being worked on

• probably available mid 2016

• Certified products from late 2016 / early 2017


Server-side signing using eIDAS Approach


TS 419 241 provides high-level requirements for server-side signing and has two levels:

• Level 1 – capable of creating advanced signatures: requires unique signing keys for users in certified HSM, user authentication can be done by the software application

• Level 2 – capable of creating qualified signatures: requires unique signing keys for users in certified HSM, user authentication must be two factor and must be enforced by HSM

Ascertia products already capable of meeting Level 1

Ascertia working with HSM and IDP partners aims to be certified at both levels in late 2016


Why Ascertia

Ascertia has great products that:

• Leverage the value of any standards based eID trust scheme

• Provide a solid digital signature framework that ensures the future

• eIDAS is supported today and we are progressing with a great solution to meet TS 419 241

• Central, local and mobile keys and certificates are supported

• Multiple PKI and eID schemes can be used and signatures from these verified within the same solution

• Long-term ETSI PAdES, XAdES and CAdES signatures are supported and recommended

• Good security management to CWA 14167-1

• Meets all EU and US and other electronic signature acts and the requirements of FDA 21 CFR 11

• Provide strong traceability, accountability and auditability

Our products make it easy for business users:

• Ascertia leads in high trust, simple to use document workflow and approval

• Our technology does not get in the way of a good user experience

• We avoid technically difficult questions or selections

• We expect the user to make mistakes and prevent these

• We use central trust policies rather than making local environment decisions


www.ascertia.com


Identity Proven, Trust Delivered

High Trust Solutions from a European Company

Rod Crook

Solutions [email protected]

[email protected]

+44 1256 895416