Rod Crook, Solutions Director, and Liaquat Khan, Technical Director
Copyright © Ascertia 2015
Driving Regional Business Efficiency by Implementing cross‐border Digital Signatures
June 2015
Identity Proven, Trust Delivered
Agenda
Why are digital signatures inevitable for business efficiency?
How to overcome the challenges of cross‐border digital signatures:
• Legality issues
• Interoperability issues
• Commercial issues
• Complexity issues
A little bit about Ascertia…
Established in 2001, with decades of relevant expertise in global PKI security
Key focus on financial services and government organisations
Product focus is on providing advanced digital signature solutions that deliver legal weight, high‐trust cryptographic security
Main message: “the most secure way to sign”
Company focus is on long‐term relationships and secure, high quality products
A privately held company that listens to its customers and partners!
Who relies on us: http://www.ascertia.com/company/customers
Why are digital signatures inevitable for businesses?
The Challenge for PKI Providers
Making PKI ubiquitous, invisible, easier to use
Delivering a full range of interoperable trust services
Allowing business processes to leverage this trust
Making it easier to create and verify signatures
Enabling the use of roles, rights, limits
Allowing all documents and data to be secured against unauthorised changes
Preserving information for the long term
Electronic documents and data cannot be trusted without cryptography
Remember these…
Where we are now
In today’s connected digital world, users want:
Access to everything
All the time
From anywhere
Paper processes have issues
• Time wasted
• Greater costs
• Inefficient processes
• Susceptibility to errors
• Poor data integrity
• Increased business risk
• Data leakage
• Lower level of trust
• Tracking issues
• Archive costs
Substantial impacts:
Complex leasing paper‐based signing time: 28 days
Complex e‐document digital signing time: 28 hrs
All kinds of documents need a signature
Some statistics
60% of companies admit to printing and ink‐signing documents and then scanning them back into their DMS [AIIM 2014]
It is time to migrate to a complete, end‐to‐end, electronic document system!
Employees who use paper‐based processes can spend up to 20% of their workdays searching for information.
Digital signatures remove paper issues
Each property below is shown first as it stands with paper documents, then as it stands using e‐Documents.
Originality
  Paper: a paper copy of the original is needed
  e‐Documents: always available on‐line, and more than one original can exist
Completeness
  Paper: pages can be missing, lost or damaged
  e‐Documents: not possible to have missing, lost or damaged pages
Authenticity
  Paper: achieved using pen and ink initials and hand signatures
  e‐Documents: achieved using advanced digital signatures
Non‐repudiation
  Paper: achieved using multiple witnessed/notarised copies
  e‐Documents: achieved using advanced digital signatures with optional notary
Confidentiality
  Paper: using sealed envelopes and couriers etc.
  e‐Documents: using encrypted SSL/TLS secure sessions
Time notarisation
  Paper: may be unclear exactly when signed
  e‐Documents: an on‐line timestamp authority provides secure and trusted time of the signing action
Workflow management
  Paper: unclear who has the document and where the hold‐up is!
  e‐Documents: the document status and next user action is always available
Archiving
  Paper: easy to misplace or lose, and scanned backups are unsuitable for proof
  e‐Documents: multiple copies can be kept at different sites in a secure digital archive format
Businesses face many challenges
Increasing efficiencies and revenues
• Winning more business, more frequently
• Speeding up the customer acquisition/on‐boarding process (KYC)
• Streamlining business processes
• Reducing paper use, archive, recovery
• Driving customer loyalty and repeat business and referrals
Meeting customer demands and expectations
• Ensuring 24/7 availability and convenient access to services
• Shifting into a mobile and digital‐first world
• Improving customer satisfaction
• Understanding the power shift and connecting on all channels
Meeting regulations and compliance
• Delivering strong security and standards compliance
• Ensuring legally binding documents, with evidence and audit trails
• AML measures and reducing susceptibility to fraudulent activity
• Improving traceability, accountability, internal controls
• Ensuring validity of documents and files for 20+ years
The value of digital signatures
On average, up to 3 days is added to most processes in order to collect physical signatures. ‐ AIIM
68% of companies using digital signatures have had payback within 12 month budget cycle ‐AIIM
For the sender:
• Much less time and effort to manage the overall process
• Easy to track status
• Easy to search and find documents
• Fewer mistakes by signers
• Reduced signer drop‐off rates
For the signer:
• Simple
• Quick
• Can sign anytime, anywhere
For the company:
• Happy customers & employees
• More productivity, concentrate on core tasks
• Much higher security than ink‐based paper signatures
• Easy to deploy, manage and control
• Clear audit trails
• High availability and back‐up of important documents
• Cost effective
Reasons for using digital signatures
Improve efficiencies & customer experience
• Identify & sign from any location on any device
• Enhanced digital workflow minimising errors
• Speed up internal & external signing processes
• Easy to use, robust and flexible
• Fast and secure archive of documents
Prevent fraud & reduce business risk
• Clearly identify signers and approvers
• Guarantee no document changes
• Provide full audit trail & evidence of actions
• Long term archiving of documents
• Legal acceptance compliance
Reduce cost & deliver fast ROI
• No paper, printer, postage, handling, storage
• Reduced carbon footprint and green credentials
• Fast ROI can be achieved by going digital
• Maintain integrity and accuracy of data
• Faster conversion of new business transactions
Basic security properties of digital signatures
Signer authentication
• Proof of who actually signed the document, i.e. the digital signature links the user’s signature to an actual identifiable entity.
Data integrity
• Proof that the document has not been changed since signing. The digital signature depends on every binary bit of the document and therefore can’t be re‐attached to any other document.
Non‐repudiation
• The signer should not be able to falsely deny having created their signature. That is, it should be possible to prove in a court that the signer in fact created the signature.
The opportunity for CAs…
Certificate Authorities need to:
• Grow business beyond TLS / SSL certificate sales
• Grow the value of Digital Identity Certificates by providing really useful business applications
Electronic signing of documents is a solution business leaders understand and want, compared to just PKI. We have learnt from experience…!
Businesses want to:
• Delight customers in their dealings
• Streamline processes and cut costs
• Free‐up employees to focus on core tasks instead of chasing paper
• Meet regulatory requirements
• Avoid mistakes and minimize fraud
Cross‐border Challenges: Legality Issues
Different levels of signatures
EU Qualified Signatures
Advanced Electronic Signatures
Basic Electronic Signatures
• All can be accepted in court
• Higher‐levels provide greater trust and non‐repudiation
• Higher levels add complexity & cost
Support different levels of signatures and select level based on specific business use case
Basic e‐signatures
Properties:
• No protection of the document itself
• Signer can claim e‐signature was copied from another document
• Signer can claim document was changed after e‐signing
• Signer can claim that this is not their signature
Signer makes their “mark” on the document
E‐Signature with user’s digital signature
Properties:
• User’s identity bound with the document (no one else can sign on behalf of this user)
• Document can’t be changed without detection
• Signer can’t deny having signed the document
After e‐signing, John digitally signs the whole document using his private signing key
E‐Signatures with witness digital signatures
Properties:
• User authentication is not bound with the document (since the user did not sign with their own key)
• Document cannot be changed without detection, since it is digitally signed by the corporate key
After e‐signing, the whole document is digitally signed using a central authority’s private signing key
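The three properties listed under “Basic security properties of digital signatures” (signer authentication, data integrity, non‐repudiation), and the difference between a user’s own digital signature and a witness signature made with a corporate key, can be exercised directly. The Go program below is an added example written for this page, not Ascertia’s code: it signs a SHA‐256 digest of the document with ECDSA, using freshly generated keys for “John” and for the corporate signing service, and two constructed sample documents (all names and document text are made up).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample documents (made up for this example).
var (
	contract = []byte("Lease agreement: 10 Example Street, 24 months. Agreed by John.")
	otherDoc = []byte("Purchase order: 500 units of part X.")
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signDocument hashes every byte of the document and signs the digest with the
// signer's private key, so the signature depends on the whole content and on a
// key that only this signer holds.
func signDocument(key *ecdsa.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyDocument checks the signature against the claimed signer's public key.
func verifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// outcomes records what a verifier can and cannot establish in each scenario.
type outcomes struct {
	Genuine, Tampered, Reattached, WrongSigner, WitnessByCorp, WitnessAsJohn bool
}

func run() outcomes {
	john, corp := newKey(), newKey() // John's personal key and the platform's corporate key
	userSig := signDocument(john, contract)
	witnessSig := signDocument(corp, contract)
	tampered := append([]byte(nil), contract...)
	tampered[len(tampered)-1] ^= 0x01 // flip a single bit after signing
	return outcomes{
		Genuine:       verifyDocument(&john.PublicKey, contract, userSig),    // signer authentication and integrity hold
		Tampered:      verifyDocument(&john.PublicKey, tampered, userSig),    // integrity: one changed bit breaks it
		Reattached:    verifyDocument(&john.PublicKey, otherDoc, userSig),    // signature cannot move to another document
		WrongSigner:   verifyDocument(&corp.PublicKey, contract, userSig),    // only John's key verifies John's signature
		WitnessByCorp: verifyDocument(&corp.PublicKey, contract, witnessSig), // witness: proves the platform signed
		WitnessAsJohn: verifyDocument(&john.PublicKey, contract, witnessSig), // ...but not that John did
	}
}

func main() {
	fmt.Printf("%+v\n", run())
}
```

The last two results are the point of the witness‐signature slide: a corporate key still gives tamper evidence, but the verifier can only establish that the platform signed, so John’s identity has to come from the platform’s authentication and audit records rather than from the signature itself.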
What’s required for legal certainty
Many laws, but what it essentially boils down to:
Does the signature identify the signer?
Can the user make their signature mark on the document?
Can the signer’s intention to sign be proven?
Can you prove the signer was the only one who could have created the signature?
Will any subsequent changes to the document invalidate the signature?
Can the signature be verified many years into the future?
Can the signature be verified independently of the solution provider?
Is there a complete audit trail?
Remember, legal certainty is more than just the techie stuff, i.e. was the signing a wilful act!
Don’t rely on just national laws, have specific contractual agreements that define the acceptance and responsibilities of all parties
Cross‐border Challenges: Interoperability Issues
Many different PKIs…
• Internal Enterprise PKIs
• Adobe Approved Trust List
• Public browser‐based PKIs
• Industry specific PKIs & Trust lists
• National Government PKIs
Trust interoperability
Many approaches to achieving PKI level interoperability!
In complex environments, the signing platform must be capable of:
• Dynamic Cert Path Discovery (using LDAP/S & HTTP/S)
• Full Cert Validation (RFC 5280 / PKITS Test Suite compliance)
The signing platform must support standard protocols:
• RFC 5280 X.509 Certs/CRLs
• RFC 6960 OCSP real‐time validation
• RFC 3161 Time Stamps
The platform must understand multiple regional CAs
[Diagram: a Signer in Country A (certified by CA A) and a Relying Party in Country B (certified by CA B), connected through the Signing Platform; the trust relationships shown between the CAs are Trust Lists, Bridge VA, Bridge CA and Cross‐certificates.]
PKI trust relationships should be selectable within the platform at a business application level or organisation level, and should define the acceptable regional CA quality levels
Where to hold user signing keys?
• Locally: issues in some browsers and mobiles!
  • Smartcard/USB token – strong security but complex for user & costly
  • Software container – security issues
• Centrally: ideal for signing on any device, anywhere!
  • Using keys protected by an HSM – hot topic!
  • Using keys in an encrypted DB – security concerns!
• Mobile: the future
  • Software apps
  • Secure hardware elements
Support all the options, let the business, security & regulatory requirements decide which is best for the use case!
User authentication before signing
• No authentication, e.g. for immediate e-signing
• Single factor, e.g. username / password
• Multi-factor, e.g. OTP via SMS, tokens (time-based, event-based, FIDO, PKI)
• External IDP, e.g. Trusted / Licensed Identity Provider using SAML / OAuth
Support all the options, let the business, security & regulatory requirements decide which is best for the use case!
Document/Sig Format Interoperability
For humans – 95% of the time it’s PDFs:
• Used everywhere
• Very rich support for digital signatures
• Supports long‐term preservation (PDF/A format)
• Many freely available readers
• Not tied to one vendor – ISO standards
For machines – 95% of the time it’s XML!
Use PDF Signatures (PAdES) & XML Signatures (XAdES). Note there are many standard profiles…
Automatic Trust for PDFs
Support Adobe® Approved Trust List (AATL) for automatic trust in Reader
Long‐term verification
Documents need to be verified 10, 20, 30+ years later…sometimes indefinitely!
At the time of verification, certificates will have expired and certificate status information will no longer be available
Cryptographic algorithms will have weakened since signing and may no longer be trusted!
Use long‐term verifiable signature formats which can be extended over time with fresh evidence (PAdES Part 4 and XAdES‐A formats)
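The trust‐interoperability slide (dynamic path discovery, RFC 5280 validation, selectable regional CAs, cross‐certificates) and the long‐term verification slide both come down to RFC 5280 path validation under a chosen trust policy at a chosen point in time. The Go program below is an added example for this page, not Ascertia’s code. It builds a constructed PKI (two made‐up regional root CAs, a cross‐certificate issued by CA B over CA A’s key, and a signer certificate issued by CA A; all names, keys and dates are invented), validates the signer’s certificate under three relying‐party trust policies, and then repeats the validation 15 years after signing. The variable signingTime stands in for the time an RFC 3161 timestamp would assert; the cross‐certificate plays the role the bridge/cross‐certification box plays in the diagram.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed demo PKI (names, keys and dates are made up for this example): two
// regional roots, a cross-certificate from CA B over CA A's key, a signer under CA A.
type pki struct {
	rootA, rootB, crossAbyB, signer *x509.Certificate
}

// signingTime stands in for the trusted time an RFC 3161 timestamp would carry.
var signingTime = time.Date(2015, 6, 1, 12, 0, 0, 0, time.UTC)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// issue signs tmpl (carrying pub) with parentKey; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

func caTemplate(name string, serial int64, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             signingTime.AddDate(-1, 0, 0),
		NotAfter:              signingTime.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI() *pki {
	keyA, keyB, keyS := newKey(), newKey(), newKey()
	tA, tB := caTemplate("Country A Root CA", 1, 10), caTemplate("Country B Root CA", 2, 10)
	rootA := issue(tA, tA, &keyA.PublicKey, keyA)
	rootB := issue(tB, tB, &keyB.PublicKey, keyB)
	// Cross-certificate: CA B certifies CA A's public key under CA A's name, so a relying
	// party trusting only CA B can build the path signer -> CA A (cross-cert) -> CA B.
	cross := issue(caTemplate("Country A Root CA", 3, 5), rootB, &keyA.PublicKey, keyB)
	tS := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: "John Signer"},
		NotBefore:    signingTime.AddDate(0, -1, 0),
		NotAfter:     signingTime.AddDate(2, 0, 0), // signer certificates are short-lived
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	return &pki{rootA, rootB, cross, issue(tS, rootA, &keyS.PublicKey, keyA)}
}

// verifyAt runs RFC 5280 path validation of the signer certificate against the relying
// party's chosen trust anchor (a trust list would add more roots to the pool) plus any
// bridge or cross-certificates, at the stated point in time.
func verifyAt(p *pki, at time.Time, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := p.signer.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // document-signing EKU policy is the platform's job
	})
	return err
}

// isExpired reports whether validation failed because a certificate in the path is
// outside its validity period at the chosen time.
func isExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	p := buildPKI()
	fmt.Println("RP trusts CA A:             ", verifyAt(p, signingTime, p.rootA))
	fmt.Println("RP trusts CA B only:        ", verifyAt(p, signingTime, p.rootB))
	fmt.Println("RP trusts CA B + cross-cert:", verifyAt(p, signingTime, p.rootB, p.crossAbyB))
	err := verifyAt(p, signingTime.AddDate(15, 0, 0), p.rootA)
	fmt.Println("Same path 15 years later:   ", err, "| expired:", isExpired(err))
}
```

The first three calls show trust being a relying‐party policy choice: the same signer certificate is accepted under CA A, rejected under CA B alone, and accepted again once CA B’s cross‐certificate is available for path building. The last call is the long‐term verification problem in miniature: with only the certificates, validation 15 years on fails on expiry, which is why a PAdES‐LTV or XAdES‐A signature has to carry a trusted timestamp and archived certificate and revocation evidence so that the verifier can evaluate the path as it stood at signing time. Go’s standard library validates paths offline only; the dynamic path discovery (LDAP/HTTP), OCSP and timestamp handling listed on the slide would sit around this call in a real signing platform.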
Cross‐border Challenges: Commercial Issues
Commercial challenges
• Only viable if there is a clear and quick ROI
• Must be cheaper than current process costs
• Must be affordable to all – including SMEs
• Must support free & offline validation
• Documents & supporting evidence data must be available to owners at all times, now & in the future
• Must be multi‐lingual and branded for acceptance by end‐users
Ensure public or private cloud or on‐premise, with flexible pricing models based on users or transaction volumes
Cross‐border Challenges: Complexity Issues
Complexity challenges
Get your priorities right: to be effective, the solution has to solve the real business problems!
User experience is key:
• Must be easy to review, sign and verify documents – avoid s/w installs, browser configs, java warnings…
• Must prevent mistakes by users (e.g. choosing wrong certs or signing in the wrong place)
• Must guide the user to ensure no signing/initials/form field is missed
• Must be easy to integrate into any custom web application or portal
• Must have connectors for popular business applications to allow signing from within familiar environments
• Support real world scenarios like delegated signing, group/role‐based signing, bulk signing, parallel signing etc.
Real‐world is about workflow & integrations (ERP, CRM, DMS, etc.)
Digital signatures are only part of the solution, they need to fit into the bigger picture!
Flexibility in signature appearances
Signer’s Name
Location
Signer’s Reason
Trusted Date/Time
Company Logo
Hand‐signature image
Flexibility in e‐signature capture
Draw with mouse
Image held on eID Card
Signature Pad Device
Draw on tablet/mobile (iOS & Android)
Type/font signature
Image provided via business application through API
Upload Image
The time is right to digitally sign!
Efficiencies can be quickly seen and easily realised
Costs can be substantially lower
Process errors can be substantially reduced
Data integrity can be assured
Business risks can be lowered
Data leakage can be prevented
High levels of trust can be achieved
Excellent traceability, accountability and audit
Something is signed / approved, OR not signed and not approved
No more assumptions about business process approvals
www.ascertia.com
Identity Proven, Trust Delivered
Register for an enterprise trial account today and start signing with advanced digital signatures! Rod Crook and Liaquat Khan