over 10 years of securing identities, web sites & transactions
Best prac*ces in Cer*fying and Signing PDFs
Paul van Brouwershaven
Business Development Director EMEA, GlobalSign @vanbroup on TwiEer
www.globalsign.com
INTERNATIONAL FOOTPRINT Customers spanning all industries
www.globalsign.com
GlobalSign History PROVEN TRACK RECORD
Issued over 1.4m digital certificates / digital IDs to people, web sites & machines
Issued over 200,000 SSL Certificates
Over 20 million certificates worldwide rely on the public trust provided by the GlobalSign root
§ Founded in 1996 by BE Chambers of Commerce, ING Bank & Vodafone.
§ Acquired by GMO Internet Inc (ticker symbol Tokyo Stock Exchange: 9449) & re-launched in 2006 as true worldwide operation. § GMO parent to over 50 Internet technology & hosting
companies, including largest hosting company in Asia. § Current shareholders include Yahoo!,
Morgan Stanley & Credit Suisse. § GlobalSign is Digital Certificate
security division of global group. § Web services & offline services for
provisioning Digital Certificates for enterprise, Government, developers, hosting & Cloud services.
www.globalsign.com
GlobalSign Products | Visible Trust in an online world
Server, Database & Network Security
SSL Certificates Managed SSL
Developer Solutions Code Signing
Embedded SSL
Secure Email Digital IDs for Individuals Digital IDs for Depts Managed Digital IDs
eDocument /File Security & Compliance Adobe CDS for PDF Microsoft Office Encrypting File System (EFS)
Automated SSL for Web Hosts
SSL Reseller Program One-Click SSL
PKI & Root Signing Trusted Root for CAs
www.globalsign.com
Digital Cer*ficates – An Introduc*on
www.globalsign.com
Authen*city and Integrity
www.globalsign.com
A normal cer*ficate VS an Adobe one
www.globalsign.com
Adobe Cer*fied Document Services
• GlobalSign is an authorized Adobe CDS provider
• Web-Trust Certified, third party Certificate Authority
• Governed by Adobe Certificate Policy
• Only CDS issued digital IDs are instantly trusted in Adobe Reader 7.0+ (SHA-256)
www.globalsign.com
“Meet or exceed FIPS 140-‐1 Level 2”
“Subscriber key pairs must be generated in a manner that ensures that the private key is not known by anybody other than the Subscriber or a Subscriber’s authorized representative. Subscriber key pairs must be generated in a medium that prevents exportation or duplication and that meets or exceed FIPS 140-1 Level 2 certification standard.”
www.globalsign.com
EV Guidelines state: Code signing keys are to be protected by a FIPS 140-2 level 2 (or equivalent) crypto module. Techniques that may be used to satisfy this requirement include: § (A) Use of an HSM, verified by means of a manufacturer’s certificate; § (B) A hardware crypto module provided by the CA; § (C) Contractual terms in the subscriber agreement requiring the
Subscriber to protect the private key to a standard equivalent to FIPS 140-2 and with compliance being confirmed by means of an audit.
EV Code Signing -‐ Private-‐Key Protec*on
www.globalsign.com
Adobe Cer*fied Document Services
• Allows recipients of PDF documents to know:
• who signed the document • the content is intact • the time the document is
signed • Recipients only need to have the
free Adobe Reader 7.0+ (installed on >800M computers worldwide)
Strong Authentication Data Integrity Non Repudiation
Recipients of Certified PDFs need no special software, plug-ins, or special configuration!!!
www.globalsign.com
Simple and effec*ve GUI
Trusted Modified Changed
Signed Certified Unknown Author
www.globalsign.com
Without *me stamping and CRL Services
Certification without time stamping and CRL Services. The validity of the signature expires with the validity of the digital certificate used to sign the document.
2011 2012 2013 2014
www.globalsign.com
What about revoca*on?
With a “Revocation Event” the validity of the signature expires with the revocation of the digital certificate.
Basic Signatures are not suitable for Long Term Validation signing (Documents)
2011 2012 2013 2014
www.globalsign.com
ETSI TS 102 778
With “Services” the validity of the signature applied to the document never expires even if there is a revocation event.
Part 1: "PAdES Overview - a framework document for PAdES"; Part 2: "PAdES Basic - Profile based on ISO 32000-1"; (Best Practice) Part 3: "PAdES Enhanced - PAdES-BES and PAdES-EPES Profiles"; Part 4: "PAdES Long Term - PAdES-LTV Profile"; Part 5: "PAdES for XML Content - Profiles for XAdES signatures".
2011 2012 2013 2014
www.globalsign.com
Where do customers use CDS?
www.globalsign.com
§ A constantly changing landscape § No single EU wide solution for
compliance* § Recommendations by PWC for 2013
already changing the requirements on a country by country basis.
§ No consistent approach to preserve authenticity and integrity for ‘Archive and Storage Purposes’ offering the possibility of legal recourse. (AMEX)
§ *Adobe CDS offers the only Pan European (Global) authenticity and Integrity validation system. All other systems require a separate system/service that is not automatic, nor guaranteed.
Electronic Invoicing in the EU
The Amex legal case and subsequent lessons learnt? http://www.legalethics.com/include/content/amex012406.pdf
§ QES (Qualified Electronic Signature)
§ Automatic legal standing in EU. § Issued on a SSCD § Generally issued from a government
root CA. § Not usable for Time stamping services.
§ AES /AdES) (Advanced Electronic Signature)
§ Unique to the signatory; § Identifying the signatory; § Created using sole control; § Linked to the data to which it relates.
Change of the data is detectable;
www.globalsign.com
Electronic Invoicing – Is it legal?
Assumes VAT supply country is consistent
2A. Acceptance of ‘advanced e-signatures’ to send e-invoices (■ = yes / ■ = no )
2B. If yes, can AES be used without obligation to use a qualified certificate (■ = yes or not applicable / ■ = no)
2C. If yes, are qualified certificates from other EU Member States accepted (■ = yes / ■ = subject to conditions)
2D. If yes, can AES be used without obligation to use a secure signature-creation device (■ = yes / ■ = no)
2E. If yes, can the recipient process the invoice without verifying the signature (■ = yes / ■ = no)
3A. Other means than AES or EDI accepted? (■ = yes / ■ = only “other" electronic signatures / ■ = no )
3B. If yes, can other means be used without prior approval? (■ = yes / ■ = in some cases / ■ = no ) 3C. Unsigned pdf invoice accepted? (■ = as an e-invoice in case authenticity and integrity are guaranteed by other means / ■ = as a paper invoice ■ = no )
www.globalsign.com
Some EMEA Customers
www.globalsign.com
Possible Architecture (e-‐Invoice)
Document Generation Engine (Content, Layout, Storage and other specific
compliancy rules)
Application of Digital Signature To Customer
Archive
Digital Certificates
Optional TSA (>1M)
HSM
AdES (CDS)
AdES (CDS)
GlobalSign TSA
Service
over 10 years of securing identities, web sites & transactions
Thank you
Paul van Brouwershaven [email protected]
Recommended
