Ascertia PKIconference 2015 - final

Driving Regional Business Efficiency by Implementing cross‐border Digital Signatures

Rod Crook, Solutions Director
Liaquat Khan, Technical Director

June 2015

Copyright © Ascertia 2015



Agenda

Why are digital signatures inevitable for business efficiency?

How to overcome the challenges of cross‐border digital signatures:

• Legality issues
• Interoperability issues
• Commercial issues
• Complexity issues


A little bit about Ascertia…

Established since 2001 with decades of relevant expertise with global PKI security 

Key focus on financial services and government organisations

Product focus is on providing advanced digital signature solutions that deliver legal weight, high‐trust cryptographic security

Main message: “the most secure way to sign”

Company focus is on long‐term relationships and secure, high quality products

A privately held company that listens to its customers and partners!


Who relies on us

http://www.ascertia.com/company/customers


Why are digital signatures inevitable for businesses? 


The Challenge for PKI Providers 

Making PKI ubiquitous, invisible, easier to use

Delivering a full range of interoperable trust services 

Allowing business processes to leverage this trust

Making it easier to create and verify signatures

Enabling the use of roles, rights, limits

Allowing all documents and data to be secured against unauthorised changes

Preserving information for the long term

Electronic documents and data cannot be trusted without cryptography


Remember these…


Where we are now

In today’s connected digital world, users want:

• Access to everything
• All the time
• From anywhere


Paper processes have issues

• Time wasted

• Greater costs

• Inefficient processes

• Susceptibility to errors

• Poor data integrity

• Increase business risk

• Data leakage

• Lower level of trust

• Tracking issues

• Archive costs

Substantial impacts:

Complex leasing paper‐based signing time:   28 days

Complex e‐document digital signing time:  28 hrs


All kinds of documents need a signature


Some statistics

60% of companies admit to printing and ink signing documents and then scanning them back in to their DMS [AIIM 2014]

It is time to migrate to a complete, end‐to‐end, electronic document system!

Employees who use paper‐based processes can spend up to 20% of their workdays searching for information.


Digital signatures remove paper issues

| Issue | with paper documents | using e‐Documents |
| --- | --- | --- |
| Originality | Paper copy of the original is needed | Always available on‐line and more than one original can exist |
| Completeness | Pages can be missing, lost or damaged | Not possible to have missing, lost or damaged pages |
| Authenticity | Achieved using pen and ink initials and hand signatures | Achieved using advanced digital signatures |
| Non‐repudiation | Achieved using multiple witnessed/notarised copies | Achieved using advanced digital signatures with optional notary |
| Confidentiality | Using sealed envelopes and couriers etc. | Using encrypted SSL/TLS secure sessions |
| Time notarisation | May be unclear exactly when signed | On‐line timestamp authority provides secure and trusted time of signing action |
| Workflow management | Unclear who has the document and where the hold‐up is! | The document status and next user action is always available |
| Archiving | Easy to misplace or lose and scanned backups are unsuitable for proof | Multiple copies can be kept at different sites in a secure digital archive format |


Businesses face many challenges

Increasing efficiencies and revenues
• Winning more business, more frequently
• Speeding up the customer acquisition/on‐boarding process (KYC)
• Streamlining business processes
• Reducing paper use, archive, recovery
• Driving customer loyalty and repeat business and referrals

Meeting customer demands and expectations
• Ensuring 24/7 availability and convenient access to services
• Shifting into a mobile and digital‐first world
• Improving customer satisfaction
• Understanding the power shift and connecting on all channels

Meeting regulations and compliance
• Delivering strong security and standards compliance
• Ensuring legally binding documents, with evidence and audit trails
• AML measures and reducing susceptibility to fraudulent activity
• Improving traceability, accountability, internal controls
• Ensuring validity of documents and files for 20+ years


The value of digital signatures

On average, up to 3 days is added to most processes in order to collect physical signatures. ‐ AIIM

68% of companies using digital signatures have had payback within 12 month budget cycle ‐ AIIM

For the sender:
• Much less time and effort to manage overall process
• Easy to track status
• Easy to search and find documents
• Fewer mistakes by signers
• Reduce signer drop‐off rates

For the signer:
• Simple
• Quick
• Can sign anytime, anywhere

For the company:
• Happy customers & employees
• More productivity, concentrate on core tasks
• Much higher security than ink‐based paper signatures
• Easy to deploy, manage and control
• Clear audit trails
• High availability and back‐up of important documents
• Cost effective


Reasons for using digital signatures

Improve efficiencies & customer experience
• Identify & sign from any location on any device
• Enhanced digital workflow minimising errors
• Speed up internal & external signing processes
• Easy to use, robust and flexible
• Fast and secure archive of documents

Prevent fraud & reduce business risk
• Clearly identify signers and approvers
• Guarantee no document changes
• Provide full audit trail & evidence of actions
• Long term archiving of documents
• Legal acceptance compliance

Reduce cost & deliver fast ROI
• No paper, printer, postage, handling, storage
• Reduced carbon footprint and green credentials
• Fast ROI can be achieved by going digital
• Maintain integrity and accuracy of data
• Faster conversion of new business transactions


Basic security properties of digital signatures

Signer authentication
• proof of who actually signed the document, i.e. digital signatures linking the user’s signature to an actual identifiable entity.

Data integrity
• proof that the document has not been changed since signing. The digital signature depends on every binary bit of the document and therefore can’t be re‐attached to any other document.

Non‐repudiation
• i.e. the signer should not be able to falsely deny having signed their signature. That is, it should be possible to prove in a court that the signer in fact created the signature.


The opportunity for CAs… 

Certificate Authorities need to:

• Grow business beyond TLS / SSL certificate sales
• Grow the value of Digital Identity Certificates by providing really useful business applications

Businesses want to:

• Delight customers in their dealings
• Streamline processes and cut costs
• Free‐up employees to focus on core tasks instead of chasing paper
• Meet regulatory requirements
• Avoid mistakes and minimize fraud

Electronic signing of documents is a solution business leaders understand and want ‐ compared to just PKI. We have learnt from experience…!


Cross‐border Challenges: Legality Issues


Different levels of signatures

• EU Qualified Signatures
• Advanced Electronic Signatures
• Basic Electronic Signatures

• All can be accepted in court

• Higher‐levels provide greater trust and non‐repudiation

• Higher levels add complexity & cost

Support different levels of signatures and select level based on specific business use case


Basic e‐signatures

Properties:

• No protection of the document itself

• Signer can claim e‐signature was copied from another document

• Signer can claim document was changed after e‐signing

• Signer can claim that this is not their signature

Signer makes their “mark” on the document


E‐Signature with user’s digital signature 

Properties:

• User’s identity bound with the document (no one else can sign on behalf of this user)

• Document can’t be changed without detection 

• Signer can’t deny having signed the document 

After e‐signing, John digitally signs the whole document using his private signing key


E‐Signatures with witness digital signatures

Properties:

• User authentication is not bound with the document (since user did not sign with their own key)

• Document cannot be changed without detection since it’s digitally signed by the corporate key

After e‐signing, the whole document is digitally signed using a central authority’s private signing key


What’s required for legal certainty

Many laws but what it essentially boils down to:

Does the signature identify the signer?

Can the user make their signature mark on the document?

Can the signer’s intention to sign be proven?

Can you prove the signer was the only one who could have created the signature?

Will any subsequent changes to the document invalidate the signature?

Can the signature be verified many years into the future?

Can the signature be verified independently of the solution provider?

Is there a complete audit trail?

Remember legal certainty is more than just the techie stuff ‐ i.e. was the signing a wilful act! 

Don’t rely on just national laws, have specific contractual agreements that define the acceptance and responsibilities of all parties


Cross‐border Challenges: Interoperability Issues


Many different PKIs…

• Internal Enterprise PKIs
• Adobe Approved Trust List
• Public browser‐based PKIs
• Industry specific PKIs & Trust lists
• National Government PKIs


Trust interoperability 

In complex environments, the signing platform must be capable of:
• Dynamic Cert Path Discovery (using LDAP/S & HTTP/S)
• Full Cert Validation (RFC 5280 / PKITS Test Suite compliance)

The signing platform must support standard protocols:
• RFC 5280 X.509 Certs/CRLs
• RFC 6960 OCSP real‐time validation
• RFC 3161 Time Stamps

The platform must understand multiple regional CAs

[Diagram labels: Signer, Country A; Relying Party, Country B; CA A; CA B; Signing Platform]

PKI trust relationships should be selectable within the platform at a business application level or organisation level and define the acceptable regional CA quality levels

Many approaches to achieving PKI level interoperability!
• Trust Lists
• Bridge VA
• Bridge CA
• Cross‐certificates


Where to hold user signing keys?

• Locally: issues in some browsers and mobiles!
  • Smartcard/USB token – strong security but complex for user & costly
  • Software container – security issues
• Centrally: ideal for signing on any device, anywhere!
  • Using keys protected by an HSM – hot topic!
  • Use keys in an encrypted DB – security concerns!
• Mobile: the future
  • Software apps
  • Secure hardware elements

Support all the options, let the business, security & regulatory requirements decide which is best for the use case! 


User authentication before signing

• No authentication, e.g. for immediate e-signing
• Single factor, e.g. username / password
• Multi-factor, e.g. OTP via SMS, tokens (time-based, event-based, FIDO, PKI)
• External IDP, e.g. Trusted / Licensed Identity Provider using SAML / OAuth

Support all the options, let the business, security & regulatory requirements decide which is best for the use case! 


Document/Sig Format Interoperability 

For humans – 95% of the time it’s PDFs:
• Used everywhere
• Very rich support for digital signatures
• Supports long‐term preservation (PDF/A format)
• Many freely available readers
• Not tied to one vendor ‐ ISO standards

For machines – 95% of the time it’s XML!

Use PDF Signatures (PAdES) & XML Signatures (XAdES).  Note there are many standard profiles…


Automatic Trust for PDFs

Support Adobe® Approved Trust List (AATL) for automatic trust in Reader


Long‐term verification 

Documents need to be verified 10, 20, 30+ years…sometimes indefinitely!

At the time of verification, certificates will be expired, certificate status information will no longer be available

Cryptographic algorithms will have weakened since signing and may no longer be trusted!

Use long‐term verifiable signature formats which can be extended over time with fresh evidence (PAdES Part 4 and XAdES‐A formats)
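The reasoning on this slide, as an added example (not Ascertia code, and not part of the original deck): a simplified Python model of a verifier that judges the signer's certificate at the trusted signing time and requires each timestamp to be covered by newer evidence before its TSA certificate expires. All class, function and sample names are hypothetical, the dates are constructed, and no cryptography or PAdES/XAdES parsing is performed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after

@dataclass
class Timestamp:
    """Stands in for an RFC 3161 token: a trusted time plus the TSA certificate."""
    time: datetime
    tsa_cert: Cert

@dataclass
class SignedDoc:
    signer_cert: Cert
    signature_ts: Optional[Timestamp] = None           # trusted time of signing
    revocation_evidence_at: Optional[datetime] = None  # when embedded OCSP/CRL data was produced
    revoked_at: Optional[datetime] = None              # revocation time stated in that data
    archive_ts: List[Timestamp] = field(default_factory=list)  # later "fresh evidence"

def verify(doc: SignedDoc, now: datetime) -> Tuple[str, str]:
    """Return (status, reason); status is VALID, INVALID or INDETERMINATE."""
    if doc.signature_ts is None:
        # No trusted signing time: the certificate can only be judged as of today.
        if not doc.signer_cert.valid_at(now):
            return ("INDETERMINATE", "certificate expired and no trusted signing time")
        return ("INDETERMINATE", "live revocation check needed")
    chain = [doc.signature_ts] + sorted(doc.archive_ts, key=lambda t: t.time)
    # Each token must be covered by the next one while its TSA certificate is
    # still valid; the newest token must still be covered today.
    covered_at = [t.time for t in chain[1:]] + [now]
    for token, when in zip(chain, covered_at):
        if not token.tsa_cert.valid_at(token.time):
            return ("INVALID", "timestamp issued outside TSA certificate validity")
        if not token.tsa_cert.valid_at(when):
            return ("INDETERMINATE", "evidence lapsed before it was renewed")
    signed_at = doc.signature_ts.time
    if not doc.signer_cert.valid_at(signed_at):
        return ("INVALID", "signer certificate not valid at signing time")
    if doc.revocation_evidence_at is None or doc.revocation_evidence_at < signed_at:
        return ("INDETERMINATE", "no embedded revocation evidence from after signing")
    if doc.revoked_at is not None and doc.revoked_at <= signed_at:
        return ("INVALID", "certificate was revoked before signing")
    return ("VALID", "judged at %s" % signed_at.date())

# Constructed sample data: a 2015 signature checked in 2026.
def day(y, m=1, d=1):
    return datetime(y, m, d)

SIGNER = Cert("CN=John (constructed)", day(2015), day(2017))
TSA_1 = Cert("CN=TSA 1 (constructed)", day(2014), day(2020))
TSA_2 = Cert("CN=TSA 2 (constructed)", day(2018), day(2028))
SIGNED = Timestamp(day(2015, 6), TSA_1)
OCSP_AT = day(2015, 6, 2)

PLAIN = SignedDoc(SIGNER)
TIMESTAMPED = SignedDoc(SIGNER, SIGNED, OCSP_AT)
ARCHIVED = SignedDoc(SIGNER, SIGNED, OCSP_AT, archive_ts=[Timestamp(day(2019, 6), TSA_2)])
RENEWED_LATE = SignedDoc(SIGNER, SIGNED, OCSP_AT, archive_ts=[Timestamp(day(2021), TSA_2)])

if __name__ == "__main__":
    for name, doc in [("plain", PLAIN), ("timestamped", TIMESTAMPED),
                      ("archived", ARCHIVED), ("renewed late", RENEWED_LATE)]:
        print(name, verify(doc, day(2026)))
```

Only the document whose evidence was extended in 2019, before the first TSA certificate expired, still verifies in 2026; the same timestamped document without an archive timestamp verified in 2016 but not a decade later.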


Cross‐border Challenges: Commercial Issues


Commercial challenges

• Only viable if clear and quick ROI
• Must be cheaper than current process costs
• Must be affordable to all – including SMEs
• Must support free & offline validation
• Documents & supporting evidence data must be available to owners at all times now & in the future
• Must be multi‐lingual and branded for acceptance by end‐users

Ensure public or private cloud or on‐premise, with flexible pricing models based on users or transaction volumes 


Cross‐border Challenges: Complexity Issues


Complexity challenges

User experience is key:
• Must be easy to review, sign and verify documents – avoid s/w installs, browser configs, java warnings…
• Must prevent mistakes by users (e.g. choosing wrong certs or signing in wrong place)
• Must guide the user to ensure no signing/initials/form field is missed
• Must be easy to integrate into any custom web application or portal
• Must have connectors for popular business applications to allow signing from within familiar environments
• Support real world scenarios like delegated signing, group/role‐based signing, bulk signing, parallel signing etc

Get your priority right ‐ to be effective the solution has to solve the real business problems!


Real‐world is about workflow & integrations

(ERP, CRM, DMS, etc.)

Digital signatures are only part of the solution, they need to fit into the bigger picture!


Flexibility in signature appearances

Signer’s Name

Location

Signer’s Reason

Trusted Date/Time

Company Logo

Hand‐signature image


Flexibility in e‐signature capture

Draw with mouse

Image held on eID Card

Signature Pad Device

Draw on tablet/mobile  (iOS & Android) 

Type/font signature

Image provided via business application through API

Upload Image


The time is right to digitally sign!

Efficiencies can be quickly seen and easily realised 

Costs can be substantially lower

Process errors can be substantially reduced

Data integrity can be assured

Business risks can be lowered

Data leakage can be prevented

High levels of trust can be achieved

Excellent traceability, accountability and audit

Something is signed / approved OR not signed and not approved

No more assumptions about business process approvals


www.ascertia.com


Identity Proven, Trust Delivered

Register for an enterprise trial account today and start signing with advanced digital signatures!

Rod Crook and Liaquat Khan
