SSLPost Electronic Document Signing

Transcription

1 SSLPost Electronic Document Signing

2 Overview What is a Qualifying Advanced Electronic Signature (QAES)? A Qualifying Advanced Electronic Signature, is a specific type of digital electronic signature, that when applied to a document is accepted in the EU as a legally binding document as if it had been physically signed in a traditional manner. A QAES is obtained from a Qualified Certificate and only an accredited Certificate Authority (CA) can issue Qualifying Certificates. What is the unique selling point in providing e-signing? The relationship between your organisation and an end user becomes very sticky when you are using a digital signature issued by SSLPost, which has been configured to sign documents and reports that are traditional outputs from well know industry software. An overview of the QAES distribution hierarchy CA RA RS Certificate Authority QuoVadis Registration Authority SSLPost Registered Senders CA RA RS European Union North America Southern Hemisphere 1

3 An overview of how a document is digitally signed server side Document is sent to SSLPost and the sender authenticates themselves on the SSLPost platform. 2 Factor Authentication sender Sign document with an ETSI approved certificate held in escrow by SSLPost. Encrypt / Decrypt document using the proprietary SSLPost platform. 256 BIT Recipient simply opens digitally signed document OR alternatively they counter sign the document using ETSI certificate held on the SSLPost platform which requires a 2 factor authentication process to be completed. 2 Factor Authentication The document is delivered by MTA. Document recorded by SSLPost (non repudiation) The document is received by SSLPost. Recipient s server accepts encrypted signed document. Signed Document The document is sent to SSLPost. Recipient downloads document from their server. recipient 2

4 Proprietary SSLPost Platform Message data & recipient details are combined The session key is used to decrypt the message data and the result is returned to the user s web browser over an SSL link. A hash value of the message is calculated and signed with the sender's private key. 5 #VALUE SSL Message data is encrypted with a unique random 256 bit AES session key. 256 BIT 3 The session key is encrypted with the recipient s public 2048 bit key. 256 BIT The result is encrypted with a 256 bit seal key (used to track access to the data if recipient s private key is held client side) BIT SSL Decrypt Secure Message Please enter your password: *********** decrypt message The message is checked against the hash value using the sender s public key and if it matches the recipient is prompted to enter their password BIT BIT PASSWORD 9 The server validates the password entered, retrieves the seal key to decrypt step 4 and then uses the recipient's private 2048 bit key to decrypt step 3 and obtain the session key. #VALUE Internet Browser SSL 6 A standard internet is created with an HTML form containing the recipients details, the encrypted message data, encrypted session key, an SHA 1 hash value of the message and the signature. form form Internet The recipient receives the and opens the HTML form attachment. They click the open button and the information in the message is sent to the sender s server for decryption. 7 Decode Secure Message Please click decode button to view message open message 3

5 What is accepted as a legally binding e-document? SSLPost uses QuoVadis as its Certificate Authority The key accreditation that allows QuoVadis to issue qualified certificates comes from its accreditation as a Netherlands and EU Qualified Certification Services Provider, which requires QuoVadis to be annually audited against the European standards for EC Qualified Certification Service. Online reference: There is nothing contained within UK/EU legislation that precludes a foreign CSP from issuing Qualified Certificates to UK/EU customers. Extracts for reference The following page from the European Commission website (European Commission website - esignature standardisation in the UK) discusses the esignature standardisation aspects for the United Kingdom: It states that there are no additional UK requirements pursuant to Article 3(7) of the EC Directive. Article 3(7) of the EC Directive relates to additional requirements imposed by member states. See below for the extract from Article 3(7) of the EC Directive. EC Directive (DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT) Article 3(3): Article 3(3) of the Directive requires Member States to ensure the establishment of an appropriate system that allows for supervision of certification-service-providers (CSPs) which are established on its territory and which issue qualified certificates (QCs) to the public. Article 3(7) of the Directive states: 7. Member States may make the use of electronic signatures in the public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate and non-discriminatory and shall relate only to the specific characteristics of the application concerned. Such requirements may not constitute an obstacle to cross-border services for citizens. 4

6 The Electronic Signatures Regulations 2002 Definitions: Certification-service-provider means a person who issues certificates or provides other services related to electronic signatures. Qualified certificate means a certificate which meets the requirements in Schedule 1 and is provided by a certification-service-provider who fulfills the requirements in Schedule 2; Regulation 3 Regulation 3 of the Electronic Signatures Regulations 2002, which implements Article 3.3 of the Directive, imposes a duty on the Secretary of State to: Keep under review the carrying on of activities of Certification Service Providers (CSPs) established in the United Kingdom which provide Qualified Certificates (QCs) to the Public, and of the persons by whom they are carried on, with a view to the Secretary of State becoming aware of the identity of those persons and circumstances relating to the carrying on of those activities, Establish and maintain a register of those CSPs, record in the register the name and address of those CSPs of whom the Secretary of State is aware, Publish the register in an appropriate manner, Have regard to any evidence of the conduct of those CSPs, which is detrimental to users of QCs, with a view to publication of any evidence. UK Electronic Communications Act 2000 ( the Act ) Note: Section 7 of the Act talks about the signature being admissible in terms of legal proceedings and does not mention CSPs, Qualified or Advanced certificates. An extract of Section 7 of the act is provided in below: Electronic signatures and related certificates: 7 (1) In any legal proceedings: (a) An electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and 5

7 (b) The certification by any person of such a signature shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data. (2) For the purposes of this section an electronic signature is so much of anything in electronic form as: (a) Is incorporated into or otherwise logically associated with any electronic communication or electronic data; and (b) Purports to be so incorporated or associated for the purpose of being used in establishing the authenticity of the communication or data, the integrity of the communication or data, or both. (3) For the purposes of this section an electronic signature incorporated into or associated with a particular electronic communication or particular electronic data is certified by any person if that person (whether before or after the making of the communication) has made a statement confirming that: (a) The signature, (b) A means of producing, communicating or verifying the signature, or (c) A procedure applied to the signature, Is (either alone or in combination with other factors) a valid means of establishing the authenticity of the communication or data, the integrity of the communication or data, or both. Annex II Annex II of the EU Directive is transposed into UK law through Schedule II of the Electronic Signature Regulations 2002 as follows: CSPs that wish to issue Qualified Certificates must therefore: Show the necessary reliability for providing certification services, Run a prompt and secure directory and a secure and immediate revocation service, Ensure that the date and time of issuance and revocation can be determined precisely, Verify the identity and any applicable attributes of the person to whom a qualified certificate is issued, Employ personnel that are qualified and technically competent to run the services securely and apply administrative and management procedures, which are adequate and correspond with recognized standards (e.g. ISO/IEC 27001), 6

8 Use trustworthy systems and products, which are protected against modification and ensure the technical and cryptographic security of the process supported by them, Protect against forgery of certificates, and guarantee confidentiality during in-house signature-creation data processes, Maintain sufficient financial resources to operate in conformity with the Directive, in particular to cover liabilities, for example by obtaining appropriate insurance, Keep all relevant records (manually or electronically) concerning a qualified certificate for an appropriate period of time, in particular to provide evidence in legal proceedings, Not store or copy signature-creation data (e.g. a private key) of any person to whom the CSP has provided key management services, Before entering into any contractual relationship for a certificate, inform anyone seeking certification services of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary approval scheme, complaints and dispute settlement procedures. Such information may be transmitted electronically, but must be in writing, and in readily understood language. Upon request, relying third parties must also have access to relevant parts of the information, Use trustworthy systems to store certificates in a verifiable form so that only authorised persons can make entries or changes, information authenticity can be checked, certificates are publicly available for retrieval only where the certificate holder s consent has been obtained, and any technical changes compromising these security requirements are apparent to the operator. 7