over 10 years of securing identities, web sites & transactions
Best Practices in Certifying and Signing PDFs
Paul van Brouwershaven, Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
INTERNATIONAL FOOTPRINT Customers spanning all industries
GlobalSign History
Founded in 1996 by BE Chambers of Commerce, ING Bank & Vodafone.
Acquired by GMO Internet Inc (ticker symbol Tokyo Stock Exchange: 9449) & re-launched in 2006 as true worldwide operation.
PROVEN TRACK RECORD
Issued over 1.4m digital certificates / digital IDs to people, web sites & machines
Issued over 200,000 SSL Certificates
GMO parent to over 50 Internet technology & hosting companies, including largest hosting company in Asia.
Current shareholders include Yahoo!, Morgan Stanley & Credit Suisse.
GlobalSign is Digital Certificate security division of global group.
Web services & offline services for provisioning Digital Certificates for enterprise, Government, developers, hosting & Cloud services.
Over 20 million certificates worldwide rely on the public trust provided by the GlobalSign root
GlobalSign Products
Visible Trust in an online world
Server, Database & Network Security: SSL Certificates, Managed SSL, Automated SSL for Web Hosts, SSL Reseller Program, One-Click SSL
Developer Solutions: Code Signing, Embedded SSL
Secure Email: Digital IDs for Individuals, Digital IDs for Depts, Managed Digital IDs
eDocument / File Security & Compliance: Adobe CDS for PDF, Microsoft Office, Encrypting File System (EFS)
PKI & Root Signing: Trusted Root for CAs
Digital Certificates: An Introduction
Authenticity and Integrity
A normal certificate vs. an Adobe one
Adobe Certified Document Services
GlobalSign is an authorized Adobe CDS provider
Web-Trust Certified, third party Certificate Authority
Governed by Adobe Certificate Policy
Only CDS issued digital IDs are instantly trusted in Adobe Reader 7.0+ (SHA-256)
Meet or exceed FIPS 140-1 Level 2
Subscriber key pairs must be generated in a manner that ensures that the private key is not known by anybody other than the Subscriber or a Subscriber's authorized representative.
Subscriber key pairs must be generated in a medium that prevents exportation or duplication and that meets or exceeds FIPS 140-1 Level 2 certification standard.
EV Code Signing - Private-Key Protection
EV Guidelines state: Code signing keys are to be protected by a FIPS 140-2 level 2 (or equivalent) crypto module. Techniques that may be used to satisfy this requirement include:
(A) Use of an HSM, verified by means of a manufacturer's certificate;
(B) A hardware crypto module provided by the CA;
(C) Contractual terms in the subscriber agreement requiring the Subscriber to protect the private key to a standard equivalent to FIPS 140-2 and with compliance being confirmed by means of an audit.
Adobe Certified Document Services
Allows recipients of PDF documents to know:
who signed the document
the content is intact
the time the document is signed
Recipients only need to have the free Adobe Reader 7.0+ (installed on >800M computers worldwide)
Strong Authentication, Data Integrity, Non Repudiation
Recipients of Certified PDFs need no special software, plugins, or special configuration!!!
Simple and effective GUI
[Figure: signature status icons labelled Modified Changed Unknown Certified Author Signed Trusted]
Without time stamping and CRL Services
Certification without time stamping and CRL Services. The validity of the signature expires with the validity of the digital certificate used to sign the document.
[Timeline figure: 2011 to 2014]
What about revocation?
With a Revocation Event the validity of the signature expires with the revocation of the digital certificate.
[Timeline figure: 2011 to 2014]
Basic Signatures are not suitable for Long Term Validation signing (Documents)
ETSI TS 102 778
With Services the validity of the signature applied to the document never expires even if there is a revocation event.
[Timeline figure: 2011 to 2014]
Part 1: "PAdES Overview - a framework document for PAdES";
Part 2: "PAdES Basic - Profile based on ISO 32000-1"; (Best Practice)
Part 3: "PAdES Enhanced - PAdES-BES and PAdES-EPES Profiles";
Part 4: "PAdES Long Term - PAdES-LTV Profile";
Part 5: "PAdES for XML Content - Profiles for XAdES signatures".
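The three timelines above (no time stamp, a revocation event, and time stamping plus revocation services) reduce to one rule about which point in time the signer's certificate is judged at. The Python below is an added example, not part of the original slides; the class and field names and all dates are constructed for illustration, and the model assumes the time stamp token itself is trusted and ignores the TSA certificate's own validity.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class SigningCert:            # hypothetical model, not an Adobe or GlobalSign API
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None means no revocation event

@dataclass
class PdfSignature:
    cert: SigningCert
    timestamp: Optional[datetime] = None    # time asserted by a trusted TSA token
    revocation_info_embedded: bool = False  # CRL/OCSP data stored with the signature

def signature_status(sig: PdfSignature, now: datetime) -> str:
    """Status a verifier reports at `now`: valid, revoked, expired or not_yet_valid."""
    long_term = sig.timestamp is not None and sig.revocation_info_embedded
    # With a trusted time stamp and embedded revocation data, the certificate is
    # judged at signing time; otherwise only the verifier's clock is available.
    reference = sig.timestamp if long_term else now
    cert = sig.cert
    if cert.revoked_at is not None and reference >= cert.revoked_at:
        return "revoked"
    if reference < cert.not_before:
        return "not_yet_valid"
    if reference > cert.not_after:
        return "expired"
    return "valid"

def demo() -> dict:
    # Constructed dates following the 2011-2014 timeline on the slides.
    start, end = datetime(2011, 1, 1), datetime(2013, 1, 1)
    signed, revoked = datetime(2011, 6, 1), datetime(2012, 3, 1)
    basic = PdfSignature(SigningCert(start, end))
    basic_rev = PdfSignature(SigningCert(start, end, revoked))
    ltv_rev = PdfSignature(SigningCert(start, end, revoked), signed, True)
    late = PdfSignature(SigningCert(start, end, revoked), datetime(2012, 6, 1), True)
    return {
        "basic_2012": signature_status(basic, datetime(2012, 6, 1)),
        "basic_2014": signature_status(basic, datetime(2014, 1, 1)),
        "basic_revoked_2012": signature_status(basic_rev, datetime(2012, 6, 1)),
        "ltv_revoked_2014": signature_status(ltv_rev, datetime(2014, 1, 1)),
        "signed_after_revocation": signature_status(late, datetime(2014, 1, 1)),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The last case shows the limit of long-term validation: a time stamp placed after the revocation event does not rescue the signature.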
Where do customers use CDS?
Electronic Invoicing in the EU
A constantly changing landscape
No single EU wide solution for compliance*
Recommendations by PWC for 2013 already changing the requirements on a country by country basis.
No consistent approach to preserve authenticity and integrity for Archive and Storage Purposes offering the possibility of legal recourse. (AMEX)
*Adobe CDS offers the only Pan European (Global) authenticity and Integrity validation system. All other systems require a separate system/service that is not automatic, nor guaranteed.
The Amex legal case and subsequent lessons learnt? http://www.legalethics.com/include/content/amex012406.pdf
QES (Qualified Electronic Signature)
Automatic legal standing in EU.
Issued on a SSCD
Generally issued from a government root CA.
Not usable for Time stamping services.
AES / AdES (Advanced Electronic Signature)
Unique to the signatory;
Identifying the signatory;
Created using sole control;
Linked to the data to which it relates. Change of the data is detectable;
Electronic Invoicing: Is it legal?
2A. Acceptance of advanced e-signatures to send e-invoices ( = yes / = no )
2B. If yes, can AES be used without obligation to use a qualified certificate ( = yes or not applicable / = no)
2C. If yes, are qualified certificates from other EU Member States accepted ( = yes / = subject to conditions)
2D. If yes, can AES be used without obligation to use a secure signature-creation device ( = yes / = no)
2E. If yes, can the recipient process the invoice without verifying the signature ( = yes / = no)
3A. Other means than AES or EDI accepted? ( = yes / = only "other" electronic signatures / = no )
3B. If yes, can other means be used without prior approval? ( = yes / = in some cases / = no )
3C. Unsigned pdf invoice accepted? ( = as an e-invoice in case authenticity and integrity are guaranteed by other means / = as a paper invoice = no )
Assumes VAT supply country is consistent
Some EMEA Customers
Possible Architecture (e-Invoice)
[Diagram labels: Document Generation Engine (Content, Layout, Storage and other specific compliancy rules); GlobalSign TSA Service; PDF Archive; Application of Digital Signature; To Customer; Digital Certificates; HSM; AdES (CDS); Optional TSA (>1M)]
Thank you
Paul van Brouwershaven
paul.vanbrouwershaven@globalsign.com