View from a European Trust Service Provider
Server Signing: Return of experience and certification strategy
January 16, 2014 - Berlin
Thibault de Valroger, VP Strategy & Development, OPENTRUST
Thibault.devalroger@opentrust.com

2 words about OPENTRUST
- OpenTrust: Technology and Service provider in Digital Trust
- Our mission: Bring trust in the new digital business
- Offices in Europe, Middle East, and North America
- 2 Datacenters
- 120 employees with 40% R&D
- +200 large account customers in Government, Finance and Industry
- Creator of the esignature service
- 25 million eIDs secured worldwide
- 300,000 documents digitally signed and notarized every month
- 200 million transactions secured every month
- Reseller partners in 20 countries

Digital Signature market dynamics
The digital signature market benefits from a 50% yearly growth rate from 2012 to 2016 (Gartner).
Remote transaction:
- Online subscription
- Paperless SEPA SDD Mandate
- Paperless Account creation
- Supplier contract management
- Customer contract management
- HR contract management
Face to face transaction:
- Contract signing in Point of Sale
- Contract signing by retailers and distributors (loans, insurance)
- Contract signing in mobility (insurance, real estate, pharmaceutics, commerce of goods)
BtoC / BtoB

Use cases integrated in online selling process or business workflow
- Signing online instantly at home, at office
- Online signing associated to phone selling or cross channel / multi-signer process
- Signing online asynchronously
- Signing in Point of Sale
- Cross channel
- Contracting in mobility
- Online or offline with asynchronous transaction confirmation

Signing online instantly
Improve conversion rate, avoid back-office post-sale costs, be present 24/7
Diagram (Customer, Offerer website): 1. Subscription process; 2. redirect; 2. To be signed contract; 3. Signed contract + evidence file; 4. Evidence creation & Archiving

Signing online asynchronously
Manage campaigns, avoid back-office post-sale costs, reduce delays
Diagram (Personal advisor, Advisor Back-Office application, Customer): 1. Contract preparation; 2. E-mail notification; 2. To be signed contract; 3. Consent & signature process; 4. Signed contract + evidence file; 4. Evidence creation & Archiving

Signing in Point of Sale
Improve PoS efficiency, concentrate PoS on selling, avoid back-office post-sale costs, keep all digital
Diagram (Personal advisor, Advisor Back-Office application): 1. Contract preparation; 2. Tablet synchronisation; 2. To be signed contract; 3. Consent & signature process; 3. Signed contract + evidence file; 4. Evidence creation & Archiving

Contracting in mobility
Improve sales rep. efficiency, improve business traceability, keep all digital
Diagram (Face to face selling process, Back-Office application): 1. Consent process (mostly offline; transaction recorded and sealed); 2. Synchronisation; 2. Delayed signature process; 2. Transaction confirmation (optional but recommended); 3. Signed contract + evidence file; 3. Evidence creation & Archiving

Facing lack of qualified signature in BtoC
An eID embedding a digital signature feature is not always convenient:
- May not exist
- May not be pluggable on display terminal (tablet)
- May not be provided with appropriate middleware or signing SW
- May not benefit from a clear liability scheme for business transactions
- Is anyway relevant (when it exists) and easier to use for authentication

A pragmatic & winning approach
- Use server signing associated with authentication methods
- Certify the solution against AdES, complemented with evidence management to compensate for the reversal of the burden of proof
- When transactions are performed face to face (F2F), certify the solution against AdES based on Qualified Certificate to improve trust and interoperability
- We commissioned the European leader TUV-IT for this certification

Protect & Sign Certification
Protect&Sign Cloud Personal Signing is certified as Advanced Signature for 2 respective use cases:
- Remote: the signatory signs a document without the physical presence of an RA representative; he / she is authenticated by a remote method (SMS, OTP, shared secret, ...). Advanced LCP certification (ETSI TS 102 042)
- Face to face: the signatory signs a document in the physical presence of an RA representative; the RA representative verifies the ID of the signatory face to face against an official ID document. The transaction is confirmed by a 2-factor authentication method. QCP without SSCD certification (ETSI TS 101 456)

Protect & Sign Evidence Management
Every transaction is associated with an «evidence file» that contains all the elements needed to prove the validity of the signature in case of legal proceedings:
- Consent protocol (legal mentions, check boxes, refuse / accept buttons, ...) that can be «replayed» during legal proceedings or audit
- Authentication protocol (cellphone number + OTP code sent by SMS, for instance)
- To be signed document and signed document as seen by the signatory (WYSIWYS)
The evidence file is timestamped and signed by OPENTRUST as Trusted Third Party.
The signed evidence file is archived for 3 to 10 years (or more).

Protect & Sign Principles vs EU Directive
Protect & Sign principles for the Advanced Signature level within the EU Directive:
(a) Signature creation data is uniquely linked to the signatory
- Protect&Sign delivers to the end-user a short-lived digital certificate with a dedicated and unique key pair (within a secure Hardware Security Module) for each end-user
(b) Signature verification data is capable of identifying the signatory
- Protect&Sign delivers to the end-user a short-lived digital certificate in his / her name
(c) Signature is created using means that the signatory can maintain under his sole control
- The end-user key pair and certificate are generated only after authentication of the end-user, inside a certified HSM, and are destroyed just after the transaction. Nobody can reuse the private key for another transaction
- The authentication procedure is recorded in the evidence file associated with the transaction
(d) It is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable
- The document is digitally signed by the offerer (not modifiable) and displayed to the end-user in a WYSIWYS (What You See Is What You Sign) way before being signed by the end-user
- The document with both digital signatures is timestamped and archived for 10 years inside the «evidence file»

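
The per-transaction key lifecycle of principle (c) and the sealed evidence file from the Evidence Management slide, as an added Go example that is not OpenTrust's code. Assumptions: Ed25519 from the standard library stands in for the HSM-held key pair and for the TSP signature, a plain string stands in for the timestamp token, and all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Evidence is a hypothetical, simplified evidence file for one transaction.
type Evidence struct {
	DocHash                       [32]byte // SHA-256 of the document as displayed
	AuthMethod, Consent, SignedAt string   // auth record, consent record, timestamp stand-in
	SignerPub, Sig                []byte   // one-time verification key and signature
}

// SignTransaction creates the key only after authentication, uses it once, wipes it, and seals the evidence.
func SignTransaction(tsp ed25519.PrivateKey, doc []byte, authOK bool, method, consent, ts string) (*Evidence, []byte, error) {
	if !authOK {
		return nil, nil, errors.New("not authenticated: no signing key generated")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	e := &Evidence{DocHash: sha256.Sum256(doc), AuthMethod: method, Consent: consent, SignedAt: ts, SignerPub: pub}
	e.Sig = ed25519.Sign(priv, e.DocHash[:])
	for i := range priv { // best-effort wipe; a real service keeps the key inside an HSM
		priv[i] = 0
	}
	body, _ := json.Marshal(e) // cannot fail for this struct
	return e, ed25519.Sign(tsp, body), nil
}

// Verify checks the TSP seal first, then the signature over the presented document.
func Verify(tspPub ed25519.PublicKey, e *Evidence, seal, doc []byte) bool {
	body, _ := json.Marshal(e)
	h := sha256.Sum256(doc)
	return ed25519.Verify(tspPub, body, seal) && h == e.DocHash && ed25519.Verify(e.SignerPub, h[:], e.Sig)
}

func main() {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("constructed sample contract")
	ev, seal, err := SignTransaction(key, doc, true, "SMS-OTP", "accepted terms", "2014-01-16T10:00:00Z")
	fmt.Println(err, Verify(pub, ev, seal, doc), Verify(pub, ev, seal, []byte("altered contract")))
}
```

Because the seal covers the authentication and consent records as well as the one-time public key, editing any of them after the fact invalidates the evidence even when the document itself is unchanged.
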
Authentication Strategy
Protect & Sign activates the personal remote signing key with an authentication method.
Diagram labels: Vocal record, Biometric Signature pad small / large size, SMS OTP, CAP EMV, OTP Token, EID with reader, ID upload / scan / verification, Evidence management, User private signing key, Archiving

Authentication Strategy
Signing online instantly at home, at office
Signing online asynchronously
- OTP token
- SMS OTP
- Login password
- eID with smart reader
- CAP EMV
- Vocal recording
- Upload of proving document
Signing in Point of Sale
- eID with tablet reader
- Biometric Sig. pad
- ID check & scan
- ID capture
- SMS OTP (transaction confirmation)
Contracting in mobility

Shared Responsibility Model managed by the TSP
Contract offerer responsibilities:
- Create the To Be Signed document
- Identify the end-user (first name, surname, etc.) and associate an authentication method with him / her
- Inform the end-user about terms & conditions
OPENTRUST (Certification Authority and Evidence Management Authority) responsibilities:
- Check integrity and authenticity of the To Be Signed document
- Ensure WYSIWYS
- Authenticate the end-user to enforce sole control of the private key
- Obtain consent of the end-user and generate the end-user's digital signature creation data (which remains under the end-user's sole control)
- Destroy the digital signature creation data after signature of the document
- Generate the evidence file of the transaction
- Archive and retrieve in real time for 3-10 years (optional)

Conclusion
- Successful approach => volume of transactions is growing by 17% monthly
- Compliance is key to risk management => customers are ready to pay more for certified solutions if they bring them better legal protection
- Next steps: EU Regulation will enable qualified signature with server signing under an evolution of the certification scheme (2015)

Questions? Thibault de Valroger VP Strategy & Development OPENTRUST Thibault.devalroger@opentrust.com