SSLPost Electronic Document Signing




Overview

What is a Qualifying Advanced Electronic Signature (QAES)?

A Qualifying Advanced Electronic Signature is a specific type of digital electronic signature that, when applied to a document, is accepted in the EU as legally binding, as if the document had been physically signed in the traditional manner. A QAES is obtained from a Qualified Certificate, and only an accredited Certificate Authority (CA) can issue Qualifying Certificates.

What is the unique selling point in providing e-signing?

The relationship between your organisation and an end user becomes very sticky when you are using a digital signature issued by SSLPost, which has been configured to sign documents and reports that are traditional outputs from well-known industry software.

An overview of the QAES distribution hierarchy

(Figure: a three-tier hierarchy of CA, RA and RS: the Certificate Authority (QuoVadis), the Registration Authority (SSLPost) and the Registered Senders, shown for the European Union, North America and the Southern Hemisphere.)

An overview of how a document is digitally signed server side

(Figure: flow between the sender, the SSLPost platform and the recipient, with the labels 2 Factor Authentication, 256 BIT and Signed Document.)

1. The document is sent to SSLPost and the sender authenticates themselves on the SSLPost platform (2-factor authentication).
2. The document is received by SSLPost.
3. The document is signed with an ETSI 101 456 approved certificate held in escrow by SSLPost.
4. The document is encrypted / decrypted using the proprietary SSLPost platform (256 bit).
5. The document is recorded by SSLPost (non-repudiation).
6. The document is delivered by MTA; the recipient's email server accepts the encrypted, signed document.
7. The recipient downloads the document from their email server.
8. The recipient simply opens the digitally signed document, or alternatively counter-signs the document using an ETSI certificate held on the SSLPost platform, which requires a 2-factor authentication process to be completed.

Proprietary SSLPost Platform

(Figure: the ten steps below, drawn between the SSLPost server, the internet email and the recipient's browser; the browser dialogs read "Decode Secure Message: please click decode button to view message" and "Decrypt Secure Message: please enter your password".)

1. Message data and recipient details are combined.
2. Message data is encrypted with a unique random 256-bit AES session key.
3. The session key is encrypted with the recipient's public 2048-bit key.
4. The result is encrypted with a 256-bit seal key (used to track access to the data if the recipient's private key is held client side).
5. A hash value of the message is calculated and signed with the sender's private key.
6. A standard internet email is created with an HTML form containing the recipient's details, the encrypted message data, the encrypted session key, an SHA-1 hash value of the message and the signature.
7. The recipient receives the email and opens the HTML form attachment. They click the open button and the information in the message is sent to the sender's server for decryption.
8. The message is checked against the hash value using the sender's public key and, if it matches, the recipient is prompted to enter their password.
9. The server validates the password entered, retrieves the seal key to decrypt step 4 and then uses the recipient's private 2048-bit key to decrypt step 3 and obtain the session key.
10. The session key is used to decrypt the message data and the result is returned to the user's web browser over an SSL link.

What is accepted as a legally binding e-document?

SSLPost uses QuoVadis as its Certificate Authority. The key accreditation that allows QuoVadis to issue qualified certificates comes from its accreditation as a Netherlands and EU Qualified Certification Services Provider, which requires QuoVadis to be annually audited against the European standards for EC Qualified Certification Service. Online reference: http://www.quovadisglobal.com/en-gb/aboutus/accreditations.aspx

There is nothing contained within UK/EU legislation that precludes a foreign CSP from issuing Qualified Certificates to UK/EU customers.

Extracts for reference

The following page from the European Commission website (esignature standardisation in the UK) discusses the esignature standardisation aspects for the United Kingdom: http://ec.europa.eu/information_society/policy/esignature/eu_legislation/notification/uk/index_en.htm

It states that there are no additional UK requirements pursuant to Article 3(7) of the EC Directive. Article 3(7) of the EC Directive relates to additional requirements imposed by member states. The extract from Article 3(7) is given below.

EC Directive (DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT)

Article 3(3): Article 3(3) of the Directive requires Member States to ensure the establishment of an appropriate system that allows for supervision of certification-service-providers (CSPs) which are established on its territory and which issue qualified certificates (QCs) to the public.

Article 3(7) of the Directive states:

7. Member States may make the use of electronic signatures in the public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate and non-discriminatory and shall relate only to the specific characteristics of the application concerned. Such requirements may not constitute an obstacle to cross-border services for citizens.

The Electronic Signatures Regulations 2002

Definitions:

Certification-service-provider means a person who issues certificates or provides other services related to electronic signatures.

Qualified certificate means a certificate which meets the requirements in Schedule 1 and is provided by a certification-service-provider who fulfils the requirements in Schedule 2.

Regulation 3

Regulation 3 of the Electronic Signatures Regulations 2002, which implements Article 3.3 of the Directive, imposes a duty on the Secretary of State to:

- Keep under review the carrying on of activities of Certification Service Providers (CSPs) established in the United Kingdom which provide Qualified Certificates (QCs) to the public, and of the persons by whom they are carried on, with a view to the Secretary of State becoming aware of the identity of those persons and circumstances relating to the carrying on of those activities;
- Establish and maintain a register of those CSPs, and record in the register the name and address of those CSPs of whom the Secretary of State is aware;
- Publish the register in an appropriate manner;
- Have regard to any evidence of the conduct of those CSPs which is detrimental to users of QCs, with a view to publication of any evidence.

UK Electronic Communications Act 2000 ("the Act")

Note: Section 7 of the Act talks about the signature being admissible in legal proceedings and does not mention CSPs, Qualified or Advanced certificates. An extract of Section 7 of the Act is provided below.

Electronic signatures and related certificates

7 (1) In any legal proceedings:
(a) an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and
(b) the certification by any person of such a signature,
shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data.

(2) For the purposes of this section an electronic signature is so much of anything in electronic form as:
(a) is incorporated into or otherwise logically associated with any electronic communication or electronic data; and
(b) purports to be so incorporated or associated for the purpose of being used in establishing the authenticity of the communication or data, the integrity of the communication or data, or both.

(3) For the purposes of this section an electronic signature incorporated into or associated with a particular electronic communication or particular electronic data is certified by any person if that person (whether before or after the making of the communication) has made a statement confirming that:
(a) the signature,
(b) a means of producing, communicating or verifying the signature, or
(c) a procedure applied to the signature,
is (either alone or in combination with other factors) a valid means of establishing the authenticity of the communication or data, the integrity of the communication or data, or both.
Annex II

Annex II of the EU Directive is transposed into UK law through Schedule II of the Electronic Signatures Regulations 2002 as follows. CSPs that wish to issue Qualified Certificates must therefore:

- Show the necessary reliability for providing certification services;
- Run a prompt and secure directory and a secure and immediate revocation service;
- Ensure that the date and time of issuance and revocation can be determined precisely;
- Verify the identity and any applicable attributes of the person to whom a qualified certificate is issued;
- Employ personnel that are qualified and technically competent to run the services securely, and apply administrative and management procedures which are adequate and correspond with recognized standards (e.g. ISO/IEC 27001);
- Use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the processes supported by them;
- Protect against forgery of certificates, and guarantee confidentiality during in-house signature-creation data processes;
- Maintain sufficient financial resources to operate in conformity with the Directive, in particular to cover liabilities, for example by obtaining appropriate insurance;
- Keep all relevant records (manually or electronically) concerning a qualified certificate for an appropriate period of time, in particular to provide evidence in legal proceedings;
- Not store or copy signature-creation data (e.g. a private key) of any person to whom the CSP has provided key management services;
- Before entering into any contractual relationship for a certificate, inform anyone seeking certification services of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary approval scheme, and complaints and dispute settlement procedures. Such information may be transmitted electronically, but must be in writing and in readily understood language. Upon request, relying third parties must also have access to relevant parts of the information;
- Use trustworthy systems to store certificates in a verifiable form so that only authorised persons can make entries or changes, information authenticity can be checked, certificates are publicly available for retrieval only where the certificate holder's consent has been obtained, and any technical changes compromising these security requirements are apparent to the operator.