Ascertia’s products support a variety of country specific and vertical business
needs for e-trust. Many of these needs have their own specific legislative or regulatory
requirements but digital signature solutions are widely accepted by all.
To avoid repetition our solutions are described in a horizontal technology manner
but they can add value to every business sector. The range of deployment and usage
options that Ascertia’s products offer ensures that we have a solution that can
add considerable value. Ascertia is skilled at providing an optimum solution fit
and offers unique services for rapid product enhancement to meet specific business
requirements where they make technical and commercial sense. The applicability of
our solutions is only limited by one’s imagination – call us or call our partners
to discuss your needs today and see how we can help.

Solution: Server based signing

Requirement: e-invoicing, invoice statements, credit notes, orders, order acknowledgements, receipt issuance, company reports, financial reports, regulatory reports etc.

Usage: For PDF documents, XML files, web form data and Office documents

Business applications can call ADSS Server signing services to use corporate signing
keys OR a unique individual signing key (e.g. in the finance director’s name) to
sign output documents as they are produced.
Ascertia's partners specialise in integration with SAP, Oracle and other ERP
environments for the production of e-invoices and other out-bound documents.
Interfacing options are via (1) web services calls, (2) watched folder processing,
(3) email using the Secure Email Server.
It's never been easier to sign data leaving the organisation to ensure that the brand
image is protected and enhanced using financial strength trust services to prevent
unauthorised change, document substitution or brand forgery.
The products applicable to this solution are:
ADSS Server
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) signing module
Option: Auto File Processor module (Watched Folder processing)
Option: Time stamp client and embedding, ETSI XAdES, CAdES ES-T
Option: Long term signature support ETSI XAdES, CAdES ES-X-Long
Option: Explicit Policy and Archive signature support ETSI ES-EPES, ES-A

Alternatives to consider:
ADSS Server with end-user signing – see multi-user signing solution
PDF Sign&Seal for desktop based sign-off – see PDF Sign&Seal

These datasheets are relevant to this solution:
ADSS Enterprise Server datasheet.pdf
ADSS Server - Corporate Signing.pdf
These solution sheets are recommended for additional reading:
Solutions for signing SAP and other ERP invoices.pdf
Has the paperless office arrived.pdf
Using ADSS Server as a internal service.pdf
ADSS Server - Using Signing and Verification Profiles.pdf
Secure Email Server - Concepts and Architecture.pdf

Solution: Multi-User Signing and Signature Verification

Requirement: Adding trust, integrity, assurance, traceability, audit and compliance to internal business processes during the creation, sign-off and approval of key internal documents or data.

Usage: For PDF documents, XML files, web form data and Office documents

As each person reviews documents with the ERP, CRM, ECM or other application a signature
can be applied. These can be created in various ways:
Using ADSS Server Zero Footprint client-side signing by using the ADSS GoSign Applet – this is dynamically downloaded on demand and requires no installation yet it can access locally held keys to sign documents presented by the server or even files held locally that need to be signed and uploaded
Using keys held securely on the ADSS Server on behalf of end-users – the business application can easily register users on the ADSS Server and then request ADSS Server to sign data after the user has authorised this action
Using desktop software such as PDF Sign&Seal or other third party products, web-signers, etc.
Users can sign and upload documents or be offered documents to review and sign. Once
the business application receives the signed data it can request ADSS Server
to verify the signatures and establish the trust status for each of these. If they
are good then automatic processing can be established with archived evidence of
sign-off and approvals. If they are unacceptable then the workflow process can be
suspended pending review or signing off by other keys or other parties as required.
Solution Options: After verification ADSS Server can timestamp
such signatures or even create long-term signatures. The documents can also be centrally
notarised and archived (using long-life archive signing keys and algorithms). Using
the advanced features of ADSS Server signatures can be checked back in time using
historic verification techniques.
The products applicable to this solution are:
ADSS Enterprise Server
Select: ADSS GoSign client-side signing module
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) verification module
Option: Time stamp client and embedding, ETSI XAdES, CAdES ES-T
Option: Long term signature support ETSI XAdES, CAdES ES-X-Long
Option: Explicit Policy and Archive signature support ETSI ES-EPES, ES-A
Option: Historic verification

Other products to consider:
PDF Sign&Seal for desktop based sign-off
Other standards-based third party signing tools can be integrated

These datasheets are recommended for additional reading:
ADSS Enterprise Server datasheet.pdf
These solution sheets are recommended for additional reading:
ADSS GoSign - the most flexible client-side signer.pdf
Has the paperless office arrived.pdf
Authorising Corporate or Role based signatures.pdf

Solution: Notary and Evidence Archiving

Requirement: In many business workflows there will be a point where a final document has been produced that needs to be kept for years (anywhere from 2 years to 100+).

Usage: For PDF documents, XML files, web form data and Office documents

The business application can take signed or unsigned data and documents and request
ADSS Server to sign and timestamp the data using special archiving keys that will
ensure the integrity and evidentiary capability of the preserved data. Documents
can be stored in SQL databases or returned to selected enterprise content management
(ECM) applications.
This solution addresses the need for documents that need to be protected for up
to 25-30 years. Using signatures and timestamps, documents, data and files can be
shown to have existed, been processed, been accepted, been notarised by a particular
system and/or organisation at a proven date and time.
Note: For archiving beyond this or for comprehensive document archive management,
retention policy management or for archive algorithm flexibility the Trusted Archive
Server product should be selected.
The products applicable to this solution are:
ADSS Server
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) signing module
Option: Auto File Processor module (Watched Folder processing)
Option: Time stamp client and embedding, ETSI XAdES, CAdES ES-T
Option: Long term signature support ETSI XAdES, CAdES ES-X-Long
Option: Explicit Policy and Archive signature support ETSI ES-EPES, ES-A

Alternatives to consider:
IETF LTANS compliant archive server – see Trusted Archive Server
Other standards-based third party signing tools can be integrated

These datasheets are relevant to this solution:
ADSS Enterprise Server datasheet.pdf
ADSS Server - Notary Archiving.pdf
These solution sheets are recommended for additional reading:
Business Need for Evidence Archiving.pdf
Has the paperless office arrived.pdf
Using ADSS Server as a internal service.pdf
ADSS Server - Using Signing and Verification Profiles.pdf
Secure Email Server - Concepts and Architecture.pdf

Solution: Identity Assurance / Validation

Requirement: When users connect to web-based applications or use local applications there may be a requirement to verify user identities and check their current trust status.

Usage: This can be done using web-servers such as IIS or Apache, C, C++, C# or Java applications or even local Windows based applications (based on the Microsoft CAPI platform).

ARP and TrustFinderOCSP form an incredibly powerful solution for enabling advanced
CRL and OCSP services for a range of business applications.
ADSS Server includes an OCSP client that can also interact with OCSP Validation
Authorities such as TrustFinderOCSP.
Key requirements of such solutions are central policy management and policy flexibility
to provide for clock drift, for system failure and failover processing, detailed
logging and history viewing. Ascertia excels at all these areas.
Of course standards-based third party OCSP clients can also be used.
Note: Some organisations are looking to off-load the client from the responsibilities
of path building and validation, and the SCVP standard is near final release. However,
for trust checking against known trust chains you should also review the signature
(and certificate) verification solution that follows.
The products applicable to this solution are:
These datasheets are relevant to this solution:
TrustFinderOCSP Server.pdf
ARP Datasheet.pdf
These test and management tools should also be considered:
OCSP Monitor Datasheet.pdf
CRL Monitor Datasheet.pdf
OCSP Client Tool Datasheet.pdf
OCSP Crusher Tool Datasheet.pdf
These solution sheets are recommended for additional reading:
ARP compared with OCSP toolkits.pdf

Solution: Strong User Authentication

Requirement: Strong user authentication is provided using digital certificates as discussed in the previous solution, however users that need to roam also need to be authenticated. Server held keys may require strong user authorisation to strengthen the trust in the overall signing process for mobile users or in environments where local credentials held on a token or smartcard are deemed impractical or unaffordable.

Usage: Any business environment – for web-access or for mobile document signing.

The ADSS GrIDsure Server provides very user friendly, yet strong user authentication
using a one-time password system based on a grid challenge and the selection of
password digits. The challenge grid is typically a 5x5 grid of numeric digits (0-9). The
grid can be presented in various ways and can be implemented to protect against
various cracking attacks. GrIDsure technology is licensed by multiple vendors and thus
the same technology solutions can be used effectively in various situations, e.g. use
with laptops, kiosks, mobile devices / phones, smartcards and more.
These datasheets are relevant to this solution:
ADSS GrIDsure Server datasheet.pdf
These solution sheets are recommended for additional reading:
Enabling Strong User Authentication and Online Document Signing Services.pdf

Solution: Server-Side Verification Services

Requirement: Data received from customers, suppliers, partners, Governments and financial and legal institutions that have signatures attached should be verified immediately on receipt to ensure that trust can be established and audit trails kept.

Usage: For PDF documents, XML files, web form data and Office documents

Used in this way ADSS Server can act as a pre-processor for existing business systems
– checking that the data can be automatically processed or flagging via the business
application that human intervention is required to resolve the trust issues found.
Information can be returned from ADSS Server to the application showing the trust,
quality status and other data from the digital signatures.
Systems that receive signed regulatory reports, e-invoices, orders, tender documents,
etc need such a system to flexibly review and trust the signatures from various
trust schemes.
Once the business application receives the signed data it can request ADSS Server
to verify the signatures and establish the trust status for each of these. If they
are good then automatic processing can be established with archived evidence of
the verification process. If the signatures are unacceptable then the document can
be filtered out for separate review.
The products applicable to this solution are:
ADSS Enterprise Server
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) verification module
Option: Historic verification
These solution sheets are recommended for additional reading:
Verification Service Providers need ADSS Server.pdf

Solution: Email-based signing or verification

Requirement: There is an undeniable need to bind and protect the corporate brand to business documents. However organisations find it hard sometimes to retrofit advanced security systems. This solution ensures that emails can be scanned, filtered and processed:
Having a digital signature applied to the attached PDF, XML or File
Having a digital signature verified on the attached PDF, XML or File
Having the email itself signed or verified and trusted
Having the email archived

Email is a universal transport but it is a poor choice for sending important data.
Email body text should be used for setting a context for the human or automated
application. Real trustworthy information should always be sent as an attachment
with an appropriate digital signature applied.
The products applicable to this solution are:
Secure Email Server
Option: signing functionality
Option: signature verification functionality
Option: email archive (future)
Option: email encryption / decryption (future)
Option: web-mail functionality (future)

ADSS Enterprise Server
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) signing module
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) verification module
Option: Timestamping and long-term signature options
These datasheets are relevant to this solution:
ADSS Enterprise Server datasheet.pdf
These solution sheets are recommended for additional reading:
Secure Email Server - Concepts and Architecture.pdf

Solution: Using a Tablet PC to capture hand signatures and notary sign them

Requirement: Many professionals such as lawyers, accountants, notaries, financial service providers need to be able to discuss business with retail customers, fill in paperwork and then witness the end-user signature. Traditionally either paper has been used or signing pads have been used – which can be awkward to use with additional wires trailing around. Tablet PCs allow “ink” to be placed on documents – driven by a touch sensitive screen and a special pen.

The retail customer can initial a document and sign a document, so can the professional.
Finally a digital signature is applied that binds all this data to the document
such that unauthorised changes can be easily identified. With a timestamp or a long-term
signature on a PDF/A document this is a very easy way of providing transmittable
binding documentary proof of a contract document.
When received by a central office the signatures on the document can be verified,
the status of the professional checked, their role based authority and rights confirmed
for compliance reasons and then the document can be archived. Of course it would be
possible to create a notary record of the document and timestamp this information.
The products applicable to this solution are:
PDF Sign&Seal

Other products to consider:
ADSS Enterprise Server for central verification and notary signing
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) verification module
Option: PDF, XML or File (PKCS#7, CMS, S/MIME) signing module
Option: Timestamping and long-term signature options
These datasheets are relevant to this solution:
PDF Sign&Seal Datasheet.pdf
ADSS Enterprise Server datasheet.pdf
These solution sheets are recommended for additional reading:
Using online Notary Services with PDF Sign&Seal-s.pdf

Solution: Server-held user keys and certificates for signing and approval

Requirement: In some cases it is considered too difficult to distribute digital credentials to end-users. When dealing with a large set of retail customers it becomes costly to use technology that can issue keys and certificates to such a group.
Ascertia solves the problem by providing a web-services CA (TrustFinder CA) within ADSS Server. This is ideal for those applications that already act as registration authorities. The applications have already carried out the essential “know your customer” checks and the need is for a key and certificate to be generated immediately with no further delay and minimal cost. This signing key can be used for signing orders, instructions, transactions, submissions, approvals, etc.

The great thing about this approach is that the application can choose how to authenticate
the user and it can also decide on how the user authorises the signature creation
– it could use the same authentication password, one-time password or token or a
different one.
The products applicable to this solution are:
ADSS Enterprise Server
Select: PDF, XML or File (PKCS#7, CMS, S/MIME) signing module
Select: Internal CA / Key generation with optional links to external CAs
Option: Timestamping and long-term signature options
These datasheets are relevant to this solution:
ADSS Enterprise Server datasheet.pdf
These solution sheets are recommended for additional reading:
Enabling Strong User Authentication and Online Document Signing Services.pdf

Solution: Compliance solutions to show sign-off and approval, to provide audit evidence, to provide HR evidence of roles, responsibilities, limits of authority, training requirements, examination results, assessment reports, etc.

Requirement: In so many business areas there is a variety of data that needs good evidence collection. Regulators will expect to see evidence of the policies and procedures in place to ensure that legislative and regulatory requirements are being obeyed.
Too many organisations use word processor and spreadsheet documents to define the requirements and to monitor progress against these. In general systems are weak because:
There is no evidence of the requirements at a given date. Regulations change and so reviewing what happened months and years ago requires a clear evidential document that confirms the actual requirement.
There is no evidence of the response to the requirements at a given date. Policies and procedures change, some documents are in draft, and all final documents need clear sign-off and a clear date and time. Draft documents need to be clearly identified as such.
Final documents have no evidence that they are in fact approved, unchanged since approval and are valid for a specific period of time.
Roles and rights change – was someone authorised to sign at that point in time?
Were signatures and authorisations checked on a regular basis?
Clear sign-off and approval and verification of the signatory’s status, role and
rights are required.
All Ascertia’s products are aimed at enhancing trust within business documents,
based on clear digital identities, document integrity, timestamps to confirm the
date and time, notarised signatures and evidence archives.

Solution: Document Rights Management

Requirement: Almost every business has invested heavily in knowledge and expertise that is written down in documents that need to be protected. Typically PDF documents are used to publish information and even though DRM controls are requested during PDF production these can be easily circumvented by tools that are readily available on the Internet. PDF viewers and readers also allow local copies to be taken.

Usage: Any business document that contains legal text, technical information, news, views or opinions that are considered valuable.
Ascertia is developing a secure PDF viewer that will ensure that the PDF data is protected during transmission and local viewing so that no local copies can be kept, no copy/paste actions can be carried out and no printing is allowed. Additionally rights may be granted to some or all of these actions to be performed, as well as local signing.
(This area is still under development so please ask for details of how this solution can complement your business requirements)