Common applications are e-Submissions or e-Filings, where end-users review and perhaps upload completed documents to a central service. Other example applications include forms based systems such as online account management, online purchasing plus local government services and central services such as e-tax, and e-Procurements. e-Tendering is a growing part of public sector business and has some specific requirements.
The underlying requirement for all such applications is that the transaction or document offers proof of authenticity, data integrity and non-repudiation. In the paper world ink is used. In the new electronic age digital signatures meet these requirements and do it better than ink. The signing key must be unique to the signer, under their control and the act of signing must be performed wilfully by the end-user. Typically this means signing using just a standard Internet browser and a locally-held signing key on a smartcard or USB token, however there are other options discussed later.
For public procurement confidentiality is a growing requirement. Currently systems protect information within a tender application but there is often weak legal binding. Privacy is also a concern since privileged users may be able to access very sensitive data. Encryption therefore requires strong cryptography. The decryption of data or documents can now be controlled by a security server that logs the action. Advanced security requirements may insist that the central authority cannot decrypt the tender information until after the official tender opening date and time). Furthermore the decryption process may need to offer a properly authorised and fully auditable operation. Multiple members of a jury may need to agree before the decryption process is authorised.
When assessing the tenders, all end-users signatures must be verified as part of determining that adequate trust exists. Within the EU it is entirely possible that the end-user’s qualified certificate may have been issued by any one of a large number of Certificate Authorities (CAs). Verifying the end-users’ digital signatures and assessing their quality and acceptability for the intended purpose can become a substantial challenge! Once successfully decrypted and verified, the application may then also require to securely archive the document and any verification process metadata within a secure archive system for long-term availability either for regulatory/legal reasons or for dispute resolution purposes.
The benefits of e-submission process compared with a paper-based system include:
Manual Paper-based Process
Automated Electronic Process
Expensive to handle and transfer
Up to 80% cheaper
Extended delivery times with concern about deadlines being missed
No proof document was received (assumes no recorded delivery for bulk documents)
Documents are uploaded to central site and acknowledgments or receipts are routinely provided. These should of course be signed and timestamped
Separate manual workflow (e.g. payment of invoice)
Integrated workflow for straight-through-processing of document (e.g. automated validation of signed e-invoice and transfer to accounts payable system)
Requires expensive paper and transport with a negative impact on environment
Green alternative with a positive impact on the environment
Solutions by Technology
/ e-Tendering, e-Submissions, e-Fillings
Any business application can request web forms to be filled in and request e-document submissions in place of paper, however in order to ensure authenticity and trust, it’s important to digitally sign the documents before they are sent externally.
Simply asking user to login to the web application is not sufficient for later proving that the user actually submitted a particular document. Login security mechanisms such as usernames/passwords only provide authentication security for a specific session and do not help to show whether a document was later changed and was sent or approved by a particular individual.
Thus digital signatures are essential; however none of the current Internet browsers provide a standard signing method that can be used by web applications. Organisations do not wish to provide installed desktop software to multiple third parties and own the problems of training, support and upgrade for such software. Clearly a simple zero-footprint signing solution is needed. The solution must be able to cater for multiple signature formats including PDF and PAdES, XML DSig and XAdES, PKCS#7/CMS and CAdES profiles.
The role of the solution components is as follows:
For applying signature on document. ADSS Go>Sign Applet can also encrypt documents using a PKI certificate provided by the Business Web Application. ADSS Go>Sign Applet provides the signed and optionally encrypted document to the Business Web Application.
For verifying the user’s signature, which includes certificate path building and validation, revocation checking as well as signature and certificate quality assessment. ADSS Server can also enhance a basic signature to create a long-term signature with embedded timestamp and revocation information as part of the verification process, alternative ADSS Go>Sign Applet may have been involved in creating the long-term signature before it’s verified.
For long-term archiving of the user submitted document and also the verification process metadata (e.g. CRLs, OCSP responses etc.). ADSS Archive Server may store the archive objects or return to the business application for storage in a separate document management system.
This can be any web application (e.g. e-Tendering) which interacts with end-users and with ADSS Server and ADSS Archive Server as explained above.
Ascertia’s products offer the widest support for digital signature formats and standards and the greatest flexibility in how to implement these. The products support PDF, XML, PKCS#7, CMS, S/MIME and PKCS#1 signatures as required to sign business documents. German and other country qualified certificates can be used to provide advanced electronic signatures.
Ascertia is a clear leader in creating long-term signatures – these can be verified many years in the future, an essential requirement for most government related data. ADSS Server supports all the ETSI XAdES and CAdES as well as latest PAdES (PDF format) profiles.
Different applications have different needs for how signatures are created. Some require server-side batch-signing features, some require signatures to be created locally by users that have eID smartcards or secure USB tokens. Others even want key and certificate roaming solutions that offer virtual “smartcards”. Ascertia’s ADSS Server and Go>Sign Applet already provide all these options and more.
Organisations cannot control which systems and browsers end-users will work with when submitting documents. It is essential the digital signature and encryption solutions work on any platform with any browser and support multi-lingual capability. ADSS Go>Sign Applet supports all Windows platforms as well as many Linux versions and has also been tested in various browsers.
Many organisations feel uncomfortable about performing corporate (or department) signatures using keys held on the server and not under the control of a particular individual employee. To relieve this concern Ascertia has implemented its unique authorising mechanism for server-side signatures which allows one or more authorisers to apply a personal signature to a document which is verified first by ADSS Server before applying a corporate signature. For further details see this white paper.
ADSS Enterprise Server can be easily integrated with any business document production environment using our Watched Folder application called Auto File Processor, or our high-level Java and .NET ADSS Client SDKs or via direct XML/SOAP web service calls or even email integration using Secure Email Server.
ADSS Server can be run in load-balanced configuration to sign millions of documents in automated manner. All signature operations can be conducted in a secure Hardware Security Module (HSM) and multiple HSMs can be connected for performance and resilience purposes. All signing operations are securely logged in ADSS Server database.
Digital signature creation is only one part of the solution – there are also requirements for signature verification, trust anchor management, key management, certification, real-time certificate validation, time-stamping and secure long-term archiving. ADSS Server is unique in being able to address all these requirements in one multi-function server. All these services are based on leading industry standards including OASIS DSS & DSS/X (singing, verification and encryption), RFC 3161 (timestamping), IETF LTANS (archiving), RFC 6960 (OCSP validation), RFC 5055 (SCVP validation), W3C XKMS (validation), etc.