Mobile Signatures

The cost-saving, security and efficiency benefits of digital signatures are clear.

For maximum legal effect in many jurisdictions, however, digital signatures need to be created in “secure signature creation devices” (SSCDs). Typically this requires a secure smartcard and sometimes even a reader with display capabilities to present the full details of the transaction to be “signed” (i.e. What-You-See-Is-What-You-Sign). In consumer markets, it is unlikely that individual citizens will ever want to invest in such equipment.

An alternative approach is to capitalize on the fact that many citizens already possess smart phones which contain a smartcard and a display. If web applications can send signing requests to a user’s mobile for local signing on the mobile device, then not only does this represent a separate channel for extra security, but the signature produced can also be of the highest quality, all without the user having to manage smartcards and readers separately. Digital signatures produced on mobile devices in this way are referred to as “mobile signatures”.

Ascertia is actively involved in the mobile signature space and has a number of possible solutions. Working through technology partners, we can offer a complete mobile signing platform.

SOLUTION DESCRIPTION

Ascertia caters for mobile signatures in two different ways. The main difference is where the signature is actually produced:

Server-side signing

In this case user keys are held on ADSS Server. The user is authenticated via a One Time Password (OTP) sent to the user’s mobile phone via SMS. The user must enter this OTP into their browser to complete the signing action. This approach is not true mobile signing, since the user is only being authenticated by the mobile phone and signing takes place on the server. However, the advantage of this solution is that any mobile phone supporting SMS can use this approach to offer a separate user authentication channel for signing purposes. Contact us for a demo of this solution as implemented in our SigningHub product.
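The OTP step described above can be sketched as follows. This is an added example, not Ascertia or ADSS Server code: the function names, the five-minute validity window, the three-attempt limit and the binding of each OTP to one document digest are all assumptions made for illustration.

```javascript
// Added example (not ADSS Server code): OTP approval for one server-side signing request.
const { createHash, randomInt, timingSafeEqual } = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000; // assumed validity window
const MAX_ATTEMPTS = 3;           // assumed retry limit
const pending = new Map();        // requestId -> challenge (in-memory stand-in for server state)

const sha256 = (data) => createHash('sha256').update(data).digest();

// Called when the user asks to sign; returns the OTP that would be sent by SMS.
function startSigning(requestId, document, now = Date.now()) {
  const otp = String(randomInt(0, 1_000_000)).padStart(6, '0');
  pending.set(requestId, {
    otpHash: sha256(otp),      // hashed so later comparisons are fixed-length
    docHash: sha256(document), // this OTP approves this document only
    expires: now + OTP_TTL_MS,
    attempts: 0,
  });
  return otp;
}

// Called when the browser submits the OTP; the server signs only on 'approved'.
function approveSigning(requestId, document, otp, now = Date.now()) {
  const c = pending.get(requestId);
  if (!c) return 'unknown-request';
  if (now > c.expires) { pending.delete(requestId); return 'expired'; }
  if (!timingSafeEqual(c.docHash, sha256(document))) return 'document-changed';
  if (!timingSafeEqual(c.otpHash, sha256(String(otp)))) {
    if (++c.attempts >= MAX_ATTEMPTS) { pending.delete(requestId); return 'locked'; }
    return 'wrong-otp';
  }
  pending.delete(requestId);   // single use: a replayed OTP finds no challenge
  return 'approved';
}
```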

Full Mobile Signing

In this case the actual signature takes place on the mobile device. Depending on the solution components, the user’s signing key can be located in a secure PKI-based SIM, Micro SD-card or software app. The following diagram and text explain the high-level process:

A User interacts with a web application (e.g. SigningHub, banking site, etc.). A document or transaction is prepared which needs to be signed by the user on their mobile device.
The web application sends a signing request to ADSS MSSP Server with the transaction details. ADSS MSSP Server prepares a message to send to the user’s mobile. This message will provide full guidance to the user on what they are signing.
ADSS MSSP Server passes a notification to the relevant Notification Centre for the user’s mobile platform. The user will get an alert via the Notification Centre that there is a signing action pending. After login the user can download and view the pending signing transactions. The transaction details, references, etc. can be displayed on the smart phone’s screen. To apply a mobile signature the user must enter their PIN for authentication. If this is valid, the basic digital signature is produced locally on the mobile device (secure SIM, Micro-SD card or software key) and returned.
Upon receiving the mobile signature, ADSS MSSP Server can verify it by making calls to the ADSS Verification Service; behind the scenes it can connect with multiple CAs, CRL issuers, OCSP Servers and TSA Servers. This process can also enhance the basic user signature to a long-term signature (PAdES, XAdES and CAdES) by adding the necessary timestamps and PKI certificate status information.
The final enhanced signature can be given back to the web application for further processing and workflow depending on the business need.
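The request, local signing and verification steps above can be illustrated with a short sketch. It is an added example, not Ascertia or ADSS MSSP Server code: the message layout, function names, PIN value and the use of an ECDSA P-256 key pair in place of the SIM, Micro SD card or app key are assumptions, and certificate status checks and long-term enhancement are left out.

```javascript
// Added example (not ADSS MSSP Server code): device-side signing and server-side checks.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

// Stand-in for the key held in the SIM, Micro SD card or app; the public half
// is assumed to be enrolled with the server beforehand.
const device = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const DEVICE_PIN = '4821'; // constructed value

// Server: turn the web application's request into the message sent to the phone.
function buildSigningRequest(displayText, document) {
  return {
    displayText,                                            // what the user reads on screen
    docHash: createHash('sha256').update(document).digest('hex'),
    nonce: randomBytes(16).toString('hex'),                 // makes each request unique
  };
}

// Both sides sign and verify exactly these bytes, so the displayed text is
// covered by the signature together with the document digest.
const toBeSigned = (req) =>
  Buffer.from(JSON.stringify([req.displayText, req.docHash, req.nonce]));

// Device: use the key only after the PIN check, then sign locally.
function signOnDevice(req, pin) {
  if (pin !== DEVICE_PIN) return null;
  return sign('sha256', toBeSigned(req), device.privateKey);
}

// Server: verify against the request it issued, not against anything the
// device sends back alongside the signature.
function verifyAtMssp(issuedReq, signature, enrolledPublicKey) {
  if (!signature) return false;
  return verify('sha256', toBeSigned(issuedReq), enrolledPublicKey, signature);
}
```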

WHY ASCERTIA?

There are very good reasons for choosing Ascertia for mobile signing:

Multiple Signature Formats

Ascertia’s products offer the widest support for digital signature formats and standards and the greatest flexibility in how to implement these. Whether it’s PDF, XML, PKCS#7, CMS, S/MIME or PKCS#1 signatures, we can sign your business document or transaction.

Long-Term Digital Signatures

Ascertia is a clear leader in creating long-term digital signatures which can be verified many years in the future, an essential requirement for most businesses and governments. We support all the ETSI XAdES and CAdES profiles as well as the latest PAdES (PDF format) profiles.

Multiple Signing Options

Different applications have different needs for how digital signatures are created. Some require server-side signing with the mobile used only for OTP authentication. Others require mobile signing to be done on the mobile device using a certified tamper-resistant hardware chip, whilst others even want soft keys managed by the mobile app. Ascertia can offer solutions for any of these methods.

PKI Components

Digital signature creation is only one part of the solution for mobile signing – there are also requirements for signature verification, trust anchor management, key management, certification, real-time certificate validation, time-stamping and secure long-term archiving. ADSS Server is unique in being able to address all these requirements in our multi-function ADSS server. All these services are based on leading industry standards including OASIS DSS & DSS/X (signing, verification and encryption), RFC 3161 (timestamping), IETF LTANS (archiving), RFC 6960 (OCSP validation), RFC 5055 (SCVP validation).

Full Solution

Ascertia and its technology partners can offer the complete solution including Mobile Signature Servers, client-side software apps and secure hardware components.
