Getting a document approved and signed off is a crucial part of any business, whether it is an order, a sales contract, claim forms, internal HR documents or any other type of document that needs to be clearly agreed and approved, preferably with a clear audit trail.
In today's economic climate the traditional, inefficient paper-based approach of manually sending, signing, tracking and storing documents has become a major cost burden for organisations.
Organisations today also face a variety of pressures to provide enhanced data security, better accountability, and traceability and auditing capabilities to ensure compliance with local legislation, regional directives, and market and shareholder/stakeholder expectations and requirements.
Online Document Signing Solution Types
An obvious solution to the above paper document approval problem is to use electronic documents and digital signatures. Typically document signing solutions are categorised as:
- “e-signature” solutions – these can be a simple mouse scribble, scanned signature image or any other mark which indicates the user’s consent.
- “digital signature” solutions – these are based on strong cryptographic techniques and provide both data integrity and strong evidence of who signed the document thereby helping to provide non-repudiation services.
Why a Cloud solution?
Standalone document signing desktop products have been around for some time; however, organisations today require a full document approval workflow solution, which can gather signatures from multiple parties and provide document tracking and history details. A fully automated approval process is required so that business professionals can concentrate on their core business tasks rather than chasing paper or emails – and with emails one never quite knows whether you are dealing with the latest version.
Ascertia's products fully support PDF/A compliant digital signatures, and Ascertia recommends that PDF documents are first converted to PDF/A before a PAdES signature is applied.
Furthermore, there is a need to agree and sign off on documents with both internal and external users. With external users it is not possible to control which software they have installed locally on their machines. Users also need to sign documents when on the move; always signing from one particular machine is simply not workable in real-life situations.
What to look for…
Many online document approval solutions are available on the market, which encompass document signing, but typically they have the following serious limitations:
- They require complex user software to be installed, which senior business managers do not find easy to use. Additionally management and maintenance of this software becomes a real burden for administrators.
Answer: The solution should be cloud-based, ensuring ease of use by end-users and ease of maintenance and centralised management by administrators.
- They use proprietary “closed” signature schemes, such that signed documents cannot be verified independently. Instead the relying parties need to feed the document through the service provider’s systems in order to verify them.
Answer: The solution must use standard digital signature formats. By far the most popular document format in business is PDF; therefore standard PDF signatures must be supported. Signatures produced by the solution must be "open", i.e. verifiable in a freely available PDF reader without having to upload documents to the service provider for verification. Signed documents must stand on their own, i.e. be verifiable in isolation without having to analyse the service provider's system logs.
- They do not use unique signing keys under the sole control of the signer. Many solutions use a single server-held signing key that is used for all users, in effect a “proxy” signature. Some approaches do not even use a cryptographic digital signature but rely on hand-drawn squiggles with proprietary crypto techniques.
Answer: The solution must use different keys for each signer. This is an essential requirement for advanced digital signatures within Europe. Electronic hand-signature images can be used to give human recognition for technology acceptability reasons, and their use for that purpose is welcome, but they can be easily copied, so the solution must not rely solely on them as a security measure. The solution must protect each user's signing key such that only the authorised owner can knowingly release their key for signing purposes.
- They do not allow the use of locally held signing keys (e.g. on smartcards or secure USB tokens).
Answer: Many countries have issued electronic ID (eID) cards to their citizens. These offer the highest level of identity authentication and signing key protection. If such an eID infrastructure exists then the solution must allow these eID cards to be used for signing purposes. Qualified signatures within Europe require the signing key to be held on a smartcard or USB token (officially called a Secure Signature Creation Device or SSCD) under the sole control of the signer. The solution must allow use of such smartcards or tokens. Within a corporate environment, employees may already have been issued with certificates by the organisation's PKI system. The solution should also allow the use of these certificates.
- Many signed documents are not verifiable in the long term. Even if the solution uses standard digital signatures with unique signer keys, the signatures are not designed for long-term use. Once the signer's certificate expires, documents signed with this certificate can be hard to verify: when viewed in a PDF reader the trust status is shown as 'unknown'.
Answer: The solution must support long-term signature verification by using specially enhanced digital signatures that include a trusted timestamp and the signer's certificate status information as it was at the time of signing.
- There is a lack of “trust” interoperability. Users of one PKI system are not able to trust the signatures from users of another PKI system.
Answer: The solution must allow multiple PKI systems to be used and therefore trusted. There will never be just a single global PKI system which everyone connects to. Trust interoperability is especially important for cross-border interactions. The solution must be able to distinguish between the different levels of “quality” offered by the different PKI systems. The solution must allow users to compartmentalise which PKI systems they wish to trust and for which purposes.
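The following added example (not Ascertia's or SigningHub's code) models the long-term verification point above: a constructed CA issues a signer certificate valid only during 2020, the signer signs a document, and the signature is validated in 2024 once as a basic signature and once with an embedded timestamp and certificate status captured at signing time. It uses the `cryptography` library; the timestamp is modelled as an already-trusted time value and certificate chain validation is omitted for brevity.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue_cert(subject, key, issuer, issuer_key, not_before, not_after):
    """Issue a minimal X.509 certificate for `key`, signed by `issuer_key`."""
    return (x509.CertificateBuilder().subject_name(_name(subject))
            .issuer_name(_name(issuer)).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(issuer_key, hashes.SHA256()))

def validate(document, signature, cert, now, timestamp=None, status=None):
    """Return 'valid', 'invalid' or 'unknown' (the status a PDF reader shows).
    `timestamp` models an already-trusted TSA time (assumption); `status` is
    the signer certificate's revocation status captured at signing time."""
    try:
        cert.public_key().verify(signature, document, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "invalid"                      # document altered or wrong key
    in_window = lambda t: cert.not_valid_before <= t <= cert.not_valid_after
    if timestamp is None:                     # basic signature: only `now` is trustworthy
        return "valid" if in_window(now) else "unknown"
    if not in_window(timestamp):              # signed outside the certificate's lifetime
        return "unknown"
    if status == "revoked":                   # key was already revoked when signing
        return "invalid"
    return "valid" if status == "good" else "unknown"

def demo():
    """Constructed scenario: certificate valid during 2020 only, checked in 2024."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    signer_key = ec.generate_private_key(ec.SECP256R1())
    y2020, y2021, y2024 = (dt.datetime(y, 1, 1) for y in (2020, 2021, 2024))
    cert = issue_cert("Alice", signer_key, "Demo CA", ca_key, y2020, y2021)
    document = b"Purchase order 4711: approved"   # constructed sample document
    sig = signer_key.sign(document, ec.ECDSA(hashes.SHA256()))
    signed_at = dt.datetime(2020, 6, 15)
    return {
        "basic_2020": validate(document, sig, cert, signed_at),
        "basic_2024": validate(document, sig, cert, y2024),
        "ltv_2024": validate(document, sig, cert, y2024, signed_at, "good"),
        "ltv_revoked": validate(document, sig, cert, y2024, signed_at, "revoked"),
        "tampered": validate(document + b"!", sig, cert, y2024, signed_at, "good"),
    }
```

The basic signature that validated in 2020 drops to 'unknown' in 2024, while the long-term form still validates because the trusted time and status at signing travel with the document.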
In addition to the above, organisations require a solution which reflects real business approval processes: for example, the ability for anyone from a given department or group to sign a document, the ability to control the document such that it can only be signed within a specific area of the page, and the ability to define delegated signers in case the primary signer is ill, on holiday or otherwise unavailable. Ascertia has developed the SigningHub solution to avoid all the issues discussed above and to use individual signatures with high security and long-lived trust. Furthermore, SigningHub supports the complexity of real-world business document approval processes so that it can effectively replace paper and ink signature processes.
To learn more about SigningHub and to get a free trial account today visit: SigningHub