Cloud Signature Consortium benefits for TSPs and customers

Posted by Victoria Allen on Nov 17, 2020 1:35:25 PM

What is the Cloud Signature Consortium (CSC)?

Ascertia is a CSC member. The Cloud Signature Consortium is a group of industry and academic organisations committed to building a new standard for cloud-based digital signatures.

These digital signatures will support web and mobile applications and comply with the most demanding electronic signature regulations in the world. The CSC was created to develop common protocols so that distributed applications and services can leverage digital signatures in a non-proprietary way.

Why is it useful and beneficial?

Ascertia works with other members to create a standard API to integrate the essential components of a remote signature solution among different service providers and consumers.

It enables Ascertia to provide solutions that comply with CSC standards for remote signing, opening doors for high-trust remote signing globally.

Ascertia works with Trust Service Providers (TSPs) and Qualified Trust Service Providers (QTSPs) to power their remote signing services. We are committed to developing easy-to-use, flexible digital signature solutions that provide high trust and enable the widespread adoption of remote signing.

Ascertia’s solutions comply with the latest CSC standard API implementation and Ascertia works with many TSPs and Remote Signing Service Providers (RSSPs) to power their high-trust remote signing solutions.

When was the CSC established?

One innovation of the Electronic Identification and Trust Services (eIDAS) Regulation was to give legal standing to cloud-based Advanced and Qualified electronic signatures for the first time, by enabling the creation of electronic signatures using a remote signature creation device.

In response to this innovation, in 2016 industry leaders and academic organisations united to form the CSC.

How does it work?

With digital signatures moving to the cloud, the functions needed to create digital signatures are distributed across several service instances, each carrying out one or more steps in the signature creation process.

The interfaces between such services are now standardised. Using these standards, the different services perform operations in a non-proprietary way.

Instead of signing keys being held locally by users (e.g. on a smartcard or token), they are held remotely in a secure, certified TSP or QTSP environment, either in on-premise server or virtual-server-based systems or in secure cloud services.

This typically means all private keys are stored centrally in a secured encryption device such as a certified Hardware Security Module (HSM) or QSCD Appliance that contains a certified HSM, such as the Ascertia ADSS SAM Appliance.

When a signature is required, the end user, using a signing solution such as SigningHub, sends the hash to be signed via CSC API calls to an RSSP such as ADSS Server, which hosts the end customer’s signing key(s).

The RSSP sends an authorisation request to the end user, who approves the request using the RSSP’s outlined method, allowing Sole Control Assurance Level 2 (SCAL2) (where a SAM Appliance is used).

Once approved, the end user’s key is retrieved and used to generate the signed hash, which is returned to the signing solution for compilation into a digital signature.
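The flow described above, as an added Python sketch that is not Ascertia's or the CSC's code: a toy in-memory RSSP modelled on the CSC API methods `credentials/authorize` and `signatures/signHash`, showing why the authorisation is tied to the specific hash the user approved. The class, the `cred-1` credential, the single-use policy and the HMAC standing in for the HSM's asymmetric signature are all assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets

class ToyRSSP:
    """In-memory stand-in for a remote signing service (hypothetical)."""

    def __init__(self):
        # Stand-in for a signing key that never leaves the HSM.
        self._hsm_keys = {"cred-1": secrets.token_bytes(32)}
        self._sad = {}  # SAD token -> (credential id, authorised hashes)

    def authorize(self, cred_id, hashes, user_approved):
        """Models credentials/authorize: SAD is bound to the approved hashes."""
        if cred_id not in self._hsm_keys or not user_approved:
            raise PermissionError("authorisation refused")
        sad = secrets.token_urlsafe(16)
        self._sad[sad] = (cred_id, frozenset(hashes))
        return sad

    def sign_hash(self, cred_id, sad, hashes):
        """Models signatures/signHash: sign only what the SAD covers, once."""
        bound = self._sad.pop(sad, None)  # toy policy: SAD is single-use
        if bound is None or bound[0] != cred_id:
            raise PermissionError("invalid SAD")
        if not set(hashes) <= bound[1]:
            raise PermissionError("hash not covered by SAD")
        key = self._hsm_keys[cred_id]
        # HMAC stands in for the HSM's asymmetric signature over the hash.
        return [base64.b64encode(hmac.new(key, base64.b64decode(h),
                hashlib.sha256).digest()).decode() for h in hashes]

def doc_hash(document):
    """Signing-solution side: only the Base64 SHA-256 hash leaves the client."""
    return base64.b64encode(hashlib.sha256(document).digest()).decode()

def attempt(rssp, cred_id, sad, hashes):
    try:
        return "signed", rssp.sign_hash(cred_id, sad, hashes)
    except PermissionError as exc:
        return str(exc), []

def demo():
    rssp = ToyRSSP()
    approved = doc_hash(b"contract v1 (constructed sample)")
    swapped = doc_hash(b"contract v2 (constructed sample)")
    sad = rssp.authorize("cred-1", [approved], user_approved=True)
    ok = attempt(rssp, "cred-1", sad, [approved])[0]
    replay = attempt(rssp, "cred-1", sad, [approved])[0]   # SAD already used
    sad2 = rssp.authorize("cred-1", [approved], user_approved=True)
    swap = attempt(rssp, "cred-1", sad2, [swapped])[0]     # different hash
    return ok, replay, swap
```

When reviewing an RSSP integration, the two rejected cases are the ones to test for: authorisation data reused after signing, and a hash submitted for signing that differs from the one the user approved.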

Where can it be used?

Before the creation of the CSC, signature devices were typically personal devices such as smart cards or USB tokens. These can now be replaced by cloud-based services using centrally held keys, providing the ability to create digital signatures on any device, at any time, from anywhere.

How remote signing is powering cross-border business

Ascertia has championed remote signing for years, but its business benefits have become clearer this year than in any year before.

For any business, especially those operating cross-border, face-to-face meetings appear unlikely for some time. However, business must continue and security should not be compromised when signing contracts. This is where remote signing demonstrates its value.

In order to provide high-trust remote signing, a secure, PKI-based signing solution is required. When signing remotely, a signer’s credentials must be indelibly linked to the signature and provide assurance of the validity of the signature for years to come.

Where PKI-based local signing (smartcards/tokens) requires a card reader or additional hardware to authorise a signer’s credentials and signature, remote signing enables signing from any device, anywhere.

With no need for an additional signing device, remote signing is a quick, easy, high-trust signing solution for consumers and businesses. eIDAS supports the use of Qualified Remote Signatures, the highest trust level of signatures in Europe.

Ascertia was the first organisation to deliver a Common Criteria EN 419 241-2 Certified Qualified Signature Creation Device (QSCD). This includes an embedded Hardware Security Module (HSM) for cryptographic processing and key management, independently certified under Common Criteria EAL4+ Protection Profile EN 419 221-5.

This technology assures Trust Service Providers and their customers that signatures are compliant with the latest standards, non-repudiable and legally the same as a paper and ink signed document.
