Tuesday, January 7th, 2020

Digital Signature Solutions: Why You Should Take a Second Look

Signing documents digitally (usually over the Internet) is hot, and for a reason. Heads of state can afford pomp and ceremony when signing an agreement.

Businesses need a much less costly way for their steady flow of transactions. So does the public sector in their interactions with citizens. Digital signatures have the potential to reduce hassle and cost.

But how safe are they? If you are evaluating solutions, stop and take a second look. Does the solution deliver in the area you expect?

Europe and eIDAS

This post is written with a European bias. Digital signatures became legally binding in the European Union in 1999, two decades ago, with the Electronic Signatures Directive (1999/93/EC). The current piece of EU legislation is a regulation from 2014, Regulation (EU) No 910/2014, usually referred to as eIDAS.

You will see mentions of eIDAS in marketing. However, eIDAS name dropping does not immediately translate to quality. eIDAS distinguishes three levels of electronic signature: simple, advanced and qualified. A simple electronic signature can be as little as a typed name; only a qualified signature, made with a qualified certificate on a qualified signature creation device, is given the same legal effect as a handwritten signature. What eIDAS does is to provide a vocabulary for discussing these things, secure and less secure.

So, if a solution claims to be eIDAS compliant, you should ask, at which level: simple, advanced or qualified?

Aspects of Trustworthiness

Let’s dissect what we mean by a trustworthy digital signature. A classic Stevie Wonder song title comes to mind, Signed, Sealed, Delivered. These are important aspects of digital signatures.

  • Signing: Reliably connecting a person to a signature
  • Sealing: Making sure nothing changes after a document has been signed
  • Delivery: Accessing the signed document

It turns out that several digital signature solutions lean heavily towards sealing. Their marketing invokes images of a digital fortress protecting your documents. As a consequence, accessing a signed document directly from the fortress is the preferred delivery mode.

The question arises: How about signing? Some of the same solutions are surprisingly lenient. In many cases an email address where somebody claims to be John the Con is all that links a signature to a person. It is a weak link indeed if there is no independent verification. Even if there is, an email address proves little: spoofing is in the beginner’s toolkit of any hacker, and mailboxes get compromised.

Some solutions offer a range of options for identifying the person signing a document, but the signed document itself does not necessarily record which option was actually used. A signature made after a bank login and one made after clicking a link in an email may look identical afterwards. Again, it is important to be explicit about the level of trust.

A solution may offer the Adobe “Blue Ribbon”: when you open a signed document in an Adobe PDF reader, a conspicuous ribbon appears across the top of the window saying approximately This document contains signatures. All signatures are valid. The ribbon only says that the certificate-based signatures in the PDF verify and that the bytes they cover are unchanged; it says nothing about whom the certificate belongs to. On closer examination, the signature may turn out to be made with a certificate belonging to the company delivering the solution. In that case it does not refer to the person you think signed the document. It is a convincing way of stating that the document has been sealed. It is outright misleading if it makes people believe it refers to the person signing the document.

Eye Candy

Several solutions for digital signatures modify your document before storing it. They may add banners or symbols signifying a seal applied by the solution.

Some even offer to add an image of a physical signature (ink on paper).

Let it be known that this is, at best, eye candy for the naive. An image of a signature is just pixels: it can be copied from one document into another and proves nothing about who signed or whether the content changed afterwards. It is totally irrelevant for real security.

In fact, it is questionable to modify originals at all. Why would you let your valuable documents be processed in an unknown way before storage? This carries over into another area.

Honour PDF/A

The format used for document storage is, almost without exception, PDF, for a good reason. The Portable Document Format was designed explicitly for rendering documents with identical visual impressions on all kinds of platforms.

There are several versions of PDF. One group of related versions is called PDF/A, “A” as in “Archive” (ISO 19005). A plain PDF document may refer to external resources, typically fonts installed on the viewing system, rather than including them in the document itself. PDF/A requires a document to be completely self-contained: all fonts embedded, no external references, no encryption, and metadata in a standard form. This is important for long term archiving, where the document must render the same in twenty years, without today’s software and fonts.

Some commercial signature solutions affect PDF/A documents such that after signing they are no longer PDF/A compliant. Adding a banner rendered in a font that is not embedded is enough. Do not take compliance on faith: run a document through a PDF/A validator such as veraPDF before and after signing, and compare.

Storage and Cloud Storage

As already stated, several digital signature solutions lean heavily towards sealing, that is, guaranteed preservation of documents. Delivery from centralised document storage is a cornerstone of their concept.

If you are evaluating digital signature solutions, take a break and ask yourself, is sealing and storage a major reason for you to consider digital signatures?

In addition, are you comfortable with entrusting your documents to an external service? Consider the US CLOUD Act of 2018. If the company behind the solution is US based, the CLOUD Act allows federal law enforcement to compel the company, via warrant or subpoena, to hand over data stored on its servers regardless of whether the data is stored in the US or in other countries.

Certificate-Based Signatures

Certificate-based digital signatures are the current state of the art. A person’s private key and certificate are stored on a smart card, or (somewhat less safely) in a mobile phone, and the signature is computed with the private key, which never leaves the device. A signature links so strongly to a person that it cannot reasonably be repudiated.

A certificate-based digital signature may be copied and shared freely without affecting its validity. Validity does not depend on the document being kept in any particular system: the signature covers the signed bytes, so any change to them is detected no matter where the copy lives. Storage is a non-issue.

Certificate-based digital signatures shift focus towards signing. Sealing and delivery require little additional attention.

Certificate-based signatures are secure enough to be supported by law in the EU: the advanced and qualified levels of eIDAS are defined around them, and a qualified signature has the same legal effect as a handwritten one. Solutions based on other technologies have to build their own legal cases.

The technology of certificate-based signatures is surprisingly simple. It is based on international standards (X.509 certificates, CMS signatures and, for PDF, PAdES) and is available as library components of most software development environments.

Clearly, certificate-based signatures would be the obvious choice for any digital signature system. The catch is that they require a PKI, a Public Key Infrastructure. In Sweden, where I live, banks were quick to begin building a nationwide PKI called BankID. These days it is available to just about everyone without cost. This is not true of all countries.

Several digital signature solutions on the market exist to compensate for the absence of certificate-based signatures.

This might be another occasion for you to stop for a second look. Are there compelling reasons for you to select a digital signature technology other than certificate-based?

Note in passing: The Adobe “Blue Ribbon” for signatures is certificate-based. The question is, whose certificate? If the solution under examination offers this feature, go for a test run, sign a document and check the signature: open the signature panel in the reader, look at the certificate behind the signature and read its subject name and issuer. Is it yours, or does it belong to the vendor?
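The properties described under Certificate-Based Signatures above (a signature that stays valid in any copy and breaks on any change to the bytes) and the check suggested in the note above (whose certificate?), as an added, self-contained Go example that is not code from the original post. It uses only the Go standard library. The signers Anna Andersson and Signing Service AB, the sample contract and the self-signed certificates are constructed assumptions standing in for a real PKI such as BankID, and the detached signature bundle is a simplification of a PAdES signature embedded in a PDF.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer is a hypothetical key holder (a person or a signing service). The certificate is
// self-signed only so this runs offline; in a real PKI a CA issues it and the key sits on a smart card.
type Signer struct {
	key     *ecdsa.PrivateKey
	certDER []byte
}

// NewSigner generates a P-256 key and a self-signed certificate naming the holder.
func NewSigner(commonName string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key, certDER: der}, nil
}

// SignedDocument bundles the document bytes, an ECDSA/SHA-256 signature over them and the
// signer's certificate (DER). Nothing in it refers to a storage system: copy it anywhere.
type SignedDocument struct {
	Document  []byte
	Signature []byte
	CertDER   []byte
}

// Sign computes a detached signature over the document with the holder's private key.
func (s *Signer) Sign(doc []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Document: append([]byte(nil), doc...), Signature: sig, CertDER: s.certDER}, nil
}

// Verify checks the seal (signature matches the bytes under the bundled certificate's key)
// and returns the certificate's subject common name, i.e. who or what actually signed.
func Verify(sd *SignedDocument) (string, error) {
	cert, err := x509.ParseCertificate(sd.CertDER)
	if err != nil {
		return "", err
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, sd.Document, sd.Signature); err != nil {
		return "", fmt.Errorf("seal broken, document tampered or wrong key: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// CheckSigner asks "whose certificate?": a valid seal is not enough, the subject must be
// the expected person rather than the service that sealed the file.
func CheckSigner(sd *SignedDocument, expected string) error {
	cn, err := Verify(sd)
	if err != nil {
		return err
	}
	if cn != expected {
		return fmt.Errorf("valid signature, but by %q rather than %q", cn, expected)
	}
	return nil
}

func main() {
	person, _ := NewSigner("Anna Andersson")      // constructed example person
	service, _ := NewSigner("Signing Service AB") // constructed example vendor
	doc := []byte("Constructed sample contract: A sells B one bicycle for 1000 SEK.")
	signed, _ := person.Sign(doc)
	sealed, _ := service.Sign(doc) // the vendor's own seal: valid, but not Anna's signature
	tampered := &SignedDocument{Document: append([]byte(nil), signed.Document...), Signature: signed.Signature, CertDER: signed.CertDER}
	tampered.Document[len(tampered.Document)-9] = '9' // a copy altered to read 9000 SEK
	fmt.Println("person's signature:", CheckSigner(signed, "Anna Andersson"))
	fmt.Println("vendor's seal:", CheckSigner(sealed, "Anna Andersson"))
	fmt.Println("tampered copy:", CheckSigner(tampered, "Anna Andersson"))
}
```

The three calls in main map onto the post’s three cases: the person’s own signature passes, the vendor’s seal verifies mathematically but fails the subject check, and the altered copy fails the seal. Two things a real verifier does that this example leaves out: it chains the certificate to a trusted issuer (in Go, cert.Verify with a root pool) instead of trusting whatever certificate travels with the document, and for PDFs it verifies the CMS signature over the /ByteRange of the file rather than a detached blob.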

Summary

In summary, we advocate two technologies: PDF/A and certificate-based signatures. The two go well together. You may be surprised to find that both are based on international standards (ISO 19005 for PDF/A; X.509, CMS and PAdES for signatures). No trade secrets are involved as far as security mechanisms go. This means that signatures may be validated by independent third parties with off-the-shelf tools. Certificate-based signatures have legal support within the EU.

With certificate-based signatures you don’t have to buy into any particular storage solution. Use standard storage and standard access control for signed documents, no problem.

Certificate-based signatures offer a solution to the signing and sealing aspects of digital signatures. Hassle-free delivery comes as a bonus.

You might find yourself forced to accept a solution that is not certificate-based. You will do well to find out whether security in a given solution depends on trade secrets and whether you will be notified if those secrets are broken. Another area to examine is how to handle legal challenges: what can you do if someone takes a signature to court, disputing its validity? I suggest you go through a hands-on test case with someone from the legal department of your company.

Comments are closed due to spam overload, but you may email blog AT soderstrom DOT se
