Ensuring Trust within Global Business Transactions

Ascertia Ltd - Digital Signatures and Encryption

All unsecured e-business documents can have unauthorised changes made to them. Ascertia delivers e-Trust solutions that ensure business documents, data and workflows are protected. Sign-off and approval as well as data integrity are assured.

Ascertia ADSS Server

Providing digital signature verification services for Det Norske Veritas (DNV) in Norway.

Today there is a clear need for organisations to respond ever more quickly to business opportunities. All governments, public and private companies are moving rapidly to exploit the cost savings from e-business. With the advantage of such communication comes a potential disadvantage - how can trust be established in these transactions or document flows, and how can both parties be sure that the data can't be changed once it has been accepted?

The authenticity and integrity of such information is a critical issue that is often overlooked, and business risk rises considerably as a result. How can one party be sure that the other party has effective controls in place to ensure final document release or correctly authorised transactions? Typically one party places too much reliance on the other party, and when a problem arises it becomes difficult to fully assess what was valid and what was not. For many businesses this would create substantial contractual and legal issues which would be expensive to resolve. The value of e-business is that it can markedly decrease errors, lower business risks, dramatically reduce cycle times and provide a substantial differentiator in a competitive global market. All of these aspects require trust in the identity and authenticity of the parties and their data.

An Electronic Approach

The handwritten signature is one of the most common and widely accepted ways of establishing who did what, when and why with paper documents and audit trails. The only way of providing a stronger electronic analogue to the handwritten signature in a multi-party environment is to use digital signatures to confirm the identity of the signer and the integrity of the document. Also bound within the digital signature is a digital certificate that provides information from a trusted third party that issued the signer with their signing credential. The trusted third party could be a bank, government department, employer or any other recognised (and possibly licensed) organisation within a particular jurisdiction.

When using digital signatures for e-commerce, considerable trust is required in the identity of the communicating parties. Identity assurance is provided by the trusted third parties, also known as certificate service providers (CSPs), that issue certificates under various trust schemes. The problem for business is that the level of trust that can be placed in these providers and their certificates varies enormously. Trust is dependent on many factors including the registration process, the key generation and protection mechanisms and the policy and procedures of the CSP.

For effective multi-third party business use there is an urgent need for objective ways to compare trust levels of various identity trust schemes and to do this in-house or to use a managed service provider. Furthermore, digital signatures can be applied in various different ways depending on many different industry standards. To complicate the situation further, the signer's certificate can be issued by a foreign CSP with which a relying party has no previous relationship. In such complex real-world scenarios a reliable, trustworthy and risk-managed approach to signature verification becomes essential. Businesses require a means to simplify the signature verification process within their applications whilst at the same time offering interoperability for different trust schemes and providing liability if something goes wrong.

A Solution Case Study

Ascertia is a global expert in digital signature creation and verification as well as certificate validation products and solutions. Early in 2006 it was selected by Det Norske Veritas (DNV) to provide its products and services to build a new global service for verifying digital signatures and validating digital identity certificates. DNV's Validation Authority (VA) service is currently being piloted in a few industry projects. It provides technical verification and validation as well as quality assessment of digital signatures and identity certificates.

DNV's VA service will be fully launched to a global market by Q2 2007 and demonstrated at Infosec 2007. Ascertia was chosen as DNV's security partner because of their existing ADSS (Advanced Digital Signature Services) Server product capabilities and their plans for ADSS development. These enhancements have accommodated DNV's particular business requirements such as providing an enhanced web-services protocol and a quality rating system.

ADSS can be used by managed service providers to provide verification and validation services or it can be used internally by organisations that need to operate their own trust scheme. In fact it is possible to operate a hybrid environment where part of the processing is in-house but the actual signature verification is outsourced to a managed service provider such as DNV and their VA service. This can be extremely useful where organisations wish to enforce privacy of documents but want to use the services of an independent expert organisation to assess trust and to provide liability.

Solution Features

ADSS can create digital signatures as well as verify them to suit a variety of business needs:

Creating Digital Signatures and sending documents to internal or external parties:

  • Reports - consultancy and project reports, regulatory data, case notes, government submissions
  • Receipts, Invoices, Quotations, legal agreements, policy documents
  • Approved documents such as loans, insurance, expenses, certificates
  • Personnel data, reports, reviews, references, training assessments

Verifying received digital signatures as part of a new front-end to existing applications:

  • For financial documents received from business customers
  • On submitted quotations and tender documents
  • On Orders, Invoices, Reports
  • For approving expense sheets, time sheets, HR forms, design documents

ADSS can also be used to create a signed notary archive of received documentation even if the originator did not sign the document. Using such a solution allows the recipient to show that the document is unchanged from the point of receipt.

Business Integration

One of the keys to success in providing effective digital signature security solutions is the ease with which the products can be added into an existing business application environment. Most often the need is for security services such as these to be added as a new feature so the integration must be easy and fit in with minimal changes.

Digital signature security solutions

ADSS can be integrated with existing applications for signing and verification services using web services, a Java API, watched folders or an email gateway. The product has been designed to service a wide range of business requirements with substantial flexibility for trust related services, and it has excellent features for implementation and management, in particular:

  • High performance - built using J2EE architectures to provide high performance and scalability
  • High resilience - multiple servers can be used in load-balanced mode to maximise availability
  • Effective management using a browser-based interface to enable easy local or remote management with granular controls for all ADSS modular functionality and featuring dual control on critical areas of functionality to ensure maximum security
  • Managed services options - multiple users can be managed, authorised for different services and billing records maintained
  • Connections to multiple CAs, their CRLs, OCSPs, and LDAPs ensure that ADSS can bridge interoperability between disparate PKI trust schemes without the need for cross-certificates or bridge CAs and the complex rules that these require

Use Cases

All organisations could use this type of service or solution: within a large disparate enterprise, within a closed community of organisations and also within a diverse global community of businesses. In all cases there are considerable efficiencies and savings that can be made from the use of fast, low cost and trusted electronic transfers between the communicating parties.
