Most of us, by now, take electronic signatures for granted.
Popular services, like DocuSign and Adobe Sign, have established themselves as convenient, familiar tools to conduct daily commerce, exclusively online. Yet electronic signatures do have their security limitations. That’s why “wet” signatures, i.e. signing in the presence of a notary, remains a requirement for some transactions involving high dollars or very sensitive records.
Clearly, a more robust approach to verifying identities in the current and future digital landscape would be useful. After all, conducting business transactions strictly online was already on the rise before Covid 19, a trend that only accelerated due to the global pandemic.
And this is why DigiCert recently introduced DigiCert® Document Signing Manager (DSM) – an advanced hosted service designed to increase the level of assurance of the identities of persons signing documents digitally.
I had the chance to learn more about this new tool from Brian Trzupek, DigiCert’s senior vice president of product DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage Public Key Infrastructure. And PKI, of course, is the behind-the-scenes authentication and encryption framework on which the Internet is built.
Trzupek outlined how DSM allows for legally-binding documents with auditability and management of signers. “It adds trust and security into each signature, with the ability to easily work with third-party signing workflows such as Adobe, DocuSign, or other signing workflow platforms,” he says.
As digital transformation has quickened, it has become clear that electronic signatures are destined to become even more pervasively used to conduct business remotely. DigiCert is bringing PKI to bear to help make that happen. Here are the main takeaways from our discussion:
The experience on many signing platforms goes something like this: you receive a document via email, you select a signature font, and then you click to insert that signature on highlighted areas of the document. You conclude by clicking submit and when the document arrives back at the sender, both of you are bound by an agreement you clicked-thru to accept the document as signed.
There are numerous ways for a bad actor to access a targeted email account. And anyone who can access and open your email could carry out the familiar electronic signature steps – and commit fraud or even alter the content in the document without the receiver knowing.
Now imagine repeating the electronic signature steps except this time both the content of the document is protected, as well as the identities of the principals, have been digitally verified – by leveraging PKI. That’s what Document Signing Manager does
PKI is a perfect fit for this, Trzupek says. PKI is the framework by which digital certificates get issued to authenticate the identity of users; and it is also the plumbing for encrypting data moving across the Internet.
PKI revolves around the issuing and management of digital certificates. For websites, it does this by distributing TLS/SSL certificates – electronic ID issued by CAs, which verify the authenticity of websites and provide the cryptographic keys to enable the encryption and decryption of information exchanges between a visitor’s browser and the web server. This protects the data from being tampered with or eavesdropped upon.
Achieving high assurance
Applying PKI to electronic signatures essentially leverages this tried-and-true authentication and encryption framework to create strong, tamper proof documents and authenticated digital identities for the express purpose of digitally signing important documents. Here’s how Trzupek broke it down for me:
“By applying PKI, when you do that activity of digitally signing a document, it is signed in a non-repudiable way, because private keys have been assigned to the persons doing the signing. And the digital certificates associated with those keys have been signed by DigiCert, so recipients can have a high level of assurance that the electronic signatures and the document itself are authentic and unchanged.
“So let’s say the document was for a loan for $100,000; nobody can go in afterwards and make it $200,000 because it can be proved, cryptographically, that the document was altered and somebody put $200,000 in there; it would be hogwash and not enforceable, because of PKI technology.
“And it’s not possible to forge a document, say by sending an email to open a loan and signing in someone else’s name. It would not be accepted because you would not have the correct private key. By using DSM, you end up with a basic electronic signature process, but with very strong security around the integrity of the document and the validated and authenticated identities of the parties doing the signing.”
Trzupek points out that companies can implement DSM on its own or they can integrate it into how they’ve traditionally used established services like DocuSign and Adobe Sign. DSM has also been accredited as meeting the EU’s “eIDAS” mandate, as well as Switzerland’s “ZertES” law; these are longstanding regulations setting parameters for the use of electronic signatures in Europe. Some other countries are looking to incorporate the European regulations into their own regulations..
“PKI protects the integrity of the document and the validated identities of the signers,” Trzupek says. “By issuing unique cryptographic keys, this creates cryptographically provable and auditable identities, tied to specific individuals, that can’t be forged.”
The key feature of DSM is that it validates and authenticates the signers and protects the integrity of the document, ensuring the contents have not been altered. It can do this at scale – thousands of times across a large organization. The workflows involved with issuing and managing certificates are all automated and get executed in the cloud.
This enhances the ability of an enterprise to authorize many employees to electronically sign legally binding documents in a way that complies with global regulations and adheres to corporate best practices. There is a singular business need for this – something that was highlighted by the widespread and extended workplace shutdowns spinning out of the global pandemic.
“Covid 19 has been a huge driver for this,” Trzupek says. “I wish we had these solutions generally available 18 months ago because it would have helped a whole lot more businesses.”
So how did DigiCert manage to retain high integrity without physical, in-person verification of folks receiving private keys? In short, how do they add efficiency to the old Face-to-Face or notary-based registrations of the past? With a mobile app, of course.
In some workflows, the user downloads an app called IDNow AutoIdent and types in a verification code sent by DigiCert. Next the user simply follows the in-app instructions for imaging a government ID, such as a driver’s license or a passport; the user next follows more instructions for taking a 3D selfie.
The Verify by DigiCert process associates the 3D image with a private key in a way that cannot be imitated, Trzupek says. This eliminates in-person signing and the need for paper documents. Signing can be done anywhere using any type of supported computing device. And an audit trail gets established that can be reviewed for authenticity and legal matters.
PKI is up to this task; it’s what we’ve come to rely on for privacy and security, not just accessing websites, but also in using every ‘smart’ service we’ve come to depend on: streamed media, mobile apps, Internet of Things systems, etc. “Most people don’t realize that PKI literally exists everywhere,” Trzupek says. “This is because PKI is so secure and so rigorously tested that it has become the foolproof way to ensure the security of identities and enable the interoperation of different systems.”
In the wake of Covid 19 and with digital transformation continuing to advance, it makes good sense to adapt PKI to high-end digital document signing. This has the potential to foster more agile record exchanges in support of things like advanced medicine and addressing climate change, for instance. I’ll keep watch and keep reporting.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-digicert-document-signing-manager-leverages-pki-to-advance-electronic-signatures/