ADSS Secure eMail Server For General Document Security and Invoice Signing Saving Time & Money, Avoiding Risk & Fraud

Agenda Secure Email Server ADSS Server Trust Services Outbound emails Incoming emails Archiving

Secure Email Server

ADSS Server

Trust Services

Outbound emails

Incoming emails

Archiving

ADSS Secure eMail Server Built on Apache James A Java MTA mail server Selects emails using one or more “matchers” Interacts with ADSS Server using one or more “mailets” James matchers – for filtering emails “ Subject” field, “To” field, “From” field, “ has attachment”, “attachment file name is” Other options available (e.g. based on key words) James mailets – to process filtered emails Sign attachment using ADSS Server (e.g. PDF, XML, File) Verify signed attachments using ADSS Server Sign and verify emails

Built on Apache James

A Java MTA mail server

Selects emails using one or more “matchers”

Interacts with ADSS Server using one or more “mailets”

James matchers – for filtering emails

“ Subject” field, “To” field, “From” field,

“ has attachment”, “attachment file name is”

Other options available (e.g. based on key words)

James mailets – to process filtered emails

Sign attachment using ADSS Server (e.g. PDF, XML, File)

Verify signed attachments using ADSS Server

Sign and verify emails

Basic Architecture ADSS Server + sign/verify + encrypt*/decrypt* + archive*/recover* HSM DB Request (Sign / Verify Encrypt / Decrypt) Response Future Options Policy Management for signing and verification and archiving. Customer console for recovery and other management. ADSS Secure eMail Server (MTA Server)

Future Options

ADSS Server A multi-function security server Server-side signing, Server based verification, Timestamping CRL manager/archiver, OCSP Validation Authority Time Stamp Authority (TSA) and Certificate Authority It powers the Secure eMail Server Secure eMail Server is a ‘business application’ for ADSS Server Supports signing and verification Of PDF, XML and other file attachments Multiple options for PDF signing style (visible, invisible, certified, timestamped, long-term signatures) Key Management Supports organisation or organisation role signing Supports end-user key signing (server-side) signing Inbuilt Key Manager linked to internal or external CA Can use FIPS compliant HSM for strong private key protection

A multi-function security server

Server-side signing, Server based verification, Timestamping

CRL manager/archiver, OCSP Validation Authority

Time Stamp Authority (TSA) and Certificate Authority

It powers the Secure eMail Server

Secure eMail Server is a ‘business application’ for ADSS Server

Supports signing and verification

Of PDF, XML and other file attachments

Multiple options for PDF signing style (visible, invisible, certified, timestamped, long-term signatures)

Key Management

Supports organisation or organisation role signing

Supports end-user key signing (server-side) signing

Inbuilt Key Manager linked to internal or external CA

Can use FIPS compliant HSM for strong private key protection

Ascertia ADSS Server Trust Services Note: You only need license and use what is needed today PDF Documents - Basic signature (visible / invisible) - Certify - Sign & timestamp - Long-term signatures XML Documents - XML DSig (XAdES ES) - Timestamps (XAdES ES-T) - Long-term signatures (XAdES X-Long) PKCS#7 / CMS / SMIME - Basic signature (CAdES ES) - Timestamps (CAdES ES-T) - Long-term signatures (CAdES X-Long) Historic Verification OCSP Validation (immediate verify & long term sign) Time Stamp Authority (TSA) Server Sign Verify                     -    [email_address]  

Secure Email Server - Future Options Archiving the email With Archive management, review, resend, retention policy management, logging etc WebMail support Allowing users to sign and verify emails and attachments and also handle encrypted emails Encrypt emails using ADSS Server using recipient certificate(s) Decrypt emails using ADSS Server using recipient private key Timestamp the receipt of inbound emails Option to also apply a Notary signature Apply an Electronic Post Mark (EPM) Work with Trusted Archive Server Ascertia is always happy to discuss the commercial drivers and technical requirements and then set the dates for the delivery of the required options

Archiving the email

With Archive management, review, resend, retention policy management, logging etc

WebMail support

Allowing users to sign and verify emails and attachments and also handle encrypted emails

Encrypt emails using ADSS Server

using recipient certificate(s)

Decrypt emails using ADSS Server

using recipient private key

Timestamp the receipt of inbound emails

Option to also apply a Notary signature

Apply an Electronic Post Mark (EPM)

Work with Trusted Archive Server

Signing Outbound Emails Architecture Internet 1) Alice sends email Alice Bob Ascertia Secure eMail Server Ascertia ADSS Server 2) Request signature 3) Signature 4) Forward email 5) Bob receives Signed email

ERP Email System Architecture Internet 1) ERP system sends email ERP System Recipient Ascertia Secure eMail Server Ascertia ADSS Server 2) Request signature 3) Signature 4) Forward email 5) Recipient receives signed email

Signing Outbound Emails Secure Email Server sends request to ADSS Server ADSS Server Signs using unique user keys (e.g. Alice) Using corporate keys (e.g. Finance Dept for Company A) Using software or keys in FIPS or Common Criteria HSM/Token Can sign attachments PDF attachments: using PDF signature standard XML files: using XML DSig standard Other file types: using wrapping PKCS#7/CMS signature OR basic signatures plus timestamps (PDF/ETSI) OR basic signatures plus timestamps and signer’s certificate status (usually OCSP) at time of signing (PDF/ETSI) Can sign emails using feature support in ADSS Server v3.4

Secure Email Server sends request to ADSS Server

ADSS Server Signs

using unique user keys (e.g. Alice)

Using corporate keys (e.g. Finance Dept for Company A)

Using software or keys in FIPS or Common Criteria HSM/Token

Can sign attachments

PDF attachments: using PDF signature standard

XML files: using XML DSig standard

Other file types: using wrapping PKCS#7/CMS signature

OR basic signatures plus timestamps (PDF/ETSI)

OR basic signatures plus timestamps and signer’s certificate status (usually OCSP) at time of signing (PDF/ETSI)

Can sign emails using feature support in ADSS Server v3.4

Verifying Incoming Emails Architecture Internet Recipient ADSS Server 2) Request signature verification 3) Signature verification response details 4) Recipient receives verified email Ascertia Secure eMail Server CA-1 CA-2 CA-N CRL CRL OCSP ERP System 1) ERP system sends email

Verifying incoming signed emails Secure Email Server Checks received emails .v. Matcher rules Sends document to be verified to ADSS Server ADSS Server Checks PDF or XML or File or S/MIME signature Signature integrity check Signer certificate validation check: Issued by a trusted CA Certificate is not expired Certificate is not revoked (using CRLs, or OCSP) Certificate contains valid extensions Certificate meets minimum certificate quality level (option) Embedded signatures within attachments can be verified, e.g. PDFs, XML Multiple trusted CAs can be registered

Secure Email Server

Checks received emails .v. Matcher rules

Sends document to be verified to ADSS Server

ADSS Server

Checks PDF or XML or File or S/MIME signature

Signature integrity check

Signer certificate validation check:

Issued by a trusted CA

Certificate is not expired

Certificate is not revoked (using CRLs, or OCSP)

Certificate contains valid extensions

Certificate meets minimum certificate quality level (option)

Embedded signatures within attachments can be verified, e.g. PDFs, XML

Multiple trusted CAs can be registered

Verification processing Verification Result delivery options Allow email to be delivered normally Send email on to recipient with results attached / appended Only allow successfully verified emails to be sent to recipient All untrusted emails sent to an administrator with results report Other custom options Mailet processing options Can send ADSS Server the signed email hash + signature for privacy or speed/throughput purposes Can send entire email + attachments for verification Can also send entire email for archive (see later) ADSS Server records all sign/verify transactions Logs can be searched / filtered / reports produced Logs can be exported in CSV format

Verification Result delivery options

Allow email to be delivered normally

Send email on to recipient with results attached / appended

Only allow successfully verified emails to be sent to recipient

All untrusted emails sent to an administrator with results report

Other custom options

Mailet processing options

Can send ADSS Server the signed email hash + signature for privacy or speed/throughput purposes

Can send entire email + attachments for verification

Can also send entire email for archive (see later)

ADSS Server records all sign/verify transactions

Logs can be searched / filtered / reports produced

Logs can be exported in CSV format

Secure eMail Server – Archiving (Q408) “ mailet” based policy for archiving emails For outbound emails For incoming emails For simple short-medium term archiving Sends emails to local email archive management module Keeps all email header, body, attachment data Option to timestamp the archived data Archive Management Use Secure eMail Server Console (secure browser based) Search & recover & resend emails Database archive feature Retention Policy auto-delete feature as a future option

“ mailet” based policy for archiving emails

For outbound emails

For incoming emails

For simple short-medium term archiving

Sends emails to local email archive management module

Keeps all email header, body, attachment data

Option to timestamp the archived data

Archive Management

Use Secure eMail Server Console (secure browser based)

Search & recover & resend emails

Database archive feature

Retention Policy auto-delete feature as a future option

Signed Webmail Architecture (future) Internet 1) Alice creates and sends webmail Alice Bob Secure eMail Server ADSS Server 2) Sign 3) Verify / archive 4) Forward 5) Bob receives Signed email Simple Webmail Application Note: These servers could be co-located on a single system or arranged in separate or a high-availability mode Uses GoSign applet

Summary Meets business needs for an easy to deploy document signing and secure email solution Filters, processes, signs, verifies Encryption, decryption options archive, recovery, resend options Easy to integrate A separate drop-in secure email MTA Server using ADSS Server as a powerful high-security engine Multi-platform Windows 2003 Server today (others by request) Secure Storage Uses industry leading databases with secured content Oracle, SQL Server, PostgreSQL Secure Management A well proven multi-functional security services platform with full security management plus event and transaction logging

Meets business needs for an easy to deploy document signing and secure email solution

Filters, processes, signs, verifies

Encryption, decryption options

archive, recovery, resend options

Easy to integrate

A separate drop-in secure email MTA Server using ADSS Server as a powerful high-security engine

Multi-platform

Windows 2003 Server today (others by request)

Secure Storage

Uses industry leading databases with secured content Oracle, SQL Server, PostgreSQL

Secure Management

A well proven multi-functional security services platform with full security management plus event and transaction logging

Questions: Rod Crook Clive Flatau +44 1256 895416 +44 7789 991686 [email_address] [email_address]