PotsPan Project Workpackage 3
Institutional Document Management Pilot

1. Overview and Planning

Workpackage 3 of the JISC PotsPan project was to pilot the use of digital signatures with management and administrative documents at Swansea Metropolitan University in the context of its merger with University of Wales Trinity Saint David during the project period. The intention was to explore the benefits of electronic signatures on documents that needed to be shared on multiple sites. The original Workpackage specification can be seen in Appendix A.

The merger took place in October 2012 and the new institution is now engaged in a management planning process that aims to have a fully integrated system in place by mid 2013. Understandably, the new management document systems that will accompany this process have yet to be designed and agreed. As a consequence, to meet the objectives of Workpackage 3, a document management system needed to be chosen that would anticipate future operational needs and be of use to both the new institution and the wider JISC community.

An expectation of future HE delivery strategies is that online blended and distance learning will become an increasingly important component. The authentication of assessment documents submitted remotely online has been a contentious issue [1] and many reviews of potential solutions and new methods have been published [2, 3]. Swansea Metropolitan (the name is retained in the merged university structure) is currently considering the validation of online distance learning courses. It therefore seemed both appropriate and potentially valuable to focus the digital signature pilot on this management issue.

An additional advantage that this Workpackage brings to the project is the opportunity to further explore the acceptable use of electronic signatures.
As noted in other project documents, the use of a digital pen for signatures in the WBL administrative system was a compromise solution that met EU audit requirements for a handwritten signature whilst enabling a fully digitised document system to be established. The proposed Swansea Metropolitan pilot for authenticating online assessment is not constrained in this way and presents an opportunity to take the electronic signature agenda forward.

2. Electronic Signatures

Secure electronic signatures are accepted for financial and business transactions globally [4] and virtually any level of security can be included in document management workflows [5]. Adobe summarise the capability well in their introduction to the use of electronic signatures [6] using their Acrobat PDF authoring application:

"Digital signature capabilities allow authors to set up a secure signing environment and create simple documents and complex forms with one or more fields. Document authors can design documents with multiple signature fields each with unique behavioural characteristics and appearances.

A signed field can lock other fields so that signed data can’t be changed, and authors can force certain signature fields to be a required part of a workflow. Attention to signature field design and configuration can help make the document “do the right thing” when someone receives it as well as control what that person can and cannot do with it."

Similarly, the Open Office suite of open source office applications includes the ability to add digital signatures (and encrypt entire documents) in a secure way. They provide a number of application scenarios [7] including one that is entirely relevant to this case study:

"Scenario: Education: Signing and encrypting documents in the education area is interesting, because it can replace the paper process of correcting dissertations, etc. Students would send their signed dissertations to professors, who would make annotations, sign these annotations and send the signed document back to the student.

Product Requirement 1: Sign Complete Open Office Documents;
Product Requirement 2: Encrypt complete documents;
Product Requirement 3: Protect content via password and allow to add annotations (comments) or tracked changes only;
Product Requirement 4: Sign tracked changes or annotations."

Both Adobe and Open Office enable very similar degrees of security to be applied to their documents and electronic signature systems. The difference between them is that Adobe is a commercial product and Open Office is an open source software application and free to use. Cost will clearly be an important consideration for institutions, and the students using the system, in the choice of software to adopt.

3. Electronic Signature Security

The basic features of a secure electronic signature system are that it should be able to confirm ownership of the document, that the signatory was authorised to sign the document and that the document has not been changed since the signature was applied. Typically the systems will also identify the computer used to create the document and the date and time the signature was added.

There are a number of systems that achieve this, but one of the most secure involves asymmetric public/private key encryption where only the owner with the private key can encrypt the signature/document but anyone with the linked public key can verify the authenticity of the digital signature/document when they open it.

A further element of security in the system is the use of a third party Certification Authority (CA) that generates the public and private key certificates. The private key certificate is held on the owner’s computer and ensures that the encrypted data includes verification information that is recognised by the receiving computer(s) with the public key. If any aspect of the document and signature security is not verified, then a ‘not valid’ alert will be shown.

As with the software suppliers, there are both commercial and freely available CA providers. Clearly there must be complete trust by all users in the integrity and security of the provider chosen. However, as noted earlier, cost is clearly an issue for the institution and the students and this particular evaluation exercise will assess the information from service users in identifying a suitable free CA service.

For the purposes of the PotsPan project only the electronic signature process will be looked at in detail, although references to full document encryption will be made where relevant. The general objective is to identify and test the lowest cost options available and for that reason the Open Office software application will be used and a choice made from the free CA providers available.

4. Electronic Signatures Pilot Plan

The plan for piloting the use of electronic signatures on documents will involve choosing a CA provider and creating digital authentication certificates, installing the certificates on the computer creating the documents, creating a range of documents using Open Office software and applying electronic signatures to those documents. The documents will then be transmitted electronically and an assessment made of the validity of the electronic signatures received and the trust attributable to them. The pilot will conclude with a further assessment, based on evidence gained during the exercise, of the value electronic signatures would bring to the authentication of online assessment submissions.

Implementation of the plan will therefore include:

- Identifying a free Certification Authority service, registering as a user and completing all the security procedures for the creation of authenticated certificates;
- Installing the certificates on the PC to be used to create and sign the documents using the Microsoft Management Console;
- Creating test documents using Open Office Writer and using the Digital Signatures function to add certificated electronic signatures;
- Sending the documents electronically and testing the received documents for validity against the security criteria applied;
- Repeating the exercise using assessment cover sheets attached to student assignments submitted online using Moodle.

The pilot will conclude with a case study based report for inclusion with the JISC PotsPan project deliverables.

Tony Toole
November 2012

[1] Weller, M. (2002) Assessment Issues on a Web Based Course. Assessment and Evaluation in Higher Education, vol 7, no. 2, pp. 109-116.
[2] Toole, A. M. (2001) Assessment Authentication for On-line Learning. Professors & Heads of Engineering Conference. Millennium Stadium, Cardiff.
[3] Toole, A. M. (2002) On-line Assessment, Authentication and the design of a VLE. UCLES Seminar Series. The University Centre, Cambridge.
[4] Toole, A. M. (2012) Making Your Mark – Digital Signatures. JISC Innovating e-Learning Online Conference. November 2012.
[5] Adobe Systems Inc. (2011) Digital Signatures Enterprise User Guide. [online]. Available at: http://www.adobe.com/devnet-docs/acrobatetk/tools/DigSig/Acrobat_DigSig_WorkflowGuide.pdf
[6] Ibid., p. 11.
[7] Loehmann, F. (2004) Electronic Signatures and Encryption GUI. [online]. Available at: http://bcn.boulder.co.us/~neal/i2/OpenOffice_Electronic_Signatures_and_Security.pdf
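The checks described in section 3 and the create, sign, send and validate steps of the pilot plan, as an added example that is not part of the original report. It uses the openssl command line as a stand-in for Open Office and a free CA service, and the CA, signer name and document are all constructed for the demonstration.

```sh
#!/bin/sh
# Added illustration: the CA, signer and document are constructed for the demo.
set -eu

# Create a throwaway CA, issue a signer certificate and sign doc.txt.
make_signed_doc() {   # $1 = empty working directory
    ( cd "$1"
      # Stand-in for the third-party CA: a self-signed root certificate.
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
          -keyout ca.key -out ca.pem 2>/dev/null
      # An unrelated root that the recipient has no reason to trust.
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
          -keyout other.key -out other.pem 2>/dev/null
      # Signer key pair; the CA certifies that the public key belongs to them.
      openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Student" \
          -keyout signer.key -out signer.csr 2>/dev/null
      openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -days 2 -out signer.pem 2>/dev/null
      printf 'Assessment cover sheet (constructed sample)\n' > doc.txt
      # Detached signature over doc.txt made with the private key; the signer
      # certificate and the signing time are embedded in doc.p7s.
      openssl cms -sign -binary -in doc.txt -signer signer.pem \
          -inkey signer.key -outform DER -out doc.p7s 2>/dev/null
      # A copy altered after signing, as the recipient might receive it.
      cp doc.txt tampered.txt
      printf 'mark changed after signing\n' >> tampered.txt
    )
}

# Succeeds only if the content matches the signature AND the signer
# certificate chains to the CA in $3; any failure is the 'not valid' case.
verify_doc() {        # $1 = document, $2 = signature, $3 = trusted CA file
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

report() {            # $1 = label, remaining arguments as for verify_doc
    label=$1; shift
    if verify_doc "$@"; then echo "$label: valid"; else echo "$label: not valid"; fi
}

demo=$(mktemp -d)
make_signed_doc "$demo"
report "unchanged document, issuing CA trusted" "$demo/doc.txt" "$demo/doc.p7s" "$demo/ca.pem"
report "document altered after signing" "$demo/tampered.txt" "$demo/doc.p7s" "$demo/ca.pem"
report "unchanged document, CA not trusted" "$demo/doc.txt" "$demo/doc.p7s" "$demo/other.pem"
rm -rf "$demo"
```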
Appendix A: Workpackage 3 Specification

PotsPan Project Workpackages

Workpackage 3: Institutional WBL Document Management Pilot
Pilot Institution: Swansea Metropolitan University
Primary Contact: Kathryn David, Head of Commercial Services

Workpackage Specification:

Objective: To implement and evaluate the digital signature system for distributed institutional document management, particularly in support of online Work Based Learning provision

| WORKPACKAGE 3: Institutional WBL Document Management Pilot | Start | Finish | Action (deliverables indicated in bold) | Milestone | Responsibility |
|---|---|---|---|---|---|
| 1. Digital pen systems procurement & testing | 01.06.2012 | 31.07.2012 | Completed testing exercise and report indicating recommended system. | | TT |
| 2. Digital document management system review | 01.08.2012 | 30.08.2012 | Completed document review. | | TT, KD, NP |
| 3. JISC WBL toolkit evaluation & testing | 01.09.2012 | 31.10.2012 | Mapping of the JISC WBL toolkit process to SMU WBL delivery. Report & recommendations. | 31.10.2012 | TT, KD, WBL staff |
| 4. Trial of electronic signature systems in online WBL document administration & management | 01.10.2012 | 21.12.2012 | Completed evaluation and test report on electronic signature usage in the WBL documentation system. | | TT, KD, WBL staff |
| 5. Online WBL document electronic signature system refinement, evaluation & reporting | 07.01.2013 | 26.04.2013 | WBL stakeholder workshop and report on digital document management. | 26.04.2013 | TT, KD |