10+ Years Securing Identities, Sites & Transactions
1. over 10 years of securing
identities, web sites & transactions
Best
prac*ces
in
Cer*fying
and
Signing
PDFs
Paul
van
Brouwershaven
Business
Development
Director
EMEA,
GlobalSign
@vanbroup
on
TwiEer
3. www.globalsign.com
GlobalSign
History
PROVEN TRACK RECORD
Issued over 1.4m digitalcertificates / digital IDs to people,web sites & machines
Issued over 200,000 SSL
Certificates
Over 20 million certificatesworldwide rely on the public trustprovided by the GlobalSign root
§ Founded in 1996 by BE Chambers of Commerce,
ING Bank & Vodafone.
§ Acquired by GMO Internet Inc (ticker symbol Tokyo
Stock Exchange: 9449) & re-launched in 2006 as
true worldwide operation.
§ GMO parent to over 50 Internet technology & hosting
companies, including largest hosting company in Asia.
§ Current shareholders include Yahoo!,
Morgan Stanley & Credit Suisse.
§ GlobalSign is Digital Certificate
security division of global group.
§ Web services & offline services for
provisioning Digital Certificates for
enterprise, Government, developers, hosting & Cloud services.
4. www.globalsign.com
GlobalSign
Products
|
Visible
Trust
in
an
online
world
Server, Database &
Network Security
SSL Certificates
Managed SSL
Developer Solutions
Code Signing
Embedded SSL
Secure Email
Digital IDs for Individuals
Digital IDs for Depts
Managed Digital IDs
eDocument /File
Security & Compliance
Adobe CDS for PDF
Microsoft Office
Encrypting File System
(EFS)
Automated SSL for
Web Hosts
SSL Reseller Program
One-Click SSL
PKI & Root Signing
Trusted Root for CAs
8. www.globalsign.com
Adobe
Cer*fied
Document
Services
• GlobalSign is an
authorized Adobe CDS
provider
• Web-Trust Certified,
third party Certificate
Authority
• Governed by Adobe
Certificate Policy
• Only CDS issued
digital IDs are instantly
trusted in Adobe
Reader 7.0+ (SHA-256)
9. www.globalsign.com
“Meet
or
exceed
FIPS
140-‐1
Level
2”
“Subscriber key pairs must be generated in a manner that ensures that the private key is
not known by anybody other than the Subscriber or a Subscriber’s authorized
representative. Subscriber key pairs must be generated in a medium that prevents
exportation or duplication and that meets or exceed FIPS 140-1 Level 2 certification
standard.”
10. www.globalsign.com
EV Guidelines state:
Code signing keys are to be protected by a FIPS 140-2
level 2 (or equivalent) crypto module. Techniques that may
be used to satisfy this requirement include:
§ (A) Use of an HSM, verified by means of a manufacturer’s certificate;
§ (B) A hardware crypto module provided by the CA;
§ (C) Contractual terms in the subscriber agreement requiring the
Subscriber to protect the private key to a standard equivalent to FIPS
140-2 and with compliance being confirmed by means of an audit.
EV
Code
Signing
-‐
Private-‐Key
Protec*on
11. www.globalsign.com
Adobe
Cer*fied
Document
Services
• Allows recipients of PDF documents
to know:
• who signed the document
• the content is intact
• the time the document is
signed
• Recipients only need to have the
free Adobe Reader 7.0+ (installed
on >800M computers worldwide)
Strong Authentication
Data Integrity
Non Repudiation
Recipients of
Certified PDFs
need no special
software, plug-
ins, or special
configuration!!!
13. www.globalsign.com
Without
*me
stamping
and
CRL
Services
Certification without time stamping and
CRL Services. The validity of the signature
expires with the validity of the digital
certificate used to sign the document.
2011 2012 2013 2014
14. www.globalsign.com
What
about
revoca*on?
With a “Revocation Event” the validity of
the signature expires with the revocation of
the digital certificate.
Basic Signatures are not suitable for Long Term Validation signing (Documents)
2011 2012 2013 2014
15. www.globalsign.com
ETSI
TS
102
778
With “Services” the validity of the signature
applied to the document never expires
even if there is a revocation event.
Part 1: "PAdES Overview - a framework document for PAdES";
Part 2: "PAdES Basic - Profile based on ISO 32000-1"; (Best Practice)
Part 3: "PAdES Enhanced - PAdES-BES and PAdES-EPES Profiles";
Part 4: "PAdES Long Term - PAdES-LTV Profile";
Part 5: "PAdES for XML Content - Profiles for XAdES signatures".
2011 2012 2013 2014
17. www.globalsign.com
§ A constantly changing landscape
§ No single EU wide solution for
compliance*
§ Recommendations by PWC for 2013
already changing the requirements on
a country by country basis.
§ No consistent approach to preserve
authenticity and integrity for ‘Archive
and Storage Purposes’ offering the
possibility of legal recourse. (AMEX)
§ *Adobe CDS offers the only Pan European (Global) authenticity and
Integrity validation system. All other systems require a separate
system/service that is not automatic, nor guaranteed.
Electronic
Invoicing
in
the
EU
The Amex legal case and subsequent lessons learnt?
http://www.legalethics.com/include/content/amex012406.pdf
§ QES (Qualified Electronic
Signature)
§ Automatic legal standing in EU.
§ Issued on a SSCD
§ Generally issued from a government
root CA.
§ Not usable for Time stamping services.
§ AES /AdES) (Advanced
Electronic Signature)
§ Unique to the signatory;
§ Identifying the signatory;
§ Created using sole control;
§ Linked to the data to which it relates.
Change of the data is detectable;
18. www.globalsign.com
Electronic
Invoicing
–
Is
it
legal?
Assumes VAT supply country is consistent
2A. Acceptance of ‘advanced e-signatures’ to send e-invoices (■ = yes / ■ = no )
2B. If yes, can AES be used without obligation to use a qualified certificate (■ = yes or not applicable / ■ = no)
2C. If yes, are qualified certificates from other EU Member States accepted (■ = yes / ■ = subject to conditions)
2D. If yes, can AES be used without obligation to use a secure signature-creation device (■ = yes / ■ = no)
2E. If yes, can the recipient process the invoice without verifying the signature (■ = yes / ■ = no)
3A. Other means than AES or EDI accepted? (■ = yes / ■ = only “other" electronic signatures / ■ = no )
3B. If yes, can other means be used without prior approval? (■ = yes / ■ = in some cases / ■ = no )
3C. Unsigned pdf invoice accepted? (■ = as an e-invoice in case authenticity and integrity are guaranteed by other means / ■
= as a paper invoice ■ = no )
20. www.globalsign.com
Possible
Architecture
(e-‐Invoice)
Document Generation Engine (Content,
Layout, Storage and other specific
compliancy rules)
PDF
Application of
Digital Signature To Customer
Archive
Digital Certificates
Optional
TSA (>1M)
HSM
AdES
(CDS)
AdES
(CDS)
GlobalSign
TSA
Service
21. over 10 years of securing
identities, web sites & transactions
Thank you
Paul van Brouwershaven
paul.vanbrouwershaven@globalsign.com