Pots pan case study swansea met


Published on

Published in: Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Pots pan case study swansea met

  1. 1. Pilot of the Swani Project Administrative Network (PotsPan)Project Pilot Case StudyPartner Institution: Swansea Metropolitan, University of Wales Trinity St DavidDate: January 2013Case Study Title: Electronic Signatures for Online Distance Learning DocumentAuthentication1. SummaryThe contribution to be made by Swansea Metropolitan University as a partner in the JISC PotsPanproject was to pilot the use of digital signatures with management and administrative documents inthe context of its merger with University of Wales Trinity Saint David during the project period. Theintention was to explore the benefits of electronic signatures on documents that needed to beshared on multiple sites, particularly with regard to the delivery of work-based learning.The importance of this pilot exercise was that it was not constrained by the EU requirement for handwritten signatures that led to the use of digital pens for the other pilot exercises. It was therefore anopportunity to explore the use and effectiveness of secure electronic signatures on documents andhow they could be used to authenticate digitally communicated administrative paperwork.The basic features of a secure electronic signature system are that it should be able to confirmownership of the document, that the signatory was authorised to sign the document and that thedocument has not been changed since the signature was applied. Typically the system will alsoidentify the computer used to create the document and will verify the date and time the signaturewas added.A further element of security in the systems accepted by international finance and commerce is theuse of a third party Certification Authority (CA) that generates encrypted public and private keycertificates. The private key certificate is held on the owners’ computer and ensures that theencrypted data includes verification information that is recognised by the receiving computer(s) withthe public key. If any aspect of the document and signature security is not verified, then a ‘not valid’alert will be shown.Both commercial and open source document creation applications are available that include theability to add secure electronic signatures to documents and provide CA services. An objective in thePotsPan project was to identify the most cost effective solution for the institutions and this casestudy shows how open source solutions are both available and effective.The pilot exercise created and tested a series of documents with secure electronic signatures. Thesedocuments were sent electronically as attachments and uploaded to institutional websites and wereshown to retain the encrypted data confirming signature and document validity.It was concluded that the work confirmed that electronic signatures that authenticated digitallytransmitted administrative documents were achievable in a cost effective way and that metcommercially accepted levels of verification and security.2. The Work-Based Learning ContextSwansea Metropolitan based the electronic signature pilot exercise on plans for the online distancelearning delivery of logistics and transport training for British Forces stationed in Germany and otheroperational areas. The courses, validated by the Chartered Institute of Logistics and Transport1, are1 http://courses.independent.co.uk/training-provider/chartered-institute-of-logistics-transport-13079 1
  2. 2. currently delivered on-site by peripatetic tutors and are consequently expensive to deliver. Onlinedelivery would be much more cost effective, but would require the authentication of worksubmitted online by the work based learners. This would normally be in the form of assignmentsuploaded to the Swansea Metropolitan Moodle site, accompanied by front sheets signed by anaccredited local work-based mentor.The planning for the online distance learning version of the CILT course was carried out in parallelwith another project funded under the Embedding Benefits strand of the JISC e-LearningProgramme. The Dewi project2, led by Cardiff Metropolitan University, had the objective of using theJISC WBL Maturity Toolkit3 to assist in the design of WBL programmes in the partner institutions. AtSwansea Metropolitan the exercise centred on the CILT online delivery proposal4 and hence fitted inwell with the PotsPan pilot. A third project at Swansea Metropolitan, again part of the the JISCEmbedding Benefits programme, also contributed to the pilot exercise. The was the Smudie project5which was using Enterprise Architecture and similar modelling techniques to plan improved studentinformation management systems at the university and thus also aligned well with the pilot exerciseobjectives.3. The Pilot ExerciseThe pilot exercise was carried out in three phases. The first was an initial research phase whichexplored the methods used to securely authenticate digitised documents and the signatures thatverified them in current global commerce and finance. This phase had the goal of identifyingestablished trusted practice that could be replicated in an educational authentication and auditcontext.Once established practice appropriate for educational use had been identified, the second phaseobjective was to design an implementation plan that satisfied the academic quality assurancerequirements as well as optimising system cost effectiveness. This involved exploring and testingappropriate implementation options and arriving at a solution that met both conditions.The final phase of the pilot exercise was to implement, test and evaluate the chosen option and todraw conclusions about future viability, sustainability and value in supporting future online distancelearning for the institution. It was also hoped that the outcomes would be of value to others in thesector considering similar issues.Phase 1: initial researchSecure electronic signatures are accepted for financial and business transactions globally6 andvirtually any level of security can be included in document management workflows. Adobesummarise the capability well in their introduction to the use of electronic signatures7 using theirAcrobat PDF authoring application:Digital signature capabilities allow authors to set up a secure signing environment and create simpledocuments and complex forms with one or more fields. Document authors can design documentswith multiple signature fields each with unique behavioural characteristics and appearances.A signed field can lock other fields so that signed data can’t be changed, and authors can forcecertain signature fields to be a required part of a workflow. Attention to signature field design andconfiguration can help make the document “do the right thing” when someone receives it as well ascontrol what that person can and cannot do with it.2 http://www.jisc.ac.uk/whatwedo/programmes/elearning/embeddingbenefits2012/dewi.aspx3 http://wbltoolkit.pbworks.com/w/page/35396849/Home%20page%20-%20WBL%20Maturity%20Toolkit4 http://swanseametwbl.pbworks.com/w/page/61324658/JISC%20Dewi%20Project%20Information%20and%20Documents5 http://smudieprojectblog.blogspot.co.uk/6 Toole, A. M. (2012) Making Your Mark – Digital Signatures. JISC Innovating e-Learning Online Conference. November 2012.7 Adobe Systems Inc. (2011) Digital Signatures Enterprise User Guide. [online]. Available at: http://www.adobe.com/devnet-docs/acrobatetk/tools/DigSig/Acrobat_DigSig_WorkflowGuide.pdf 2
  3. 3. Similarly, the Open Office suite of open source office applications includes the ability to add digitalsignatures (and encrypt entire documents) in a secure way. They provide a number of applicationscenarios8 including one that is entirely relevant to this case study:Scenario: Education: Signing and encrypting documents in the education area is interesting, becauseit can replace the paper process of correcting dissertations, etc. Students would send theirsigned dissertations to professors, who would make annotation, sign these annotation and send thesigned document back to the student.Product Requirement 1: Sign Complete Open Office Documents;Product Requirement 2: Encrypt complete documents;Product Requirement 3: Protect content via password and allow to add annotations (comments) ortracked changes only;Product Requirement 4: Sign tracked changes or annotations.Both Adobe and Open Office enable degrees of security to be applied to their documents andelectronic signature systems that meet the authentication needs of the project. The differencebetween them is that Adobe is a commercial product and Open Office is an open source softwareapplication and free to use.Secure and trusted electronic signature systems typically involve the use of third party CertificationAuthority (CA) providers who ensure the validity of the digital certificates they issue for confirmingauthor identity, ensuring document integrity and providing encryption keys for secure documentdistribution. The CA providers would carry out a series of verification tests to prove identity,including those typically used by banks in providing financial services. In the most secure systems,the CAs would themselves be legally liable for any fraud carried out through the use of their digitalcertificates. Again, both commercial and free to use service provision is available.Central to both the Adobe and Open Office ability to add electronic signatures to their documents isthe fact that they are in PDF format. PDF documents not only contain the document content, theyalso include any meta-data relating to that content, including electronic signature data, added whenthe document was created and saved. When opened in a PDF document reader, the meta-data willbe read and, where it relates to a digital signature, will be able to verify the status of the document,including the validity of the CA digital certificate.Phase 2: the implementation planPDF file format is commonly used for the transmission of digital documents as it is an independentformat able to be opened by any PDF reader. It is commonly used in education as a trusted formatand would typically be requested for any document upload or email attachment. It is entirelyappropriate for the purpose of assignment submission by online distance work-based learners.Online submission would be through the Swansea Metropolitan Moodle site. Each submission wouldbe a PDF file containing the assessment document prepared by the learner, together with a top-sheet containing the electronic signatures of the learner and the WBL mentor responsible forconfirming authenticity. The validity of electronic signatures would be assured by registering all theusers with the CA provider.Both Adobe Acrobat and Open Office Writer were tested as PDF authoring applications and wereboth found to be perfectly adequate. Open Office Writer9 was chosen as the preferred option as itwas open source and could be freely used by the institution, the WBL employer and the learners.8 Loehmann, F. (2004) Electronic Signatures and Encryption GUI. [online]. Available at:http://bcn.boulder.co.us/~neal/i2/OpenOffice_Electronic_Signatures_and_Security.pdf9 http://www.openoffice.org/product/writer.html 3
  4. 4. The CA organisation selected for trialling in the pilot exercise was CAcert10 who provide a free to usedigital certificate service.Phase 3: testing and evaluationTo use Open Office Writer, it needs to be downloaded and installed on each computer to be used11.Each user then needs to register with CAcert, the sequence being: Registration as a user and create an account on the CAcert website12. This involves entering a user name and password, along with other unique security data; When registered and logged in, the process is to select ‘new client certificate’ and then ‘create certificate’; A security strength level is selected for the encryption key at this stage. For the exercise, ‘Microsoft enhanced cryptographic provider v1.0’ was chosen;When the certificate is created it opens in a new window with an invitation and link to import intothe browser. An email is also sent confirming the creation of the certificate, providing a link to it inthe user account, and also a reminder that the CAcert root certificate also needs to be importedbefore certificates can be used. A link to this process is also provided.The installation process begins with the Root Certificate and this is accessed on the CAcert RootCertificate website13. There are links on the page to initiate the Root Certificate download. Once thishas been done, the download is imported in the Internet Options>Content>Personal>Certificates> ofthe browser using the ‘Trusted Root Certification Authorities’ tab. The digital certificate can then beimported by clicking on the link in the certificate page on the CAcert website. The certificate is nowready for use.With the digital certificate imported, it can be used to add electronic signatures to Open Officedocuments. For the purpose of Pilot Exercise 1 a test document was created in Open Office Writerand the electronic signature process tested.Once the document had been created the File>Digital Signatures option was selected and the newlyimported digital certificate option appeared in a new window and was activated by clicking on theSign Document button. Once signed and saved, whenever the file is opened it will have the smallicon next to the ‘The signatures in this document are valid’ line in the image above showing in thedocument toolbar confirming that it is a valid signed document:When the document is opened and the icon is double clicked, the documentation verification will beconfirmed and the security information can be viewed:10 https://wiki.cacert.org/FAQ/AboutUs11 http://www.openoffice.org/download/12 https://www.cacert.org/index.php?id=113 http://www.cacert.org/index.php?id=3 4
  5. 5. If, at any time, the signed document is edited or changed in any way, the electronic signature will beinvalidated and the icon in the document toolbar will disappear. The edited document can, ofcourse, be re-signed by an authorised signatory.The system was tested and evaluated using a series of test documents. The test document abovewas sent by email as an attachment and when opened in Open Office Writer, it included the digitalsignature that confirmed validity and that the document had not been altered since the signaturehad been applied.When opened, the document was in read-only format which further avoids the possibility ofinvalidating the signature. The attached file was saved locally and, when opened as a local file, stillretained the digital signature verification. However, it was now in edit mode and, if editing did takeplace, then the digital signature was invalidated.4. The Pilot OutcomesHaving established the viability of combining the open source document creation and editingapplication Open Office with the freely available Certification Authority services provided by CAcert,the next phase of the pilot exercise was to trial the system with University assessment documents.The standard assessment front-sheet used by the Faculty of Applied Design and Engineering atSwansea Met was chosen. It was imported into Open Office Writer and, after some appropriateformatting changes suitable for export as an OpenDocument Text file, the document was digitallysigned using the authentication certificate set up during the first pilot exercise. After confirming thevalidity of the signature, the file was then sent as an email attachment and, on receipt, the file wassaved and opened using Open Office. 5
  6. 6. The received document can be seen below, along with images demonstrating that the digitalsignature was valid and verifiable on receipt.The outcomes of the pilot exercises can therefore be reported to have met all expectations anddemonstrate that the use of electronic signatures can be reliably applied to remotely submittedassessment documents. It can be further reported that the outcome is achievable using open sourcetools and freely available services, thus making the process highly cost effective and accessible.5. Conclusions and RecommendationsThe overall conclusions that can be drawn from the outcomes of this pilot exercise are that theyconfirmed that electronic signatures that authenticated digitally transmitted administrativedocuments were achievable in a cost effective way and that they met commercially acceptable levelsof verification and security.In the context of the plans for the delivery of work-based learning by online distance learning, itdemonstrated that the system would facilitate the authentication of remotely submitted assessmentmaterials. Clearly academic quality approval processes would need to be satisfied for accreditation,but it is felt that a level of quality assurance equivalent to that of campus based courses could bedemonstrated with this system.It is recommended that the electronic signature system be further tested and that this shouldinclude exploring alternative applications and services to ensure the most robust and cost effectivecombination is adopted. It is suggested that this be included in the preliminary trials of onlinedistance learning WBL delivery at the university.This case study is submitted as one of the planned deliverables of the JISC PotsPan project managedby Coleg Sir Gâr.Tony TooleJanuary 2013 6