1. over 10 years of securing
identities, web sites & transactions
Best
prac*ces
in
Cer*fying
and
Signing
PDFs
Paul
van
Brouwershaven
Business
Development
Director
EMEA,
GlobalSign
@vanbroup
on
TwiEer
3. GlobalSign
History
§ Founded in 1996 by BE Chambers of Commerce,
ING Bank & Vodafone.
§ Acquired by GMO Internet Inc (ticker symbol Tokyo
PROVEN TRA
CK RECORD
Issued over 1.4
m digital
certificates / digi
tal IDs to people
,
web sites & mac
hines
Issued over 20
Stock Exchange: 9449) & re-launched in 2006 as
0,000 SSL
Certificates
true worldwide operation.
§ GMO parent to over 50 Internet technology & hosting
companies, including largest hosting company in Asia.
§ Current shareholders include Yahoo!,
Morgan Stanley & Credit Suisse.
Over 20 mil
lion certificates
worldwide rely
on the public tr
ust
provided by the
GlobalSign root
§ GlobalSign is Digital Certificate
security division of global group.
§ Web services & offline services for
provisioning Digital Certificates for
enterprise, Government, developers, hosting & Cloud services.
www.globalsign.com
4. GlobalSign
Products
|
Visible
Trust
in
an
online
world
Server, Database &
Network Security
SSL Certificates
Managed SSL
Automated SSL for
Web Hosts
SSL Reseller Program
One-Click SSL
Developer Solutions
Code Signing
Embedded SSL
Secure Email
Digital IDs for Individuals
Digital IDs for Depts
Managed Digital IDs
eDocument /File
Security & Compliance
Adobe CDS for PDF
Microsoft Office
Encrypting File System
(EFS)
PKI & Root Signing
Trusted Root for CAs
www.globalsign.com
8. Adobe
Cer*fied
Document
Services
• GlobalSign is an
authorized Adobe CDS
provider
• Web-Trust Certified,
third party Certificate
Authority
• Governed by Adobe
Certificate Policy
• Only CDS issued
digital IDs are instantly
trusted in Adobe
Reader 7.0+ (SHA-256)
www.globalsign.com
9. “Meet
or
exceed
FIPS
140-‐1
Level
2”
“Subscriber key pairs must be generated in a manner that ensures that the private key is
not known by anybody other than the Subscriber or a Subscriber’s authorized
representative. Subscriber key pairs must be generated in a medium that prevents
exportation or duplication and that meets or exceed FIPS 140-1 Level 2 certification
standard.”
www.globalsign.com
10. EV
Code
Signing
-‐
Private-‐Key
Protec*on
EV Guidelines state:
Code signing keys are to be protected by a FIPS 140-2
level 2 (or equivalent) crypto module. Techniques that may
be used to satisfy this requirement include:
§ (A) Use of an HSM, verified by means of a manufacturer’s certificate;
§ (B) A hardware crypto module provided by the CA;
§ (C) Contractual terms in the subscriber agreement requiring the
Subscriber to protect the private key to a standard equivalent to FIPS
140-2 and with compliance being confirmed by means of an audit.
www.globalsign.com
11. Adobe
Cer*fied
Document
Services
• Allows recipients of PDF documents
to know:
• who signed the document
• the content is intact
• the time the document is
signed
• Recipients only need to have the
free Adobe Reader 7.0+ (installed
on >800M computers worldwide)
Strong Authentication
Data Integrity
Non Repudiation
Recipients of
Certified PDFs
need no special
software, plugins, or special
configuration!!!
www.globalsign.com
12. Simple
and
effec*ve
GUI
Modified Unknown Certified Signed
Changed Author
Trusted
www.globalsign.com
13. Without
*me
stamping
and
CRL
Services
Certification without time stamping and
CRL Services. The validity of the signature
expires with the validity of the digital
certificate used to sign the document.
2011
2012
2013
2014
www.globalsign.com
14. What
about
revoca*on?
With a “Revocation Event” the validity of
the signature expires with the revocation of
the digital certificate.
2011
2012
2013
2014
Basic Signatures are not suitable for Long Term Validation signing (Documents)
www.globalsign.com
15. ETSI
TS
102
778
With “Services” the validity of the signature
applied to the document never expires
even if there is a revocation event.
2011
2012
2013
2014
Part 1: "PAdES Overview - a framework document for PAdES";
Part 2: "PAdES Basic - Profile based on ISO 32000-1"; (Best Practice)
Part 3: "PAdES Enhanced - PAdES-BES and PAdES-EPES Profiles";
Part 4: "PAdES Long Term - PAdES-LTV Profile";
Part 5: "PAdES for XML Content - Profiles for XAdES signatures".
www.globalsign.com
17. Electronic
Invoicing
in
the
EU
§ A constantly changing landscape
§ No single EU wide solution for
compliance*
§ Recommendations by PWC for 2013
already changing the requirements on
a country by country basis.
§ No consistent approach to preserve
authenticity and integrity for ‘Archive
and Storage Purposes’ offering the
possibility of legal recourse. (AMEX)
§
*Adobe CDS offers the only Pan European (Global) authenticity and
Integrity validation system. All other systems require a separate
system/service that is not automatic, nor guaranteed.
§ QES (Qualified Electronic
Signature)
§
Automatic legal standing in EU.
§
Issued on a SSCD
§
Generally issued from a government
root CA.
§
Not usable for Time stamping services.
§ AES /AdES) (Advanced
Electronic Signature)
§
Unique to the signatory;
§
§
Identifying the signatory;
Created using sole control;
§
Linked to the data to which it relates.
Change of the data is detectable;
The Amex legal case and subsequent lessons learnt?
http://www.legalethics.com/include/content/amex012406.pdf
www.globalsign.com
18. Electronic
Invoicing
–
Is
it
legal?
2A. Acceptance of ‘advanced e-signatures’ to send e-invoices (■ = yes / ■ = no )
2B. If yes, can AES be used without obligation to use a qualified certificate (■ = yes or not applicable / ■ = no)
2C. If yes, are qualified certificates from other EU Member States accepted (■ = yes / ■ = subject to conditions)
2D. If yes, can AES be used without obligation to use a secure signature-creation device (■ = yes / ■ = no)
2E. If yes, can the recipient process the invoice without verifying the signature (■ = yes / ■ = no)
3A. Other means than AES or EDI accepted? (■ = yes / ■ = only “other" electronic signatures / ■ = no )
3B. If yes, can other means be used without prior approval? (■ = yes / ■ = in some cases / ■ = no )
3C. Unsigned pdf invoice accepted? (■ = as an e-invoice in case authenticity and integrity are guaranteed by other means / ■
= as a paper invoice ■ = no )
Assumes VAT supply country is consistent
www.globalsign.com
20. Possible
Architecture
(e-‐Invoice)
Document Generation Engine (Content,
Layout, Storage and other specific
compliancy rules)
Application of
Digital Signature
Archive
PDF
GlobalSign
TSA
Service
To Customer
Digital Certificates
HSM
AdES
AdES
(CDS)
(CDS)
Optional
TSA (>1M)
www.globalsign.com
21. over 10 years of securing
identities, web sites & transactions
Thank you
Paul van Brouwershaven
paul.vanbrouwershaven@globalsign.com