Presentation Best practices in Certifying and Signing PDFs
We'll take a deep dive into the world of Digital Certificates and future-proof algorithms and remove some of the jargon and hyperbole around signatures. We'll highlight the simple and effective steps that iText delivers in order to create a PDF document that preserves its integrity, its authenticity and its longevity towards a diverse set of multilingual relying parties. We'll focus on key areas such as the choice of certificate hierarchy and the provision of additional trust services. As a Certification Authority, GlobalSign provides ongoing support throughout the lifetime of the Digital Certificate with key PAdES best practice services such as Timestamping, Certificate Revocation Lists and OCSP responder services. We'll touch on some code samples and highlight the alternative vertical markets that are already operational.
Published on: 2012-05-07T12:55:01.000Z
Channel: iText Summit 2012 (all)
Tags: digital signing pdf digital certificates itext
Speakers:
Paul Van Brouwershaven
Paul van Brouwershaven has recently joined GlobalSign as EMEA Business Development Director, bringing with him 10 years of experience of the hosting industry. Prior to joining GlobalSign, Paul held the position of CTO of Networking4all B.V., where he helped gain international name recognition and a solid customer base through technical competence, programming skills and passion for the Internet business. Paul has a wealth of experience of the online security business and a high expertise of digital certificate solutions. A trusted public figure, Paul is dedicated to increasing public awareness of the requirements for online security and has presented at various key industry events and seminars.
PDF: slides.pdf
Slides:
Introduction
over 10 years of securing
identities, web sites & transactions
Best practices in Certifying and Signing PDFs
Paul van Brouwershaven
Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
International footprint
Customers spanning all industries
www.globalsign.com
GlobalSign History
§ Founded in 1996 by BE Chambers of Commerce, ING Bank & Vodafone.
§ Acquired by GMO Internet Inc (ticker symbol Tokyo Stock Exchange: 9449) & re-launched in 2006 as true worldwide operation.
§ GMO parent to over 50 Internet technology & hosting companies, including largest hosting company in Asia.
§ Current shareholders include Yahoo!, Morgan Stanley & Credit Suisse.
§ GlobalSign is Digital Certificate security division of global group.
§ Web services & offline services for provisioning Digital Certificates for enterprise, Government, developers, hosting & Cloud services.
Over 20 million certificates worldwide rely on the public trust provided by the GlobalSign root
PROVEN TRACK RECORD
Issued over 1.4 m digital certificates / digital IDs to people, web sites & machines
Issued over 200,000 SSL Certificates
GlobalSign Products
Visible Trust in an online world
Server, Database & Network Security SSL Certificates Managed SSL Automated SSL for Web Hosts SSL Reseller Program One-Click SSL Developer Solutions Code Signing Embedded SSL Secure Email Digital IDs for Individuals Digital IDs for Depts Managed Digital IDs eDocument /File Security & Compliance Adobe CDS for PDF Microsoft Office Encrypting File System (EFS) PKI & Root Signing Trusted Root for CAs
Digital certificates - an introduction
Digital certificates - an introduction Ctd.
Digital certificates - an introduction Ctd.
Digital certificates - an introduction Ctd.
Authenticity and Integrity
A normal certificate VS an Adobe one
Adobe Certified Document Services
· GlobalSign is an authorized Adobe CDS provider
· Web-Trust Certified, third party Certificate Authority
· Governed by Adobe Certificate Policy
· Only CDS issued digital IDs are instantly trusted in Adobe Reader 7.0+ (SHA-256)
"Meet or exceed FIPS 140-1 Level 2"
"Subscriber key pairs must be generated in a manner that ensures that the private key is not known by anybody other than the Subscriber or a Subscriber's authorized representative. Subscriber key pairs must be generated in a medium that prevents exportation or duplication and that meets or exceed FIPS 140-1 Level 2 certification standard."
EV Code Signing - Private-Key Protection
EV Guidelines state: Code signing keys are to be protected by a FIPS 140-2 level 2 (or equivalent) crypto module. Techniques that may be used to satisfy this requirement include:
§ (A) Use of an HSM, verified by means of a manufacturer's certificate;
§ (B) A hardware crypto module provided by the CA;
§ (C) Contractual terms in the subscriber agreement requiring the Subscriber to protect the private key to a standard equivalent to FIPS 140-2 and with compliance being confirmed by means of an audit.
Adobe Certified Document Services
· Allows recipients of PDF documents to know:
  · who signed the document
  · the content is intact
  · the time the document is signed
· Recipients only need to have the free Adobe Reader 7.0+ (installed on >800M computers worldwide)
Recipients of Certified PDFs need no special software, plugins, or special configuration!
Strong Authentication
Data Integrity
Non Repudiation
Simple and effective GUI
[Figure labels: Modified Unknown Certified Signed Changed Author Trusted]
Without time stamping and CRL Services
Certification without time stamping and CRL Services. The validity of the signature expires with the validity of the digital certificate used to sign the document.
[Timeline figure: 2011, 2012, 2013, 2014]
What about revocation?
With a "Revocation Event" the validity of the signature expires with the revocation of the digital certificate.
[Timeline figure: 2011, 2012, 2013, 2014]
Basic Signatures are not suitable for Long Term Validation signing (Documents)
ETSI TS 102 778
With "Services" the validity of the signature applied to the document never expires even if there is a revocation event.
[Timeline figure: 2011, 2012, 2013, 2014]
Part 1: "PAdES Overview - a framework document for PAdES";
Part 2: "PAdES Basic - Profile based on ISO 32000-1"; (Best Practice)
Part 3: "PAdES Enhanced - PAdES-BES and PAdES-EPES Profiles";
Part 4: "PAdES Long Term - PAdES-LTV Profile";
Part 5: "PAdES for XML Content - Profiles for XAdES signatures".
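The three timelines on the preceding slides (no services, a revocation event, and timestamping plus revocation services), modelled as an added example that is not part of the original slides. The certificate dates, the `SignedPdf` fields and the `validate` function are constructed for illustration, and the model is simplified: it does not check the validity of the TSA's own certificate.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass
class SignedPdf:
    # All values are constructed for illustration.
    cert_not_before: datetime
    cert_not_after: datetime
    timestamp: Optional[datetime] = None    # time asserted by a TSA token
    revocation_info_embedded: bool = False  # CRL/OCSP response stored in the PDF


def validate(doc: SignedPdf, now: datetime,
             revoked_at: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether the signature is still valid when checked at `now`."""
    # Long-term validation needs both a trusted signing time and revocation
    # evidence captured with the document. Otherwise the verifier can only
    # judge the certificate as it stands at verification time.
    ltv = doc.timestamp is not None and doc.revocation_info_embedded
    reference = doc.timestamp if ltv else now

    if not (doc.cert_not_before <= reference <= doc.cert_not_after):
        return False, "certificate not within its validity period"
    # A revocation that predates the trusted signing time still invalidates
    # the signature, even with timestamping and revocation services.
    if revoked_at is not None and revoked_at <= reference:
        return False, "certificate revoked"
    return True, "valid (judged at %s)" % reference.date()


# Constructed certificate lifetime, chosen to fit the 2011-2014 timeline.
CERT = dict(cert_not_before=datetime(2011, 1, 1),
            cert_not_after=datetime(2013, 1, 1))
basic = SignedPdf(**CERT)
ltv = SignedPdf(**CERT, timestamp=datetime(2011, 6, 1),
                revocation_info_embedded=True)

if __name__ == "__main__":
    print(validate(basic, datetime(2014, 1, 1)))
    print(validate(ltv, datetime(2014, 1, 1), revoked_at=datetime(2012, 3, 1)))
```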
Where do customers use CDS?
Electronic Invoicing in the EU
§ A constantly changing landscape
§ No single EU wide solution for compliance*
§ Recommendations by PWC for 2013 already changing the requirements on a country by country basis.
§ No consistent approach to preserve authenticity and integrity for 'Archive and Storage Purposes' offering the possibility of legal recourse. (AMEX)
§ *Adobe CDS offers the only Pan European (Global) authenticity and Integrity validation system. All other systems require a separate system/service that is not automatic, nor guaranteed.
§ QES (Qualified Electronic Signature)
  § Automatic legal standing in EU.
  § Issued on a SSCD
  § Generally issued from a government root CA.
  § Not usable for Time stamping services.
§ AES/AdES (Advanced Electronic Signature)
  § Unique to the signatory;
  § Identifying the signatory;
  § Created using sole control;
  § Linked to the data to which it relates. Change of the data is detectable;
The Amex legal case and subsequent lessons learnt? http://www.legalethics.com/include/content/amex012406.pdf
Electronic invoicing - is it legal?
2A. Acceptance of 'advanced e-signatures' to send e-invoices ( = yes / = no )
2B. If yes, can AES be used without obligation to use a qualified certificate ( = yes or not applicable / = no)
2C. If yes, are qualified certificates from other EU Member States accepted ( = yes / = subject to conditions)
2D. If yes, can AES be used without obligation to use a secure signature-creation device ( = yes / = no)
2E. If yes, can the recipient process the invoice without verifying the signature ( = yes / = no)
3A. Other means than AES or EDI accepted? ( = yes / = only "other" electronic signatures / = no )
3B. If yes, can other means be used without prior approval? ( = yes / = in some cases / = no )
3C. Unsigned pdf invoice accepted? ( = as an e-invoice in case authenticity and integrity are guaranteed by other means / = as a paper invoice = no )
Assumes VAT supply country is consistent
Some EMEA Customers
Possible Architecture (e-Invoice)
[Architecture diagram labels: Document Generation Engine (Content, Layout, Storage and other specific compliancy rules); Archive; GlobalSign TSA Service; PDF; Application of Digital Signature; To Customer; Digital Certificates; HSM; AdES (CDS); AdES (CDS); Optional TSA (>1M)]
Thank you!
Paul van Brouwershaven
paul.vanbrouwershaven@globalsign.com