CoSign from DocuSign providing esignature complying with eIDAS
Enterprise: Consumers, Customers, Partners, Suppliers, Employees
Disconnected systems, manual processes, poor customer experience
There’s a Better Way
10+ Years of Continuous Innovation; ARX adds 25+ years in PKI
188 Countries “DocuSigned”, 43 languages
50M+ Users in SaaS, 20M in On-premise, 120K+ Customers, 50K+ Per Day
DOCUSIGN CONFIDENTIAL
ARX Company background
1991: PrivateCard, PrivateSafe
1995: PrivateServer HSM
1997: PrivateWire SSL VPN
1998: MiniKey USB token
2003: CoSign Digital Signature server
2015: CoSign Digital Signature is acquired by DocuSign
Some of our investors
The DocuSign Difference: Why customers choose DocuSign
Trust: The most reliable and globally-trusted service for digital transactions.
Experience: Simple to use, implement, and manage, driving immediate user adoption.
Choice: Works with applications, services, and devices you already use.
Choice
You can deploy DocuSign:
• With pre-built integrations into the systems you are already using
• Customized to your needs using leading APIs
• On any mobile device, in 43 languages around the world
Experience
• Fast and simple to implement, manage, and use
• A great user experience from the very first transaction
• Your DocuSign experience starts the moment we decide to partner.
• A trusted partner in DocuSign
Trust
• 50M+ users and 50,000 new users joining the DocuSign Global Trust Network every day.
• Uses the xDTM standard
• Strongest encryption practices
• Always available and always at peak performance
• A full digital audit trail
All Successful Businesses Will be 100% Digital.
Pharmaceutical, Communications/Media, Real Estate, High Tech, Insurance, Consumer, Financial Services
Everywhere
100K+ companies, 50M+ users, 50,000 new users/day
DocuSign Customers using CoSign Central
Public Sector (Fed., Local, Court, Security)
Top Universities
AEC Design Firms
Financial Services
Leading Medical Device
Leading CRO’s
Leading Pharmaceutical Customers
Sysmex Japan
W&H in Austria
MEDRAD
Thermo Fisher
Brainlab Germany
Phonak Switzerland
Burns & McDonnell
Hatch Canada
McDermott Singapore
Foster Wheeler Italy
Terracon
Sanofi Pasteur
Schering AG
Pisa
Columbia
Duke
Barcelona
Chiba (Japan)
PRA
PPD
PharmaNet
Kendle
Covance
IDDI Belgium
South Africa
Sumitomo Trust
APAX UK
Ireland Holland
Central Banks of Italy
Seychelles and Bahamas
Department of Justice
Dept. of Veteran Affairs
Norfolk VA Circuit Court
Auckland City New Zealand
The Senate in Rome
European Court of Human Rights
Saudi Arabia Ministry of Foreign Affairs
Hellenic Parliament
Supreme Court of the Netherlands
Comm. Sec. Establishment Canada
CoMSec Iraq
County of Hawaii
IAI Israel
City of Amsterdam
VA Supreme Court
Police Italy
DOT: SC/OR/WA/UT
Stanford
Black & Veatch
City of San Francisco
Italian Ministries
International Criminal Court
F.B.I.
Terminology
TSP – Trusted Service Provider. This covers the following “services”: Certificate Service Provider, Time-Stamping Provider, Signature service provider, …
Qualified TSP – A TSP that works according to the procedures, audited, using certified products, …
• Formal qualification is done by the MS supervisory body.
• The QTSP gets an EU Trust Mark.
• The QTSP is listed in the MS QTSP List and can provide services to all member states.
Qualified Signature Creation Devices (not using the term SSCD anymore) – List of approved QSCD
Qualified Signature == Handwritten signature
Advanced Signature = legal evidence
eIDAS
Other quotes
(40d) IT Security certification based on international standards (like ISO 15408 and related evaluation methods and mutual recognition arrangements) is an important tool to verify the security of qualified signature creation devices and should be promoted. However, innovative solutions and services (such as mobile signing, cloud signing, etc.) rely on technical and organizational solution for qualified signature creation devices for which security standards may not be available yet or the first IT security certification is on-going. Only in such two cases, the level of security of such qualified signature creation devices could be evaluated by using alternative processes. These processes should be comparable to the standards for IT security certification insofar as security levels are equivalent. These processes could be facilitated by a peer review
Other quotes
Sole Control Definition
It should be possible to entrust qualified electronic signature creation devices to the care of a third party by the signatory, provided that appropriate mechanisms and procedures are implemented to ensure that the signatory has sole control over the use of his electronic signature creation data, and the qualified signature requirements are met by the use of the device.
Standard
The standards published by ETSI/CEN will cover the technical aspects of the regulation and will be presented as Implementation Acts.
One of the standards is EN/TS-419241, also known as T4S: Protection Profiles for Qualified Electronic Signature Devices. Level 2 focuses on 2-factor authentication and authentication in the SCDEV.
DocuSign is active in both ETSI/ESI and CEN WG17 committees.
2016
TS 419241 will become 419241-1
219221-5 HSM definition, Q1 2016
419241-2
419241-3
Sole Control, Authentication and signature application
Italian case
Mid 2000s – dominant smartcard presence. Many purchases, few renewals of certificates.
Key visionary customer for server-side signing – the Italian Senate
Decree change, 2010 – acceptance of trustworthy signature server solutions by CAs
Change was driven by the Italian Supervisory body (CNIPA, now AgID)
Italian decision to formalize process, 2012 – only certified products will have legal validity
Jan 2012 CoSign started its Common Criteria certification as an approved SSCD in Italy
July 2014 CoSign received Common Criteria EAL 4+ (AVA_VAN.5) certification and was approved by the Italian Regulatory body – OCSI
December 2015, hundreds of customers, +12M certificates in CoSign deployed
Apart from Italy, CoSign is recognized as an SSCD in Hungary, Greece, Cyprus, Netherlands,
Centralized Digital Signature Server
CoSign Digital Signatures - feature set
Extended Application Support
Certificate Management
Signing Key Management
Graphical Signatures
Active Directory Sync
Strong Authentication Support
Secure hardware enclosure
CoSign Central as a Secure Signature Creation Device
Certifications
• FIPS 140-2 level 3
• Common Criteria EAL 4+ (AVA_VAN.5)
Security
• Banking-grade physical and logical security
• All keys are non-extractable
• Random number generation is based on a FIPS-approved HRNG
• All sensitive data inside the appliance is encrypted
• All access to CoSign accounts requires authentication
• Possible to require authentication credentials for every use of the private key
• All network communication is TLS encrypted
CoSign Central as a Secure Signature Creation Device
Compliance
• Fully compliant with TS 419 241 level 2
• Maintains the concept of Sole Control
• DocuSign is part of CEN WG 17
• EU eSig Directive compliant & eIDAS-ready
Performance per appliance (current version 7.4)
• Over 250 tps (signatures with RSA 2048 bit keys)
• Supports 2.5 million accounts
High-Availability / Load-Balancing
• Supports Active/Active, Active/Passive, cold backup
• Geography-neutral services – Disaster Recovery sites
Deploys in Customer’s Data Center
Admin
Key-Mgmt; Private-key Ops
ID-Certificate Mgmt
Personal Sigs, Pro Seals
Desktop Apps
Web Apps
Mobile Apps
Signers
Request for Signature
Central Control over Signature Privileges
Policy & Procedure
Employee Provisioning/Revocation
CoSign = Turnkey Solution (deploys in ~2 hours)
Active Directory
(or LDAP Directory)
CoSign listens to the Directory
Central Control over Signature Privileges
How to Access CoSign – Allows Broader User Adoption
Web Access*
Mobile App
Connectors: ECM & Workflow
Web Agent (for Developers)
Client or App Add-ins
Personal Signatures & Professional Seals
Built-in CA or 3rd-Party CA
Signing-Key Management & Signature Function
* Used mainly to demo the capability of the Web Agent
CoSign APIs and integration options
• Standard APIs (Windows) PKCS#11, CAPI, CNG, JCA/JCE
• SAPI Local for Windows (C/C++, COM, .NET); includes SAPI-Crypt and SAPI-UM
• SAPI SOAP Web Services
• SAPI REST Web Services
• CoSign Signature Web Agent
• Enrollment Connector
• Others (SharePoint, SAP, and more…)
CoSign Connectors
ECM - Enterprise Content Management
• SharePoint
• OpenText (LL 9.7.1, CS10, eDOCS)
• Oracle (WCC)
• Alfresco
• Documentum (D2, Webtop, xCP)
• ELO
• iManage
ERP - Enterprise Resource Planning
• SAP
CRM - Customer Relationship Management
• Salesforce
• MS Dynamics
Workflows
• Nintex
• Alfresco
• K2
• OpenText (LL 9.7.1, CS10)
• Oracle (WCC)
• Documentum
PLM - Product Lifecycle Management
• Teamcenter
Miscellaneous
• CLM Matrix
• PDF Share forms
http://www.arx.com/connections
Authentication methods
• Username / Password (tunneled)
• Active Directory ticket
• Smartcard / USB Token (PKI)
• OTP (RADIUS)
• SAML
• Biometric
• User-defined
Certificate Enrollment process to CoSign
Key Generation – RA software (Enrollment Connector)
• Use standard APIs (PKCS#11, CAPI, JCA)
• All keys are generated inside the SSCD
• FIPS approved random and key generation algorithm
• All keys are bound to a CoSign Account
• Key sizes: RSA 2048, 4096 bits
• Requires signer login (if passwords are set)
Certificate Enrollment process to CoSign
Certificate issuing – RA software (Enrollment Connector)
• Build CSR (certificate request) – PKCS#10
• Sign CSR (requires user intervention)
• Send to CA (online or offline)
• Receive certificate and upload to CoSign account
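An RA-side acceptance check for the enrollment steps above, as an added example (not CoSign, SAPI or Enrollment Connector code): before a PKCS#10 request goes to the CA, it confirms that the CSR's self-signature verifies and that the RSA key size is one of those listed on the slide. The function names, the subject and the openssl-generated software key are assumptions made so the example runs offline; in the deployment described here the key is generated inside the appliance.

```shell
#!/bin/sh
# Added example: RA-side acceptance check for a PKCS#10 request before it goes to the CA.
# Assumption: openssl creates a software key only so this runs offline; in the
# deployment described above the key is generated inside the appliance.

ALLOWED_BITS="2048 4096"   # key sizes listed on the slide

# make_csr BITS PREFIX: constructed sample key and CSR (hypothetical subject)
make_csr() {
  openssl req -new -newkey "rsa:$1" -nodes -sha256 \
    -subj "/O=Example Org/CN=Example Signer" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# csr_key_bits FILE: print the size in bits of the public key inside the CSR
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_csr FILE: print a verdict; return 0 only if the CSR should go to the CA
check_csr() {
  # The CSR signature proves the requester can use the matching private key.
  # Match on the message: some openssl releases exit 0 even when verification fails.
  if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"; then
    echo "reject: self-signature does not verify"; return 1
  fi
  if ! openssl req -in "$1" -noout -text 2>/dev/null | grep -q "rsaEncryption"; then
    echo "reject: not an RSA key"; return 1
  fi
  bits=$(csr_key_bits "$1")
  for ok in $ALLOWED_BITS; do
    if [ "$bits" = "$ok" ]; then echo "accept: RSA $bits"; return 0; fi
  done
  echo "reject: RSA ${bits:-unknown} not in allowed sizes"; return 1
}

# Demo on constructed data
demo_dir=$(mktemp -d)
make_csr 2048 "$demo_dir/signer" && check_csr "$demo_dir/signer.csr"
rm -rf "$demo_dir"
```

The check runs on the public request only, so it works the same whether the private key lives in software or in a signing appliance.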
Standards-based
Multiple CAs, multiple certificate templates
Multiple certificates per user
Top security
Sole Control
Demo
Thank You