Understanding the challenges of document sealing and how to overcome them

Mar 11, 2021

Written by: Jordi Buch

In our previous blog post about Signing Automation Service, we explained how digital seals provide document integrity and authenticity. In part two of this series, we’ll focus on the business and technical challenges of digital seals, and how automating the process can greatly improve the efficiency and reliability of your sealing workflow.

Challenge #1: Document signing certificates must generate publicly trusted signatures/seals in order to be recognized by computers and software

Digital seals are based on document signing certificates. The technology behind them, called Public Key Infrastructure (PKI), has many complexities. One of them is the concept of trust, which notably relies on whether the certificate comes from an authority that is known and trusted by computers and software.

Anyone can issue document signing certificates and start generating seals on documents, but those certificates will only be trusted locally. Other computers and software will not trust the seal if the signing certificate does not come from a Certification Authority (CA) they know and trust.

Solution: Document signing certificates issued by public Certification Authorities generating publicly trusted seals

Adobe is a reference in the world of PDFs, and the company maintains a program for public CAs called the Adobe Approved Trust List (AATL). If the documents you’re planning to seal will be shared publicly, you’ll need document signing certificates issued by a Certification Authority member of the AATL, since Adobe Reader is the major PDF tool used all around the world.

Entrust is a long-standing member of the AATL, and our certificates generate signatures and seals that will be automatically recognized and trusted by Adobe’s software. We’re also part of the Microsoft Root Program, which means our document signing certificates will generate trusted seals for documents from Microsoft Office software such as Word, Excel, and even PowerPoint.

Challenge #2: Document signing certificates require secure hardware storage

Document signing certificates must be stored in secure hardware. This is especially true for document signing certificates issued by public CA members of the AATL, as it is a mandatory requirement from Adobe.

For manual and local use cases, CAs like Entrust provide document signing certificates in a secure USB token that meets the FIPS 140-2 security level. But when hundreds of thousands of documents need to be signed, USB tokens simply won’t scale. They’re not designed to perform a large number of seals, and they’re built to be a plug-in to a local computer, not to be accessed by one or several services across a network.

It’s possible to request a document signing certificate to store on your own hardware security module (HSM), but the cost of the hardware and maintenance can be prohibitive for smaller organizations.

Solution: A centralized signing service backed by cloud-based HSM

Entrust offers a Signing Automation Service leveraging our own publicly trusted certificates, our own cloud HSM service, our own PKI solutions, and our own data centers. This ensures we fully control the entire process for you – from identity verification and certificate issuance to HSM and signature management. Entrust is the only CA capable of this thanks to our comprehensive portfolio of solutions dedicated to digital security.

Challenge #3: The number of documents to seal can grow exponentially, making manual signing impossible

Even with a centralized service, if the signing process relies on human action, it will be subject to specific risks and requirements, such as training, supervision, signature activity during employee working hours, etc.

Solution: The full integration of a signing service into document workflows for a truly unattended process

A good signing service will let you select several documents at a time to seal in batches. The best signing service will simply work in the background for you, and seal documents on the fly.

The Entrust Signing Automation Service can be integrated into your workflows via any toolkit or application that supports the PKCS #11 standard.

Although our service is based in the cloud, the documents to be sealed never leave your premises – we only receive document hashes, which are fixed-length digests that look like random strings of characters and do not expose the document's content.
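The hash-only flow described above can be reproduced with the `openssl` command line. This is an added example, not Entrust code or the service's API: a throwaway local RSA key stands in for the HSM-held sealing key, the function names are hypothetical, and the sample document is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Entrust code): hash-only sealing with the openssl CLI.
# A throwaway local RSA key stands in for the HSM-held sealing key.
set -eu

# Service side: create the stand-in sealing key pair in directory $1.
make_signer() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/key.pem" 2>/dev/null
  openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
}

# Client side: hash document $1 locally; write the raw SHA-256 digest to $2.
client_digest() {
  openssl dgst -sha256 -binary "$1" > "$2"
}

# Service side: sign the received digest $2 with the key in $1; seal goes to $3.
# The document itself is never an input here.
service_sign() {
  openssl pkeyutl -sign -inkey "$1/key.pem" -pkeyopt digest:sha256 \
    -in "$2" -out "$3"
}

# Relying party: verify seal $2 over the full document $3 with public key $1.
verify_seal() {
  openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Demo with a constructed sample document.
demo() {
  d=$(mktemp -d)
  printf 'Invoice 0001, total 100.00 EUR (constructed sample)\n' > "$d/doc.txt"
  make_signer "$d"
  client_digest "$d/doc.txt" "$d/digest.bin"
  service_sign "$d" "$d/digest.bin" "$d/seal.sig"
  echo "bytes sent to the service: $(wc -c < "$d/digest.bin")"
  verify_seal "$d/pub.pem" "$d/seal.sig" "$d/doc.txt" && echo "seal: valid"
  # Any change to the document invalidates the seal.
  printf 'x' >> "$d/doc.txt"
  verify_seal "$d/pub.pem" "$d/seal.sig" "$d/doc.txt" || echo "seal: invalid after edit"
  rm -rf "$d"
}
demo
```

The signing step receives only the 32-byte digest, yet the resulting seal verifies against the full document and fails as soon as the document changes.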

Try it yourself

Learn more about our Signing Automation Service here or contact us to discuss your needs with a digital signing expert now.

Jordi Buch
Jordi Buch is a Product Management Director of Document Signing solutions at Entrust. The document signing portfolio – which includes document signing certificates and automation solutions for document signatures – is built on decades of expertise in PKI and public trust management. Jordi is responsible for developing innovative and leading digital signature services to accompany organizations in their digital transformation.