In our previous blog post about Signing Automation Service, we explained how digital seals provide document integrity and authenticity. In part two of this series, we’ll focus on the business and technical challenges of digital seals, and how automating the process can greatly improve the efficiency and reliability of your sealing workflow.
Challenge #1: Document signing certificates must generate publicly trusted signatures/seals in order to be recognized by computers and software
Digital seals are based on document signing certificates. The technology behind them, Public Key Infrastructure (PKI), has many complexities. One of them is the concept of trust, which depends on whether the certificate chains to an authority that computers and software already know and trust.
Anyone can issue document signing certificates and start generating seals on documents, but those certificates will only be trusted locally. Other computers and software will not trust the seal if the signing certificate does not come from a Certification Authority (CA) they know and trust.
Solution: Document signing certificates issued by public Certification Authorities generating publicly trusted seals
Adobe is the reference in the world of PDFs, and the company maintains a program for public CAs called the Adobe Approved Trust List (AATL). If the documents you’re planning to seal will be shared publicly, you’ll need document signing certificates issued by a Certification Authority that is a member of the AATL, since Adobe Reader is the major PDF tool used all around the world.
Entrust is a long-standing member of the AATL, and our certificates generate signatures and seals that will be automatically recognized and trusted by Adobe’s software. We’re also part of the Microsoft Root Program, which means our document signing certificates will generate trusted seals for documents from Microsoft Office software such as Word, Excel, and even PowerPoint.
Challenge #2: Document signing certificates require secure hardware storage
Document signing certificates must be stored in secure hardware. This is especially true for document signing certificates issued by public CA members of the AATL, as it is a mandatory requirement from Adobe.
For manual and local use cases, CAs like Entrust provide document signing certificates on a secure USB token that meets FIPS 140-2 requirements. But when hundreds of thousands of documents need to be signed, USB tokens simply won’t scale. They’re not designed to perform a large number of seals, and they’re built to be plugged into a local computer, not to be accessed by one or several services across a network.
It’s possible to request a document signing certificate to store on your own hardware security module (HSM), but the cost of the hardware and maintenance can be prohibitive for smaller organizations.
Solution: A centralized signing service backed by cloud-based HSM
Entrust offers a Signing Automation Service leveraging our own publicly trusted certificates, our own cloud HSM service, our own PKI solutions, and our own data centers. This ensures we fully control the entire process for you – from identity verification and certificate issuance to HSM and signature management. Entrust is the only CA capable of this thanks to our comprehensive portfolio of solutions dedicated to digital security.
Challenge #3: The number of documents to seal can grow exponentially, making manual signing impossible
Even with a centralized service, if the signing process relies on human action, it will be subject to specific risks and requirements, such as training, supervision, signature activity during employee working hours, etc.
Solution: The full integration of a signing service into document workflows for a truly unattended process
A good signing service will let you select several documents at a time to seal in batches. The best signing service will simply work in the background for you, and seal documents on the fly.
The Entrust Signing Automation Service can be integrated into your workflows via any toolkit or application that supports the PKCS #11 standard.
Although our service is based in the cloud, the documents to be sealed never leave your premises – we only receive document hashes, which are fixed-length one-way digests from which the document content cannot be recovered.
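The split described above, as an added example that is not part of the original post or of the Entrust service: the on-premises side hashes the document and sends only the SHA-256 digest, the remote signer (standing in for the HSM-backed service, which in practice would be reached through a PKCS #11 provider) signs nothing but a digest, and a reader verifies the seal with the public key. The `RemoteSigner` type and the RSA PKCS#1 v1.5 scheme are assumptions for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// RemoteSigner stands in for the cloud-HSM side (assumed for this example):
// the private key never leaves it and it only ever receives a digest.
type RemoteSigner struct{ key *rsa.PrivateKey }

// NewRemoteSigner generates a fresh 2048-bit RSA key inside the "HSM".
func NewRemoteSigner() (*RemoteSigner, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &RemoteSigner{key: k}, nil
}

// PublicKey is what would be embedded in the document signing certificate.
func (s *RemoteSigner) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// SignDigest signs a SHA-256 digest. It rejects any other length so a caller
// cannot push raw document bytes across the network by mistake.
func (s *RemoteSigner) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("expected %d-byte SHA-256 digest, got %d bytes", sha256.Size, len(digest))
	}
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest)
}

// SealDocument runs on-premises: only the digest leaves the building.
func SealDocument(doc []byte, s *RemoteSigner) ([]byte, error) {
	d := sha256.Sum256(doc)
	return s.SignDigest(d[:])
}

// VerifySeal is what a reader (e.g. a PDF viewer) does with the public key:
// recompute the digest locally and check the signature over it.
func VerifySeal(doc, sig []byte, pub *rsa.PublicKey) bool {
	d := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

func main() {
	s, _ := NewRemoteSigner()
	doc := []byte("constructed sample document: invoice #0001") // constructed input
	sig, _ := SealDocument(doc, s)
	fmt.Println("seal verifies:", VerifySeal(doc, sig, s.PublicKey()))
	fmt.Println("tampered copy verifies:", VerifySeal([]byte("invoice #0002"), sig, s.PublicKey()))
}
```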