Transformation for South American Business

Gestión de Seguridad Electrónica (GSE S.A.) has started the paradigm shift in South America. Understanding the needs of users in digital signature services, our company has enabled its products with the aim of facilitating their implementation and generating value for end customers, enriching the user experience, making it simpler and more secure.

“As of December 1, 2020, Gestión de Seguridad Electrónica – GSE S.A., began to be part of the Cloud Signature Consortium (CSC) as an associate member, thus being the first South American digital certification entity to obtain this distinction. This has allowed us to achieve part of the fundamental objectives that we have as an Organization and transcend borders from the implementation of the API model of cloud signing defined by the CSC ”. -Affirms Borja Carreras, CEO of GSE.

Currently, some digital certification authorities, active members of the CSC, in Europe and North America, are working on the expansion and standardization of signing operations in the cloud, developing and creating digital signature solutions for different scenarios and business cases.

So far GSE S.A. has positioned its portfolio with the following products and services:

  • Central Digital Signature.
  • Virtualized Digital Signature.
  • Firm@email, email services with proof of shipment on receipt and delivery.
  • Firm@archivo, storage service and safe custody of data.
  • Cronofirma, chronological stamp service.
  • Vinkel, web application for managing electronic forms and flows.
  • Firmaya Suite, digital signature applications, encryption and information exchange.
  • Colfactura, electronic billing service.
  • Biometrics authentication and identity validation service.

In all these services, the integration of the CSC API will begin, in order to expand its possibilities of use, build a new landscape for customers of digital signature services, generate new application alternatives, and give rise to innovative value-added services, which are supported by the CSC API.

With these activities carried out by GSE, it is expected that the use of these tools in old and new use cases can bring more benefits to each and every one of the members of the CSC, allowing interaction and positioning worldwide and encouraging the interoperability of the digital signature in the cloud.

With the hashtag #destoquenizate, awareness campaigns have been launched on social networks and different communication channels, promoting the use of digital signatures in the cloud, eliminating the need to use smart cards and usb tokens. GSE seeks to culturally transform the users operational and business practices, improving their processes, making them faster, more agile, and eliminating dependency on hardware, installing drivers, and making platforms more open.

GSE aims to be a benchmark in the implementation of solutions that involve signing in the cloud, providing a different point of view to the consortium, from the perspective of knowledge and experience integrating digital signature solutions in Colombia and, in general, for South America. Also, by being a pioneer and generating innovative ideas to the entire digital security ecosystem, thus making it possible for there to be greater in coverage and universality.

Finally, following the trend of cultural transformation, GSE hopes to positively influence the changes at the standards level that can contribute to the continuous improvement of processes by empathizing with customers and solving their problems in the most efficient and easy way.

yes.com rolled out solution based on preliminary CSC work on short-term certificates

Since the beginning of this year, about 35 million German bank customers in the yes ecosystem are able to spontaneously sign contracts easily and securely with third-party providers using their online banking credentials. The service is compliant with the eIDAS regulation for remote signature creation and leverages the existing two-factor authentication systems of the banks along with the verified person data banks gather and maintain for their customers to comply with anti money laundering law.  

The bank acts as identity provider towards the QTSP that uses the verified person data to create short-term certificates, each of them used for an individual signing transaction. The 2-factor authentication of the online banking strong customer authentication (SCA) also enables the user to confirm the signature creation directly with their bank. This is an innovative approach to complying with the eIDAS regulation, which allows bank customers to spontaneously sign without the need for an additional onboarding or registration with a QTSP, giving signing application access to 35 million users that are “ready to sign”. 

The technical underpinning of the new service is an extension to CSC for utilizing short-term certificates, which the Technical Working Group has been working on since last year. yes.com is contributing its experience and technical expertise in this context to enable spontaneously initiated QES based on short-term certificates in the upcoming CSC 2.0 standard, so this functionality can be used by all applications supporting CSC 2.0.

With Namirial and Infocert, two QTSPs already support the generation of QES using this approach based on online banking in cooperation with the yes ecosystem.

Trust Service Providers (TSPs) and Qualified Trust Service Providers (QTSPs) are using CSC globally to enable users to sign documents using Qualified and Advanced Electronic Signatures. With every country having its own requirements and regulations, CSC is enabling TSPs to offer interoperable solution offerings. This provides users with a choice of signature providers, ensuring solutions can adhere to industry standard requirements and offer ultimate flexibility for customers.

This is a benefit for many TSPs but especially in countries where choice is a legal requirement. In Chile, the fair competition law requires companies to offer equal opportunities for companies to partake in solution offerings. CSC’s API enables TSPs in the country to offer certificates and signing from multiple providers, adhering to this law but also ensuring customers receive a tailored approach that is not limited by compatibility or integration requirements.

In Europe, with the eIDAS regulation, QTSPs are using CSC as part of their PKI infrastructures to natively integrate with multiple signing servers and signature solutions to provide a wide choice of eIDAS compliant signatures.

Ascertia works with multiple Enterprise, government organisations, TSPs and QTSPs globally. Ensuring our products are compatible with the latest CSC API ensures we can provide even greater integration and interoperability to our customers, and the TSPs that use us to deliver their services.

This includes the Bangladesh Computer Council (BCC), a government organisation and licensed Certificate Authority in Bangladesh that is part of the country’s Digital Bangladesh initiative.

As part of the digital transformation of the country, BCC searched for solutions that could provide electronic signature services for Bangladesh’s citizens as well as timestamping services for businesses and the government and it chose Ascertia’s solutions. 

SigningHub and ADSS Server are both CSC v1.0.4.0 compliant which future proofs the solution to allow integration with additional signing solutions and TSPs.

You can read the full case study here.

By Elisa Van Ruiten

On 16 October 2020, the Cloud Signature Consortium hosted a member-only virtual roundtable: ID Verification: How to meet customer needs & tackle regulatory challenges? The event was moderated by John Jolliffe, Senior Manager of Strategic Development, Document Cloud at Adobe, and the international panel featured four CSC members, whose companies are innovating in the field of identity verification: Francesco Vetrano of Intesi Group in Italy, Vijay Kumar of eMudhra in India, Carrie Peter of Impression Signatures in South Africa, and Ionut Florea of certSIGN in Romania. In addition to innovation, they each spoke about the challenges they face, sharing insights and best practices from around the globe, and the role CSC can play going forward.

Opportunities for CSC leadership

As a growing association in an evolving field, CSC has many opportunities to take the lead. There was enthusiastic agreement amongst all participants on the positive role of the CSC specification and its potential. There was also discussion about the need for mutual recognition between trust service providers, ensuring an equal level of confidence in using any individual trust provider if they are complying with the same set of standards.

It was also clear that CSC is perfectly poised to be an industry thought leader in this domain and should continue along its path of being the drivers of global standards and integration. In fact, regulators in India are already looking to see what CSC recommends and is referenced at as “the” standard. Although there is still a long way to go, as Vijay Kumar of eMudhra pointed out, ‘CSC can be a great forum to standardize this subject by bringing in best practices to be followed’.

A look at best practices in innovation and regulation in the ID verification space

Looking at the subject from an European perspective, Francesco Vetrano discussed Intesi Group’s journey from a formal identification (ID) procedure that was not responsive to customer needs, to a more market-oriented one that integrates ID providers from the public and private sectors. Through special agreements with the main ID providers in Europe, Intesi Group is able to reach a wide range of users by leveraging their existing digital identity, bypassing an additional authentication step, and allowing the user to sign more easily. As Francesco explains, ‘The electronic ID verification integrated in the signing flow allows any cloud signature provider to offer seamless access to electronic signatures to any citizen who already has got an eID with a public, private or corporate identity provider. The eSignature service is easier and for everyone. And that is our daily target in Intesi Group.’ Although any validation and modification needs to be notified to their supervisory body, Francesco said good communication is key. While Intesi Group may be flagged if there is non-compliance, they do not have any big regulatory issues due to daily interaction with the regulator. And while their supervisory body is open to innovation, change happens slowly, as they want to see how it is done elsewhere first.

Looking to Asia, eMudhra handles an extremely high volume of online ID verification as the largest service provider in India. Vijay said their daily customer acquisition rate reaches 5,000 users per day during the normal period and 10-15,000 per day during the peak season between September and October. On a global scale, eMudhra operates trust services in more than five countries under regulatory framework, and is globally accredited for general purposes, including signing, TLS, and SMIME. Having begun providing virtual identification since 2018, a successful transition that has proven helpful in pandemic times, has led to a six-step ID verification process. It consists of the submission of an online request and electronic documents by users, automated and human checks, electronic verifications, and online checks with the Business and Personal Tax Registries. Their regulatory process is governed by the Indian Information Technology Act, wherein the government regulator is proactive about implementing improvements in order to facilitate easy use for the public. This includes a system of legally valid identity vetting and electronic signature use, with re-verification required every two years.

Joining the discussion from South Africa, Carrie Peter discussed Impression Signatures layering and risk-based approach under South Africa’s Electronic Communications and Transactions Act. Impression Signatures innovates by taking an agile approach, meeting customer budgets and end users needs wherever they are, whether WhatsApp or “feature phones”. According to Carrie, ‘No single factor or process ensures that identity verification is accurate beyond doubt or error, even face-to-face verification can be compromised with enough effort and investment. It is only through layering of multiple controls, that a relying party can be reasonably assured that the accurate identification has taken place.’ Because South Africa has some challenges with facial biometrics due to racial biases, Impression Signatures has developed methods to use fingerprint verification to a very high level of certainty. Some facial recognition can also be used and is triangulated with document verification. Despite infrastructure challenges, Carrie said Impression Signatures is always complying with international standards and strives to achieve the highest level of security available.

Back in Europe, Ionut Florea spoke about certSIGN operating under eIDAS regulation, which sometimes limits their innovation potential. Methods of ID verification at the international level must provide equivalent assurance to physical verification, which can vary widely across Europe. Ionut finds that most supervisory bodies seem reluctant to accept much risk and, therefore, tend to avoid innovation, but he says that clear standards and legal framework are needed all over Europe. As a Qualified Trust Service Provider (QTSP), certSIGN adapts to whatever is allowed, using video wherever possible. certSIGN customers ask for a complete digital journey, from online onboarding for remote electronic signing to e-archiving, with COVID-19 accelerating the desire for these services. Due to current regulations, certSIGN has had to take a safer, more straightforward approach involving video ID solutions that can be tested and integrated into their QTSP system. However, they have planned for a more long-term approach of self-sovereign identity for businesses, in which each business will exist in its own silo and users will have full control over their identity data.

The roundtable showcased the great potential and importance of CSC, both now and into the future. As CSC President, Andrea Valle, commented, ‘The Identity Verification roundtable has been a great opportunity for many of us to discuss a very hot topic these days. With COVID-19 changing the way we run ordinary business, remote identification and electronic identity proofing are now essential to many online services that our community of members serves. We understood how critical it is from the great contributions from the presenters, and this is certainly going to inspire our technical work and our role as market drivers moving forward.’

Interested in hearing more or missed the roundtable the first time? CSC will be holding an external event on ID Verification on 3 December from 2-3:30pm. Register here.

By Venkatraman Srinivasan

In an era where change is happening at a rapid pace, humanity is adopting digital technologies constantly and we are more digitally present that we have ever been. Under these circumstances, the need for cloud signatures and their value in contributing to our lifestyle cannot be underestimated. This shift in humanity, powered by technology, has been happening in parallel and in a fragmented manner in different regions of the world giving rise to disparate technical frameworks and policies around cloud signatures.

Nonetheless, there is one element of commonality to be noted in the fact that the interest levels and consequent adoption of cloud signatures has grown across the world which, in itself, exposes an opportunity to promote standardization around the security, identity, and technology frameworks that power such signature methodologies. Europe, has undoubtedly come to the forefront by establishing what we know to be the first, comprehensive framework around the adoption of Cloud Signatures at all hierarchies (Government, Enterprise, Personal).

Within this framework, the Cloud Signature Consortium (CSC) is playing a significant role in bringing global entities together to drive thought leadership, and, thus, innovation around cloud signature standardization which can have a global impact. As a body made up of many members across almost all different geographic regions, CSC has a strong source of knowledge to drive effective outputs in the standards that are defined for EU and global consumption.

The aim of the advocacy committee of CSC is really to ensure that this cycle is completed in its entirety. It is to ensure that the outputs derived from the joint experience of the consortium members are methodically and actively propagated to other region specific PKI and cloud signature related forums, and the standards developed by CSC are actively adopted in an increasing number of regions across the world. It is to ensure that over time, for the benefit of humanity, we can drive a reasonably interoperable cloud signature ecosystem that makes cross border transactions seamless, and yet, secure.

The committee will aim to engage in collaborative relationships with region or country-specific bodies within the domain, and drive knowledge dissemination through sponsorships, events, and knowledge sessions with regulators and key industry enablers across the globe. Consequently, the knowledge gained from such endeavors will also guide CSC standards to understand varied considerations in arriving at relevant frameworks that can help us move one step closer to standardization.

With a general shift towards cloud adoption over the past few years and Covid-19 in effect, the need for signing through a digital medium, and furthermore, the need for cloud signatures has undoubtedly increased. Further, the impact of this technology on personal convenience has been felt first-hand whether by choice, or by circumstance. Even now, I feel that we are only at the beginning of the growth curve. Advocacy for standardization of cloud signature methodologies is essential to the effective progress and growth of the global cloud signature ecosystem and as a leading consortium of industry members, CSC is optimally placed to help weave the common thread across the different pins on the map.

Interested in joining the new CSC Advocacy committee? Premium and Executive members are eligible. Terms of Reference for the Advocacy Committee may be found here.

Please contact the Secretariat at info@cloudsignatureconsortium.org for more information.

Digital signature for Microsoft Office 365, Microsoft SharePoint 2016 and Microsoft SharePoint 2019

The qualified digital certificates issued by Trans Sped are now integrated with some of the most used software platforms in the world, in both public and private sector. Based on CSC standard, the integration is available for Microsoft Office 365, Microsoft SharePoint 2016 and Microsoft SharePoint 2019, allowing users to add trust and integrity to documents and communications.

This integration brings several benefits for our users: it speeds up the time for signing documents, simplifies the entire process and offers a unified experience across different file types. As Microsoft Office 365 is one of the most used software worldwide, it will be a major workflow improvement for both public and private sector employees. We are also a Microsoft authorized reseller and we can provide our clients with complete package and integrated solutions”, said Camelia Ivan, CEO Trans Sped.  

Trans Sped, with more than 16 years experience on the global market, provides eIDAS qualified digital certificates for electronic signature and cross– certified with SAFE–Identity. The company services comply with the European and North American standards, being one of the few EU TSP published on both Trusted Lists – EU and US.

We joined CSC several years ago. The CSC standard and technical specifications helped us and our clients with an easy integration with different software solutions, and also helped us to provide a great customer experience and increase the adoption of qualified digital certificates in the market”, said Camelia Ivan.

Trans Sped is a Trust Service Provider operating on Romanian market since 2004, offering since 2008 cloud-based qualified electronic signature on national and international market. Since 2019, Trans Sped has been certified in accordance with European Regulation eIDAS (910/2014) to perform certified video identification.