By Elisa Van Ruiten
On 16 October 2020, the Cloud Signature Consortium hosted a member-only virtual roundtable: ID Verification: How to meet customer needs & tackle regulatory challenges? The event was moderated by John Jolliffe, Senior Manager of Strategic Development, Document Cloud at Adobe, and the international panel featured four CSC members, whose companies are innovating in the field of identity verification: Francesco Vetrano of Intesi Group in Italy, Vijay Kumar of eMudhra in India, Carrie Peter of Impression Signatures in South Africa, and Ionut Florea of certSIGN in Romania. In addition to innovation, they each spoke about the challenges they face, sharing insights and best practices from around the globe, and the role CSC can play going forward.
Opportunities for CSC leadership
As a growing association in an evolving field, CSC has many opportunities to take the lead. There was enthusiastic agreement amongst all participants on the positive role of the CSC specification and its potential. There was also discussion about the need for mutual recognition between trust service providers, ensuring an equal level of confidence in using any individual trust provider if they are complying with the same set of standards.
It was also clear that CSC is perfectly poised to be an industry thought leader in this domain and should continue along its path of being the drivers of global standards and integration. In fact, regulators in India are already looking to see what CSC recommends and is referenced at as “the” standard. Although there is still a long way to go, as Vijay Kumar of eMudhra pointed out, ‘CSC can be a great forum to standardize this subject by bringing in best practices to be followed’.
A look at best practices in innovation and regulation in the ID verification space
Looking at the subject from an European perspective, Francesco Vetrano discussed Intesi Group’s journey from a formal identification (ID) procedure that was not responsive to customer needs, to a more market-oriented one that integrates ID providers from the public and private sectors. Through special agreements with the main ID providers in Europe, Intesi Group is able to reach a wide range of users by leveraging their existing digital identity, bypassing an additional authentication step, and allowing the user to sign more easily. As Francesco explains, ‘The electronic ID verification integrated in the signing flow allows any cloud signature provider to offer seamless access to electronic signatures to any citizen who already has got an eID with a public, private or corporate identity provider. The eSignature service is easier and for everyone. And that is our daily target in Intesi Group.’ Although any validation and modification needs to be notified to their supervisory body, Francesco said good communication is key. While Intesi Group may be flagged if there is non-compliance, they do not have any big regulatory issues due to daily interaction with the regulator. And while their supervisory body is open to innovation, change happens slowly, as they want to see how it is done elsewhere first.
Looking to Asia, eMudhra handles an extremely high volume of online ID verification as the largest service provider in India. Vijay said their daily customer acquisition rate reaches 5,000 users per day during the normal period and 10-15,000 per day during the peak season between September and October. On a global scale, eMudhra operates trust services in more than five countries under regulatory framework, and is globally accredited for general purposes, including signing, TLS, and SMIME. Having begun providing virtual identification since 2018, a successful transition that has proven helpful in pandemic times, has led to a six-step ID verification process. It consists of the submission of an online request and electronic documents by users, automated and human checks, electronic verifications, and online checks with the Business and Personal Tax Registries. Their regulatory process is governed by the Indian Information Technology Act, wherein the government regulator is proactive about implementing improvements in order to facilitate easy use for the public. This includes a system of legally valid identity vetting and electronic signature use, with re-verification required every two years.
Joining the discussion from South Africa, Carrie Peter discussed Impression Signatures layering and risk-based approach under South Africa’s Electronic Communications and Transactions Act. Impression Signatures innovates by taking an agile approach, meeting customer budgets and end users needs wherever they are, whether WhatsApp or “feature phones”. According to Carrie, ‘No single factor or process ensures that identity verification is accurate beyond doubt or error, even face-to-face verification can be compromised with enough effort and investment. It is only through layering of multiple controls, that a relying party can be reasonably assured that the accurate identification has taken place.’ Because South Africa has some challenges with facial biometrics due to racial biases, Impression Signatures has developed methods to use fingerprint verification to a very high level of certainty. Some facial recognition can also be used and is triangulated with document verification. Despite infrastructure challenges, Carrie said Impression Signatures is always complying with international standards and strives to achieve the highest level of security available.
Back in Europe, Ionut Florea spoke about certSIGN operating under eIDAS regulation, which sometimes limits their innovation potential. Methods of ID verification at the international level must provide equivalent assurance to physical verification, which can vary widely across Europe. Ionut finds that most supervisory bodies seem reluctant to accept much risk and, therefore, tend to avoid innovation, but he says that clear standards and legal framework are needed all over Europe. As a Qualified Trust Service Provider (QTSP), certSIGN adapts to whatever is allowed, using video wherever possible. certSIGN customers ask for a complete digital journey, from online onboarding for remote electronic signing to e-archiving, with COVID-19 accelerating the desire for these services. Due to current regulations, certSIGN has had to take a safer, more straightforward approach involving video ID solutions that can be tested and integrated into their QTSP system. However, they have planned for a more long-term approach of self-sovereign identity for businesses, in which each business will exist in its own silo and users will have full control over their identity data.
The roundtable showcased the great potential and importance of CSC, both now and into the future. As CSC President, Andrea Valle, commented, ‘The Identity Verification roundtable has been a great opportunity for many of us to discuss a very hot topic these days. With COVID-19 changing the way we run ordinary business, remote identification and electronic identity proofing are now essential to many online services that our community of members serves. We understood how critical it is from the great contributions from the presenters, and this is certainly going to inspire our technical work and our role as market drivers moving forward.’
Interested in hearing more or missed the roundtable the first time? CSC will be holding an external event on ID Verification on 3 December from 2-3:30pm. Register here.
By Venkatraman Srinivasan
In an era where change is happening at a rapid pace, humanity is adopting digital technologies constantly and we are more digitally present that we have ever been. Under these circumstances, the need for cloud signatures and their value in contributing to our lifestyle cannot be underestimated. This shift in humanity, powered by technology, has been happening in parallel and in a fragmented manner in different regions of the world giving rise to disparate technical frameworks and policies around cloud signatures.
Nonetheless, there is one element of commonality to be noted in the fact that the interest levels and consequent adoption of cloud signatures has grown across the world which, in itself, exposes an opportunity to promote standardization around the security, identity, and technology frameworks that power such signature methodologies. Europe, has undoubtedly come to the forefront by establishing what we know to be the first, comprehensive framework around the adoption of Cloud Signatures at all hierarchies (Government, Enterprise, Personal).
Within this framework, the Cloud Signature Consortium (CSC) is playing a significant role in bringing global entities together to drive thought leadership, and, thus, innovation around cloud signature standardization which can have a global impact. As a body made up of many members across almost all different geographic regions, CSC has a strong source of knowledge to drive effective outputs in the standards that are defined for EU and global consumption.
The aim of the advocacy committee of CSC is really to ensure that this cycle is completed in its entirety. It is to ensure that the outputs derived from the joint experience of the consortium members are methodically and actively propagated to other region specific PKI and cloud signature related forums, and the standards developed by CSC are actively adopted in an increasing number of regions across the world. It is to ensure that over time, for the benefit of humanity, we can drive a reasonably interoperable cloud signature ecosystem that makes cross border transactions seamless, and yet, secure.
The committee will aim to engage in collaborative relationships with region or country-specific bodies within the domain, and drive knowledge dissemination through sponsorships, events, and knowledge sessions with regulators and key industry enablers across the globe. Consequently, the knowledge gained from such endeavors will also guide CSC standards to understand varied considerations in arriving at relevant frameworks that can help us move one step closer to standardization.
With a general shift towards cloud adoption over the past few years and Covid-19 in effect, the need for signing through a digital medium, and furthermore, the need for cloud signatures has undoubtedly increased. Further, the impact of this technology on personal convenience has been felt first-hand whether by choice, or by circumstance. Even now, I feel that we are only at the beginning of the growth curve. Advocacy for standardization of cloud signature methodologies is essential to the effective progress and growth of the global cloud signature ecosystem and as a leading consortium of industry members, CSC is optimally placed to help weave the common thread across the different pins on the map.
Interested in joining the new CSC Advocacy committee? Premium and Executive members are eligible. Terms of Reference for the Advocacy Committee may be found here.
Please contact the Secretariat at email@example.com for more information.
Digital signature for Microsoft Office 365, Microsoft SharePoint 2016 and Microsoft SharePoint 2019
The qualified digital certificates issued by Trans Sped are now integrated with some of the most used software platforms in the world, in both public and private sector. Based on CSC standard, the integration is available for Microsoft Office 365, Microsoft SharePoint 2016 and Microsoft SharePoint 2019, allowing users to add trust and integrity to documents and communications.
”This integration brings several benefits for our users: it speeds up the time for signing documents, simplifies the entire process and offers a unified experience across different file types. As Microsoft Office 365 is one of the most used software worldwide, it will be a major workflow improvement for both public and private sector employees. We are also a Microsoft authorized reseller and we can provide our clients with complete package and integrated solutions”, said Camelia Ivan, CEO Trans Sped.
Trans Sped, with more than 16 years experience on the global market, provides eIDAS qualified digital certificates for electronic signature and cross– certified with SAFE–Identity. The company services comply with the European and North American standards, being one of the few EU TSP published on both Trusted Lists – EU and US.
”We joined CSC several years ago. The CSC standard and technical specifications helped us and our clients with an easy integration with different software solutions, and also helped us to provide a great customer experience and increase the adoption of qualified digital certificates in the market”, said Camelia Ivan.
Trans Sped is a Trust Service Provider operating on Romanian market since 2004, offering since 2008 cloud-based qualified electronic signature on national and international market. Since 2019, Trans Sped has been certified in accordance with European Regulation eIDAS (910/2014) to perform certified video identification.
As a CSC member, Ascertia works with other CSC members to create a standard API to integrate the essential components of a remote signature solution among different service providers and consumers.
This enables Ascertia to provide solutions that comply with CSC standards for remote signing, opening doors for high-trust remote signing globally.
Ascertia works with Trust Service Providers (TSPs) and Qualified Trust Service Providers (QTSPs) to power their remote signing services and is committed to developing easy to use, flexible high-trust digital signature solutions to enable the widespread adoption of remote signing.
Ascertia has championed remote signing for years, but its business benefits have become clearer this year than any other before.
For any business, especially those operating cross-border, face-to-face meetings appear unlikely for some time. However, business must continue and security should not be compromised when signing contracts. This is where remote signing demonstrates its value.
In order to provide high-trust remote signing, a secure, PKI-based signing solution is required. When signing remotely, a signer’s credentials must be indelibly linked to the signature and provide assurance of the validity of the signature for years to come.
Where PKI based local signing (smartcards/tokens) requires a card reader or additional hardware to authorise a signer’s credentials and signature, remote signing enables signing from any device, anywhere.
With no need for an additional signing device, remote signing is a quick, easy high trust signing solution for consumers and businesses. eIDAS supports the use of Qualified Remote Signatures, the highest trust level of signatures in Europe.
Ascertia was the first organisation to deliver a Common Criteria EN 419 241-2 Certified Qualified Signature Creation Device (QSCD). This includes an embedded Hardware Security Module (HSM) for cryptographic processing and key management, independently certified under Common Criteria EAL4+ Protection Profile EN 419 221-5.
This technology assures Trust Service Providers (TSPs) and their customers that signatures are compliant with the latest standards, non-reputable and legally the same as a paper and ink signed document.
Ascertia’s solutions comply with the latest CSC standard API implementation and Ascertia works with many Trust Service Providers and Remote Signing Service Providers (RSSPs) to power their high-trust remote signing solutions.
Get in touch if you would like to discover more about our high-trust remote signing solutions.
Andrea Valle was invited to a panel of experts at the Cybersecurity Symposium organized by Keio University in Japan to talk about CSC’s contribution to “Mutual recognition of Trust Services
Please find the contribution of Andrea Valle at 27:14 : here
The first CSC members from the Maghreb region , Agence Nationale de Certification Electronique – TunTrust is a government-owned certificate authority of Tunisia. TunTrust is a leading actor in building trust in the online environment at national level. TunTrust provides trust services for public and private entities and individuals in accordance with the ETSI and the Webtrust requirements.
Evidos stands for Evidence in Online Services and is a market leader in providing digital signature and digital identity solutions. The company has already for 20 years been involved in contributing to the digital identity eco-system and offering cloud services for digital identification and signing. Evidos founder, Kick Willemse, was involved in many standardisation groups, like international board member of the OpenID foundation and eIDAS.
We look forward working together with our two new members and by coming from different spectrums of the sector, TunTrust and Evidos will undoubtably provide valuable insights and expertise to develop the consortium further and increase its global reach.