GlobalSign Blog

20 Mar 2018

Building Digital Signatures into Document Platforms – Don’t DIY, Take It to the Cloud

Regulations like eIDAS, FDA CFR 21 Part 11, and US state architecture and engineering requirements are putting a spotlight on the need for trust and identity in electronic transactions. As a result, the demand for trusted, high assurance digital signatures has never been higher and companies are turning to, and expecting, their document workflow or digital transaction management providers to offer this capability directly within their existing platforms.

The customers want Trusted Digital Signatures; the service providers want to provide them…but how to do it? If you are building a solution for banks or credit statements, loan or mortgage agreements, HR onboarding, clinical trials or pharmaceuticals, auto rentals and loans, school transcripts, or any other business application that needs Document Signing as part of its workflow, then this post is for you.

For years, the most common option for adding digital signatures into a document platform was to piece together the complex cryptographic components you’d need and basically build the integration in-house. Those components include:

  • The signing certificates – issued to the verified signers’ identities, these are used to apply the signature.
  • Revocation services (e.g. OCSP, CRL) – these check the status/validity of the signing certificates
  • Timestamping services – rather than relying on the local system clock, a third party timestamp can be embedded in the signature to provide greater assurance about when the signature was actually applied. This is not technically required to apply a digital signature, but is often needed to meet industry, legal or other regulatory compliance.
  • Cryptographic hardware  - (usually hardware security modules [HSMs] either located and maintained on-premises or hosted by a third party) for storing and protecting the private keys of the signers.
  • Staff with cryptographic and PKI expertise - to set up and maintain the integrations and hardware.

Each of these components would need to be separately sourced with separate API calls back to your platform each time a signature is applied (see example diagram below). Sounds fun, right? Especially considering the amount of cryptographic knowledge needed to set this up. For simplicity’s sake, I’ll refer to this scenario as an “HSM deployment” from here out.

Example of integrations required for an HSM-based digital signature deployment.

For comparison, say you want a new bookshelf for your home office. You can go out and buy lumber and hardware, research plans for the design you want, figure out how to use the required tools, and build it yourself. Yes, you get your bookshelf in the end and it serves its purpose, but how much time did you lose setting it up? What if something breaks or you want to add another shelf in the future? You’d be back to the drawing board.

What if instead you could get your bookshelf delivered almost fully constructed, minimal assembly required (and actual minimal assembly, not IKEA-level assembly), with a guarantee to fix anything that breaks and the ability to expand if needed? And, you don’t need to be a master carpenter to set it up.  That option might be worth investigating, right?

Coming back to our digital signatures scenario, a cloud-based service can deliver all the components you need to easily deploy digital signatures in your platform without any upfront hardware investment or complex development, while also providing scalability and flexibility and assuring compliance and security. GlobalSign’s new Digital Signing Service (DSS) does exactly this – providing everything you need to integrate digital signatures with one REST API call. There is no need to separately source and set up individual integrations for everything back to your platform. We are truly changing how to enable digital signature capabilities in any workflow offering.

Simplified example of integration required for a cloud-based signing service deployment.

In addition to greatly simplifying the integration between the cryptographic components and your platform, which saves internal development resources and eliminates the need for internal PKI expertise, our cloud-based DSS also:

  • Offers greater flexibility with signing identities – generally only organization or department level identities (e.g. Accounting, Finance) are supported with HSM deployments. DSS supports individual identities as well so employees or customers can sign in their own names.
  • Allows for future growth and scaling – separately sourced deployments may require additional HSM partitions and configuration if you need to expand in the future. With DSS, the solution scales with you so expansion is easy.
  • Removes the responsibility of private key management from the service provider – with HSM deployments, the service provider is responsible for sourcing private key management. This generally means investing in and maintaining on-premises HSMs (with back-up) or finding a cloud HSM provider and complex integrations back to the platform. DSS handles this with the REST API, no internal resources required.
  • Ensures high availability by default – HSM deployments would require additional, redundant HSM investment
  • Keeps you in line with the latest best practices/baseline requirements - As trust programs (e.g. Adobe Approved Trust List [AATL]) update their requirements, new regulations come into effect, or HSM vendors release new hardware and firmware, you can rely on GlobalSign to update its Digital Signing Service and keep you in compliance with minimal development investment on your end

The value of integrating digital signatures into your document platform is clear – make it easy for your customers to add trusted, compliant signatures to their workflows – but you shouldn’t have to be a PKI or crypto expert to be able to do so. The Digital Signing Service makes digital signature integrations easy so you can focus your time and efforts on your core offerings.

Have questions about integrating digital signatures into your service? Contact us today. You can also learn more about the Digital Signing Service in action in our new case study - DocuFirst Integrates GlobalSign Digital Signing Service into Paperless Loan Software to Enable Secure End-to-end Document Workflows.

Or if you’re attending RSA in San Francisco next month, stop by our booth S-1715 to learn about our Digital Signing Service in person!

Share this Post

Connect with us

fb_icontw_iconin_icon