Digital Signatures at the Edge

By Larry Kluger posted 03-13-2014 07:54


…the “network edge,” that is. In other words, what is the best way to digitally sign documents from mobile devices, tablets, and web browsers?

The original technical idea for digital signatures envisioned each signer having their own personal hardware device, a “Smart Card,” that would contain the signer’s private key. But in practice, the smart card idea doesn’t work very well, especially these days.

Smart cards need to be plugged into a computer. But people want (and need) to sign on the go. Mobile phones and tablets typically don’t support Smart Card readers. Alternatives such as USB tokens also have limitations. In either case, issuing, replacing, canceling and managing hardware-based tokens have high administrative costs.

Suppose the signer’s key were kept on the edge device itself? That doesn’t work well either. Because of their intrinsic properties, web browsers cannot be used for secure cryptographic operations such as digital signatures. This approach would also need to work across Apple, Android and other mobile operating systems. Today’s world is BYOD—you’ll either be limiting people’s choices or trying to solve a very expensive and complicated problem.

The answer? Centralization. Just as your mail server centrally manages your email, use a centralized signing appliance to manage your private keys and sign your documents.

The centralized appliance approach solves multiple problems:

  • Enables signing at the edge—the signer uses a mobile phone, tablet or web browser to sign by sending a signing request to the signature appliance. As part of the process, the signer authenticates to the appliance, using a username/password, a one-time password, two-factor authentication, or other techniques.
  • Lowers the administrative costs of a digital signature system. The signing appliance can synchronize with Active Directory or LDAP to automatically create or cancel digital certificates when signers join or leave the organization.
  • Enables better security. Since signing credentials are stored centrally, they are always under control, and since no Smart Cards are used, there are none to be lost or stolen.
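As an added illustration of the request flow just described (example code, not from the post or from any signing product), here is a minimal model of a central signing appliance in Go: the private keys stay on the appliance, the edge client sends only a document digest together with a credential, and only the public key and the signature ever travel outward. The credential check is a constructed stand-in for the username/password, one-time password or two-factor authentication the post mentions; the signer name and sample document are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Appliance is the central signing service: it holds every signer's private key and the keys never leave it.
type Appliance struct {
	keys  map[string]ed25519.PrivateKey
	creds map[string][]byte // simplified stand-in for the name/password, OTP or 2FA check
	audit []string          // every signing decision is recorded centrally
}
func NewAppliance() *Appliance {
	return &Appliance{keys: map[string]ed25519.PrivateKey{}, creds: map[string][]byte{}}
}
// Enroll creates a key pair when a signer joins (what AD/LDAP sync would trigger) and returns only the public half.
func (a *Appliance) Enroll(signer string, cred []byte) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	a.keys[signer], a.creds[signer] = priv, cred
	return pub
}
// Revoke deletes the key when a signer leaves; later requests in that name are refused.
func (a *Appliance) Revoke(signer string) { delete(a.keys, signer); delete(a.creds, signer) }
// Sign handles one edge request: the client sends only the document digest plus its credential; a wrong credential or a revoked key yields no signature.
func (a *Appliance) Sign(signer string, cred []byte, digest [32]byte) ([]byte, error) {
	priv, ok := a.keys[signer]
	if !ok || subtle.ConstantTimeCompare(cred, a.creds[signer]) != 1 {
		a.audit = append(a.audit, "refused: "+signer)
		return nil, errors.New("authentication failed or signer not enrolled")
	}
	a.audit = append(a.audit, "signed: "+signer)
	return ed25519.Sign(priv, digest[:]), nil
}
// Verify is what any relying party runs; it needs only the signer's public key.
func Verify(pub ed25519.PublicKey, document, sig []byte) bool {
	d := sha256.Sum256(document)
	return ed25519.Verify(pub, d[:], sig)
}
func main() {
	a := NewAppliance()
	pub := a.Enroll("alice", []byte("otp-493201")) // constructed sample credential
	doc := []byte("constructed sample purchase order")
	sig, err := a.Sign("alice", []byte("otp-493201"), sha256.Sum256(doc))
	fmt.Println(err, Verify(pub, doc, sig), Verify(pub, []byte("altered"), sig), a.audit)
}
```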

My thanks to the hundreds of people who signed up for my webinar yesterday on “SharePoint Workflows + Digital Signatures: No more paper, Fast ROI.” If you’d like to watch the webinar or just view the slides, please see the AIIM Webinars On Demand page. The webinar will be posted there in the next day or two.

I’ll be answering some of the questions raised by the webinar’s participants in my next post.

Photo credit: ccharmon

