Unlock the Power of Digital Signature Licitness for Administration in Mexico

How to eSign a document: digital signature licitness for Administration in Mexico

[Music] hi my name is nilkamal thyagi and i work at sectigo as a senior product manager i welcome you to our first ever identity first security summit in this short presentation i will walk you through some basic concepts related to digital signatures so before delving into digital signatures let us first understand what a signature is and also look at some common terminology associated with signatures a signature is basically a symbolic artifact made by an individual on an instrument such as a document to signify knowledge approval acceptance or obligation of the individual towards the instrument this individual is often a natural person and is referred to as the signee or signer or signatory but the signee could also be a legal entity such as a corporation in this case the person administering the signature is considered to be legally authorized to sign on behalf of the legal entity the signature is usually in the form of the signer's name nickname or a mark that the signer writes on documents as proof of identity and intent signatures created by hand using a written device such as a pen on a physical document are often referred to as wet signatures this is one of the oldest forms of signatures that has been used since ancient times and continue to be used in the present-day world wet signatures are given the highest legal standing in the court of law and are thus the most widely used and accepted forms of signatures having looked at the basic definition and terminology associated with traditional signatures let us now turn our focus to what are referred to as electronic signatures an electronic signature as the name signifies is basically a signature in electronic form which means at the end of the day it is a series of bytes attached to a digital document there are various standards and regulations around the world that govern the laws around creation and usage of electronic signatures for example in the eu we have the e i dash regulation and in usa we have nist's digital signature standard or dss and we have several other standards in different countries around the world electronic signatures usually have the same legal standing as handwritten signatures however the degree of their authenticity and assurance to serve as proof of identity of the signer varies depending on the level of sophistication and security built into them creation of basic electronic signatures at the minimum requires three things firstly it requires a physical computing device such as a laptop or computer or a smart mobile device on which an electronic document can be edited secondly it requires a document signing application or service that allows the signer to create his or her signature and embed it into the document lastly it requires the signer who either physically or remotely accesses the document and uses the document signing application or service to electronically sign the document more advanced forms of electronic signatures require some additional resources as we'll see in a moment electronic signatures can be broadly divided into two types these are standard electronic signatures and digital electronic signatures standard electronic signatures are the simplest forms of eSignatures a signer could simply type his or her name into the document or could draw a signature using a stylus on a touchscreen device such as a tabloid or smartphone and embed the same into the document the signer could even click a picture of their wet signature and paste that picture or for that matter any other picture into a document for it to be considered an electronic signature basically any random combination of letters symbols pictures audio or even video could be chosen by the signer as his or her standard electronic signature these signatures often help productivity users such as signatories in offices who need to sign documents in bulk speed up their operations as they eliminate the need for frequently taking hard copy printouts of documents signing them and scanning them back to get the signed soft copy the disadvantage however is that these signatures are easy to forge because they do not possess enough security safeguards that prevent them from being copied and misused by bad actors digital signatures are electronic signatures that require a digital certificate for their creation a digital document signing certificate is a cryptographic artifact that uniquely identifies the signer to which it belongs digital signature thus provides a stronger proof of identity of the signer through their underlying digital certificate in addition to that if the contents of a document are altered after it has been signed the document signing and verification application can easily detect the change and thus the integrity of signed documents is assured digital signatures can also include a time stamp which stores the exact date and time when the document was signed into the digital signature itself this keeps the signatures valid even after the digital certificate used for the signature has expired digital signatures are further classified into two types namely advanced signatures and qualified signatures while both of these signature types are considered to be strong qualified signatures are the strongest forms of digital signatures as they are created using specialized signature creation devices sectigo is a world-renowned ca that is both on adobe's approved trusted list as well as on eu trusted list of qualified trust service providers is a digital certificate as explained previously it is a cryptographic artifact used to uniquely identify an individual in terms of its composition a digital document signing certificate mainly comprises of the signers public key the signer's first and last name and optionally other information such as email id organization name job title etc digital certificates may be self-signed or issued by a ca if the certificate is issued by a ca the ca signature is attached to the certificate digital certificates follow the x.509 standard that defines its structure the permissible users of the certificate are included in the key usage or extended key usage fields of the certificate if a certificate is to be used for document signing the same is specified by its key usage field so let us understand how digital signatures work the entire mechanism can be divided into two parts the first part is referred to as the signing process and the second is called the verification process in the signing process a signer signs a document whereas in the verification process a signature attached to a document is verified for genuineness this is achieved by using an asymmetric key pair that belongs to the signer this key pair comprises of two keys namely the signer's private key and its corresponding public key the private key and the public key are cryptographically related to each other such that any data encrypted by one of them can only be decrypted by the other and vice versa this special relationship of these two keys forms the basis for signing and verification operations in the context of digital signatures the private key as the name suggests is kept secret by the signer and is never disclosed to or shared with anyone else as explained in the diagram the signing process takes the document as input and generates its hash value using a hashing algorithm such as sha256 a document and its hash value have a unique one-way relationship such that the same document will always generate the exact same hash value and the slightest change in the document will generate a different hash value this hash value is then encrypted using the signer's private key to produce an encrypted hash value for the given document this encrypted hash coupled with the digital certificate of the signer which comprises of the signer's public key constitutes the digital signature of the signer for the given document when this signature is attached to the document the document is referred to as a signed document now let us see how assigned documents integrity and validity of the signer's identity is verified by a receiver of the document this is done using the verification process wherein the encrypted hash value is taken from the signature attached to the document and it is decrypted using the signer's public key found inside the digital certificate which is also part of the signature in addition to this the hash value of the document is calculated again and this freshly calculated hash value is compared with the decrypted hash value if the two hash values match it means encrypted hash value was produced using the signer's private key since the signer is the only one who possesses his or her private key this proves that the document was signed by the signer also since the original hash value of the document extracted from its signature matches the hash value freshly generated from the received document it proves that the document has not been altered in any way during transit thus the integrity of the document is also confirmed later this year sectigo is coming up with an exciting new cloud-based remote document signing solution that enterprises can use at scale to procure and manage digital document signing certificates for their employees the schematic on this slide describes the high-level workflow for this service this service coupled with cloud-based document signing applications such as adobe sign gives a comprehensive all-in-one solution that not only allows enterprises to manage the procurement and distribution of document signing certificates among their employees from a centralized cloud-based web portal hosted by sectigo but it also allows signers within the enterprise to sign documents anytime and anywhere through the internet using their digital certificates stored securely in the cloud to use this service for certificate management and signing there are two broad use cases that have to be executed in order firstly a designated administrator from the enterprise such as a security officer or id manager who is typically responsible for management of digital certificates used within the enterprise is required to create an account on sectigo's new certificate management portal once the account is created the administrator can subscribe to the document signing module within this portal and procure the required number of digital document signing certificate licenses for employees of the enterprise as part of this procurement process the enterprise undergoes a thorough validation performed by saktigo to verify the identity of its organization once the organization validation is completed successfully the administrator can authorize signers identified by their email ids for issuance of digital certificate against the procured licenses actual issuance of certificate to an authorized signer takes place when the signer tries to sign a document for the first time if an employee leaves the organization the administrator can unauthorize this employee which leads to revocation of any digital certificate issued to this departing employee all certificates are stored within the cloud in highly secured and certified hardware security modules that are compliant with ei-das regulation the second use case is the signing process which begins with the signing applications such as adobe sign allowing a sender of a document to define the signing workflow which comprises of an ordered list of email ids of individuals who need to sign the document or in other words the list of signers once the sender creates and triggers this workflow the signing application sends email notifications to each signer in the given order requesting them to sign the document when a signer opens the email notification received from the signing application it shows him a link which when clicked opens the document in a browser window on the signers computing or mobile device the signing application then guides the signer step by step to place his digital signature in the document in doing so the signer is given a choice of selecting a certificate provider from a list of certificate providers pre-configured within the signing application as soon as the signer selects saktigo from this list the signing application sends a signing request comprising of the document's hash and the signer's email id to sectigo's remote signing service the signing service does three things it first authenticates the signer secondly checks if the signer has been authorized by the enterprise admin for issuance of digital certificate if both these conditions are met in the third step a digital certificate is readily issued to the signer during issuance the signer is asked to create a pin that should be remembered and kept secret by the signer as it will be required every time the signer signs a document using the issued digital certificate in the future the certificate thus issued is stored in the certificate repository of the signing service and stays there until it is either revoked or until it expires all future signing requests from this signer as long as he or she remains authorized by the administrator lead to their certificate being accessed by the signing service from this certificate repository without going through the issuance exercise again the signer's authentication could be performed by the enterprise's own identity provider if one is integrated with sections new certificate management portal if such an integration is not performed the signer will be required to create his or her user profile within sections certificate management portal and the signers email will be verified by sections portal during this process once the user profile is created authentication of the signer will be done by sectigo's certificate management portal by itself through this solution we remove a lot of overhead which enterprises have to otherwise perform in doing face-to-face validations of each employee with the certificate provider through this solution the enterprise uh keeps the responsibility of doing these face-to-face validations which are already being done as part of most enterprises hr processes wherein an employee background is thoroughly checked at the time of hiring the employee to summarize the key benefits of sectigo's document signing service for enterprise customers are as follows productivity users can save a lot of time and cost that otherwise goes in signing hard copy documents it eliminates the possibility of frauds by safeguarding the integrity of signed documents through digital signatures sectigo is a qualified trust service provider and offers digital certificates that are compliant with various security standards and regulations such as e-i-das the u.s electronic signature act and aatl it is a zero-touch solution where signers don't have to carry their private keys in usb s or worry about provisioning them within central signing servers within the enterprise their keys are securely stored in the cloud inside certified hardware security modules and their usage by the signing service for signing documents it's exclusively controlled by the signers who could be located anywhere in the world and they can connect anytime with the service where signing applications such as adobe sign over the internet using both laptops and mobile devices by virtue of being integrated with a popular signing application such as adobe sign the solution offers both electronic and digital signatures for signers it is thus an all-in-one solution that offers digital certificates centralized management of those certificates as well as signing workflow management capabilities with this we come to the end of this presentation i encourage you to reach out to us if you have further questions you can use the speak to us link that is found at the bottom of the left side panel of sectigo identity first security summit 2022 thank you for your time and attention [Music] you