Electronic Signature Legality for Product Management in UAE

How to eSign a document: electronic signature legality for Product Management in UAE

everybody was hoping that people would use their certificates all the time to sign but actually very few did and that's because this is all quite complex and very often usability is not in the and in the first focus so that's that's one of the things I'll discuss today I've start with a with a quote which has protection in security are only valuable if they do not cramped life excessively and that applies really well here to these picky I mean to us PTI and crypto remains complex but what about all the others who are not there in this room who understand very little and who who have a hard time getting to understand what what a certificate if and what is a signature evaluated when it derives from from a cryptogram then they understand very little another result how many of you have actually signed a document electronically to so I can see yeah probably one half and how many have actually old house or sign a contract with a bank on line three four yeah maybe ten and I mean we are here with I we all take Heath but if we go to the outside world then that's that's even less and that's one of the main problem I mean if if PGI and digital signature were big and we were wouldn't be renting here we would be at a city hall in in the centre of Stockholm and our companies would be twenty times bigger and that's not the case we're not the Facebook or Google or or or anything like that where we're all much small organizations because it it never picked up it never picked up to the extent that it could have so here in this presentation before introducing the IRA's topic I'll discuss about signatures and each signatures so the challenges the drivers and how the market is at the moment and and I'll introduce a I'd us and and why these beasts actually come in the European Union and and see how a possible use case for for finding documents online or signing data online so let's start with with a signature so many eggs or a government have digitalization on their agenda so in most cases when you start your experience online then you have in my area so what do you do typically so you start your brother and you you you go to the my re airport you enter some credential and your name password you have access to certain documents and and then you will agree with a with a solution provider on the content that you want to commit to and in most cases nowadays I mean even even now then you have to get back offline so you print that document and then you send it using standard means which is very often both so if you after you open a bank account even if you want to open a savings account then very few banks offer the possibility to have this made electronically even though you have been identified beforehand and and you could be doing that why is that so you reach a dead end and and you have only to accept terms and condition that you do for instance with most merchants so you have very little binding on from a legal standpoint which means you accept some terms which are quite obscure but you don't have any legally binding commitment from your end so it's quite weak so the end to end digital journey is not much longer but you can actually act upon it act upon a transaction or a document and digitalize the experience end to end so from the point where you actually have your your your document you created you would approve it and you commit to it with a digital signature and that's allow you to actually immediately act upon it as if you would have the person in front of you face to face and that that happened really very little so summarizing the the main driver for eSignatures or digital signatures so basically one of the main driver we see with with banks or a government is they want to digitalize a process end to end - in order to save costs and in order to to actually be able to offer more compelling user experience to their customers so gain time save cost do not go using regular mail and offer a streamline experience do they use it and one of the things which is of extreme importance online as if you have a certain level of stress it needs to be as secure and as binding as in the legacy world with with offline processes and the only instrument at this moment which allows you t to actually reach his level is a quality qualified electronic signatures which from from a legal standpoint is equivalent to handwritten one another aspect which eggs have to comply against as non-repudiation and that will we'll touch upon that later it's it's a broad term which is very easy to define but very hard to demonstrate and from other drivers around each signatures in security many banks and government online have started introducing to FA and to e failures is great and it increased security tremendously but it has some quite a few shortcomings in the sense that it is not legally binding it doesn't allow you to actually keep your data well to have some integrity and the data that you commit to and it is very difficult to to implement in a way that allow you to to leverage existing technology such as smart house and other so it's difficult to plug it in to intuit and and the industry has actually industry that actually sells to FA I mean it's logical simple technology compared with PGI but it has a significant market share at the moment which speaking I never managed to grasp so now let's let's get back to two signatures in general when you sign in I mean if we conduct a transaction and we we set up an agreement the signature is the result of that it's a formal way to commit it's a kind of ceremony and how do I transpose online this ceremony where I want to convey trust and and that is actually user friendly so assuming we set up some new business together and and we have some for instance an NDA then typically this is a document which materialized the trust I have in a certain business partner and I need to reflect that online and it's difficult to actually achieve if you dematerialize everything then sometimes you lose the truest worthy part or the user-friendly part because people do not necessarily recognize the data that they have committed to so here is in that's the signature of and in that case it's really a ceremony it's orchestrated and and you need to actually consider that when building a signing experience online because you need to convey this trust and our time I mean signature has evolved at first people would just sign on a on a piece of stone and all the time there have been some hero cliff walk sale will use in medieval time and hand signature become very popular lately in the early 20th century appeared the the real not arrests and and then we had some ething each of had which most people hate because I don't recognize anything here it's it's just and it's not a signature from not a digital signature at least and you also had laser on some smart cards by finding which never really picked up in in the great public and there is new technology which sounds more promising at the moment its central signing which we will discuss later so why do people need to sign electronically what are the main main drivers so the first is if you go online then you have threat and you have a lot of commitment from from your organization so basically banks really need a signatures at the moment from for different reasons first is compliant then there are a bunch of regulators who want you to demonstrate a new creation so the European Central Bank came with his concept of non repudiation of omission and non repudiation of origin so many actually impose that people for the banking experience to not only have authentication but it needs to be context specific like the Singapore Monetary Authority am so-called math or in Hong Kong also it's mandated to actually use contact based authentication and not a generic authentication that it was before the second driver is probably the cost part because if you have your bank online then it needs to be paperless so you need to digitalize and offer an end-to-end process another part is security while strong authentication is known for not being able to resist man-in-the-middle attacks so most many of the middle attacks if you have two FA s I mean you're very vulnerable so you need to have a stronger way to to authenticate your user for in a specific context and last but not least you have some rapid technology switch including which something actually killed smart cards online almost instantly I mean this is the end of the year Java applets so Java applets can no longer be you so it's very difficult as part of a browsing experience to connect a smart card to your device because if you if you use a plate before then the fact that they are being phased out by most browser including Chrome Mozilla and the others make it very very very difficult for you to use the smart cards in addition the number of devices that actually come with with an embedded smart card is very low so I mean if I take this device or that device none of them can actually support smart car natively so it's it's very costly to actually wash a smart card and support a smart card for a user so you end up very easily with with 20 bucks per user which is a lot of money for any signature method especially considering that you have already spent probably 10 bucks for the authentication part before so what not leverage at I have tooth right here on unknown repudiation which where we differentiate two things well it's it's not it's not it's actually the European Central Bank which the non-repudiation of origin is is a link to actually say I did a transaction and the non-repudiation of omission binds that to a certain data set so not only did I do a transaction at that time but that transaction was I sent 50 euro to Thomas and not 50 euro to Magnus or add me and and the possibility to actually demonstrate that lies actually in different environments so first the bank would need to demonstrate that actually I authenticated Thomas that he has visualized a transaction and not something else that I have received an executed operation on on his behalf and that I can actually provide the logs and tamper-evident logs to actually demonstrate that this effectively happened at his point in time and that it thomas was effectively behind his pc and that's in a nutshell so as defining an RFC non-repudiation is a service providing protection against false denial of involvement in a in a given communication and that's critical to to make these signatures a success and that's what our founders created in what you see what you signed her so this concept is still a bit and touch because it's it's difficult to to actually achieve this level and then be able to to prove to someone that what he has actually signed is what he had seen on the screen that there has not been any malware that has modified it so that's what I I said with with my example earlier and so II think it should I've mentioned are are not really catching up at the moment what Ang's do man most banks have invested million in authentication s but very few actually have an e banking relationship which is fully digitalized so many have used card PAP readers mobile otps and tan lists and a new name it and the government have made also their own initiative some use certificates on smart cards some use pretty much nothing and have a low level of security but basically no one went to the step where they say well let's try to leverage that to actually deliver these signatures and most advanced countries here are probably in Scandinavia as you have national schemes in in Denmark in in Norway in Sweden you have also some schemes quite popular it looks on board in Austria but these are I would say the first there's a big countries have not moved yet you don't have such a scheme in in Germany or in France or in the UK or not to mention the US or other countries a very little effort have been put into ething matures and eating issues that are visible and understandable for the users the use cases are egg I mean it we speaking of a big market so between two guys that will actually want to have a contract but it can also be internet banking it can be also in the health industry that you have some some contract it can be also with with the local community value or your line registry so the the market is certainly not mature for eSignatures and one of the reason for that was the lack of standards so now let's look at E is well many people come and ask so why do we have a new framework we had a European directive before and this European directive has certain standard especially for certificate service providers one of the reason for Eid us to actually emerge is that it was a directive and a directive is is a recommendation from the peon Commission to implement certain procedures so that was transpose international law and every country almost had its little twist and say well that's all great I respect the spirit of of the directive but uh yeah we will make it a little bit stronger in our country because we can do it better and at the end it it's really contra productive because what's recognizers secure in one country is not recognized as secure in another country well if I if I print and have a contract I I clean it out I sign turned our science we're in two different countries and it's not even question whether this paper is valid or not so it should be the same in an electronic way so that's why the European Commission started and said well we will do and some new a new legal framework that allow us to have this same level even though many countries have a different understanding so they came with this ers regulation that actually repeals the directive meaning that the directive is no longer valid and the regulation has been implemented in 2000 in in July it's it's effective now and that's a framework that you you need to use in addition with repealing the directive they also came up with additional standards to regulate in in other areas so but the main part are e Ida's means E I D plus authentication and signatures so emerges to environment while the first version of the directive were more was more oriented toward certificate issuance stuff like and stamping validation or or signature was very poorly regulated all the regulation was very small concentric and that has changed so so basically the goal is to offer a common trust service framework that every you citizen can can understand but because the EU is complicated there I mean that even a slide that they made to illustrate I mean I have read it many times but I don't find it very easy to understand either so I like this better the electronic services regulate electronic signature electronic seals time-stamping delivery services and website authentication and it defines certain assurance level so that's what E is is about regulating how our services are to be delivered so now let's look at the text it's I'm afraid it's 40 pages long so I just made a summary here so how how do you deliver to a services in compliance with the IRAs so I've mentioned it's a regulation which is much more powerful than a directive because governments do not have the Liberty to actually make some twists and changes they have to take it one to one and they have to implement it into national law otherwise they can be kicked out of the European Union together with the UK and and that's another important part for for actually providing a comment rest framework so how do you actually launch a choice service which is compliance with with the unite us so what the European Commission has made is that it has issued the regulation and the members they need to transport it international though the actual regulation comes with some implementing Act which is the kind of methodology for actually or it makes reference to very specific standards that people must follow the member state needs to appoint a supervisory body and there's a pervade every body is here to audit the trust service provider and the trust service provider then provides services to citizens and at the end of the process when the conformity assessment body says yes you're signing service to provide our qualified then you can put your your you actually become part of a trust list so and they have uses mark which people can use to actually make sure that everybody anywhere in the European Union can recognize that other the mark of trust on the EU level so now how how do I deliver signatures I can still continue to use smart cards if I want to but there are other techniques that that actually can be more user-friendly and that can bring better usability and one of the standard which which krypton ethic has been working on for for quite some time is the idea of having central signing and central signing is basically you safe-deposit your key in in a secure environment which is an HSM and you keep so control over you key using two-factor authentication techniques so it has the advantage that you don't need to carry around your smart card you safe deposit it in in a secure environment as you do it actually for your cash because when you have a bank then typically you own a certain amount of money but the administration is delegated to the bank so we actually do the same not with cash but with your private key because it's very difficult to keep private key secure because you're not a security expert so this was - in sposed in in some requirements on a signature generation service provider site which is the standard for 192 41 which has actually emerged so that's at for the signing part the identification of the user hasn't changed dramatically there has been new standards written but it hasn't changed really the way people are identified so on the certificate service issuance part so with with a CSP then the standard is three one nine four one - - which is very much like the the older one so what do people need to do in practice to ensure that they have these peaceful control so basically previously there was some part of the directive at the directive is repealed there is some new text and this new text is is described here in annex 2 that the private key can only be used by the owner so that's us to summarize it so how do you do that actually in practice you do that with having a so-called sick component that speaks to to a remote signature server so we you will establish a secure communication channel which starts from the client and which would terminate inside the hsm so this is what we will describe later and you would actually authenticate that signatory using some so-called signature activation data which would make a link to the user to the document that he is about to sign and and that user have a key identifier to make sure that I sign with a certain policy because you can sign with potentially different policies depending on the assurance level that you want to provide so as part of this entire ecosystem some new standards and out of the standards that I will refer to then not all of them has been enforced on on the European Commission level because the implementing act to actually regulate this is still not published but as the regulation is out you can already start issuing qualified electronic signatures based on central signing so looking at four one nine two four one of what I was explaining earlier so you will have a component which is on the browser side which would actually have a direct communication channel and inside the temporary gated environment and I know here there are HSN providers like UT McGoohan and entire life here in the room would provide such HSN's that allow you to actually execute in a temper evident environment some thermo extension so to make it short for those of you who are be technicals and pkc I said eleven is not enough to to actually have this secure communication channel you need to have some part which is executed inside the environment to ensure that an attacker that would even have access to the server would not be able to see the data that you assign and would not be able to pretend that the signature author signatures indication data was approved and validated so in fact you unlock your key with your secure authentication data based on credentials that you possess so I think that that might become a little a technical big spin in regards to authentication one of the nice thing with with a new regulation is that you can leverage existing authentication techniques which means the cost of deployment can be reduced dramatically I mentioned earlier that if you deploy smart cards just for the cost of hardware and provisioning that hardware to the user you very often are in the in the 20 euro area for qualified and here with central signing you fool - yeah maybe a few euros per user and you can reuse the authentication technique which he has though from a user experience perspective it doesn't change much so he has a possibility to visualise and he would approve a document using the that he has been using all the time so which means you can use your existing probably sam'l compatible identity provider to provide a sam'l assertion to first login and then to authorize some authentication data and that comes very handy because it's it's an ecosystem where you change the environment not so much and the user experience is also well accepted because it's based on what he has been done been doing all the time what he has in addition is a legally binding signature method so let's look at now how how crypto Masek implemented it in in in the solution so you typically have you know domains here where as a new business application provider user and your your your twist party and I've mentioned you have your pikia in the background it's almost invisible to the user so you save deposit your key and and you approve it using two-factor authentication techniques so in essence you have in your choice enter you add some some new stuff so this is stuff you have already you have your h-e-b CA you have your application provider with with with a web server and you have a user who would connect using different methods should it be with a browser with an app or or with a native application running on his his PC or Mac so and that's we will offer different integration mechanism for these different environments so should it be with a broader app a mobile app or desktop in addition we provide so-called what you see what you sign server what it does is that either input you get some data to be sign and of output then you have your sign data so the way it works is that you start your experience from your application provider and when you reach a point when you want to commit to certain data then some JavaScript library started which allow you to actually have a so-called what you see what you sign client where you can visualize your data and interact with that so from a workflow perspective and it allows you to have the so-called certificate of the fly if you want to which can be either a short-term certificate or long-term one so you have your egb here running in the background and the user would log in and instantly assuming he has been identified previously than the credentials are pushed and the certificate request is is raised push to the eg BCA certificate gets back and is ready to be used and it's actually using the signing process which I have shown here it's a it's very very small and I guess you can't really read it but typically you start with your driving application that the DA here you have the data that you actually need to sign to actually be able to sign a little later and in this process and this protocol allows you to have what we call a a loop of trust between three components so a human you have you need to start your loop of trust somewhere and that somewhere is typically when you upload or when the doctor the application provider would prepare document what was the application provider wants to ensure he wants to ensure that the user have actually visualized the transaction before committing to it and he also wants to ensure that the all the provisions of the European VI disregulation have been met that the sole control channels that I mentioned earlier is actually reached so to actually do that then the receiver server would start to render the document present the document to the user and initiate the signature workflow with the with the HSN so the hsm here is a the sign up because it's a part that actually control it so in a nutshell you ensure that the ADA to be signed is effectively visualized by the user and approved by that user using means under his sole control and you could also provide an extensive audit trail to ensure on the new affiliation of origin because you have the user and of a mission and which actually leverages two-factor authentication techniques and at the same time with this ecosystem then you're also able to mitigate attacks so many the middle attacks man in the browser attacks and reverse engineering attacks to ensure that you have your user authenticated so as input data to be signed as output sine data the rest of the user experience remains unchanged that's it I wanted to also potentially show you how it works in a in a real life demo if you I think I'm probably a bit over time but so here we emulated a so called crypto bank website who wants to actually digitalize a banking experience and I authenticate here using a new authentication technique which we call here unique pics which uses a pattern noise of your camera device so we we have three image processing techniques used to to do that so here i authenticate with my phone which has been previously registered I capture that frame that frame is analyzed we extract the paranoid compare it with a reference one and I have a proof of possession of my device and I can actually go and sign documents so here I go in a in a signing platform and I see here that I have multiple document that would be ready to be to be signed I click on view and sign and I start here my what you see what we signed client which renders a document so I can see and browse for different pages I don't know choose a standard adobe reader or any reader you provided by the browser because this one cannot be trusted I click here and I look at the content first page second page oh yes certificate of partnership with prime key that's so great so I use unique pics of the authentication method and here I will be able to authenticate my my request so I start here in in video mode I don't know if you can see that so here I look for frame and as look as soon as the frame is is captured and it is sent and will be useful for signatures so here I used an old challenge because I signed it earlier so I will see I need to start it again but typically I have my the authentication data already inside the the app to look so I will start again click start and I can find my document which was here because I have some time out as well and one of the nice thing here that you actually take a picture of what the user has seen so you have these what you see what you sign experience by default which is which can be also be used in in litigation cases so now it's it's been signed in the backend in in our server in Denmark and one could actually open up and visualize a signature using an adobe reader and verify that it has actually been in sign like here so I can see here the signature panel so that's an embodiment here of all the what what ERF can brings you so you can have very simple method to to sign online with no additional hardware no additional authentication technique and reach a qualified level and one of the advantages is that you can leverage your existing environment you can leverage the jeebies here you can leverage your authentication method and you can plug in your your business process so that signatures can really become an enabler and that's one of the key things which was which was missed earlier being able to have qualified cannot be an objective it's only a min to an end so the end is is a business process thank you do you guys have any questions to that have you given any thought to how to sign a paper document electronically sign something that been printed on paper and electronically upload it and get that signed yes there have been some I mean you you you II think the truth will not replace traditional signatures and you need to have an organization that I can actually live with both environment so you have some actually work also on Etsy and CN standards to be able to scan and sign and transpose a signature typically it's you would seal but has been signed earlier because in the sense here if you if the user has signed in you know with a wet signature then you will not ask him to sign again you have to consider the signature already valid so you capture the document with a signature and you witness somehow with a seal and the seal can be qualified that this was actually done using secure in a secure fashion thank you