Monday, May 9, 2016

Trusted Digital Signatures

Our good friend Patrick Cormier, former CEO of the Canadian Centre for Court Technology and now Vice President for Business Development at Notarius, wrote a great piece on Digital Signatures that he has allowed us to re-post below.  I think you will find it interesting...

The Final Piece to (genuinely) Go Paperless: Trusted Digital Signatures

by Patrick Cormier, Vice President, Business Development, Notarius

It amazes me how information technology promised, decades ago, to herald a brave new world devoid of paper in the workplace and yet... Notwithstanding the "because it's 2016" argument to the contrary, we are, and we remain, very much flooded with paper in the workplace. Why is that so?

Whether it is in courts and tribunals, in municipalities and governments, in the banking and insurance sectors and, more generally, everywhere at work, there have been three final areas that resist digitization: official documents received, generated and archived. In other words, when the organization receives, produces or wants to keep documents which, because of their nature, have high reliability requirements, paper looks down on electronic documents in a snide manner: "My my, Mr. Paper, no way you can even think of being of the same value as beautiful me, with blue ink from my masters meshed with my fabric?! How dare you?!"

At Notarius, founded in 1998 by the Quebec Chamber of Notaries, we defined "document reliability" as having four facets: origin, integrity, authenticity and longevity. Whereas the first three such attributes are always properties of official documents, the fourth, longevity, is in play only for some documents requiring to be kept, read and authenticated over long periods of time. Document reliability must be distinguished from document security which is primarily concerned with confidentiality, integrity and availability.

I think that we have not witnessed a genuine digitization wave in the workplace because people are afraid that electronic documents (or information) do not possess sufficient reliability. Simply put, people don't trust electronic documents. And rightly so! Electronic documents, even PDFs, are too easily alterable. So how can this nut be cracked?

The answer is a 4-step thought process:
  1. Carefully define what document reliability ought to be (abstract its support medium). We propose document reliability to be all about certainty of origin (who signed? when - date and time? in some contexts - was the person an engineer? lawyer? CPA? etc.), integrity (being sure the document has not been altered since its creation), authenticity (everything required to prove origin and integrity is in the document so the document is not merely what's called by us fancy lawyers a "commencement of proof") and longevity (ability to open, read and verify the authenticity of a document for long periods of time). If that suits you, proceed to step 2;
  2. Assess what is the best information technology to maximize document reliability as defined above. I think there is little disagreement that some form of cryptography must bind the identity of the signer to a document and allow a reader to verify the integrity of the document. In information technology, that is achieved with digital signatures, which is basically a cryptography-super-charged electronic signature prohibiting a signer from saying "hey I never signed this!". Neat! So, digital signatures take care of origin, integrity and authenticity. They do nothing for longevity though... For that, we have the PDF/A standard to thank, an ISO standard promoting the longevity of documents. Therefore we have:

    Origin + Integrity + Authenticity + Longevity => Digital Signatures + PDF/A

    If you agree, proceed to step 3;
  3. Not all technology is created equal!! For example, I can, right now, create for myself an Adobe Self-Sign Digital Certificate and call myself Barack Trump. Or Donald Clinton. Or Justin Trudeau. Whatever. You see the point... Just saying "it's a digital signature" does not necessarily mean it can be relied upon. How to counter this? By requiring adherence to three criteria for digital signatures:

    signatures based on individual digital signature certificates + certified, audited and trusted Certification Authority (CA) + Strong emission and usage authentication methods

    All three criteria are necessary. If you miss one, you are not providing assurance levels that typically match those required by government authorities to secure, for example, documents filed in a land registry or electronic payment instructions sent to banks.

    What about PDF/A? Well, you also need PDF/A related assessment criteria:

    Ability to convert to PDF/A-1, -2 or -3 +
    Ability to verify compliance with the PDF/A standard

    Although the latter seems obvious, you'd be surprised how many software vendors offer the oh-so-reassuring message "The document declares being compliant with the PDF/A standard". Wow. I'm sure a lawyer wrote that one. Translated: "We are not sure if this document is compliant with the PDF/A standard. We either do not know how to check, do not care or want you to pay more for us to check this for you. Got it?".

    So, in short, step 3 is all about "not all technology is equal - set meaningful criteria in place - in relation to digital signatures and to PDF/A". Works for you? Onward to Step 4 then;
  4. Now it is time to shop. Get educated. Learn. And choose! Isn't this exciting? Now, armed with the thought framework developed in steps 1 to 3 (above), you are ready to dive into Information Technology and not be dazzled by slick UI/UX experiences. Oh... I should say this: UI = User Interface and UX = User Experience, for the non-tech-savvy-like-me-not-too-long-ago. In a blatant disregard for any conflict of interest, I do encourage you to start your journey with this down-to-earth and short (2-3 mins) Notarius video: Digital Signatures: Your Trusted Solution for Official Documents. We have it in French too: La signature numérique: gage de confiance pour vos documents officiels.
Want to read more? You were sitting at the front of your class, weren't you? ;) ...Then onward you shall go to the Notarius Foundation series of articles or the Série Les fondements, should la langue de Molière be your thing (as it is for me). Enjoy and remember, the budget will balance itself out.
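Steps 2 and 3 above make one technical claim worth seeing in working code: signature mathematics alone proves integrity, and the certificate behind it proves origin only when a trusted Certification Authority vouches for the name inside it. The following Go program is an added example written for this re-post; it is not code from Mr. Cormier's article or from Notarius. It uses only the Go standard library to set up a hypothetical CA ("Example Trusted CA"), a signer it certified ("Alice Tremblay"), and an impostor with a self-signed certificate naming "Barack Trump", then signs one constructed sample document with each and checks the results. All names, the sample document text and the choice of ECDSA P-256 with SHA-256 are assumptions for the demonstration; a real PDF signature (PAdES/CMS) carries more than this models, such as timestamps and revocation data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signedDoc is what a relying party gets: bytes, a signature over their SHA-256 digest, and the signer's certificate.
type signedDoc struct {
	content []byte
	sig     []byte
	cert    *x509.Certificate
}

// must keeps the setup short; a production verifier would return these errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for subject. With parent == nil it is self-signed, which
// is all an "Adobe self-sign" certificate is: anyone can mint one with any name in it.
func newCert(subject string, ku x509.KeyUsage, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		BasicConstraintsValid: true,
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// sign hashes the content and signs the digest with the key the certificate vouches for.
func sign(content []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) *signedDoc {
	digest := sha256.Sum256(content)
	return &signedDoc{content: content, cert: cert,
		sig: must(ecdsa.SignASN1(rand.Reader, key, digest[:]))}
}

// checkIntegrity answers only "was the document altered after signing?". It passes for
// any key that matches the embedded certificate, a self-signed impostor's included.
func checkIntegrity(d *signedDoc) error {
	if err := d.cert.CheckSignature(x509.ECDSAWithSHA256, d.content, d.sig); err != nil {
		return fmt.Errorf("integrity failure: %w", err)
	}
	return nil
}

// verify is the reliability check the article asks for: integrity, then origin. Origin requires
// the certificate to chain to a CA this relying party trusts; only then does its subject name mean anything.
func verify(d *signedDoc, roots *x509.CertPool) (string, error) {
	if err := checkIntegrity(d); err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := d.cert.Verify(opts); err != nil {
		return "", fmt.Errorf("origin failure: %w", err)
	}
	return d.cert.Subject.CommonName, nil
}

// buildScenario creates a hypothetical trusted CA, a signer it certified and an impostor with a
// self-signed certificate, signs one constructed sample document with each, and returns the trust
// store, the CA-backed signed document and the self-signed one (all names are assumptions).
func buildScenario() (*x509.CertPool, *signedDoc, *signedDoc) {
	doc := []byte("Deed of sale, lot 1234, signed 2016-05-09") // constructed sample
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	impostorKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := newCert("Example Trusted CA", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, caKey, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots,
		sign(doc, signerKey, newCert("Alice Tremblay", x509.KeyUsageDigitalSignature, signerKey, ca, caKey)),
		sign(doc, impostorKey, newCert("Barack Trump", x509.KeyUsageDigitalSignature, impostorKey, nil, nil))
}

func main() {
	roots, caSigned, selfSigned := buildScenario()
	fmt.Println(verify(caSigned, roots))    // Alice Tremblay <nil>
	fmt.Println(checkIntegrity(selfSigned)) // <nil>: the signature math checks out...
	fmt.Println(verify(selfSigned, roots))  // ...but origin fails: certificate signed by unknown authority
	altered := &signedDoc{content: []byte("Deed of sale, lot 4321, signed 2016-05-09"), sig: caSigned.sig, cert: caSigned.cert}
	fmt.Println(verify(altered, roots)) // integrity failure
}
```

The third line of `main` is the point of step 3: the impostor's signature is mathematically valid, so a tool that stops at "it's a digital signature" accepts the name "Barack Trump"; only the chain check against a deliberately small trust store rejects it. The trust store is the policy decision a relying party makes, which is why the article insists on a certified, audited CA rather than on the signature format alone.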

1 comment:

  1. Great post.
    I like this blog and way of writing. It is fully informative and useful.
    Court Reporter Fayetteville