ADSS Signing Service Overview
The purpose of the Signing Service module is to apply digital signatures to electronic documents. The ADSS Server Signing Service can be used to sign documents in three different ways: on demand server-side signing, on demand client-side signing (zero footprint signing), and watched folder signing using the Auto File Processor (AFP) client application. The three modes are discussed briefly below:
On Demand Server-Side Signing
This mode is characterized by the fact that documents are digitally signed at the ADSS Server. The workflow is as follows:

Note that ADSS Server can manage multiple signing keys and certificates, so the Signing Service can sign documents using unique keys for multiple corporate or individual end-users. Also note that the signature may be attached (as shown), embedded (e.g. inside a PDF) or detached (i.e. the signature exists on its own, separate from the original document).
For example, the client application may be a web application responsible for registering Internet-based end customers and generating their keys/certificates using the ADSS Certification Service (explained in the section ADSS Server - Certification Service). Subsequently these customers can sign documents using the ADSS Signing Service with their unique keys held on the ADSS Server. The following illustration explains this workflow:
The following workflow description explains the process shown in the diagram above.
This is just one example of a possible workflow – the ADSS Server is flexible enough to support multiple business workflow scenarios.
In both use cases above (i.e. corporate signing and end-user signing), the ADSS Signing Service supports PDF-based signatures, PKCS#7 / CMS and XML DigSig signatures. The ADSS Signing Service can also optionally embed a cryptographic timestamp issued by an external Time Stamp Authority (TSA) to independently prove the exact time of signing. It is also possible for the ADSS Signing Service to embed an OCSP Validation Authority response to create an ETSI AdES long-term signature (this proves that the signer's certificate was valid at the time of signing). CRL-based revocation information can also be embedded by the ADSS Signing Service, although this is only recommended if the CRLs are small, as otherwise the document size will become bloated by the embedded CRL.
The ADSS Signing Service request/response protocol schema is described in the ADSS Developer Guide. Client application developers can build their own web service call handlers, or use the Java or C# client wrappers provided by Ascertia.
On Demand Client-Side Signing (Zero Footprint Signing)
This mode of operation is characterised by the fact that end-users hold their signing keys locally, within the Windows key store or perhaps on smartcards or USB secure tokens, and wish to use these keys and certificates to sign documents on their desktop systems. The Ascertia Go>Sign applet has been created specifically to allow such end-users to sign documents without requiring any signing software to be installed on the client-side machine. In such cases the ADSS Signing Service is called upon to produce a hash of the document to be signed; the hash value is then signed by the Go>Sign applet within the customer's browser environment, so the private key never leaves the client. The ADSS Signing Service receives the signed hash value and embeds it back into the document to form the final signed document. The following diagram illustrates this process:
The process above is only a high-level representation of the workflow and there can be variations. Ascertia also provides a range of applets for different business scenarios, including one for hashing, signing and assembling document signatures locally without requiring the ADSS Server. Ascertia can also provide a version of the Go>Sign applet which allows PDF documents to be viewed locally within the secure applet viewer. Furthermore, Ascertia can provide a version of the Go>Sign applet which uses roaming credentials (i.e. a secure key container delivered to the applet from the ADSS Server) to provide the ability to sign from any machine without the need for a physical smartcard/token. For more details regarding the different Go>Sign applet versions, please contact info@ascertia.com.
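The three-step split described above (server hashes, client signs the hash, server verifies and assembles) as an added illustration; this is example code, not Ascertia's Go>Sign or ADSS code, and it uses an in-memory RSA key and a constructed detached-signature structure in place of a smartcard key and the real PDF/CMS formats. The check in the assembly step is the point: the server must verify the returned signed hash against the document and the signer's public key before embedding it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is a constructed detached-signature bundle: the original
// bytes stay unchanged and the signature is stored alongside them.
type SignedDocument struct {
	Document  []byte
	Digest    [32]byte
	Signature []byte
}

// serverHash is step one: the server computes the document digest and sends
// only the digest to the browser; the document itself need not leave the server.
func serverHash(doc []byte) [32]byte { return sha256.Sum256(doc) }

// clientSign is step two: the client signs the received digest with its locally
// held key (an in-memory RSA key stands in for a smartcard or key-store key).
func clientSign(key *rsa.PrivateKey, digest [32]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// serverAssemble is step three: before embedding, the server recomputes the
// digest and verifies the returned signature against the signer's public key,
// so a signature over a different digest or from a different key is rejected.
func serverAssemble(doc []byte, pub *rsa.PublicKey, sig []byte) (*SignedDocument, error) {
	digest := serverHash(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signed hash does not match document: %w", err)
	}
	return &SignedDocument{Document: doc, Digest: digest, Signature: sig}, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample document to be signed")
	sig, _ := clientSign(key, serverHash(doc))
	_, err := serverAssemble(doc, &key.PublicKey, sig)
	fmt.Println("original accepted:", err == nil)
	_, err = serverAssemble(append(doc, '!'), &key.PublicKey, sig)
	fmt.Println("tampered rejected:", err != nil)
}
```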
Watched Folder Signing - Using the Auto File Processor (AFP) Client Application
For more details on the ADSS AFP application, please see the separate manual for this product. Please note the supported signature formats are PDF signatures, PKCS#7/CMS and XML DigSig. For PKCS#7/CMS and XML DigSig you can select whether the signature should be "enveloping" or "detached". ADSS Server can also produce long-term signatures with embedded cryptographic timestamps and OCSP/CRL revocation information.