Local signing with smartcards just got a little easier!

Posted by Liaquat Khan on 08-Feb-2016 13:35:58


Local signing  - i.e. where the signing key is held locally by the user on a Secure Signature Creation Device (SSCD) typically in the form of a tamper-resistant smartcard or USB token - had hit a serious roadblock in recent months.  

Local Signing with SmartCard

Well to be honest local signing has always had its difficulties. To start with for web applications to connect with these smartcards required Java applets to be downloaded into the user's browser - because internet browsers had no default way of speaking with smartcards.  Downloading of these applets was always quite complex for the average user with increasingly irritating pop-up messages warning about trusting of applets and the endless security holes requiring regular Java Runtime Environment (JRE) updates. The user also needed a card reader, never handy when you actually needed one and especially hard when using a mobile device.  Finally, the expense of deploying all this tech, especially to a large number of users, was not for the faint-hearted.  

Having said all that, of course, there were and are still many examples of large-scale smartcard use cases, mostly by governments, military and financial institutes - particularly where high security and non-reputable trust in digital transactions is paramount, with user-friendliness and cost taking a back seat. A classic example of this is the US Gov Personal Identity Verification (PIV) cards, which are used by all government employees and contractors for both physical access to buildings as well as logical access to systems (e.g. Windows logon) and document signing.

Latest Hurdle

So if things were not hard enough already, smartcard users were thrown another hurdle recently with browser vendors dropping support for Java plugins (actual plugin technology is called NPAPI, and all browser plugins which use this are blocked including Java). Chrome was the first to do this late last year, FireFox will do it by the end of 2016, and Microsoft's new browser Edge did not even support it from the beginning!  Even Oracle has now accepted that Java applets have had their day and will no longer be supplying Java plugins for browsers

So where does this leave the poor end-user applications which needed high-trust and relied on smartcard technology to deliver this? There are a few options on the horizon like Web Crypto - a set of standards for browser functionality such that they can natively access smartcards - however this still has some way to go before becoming implemented and even longer before mainstream for signing documents using smartcards.

Ascertia Solution - introducing "Go>Sign Desktop"

Our immediate solution to this problem is the release of our new product called "Go>Sign Desktop".  This is the same functionality as our ADSS Go>Sign Applet, but converted into a small desktop application which is pre-installed on the user's machine.  It can be invoked from the business application's web page using JavaScript and in most cases existing business applications which use Go>Sign Applet don't even need to make any changes in their code to integrate Go>Sign Desktop.

Go>Sign Desktop supports signing according to all common formats, including PAdES, XAdES and CAdES long-term signature profiles.  It even supports smartcard-based key generation and certification with an online CA if the smartcard needs to be personalised once provided to the user.

Go>Sign Desktop has been fully integrated with SigningHub v6.4 in both its Cloud and Enterprise versions (available end of February 2016) so that SigningHub users can now perform local signing using their smartcard/token without the need to download any applets.

Go>Sign Desktop can work with any browser and although currently only supported on Windows, a MacOS version is expected in the near future.  For further information or to book a demo;

Contact Us Today



Although local signing using smartcards has always had its complexities, the recent news by the browser vendors to block Java browser plugins was a deathblow to some.  In certain high-security environments the use of smartcard/USB tokens for signing is an essential requirement and to ease this Ascertia has launched its Go>Sign Desktop application - this allows any web application to get documents signed using smartcards/tokens without needing applets to be downloaded.  Go>Sign Desktop has been integrated into SigningHub (Cloud and Enterprise versions) and will be available from end of February 2016. 

SigningHub also supports server-side signing for those clients who want to do away with smartcards/tokens completely and manage user signing keys centrally in a secure HSM with strong multi-factor user authentication before signing and detailed logging of all actions on the server.



Recent Posts

Download this essential eBook

Choosing the right type of e-signature
for your business

Download your eBook