Local signing with smartcards just got a little easier

Posted by Liaquat Khan on 08-Feb-2016 13:35:58

Local signing with smartcards introduction

Local signing - i.e. where the signing key is held locally by the user on a Secure Signature Creation Device (SSCD), typically in the form of a tamper-resistant smartcard or USB token - had hit a serious roadblock in recent months.


To be completely honest, local signing has always had its difficulties. 

To start with, for web applications to connect with smartcards Java applets had to be downloaded into the user's browser. This was required because internet browsers had no default way of speaking with smartcards. 

Downloading these applets was always quite complex for the average user, with increasingly irritating pop-up messages warning about trusting applets and endless security holes requiring regular Java Runtime Environment (JRE) updates.

The user also needed a card reader, never handy when you actually needed one and especially hard when using a mobile device.  Finally, the expense of deploying all this tech, especially to a large number of users, was not for the faint-hearted.  

Of course, there were and still are many examples of large-scale smartcard use cases. These are primarily found in governments, the military and financial institutions - particularly where high security and non-repudiable trust in digital transactions is paramount, with user-friendliness and cost taking a back seat.

A classic example of this is the US Government's Personal Identity Verification (PIV) cards. These cards are used by all government employees and contractors for physical access to buildings, as well as logical access to systems (e.g. Windows log on) and document signing.

Latest hurdle

As if things were not hard enough already, smartcard users were thrown another hurdle recently with browser vendors dropping support for Java plugins. The underlying plugin technology is called NPAPI, and all browser plugins which use it are blocked, including Java.

Chrome was the first to do this late last year, Firefox will do it by the end of 2016, and Microsoft's new Edge browser did not even support it from the beginning. Even Oracle has now accepted that Java applets have had their day and will no longer be supplying Java plugins for browsers.

Where does this leave the poor end-user applications which require high-trust and rely on smartcard technology to deliver this?

There are a few options on the horizon, such as Web Crypto - a set of standards for browser functionality that would let browsers natively access smartcards. However, this still has some way to go before being implemented, and even longer before it becomes mainstream for signing documents using smartcards.

Introducing Ascertia's Go>Sign Desktop

Our immediate solution for local signing with smartcards is the release of our latest product, "Go>Sign Desktop". It offers the same functionality as our ADSS Go>Sign Applet, but has been converted into a small desktop application. It needs to be pre-installed on the user's machine.

Go>Sign Desktop can be invoked from the business application's web page using JavaScript. In most cases, existing business applications which use Go>Sign Applet won't need to make any code changes to integrate Go>Sign Desktop.

Go>Sign Desktop supports signing in all common formats, including PAdES, XAdES and CAdES long-term signature profiles.  It even supports smartcard-based key generation and certification with an online CA, if the smartcard needs to be personalised once provided to the user.

Go>Sign Desktop has been fully integrated with SigningHub v6.4 in its Cloud and Enterprise versions (available end of February 2016). This will enable SigningHub users to perform local signing using their smartcard/token without the need to download any applets.

Go>Sign Desktop can work with any browser and, although currently only supported on Windows, a macOS version is expected in the near future.

 



Conclusion

Although local signing using smartcards has always had its complexities, the recent move by the browser vendors to block Java browser plugins was a deathblow to some.

In certain high-security environments, the use of smartcard/USB tokens for signing is an essential requirement. To ease this, Ascertia has launched its Go>Sign Desktop application.

It allows any web application to get documents signed using smartcards/tokens without needing applets to be downloaded. Go>Sign Desktop has been integrated into SigningHub (Cloud and Enterprise versions) and will be available from the end of February 2016.

SigningHub also supports server-side signing for clients who want to do away with smartcards/tokens completely and manage user signing keys centrally in a secure HSM. An HSM ensures strong multi-factor user authentication before signing and provides detailed logging of all actions on the server.

 



 
