Using eID for digital signatures and a paperless office

Source: eid.eesti.ee

Overview

In addition to authentication, the second main application area of the ID card and mobile ID is digital signing of documents. This enables savings by avoiding paper documents:

  • minimizing the need to meet for signing or post documents
  • sometimes increasing the speed of the signing process itself.

The main potential gain stems from the situation where an employee has to regularly print agreements and sign them together with a client: this process often takes a lot of time. Digital signatures make it possible to send the agreement to the client; the employee does not need to wait until the client reads the document, signs, etc. Additionally, eID enables a simple and convenient way to encrypt documents, which is important for emailing confidential materials.

For the wider uptake of digitally signed documents it is highly important to consider different usage scenarios, find suitable cases for digital signing and decide upon the document management / archiving issues. In most cases there is no need to design and implement specialized software: the existing and widely used software suites for eID cover the needs of most use cases.

For details, see an application example: SEB paperless office


The goals

When we speak about digital documents in this guide, we really mean digitally signed documents, not just documents-as-files. The ordinary goals of using digital documents are the following:

  • Eliminating the need to either meet just for signing or to send documents via paper mail, thus eliminating significant waste of time.
  • Minimizing the time spent to regularly physically sign large amounts of documents.
  • Minimizing the amount of time spent on storing or archiving documents.
  • Protecting from falsifications: digital signatures cannot be faked.
  • Creating the possibility to make arbitrary authentic, verifiable copies of a document.
  • Encrypting the document to make it unreadable for third parties.

Depending on the concrete business needs, in different situations some of these goals may be more important than others. In some scenarios it may turn out that none of these goals are very important and the drawbacks explained later will negate the possible gains.

The solutions

There are several ways to implement digital signing. However, in normal cases it makes sense to use wide-spread standard solutions: we skip the need for development work, avoid additional costs and avoid the need to regularly update our solutions.

Standard solutions for digital signatures

In normal cases the sensible standard solutions for eID are as follows:

  • Use the freely available desktop application DigiDoc, downloadable from the web page https://installer.id.ee/ . The DigiDoc application implements the full set of necessary functionalities: digitally signing with both an ID card and Mobile ID, verifying existing signatures, encrypting a file for a concrete addressee, decrypting. The DigiDoc application is available for Windows, (Mac) OS X and Ubuntu Linux. Installing the DigiDoc application on other Linux distributions may fail or turn out to be fairly complex. There exists an analogous DigiDoc app for both Android and iOS: find it in Google Play or the App Store.
  • Sign documents using a web browser and a portal https://www.dokobit.com/en . The portal enables the user to sign documents with both an ID card and a Mobile ID, to verify signatures and to distribute documents to other parties for signing. The last functionality is very convenient in case the document must be signed by a large number of people. As an alternative to https://www.dokobit.com/en one can use the portal https://id.signwise.me/ with a somewhat different functionality and cost.
  • Use the portal http://eesti.ee ("Minu asjad" from the upper menu and then "Minu dokumendid" from the left menu).
  • Use a special digital stamp of an organization, suitable for automatically signing massive amounts of documents. The digital stamp can be purchased from a certification authority (AS Sertifitseerimiskeskus in Estonia). The stamp can be obtained on a special device: it is not stored on an ID card. As said, the stamp is particularly useful in case the number of documents to be signed regularly is high and each document must be in a separate container. To facilitate convenient use of the digital stamp there exists a special application TempelPlus. For example, using TempelPlus you can skip entering PIN2 for each new document.

Observe that digital signing is not entirely free. There is a restriction of ten free signatures per month, in both the DigiDoc application and the https://www.dokobit.com/en and https://id.signwise.me/ portals. The signatures given during internet banking do not count towards these ten free signatures. In case there arises a need to give more signatures per month, you have to sign an agreement and pay a monthly fee, see the pricelist.

As an important exception, the http://eesti.ee portal does not have a restriction on the number of free signatures per month.

Custom solutions for digital signatures

The need for custom solutions may arise in a situation where an organisation has a very large number of clients who have to regularly sign documents created by the organisation. Banks are a prime example of this category. Digital signatures are used by internet banking to confirm payments on the web, and some banks (currently SEB) use digital signatures in offices to sign various agreements.

In normal cases the organization does not need to install special hardware for custom signing solutions, although there are exceptions: for serving a large number of clients in offices it may be beneficial to install additional touch-sensitive screens and PIN-pad-equipped smart card readers. Such hardware makes it easier for clients to create, check and sign a document together with a clerk.

In contrast to using standard solutions described before, developing custom solutions for digital signing involves a rather significant amount of work. Before embarking on the development path, it is highly important to analyze and compare possible gains to estimated development costs. In particular, consider the following:

  • An implementation using an ID card differs significantly from an implementation using a mobile ID.
  • Digitally signing with a desktop application differs from digitally signing via a browser.
  • Several old ID-card libraries, utilities and guides are available on the web: take care to use only new and supported libraries and utilities.

In order to implement a custom solution, you have to use existing libraries or command line utilities as the core of your application. As mentioned before, there exist numerous different libraries/utilities/guides for both the ID card and the mobile ID: however, the majority of these are out of date and thus not recommended for new developments. The main reason: the ID card infrastructure itself is regularly updated, in particular, new file formats not supported by old tools are being introduced.

Considering libraries: we strongly recommend using the libraries and guides from the page, in particular, the newest version of the Java library digidoc4j or the C++ library libdigidocpp.

Quite possibly the easiest way to use the library is via the provided command line utility. See the chapter "Utility program overview" in the document http://open-eid.github.io/digidoc4j/ and the chapter "Libdigidocpp utility program" http://open-eid.github.io/libdigidocpp/manual.html#utility .

As for development guides and examples, we recommend to check out the following:

Archiving digital documents

Inevitably the digital documents have to be stored, searched for, backed up etc: in other words they have to be archived and managed. All this is inevitable regardless of whether we use standard or custom solutions for digital signing.

While designing the archiving procedures we have to consider a need to manage paper documents in parallel to digital documents. Two separate document management systems are less convenient to use than a single system. In other words, it is a good idea to manage both paper documents and digital documents in the same system.

A simple approach is to register the location and main meta-information of each paper document in the same system, just as for a digital document, using, for example, a small meta-info file for each paper document.

In case a management system of paper documents has been already introduced in the organisation, it is probably easiest - assuming it is technically possible - to add management of digital documents to the same system.

While considering possible solutions, try to understand whether existing and already used software is also suitable for managing digital documents, or whether standard procedures for managing and backing up files are perhaps suitable for digital documents as well.

The following approaches are worth considering:

  • Keep digital documents as ordinary files in the file system, grouping them chronologically into folders (by year or by month) and encoding critical metainformation - like the name of the client - into the file name. This approach is suitable in case the number of digital documents is relatively small.
  • Keep and manage digital documents in a CRM-system, attached/grouped by clients.
  • Use a special e-mail account for digital documents: everybody sends all digital documents to this email along with a small accompanying letter containing crucial metainformation.
  • Use an existing specialized archiving software.
  • Develop custom archiving software for your organization.

For all these approaches we assume that backup copies are made regularly.
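A sketch of the first approach (plain files, grouped by year and month, client name encoded in the file name), added here as an example and not taken from this guide or from the DigiDoc software. It assumes the containers are BDOC 2.1 / ASiC-E ZIP files; the function names and the sample container are constructed for illustration, and the code checks only the container layout, so signature validity still has to be verified with DigiDoc or a supported library.

```python
import hashlib
import io
import re
import zipfile
from datetime import date
from pathlib import PurePosixPath

# Mimetype of BDOC 2.1 / ASiC-E containers (from the format, not from this guide)
ASIC_E_MIMETYPE = b"application/vnd.etsi.asic-e+zip"

def safe_component(text):
    """Reduce free text such as a client name to a token safe inside a file name."""
    return re.sub(r"[\W_]+", "-", text).strip("-") or "unknown"

def inspect_container(data):
    """Return (data_files, signature_count); raise ValueError if not a BDOC/ASiC-E ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "mimetype" not in names or zf.read("mimetype").strip() != ASIC_E_MIMETYPE:
                raise ValueError("not an ASiC-E/BDOC container")
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP container") from exc
    sigs = [n for n in names if re.fullmatch(r"META-INF/.*signatures.*\.xml", n)]
    docs = [n for n in names if n != "mimetype" and not n.startswith("META-INF/")]
    return docs, len(sigs)

def archive_entry(data, client, signed_on):
    """Build the archive path and index record for one signed container."""
    docs, sig_count = inspect_container(data)
    if sig_count == 0:
        raise ValueError("container holds no signatures")
    digest = hashlib.sha256(data).hexdigest()
    name = f"{signed_on.isoformat()}_{safe_component(client)}_{digest[:12]}.bdoc"
    path = PurePosixPath(str(signed_on.year), f"{signed_on.month:02d}", name)
    return {"path": str(path), "sha256": digest, "documents": docs, "signatures": sig_count}

def make_sample_container(signed=True):
    """Constructed sample: container layout only, the signature XML is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ASIC_E_MIMETYPE)
        zf.writestr("agreement.pdf", b"constructed sample agreement")
        if signed:
            zf.writestr("META-INF/signatures0.xml", b"<placeholder/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(archive_entry(make_sample_container(), "Example Client / ../etc", date(2016, 3, 9)))
```

Storing the SHA-256 value in an index next to the path lets a later check detect a container that was altered or damaged in the archive or in a backup copy.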

In the future, to ensure the long-term validity of the BDOC format, it is possible to add an archive timestamp to a BDOC container. This mechanism builds on the notion “let’s secure what may be weak”. Successive timestamps protect the whole material against vulnerable hashing algorithms or the breaking of the cryptographic material or algorithms.
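A simplified model of the successive-timestamp idea, added here as an example; it is not the BDOC format or the code of any eID library. Each new timestamp covers the document, its signature and all earlier timestamps, so a timestamp made with a newer digest keeps older material verifiable. An HMAC with a constructed key stands in for the timestamping authority's signature, and all names and dates are hypothetical.

```python
import hashlib
import hmac

TSA_KEY = b"constructed-demo-key"  # stand-in for the timestamping authority's private key

def _imprint(algorithm, document, signature, earlier):
    """Digest over the document, its signature and every earlier timestamp token."""
    h = hashlib.new(algorithm)
    for part in (document, signature, *(ts["token"] for ts in earlier)):
        h.update(len(part).to_bytes(8, "big") + part)  # length prefix keeps parts unambiguous
    return h.digest()

def _token(when, algorithm, imprint):
    """Simulated authority signature over the time, digest name and imprint."""
    return hmac.new(TSA_KEY, f"{when}|{algorithm}|".encode() + imprint, "sha256").digest()

def add_archive_timestamp(document, signature, chain, algorithm, when):
    """Return a new chain whose last timestamp covers everything archived so far."""
    imprint = _imprint(algorithm, document, signature, chain)
    return chain + [{"when": when, "algorithm": algorithm, "token": _token(when, algorithm, imprint)}]

def verify_chain(document, signature, chain, trusted_now):
    """True if every timestamp checks out and the newest one uses a digest trusted today."""
    if not chain or chain[-1]["algorithm"] not in trusted_now:
        return False
    for i, ts in enumerate(chain):
        if i and ts["when"] <= chain[i - 1]["when"]:
            return False  # timestamps must be strictly successive
        imprint = _imprint(ts["algorithm"], document, signature, chain[:i])
        if not hmac.compare_digest(ts["token"], _token(ts["when"], ts["algorithm"], imprint)):
            return False
    return True

def demo():
    doc, sig = b"constructed agreement text", b"constructed signature bytes"
    chain = add_archive_timestamp(doc, sig, [], "sha1", "2008-05-01")
    before = verify_chain(doc, sig, chain, {"sha256"})       # sha1 alone is no longer trusted
    chain = add_archive_timestamp(doc, sig, chain, "sha256", "2012-05-01")
    after = verify_chain(doc, sig, chain, {"sha256"})        # renewed with a stronger digest
    tampered = verify_chain(doc + b"!", sig, chain, {"sha256"})
    return before, after, tampered

if __name__ == "__main__":
    print(demo())
```

The model assumes the renewal timestamp was added while the older digest was still considered sound; a renewal made after the older algorithm was already broken proves nothing about the earlier material.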

Problems

As a rule, the main problems are fairly different between the small-scale (few documents) and large-scale (massive amounts of documents) use cases.

In both of these cases we have to take into account that not all clients or partners have an ID card or mobile ID, hence the use of paper documents in parallel to digital documents has to be maintained. Paper documents can be eliminated in rare special cases, for example, in case the organization regularly creates documents signed only by the organization itself.

Considering small-scale use - internal documents and digital agreements with not-too-numerous partners and clients - the typical problems are:

  • Using a computer, ID card and passwords is an additional effort which may take considerably more time than physical signing and is not well suited for outdoor use. On the other hand, digital signing is more convenient than organizing a special meeting for signing or sending the documents by paper mail.
  • The timestamp automatically and necessarily added to the signed document may be unwanted in some situations: everybody looking at the documents will see the actual time of signing.

Considering large-scale use, the typical problems are:

  • A significant amount of analysis and development work coming up in case standard solutions are insufficient and custom solutions are needed.
  • Necessity to sign an agreement with an organization providing suitable certification services (in Estonia currently just one: AS Sertifitseerimiskeskus) and to pay a monthly bill for the OCSP service: not too expensive, though, see the pricelist.

Action plan

The work effort estimates below are given for a mid-size company in the Estonian context. Companies with very large client bases should expect more work, mostly due to a large number of complex business processes. On the other hand, in cases where the standard software suffices, the work effort may turn out to be surprisingly low.

The main parts and steps of implementation could be summarized as follows:

  • Mapping, selecting, describing and analyzing business processes suitable for the paperless alternative. The work effort is estimated from a few days to half a year, depending on the organization and the complexity of the task.
  • Planning, designing and developing the core software (digital signatures). In case standard software suffices, no effort is spent here. Developing custom software is estimated to take a work effort from one month to half a year.
  • Planning, designing and implementing archival software for digital documents. In case a suitable software system is being used already, the step may take just a few days. In case a new software system is procured or developed, the work effort is estimated between a few months and half a year.
  • Educating users and spreading information. Depends mostly on the number of users.

There exists a useful tool http://eturundus.eu/digiallkirja-kalkulaator/ for estimating financial gains from using digital documents. The largest gains are achieved in the situation where a clerk has to regularly print and sign agreements together with a client: the customary process is very slow. Digital signatures make it possible to send an agreement to the client, hence the clerk does not have to wait until the client reads, checks and signs the agreement.