Blog: Introduction to digital seals

Identity Architect – John Erik Setsaas

One of the trust services addressed by eIDAS (EU regulation 2014/910) is electronic seals. This post will describe what electronic seals are, and how they can be used.

Electronic seals use the same cryptographic techniques as electronic signatures, and the result in both cases is a protected document. When a document is sealed, it is possible to verify the origin of the document and to detect whether changes have been made to it after the seal was added. Many people think that a document saved as a PDF cannot be modified. This is unfortunately not true: a PDF document can easily be edited in Adobe Acrobat and other PDF editors. However, if a seal is added to the PDF document, Adobe Reader (and possibly other PDF readers) will report if the document has been tampered with.

So what is the difference between an electronic signature and an electronic seal? The simple answer is that a signature is added by a person, while a seal is added by an organization.

A slightly more complex answer is that an electronic signature is added by a natural person, i.e. a human being, and that the signature is added when this person performs some action. This action typically involves some sort of authentication, where the user proves that she is who she claims to be. An electronic seal is added by a legal person, for example an organization. There is typically no human action involved in this, which makes electronic seals easy to include in existing business processes.

When do you want to use an electronic seal and not an electronic signature? If your organization is producing documents that are sent to other parties, and you want to ensure the integrity of these documents, electronic seals can be a good solution. The sealing of the documents can be integrated into the business process, ensuring that all produced documents are automatically sealed, without any human interaction.

It is equally simple to include verification of received documents in the business process. This could then automatically reject documents where the seal is not valid, or start a manual verification if there are any doubts about the signature.

One use case for electronic seals is an auditor. The result of an audit is a report, which is used to prove to a third party that some requirements are fulfilled. The auditor generates a report, which is sent to the organization, and this is then forwarded as proof of conformance. Sealing this report ensures that nobody can tamper with the report undetected, and that the document was produced by the auditor and not by somebody else.

Universities produce diplomas for students, which can typically be downloaded as PDF. This makes it very easy for a student to modify the diploma and alter anything from grades to subjects. It is also very simple to create fake diplomas. A quick Google search for “fake diploma” returns more than 350.000 hits. The consequence of this is that an employer may hire under-qualified workers, which is at best a business risk, and at worst lethal in businesses such as healthcare. By electronically sealing the diplomas, it is simple to verify that these are genuine, that they originate from the correct university and that they have not been tampered with. An automatic check of diplomas when screening incoming job applications could discard any diplomas which are fake.

Electronic seals could also be used for securing the integrity of bank statements, employment confirmation, identity papers, deeds, policy documents, training certificates, tax statements, and many others.

Signicat offers simple-to-use APIs, both for adding seals to documents and for verifying electronic seals. A document can be sealed by including a web-service call which is connected to a business process. Signicat will add the electronic seal, and return the sealed document, which then can be distributed.

To verify a received document, a web-service call will return the health of the sealed document, including a simple “traffic light” status. A check of this traffic light can be included in the business process, to reject obviously tampered-with documents, and approve verified documents. Questionable documents can be forwarded to a manual check.
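The verification flow described above, together with the automatic reject or manual check step mentioned earlier in the post, as an added example that is not Signicat's API or code from the original post. It uses a constructed toy RSA key (textbook RSA, no padding) so it runs on the Python standard library alone; the names `seal_document`, `traffic_light`, `route` and the trust-store layout are assumptions, and a production seal uses a certificate-backed key and a standard signature format instead.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy RSA key built from two Mersenne primes, so the example runs
# on the standard library alone. Textbook RSA without padding: illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the sealing organization

@dataclass
class Seal:
    issuer: str      # legal person that sealed the document
    signature: int   # signature over SHA-256(issuer || 0x00 || document)

def _digest(issuer: str, document: bytes) -> int:
    h = hashlib.sha256(issuer.encode() + b"\x00" + document).digest()
    return int.from_bytes(h, "big")

def seal_document(document: bytes, issuer: str) -> Seal:
    """Sealing step: runs inside the issuing business process, no human action."""
    return Seal(issuer, pow(_digest(issuer, document), D, N))

def traffic_light(document: bytes, seal: Seal, trust_store: dict) -> str:
    """Receiving side: trust_store maps issuer name -> public key (n, e)."""
    key = trust_store.get(seal.issuer)
    if key is None:
        return "yellow"   # origin cannot be established: leave it to a human
    n, e = key
    if pow(seal.signature, e, n) != _digest(seal.issuer, document):
        return "red"      # content or issuer changed after sealing, or forged seal
    return "green"

ROUTES = {"green": "approve", "yellow": "manual-check", "red": "reject"}

def route(document: bytes, seal: Seal, trust_store: dict) -> str:
    return ROUTES[traffic_light(document, seal, trust_store)]

if __name__ == "__main__":
    trust = {"Example University": (N, E)}          # constructed trust store
    diploma = b"%PDF-1.7 constructed diploma, Grade: C"   # constructed sample
    seal = seal_document(diploma, "Example University")
    print(route(diploma, seal, trust))                                   # approve
    print(route(diploma.replace(b"Grade: C", b"Grade: A"), seal, trust)) # reject
    print(route(diploma, Seal("Unknown Org", seal.signature), trust))    # manual-check
```

Because the issuer name is part of the signed digest, relabelling a valid seal with another trusted issuer's name also comes back red.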
