Qualified Trust Service Provider – So what?

Signicat has recently (2018-11) been approved as a QTSP – Qualified Trust Service Provider, and the qualified service is the QTSA – Qualified Time Stamp Authority.

So what is the big deal, and who needs time stamps anyway?
A trusted time stamp is needed to ensure that the signature can be validated after the certificate expires. To check the validity of a signed or sealed document, you must be able to trust the time when the document was signed or sealed, as all validity checks on certificates are based on the time. The time stamp must be added in a way that makes it extremely hard to forge.

So what does the QTSA do?
It is obvious that if this time is taken from a local clock on your machine, this cannot be trusted, as it is very simple to set a different time. What if the service provider does this, it would be OK, right? It really depends on the service. Can you be confident that the clocks on the servers are running correctly? And that it is not possible for somebody working there to tamper with the time, to make a forgery? And if you check the document in a few years, are you confident that you can still trust the time it was signed?

How do you synchronize the clock?
You cannot just pick up the time from any NTP (Network Time Protocol) server, which gives no guarantee or liability for the time which is returned. This means that the clock must be synchronized with an authorized time source. Signicat’s QTSA service is using the Norwegian Metrology Service (https://www.justervesenet.no/en/), which provides a legal certified time. In addition, a separate server continuously monitors the derived time from the main server, and if any deviation is found, an alarm is set off, and the service is stopped.

Having a trusted time on the signed and sealed documents is one important aspect of long-term validation (LTV). If you have requirements to validate the document in the future, after the signing certificate has expired, or even long into the future (for example for contracts regarding properties which can be for 50 years or more), there must be some way of validating that the process of signing followed certain standards. One way of doing this is using LTV information embedded into the document, which gives the advantage that everything is embedded in the document. The LTV information contains all the certificates in the certificate path, all the certificate statuses, and the very important trusted time stamp. Every 3 to 5 years, the document is re-validated using this information, and a new time-stamp is added. Without the trusted time-stamps, you will not be able to have confidence in *when* the document was signed, nor when it was validated, and you may lose trust in the signed document.

Finally, there is the need for a QTSP – Qualified Trust Service Provider – which is the organization which binds this together. To become a QTSP, there are a lot of standards to follow, a lot of controls to implement, and any important configuration changes are done using dual-control, meaning that at least two people must be involved in the changes. The setup has dedicated hardware with strict physical and logical access control, including auditing of everything which is done. All of this would make it, if not impossible, at least extremely difficult to tamper with the system.

Each year, independent auditors scrutinize the service and the organization, delivering their report to the national notification authorities. The system is anchored in the legislation in all EU/EEA countries, and is the same as we know from the EU qualification of certificate authorities.

I have already mentioned that the service is operated under dual-control. This is just one of many controls which are required to get a QTSP status. Others are procedures for reporting incidents, insurance for handling closure of the service (for any reason), and periodic internal and external audits. All this is done according to ETSI standards, which dictate how it should be done, and it is audited by an accredited external auditor (we were audited by BSI group https://www.bsigroup.com/en-GB/), and approved by the national accreditation body (in our case NKOM (https://www.nkom.no/), as we are based in Norway), which then added us to the EU trust list (https://webgate.ec.europa.eu/tl-browser/#/), where you can see all the QTSPs in Europe.

Read press release: Signicat named as Qualified Trust Service Provider

Blog post by John Erik Setsaas, VP of Identity & Innovation, Signicat

Introducing improved mobile support for Swedish BankID

Sweden’s BankID recently introduced a function where users can scan a QR code as part of an authentication, using Swedish Mobile BankID, providing enhanced security by reducing the geographical distance between the web browser on the desktop and the Mobile BankID client. This means that the desktop computer and the user with the Mobile BankID app are in the same place.

The user obtains a QR code on the website, and then scans this QR code using the Mobile BankID app. This eliminates the need to type in a personnummer (Swedish national identification number), which reduces the likelihood of social engineering attacks.

Signicat has now implemented support for this new QR code functionality. Signicat has also made improvements to the user interface of the BankID method in this new release. A method can be configured to support the new user interface and/or QR code functionality.

To learn more, visit our developer pages.

For existing customers, contact our support team to take advantage of this new functionality.

If you are not a customer and wish to learn more, contact us.

Signicat granted EU Quality Trust Mark for security and quality of services

Trondheim, Norway, 12 November 2018 – Signicat, a leader in verified digital identity and electronic signature solutions, has been granted the status of Qualified Trust Service Provider (QTSP) by the Norwegian communications authority, NKOM. With this status, Signicat becomes one of the few companies that can use the EU Trustmark, and is now part of the EU Trustlist.

QTSP status is defined by internal procedures meeting the strict standards defined by eIDAS regulation and is audited by an external body, in this case the British Standards Institute (BSI). Having satisfied the external auditors and also met the approval of NKOM, Signicat can now use the EU Trustmark to indicate that it meets the standards demanded by the EU, and delivers the highest levels of security and quality of service.

Signicat's QTSP status is specifically due to being a Qualified Time Stamp Authority, enabling digital documents to be certified as existing at a certain point of time, without the possibility of backdating. This means that the authenticity of digital documents certified by Signicat can be trusted for even the most sensitive of uses. Time stamping is an essential part of document preservation, ensuring that documents can be validated and known to have existed at a particular time—not just now, but far into the future.

“We’re delighted to have our hard work and expertise recognised by both the auditors and the communications authority,” said John Erik Setsaas, VP of Identity and Innovation, Signicat. “The EU Trustmark lets our customers know at a glance that we meet the very high standards laid down by the EU, and that we can help to build mutual digital trust with the consumers they serve.”

Signicat’s status as a QTSP follows its announcement last month that it has joined the European Telecommunications Standards Institute (ETSI), the recognised standards body for electronic communications.

About Signicat

Based in Trondheim, Norway, and founded in 2007, Signicat is a Qualified Trust Service Provider operating the largest Digital Identity Hub in the world, offering the only complete identity platform in the market and trusted to reduce the burden of compliance in highly regulated markets.

With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than a burden. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Signicat’s Identity Hub is a complete solution that offers compliance and a route to better customer engagement.

Signicat has over 500 financial services organisations as clients, connects to more than 20 schemes globally and verifies more than 10m identities per month.

Media Contacts:
CCgroup for Signicat:
Signicat@ccgrouppr.com
+44(0) 203 824 9200

Signicat introduces Signicat Business Signature, digitising business to business document signing

Trondheim, Norway, 7 November 2018 – Signicat, a leader in verified digital identity and electronic signature solutions, has today announced an electronic signing solution specifically for business to business interactions. The Signicat Business Signature product facilitates a flexible and secure business to business document signing process that minimises manual operations and keeps evidence of signature in the same document.

With the digitising of consumer markets, and the ability to sign legal documents online, businesses are increasingly looking to take advantage of the cost and time savings of electronic signatures. However, electronic signing in business to business transactions requires an additional level of security to ensure that the business is the correct legal entity and that the signatory is allowed to act on its behalf.

To support this, Signicat Business Signature allows document recipients to forward a sign order internally within their company to a single person authorised to sign, or to obtain multiple signatures when no single person is authorised to sign alone (sign and forward).

As well as the processes used to on-board consumers, the Signicat Business Signature includes additional checks of business registers ensuring that the business is the correct legal entity and the signatory is allowed to act on its behalf. The document is then signed using, for example, an electronic identity or eID (such as Norway’s BankID), a one-time password via SMS or scanning of ID documents.

The Electronic Seal functionality protects and preserves documents such as invoices, diplomas and certificates. By electronically sealing documents, Signicat Business Signature helps prevent fraud and ensures the document cannot be tampered with.

“Businesses are increasingly looking to take advantage of consumer technology to drive efficiency and to improve manual processes, and the move to e-signatures is a logical step. By doing away with physical documentation and enabling instant contract signing, Signicat is helping to enable digital transformation across Europe,” said Gunnar Nordseth, CEO, Signicat.

Electronic signing brings benefits including the assurance of signature validity through ID verification and signing authority lookups, capability for cross-border signatures, the option for signers to sign multiple documents in one process and the long-term verification of a signer’s identity. The solution is currently live in Norway and Denmark and is being rolled out across additional countries as business registry information becomes available.

Learn more about Signicat Business Signature here:

-Ends-

About Signicat
Based in Trondheim, Norway, and founded in 2007, Signicat operates the largest Digital Identity Hub in the world, offering the only complete identity platform in the market and trusted to reduce the burden of compliance in highly regulated markets.

With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than a burden. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Signicat’s Identity Hub is a complete solution that offers compliance and a route to better customer engagement.

Signicat has over 500 financial services organisations as clients, connects to more than 20 schemes globally and verifies more than 15m identities per month.
For more information, visit: https://www.signicat.com/contact/

Media Contacts:

CCgroup for Signicat:
Alice Pedder
Signicat@ccgrouppr.com
+44(0) 203 824 9200

Signicat digitises in-store signing of credit agreements for Resurs Bank retail partners

Three in every four in-store credit agreements now signed digitally using electronic IDs

Trondheim, Norway, 28th November 2018 – Signicat, a leader in verified digital identity solutions, today announced it has been selected by Resurs Bank to provide instant mobile signing of credit agreements. Resurs Bank is the leader in retail finance in the Nordic region with more than 1,000 retail partners, serving more than 35,000 stores.

Customers signing a credit agreement in stores served by Resurs Bank no longer have to sign physical paperwork – instead, they can sign using their eID and create a digital agreement. All paperwork is shared digitally, so in-store purchases of high value items requiring a credit agreement are therefore as fast, secure, and convenient as any online transaction.

The agreement is signed using a combination of Signicat Sign and an approved electronic ID (eID), such as BankID. The customer can easily accept the terms and conditions and sign using their mobile device.

A pilot programme in Sweden was an instant success, with 76% of customers choosing to sign credit agreements using Mobile BankID. The service has now been rolled out to all retailers served by Resurs Bank in Norway, Denmark, Sweden and Finland.

“This technology means that traditional stores can better compete with their online rivals—while they offer superior customer service they need to combine this with the convenience of online shopping,” said Marcus Lennerhov, Product Manager at Resurs Bank. “Thanks to Signicat, the majority of our retail credit agreements are now signed digitally using a mobile device giving customers the security and ease they are used to online.”

“In ditching paper, electronic signatures offer a frictionless and instant customer experience, and give retailers a trusted and scalable way to deal with growing demand while improving conversion,” said Gunnar Nordseth, CEO, Signicat. “Working with Resurs Bank to provide digital signing to over 35,000 stores is another milestone for digital identity in the Nordics, a model for the rest of the world to emulate.”

About Signicat

Based in Trondheim, Norway, and founded in 2007, Signicat operates the largest Digital Identity Hub in the world, offering the only complete identity platform in the market and trusted to reduce the burden of compliance in highly regulated markets.

With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than a burden. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Signicat’s Identity Hub is a complete solution that offers compliance and a route to better customer engagement.

Signicat has over 500 financial services organisations as clients, connects to more than 20 schemes globally and verifies more than 10m identities per month.

For more information, visit: https://www.signicat.com/contact/

Media Contacts
CCgroup for Signicat
signicat@ccgrouppr.com
+44 203 824 9200

 

About Resurs Holding:

Resurs Holding (Resurs), which operates through the subsidiaries Resurs Bank and Solid Försäkring, is the leader in retail finance in the Nordic region, offering payment solutions, consumer loans and niche insurance products. Since its start in 1977, Resurs Bank has established itself as a leading partner for sales-driven payment and loyalty solutions in retail and e-commerce, and Resurs has thus built a customer base of approximately 5.5 million private customers in the Nordics. Resurs Bank has had a banking licence since 2001 and is under the supervision of the Swedish Financial Supervisory Authority. The Resurs Group operates in Sweden, Denmark, Norway and Finland. At the end of the second quarter of 2017, the Group had 742 employees and a loan portfolio of SEK 22.3 billion. Resurs is listed on Nasdaq Stockholm, Large Cap.

Preserving Electronic Signatures – Are you taking care of your signed documents?

Did you know that an electronic signature does not last forever? Just like old pieces of art, it needs to be periodically maintained to ensure its freshness. Some contracts need to be valid for a long time. This would typically be contracts for properties, which may even be passed on to the next generation.

So what happens with the signed document, you may ask. Are bits and bytes from the document disappearing? Of course not. The signed document itself has to be preserved to maintain its availability and integrity, but when this is taken care of, the structure of the document itself does not change. But the world revolving around the document does.

I will be touching on three issues:

  • Certificates have an expiry date.
  • Validation information is needed to verify a certificate.
  • The strength of the cryptographic algorithms vanishes over time.

For one, the certificates (including all intermediate certificates up to the root) used for generating the signature have an expiry date. After this date, the certificate is no longer valid, which also means that if you try to validate a signature, this validation will fail.

Another issue in validating a signature is the need for validation data. A certificate may be revoked, i.e. declared invalid, before its expiry date, in the worst case because the certificate has been compromised. Thus, all certificate issuers offer services to establish the validity of certificates, typically as revocation lists (CRLs) or online status verification (OCSP). When validating a signature, one is obliged to check the validation data in addition to checking the expiry date of certificates. But a certificate issuer and its validation data may not live forever (remember DigiNotar?). Without access to the validation data, you cannot validate the signature. Note also that OCSP always returns current status, meaning validation after the certificate has been revoked will fail, even if the certificate was valid at the time of signing.

In addition to the expiry dates and access to validation information, the cryptographic algorithms that are used to add the signatures must be considered. These algorithms are basically math, and it is possible to calculate how much computing power is required to break one of these algorithms, say that you would need 20 years or 200 years to break it. However, this does not take into account breakthroughs in mathematics or in technology. Take quantum computing for example, which uses a completely different approach to problem solving, and may break the existing algorithms in minutes or seconds. In addition, there may be advances in mathematics which render existing algorithms invalid. As an example, old hashing algorithms (like SHA1 or MD5) are no longer considered secure, and are being replaced.

Preservation means:

  1. Validate the signature (or all signatures on a document) when certificates are still valid.
  2. Collect the evidences used in validation.
  3. Protect signatures and evidences by a “proof of existence”, making it possible to prove the signatures’ validity status at the time when the proof was created.

To address this issue, documents signed by Signicat contain what is called long term validation (LTV) information. The LTV contains all the results from the validations, so it is possible to verify what the data looked like at the time of signing. The evidence is protected by a time-stamp from Signicat’s time-stamp service, proving the time when validation was done and at the same time protecting the integrity of all evidence.

This process needs to be repeated, as the certificates supporting the proofs of existence and time-stamps also have an expiry date, may be revoked, and the mechanisms may involve cryptography that may become weak over time.

To address all of these issues, Signicat offers a secure archive, where documents are periodically verified and re-sealed with updated proofs and time-stamps. This means adding a new layer of security, with updated algorithms.
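The validation-time reasoning behind preservation, and behind the trusted time stamps described in the QTSA post earlier on this page, as an added example (not Signicat's code): a simplified Python model in which each time-stamp covers the document and all earlier time-stamps, and every layer is checked at the time the next layer took over. The certificate names, dates and hash retirement dates are constructed, and verification of the signatures on the time-stamp tokens themselves is left out.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def utc(year: int, month: int = 1, day: int = 1) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed policy for this example: date from which a hash is rejected.
HASH_SUNSET = {"sha1": utc(2017), "sha256": None}


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # from CRL/OCSP evidence kept with the document

    def valid_at(self, t: datetime) -> bool:
        in_window = self.not_before <= t <= self.not_after
        return in_window and (self.revoked_at is None or t < self.revoked_at)


@dataclass(frozen=True)
class TimeStamp:
    time: datetime   # time asserted by the time-stamp authority
    tsa_cert: Cert
    hash_alg: str
    digest: str      # digest over the document and all earlier time-stamps


def covered_digest(alg: str, document: bytes, earlier: List[TimeStamp]) -> str:
    h = hashlib.new(alg)
    h.update(document)
    for ts in earlier:
        h.update(f"|{ts.time.isoformat()}|{ts.tsa_cert.name}|{ts.hash_alg}|{ts.digest}".encode())
    return h.hexdigest()


def add_timestamp(document, stamps, when, tsa_cert, alg="sha256"):
    """Model of (re-)time-stamping: the new layer covers everything before it."""
    return stamps + [TimeStamp(when, tsa_cert, alg, covered_digest(alg, document, stamps))]


def validate(document: bytes, signer: Cert, stamps: List[TimeStamp],
             now: datetime) -> Tuple[bool, str]:
    if not stamps:
        # Without a trusted time the only defensible validation time is "now".
        ok = signer.valid_at(now)
        return ok, "valid" if ok else "no trusted time; signer certificate not valid now"
    if not signer.valid_at(stamps[0].time):
        return False, "signer certificate not valid at time-stamped time"
    for i, ts in enumerate(stamps):
        if covered_digest(ts.hash_alg, document, stamps[:i]) != ts.digest:
            return False, f"time-stamp {i}: digest mismatch"
        # Each layer must hold until the next layer took over (or until now).
        holds_until = stamps[i + 1].time if i + 1 < len(stamps) else now
        if holds_until < ts.time or not ts.tsa_cert.valid_at(ts.time):
            return False, f"time-stamp {i}: inconsistent time"
        if not ts.tsa_cert.valid_at(holds_until):
            return False, f"time-stamp {i}: TSA certificate lapsed before renewal"
        sunset = HASH_SUNSET[ts.hash_alg]
        if sunset is not None and holds_until >= sunset:
            return False, f"time-stamp {i}: {ts.hash_alg} retired before renewal"
    return True, "valid"


# Constructed sample data: the signer certificate is revoked after signing.
DOC = b"lease contract, 50 years"
SIGNER = Cert("signer", utc(2016), utc(2019), revoked_at=utc(2018, 6))
TSA_A = Cert("tsa-a", utc(2015), utc(2021))
TSA_B = Cert("tsa-b", utc(2019), utc(2027))
NOW = utc(2024)


def demo():
    first = add_timestamp(DOC, [], utc(2017, 3), TSA_A)
    renewed = add_timestamp(DOC, first, utc(2020, 6), TSA_B)
    return {
        "no time-stamp": validate(DOC, SIGNER, [], NOW),
        "stamped, never renewed": validate(DOC, SIGNER, first, NOW),
        "stamped and renewed": validate(DOC, SIGNER, renewed, NOW),
        "renewed, document altered": validate(DOC + b"!", SIGNER, renewed, NOW),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:28} {ok!s:5} {reason}")
```

Only the renewed chain validates in 2024: the signature is judged at the time-stamped signing time, before the revocation, and each time-stamp is judged at the moment the next one was added.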

Did anybody mention blockchain? Yes, you could store the hash (or signature) of the document on a distributed ledger. But that does not change any of the above. Blockchain promises that data cannot be deleted or modified. But that assumes the current mathematics and algorithms. Breakthroughs will make blockchain vulnerable. And you would still have to access validation information, in case of compromised data.  

Signicat Preserve is the Signicat solution to ensure that your signature can be validated 5, 50 or 500 years from now.

And even if Signicat may not be around 500 years from now (who knows?), the preservation follows open standards, so it is possible for others to take over the preservation process.

By John Erik Setsaas

Senior Java developer, Trondheim Norway

You will be a part of a dedicated and friendly development team where you will build integrations and features, services and products that run on the Signicat e-identity and digital signature platform.

You will be building features from start to finish, working on the backend to build APIs and microservices that are part of the Signicat platform. You will be using third-party SDKs and APIs along with your own skills and contributions in order to build applications that enable a range of identity and signature related features. You’re a quick learner, and you would like to have freedom under responsibility. You’re good at demonstrating and explaining what you’ve created, and you like to do it.

You have several years of experience as an all-round developer — you are comfortable at the command line, you can read specifications and implement them accordingly, you understand the web as well as being comfortable writing modern server applications using Java.

You’ve got a knack for devops, you know Jenkins, Puppet and Salt (or similar), because continuous deployment and infrastructure as code is something that resonates with you. You like to build solid stuff and watch it roll out painlessly.

Essential

  • 5+ years of industry experience
  • Curiosity and interest
  • You’re security aware.
  • You stay updated on languages, frameworks and platforms, you know what’s coming next and you like to be knowledgeable and good at what you do.
  • You write clean code and you know how to make your stuff testable and tested.
  • You think coding is fun, you like helping people out and you ask for help yourself when you need it.

Desirable

  • Knowledge or awareness of authentication and authorization protocols.
  • The ability to write proper technical documentation.
  • Cryptographic (PKI) competence.

Perks

  • Nice office location in central Trondheim. We’ve got a very relaxed working environment. No dress code, no business cards unless you really want one.
  • This is an opportunity to become a part of a passionate development team within an international company which is growing fast across Europe. The organization is flat and informal, and the job comes with lots of freedom and an equal amount of responsibility and accountability. There will be travel and other international opportunities for the right person, if you’d like that.
  • You may choose your equipment freely, you’ll have the opportunity to affect your own office environment, and you’ll be working with other nice people in order to build great stuff to power the international expansion of Signicat.
  • Kid-, mom- and dad-friendly.
  • Insurance and pension plan
  • Employee social activities (music, sports, board games)
  • For international moves to Norway, immigration assistance and relocation services provided

About Signicat

Signicat is a Digital Identity Service Provider (DISP) and is one of the leading providers of electronic identity and signature solutions in Europe/globally. Our security solutions are used at all financial levels from government and big banks to small business—and everywhere in between.

We continue to be leaders in innovative security solutions, reducing risk while providing a smart and intuitive user experience. Signicat has earned the trust of institutions and businesses by providing user authentication, electronic signing, identity proofing and document preservation.

We are a fast-growing company that has a track record of success as one of the most complete providers of electronic identification services for the Nordic and European markets. While enjoying continued growth we have kept the best of our ‘startup’ ethos, encouraging creativity, initiative and independence to get things done. We value the well-being of each employee and all work together to create a supportive and inspiring work environment.

Signicat has more than 100 employees at offices in Trondheim (headquarters), Oslo, Copenhagen, Helsinki, Stockholm, Amsterdam, London and Lisbon. Our focus is security and professionalism and we are constantly working to improve our product and ourselves. If you want to be part of our highly talented, professional and creative team then we want to hear from you!

For more information about the position and applications, please contact Lars Klemetsaune, the Development Manager, at lars.klemetsaune@signicat.com

Hackathon proof of concept: Business Vendor On-boarding Platform with verified digital identity

Together with our customer and partner Anva, we participated in the recent hackathon from B-Hive. The challenge was to “Know your Vendor” and, well, we’re pretty proud of our result.

What we built:

We created an easy-to-use platform for vendors to register once, and then be able to submit to multiple RFPs/RFIs using the same registration data. To verify the correctness, eligibility and validity of the submitting party, the vendor representative had to connect the account to LinkedIn as well as Belgium’s Itsme Electronic Identity. Based on this data, we then implemented company information lookup into Dun & Bradstreet APIs, and finally the end user could upload certificates (e.g. ISO27001) and additional documents.

Furthermore, we also integrated the portal with ANVA Safebay platform for confidential messaging, and we had an AI chatbot that would automatically generate an NDA based on the ongoing conversation. Once signed by both parties (and verified using eIDs), these NDAs would then be Signicat sealed and put into our archive.

Here’s a more detailed video from our own Peter Feijen:

 

Press Release: Signicat joins ETSI team guiding digital signature standards

Trondheim, Norway, 27 September 2018 – Signicat, a leader in trusted digital identity, has joined the European Telecommunications Standards Institute (ETSI), the recognised standards body for electronic communications. As part of the technical committee on Electronic Signatures and Infrastructure (ESI), Signicat will help create and shape the standards for digital signatures and trust services.

ETSI is officially recognised by the EU as one of three European Standards Organisations (ESO), with a focus on broadcasting, telecommunications and other electronic communications networks and services. ETSI produces “harmonised standards” that support European regulation and enable manufacturers and suppliers to prove that their products and services meet these regulations.

ESI is the technical committee responsible for the standardisation of European digital signature and trust services. The standards produced by ESI are designed to meet the demands of eIDAS regulation, ensuring interoperability across borders, and be applicable beyond Europe.

Signicat—already standards-compliant—will be able to share its experience and knowledge of electronic signatures and digital identity to help guide the development of these standards. Currently in development are standards for signature validation services, which specify how a signed document will be sent to a trusted service, returning a signature validation report.

“The work of ETSI, ESI and eIDAS is solving the fragmentation that currently exists across Europe, and will make using digital trust services across the continent simple,” said John Erik Setsaas, VP of Identity and Innovation, Signicat. “Our membership of the technical committee that drives the creation of these standards gives us an opportunity to influence their development, bringing our first-hand experience of creating trust services that work across borders.”

For more detail on the ongoing work of the technical committee and its roadmap, read Signicat’s blog post: https://www.signicat.com/blog/signicat-joins-etsi-for-standardisation-of-digital-signatures-and-trust-services/

About Signicat
Based in Trondheim, Norway, and founded in 2007, Signicat operates the largest Digital Identity Hub in the world, offering the only complete identity platform in the market and trusted to reduce the burden of compliance in highly regulated markets.

With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than a burden. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Signicat’s Identity Hub is a complete solution that offers compliance and a route to better customer engagement.

Signicat has over 400 financial services organisations as clients, connects to more than 20 schemes globally and verifies more than 10m identities per month.

For more information, visit: https://www.signicat.com/contact/

Media Contacts:

CCgroup for Signicat:

Alan Miller, Alice Pedder

Signicat@ccgrouppr.com

Hotels: Do you really Know Your Customer?

The regulation known as Know Your Customer (KYC) is as important as ever for the prevention of identity theft and financial fraud, including money laundering and terrorist financing, and the acronym is widely used in banking and FinTech. But why would a hotel need to KYC? More and more countries demand that the hotel has a copy of a guest’s passport, and this of course leads to increased time per check-in and a lower Revenue Per Available Room (RevPAR).

KYC is the process of verifying the user’s identity, and is typically done by a number of mechanisms such as passport or ID paper upload, electronic ID verification, face recognition etc.

As hotels move towards online and kiosk check-ins, this process becomes more difficult. Wouldn’t it be great for customers to provide their passport and ID information ahead of time, including a scan of the passport and a picture of the guest? This information can be stored in the hotel’s Property Management Software (PMS) before the guest arrives.

Financial institutions in the Nordic region, Spain and Germany are reporting huge savings and increased attractiveness of their services since implementing an Electronic ID (eID)-based KYC process became available three years ago.

Here at Signicat we are able to provide secure guest on-boarding, as well as authentication and electronic signing services. We make it easy for hotels and others in the hospitality industry to use electronic IDs (a full list of supported eIDs here), as well as passport and ID card scanning services. We’re able to receive necessary information from passports, copy the documents, and securely store and preserve documents and signed agreements in our preservation archive.

What is an electronic ID? Electronic identification refers to electronic systems for legitimizing users on the Internet or other computer systems. Using an electronic identity, users can identify themselves, sign in, sign contracts and approve transactions on different websites, such as banks and public portals.

Once onboarded, guests can then quickly access their loyalty program information as well. If an eID is used, there is no need to worry about remembering a username and login as authentication is provided by the eID.

Signicat has more than 10 years’ history of working with companies dealing with both complex regulatory compliance issues, as well as ensuring seamless user experiences to on-board and keep customers. Our APIs provide everything a hotel or PMS provider needs to quickly get up and running.

After all, for the hospitality industry, wouldn’t it be great to Know Your Guest?

Contact us if you want to learn more!