Spanish children will not be able to use digital signature

Spain’s Government has approved a law for the protection of children using the Internet. It allows children’s identity to be accredited through digital certificates, such as those on the Spanish ID card, but not the use of electronic signatures. The Spanish electronic ID card contains two digital certificates: one that enables identification, and another for electronic signature.

According to the Government, from now on the activation of electronic identification is valid for adults and children, but activation of the electronic signature is only available for adults.

Delivering a document with an active electronic identification certificate will protect children in social networks (if the site requires the user to present the digital certificate).

The law also introduces technical amendments to fingerprinting. In cases where fingerprints cannot be taken from the forefingers because of mutilation or a physical defect, other fingers will be used instead.

Furthermore, as the physical appearance of minors changes very quickly, the ID card validity will be reduced from 5 to 2 years.


Panama announces digital signature

Roberto Henriquez, Presidency Minister, announced last Saturday on his Twitter account that the digital signature project will start next Thursday, with the purpose of reducing paperwork and increasing efficiency.

“Another unforgivable National Government fulfilled”, said the Minister.

Minister Henriquez also announced that he will visit the sites of the three new zones that are under construction in Pedregal, Torrijos, Carter and El Parador. These complete 10 of the 21 planned by the Government. The last one was Cabima.


Digital signature as a crisis antidote

In these times, most problems for businesses begin with the difficulty of making sales. This problem is difficult to solve, since it originates in the consumer’s lack of purchasing power, and it spreads quickly to other companies. At this point, for a company whose sales fall to the point of ceasing to be sustainable, the only solution is to reduce costs.

A known way to reduce costs is to automate processes. No one disputes that applying automation to production processes is absolutely essential; however, companies continue to resist or ignore the possibility of automating administrative processes. We’ll see that this is a very simple solution to deploy, especially when contracted in SaaS mode.

Note: If the production processes are those necessary to carry out the main activity of our company, the administrative processes are those that we implement to support the control and management of the core business.

Administrative processes require generating and moving a large number of documents with data about the activities and participants. In many cases, participants must sign these documents as evidence of consent, participation or authorship.

When these documents multiply, shipping, archiving and later locating them become very tedious tasks, which causes the people who work with them to lose time unnecessarily. Therefore, what is involved is to remove the paper. Is there anything easier to cut than paper?

We can assume that all businesses are managed using computers, so most documents are produced digitally. However, many documents are still printed, and in many cases only because of the need to apply one or more handwritten signatures. As explained in the previous paragraph, this is wasted time.

The solution is to send, sign and store these documents in digital media. With this, the company staff will stop losing precious time on administrative tasks and will be able to devote themselves to more productive tasks, such as sales prospecting.

We might think that implementing the technology is expensive and requires an investment we cannot afford, but it is not. iSigma’s proposal is to access the technology by paying for use, which means that we allow the company to benefit from the savings before paying for the technology.

How to check whether this is as simple as we explain? Just create an account at PortaSigma (http://www.portasigma.com/en), completely free, and start digitally signing your company’s documents.


Increasing efficiency in Staffing Agencies

Digital signature is, like email, a cross-sector technology; that is, industries as diverse as veterinary practice (ES) or staffing agencies can benefit from its advantages.

For its part, the electronic signature is a legal concept that is also cross-sector, applicable to any activity, and which in its qualified version has functional equivalence with the handwritten signature (for legal purposes, see Law 59/2003 of 19 December on the electronic signature, Article 3.4 –ES-). If you are unsure about the differences between electronic signature and digital signature, we explained them here and here (unfortunately both in Spanish –ES-).

Lots of signatures!

However, although both the technology and the legal concept are cross-sector, not all activities benefit equally from their advantages. Consider which activities might benefit most: of course, those in which the number of handwritten signatures made daily is very high. Obviously there may be other considerations, such as whether these signatures are made in key processes, the legal weight of these signatures, etc., but the mere fact of making many handwritten signatures daily allows big savings in costs and time (ES), along with other benefits of the electronic signature (ES).

There is no doubt that a staffing agency (SA) performs many handwritten signatures daily. Both CMAs (Contracts for the Making Available) and the contract the worker signs are also key processes in these companies. So iSigma collaborates with the Staffing Agencies National Association (ES).

With 63% of Spanish companies using electronic signatures and 30 million Electronic National ID cards issued (ES), more than half of the potential customers of an SA could carry out the proceedings entirely electronically.
With a cloud solution like PortaSigma, within minutes you can start signing and requesting signatures (ES) on CMAs and other contracts, without either party having to travel, with no initial investment and without the need for your clients to be registered in any system.

Are you an SA and do not have an electronic signature solution? Who are you going to contact now?

NDA Digital signature

How many times have we found that a project was paused for some days because an NDA (Non-Disclosure Agreement) was needed for information exchange?

This problem is especially relevant when the companies are located in different countries, and becomes more critical the farther apart those countries are.

If the document is signed and sent without leaving the digital environment, both parties will be able to sign the NDA instantly, without delay. This is one of those use cases in which applying the digital signature most improves the process.

It might seem that deploying the necessary technology is difficult and expensive, but it’s not. PortaSigma is easy to use and cheap. Thanks to digital signature, and cloud computing benefits, digitally signing an NDA using PortaSigma is as easy as shown in the following steps:

  1. One of the parties uploads the contract in PortaSigma.
  2. The signer’s data is entered
  3. Enter the details of the contacts / representatives who must sign the document
  4. The parties are notified by mail, including a link to the document
  5. Each party will access the document at the chosen moment, and sign it online
  6. Finally, the document will be signed by both parties, and available to them

For the digital signature to be legal, digital certificates must be used. Most companies already have their own digital certificates. Most use them for authentication services but not for digital signature.

In this post we explained the European regulation for the cross-border usage of digital certificates.


PDF Signature

Whenever we need to get the signature of one or more persons on a document, as many copies are printed as there are people who have to sign, and each one puts a handwritten signature on the document. This operation is repeated for each copy of the document.

Most people are getting used to digital documents. These are produced by software applications, stored on hard disks, and shared using telematic communications.

When a document is printed, a paper instance is created whose content will not be modified. The act of printing gives us that security, and also ensures that anyone who receives the document will be able to read it.

In order to keep that security without needing to print the document, we must transform it to a format which we know won’t be modified and which anyone will be able to read. Currently, this security is given by the PDF format.

Moreover, experience tells us that to consolidate a technological innovation, the compatibility with previous technologies is a key issue. Because of this, most PDF conversion tools are created as a printer spooler.

As a result, when we hear about digital signature, it is common to think of PDF documents. It is the digital signature experience most compatible with the previous technology.

How to sign a PDF?

Since version 1.5, the PDF format supports embedded digital signatures. These signatures are embedded in the document following the PKCS#7 standard.

To sign a PDF document, a digital identifier is required. Digital identifiers are components that we can install on our computer, or keep on a smart card or a cryptographic token. A digital identifier has a private key, which can only be used by ourselves, and a public one, which is used by others to verify our identity. The public part is the digital certificate. With a qualified digital certificate, we will be able to sign documents with the same legal security as handwritten signatures.

If we already have a digital identifier, to sign a PDF we only need the signature tool. Let’s explain how to sign a PDF using our application ClickSign.

ClickSign can be downloaded from here. This is the signature process:

  1. Choose your PDF document using Windows Explorer
  2. Click on the document with the right mouse button, and the ClickSign menu will appear
  3. In the ClickSign menu, choose the “Signature” option
  4. We will be asked to choose the digital certificate with which we want to sign
  5. We will be asked for the PIN, if it is required by the digital certificate’s security setup
  6. Finally, a new PDF document will appear in the same path, with the same name as the original and the extension “.signed”

Digital signature offers the following improvements over the handwritten signature:

  • More security, since it prevents the manipulation of the signed document, or the impersonation of the signer
  • Storing digital documents is much cheaper than paper ones
  • The time from when the signature is requested until the document is signed is much shorter if it can be done telematically
  • The time needed to find a digital document is much shorter than to find a paper one
  • Moreover, the PDF format supports information related to the meaning of the signature, which can’t be done with handwritten signature

So the only question that remains is:

Why should we keep using handwritten signatures?


Bad image for SSL digital certificates and appropriate countermeasures

Last year, 2011, was a bad year for the image of Certification Service Providers.

There were several security incidents with much media attention, the most notable of which were the Comodo, DigiNotar and GlobalSign cases (the latter much less severe).

To summarize, some of the weaknesses and vulnerabilities exploited were:

  1. The most critical servers contained malicious software that can usually be detected by an antivirus.
  2. All CA servers belonged to the same Windows domain, making it possible to access them all with a single username / password.
  3. The admin password was not robust and was easy to obtain by brute force.
  4. Software installed on the public Web server was outdated and had not had the appropriate patches applied.
  5. There was no antivirus protection on the investigated servers.
  6. The certificate issuing system was fully automated, without human intervention.

It should be noted that the attacks focused on the issuance of SSL certificates, not on the qualified certificates that would allow an attacker to produce legally binding electronic signatures.

The big fish move …

After the incidents, both Microsoft and the Mozilla Foundation contacted the Certification Service Providers whose certificates they distribute, to:

  • Inform them of amendments to the certificate distribution agreements, tightening the controls to be performed for SSL certificate issuance
  • Inquire about whether they had detected any abnormal behavior or attempted intrusion into their systems.

In addition, the previous players and Adobe (EN) stopped distributing certificates from providers affected by the attacks.

These measures affected all companies and entities that had been issued SSL certificates by Comodo or DigiNotar, whose certificates became invalid (revoked) and therefore useless. For the rest, the Internet simply became a little safer, because the certificate providers who did not do things right were no longer valid.

…. and lobby …

One more turn of SSL security

The CA/Browser Forum is “a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications.” The members include Microsoft, Mozilla Foundation, Apple, Google, Thawte, Entrust, Comodo (?!), etc …

This lobby defined, in June 2007, the requirements and controls for the issuance of EV (Extended Validation) SSL certificates, which, roughly, are SSL certificates that have passed more controls before issuance, and so are safer from the start.

But the Comodo, DigiNotar and GlobalSign incidents did not affect EV certificates, which represent only a tiny minority of the SSL certificates that populate the Internet, so something had to be done about the issuance and acceptance of “usual” SSL certificates. And so, in December 2011 the CA/Browser Forum released the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Version 1.0, which Certification Service Providers must meet before next July 1, 2011 (in two weeks, come on) if they want the browser manufacturers that are members of the forum to continue distributing their certificates marked as “trusted” for establishing SSL connections.

Will they (CSP) miss the hook?

… and finally, the competent authority

In Spain, the General Directorate of Services of the Information Society, in the exercise of the supervisory and control powers conferred on it by law, has urged the Certification Service Providers that have made the communication referred to in Article 30.2 of Law 59/2003 to the Ministry of Industry, Energy and Tourism to inform it of the measures taken in light of the cases that open this post.

What we do not know (at least I don’t) is what will be considered “adequate and appropriate measures”: whether according to some international standard, for example, or the previously mentioned Baseline Requirements for bla bla …

Conclusion

The fact is that, from my point of view, the big players and the authority have acted in a timely manner, diligently and with the strength needed for us to have a safer Internet today than in early 2011.


A light of hope for electronic signatures … based on digital certificates!

Brussels guides us on the use of electronic signature

Yes, at a time when the feasibility of authentication and expression-of-will mechanisms in the electronic world based on electronic certificates was beginning to be questioned, in some cases for objective reasons and in others for self-interested ones; at a time when criticism was pouring onto the DNIe (ES) (well, has it ever had a break?); at a time when electronic certificates had their image of invulnerability damaged by the Comodo and DigiNotar cases; at that very moment, the European Commission approved a proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market. Electronic transactions based, of course, on the means that offer the most guarantees, i.e. the electronic identity cards of the different European countries (ergo digital certificates and Secure Signature-Creation Devices – SSCD). Specifically, Brussels proposes “that people and businesses can use their electronic ID and nationals digital signatures in other EU countries normally and effectively”.

Effects

The statement has two immediate effects:

  1. it gives a nod to the electronic ID card (already in use in Spain, Estonia, Finland, Belgium, Italy, Portugal and Germany) versus other mechanisms of electronic signature
  2. it encourages countries without an electronic ID card, or without even a national ID card, to develop one

Besides, the development and implementation of the regulation has a number of obvious benefits, such as facilitating access to studies and work in other European Union countries, business and contractual relations, access to public tenders in other countries, and access to medical records; in general, it facilitates the mobility of citizens among the different European member states.

Finally, another side benefit is a boost to the use of smart cards (the DNIe, for example, or a mobile phone SIM, is a smart card), where European companies like Giesecke & Devrient or Gemalto are major players worldwide. Or did we think that the stubbornness about the use of Secure Signature-Creation Devices was built only on security and legal considerations?

Conclusion

Brussels calls for boosting the use of electronic signatures based on qualified certificates on Secure Signature-Creation Devices as a means to facilitate the mobility of European citizens among member states, giving a boost and more value to our (Spanish) electronic ID (DNIe), and I am glad for it!


Growing Certificate Policies (CP)

For some time I have wanted to write a post on the growing number of certificate policies (CP) that populate the landscape of Spanish Certification Service Providers (CSP).

Assuming that a CP, simplifying a lot, is “What must be met to manage the certificate life-cycle” and the certification practices statement (CPS) is the “how I do it to meet the CP”, it seems clear that each Certification Services Provider must have a CPS, but that the CPs could be shared across Certification Services Providers, at least for a very specific CP with a very clear purpose (e.g. legal representative of a company), promoted by the government.

From my point of view, this is especially relevant in two cases:

  1. If the Certification Services Provider has a hierarchy with multiple subordinate or intermediate CAs, depending on the focus of the hierarchy, it can be very interesting to define the CP across the entire hierarchy.
  2. Certificates under Spanish Law 11/2007. Profiles are defined with a great level of detail and too much information (looking for interoperability, I suppose), and we were on the verge of these profiles becoming CPs, so that providers would not have to create new CPs, with their own OIDs, all identical, to comply with these profiles.

What do you think? Is there room to reduce the number of certificate policies? Do certificate policies independent of (transverse to) the Certification Services Provider make sense?

To try to supplement this entry, I have discussed the topic on LinkedIn, discovering a heated discussion in the (restricted) Electronic Signature Group.

Taking part in the debate were Laszlo Szentirmai – Policy administrator at NetLock Kft., the first Hungarian Certification Authority issuing qualified certificates –, Charles Moore – CEO and founder of VillageMall – and Vojtech Kment – ICT consultant, lawyer specialized in electronic document security and CEO of axonNet –, the latter two very active members of the LinkedIn groups.
Hungary seems to have a similar situation, which, rather than shedding light on the subject, raises new questions, with particular concern for the certificate policies not covered by the European Directive and national laws, such as those for SSL.

Meanwhile, Charles is quite critical of what the electronic signature involves, with comments like “One takes a simple zero cost process where no-one is disadvantaged, i.e even the poorest and least educated can place a X on a bit of paper, and we try and replace this with a system that no one understands, cost an absolute fortune”, and simplifies the issue by arguing that, ultimately, a CP is nothing more than an agreement, something with which I agree; but the problem is not what it is, but the high number to manage. I do not think that a simplification of its nature reduces this problem.
Of course, Charles is not in favor of a government CP.

For Vojtech, the issue is more complex; he detailed the difficulties that a CP can have and what the high number implies.

Finally, the debate ended up focusing more on just what a CP is and how one should develop it than on whether their number should be minimized and whether CPs should be developed by the Public Administration.

What do you think? Is there room to reduce the number of certificate policies? Do certificate policies independent of (transverse to) the Certification Services Providers make sense?


Firmaprofesional, isigma and 21 CFR of the FDA

The 21 CFR

What is 21 CFR?

It is the section of the Code of Federal Regulations of the Food and Drug Administration (FDA) on electronic records and electronic signatures in the United States.

Part 11 of the 21 CFR, as it is commonly referred, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable and equivalent to paper records.

In what areas does it apply?

In practical terms it applies to those actors operating in the United States, such as:

  • Manufacturers of drugs and medical devices
  • Manufacturers of biotechnology
  • Developers of biological products
  • Research groups

Is compliance mandatory?

Yes, the FDA conducts regular audits of companies with a presence in the U.S. market, as dictated by the Federal Food, Drug and Cosmetic Act and the Public Health Service.

How can an electronic signature solution help in its fulfillment?

Signing a document electronically provides a range of evidence that guarantees the basic principles of traceability, auditing, integrity and non-repudiation of documents generated in an electronic environment.

The solution

The solution is a combination of an electronic signature application and digital certificates suitable for the purpose at hand, which is to meet the 21 CFR. For this purpose we use ClickSign from isigma, plus Corporate Certificates of Natural Person (Spanish) from Firmaprofesional (Spanish). Other Corporate Qualified Certificates, for instance collegiate ones, would also be valid.

ClickSign

ClickSign is a product of isigma, designed to perform electronic signatures on desktop computers.

ClickSign, along with a Corporate Certificate of Natural Person on a Secure Signature-Creation Device, generates qualified electronic signatures under Spanish law, specifically Law 59/2003 of 19 December on Electronic Signature (LFE -Spanish-).
It is necessary to recall that “The electronic signature will have on data in electronic form the same value as a handwritten signature on paper,” according to Article 3.4 of the Act.

ClickSign applies electronic signatures to documents created with other applications, whether office automation, document management, graphics, etc. (PDF, Word, XML, images, video, audio, …), staying out of the production of documents prior to signature.

Firmaprofesional Certificates

An important part of ensuring the reliability of the system is the digital certificates used. In this case, certificates from the Certification Authority (hereinafter CA) Firmaprofesional, which complies with Spanish legislation on electronic certification and therefore with EU Directive 1999/93/EC, are to be used.

The document that describes how CA Firmaprofesional operates, and which has been approved by the MINETUR (Ministry of Industry, Energy and Tourism, former Ministry of Industry, Tourism and Trade -MITyC-), is the Certification Practices Statement (CPS). The certificate profile and special conditions are set out in the Certificate Policy (CP -Spanish-).

Alignment of the solution with the requirements of 21 CFR

Given the scope of ClickSign and Firmaprofesional certificates, alignment with 21 CFR focuses on the following sections of the standard:

Sec. 11.50 Signature manifestations.
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The best way to achieve this is to ensure that the signed document itself contains this information, particularly given the requirements imposed by paragraph (b).

Recall that the certificates provided by Firmaprofesional contain the signer information (name, ID number), and the signature embedded in the PDF includes the date and time of signature, taken from the signer’s computer.

Notwithstanding the foregoing, and as an additional technical measure that provides greater legal guarantees, we recommend the use of Firmaprofesional Time-Stamping (Spanish) service, which supports ClickSign.

Sec. 11.70 Signature/record linking.
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

ClickSign performs PDF-embedded signatures, among other formats. In this way the signature is linked with the signed document from an information standpoint.

On the other hand, the signature is based on asymmetric or public key cryptography, so by the very nature of the algorithm it technically ensures the link between the signature, the signer’s identity and the signed document.

The signature algorithm used is sha1WithRsaEncryption, a standardized algorithm accepted by the community that guarantees against falsification or manipulation of data.
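
The two points above (signature manifestations under Sec. 11.50 and signature/record linking under Sec. 11.70) can be checked directly on a PDF carrying an embedded PKCS#7 signature, the format described in the PDF Signature post. The following Python code is an added example, not code from isigma, ClickSign or Firmaprofesional: it reads the /Name, /M and /Reason entries of the signature dictionary and tests that /ByteRange covers the whole file except the /Contents value. The sample file, its signer name and the function names are constructed for illustration, a flat signature dictionary is assumed, and the PKCS#7 blob itself is not cryptographically verified here.

```python
import re

# /ByteRange [o1 l1 o2 l2]: two (offset, length) pairs naming the signed bytes.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_sample(extra: bytes = b"") -> bytes:
    """Constructed, minimal PDF-like file holding one signature dictionary.

    The 16 zero bytes in /Contents stand in for the PKCS#7 blob; `extra` is
    appended after the signed range to model content added after signing.
    """
    before = (b"%PDF-1.5\n1 0 obj\n<< /Type /Sig /SubFilter /adbe.pkcs7.detached\n"
              b"/Name (Jane Example) /M (D:20120615101500+02'00')\n"
              b"/Reason (Approval)\n"
              b"/ByteRange [" + b"@" * 24 + b"] /Contents ")
    hole = b"<" + b"00" * 16 + b">"
    after = b" >>\nendobj\n%%EOF\n"
    o2 = len(before) + len(hole)
    rng = b"0 %d %d %d" % (len(before), o2, len(after))
    # The padded replacement has the placeholder's width, so offsets stay valid.
    before = before.replace(b"@" * 24, rng.ljust(24))
    return before + hole + after + extra


def _string_entry(sig_dict: bytes, key: bytes):
    """Return the literal-string value of /key in the dictionary, or None."""
    m = re.search(rb"/" + key + rb"\s*\(((?:[^()\\]|\\.)*)\)", sig_dict)
    return m.group(1).decode("latin-1") if m else None


def inspect_signature(data: bytes) -> dict:
    """Report manifestation fields (11.50) and coverage problems (11.70)."""
    m = BYTE_RANGE.search(data)
    if m is None:
        raise ValueError("no /ByteRange entry: no embedded signature found")
    o1, l1, o2, l2 = (int(g) for g in m.groups())
    problems = []

    # Sec. 11.70: the signature is linked to the record only for the bytes
    # named in /ByteRange. The single unsigned gap must be exactly the
    # /Contents hex string, and the second range must end at end of file.
    if o1 != 0:
        problems.append("signed range does not start at byte 0")
    gap = data[o1 + l1:o2]
    if not re.fullmatch(rb"<[0-9A-Fa-f\s]*>", gap):
        problems.append("unsigned gap is not exactly the /Contents hex string")
    end = o2 + l2
    if end < len(data):
        problems.append("%d byte(s) after the signed range are not covered"
                        % (len(data) - end))
    elif end > len(data):
        problems.append("signed range runs past the end of the file")

    # Sec. 11.50: signer name, date/time and meaning of the signature.
    # /Name is optional in PDF; the name may live only in the certificate,
    # so absent fields are listed separately instead of failing the check.
    start = max(data.rfind(b"<<", 0, m.start()), 0)
    stop = data.find(b">>", o2)
    sig_dict = data[start:stop if stop != -1 else len(data)]
    fields = {"name": _string_entry(sig_dict, b"Name"),
              "signed_at": _string_entry(sig_dict, b"M"),
              "reason": _string_entry(sig_dict, b"Reason")}
    missing = [k for k, v in fields.items() if v is None]
    return {**fields, "missing": missing, "problems": problems}


if __name__ == "__main__":
    samples = (("as signed", build_sample()),
               ("with appended bytes",
                build_sample(b"2 0 obj\n(added later)\nendobj\n")))
    for label, pdf in samples:
        print(label, inspect_signature(pdf))
```

Bytes after the signed range are not necessarily malicious (a later signature or incremental save also appends data), but this signature says nothing about them, so a validator should report them.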

Sec. 11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.

(a) The 1,024-bit RSA key pair used to produce electronic signatures is generated in the card itself or secure signature-creation device (SSCD), one of whose functions is to ensure “that data used for signature generation can occur only once and their secrecy is reasonably assured” as required in Article 24.3.a of the LFE.
(b) Firmaprofesional verifies the identity of each signer to whom it issues a certificate, in accordance with the requirements of Article 12.a) of the LFE (“To check the identity and personal circumstances of applicants under the provisions of the following article.”). For details, refer to the Certificate Policy (Spanish).
(c) By the very definition of electronic signature (LFE, Article 3.4), the electronic signature generated by ClickSign and Firmaprofesional certificates has recognized functional equivalence to a handwritten signature.

Sec. 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

(1) The solution is based on asymmetric cryptography, with a private key (signature creation data) stored on a smart card, and a PIN (activation data) must be entered to use it, so two authentication mechanisms are used, namely:

  1. something you have (the card)
  2. something you know (the PIN)

(i) The electronic signature is made in the chip of the card, so if you remove it, you cannot continue to produce electronic signatures.
(ii) After removing the card, if you insert it again and want to sign again, you must enter your PIN again.
(2) Guaranteed by the two authentication mechanisms explained above.
(3) The card is locked on the third incorrect PIN attempt. The issuance procedures of Firmaprofesional ensure that a single person cannot issue a certificate on behalf of another.

Sec. 11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

As this is a solution based on asymmetric cryptography, public key infrastructure (PKI) digital certificates and smart cards, and does not use personal identification codes, this section does not apply.

Conclusion

Taking into account the requirements of 21 CFR, the functional scope of the product ClickSign, and the certificates issued by the CA Firmaprofesional, the proposed solution meets the requirements specified in the regulations.
