Changes

no edit summary
Line 60: Line 60:  
[[File:Word_sign1.PNG|center]]
 
[[File:Word_sign1.PNG|center]]
   −
We won’t go into detail here about how to set these up, as each technology choice could be a blog post on its own, but there are pros and cons to each of the choices that would have to be weighed by the business owner for the specific situation. The major takeaway is that each of these options can be used today by GC officials needing to sign documents as well as those verifying the signatures. Note that this latter step of verifying signatures is not always performed with physical, ink signatures, so the digital replacement using PKI has additional benefits. GC PKI credentials using soft tokens (epf files), which is the majority of such credentials within the GC, achieve an LoA 2. See [https://www.cse-cst.gc.ca/en/node/2454/html/28582 CSE ITSP.30.031 V3] for more details. GC PKI credentials using hard tokens and a rigorous identity-proofing process may achieve LoA 3 or even 4, if implemented in accordance with the level 4 requirements identified in the e-signature guidance document. In addition, GC PKI credentials come with strong LoA 2 identity-proofing baked in at a minimum (higher for many).
+
We won’t go into detail here about how to set these up, as each technology choice could be a blog post on its own, but there are pros and cons to each of the choices that would have to be weighed by the business owner for the specific situation. The major takeaway is that each of these options can be used today by GC officials needing to sign documents as well as those verifying the signatures. Note that this latter step of verifying signatures is not always performed with physical, ink signatures, so the digital replacement using PKI has additional benefits. GC PKI credentials using soft tokens (epf files), which is the majority of such credentials within the GC, achieve an LoA 2. See [https://www.cse-cst.gc.ca/en/node/2454/html/28582 CSE ITSP.30.031 V3] for more details. GC PKI credentials using hard tokens and a rigorous identity-proofing process may achieve LoA 3 or even 4, if implemented in accordance with the level 4 requirements identified in the [https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html e-signature guidance] document. In addition, GC PKI credentials come with strong LoA 2 identity-proofing baked in at a minimum (higher for many).
    
=== Within the GC - Where the User is Associated with an Account ===
 
=== Within the GC - Where the User is Associated with an Account ===
Line 98: Line 98:     
== Secure Electronic Signature ==
 
== Secure Electronic Signature ==
As mentioned in the e-signature guidance, the Personal Information Protection and Electronic Documents Act (PIPEDA) and other federal legislation refer to the concept of a “Secure Electronic Signature” (SES).  What constitutes an SES is governed by PIPEDA and the technology process described in the Secure Electronic Signature Regulations (SESR).  Although PIPEDA mandates the use of SES in certain circumstances (e.g. federal legislative and regulatory requirements for witnessed signatures, statements declaring truth etc.), most of these do not apply unless a department has taken positive steps to have the provisions in question apply. Consult your DLSU for further information. At this point we would suggest that implementing Secure Electronic Signature is a challenging task that may not be fully achievable for some applications.  
+
As mentioned in the [https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html e-signature guidance], the Personal Information Protection and Electronic Documents Act (PIPEDA) and other federal legislation refer to the concept of a “Secure Electronic Signature” (SES).  What constitutes an SES is governed by PIPEDA and the technology process described in the Secure Electronic Signature Regulations (SESR).  Although PIPEDA mandates the use of SES in certain circumstances (e.g. federal legislative and regulatory requirements for witnessed signatures, statements declaring truth etc.), most of these do not apply unless a department has taken positive steps to have the provisions in question apply. Consult your DLSU for further information. At this point we would suggest that implementing Secure Electronic Signature is a challenging task that may not be fully achievable for some applications.  
    
At this time it is not clear if TBS can recognize external CAs in order to provide the certificates required to apply secure electronic signatures to documents such that they could be verified by members of the public. Even for internal use, not many users outside of RCMP and DND have access to certificates that have been enrolled with a suitable face to face procedure and have the private signing key stored on an approved FIPS 140-2 security token.
 
At this time it is not clear if TBS can recognize external CAs in order to provide the certificates required to apply secure electronic signatures to documents such that they could be verified by members of the public. Even for internal use, not many users outside of RCMP and DND have access to certificates that have been enrolled with a suitable face to face procedure and have the private signing key stored on an approved FIPS 140-2 security token.