Changes

no edit summary
Line 58: Line 58:  
[[File:Word_sign1.PNG]]
 
[[File:Word_sign1.PNG]]
   −
We won’t go into detail here about how to set these up, as each technology choice could be a blog post on its own, but there are pros and cons to each of the choices that would have to be weighed by the business owner for the specific situation. The major takeaway is that each of these options can be used today by GC officials needing to sign documents as well as those verifying the signatures. Note that this latter step of verifying signatures is not always performed with physical, ink signatures, so the digital replacement using PKI has additional benefits. GC PKI credentials using soft tokens (epf files), which is the majority of such credentials within the GC, achieve an LoA 2. See CSE ITSP.30.031 V3 for more details. GC PKI credentials using hard tokens and a rigorous identity-proofing process may achieve LoA 3 or even 4, if implemented in accordance with the level 4 requirements identified in the e-signature guidance document. In addition, GC PKI credentials come with strong LoA 2 identity-proofing baked in at a minimum (higher for many).
+
We won’t go into detail here about how to set these up, as each technology choice could be a blog post on its own, but there are pros and cons to each of the choices that would have to be weighed by the business owner for the specific situation. The major takeaway is that each of these options can be used today by GC officials needing to sign documents as well as those verifying the signatures. Note that this latter step of verifying signatures is not always performed with physical, ink signatures, so the digital replacement using PKI has additional benefits. GC PKI credentials using soft tokens (epf files), which is the majority of such credentials within the GC, achieve an LoA 2. See [https://www.cse-cst.gc.ca/en/node/2454/html/28582 CSE ITSP.30.031 V3] for more details. GC PKI credentials using hard tokens and a rigorous identity-proofing process may achieve LoA 3 or even 4, if implemented in accordance with the level 4 requirements identified in the e-signature guidance document. In addition, GC PKI credentials come with strong LoA 2 identity-proofing baked in at a minimum (higher for many).
    
=== Within the GC - Where the User is Associated with an Account ===
 
=== Within the GC - Where the User is Associated with an Account ===
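Review bot: The link added for CSE ITSP.30.031 V3 in the new paragraph uses a node-numbered address (/en/node/2454/html/28582), which reads as an internal page ID rather than a stable publication URL; prefer the publication's canonical landing page if one is available. The same paragraph still mentions "the e-signature guidance document" without a link, even though the LoA 3 and 4 statement depends on it, so it would be worth linking in the same edit.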
Line 71: Line 71:     
=== Outside the GC - Where the User is Associated with an Account ===
 
=== Outside the GC - Where the User is Associated with an Account ===
As above, if the external user can log in to an account using an LoA 2 authentication, a simple approach is to have the user log in and “click to sign”. The CRA process for adding a child for child benefits is an example of an e-signature where a user outside the GC is associated with an account. In these cases, the LoA of the e-signature is largely determined by the LoA of the authentication process used for logging in to the account. This is an example of LoA 2 because the credentials used to log in to those accounts are LoA 2. You can find more details on this in the e-signature guidance.
+
As above, if the external user can log in to an account using an LoA 2 authentication, a simple approach is to have the user log in and “click to sign”. The CRA process for adding a child for child benefits within [https://www.canada.ca/en/revenue-agency/services/e-services/e-services-individuals/account-individuals.html My Account for Individuals] is an example of an e-signature where a user outside the GC is associated with an account. In these cases, the LoA of the e-signature is largely determined by the LoA of the authentication process used for logging in to the account. This is an example of LoA 2 because the credentials used to log in to those accounts are LoA 2. You can find more details on this in the e-signature guidance.
    
[[File:CRA_signature_example.png]]
 
[[File:CRA_signature_example.png]]
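Review bot: The closing sentence of the added paragraph, "You can find more details on this in the e-signature guidance", is still unlinked, while this edit adds a link for My Account for Individuals. The LoA 2 conclusion in this paragraph rests on that guidance, so link it here as well, to the same target used wherever else the page cites it.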
Line 85: Line 85:  
There are a number of technical details for another discussion, but be prepared to do a careful investigation into how you would use this technology. For example, things such as long-term validation of documents need to be considered.
 
There are a number of technical details for another discussion, but be prepared to do a careful investigation into how you would use this technology. For example, things such as long-term validation of documents need to be considered.
   −
On the AATL Member List there is one Canadian CA and another that the GC has used for many years as a PKI vendor.
+
On the [https://helpx.adobe.com/ca/acrobat/kb/approved-trust-list1.html AATL Member List] there is one Canadian CA and another that the GC has used for many years as a PKI vendor.
    
This technology is in many ways close to what was originally envisioned for Canada’s Secure Electronic Signature (see below), though at this time we are still investigating how or if TBS could recognize external CAs for this purpose.
 
This technology is in many ways close to what was originally envisioned for Canada’s Secure Electronic Signature (see below), though at this time we are still investigating how or if TBS could recognize external CAs for this purpose.
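Review bot: The added sentence links the AATL Member List but still refers to "one Canadian CA and another that the GC has used for many years as a PKI vendor" without naming either, so the reader has to open the list and guess which entries are meant, and the statement can go out of date as the list changes. Name the two CAs or add an as-of date. The link also carries the /ca/ locale segment; check whether a locale-neutral address is preferred for this wiki.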