Changes

<multilang>  

<multilang>  

@en|__NOTOC__

@en|__NOTOC__

At LoA 1, a user can type her name at the bottom of an email or doc. ument to indicate acceptance of conditions described above in the document or authorization for some purpose. We would recommend that the typed name be marked specially and that the context provided by the wording preceding the signature help make the purpose of the signature clear. Some jurisdictions have adopted a unique format to the typed signature such as

At LoA 1, a user can type her name at the bottom of an email or doc. ument to indicate acceptance of conditions described above in the document or authorization for some purpose. We would recommend that the typed name be marked specially and that the context provided by the wording preceding the signature help make the purpose of the signature clear. Some jurisdictions have adopted a unique format to the typed signature such as

 

/s/ Michael Brownlie (described here: [https://www.cand.uscourts.gov/cases-e-filing/cm-ecf/preparing-my-filing/signatures-on-e-filed-documents/ United States District Court (Northern California)])

/s/ Michael Brownlie</code>    (described here: [https://www.cand.uscourts.gov/cases-e-filing/cm-ecf/preparing-my-filing/signatures-on-e-filed-documents/ United States District Court (Northern California)])

Or

Or

 

/Michael Brownlie/ (examples here: [https://www.uspto.gov/sites/default/files/documents/sigexamples_alt_text.pdf USPTO examples])

/Michael Brownlie/</code> (examples here: [https://www.uspto.gov/sites/default/files/documents/sigexamples_alt_text.pdf USPTO examples])

If you wish to improve the level of assurance of the LoA 1 e-signature, it could be associated with an email address. For example, a business process could be designed that causes an email containing something unique and unpredictable to be sent to the chosen email address, and the signer could respond, including the text that was sent to them, with a signature following one of the formats above or something similar designed for the purpose. Such a process would show the intent to sign, accepting the conditions described, and the signature would be associated with the email address that the request was sent to, at least establishing that the e-signature was made by a person with control over the email address chosen.

If you wish to improve the level of assurance of the LoA 1 e-signature, it could be associated with an email address. For example, a business process could be designed that causes an email containing something unique and unpredictable to be sent to the chosen email address, and the signer could respond, including the text that was sent to them, with a signature following one of the formats above or something similar designed for the purpose. Such a process would show the intent to sign, accepting the conditions described, and the signature would be associated with the email address that the request was sent to, at least establishing that the e-signature was made by a person with control over the email address chosen.

1. Emails

1. Emails

[[File:Email_sign1.PNG]]

[[File:Email_sign1.PNG|center]]

Above example is when sending the email. Note the use of /s/ to show intent to sign, though this may or may not be necessary and we are not implying that it is required in a signed email.

Above example is when sending the email. Note the use of /s/ to show intent to sign, though this may or may not be necessary and we are not implying that it is required in a signed email.

[[File:Email_sign2.PNG]]

[[File:Email_sign2b_annotated.png|center]]

Above shows the Inbox of the recipient including a red icon to indicate digital signature.

Above shows the Inbox of the recipient including a red icon to indicate digital signature.

[[File:Email_sign3.PNG]]

[[File:Email_sign3.PNG|center]]

Above is as the email will appear to the recipient when opened.

Above is as the email will appear to the recipient when opened.

2. PDF documents

2. PDF documents

[[File:Pdf_sign1.PNG]]

[[Image:Pdf_sign1.PNG|center]]

3. Microsoft Word documents

3. Microsoft Word documents

[[File:Word_sign1.PNG]]

[[File:Word_sign1.PNG|center]]

We won’t go into detail here about how to set these up, as each technology choice could be a blog post on its own, but there are pros and cons to each of the choices that would have to be weighed by the business owner for the specific situation. The major takeaway is that each of these options can be used today by GC officials needing to sign documents as well as those verifying the signatures. Note that this latter step of verifying signatures is not always performed with physical, ink signatures, so the digital replacement using PKI has additional benefits. GC PKI credentials using soft tokens (epf files), which is the majority of such credentials within the GC, achieve an LoA 2. See [https://www.cse-cst.gc.ca/en/node/2454/html/28582 CSE ITSP.30.031 V3] for more details. GC PKI credentials using hard tokens and a rigorous identity-proofing process may achieve LoA 3 or even 4, if implemented in accordance with the level 4 requirements identified in the e-signature guidance document. In addition, GC PKI credentials come with strong LoA 2 identity-proofing baked in at a minimum (higher for many).

We won’t go into detail here about how to set these up, as each technology choice could be a blog post on its own, but there are pros and cons to each of the choices that would have to be weighed by the business owner for the specific situation. The major takeaway is that each of these options can be used today by GC officials needing to sign documents as well as those verifying the signatures. Note that this latter step of verifying signatures is not always performed with physical, ink signatures, so the digital replacement using PKI has additional benefits. GC PKI credentials using soft tokens (epf files), which is the majority of such credentials within the GC, achieve an LoA 2. See [https://www.cse-cst.gc.ca/en/node/2454/html/28582 CSE ITSP.30.031 V3] for more details. GC PKI credentials using hard tokens and a rigorous identity-proofing process may achieve LoA 3 or even 4, if implemented in accordance with the level 4 requirements identified in the [https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html e-signature guidance] document. In addition, GC PKI credentials come with strong LoA 2 identity-proofing baked in at a minimum (higher for many).

=== Within the GC - Where the User is Associated with an Account ===

=== Within the GC - Where the User is Associated with an Account ===

If the user can log in to an account using an LoA 2 authentication, a straightforward option is to have the user log in and “click to sign”. There should be well-described consequences of the signing action so that the user is aware that she is performing a signing action. This option is already in wide use. An example from the GC is the e-signatures applied by both manager and employee as part of the Performance Management process.

If the user can log in to an account using an LoA 2 authentication, a straightforward option is to have the user log in and “click to sign”. There should be well-described consequences of the signing action so that the user is aware that she is performing a signing action. This option is already in wide use. An example from the GC is the e-signatures applied by both manager and employee as part of the Performance Management process.

[[File:PSPM sign3.png]]

[[Image:PSPM sign3.png|center]]

=== Outside the GC - PKI-based E-Signature Solutions ===

=== Outside the GC - PKI-based E-Signature Solutions ===

As above, if the external user can log in to an account using an LoA 2 authentication, a simple approach is to have the user log in and “click to sign”. The CRA process for adding a child for child benefits within [https://www.canada.ca/en/revenue-agency/services/e-services/e-services-individuals/account-individuals.html My Account for Individuals] is an example of an e-signature where a user outside the GC is associated with an account. In these cases, the LoA of the e-signature is largely determined by the LoA of the authentication process used for logging in to the account. This is an example of LoA 2 because the credentials used to log in to those accounts are LoA 2. You can find more details on this in the e-signature guidance.

As above, if the external user can log in to an account using an LoA 2 authentication, a simple approach is to have the user log in and “click to sign”. The CRA process for adding a child for child benefits within [https://www.canada.ca/en/revenue-agency/services/e-services/e-services-individuals/account-individuals.html My Account for Individuals] is an example of an e-signature where a user outside the GC is associated with an account. In these cases, the LoA of the e-signature is largely determined by the LoA of the authentication process used for logging in to the account. This is an example of LoA 2 because the credentials used to log in to those accounts are LoA 2. You can find more details on this in the e-signature guidance.

[[File:CRA_signature_example.png]]

[[File:CRA_signature_example.png|center]]

== Level of Assurance (LoA) 3: ==

== Level of Assurance (LoA) 3: ==

== Secure Electronic Signature ==

== Secure Electronic Signature ==

As mentioned in the e-signature guidance, the Personal Information Protection and Electronic Documents Act (PIPEDA) and other federal legislation refer to the concept of a “Secure Electronic Signature” (SES).  What constitutes an SES is governed by PIPEDA and the technology process described in the Secure Electronic Signature Regulations (SESR).  Although PIPEDA mandates the use of SES in certain circumstances (e.g. federal legislative and regulatory requirements for witnessed signatures, statements declaring truth etc.), most of these do not apply unless a department has taken positive steps to have the provisions in question apply. Consult your DLSU for further information. At this point we would suggest that implementing Secure Electronic Signature is a challenging task that may not be fully achievable for some applications.  

As mentioned in the [https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html e-signature guidance], the Personal Information Protection and Electronic Documents Act (PIPEDA) and other federal legislation refer to the concept of a “Secure Electronic Signature” (SES).  What constitutes an SES is governed by PIPEDA and the technology process described in the Secure Electronic Signature Regulations (SESR).  Although PIPEDA mandates the use of SES in certain circumstances (e.g. federal legislative and regulatory requirements for witnessed signatures, statements declaring truth etc.), most of these do not apply unless a department has taken positive steps to have the provisions in question apply. Consult your DLSU for further information. At this point we would suggest that implementing Secure Electronic Signature is a challenging task that may not be fully achievable for some applications.  

At this time it is not clear if TBS can recognize external CAs in order to provide the certificates required to apply secure electronic signatures to documents such that they could be verified by members of the public. Even for internal use, not many users outside of RCMP and DND have access to certificates that have been enrolled with a suitable face to face procedure and have the private signing key stored on an approved FIPS 140-2 security token.

At this time it is not clear if TBS can recognize external CAs in order to provide the certificates required to apply secure electronic signatures to documents such that they could be verified by members of the public. Even for internal use, not many users outside of RCMP and DND have access to certificates that have been enrolled with a suitable face to face procedure and have the private signing key stored on an approved FIPS 140-2 security token.

The purpose of this blog has been to present some possible technical approaches for e-signatures that are already available for use. We are interested in having a dialog with practitioners and hope that you will contact us or comment here on the blog in order to expand the dialog and speed up digital government initiatives.

The purpose of this blog has been to present some possible technical approaches for e-signatures that are already available for use. We are interested in having a dialog with practitioners and hope that you will contact us or comment here on the blog in order to expand the dialog and speed up digital government initiatives.

<br>

For questions and other enquiries please email [mailto:ZZTBSCYBERS@tbs-sct.gc.ca TBS-Cyber Security].<br>

Les Règles locales civiles de la Cour de district des États-Unis, District du nord de la Californie

Les Règles locales civiles de la Cour de district des États-Unis, District du nord de la Californie

/s/ Michael Brownlie  (décrit ici : [https://www.cand.uscourts.gov/cases-e-filing/cm-ecf/preparing-my-filing/signatures-on-e-filed-documents/ Cour de district des États-Unis, District du nord de la Californie])

/s/ Michael Brownlie</pre>  (décrit ici : [https://www.cand.uscourts.gov/cases-e-filing/cm-ecf/preparing-my-filing/signatures-on-e-filed-documents/ Cour de district des États-Unis, District du nord de la Californie])

Ou

Ou

Le « ''Code of Federal Regulations'' (CFR)» 37 1.4 - ''Code américain des règlements fédéraux''  qui inclut des exigences de signature pour la correspondance avec l’Office américain des marques et brevets (USPTO)

Le « ''Code of Federal Regulations'' (CFR)» 37 1.4 - ''Code américain des règlements fédéraux''  qui inclut des exigences de signature pour la correspondance avec l’Office américain des marques et brevets (USPTO)

/Michael Brownlie/     (exemples ici : [https://www.uspto.gov/sites/default/files/documents/sigexamples_alt_text.pdf exemples du USPTO])

/Michael Brownlie/</pre>     (exemples ici : [https://www.uspto.gov/sites/default/files/documents/sigexamples_alt_text.pdf exemples du USPTO])

Si vous souhaitez améliorer le degré d’assurance de la signature électronique DA 1, cette dernière pourrait être associée à une adresse de courriel. Par exemple, un processus opérationnel pourrait être conçu de sorte qu’un courriel au contenu unique et imprévisible soit envoyé à l’adresse de courriel choisie, à partir d’où le signataire peut y répondre, en incluant le texte qui lui a été envoyé, avec une signature suivant l’un des formats ci-dessus ou quelque chose de semblable ayant été conçu à cette fin. Un tel processus montrerait l’intention de signer, en acceptant les conditions décrites, et la signature serait associée à l’adresse de courriel à laquelle la demande a été envoyée, établissant au moins que la signature électronique a été faite par une personne qui contrôle l’adresse de courriel choisie.

Si vous souhaitez améliorer le degré d’assurance de la signature électronique DA 1, cette dernière pourrait être associée à une adresse de courriel. Par exemple, un processus opérationnel pourrait être conçu de sorte qu’un courriel au contenu unique et imprévisible soit envoyé à l’adresse de courriel choisie, à partir d’où le signataire peut y répondre, en incluant le texte qui lui a été envoyé, avec une signature suivant l’un des formats ci-dessus ou quelque chose de semblable ayant été conçu à cette fin. Un tel processus montrerait l’intention de signer, en acceptant les conditions décrites, et la signature serait associée à l’adresse de courriel à laquelle la demande a été envoyée, établissant au moins que la signature électronique a été faite par une personne qui contrôle l’adresse de courriel choisie.

Ce blogue avait pour but de présenter certaines approches techniques possibles pour les signatures électroniques qui sont déjà disponibles. Nous souhaitons avoir un dialogue avec les praticiens et nous espérons que vous communiquerez avec nous ou formulerez des commentaires ici sur le blogue afin d’élargir la discussion et d’accélérer les initiatives du gouvernement numérique.

Ce blogue avait pour but de présenter certaines approches techniques possibles pour les signatures électroniques qui sont déjà disponibles. Nous souhaitons avoir un dialogue avec les praticiens et nous espérons que vous communiquerez avec nous ou formulerez des commentaires ici sur le blogue afin d’élargir la discussion et d’accélérer les initiatives du gouvernement numérique.

==Questions et  Informations de Contact==

Pour des questions et des autres demandes de renseignements, veuillez envoyer un courriel à [mailto:ZZTBSCYBERS@tbs-sct.gc.ca SCT-Cyber Securité].<br>

Pour participer à une discussion au sein gu GC, suivre [https://gccollab.ca/discussion/view/4619705/enblog-on-e-signature-options-available-today-to-gc-departmentsfr discussion GCcollab].

== <small>Notes de bas de page</small> ==

¹ Nous nous attendons à ce que le besoin de signatures électroniques de niveau 4 soit rare (p. ex., transactions de très grande valeur), et le lecteur devrait consulter le document d’Orientation du gouvernement du Canada sur les signatures électroniques pour obtenir de plus amples renseignements.

<br>

² À titre de rappel, on doit toujours prendre la sécurité en considération, surtout lorsqu’on traite avec des parties externes au gouvernement du Canada qui n’ont peut-être pas de moyens de communication ou d’entreposage sécuritaires. Comme il est mentionné dans le document d’orientation sur la signature électronique, les signatures électroniques n’assurent pas toujours la confidentialité. S’ils communiquent par moyen non sécurisé comme le courriel, Microsoft Word ou des documents PDF avec le public, les ministères doivent tenir compte des politiques pertinentes et applicables. En particulier, l’annexe B de la Directive sur la gestion de la sécurité stipule que l’on doit avoir recours au chiffrement et à des mesures de protection des réseaux pour assurer la confidentialité des données sensibles transmises sur les réseaux publics, les réseaux sans fil ou tout autre réseau où il y a risque d’accès non autorisé aux données. (B.2.3.6.3). Bien que la Directive ne contienne aucune définition de ce qui constitue des renseignements sensibles, la Politique sur la sécurité du gouvernement définit les « renseignements sensibles » comme des « informations ou biens qui devraient raisonnablement causer un préjudice s’ils sont compromis. Cela comprend tous les renseignements qui répondent aux critères d’exemption ou d’exclusion en vertu de la Loi sur l’accès à l’information et de la Loi sur la protection des renseignements personnels. Y sont également compris les marchandises contrôlées et d’autres renseignements et biens qui font l’objet d’interdictions et de mesures réglementaires ou légales ». En tant que telle, la communication par courriel public peut ne pas être appropriée dans de nombreuses circonstances en raison des risques pour la sécurité.

</multilang>

</multilang>