If your organization has multiple employees working with documents, it would be very useful to know who created a document and whether the person had the proper authority. When changes are made, you would like to know who made the changes and who reviewed those changes. Document signing can be a very effective way to control your document management. Letting your signing credentials fall into the wrong hands on the contrary, could have fatal consequences.
Each organization creates numerous documents, used in the business process. Some of these documents contain important company information and details of business and financial transactions. It is important to treat these as official documents, knowing who created them and who edited the content. Examples of document management systems using document signing are Adobe Sign, OpenOffice, LibreOffice, DocuSign, or PrimeKey SignServer. Each software handles the process of generating the documents, processing the digital signatures, and storing those documents. The software also produces the hash value, which is a unique numerical value that identifies the contents of the file, and uses the certificate/private key of the organization to sign the document. The recipient of the document knows that it was created by that specific organization when they verify the signature with the organization’s public key.
In the specific case of commercial invoices, the invoice needs to be signed with the officially issued certificate of the tax or banking authority. In some jurisdiction, all purchase orders need to be registered for tax compliance purposes. This is done using one´s tax ID. When a company sells a product to a customer, then that invoice must reflect the actual cost basis for tax purposes. It is necessary to be certain that only that company can create these invoices and that they cannot be forged, creating liability to the organization.
Document signing can include signing and optional timestamping. The document would first receive a timestamp which establishes the official time when the document was created. This is important when creating contracts or issuing invoices. The creation time of the document is as important as who created the document.
If your organization does not use an HSM, the certificates and keys would be stored on your server in a file folder or database. When the document signing software needs to sign a document, it would retrieve the certificates and keys from the folder or database and complete the signing operation on the server. Now if someone discovered these certificates and keys they could make copies and subsequently create documents signed with your key. They would have effectively stolen your organizations identity and could create documents and invoices that appear to have originated from you.
Utimaco provides the “Root of Trust” securely storing your cryptographic identity used to sign and timestamp your official documents. That identity resides inside the Utimaco HSM. All signing operations are performed within the secure boundary of the HSM so that the key material is not visible in the clear anywhere outside of the HSM. If you are using a Utimaco HSM then the document content is passed into the Utimaco HSM where the securely stored official certificate is used to sign the document after a hash value of the document is created and attached to the document. This process proves the document was created by you and has not been changed.
Furthermore, Utimaco provides a specially configured HSM that serves as the Timestamping Authority (TSA) for your organization. This special case HSM will contain a copy of your company’s or organization’s timestamp certificate. Timestamping is useful for establishing the document creation date/time and handling any revisions made to that document. If it is a warranty document, then the time of creation can be used to determine the validity of a warranty claim within the agreed period. If a new document is issued as a replacement for an earlier document, then we can be certain that the new document is the currently valid document. Deploying TimestampServer and SecurityServer requires two HSM devices – one configured as a TimestampServer and the other one configured as a “regular” HSM.