I have heard interesting stories from some European countries that use digital signatures to verify the authenticity of legal documents: stories about companies that want to manage signing securely and reliably but depend on off-the-shelf smart-card readers, which inherently feature high failure rates.
There are basically two main use-cases for eIDAS digital signing:
- citizens want easy but secure communication with central and local governments;
- companies want secure communication with governments, but also with their customers and partners.
The first use-case depends on USB smart-card readers. These solutions have been around for a long time and they work, although they are still incredibly complicated to set up on an arbitrary computer.
The second use-case doesn’t really have any good solution at the moment. Some companies plug large numbers of smart cards into racks of servers (particularly because operating systems don’t support more than 10 to 16 smart cards), or rely on HSM-based solutions.
You may think that HSMs are the right choice – they are expensive, hard to use – the proper hard-core security. Unfortunately, because of a history of successful attacks on their APIs, auditors may require them to be hosted in high-security environments. This increases operating costs, as well as initial development and integration costs.
I personally love smart cards, but I hate the way they are handled by computers. So why don’t we simply remove the complicated legacy application stack and connect smart cards to a RESTful API, so we can use them just like any other secure cloud service, with any additional protection I, you, or a company may see appropriate?
And that’s exactly what we have done. Smart cards are the primary bearer of signing keys supported by all trusted eIDAS providers, so the hardware integration is relatively straightforward.
We have created a separate proxy, which gives us enough flexibility for different network configurations, and added a new “REMOTE” signature provider to JSignPDF (at SourceForge).
The additional proxy also allowed us to use the exact same architecture to integrate with Windows applications, which expect a local USB smart card.
And if you don’t like a graphical interface, you can simply sign your documents from the command line:

    java -jar JSignPdf.jar -kp <PIN> -kst remote -ksf localhost:4001 -ka Dan my_legal_will.pdf

If you find this solution of interest, please do drop me a line at [email protected], or let us know via our new support system: