What is Adobe announcing?
On July 1st, the European Union’s new Regulation on Identification and Trust Services (eIDAS) will take effect, setting new rigorous requirements for secure signatures in a way that is expected to influence the entire global industry. In order to make it simple for EU businesses and government entities to successfully comply with this new regulation, Adobe and twelve other industry-leading organizations are announcing the Cloud Signature Consortium.
What is the Cloud Signature Consortium?
The Cloud Signature Consortium is a group of industry and academic organizations committed to building a new standard for cloud-based digital signatures that will support web and mobile applications and comply with the most demanding electronic signature regulations in the world. The goal is to provide a common technical specification that will make solutions interoperable and suitable for uniform adoption in the global market. This effort was inspired by the need to meet the highest level requirements of the European Union’s Regulation on Identification and Trust Services (eIDAS), but its impact is expected to be global as demand for highly secure digital solutions continues to rise.
What problem does the Consortium solve?
With over 7B mobile devices on the planet and cyber-threats at an all-time high, there is increasing market demand for highly secure digital solutions that also provide great user experiences. New regulations – like eIDAS – amplify that demand by creating higher standards for electronic signature compliance.
By providing a common protocol for cloud-based Digital Signatures, the Cloud Signature Consortium will make it possible for industry providers to build experiences that span desktop, mobile and web – and meet market expectations to sign documents anytime, anywhere, and in any application.
Why is the Consortium important to the industry?
Compelling digital experiences are changing the way we interact, entertain, work, and relate to the world around us. Consumers and businesses alike not only expect – but demand – simple and engaging products and services from the technology industry. They want to acquire new capabilities quickly and easily, use them without extensive training, and work with them wherever they are. Unfortunately, today’s most secure methods for signing documents digitally don’t meet these expectations.
With digital signatures, document signing requires the use of a digital ID issued by a trusted certificate provider – which are sometimes delivered online, but more often requires an in-person visit. The key for that digital ID is stored on a secure signature creation device, such as a smart card or USB token that plugs into a desktop computer or laptop. The signing process not only requires specifically-installed software, but is often complicated to use – and can’t be done at all if the signer’s computer or key aren’t immediately available. And because smart cards and tokens can’t easily be used with web applications or mobile devices, choices are extremely limited when it comes to working with popular enterprise web applications (such as Salesforce or Workday), or empowering mobile workers.
Recent regulations – like eIDAS in the European Union – make the need for addressing this gap a critical priority. eIDAS demonstrates a clear preference for digital signatures using these more secure methods. With today’s solutions though, compliant processes can only be built by sacrificing user experience, working with a limited number of business applications, or deploying proprietary solutions that may cause interoperability problems in the future.
The Cloud Signature Consortium was specifically convened to address these shortcomings. Inspired by the eIDAS Regulation, which introduces the idea of “remote signatures”, the Consortium’s goal is to create an actionable specification that turns vision into reality. Remote signature creation devices would replace personal devices under the physical control of the user with a cloud-based service offered and managed by a trusted service provider. While still maintaining the highest levels of security and control, this more flexible approach would make it easy for users to enroll and use certificates online. It would also let providers build elegant, easy-to-use experiences that span desktop, web, and mobile usage so participants can complete signing processes anytime, anywhere, and in any application.
How does the Consortium add value to eIDAS?
The European Commission has worked hard to bring eIDAS to life. And yet, they realize that enabling broad adoption of digital signatures in Europe will take more than just a regulation. To be successful, they need a complete ecosystem of solutions, technology, and trust service providers that are fully aligned in support of eIDAS requirements. The Consortium’s leadership in developing this standard demonstrates critical industry commitment to the success of digital transformation in Europe as a single digital market.
Why is a standard required for cloud-based digital signatures?
Digital signatures use Public Key cryptography, which relies on three types of providers to deliver the required technologies and services: solution, technology, and service providers. Solution providers deliver signature platforms and document solutions. Technology providers deliver essential components like authentication technologies, mobile apps, and hardware security modules (HSMs). Service providers act as certificate, registration, or timestamp authorities and assist with compliance validation.
Without a standard, all of these providers are required to build their own proprietary interfaces and protocols. Doing so, creates a dizzying array of compatibility questions and deployment limitations. For digital signatures to gain wide acceptance in the marketplace, users need to be able to initiate – and participate in – signing processes across a broad range of experiences, e.g. productivity applications like Adobe Acrobat Reader and Office applications, and enterprise applications like Salesforce, Workday, Microsoft Dynamics CRM, Ariba, or signature workflow applications. They also need to be able engage through desktop, web, or mobile devices. A cloud-based digital signature standard ensures that providers across the industry can create consistent, interoperable experiences across the full range of user applications and devices.