Electronic signatures again - testing Yousign

  • So, we are currently testing the Yousign integration, without actually having any Yousign digital signature certificate (those of us needing an advanced or qualified signature are still using tokens and sign with edit-from-my-pc).

    We still have a big issue that we are obliged to get qualified e-signatures, not just advanced, and are waiting for Yousign's decision to implement that or not - The No would be a deal-breaker. But we think that we could work with CEO-Vision to get their API to talk with a different certificate provider, which would not in principle change the user experience a lot.

    As a result, I started by testing on Ceo-Vision's own GoFAST server, testing to sign documents with their Yousign integration.

    Here are a number of questions, partly about the overall experience, partly clarifying what is a result of us using the Ceo-Vision server.

    Let me start with something visual:

    There is still a lot of French creeping up when using signatures, for example in emails, but also with labels
    sign.png

    Functional questions

    • I do not have a certificate with Yousign, so the signature is done with a test certificate server. Does that depend on my personal certificate status or is it a setting CEO-Vision made somewhere? I see the response comes from a Yousign staging server. I am asking because this is coming from the Ceo-Vision server where I know Ceo-Vision themselves are using signatures.

    • If I was to create a personal certificate with yousign, would that automatically enable my signing in your CEO-Vision platform? I mean, really, validly?

    • In particular, what about that question if the user was an established user on your side with a valid certificate. Then the signature would not be from the test cert server? Automatically?

    • What would be the situations for “contacts” to sign (not utilisateurs)? What if the contact has a Yousign certificate? What if the contact has a different provider’s certificate?

    • For the advanced signature, I had to sign a request and upload an ID card copy. I had to do that every time I tried an advanced signature. Is that always the case, or would that be different in a production setting, with real certificates?

    • What is the process/intention to work with the proof…zip files? Are they only generated when contacts are involved in the signature?

  • hello @aclassen ,

    Thanks for participating in our community by asking your questions publicly!

    For the french texts, we will fix the bug soon, so don't worry about that

    Concerning all your questions about the Yousign certificate, I just want to add a small explanation:

    The Yousign signatures (classic and advanced) don't use a personal key to identify the user who signs; this is done using the mail and the SMS validation code (and the ID card in case of Advanced signature).
    For the future "qualified" signature, we don't know yet the exact technical details, so I prefer not to send you responses while I'm not sure.

    Have a nice day

    Best

  • Dear @aclassen,

    Some additional comments to Sylvain's reply.

    For Advanced Signature, the certificate (in the PDF) is the certificate of the Trust service provider (TSP), Yousign in this case.

    We anticipate that in case of the Qualified Signature, it is the certificate of the person signing. It is not even clear for us in the FAQ of the European Commission https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/eSignature+FAQ

    For the Qualified seal creation device or QSCD (smartcards, SIM cards, USB sticks,...), it can be physical or 'remote'

    A QSCD is not necessarily in the physical possession of the signatory/creator of the seal but can also be remotely managed by a qualified trust service provider (QTSP). This kind of QSCD is known as “remote QSCD”. Those remote QSCD offer an improved user experience while maintaining the legal certainty offered by qualified electronic signatures/seals.

    There is an important document about all these topics, "Security guidelines on the appropriate use of qualified electronic signatures" from ENISA (European Union Agency for Network and Information Security): https://www.enisa.europa.eu/publications/security-guidelines-on-the-appropriate-use-of-qualified-electronic-signatures

    Studying all these in detail would require a very lengthy and expensive consulting mission; in my opinion it is better to ask the TSP.

    On a side note, I am even wondering about the added value of signing with a TSP when someone has a physical trusted certificate device, like the one I have to sign public bids (or other important documents), and I do that directly from GoFAST by opening in Acrobat, inserting my USB stick + PIN. But there must be a reason 😉 Perhaps to have a third party like an 'online' notary involved in the process.

  • Thanks for this answer. I still remain puzzled.

    @sjeandroz said in Electronic signatures again - testing Yousign:

    The Yousign signatures (classic and advanced) don't use a personal key to identify the user who signs; this is done using the mail and the SMS validation code (and the ID card in case of Advanced signature).

    What does that mean? So with a Yousign subscription you do not have individual certificates? And that means the signature stamp is really only the printed name? And one has to upload an id card for each advanced signature?

    For us, that is not very useful. OK, we could use the simple electronic signature to have day-to-day signatures for internal documents without using "edit from my pc", but that is of limited benefit.

    For official use, for the moment notwithstanding we do want qualified signatures, the idea of our Director just signing with a printed name does not look professional, and when signing twelve letters one after the other, always needing to upload his ID card and sign off the yousign terms of usage twelve times will definitely Not Work.

    I am also wondering: Looking at the Yousign price list, if you do not get individual certificates, why is the price "per month and user"?

    I am sure that in your experience and in some of your customers the Yousign integration is really helpful, but at the moment I do not understand how.

  • @cpotter - yes, we do have physical tokens for a small number of colleagues in management, and they can and do sign the PDF, but the token management is clumsy if you think about having this for all users. The order process is complicated, the training and hand-over and management not easy - I do not know about you, but the number of lost or broken pieces of equipment is incredible.
    So, we do have the plan to offer the qualified signatures for all colleagues who might have to sign anything, and rather than buying tokens, taking care of handing them out to them and showing them individually how to use them, we rather want to use a qualified-e-signature-in-cloud-option.

    We could do that anyway, without integration in GoFAST, signing the PDF with the certificate-that-comes-from-the-cloud. That would be the same what you are doing when using your token.

    The question is really if it is possible to have that service supported in GoFAST, beyond creating a new published PDF version with the signature after editing the PDF.

    One issue I see with your approach is that if I decide to update the original and publish the document again, it would overwrite the signed version, or what don't I see here?

  • Dear @aclassen

    What does that mean? So with a Yousign subscription you do not have individual certificates? And that means the signature stamp is really only the printed name? And one has to upload an id card for each advanced signature?

    Yousign for Advanced Signature does not provide individual certificates; I am not sure they even have the authority to do so. The 'proof' is based on the token received by SMS (opening a phone line requires an ID).

    For us, that is not very useful. OK, we could use the simple electronic signature to have day-to-day signatures for internal documents without using "edit from my pc", but that is of limited benefit.

    In Acrobat and other PDF readers (or XolidoSign for batch signing), you have 'simple' manuscript signatures and PAdES digital signatures (including with hardware token), see screenshot below.

    c124579a-bdaf-4847-a73a-f87b44256fa0-image.png

    Both work with GoFAST.

    For official use, for the moment notwithstanding we do want qualified signatures, the idea of our Director just signing with a printed name does not look professional, and when signing twelve letters one after the other, always needing to upload his ID card and sign off the Yousign terms of usage twelve times will definitely Not Work.

    The fact is that the more secure a signature one wants, the more constraints you will get. From what I recall, Yousign does not have the authority to store IDs, and they never developed the improvement to be able to have a manuscript stamp instead of the typewriter string.

    I am also wondering: Looking at the Yousign price list, if you do not get individual certificates, why is the price "per month and user"?

    It is their pricing model, however they have volume related costs (SMS, ...).

    I am sure that in your experience and in some of your customers the Yousign integration is really helpful, but at the moment I do not understand how.

    To our understanding, Yousign is not a certificate provider.

    Correct, IMHO it is a TSP.

  • Dear @aclassen

    yes, we do have physical tokens for a small number of colleagues in management, and they can and do sign the PDF, but the token management is clumsy if you think about having this for all users. The order process is complicated, the training and hand-over and management not easy - I do not know about you, but the number of lost or broken pieces of equipment is incredible.

    As I said, QES (Qualified Seal) could require a QSCD (physical or remote) per person/individual. I am not a specialist; please better check with legal or the EC eIDAS team.

    So, we do have the plan to offer the qualified signatures for all colleagues who might have to sign anything, and rather than buying tokens, taking care of handing them out to them and showing them individually how to use them, we rather want to use a qualified-e-signature-in-cloud-option.

    See my answer previously; I am not sure, but QES could require a QSCD per person.

    We could do that anyway, without integration in GoFAST, signing the PDF with the certificate-that-comes-from-the-cloud. That would be the same what you are doing when using your token.

    Currently, and to my knowledge, I am not authorized in France to sign public tender offers with Advanced Signature. I use my token, delivered face to face.

    The question is really if it is possible to have that service supported in GoFAST, beyond creating a new published PDF version with the signature after editing the PDF.

    One issue I see with your approach is that if I decide to update the original and publish the document again, it would overwrite the signed version, or what don't I see here?

    I have to check internally but when GoFAST Status is "SIGNED" it should be in read-only mode.

    Having signatures integrated into GoFAST has a huge benefit: it is in a formal signature workflow, usually with prior approval from deputies or heads of units before the real signature from the CEO/GM.

  • @cpotter Thank you for your responses!

    Currently, and to my knowledge, I am not authorized in France to sign public tender offers with Advanced Signature. I use my token, delivered face to face.

    I agree, you need a qualified e-signature, which until recently you could only get in person/with a token.

    However, there are cloud providers who manage this without in-person acquisition of the certificate, and without a token. Among the providers who do that are zealid.com, digitalsign.pt, and others. The in-cloud tokenless qualified e-signatures used by the European Commission (currently at the certificate repository/authority at Digitalsign) were used to sign an agreement with the World Bank already in 2020.

  • @aclassen said in Electronic signatures again - testing Yousign:

    However, there are cloud providers who manage this without in-person acquisition of the certificate, and without a token. Among the providers who do that are zealid.com, digitalsign.pt, and others. The in-cloud tokenless qualified e-signatures used by the European Commission (currently at the certificate repository/authority at Digitalsign) were used to sign an agreement with the World Bank already in 2020.

    From our research, all qualified signatures need a QSCD which protects the private key (hardware or remote/virtual), see below:

    Qualified signature creation device
    With regard to the QSCD, the signatory may opt for a device in his/her hand, within his/her own environment, or remotely managed by a TSP. When the QSCD is managed by a TSP, the device and the TSP must be qualified.
    The way to verify that the provider is duly qualified is to check its presence in the trusted list of the member state where it is established. The way to verify that the device is duly qualified is to check its presence in the EC list of certified devices.

    In your case, the EC signature was therefore done with a Virtual/Remote QSCD (stored by the QTSP). And to add some confusion, we found some references (including the EU public e-procurement initiative) where a Qualified signature with Remote QSCD did not have the same legal value as with a physical token, see some references with ETSI 101 456 + SSCD (homologated QSCD) versus ETSI 101 456, see https://joinup.ec.europa.eu/sites/default/files/document/2014-12/d1-1-part-7-eid-and-esignature-quality-classification_0_0.pdf

    Hope this will help,
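One way to automate the trusted-list check quoted in the post above, as an added example that is not code from the thread, GoFAST or Yousign: it parses a constructed ETSI TS 119 612 trusted-list fragment and answers whether the CA that issued a signing certificate was a granted CA/QC (qualified CA) service at signing time. It assumes stdlib-only Python and uses placeholder bytes in place of real DER certificates; verifying the list's own XML signature against the EU List of Trusted Lists is left out.

```python
"""Check whether a CA certificate is listed as a granted CA/QC (qualified CA)
service in an EU trusted list (ETSI TS 119 612 XML). Added example, not code
from the thread, GoFAST or Yousign: SAMPLE_TL and the *_DER values are
CONSTRUCTED stand-ins. A real check must first verify the trusted list's own
XML signature via the EU List of Trusted Lists (not done here)."""
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime
TSL_NS = "http://uri.etsi.org/02231/v2#"
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrstSvcLst/Svcstatus/granted"
# Constructed placeholder bytes standing in for DER-encoded CA certificates.
ISSUER_DER = b"constructed-der-of-a-listed-qualified-ca"
OTHER_DER = b"constructed-der-of-an-unlisted-ca"
# Constructed minimal trusted list carrying one granted CA/QC service.
SAMPLE_TL = f"""<TrustServiceStatusList xmlns="{TSL_NS}">
 <TrustServiceProviderList><TrustServiceProvider><TSPServices>
  <TSPService><ServiceInformation>
   <ServiceTypeIdentifier>{QC_CA}</ServiceTypeIdentifier>
   <ServiceDigitalIdentity><DigitalId>
    <X509Certificate>{base64.b64encode(ISSUER_DER).decode()}</X509Certificate>
   </DigitalId></ServiceDigitalIdentity>
   <ServiceStatus>{GRANTED}</ServiceStatus>
   <StatusStartingTime>2021-01-01T00:00:00Z</StatusStartingTime>
  </ServiceInformation></TSPService>
 </TSPServices></TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

def _utc(iso):
    # Trusted lists use 'Z' suffixes; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def qualified_ca_status(tl_xml, issuer_der, signing_time_iso):
    """True if issuer_der (DER of the CA that issued the signing certificate)
    is a CA/QC service whose status was 'granted' at signing_time_iso.
    Earlier status changes live in ServiceHistory, which is not modelled."""
    ns = {"tsl": TSL_NS}
    want = hashlib.sha256(issuer_der).digest()
    signed_at = _utc(signing_time_iso)
    root = ET.fromstring(tl_xml)
    for svc in root.iterfind(".//tsl:TSPService/tsl:ServiceInformation", ns):
        if svc.findtext("tsl:ServiceTypeIdentifier", "", ns) != QC_CA:
            continue  # e.g. time-stamping or non-qualified CA services
        if svc.findtext("tsl:ServiceStatus", "", ns) != GRANTED:
            continue  # withdrawn / deprecated services do not count
        if _utc(svc.findtext("tsl:StatusStartingTime", "", ns)) > signed_at:
            continue  # status was granted only after the signature was made
        for cert in svc.iterfind(".//tsl:DigitalId/tsl:X509Certificate", ns):
            der = base64.b64decode(cert.text.strip())
            if hashlib.sha256(der).digest() == want:
                return True
    return False
```

The same lookup applies to the QSCD question in the post: the EC list of certified devices is a separate check that this code does not cover.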

  • @cpotter Thank you. For us, remote QSCD is definitely appropriate, as it is widely used for many types of legal transactions by EU Institutions.

  • @aclassen by the way, Zealid created this interesting comparative table : https://www.zealid.com/hubfs/ZealiD_lentelė-pdf.svg
