Electronic Sealing via customer-owned digital certificate

Išči

Zadnja posodobitev 6. sep. 2024

Overview

Electronic seals (e-seals) provide the same legal validity as a company rubber stamp on paper, where no individual signer authenticity is conveyed. The main difference between a seal and a signature is that a signature is meant for individuals (natural persons), whereas a seal is used by a legal entity (business or organization). E-seals can be applied by more than one person or system under the control or supervision of the legal entity.

The electronic sealing feature in Adobe Acrobat Sign allows organizations to apply e-seals using digital certificates issued to their legal entity to help convey the integrity and authenticity of invoices, statements, or other official documents. Seals can be placed using only a graphic, a text block containing the subject, reason, date, and time of the seal, or a combination of both the graphical seal and text.

Users are assigned specific privileges to automatically apply an e-seal for their organization to a document using a digital certificate obtained from a Trust Service Provider (TSP) with a Cloud Signature Consortium (CSC) API integration with OAuth 2.0 Client Credential authorization flow. The following providers currently support this feature:

Prerequisites

An enterprise-tier account is required to access the API and configure the seal.
Acquire the following from your Trust Service Provider (see above for TSP options)
- OAuth 2.0 client_id and client_secret: Adobe uses these values to generate an access token which is used to make remote signing calls to the TSP. The access token is generated by calling the oauth2/token endpoint with a grant_type of "client_credentials." Please see section 8.3.3 of https://cloudsignatureconsortium.org/wp-content/uploads/2020/01/CSC_API_V1_1.0.4.0.pdf for details.
- Credential ID: An Identifier associated with the credentials of a given user for the TSP provider. A credential is a cryptographic object with related data used to support a remote digital signature over the Internet. It consists of the combination of a public/private key pair (also named "signing key" in CEN EN 419 241-1 [i.5]) and an X.509 public-key certificate managed by a remote signing service provider on behalf of a user. The credential is used as the entity with which the electronic seal is associated.
- Credential PIN: A pin code is used to secure access to a given TSP credential.

Configuration

Availability:

Electronic Seals are available for enterprise license plans.

Configuration scope:

The feature can be enabled at the account and group levels.

The controls for this feature can be assessed by navigating to the Electronic Seals tab of the admin menu

Three settings must be configured to expose the e-seal options on the user's Send page.

Allow electronic seals as a recipient role.
Enable the account/group for senders to mark recipients with an electronic sealer role.
Authorize user(s) to add electronic seals to their agreements, either by the account/group level setting or individually through the user's profile.

To allow your senders to use the e-seal role, you must enable it in the group from which the agreement will be sent.

Enable the role at the account level and allow the group's default inheritance of the setting.
Explicitly enable the role in the individual group's settings.

To enable the electronic seal recipient role, navigate to: Account Settings > Send Settings > Allowed Recipient Roles

Navigate to the recipient roles controls

Opomba:

If the option to allow electronic sealers is not enabled for the group in which the agreement is configured, the Add Electronic Seal link will not be exposed.

The default status for users to include e-seals in their agreements can be configured at the account and group levels.

For most accounts, the recommendation is to disable access at the account level and explicitly enable groups where appropriate. Accounts that have Users in Multiple Groups enabled may find dedicated groups for agreements that demand e-seals useful in limiting e-seal access at the group level.

The options are:

By default, anyone in the group can use e-seals.
By default, no one in the group can use e-seals.

In either case, individual users can be explicitly configured to override the group-level settings. (See Authorize individual users to add electronic seals below.)

Opomba:

If the option to add electronic seals is not enabled for the user creating the agreement, the Add Electronic Seal link will not be exposed.

Account-level administrators can edit the user profile of individual users to explicitly enable/disable their authority to include electronic seals in their agreements.

This authority is applied to the user directly, which overrides the group level settings for all groups in which the user is a member.

It is recommended that user-level enablement only be done when the expectation is that the whole of the account will have access to e-seals disabled, and only specialized userIDs will initiate agreements that exploit e-seals (such as API-driven workflows/technical accounts).

To explicitly enable/disable access to apply e-seals:

Navigate to Users > [individual user] > Edit User Detail.
Select/deselect the User can electronically seal documents checkbox.
Save the user profile.

Create a new e-seal

At least one e-seal must be configured, active, and available to the group from which the agreement is being sent. Otherwise, the option to add the e-seal isn't exposed on the page.

Creating an e-seal requires that you first obtain a digital certificate from a TSP with a CSC API integration. (See the Prerequisites)

Once you have the certificate, you can configure the e-seal:

Navigate to Account Settings > Electronic Seals.
Click the plus icon with a circle around it .
The interface to configure the new e-seal opens.

Enter the e-seal parameters using the information provided by your TSP:
- Name - Enter an intuitive name for the e-seal. This name is presented to the senders on the Send page.
- Cloud Signature Provider - Select the provider that issued the certificate.
  
  OAuth Client ID - Enter the client ID obtained from your TSP.
  
  OAuth Client Secret - Enter the client secret obtained from your TSP.
  
  Credential ID - Enter the credential ID obtained from your TSP.
  
  Credential PIN - Enter the credential PIN obtained from your TSP.
- Reason - Provide some text that identifies the reason for the e-seal application. This string is displayed in the e-seal on the document and in the audit report.
- Group -Select the group for which the e-seal is available.
- Graphic appearance - One or both of the blow options must be enabled for the seal to be successfully saved and used:
  
  Display Subject, Reason, Date, Time and Acrobat logo - When enabled, the text components of the seal are applied in the signature. If not enabled, only the seal graphic is used.
  
  Upload a graphic file to customize the appearance of this Seal - When an image is uploaded, it is applied to the signature. If no image is uploaded, only the text is used.
- Display email - Provide an email address that should be associated with the e-seal. This email is displayed in the email template as the address for the e-seal recipient.
Select Save when done.

The configured e-seal is created in Active status and displays on the Electronic Seals page in the list of seals.

The e-seal is ready to be applied to agreements immediately.