Entrust Remote Signing Engine
A more convenient and secure way to sign documents
Entrust Remote Signing Engine is an on-premises solution for Trust Services Providers, for the deployment of a legally compliant cloud-based signing service, easily accessible through a Web API. Signing keys are centrally protected within an HSM, and document signatures are approved remotely by users from their device, without the need for a hardware or software token.
Benefits of Entrust Remote Signing Engine
Entrust Remote Signing Engine is aligned with eIDAS standards and performs signing operations on a Qualified Signature Creation Device (QSCD).
The platform provides a very high level of trust and interoperability with the industry products that require digital signatures.
The onboarding and signing process, does not require specific knowledge, and can be done from any device.
How it works
- Architecture
- Operation
- Technical Specifications
- Optional Modules
Architecture
Entrust Remote Signing Engine provides remote signing and 2FA-based signature activation options via web services operated by a Trust Service Provider. The following figure illustrates the interactions between Entrust Remote Signing Engine, the optional Mobile ID module, and your infrastructure – the IdP is not represented:
Operation
Entrust Remote Signing Engine acts as a server-based signature provider, allowing users to authenticate in order to activate their keys and authorize the signature of documents or document hashes.
Electronic signature provider (eSigP)
PKI material for enrolled users is managed as identity attributes in a secure HSM-based repository. Each user can have one or more digital certificates to sign documents remotely once authenticated.
Signing functions are available through a web API or optionally via the TrustedX Desktop Virtual Card (VC) component.
Identity provider (IdP)
The platform is designed to leverage an existing federated Identity Provider, but it can also act as an IdP for some use cases. Consult us for more information about supported third-party IdPs.
Entrust Remote Signing Engine includes 2FA authentication methods such as SMS/Email OTP and TrustedX Mobile ID.
More authenticators can be incorporated thanks to the integration with Entrust's IntelliTrust or IdentityGuard, or with existing IdPs using our SAML 2.0 connector.
Technical Specifications
- Format: Virtual or hardware appliance. Hardware appliance is required for the Signature Activation Module. Contact us for more information about supported hardware or virtual machines.
- Signature Activation Module (SAM): Entrust Remote Signing Engine v4.2 implements a SAM conforming to CEN EN 419 241-2: Protection Profile for QSCD for Server Signing.
- Authentication standards: OASIS SAML 2.0 and OAuth 2.0/OpenID Connect.
- Native authentication methods: Passwords, digital certificates, SMS/email OTP, TrustedX Mobile ID.
- Extending authenticators: Integration with Entrust's IntelliTrust or IdentityGuard products, or with third-party IdP using the provided SAML 2.0 connector or a custom connector.
- Authentication classification: eIDAS’s levels of assurance (LoA), NIST’s authenticator assurance levels (AALs), ITU-T X.1254, ISO/IEC 29115.
- Electronic signature standards: PAdES (ETSI TS 103 172 and ETSI EN 319 142), XAdES (ETSI TS 103 171 and ETSI EN 319 132), CAdES (ETSI TS 103 173 and ETSI EN 319 122), RSA PKCS#1 and Cloud Signature Consortium/ETSI TS 119 432.
- External TSA and OCSPs: Entrust's TSA and OCSP products or IETF TSA and IETF OCSP compatible servers to create LTV signatures with extended lifetime up to TSA certificate validity.
- External PKI services: Entrust's PKI or third-party PKI using the provided mechanism of custom connectors.
- HSM support: nShield Connect+ and nShield Connect XC. The available functions may vary depending on the model chosen (nShield Connect XC is required for the SAM).
- Event monitoring: Simple Network Management Protocol (SNMP). Syslog and raw format for processing with an external SIEM.
- Database systems: Oracle, Microsoft SQL Server, and PostgreSQL. Consult us for other databases support.
- SMS/Email gateway: An SMS Gateway and/or SMTP server is required for OTP methods.
Optional Modules
An optional module that enables signature activation using a mobile device. It comes either as a dedicated app or as an SDK to integrate to your own app.
A light plug-in installed on the user’s computer, which enables them to sign documents directly from the computer using remote keys securely stored in the Entrust Remote Signing Engine platform.
Antel builds secure nationwide electronic identity and signing infrastructure for Uruguayans to use and access from different devices, using Entrust’s PKI and digital signing solutions.