Let’s talk about digital identity with Magnus Kardell, Product Owner for SignPort, Knowit.

In episode 90, Oscar is joined by Magnus Kardell, Product Owner for SignPort at Knowit, to explore digital signatures in Sweden – including the main challenges that public and private organisations face when looking for a digital signature solution, how to solve these challenges and what regulations signatures solutions need to comply with in Sweden.

[Transcript below]

“It’s demand for high availability, and demand for high level automation. That means you need to be able to validate the document electronically to the person who has signed it.”

Guest: Magnus Kardell

Magnus Kardell is the Product Owner for SignPort, an IP product developed by Knowit enabling high-security e-identification and e-signatures. He is a specialist in identification and signing services, with a focus on IAM and SSO federations. Magnus started his career in this field in 2013 and has since gained extensive experience in the public sector, catering to clients with high-security standards and needs. With a strong background in the industry, Magnus is dedicated to delivering innovative and secure solutions to his clients through SignPort.

To continue the conversation or to find out more, visit SignPort – signature service, reach out to Magnus via email or connect with him on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thank you for joining us. As the years have been passing, I have noticed actually that digital signatures are becoming more and more common, at a time when we need to sign some agreements electronically or on Internet services. So, let’s take some time today and hear what is going on, what the trends are, in the European Union, but particularly in Sweden, where today’s guest is coming from.

So, our guest today is Magnus Kardell. He is the product owner of SignPort, a product developed by Knowit, enabling high security, e-identification and e-signatures. He is a specialist in identification and signing services, with a focus on IAM and SSO Federations. Magnus started his career in this field in 2013 and has since then gained extensive experience in the public sector, catering to clients with high security standards and needs. With a strong background in the industry, Magnus is dedicated to delivering innovative and secure solutions to his clients through SignPort.

Hello, Magnus.

Magnus Kardell: Yes, hello. Hello, Oscar.

Oscar: Welcome. It’s great having you. We are going to talk about signatures. But let’s get started. Let’s talk about digital identity. First of all, we want to hear about our guest, so we want to hear about you. Tell us a bit about your journey to this world of identity.

Magnus: Thank you. Yeah, Magnus Kardell is my name, and I work at Knowit Secure Solutions, as Oscar mentioned, and I’m product owner for SignPort, which is an identification and signing service. I started roughly 10 years ago with IT security and at the time we were having, and working with, identity and access management. Providing single sign on and federations between different organisations, and soon after that, we were adding also signature services.

In Sweden, there is a technical framework provided by the Swedish agency, DIGG, the agency for digital government. We have always complied with that standard, and that’s where we built our services. It’s mainly targeting the public sector, but it’s also good for the private sector. And I think in 2016, we made the first signatures, doing it this way and according to this standard. So, we were first with that one. And I’ve been a project manager for establishing about 40 customers in Sweden, in different configurations, and they are mainly government agencies and large municipalities.

So that’s basically my journey and where I got my experience in this.

Oscar: Sounds great. So, Magnus, what would you say are the main challenges that organisations, we talk about public and private, these organisations face, when they ask you for a digital signature solution?

Magnus: When it comes to public sector, you have to consider many things, maybe more than for a private company. For example, to start with, you need to be able to connect to different eID issuers. So, you can’t only have one.

In Sweden, BankID is the most common, but you need to be able to connect to different, both for identification and also signing. And also, there is a request for dividing into what we call private eID issuers where we use your personal number, which is more private. But that can also be as an employee at an organisation. So, you have that kind of – maybe you don’t want to mix your private entity and your employee entity, so you have to consider that. And also, international, so you can also identify yourself and sign with an eID issuer that is from another country. So that’s one of the things.

The most common eID issuer is BankID, of course, but there is also Freja e-ID, Freja org ID, which is for employees more, and foreign e-ID, that is international. So those are examples, but there are more. So, you need to cope with that, and you need to be able to connect to those.

They are also high security when it comes to signatures. It’s level three, which basically means that you need a hardware secure module, where you do the actual signing. So that’s also a bit higher in security than the general need.

A signed document must be self-supporting over time. So, you can’t rely on our service later on, it has to be self-supporting. And the supplier of the signature service must be replaceable. That’s not good for us, but it’s good that we are, because well, all companies, they are not forever. So, it’s, we should be able to replace as a supplier. So that would be in our system cemeteries that our customers that they, that the document itself is self-sustaining. And you have different things, in some cases, the documents to be signed are really sensitive, or the content is delicate, so you need to be able to sign the document without the document itself leaving the customer’s IT environment. But some requirements also on the signature service.

There are also, in some cases, you need a pure e-service, like a signing portal. But in some other cases, the customer probably has their own platform that we would like to connect to our, how to say – signing engine. So, we have to provide APIs for our customers’ e-services – sometimes you have a simple signing portal, and in other cases, you let the customers’ e-platforms connect to our signing service. So, these are things that they need.

And then, of course, going into public sector, there can be really high volumes, when citizens in the country are using the service. It’s demand for high availability, and there is also a demand for high level automation. That means that the signatures need to be – you need to be able to validate the document electronically to the person who has signed it. If you look into the electronic signature of the PDF and read, signed by the supplier of the service, that is a no go, because then you can’t electronically extract what person who has actually signed the document.

So, this also put some specific requirements, and this is about the journey to digitalisation, and we’re not there yet. We may be in the beginning, of course, so far, when we sign a document on, electronically, like a PDF, that’s good. But often, it’s human reading it, at the end, at the other end anyway. So, we have replaced the paper, which is good. It’s much smoother. That’s very good. But still, it isn’t, the flow isn’t really digitalised. And if looking at these challenges that our customers have, they need to be able to do this high level of automation, at least have it further on.

And then, of course, there are requests for sustainable operations. For example, excess heat in the operation centre should be fed back into the district heating network. So, this kind of, you don’t really think of them, but if looking at society, you need to think about those things to be sustainable. Those requirements I mentioned now, or the challenges there were, these organisations have. Of course, they’re mainly for government authorities or municipalities, but, I mean, it could apply also for private companies. It’s not bad, it’s really good things. So that’s about the challenges.

Oscar: Yeah, I can see quite many different types. As you mentioned, some are purely security, some more like usability, what the user is going to face. What else? And the last one, you mentioned actually, the sustainability side. So yeah, different – and some are, yeah, legal. So yeah, on different fronts, there are these types of requirements for signature services. And it’s great that our solutions, yeah, fix all these together and give a great product to, for us, for the users.

So, I would like to hear now, how are you solving some of these challenges? What are the main use cases? Just, if you can illustrate some of those use cases, hot use cases, let’s say?

Magnus: Signature service that we provide, SignPort is following the, I mentioned before, DIGG, the agency for digital government in Sweden they put up a framework for how to solve these issues. But there is also architecture or reference architecture for how to cope with these challenges. So, we follow that. And if looking at our service, it’s split up in four different components, mainly, four different components, and it’s a Signing Portal, Support Service, a Digital Signing Service, and Identification Service. So, these are the four different components.

And the Signing Portal is like a web page that is an e-service, a service provider. The only thing you can do is to just create a signing assignment. Just to, for example, take a PDF document, drag and drop, and then you apply the email address to the signers, and you send it away, and create the sign message, so that’s how it works. It’s a very simple, but useful tool for just keeping the, having a web interface to the users.

Then we have a Support Service. And the support service is basically calculating the hash of the document to be signed, and then the hash is sent further on to the digital signing service.

Digital Signing Service is a bit more – has the highest security, it contains these hardware secure modules, etc. That are creating those signings with the highest security.

And then we have the Identification Service, which is actually different identity providers connecting to each e-ID issuer. And we’re splitting this up, you can facilitate several things, because the signing portal and the support service is – those are the only components that are hit by the document to be signed, and they are done in a way that they can be installed in our customers’ operations. So, by doing it that way, the document to be signed is never leaving our customers’ IT departments. So, they stay at our customer. That is one thing. And by splitting up, so you have an API towards the support service, you also facilitate the possibility that the customer has other e-services that also would like to use an API for signing documents.

Those two parts, the signing portal and support service, are rather easy components that don’t contain any hardware or anything like that. So, it’s easy for the customers to install and operate themselves. Some other customers might – don’t have that requirement. They want the software as a service solution, and we can provide that as well. So, that’s possible to do it that way.

The Digital Signing Service, containing the hardware secure modules and everything around that, that we always operate ourselves, but that part is never hit by the documents to be signed. And then we have the Identification Service, which is basically a SAML 2.0 IdP connecting to different eID issuers. It can be used as a pure identification service only for logging into an e-service, for example, but not in this case, also for signing. So that’s how our service is split up with those four different components, and how we can meet all these requirements that we have from the customer. But it is possible to do it this way.

And for the signing portal, we – it is a rather simple web page, and it has a basic structure, but we can customise it for our customers. So, if a municipality use that, we can customise it for that municipality; so it states the name and everything. So, the user feels that they are in the same. But when connecting to the support service then the – our customers can fully integrate and have everything that is shown to the users and the e-service that the agency provide. So that’s a little bit how it works and how it’s set up.

Oscar: Excellent. Actually, one topic, I think you mentioned a little bit, maybe to understand even better is the self-supporting signed document. Right? So, you said – tell us a bit more about that, how it works.

Magnus: If taking a PDF, for example, the standard we use is PDF advanced electronic signatures. When I say that agency for digital government, the technical framework is based on eIDAS. So, it’s international standards that it is based on. And when I say self-sustaining, then I mean that it should be able to validate the document to the person who has signed it, using only the document.

It isn’t really through, but you don’t need SignPort in order to validate it. You just need the public key from our signing service. And that’s the only thing you need, then you can validate the signature to the person who has signed the document. And the public key is – it can be downloaded, it can be stored, so that you have it. But it’s public service, so it’s, once it’s out, it is possible to achieve later on. But if you have that, you can validate the document to the person.

And then you can do, for example, if a government, an agency received a signed document, you can validate it and extract the person, electronically, that has signed a document provided that you rely on our public key. But then you also include the verification list in the document, so you can see that when it was signed, the identity wasn’t revoked. So, it’s sustainable also over time, together with a signed timestamp as well. So, basically, that makes it, self-supporting.

There might be other ways to do this onwards, the standards aren’t really set yet. But this is how we do it, in order to achieve this. Possibilities there are very replaceable, but it’s a good thing, I guess, if looking at.

Oscar: Yes. You have mentioned also that a big part of your requirements come from the public service, and you’re following what needs to be complied with in Sweden. So, let’s focus on that. So, what must a signature service comply with in Sweden?

Magnus: It is for the public sector. In Sweden, the agency for digital government, they have set up a technical framework and a normative specification, and this setup addresses all the requirements that I listed above. So, it’s not a requirement on the public sector in Sweden, but it is the recommendation. And if following it, it will be much easier when, for example, different agencies collaborate and send documents between each other, if the signed documents follow the standard, the same standard. And there is also a requirement to connect to foreign eID, eIDAS.

So, for example, if you – there aren’t that many countries that are connected to foreign eID yet. But, for example, if someone from Germany would like to use e-services in Sweden, it’s possible. Also, Denmark and several other countries, and there are more upcoming. So, there is a possibility to use it also within Europe, both for identification and signing.

For the private sector, it isn’t – of course, there are requirements that the service has to be easy to use. I think that’s the main thing. But otherwise, there aren’t that many must-have requirements, I believe, when it comes to security or sustainability, and so on. Maybe companies would like such things, but it isn’t a real requirement. So, you can use more or less whatever signing service you like. And there are many, and that’s OK. So, what we’ve seen in the private sector is mainly, we have some customers, but they are mainly connected to either health care or law, where you’re closer to the public sector. So that’s what we’ve seen.

Oscar: All right, perfect. Definitely a good overview of how signatures have been applied in Sweden. I would like to ask a final question. So, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agenda today?

Magnus: Yeah. I think if you do not yet have a digital signature service, get one. It’s so much more efficient and sustainable than paper. So, if you don’t have one, get one. And when getting one, think about the future, how is the validity of the signed document proven over time? What happens in collaboration with other parties? And also, what happens when replacing the supplier, what’s next? I think those things you should consider when choosing a signature service.

Oscar: All right, excellent. Thank you, Magnus, for this final recommendation. So please, yeah, let us know if someone would like to follow the conversation with you, or follow the work you’re doing. What are the best ways for that?

Magnus: If you want to reach me, I think it’s easiest on an email address, which is M-A-G-N-U-S dot K-A-R-D-E-L-L @knowit.sc. So, you can reach me there. And I believe we’ll set up a home page for SignPort, there is one, but I think we will update it soon.

Oscar: All right, perfect. Again, thank you, Magnus, for this conversation, and all the best.

Magnus: Yeah, thanks a lot.

Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.