Seal Server Qualified HSM
Appendix revision date: March 1, 2018.
APPENDIX: DESCRIPTION OF THE K.SIGN SEAL SERVER QUALIFIED HSM SERVICE
DocuSign France offers a K.Sign Seal Server Qualified HSM Service in response to specific operations related to the electronic seals of documents on behalf of the Legal Entity.
1. Technical Contact and Authorized Representative
What the Technical Contact and Authorized Representative will have access to:
- Registration Portal for filling the Certificate Requests;
- DocuSign Signature Web Portal to sign submitted Certificate Requests when appropriate;
- Certificate to be loaded onto the HSM that generated the Key-pair associated with the Certificate;
- Publication of the CRL (Certificate Revocation List);
- Access to an Online Certificate Status Protocol (OCSP) for the Certificate validation service; and
- Recognition of the Certificate Authority in Adobe Reader software (version 9 and upwards) enabling automatic validation of signatures made with the Certificate.
2. Customer and DRA Central Operators
The K.Sign Seal Server Qualified HSM Service allows a DRA Central Operator to manage Certificate Requests for issuing, renewing, and revoking Certificates. As part of the K.Sign Seal Server Qualified HSM Service, DocuSign France shall provide the following:
- Authentication of Certificate Requests originating from a DRA and sent by a DRA Central Operator;
- Authentication of Revocation Requests originating from a DRA and sent by a DRA Central Operator;
- Validation of the Technical Contact’s Legal Entity entered in the Certificate Request sent by a DRA Central Operator;
- Verification of completeness of registration applications sent by a DRA Operator;
- When key management is delegated to DocuSign France: generation of the Key-pair on cryptographic HSM resource that complies with ANSSI French “Qualifié Renforcé” qualified product as a minimum;
- Issuance of K.Sign Seal Server Qualified HSM Certificates for the benefit of the Technical Contact designated in the Certificate Requests sent by a DRA Central Operator;
- Delivery of the Certificate to the Technical Contact, or Certificate deployment in appropriate platform when key management is delegated to DocuSign France;
- Access to Customer Support using https://support.docusign.com/en/acct1login and account credential received at login creation by DocuSign France;
- Revocation of Certificates; and
- Access to an OCSP Certificate validation service.
Digitized management of Certificate Requests through a Registration Portal interface will be made available to the Authorized Users by DocuSign France. This Registration Portal may be used and accessed for the following purposes:
- To enable Authorized Users to fulfill and submit Certificate Requests;
- To enable Authorized Users to follow up on the status of their Certificate Request progress towards verification and signature by all Parties;
- To enable the DRA Central Operator to have dedicated authenticated access;
- To enable the DRA Central Operator to manage the Certificate Request for the purpose of:
- Notifying the Parties for signature;
- Following the status of the Certificate Request at DocuSign France until its issuance; and
- Having a complete situation of all the Certificate Requests ongoing and completed or canceled.
- To enable the DRA to make available the list of the Certificates they manage as incorporated into the Agreement.
Under the K.Sign Seal Server Qualified HSM Service, DocuSign France delivers Certificates that comply with the requirements of the Regulation:
- Certificate OID: 220.127.116.11.4.1.2218.104.22.168.17
- French regulation compliancy: version 2.0 of "Référentiel Général de Sécurité", and its appendix A3 Certification Policy Type "Certificats électroniques de services applicatifs", Version 3.0 from February 27, 2014, Level **
- eIDAS regulation compliancy: ETSI 319 411 – 2 QCP-L eIDAS compliancy: ETSI 319 411 – 1 LCP
In this regard, the digitized workflow for Certificate Request management shall be defined by DocuSign France in accordance with audited issuing procedures described in the Certification Policy for Seal Server Certificates that can be found at the following URL: https://www.docusign.fr/societe/politiques-de-certifications
4. Service Setup
During the K.Sign Seal Server Qualified HSM Service setup, the following are delivered:
- Training of DRA Central Operators;
- Customization of the Registration Portal and enablement of the DRA workspace with the Certificate type;
- Provisioning of the DRA Central Operator’s account in the DocuSign Signature Web Portal; and
- The authentication certificate for a maximum of three (3) DRA Central Operators; additional authentication certificates can be procured.
5. Training of DRA Central Operators
This training is performed in a form of remote presentation of the Registration Portal and DocuSign Signature Web Portal. This session includes:
- Training of DRA Central Operators including technical training on the provided tools - Registration Portal and DocuSign Signature Web Portal for managing the Certificate Requests;
- Security training with regards to the duties associated with the DRA role and described in the Agreement; and
- A Training attendance sheet that is signed by each DRA Central Operator.
Presentation material is delivered to the DRA Central Operator.
6. Authenticated access of DRA Central Operators
In order to access the Registration Portal, each DRA Central Operator will need to complete a Certificate Request for K.Sign Office Certificate.
To access the DocuSign Signature Web Portal, the DRA Central Operator is provisioned with a login and password.
In this regard, the Customer is solely responsible for any damaging consequences that may result from the use of the DocuSign Signature Web Portal by an unauthorized third party following a fault or an act of negligence by an individual acting under the security of his/her password received via SMS or email and of the login and/or password provided to him/her by the DRA Central Operator.