This article applies only to the DocuWare Windows Client. There is no support for electronic signatures in the Web Client.
What are the conditions of use for electronic signatures?
The conditions of use for electronic signatures described below refer to Germany and the German Signature Act. Conditions of use in other countries may be similar. Please be sure to observe the legal provisions pertaining in the country in which you wish to use electronic signatures.
All devices used as chip card terminals must be chip card terminals that have been verified and confirmed under the terms of the Signature Act and Signature Ordinance, and they must implement the Microsoft Crypto API.
Under the terms of the Signature Act and Signature Ordinance, only signature creation devices that have been verified and confirmed as secure may be used as personalized chip cards.
Administrative conditions of use
When Qualified Electronic Signatures are being used, the administrator must observe the following security guidelines:
The DocuWare 5 client must be installed on a dedicated computer. The DocuWare 5 server must also be installed on a dedicated computer. The individual components can be installed either on a single computer (single-machine installation) or on different computers. For a detailed description of the different types of installation, see the DocuWare Installation Manual. If you are using a network installation, the administrator must ensure that the clients and servers communicate with one another over secure lines within a protected environment.
Access to the computer in question from another computer within the local network must be prevented by means of a locally installed packet filter mechanism. The opening of connections by applications on the computer itself must be restricted to the IP addresses, ports and protocols it requires for operation.
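The packet filter requirement above can be met with the Windows Defender Firewall that ships with the supported operating systems. The following PowerShell function is an added example, not a DocuWare script or configuration: it sets every profile to default-deny in both directions, disables the built-in inbound allow rules, and then permits outbound connections only to the DocuWare server addresses and ports and to one NTP time source. The server addresses, ports and time source are constructed placeholders that the administrator replaces with the site's own values; the page does not state which ports DocuWare uses.

```powershell
# Added example (not DocuWare's own configuration): lock a dedicated DocuWare
# client workstation down with Windows Defender Firewall so that only the
# connections the installation needs can be opened. All addresses and ports
# below are constructed placeholders.
#Requires -RunAsAdministrator

function Set-DedicatedWorkstationFirewall {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder: DocuWare server host(s) the client must reach.
        [string[]]$ServerAddress = @('192.0.2.10'),
        # Placeholder: TCP ports of the DocuWare servers on those hosts.
        [int[]]$ServerPort = @(9000, 9001),
        # Placeholder: the NTP time reference used to keep the clock accurate.
        [string]$TimeSource = '192.0.2.1'
    )

    # 1. Default-deny on every profile. Inbound Block keeps other hosts on the
    #    LAN out; outbound Block limits what local applications may open.
    if ($PSCmdlet.ShouldProcess('Domain/Private/Public profiles', 'Default action Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True
    }

    # 2. Built-in inbound allow rules (file sharing, remote management, ...)
    #    would still match before the default action, so disable them.
    if ($PSCmdlet.ShouldProcess('Enabled inbound allow rules', 'Disable')) {
        Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
            Disable-NetFirewallRule
    }

    # 3. Remove rules from an earlier run so the function is idempotent.
    Get-NetFirewallRule -DisplayName 'DW-Client-*' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # 4. Allow only the DocuWare server endpoints: address, port and protocol.
    foreach ($port in $ServerPort) {
        New-NetFirewallRule -DisplayName "DW-Client-Server-TCP-$port" -Direction Outbound `
            -Action Allow -Protocol TCP -RemoteAddress $ServerAddress -RemotePort $port |
            Out-Null
    }

    # 5. Allow NTP (UDP/123) to the configured time reference only.
    New-NetFirewallRule -DisplayName 'DW-Client-NTP' -Direction Outbound -Action Allow `
        -Protocol UDP -RemoteAddress $TimeSource -RemotePort 123 | Out-Null

    # 6. Return the resulting allow list so it can be reviewed and documented.
    foreach ($rule in Get-NetFirewallRule -DisplayName 'DW-Client-*') {
        $ports = $rule | Get-NetFirewallPortFilter
        $addrs = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Protocol      = $ports.Protocol
            RemotePort    = $ports.RemotePort
            RemoteAddress = $addrs.RemoteAddress
        }
    }
}

# Dry run first, then apply.
Set-DedicatedWorkstationFirewall -WhatIf
Set-DedicatedWorkstationFirewall
```

Because outbound traffic is denied by default, the administrator must add further outbound rules for whatever else the workstation legitimately needs, for example name resolution, the source of operating system security updates, and the certificate revocation list distribution points, otherwise the other requirements on this page (up-to-date patches, up-to-date certificate blacklists) cannot be met.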
The computer on which the client and/or servers are installed must be located in a room that can only be entered by authorized personnel. Before installation and during operation of the product it must be ensured that the security of the computer and of the installed operating system has not been and is not compromised. The DocuWare software itself is signed and cannot be started if it has been tampered with, because tampering breaks the signature. The operating system installed on the computer must be kept up to date by installing security fixes and updates as they become available. No other operating system may be running at the same time (no virtual machines).
Access to the DocuWare storage structure must be reserved for DocuWare servers only (DocuWare Content Server). No other users may have access to it. This can be ensured using the Windows rights structure.
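One way to enforce this with the Windows rights structure is to replace the NTFS access control list of the storage folder so that only the Content Server's service account (plus the local administrators and SYSTEM, for backup and operating system access) remains. The following function is an added example and not a DocuWare script; the storage path and the service account name are assumptions passed in as parameters, and a second function audits the folder for any other principals that still hold access.

```powershell
# Added example (not DocuWare's code): reserve a DocuWare storage folder for
# the Content Server's service account. Path and account are placeholders.
#Requires -RunAsAdministrator

function Protect-StoragePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,            # placeholder, e.g. 'D:\DocuWareStorage'
        [Parameter(Mandatory)][string]$ServiceAccount   # placeholder, e.g. 'NT SERVICE\DWContentServer'
    )

    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent and discard the inherited entries, so
    # rights granted higher in the tree (e.g. BUILTIN\Users: Read) no longer apply.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop every explicit entry that is already present.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $grants = @(
        @{ Identity = $ServiceAccount;          Rights = 'Modify' },       # the server itself
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },  # maintenance and backup
        @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }   # operating system services
    )
    foreach ($g in $grants) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $g.Identity, $g.Rights, $inherit, $propagate, 'Allow'))
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Audit: list every principal on the folder that is not on the allowed list.
function Test-StoragePathAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage with placeholder values:
# Protect-StoragePath -Path 'D:\DocuWareStorage' -ServiceAccount 'NT SERVICE\DWContentServer'
# Test-StoragePathAccess -Path 'D:\DocuWareStorage' `
#     -Allowed 'NT SERVICE\DWContentServer', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
```

The audit function should return nothing; any row it prints is a principal that can reach the storage structure without going through the DocuWare servers. Run it periodically, since inherited permissions re-appear whenever the folder is moved or restored from a backup that did not preserve its ACL.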
DocuWare workstations that are used to create Qualified Electronic Signatures must be run on an internal network that is protected against external attack by a firewall. Access from public networks to the local network on which the computer resides must be prevented by a router that has been appropriately configured. In addition, an up-to-date virus scanner must be installed on the workstation.
The chip card terminals used must be directly connected to the computer on which the DocuWare client is installed and run (no KIOSK systems).
The system clock on the computer on which DocuWare Authentication Server is installed must be accurate. We recommend synchronizing the system clock using a suitable time reference (NTP).
Chip card terminals with their own keyboard, secure signature creation devices (signature cards) that implement the Microsoft Crypto API, and qualified certificates must be used to create Qualified Electronic Signatures; the suitability of these terminals must also be verified and confirmed under the terms of the Signature Act and the Signature Ordinance.
The organization administrator must ensure that only authorized persons can create signature stamps, and that only authorized persons can use signature stamps that generate Qualified Electronic Signatures. We recommend always assigning signature stamps that generate Qualified Electronic Signatures directly to users of the product. The administrator should ensure that it is impossible for signature stamps to be assigned through profiles, roles, or groups.
The organization administrator must ensure the following conditions apply to all persons authorized to use signature stamps or create Qualified Electronic Signatures: these persons must have access only to baskets in DocuWare 5 mode, not in DocuWare 4 mode, and they must not have the right to administer baskets.
The administrator must ensure that only up-to-date certificates and only up-to-date blacklists are imported into the Windows certificate store of the computer on which the DocuWare client is installed. This can be ensured using the functions of the Windows operating system (the Windows certificate store).
If signed documents are exported from DocuWare, users must ensure that they are protected against unauthorized access.
Baskets used for mass signatures may only be used by authorized persons. This must be ensured by means of Windows security mechanisms.
Use of system resources
DocuWare creates the signature using the Crypto API, a component of Microsoft Windows operating systems. The software used by the signature creation device must implement this interface.
The hash values are created using the publicly available .NET classes in the System.Security.Cryptography namespace. The hash value is generated in two stages, as specified by the XML Digital Signature standard.
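The two stages are easiest to see in code. The following is an added example written for Windows PowerShell 5.1 against the .NET Framework System.Security.Cryptography.Xml classes; it is not DocuWare's code and does not use a chip card. Stage one digests the referenced document content into a DigestValue; stage two canonicalizes the SignedInfo element that carries that DigestValue and hashes it again, and only this second hash is what the private key signs. An in-memory RSA key stands in for the key on the signature card, and the XML document is constructed for the example.

```powershell
# Added example (not DocuWare's code): the two-stage XML Digital Signature
# hash, shown with System.Security.Cryptography.Xml on Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function New-SignedSample {
    param([string]$Xml = '<doc><text>Constructed sample content</text></doc>')

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($Xml)

    # Ephemeral software key: stand-in for the signature card's private key.
    $rsa = [System.Security.Cryptography.RSACng]::new(2048)

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.SigningKey = $rsa
    $signedXml.SignedInfo.SignatureMethod = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

    # Stage 1: one Reference covering the whole document (URI ""), with the
    # enveloped-signature transform so the <Signature> element itself is excluded.
    $ref = New-Object System.Security.Cryptography.Xml.Reference('')
    $ref.DigestMethod = 'http://www.w3.org/2001/04/xmlenc#sha256'
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signedXml.AddReference($ref)

    # ComputeSignature performs both stages: it fills ref.DigestValue, then
    # canonicalizes <SignedInfo> (which contains that digest) and signs its hash.
    $signedXml.ComputeSignature()
    $doc.DocumentElement.AppendChild($doc.ImportNode($signedXml.GetXml(), $true)) | Out-Null

    [pscustomobject]@{
        Document       = $doc
        Stage1Digest   = [Convert]::ToBase64String($ref.DigestValue)       # hash of the content
        SignatureValue = [Convert]::ToBase64String($signedXml.SignatureValue) # signature over SignedInfo
        PublicKey      = $rsa
    }
}

function Test-SignedSample {
    param($Signed)
    $check = New-Object System.Security.Cryptography.Xml.SignedXml($Signed.Document)
    $node  = $Signed.Document.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')[0]
    $check.LoadXml($node)
    # CheckSignature repeats stage 1 against the current content and stage 2
    # against <SignedInfo>; either mismatch makes it return $false.
    $check.CheckSignature($Signed.PublicKey)
}

$signed = New-SignedSample
"Stage-1 digest (Reference) : $($signed.Stage1Digest)"
"Signature over SignedInfo  : $($signed.SignatureValue.Substring(0, 32))..."
"Verifies                   : $(Test-SignedSample $signed)"

# Change one character of the content: the stage-1 digest no longer matches
# the DigestValue inside SignedInfo, so verification fails.
$signed.Document.DocumentElement.FirstChild.InnerText = 'Modified'
"Verifies after tampering   : $(Test-SignedSample $signed)"
```

In the real product the SigningKey is the key on the chip card, reached through the Crypto API described above; everything else, including the fact that only the hash of SignedInfo ever leaves the computer for the card, is the same.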
When a user creates a signature, the entire certificate chain, from the user's own certificate through to the associated root certificate, must be saved in the Windows certificate store. The Windows certificate store is a component of the supported Windows operating systems.
When the signature is checked, the entire certificate chain must also be saved in the Windows certificate store of the computer in question. The user certificate can also be saved in the signature if required. In this case it need not be present in the Windows certificate store of the personal computer on which the signature is checked.
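Two of the conditions above, the up-to-date certificates and blacklists in the administrative section and the complete certificate chain in this section, can be audited from the store itself. The following function is an added example and not part of DocuWare: for each certificate with a private key in the chosen store it reports the validity dates and builds the full chain using only material that is present locally, i.e. the intermediates and cached revocation lists in the Windows certificate store, without going to the network. The store path is a parameter; no site-specific values are assumed.

```powershell
# Added example (not DocuWare's code): audit the Windows certificate store of
# a signing or verification workstation. Offline chain building checks exactly
# what the page requires to be in the store: the whole chain up to the root and
# a current blacklist (CRL) for every element of it.

function Test-SignerCertificateStore {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [switch]$Online    # use online revocation checking instead of the cached CRLs
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode     = if ($Online) { 'Online' } else { 'Offline' }
        $chain.ChainPolicy.RevocationFlag     = 'EntireChain'
        $chain.ChainPolicy.VerificationFlags  = 'NoFlag'
        $valid = $chain.Build($cert)

        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { '(no chain built)' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt $now
            ChainValid = $valid
            ChainDepth = $chain.ChainElements.Count
            Root       = $root
            Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Dispose()
    }
}

# Usage: list everything, then only the certificates that need attention.
Test-SignerCertificateStore | Format-Table Subject, Expired, ChainValid, Problems -AutoSize
Test-SignerCertificateStore | Where-Object { $_.Expired -or -not $_.ChainValid }
```

Reading the Problems column: PartialChain or UntrustedRoot means the chain up to the root is not completely in the store; OfflineRevocation or RevocationStatusUnknown means no current revocation list is available locally, which is the "up-to-date blacklists" condition failing; Revoked and NotTimeValid speak for themselves. Rerun with -Online to confirm whether the failure is a stale local copy or a genuinely revoked certificate.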