The tech community has seen a significant surge from businesses around the world wanting to issue digitally signed electronic documents in the wake of coronavirus. We’ve seen first-hand the impact of transitioning entire workforces into full remote-working setups and are providing this guide to assist with transitioning to issuing fully digital documentation.
For our customers, one of the key reference documents is the IMO’s FAL.5/Circ.39/Rev.2: Guidelines For The Use Of Electronic Certificates which outlines the following features required to be present:
4.1 Administrations that use electronic certificates should ensure that these certificates have the following features
4.2 Administrations that use websites for online viewing or verifying electronic certificates should ensure that these sites are constructed and managed in accordance with established information security standards for access control, fraud prevention, resistance to cyberattacks and resilience to man-made and natural disasters.
4.3 Shipowners, operators and crews on ships that carry and use electronic certificates should ensure that these certificates are controlled through the safety management system, as described in section 11 of the International Safety Management Code.
4.4 Electronic signatures applied to electronic certificates should meet authentication standards, as adopted by the Administration.
To gain clarity on how we can handle these requirements, here is how OHQ Cloud handles each component part.
4.1: Certificate templates are aligned with the relevant convention requirements and committed into our Version Control System to protect the templates from modification.
When a certificate is issued, it is done so in a way that encrypts the PDF output and sets restrictions on how the file can be used. This includes implementing PDF encryption (password protection and permissions) as specified in the PDF Reference, version 1.3, section 3.5 "Encryption" and defining permissions for opening, printing, copying contents and modifying annotations.
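As an added illustration (not Oceans HQ code), the following Go snippet encodes and decodes the four user-access flags that the PDF Reference 1.3 standard security handler stores in the `/P` entry of the `/Encrypt` dictionary; the dictionary text it parses is a constructed sample.

```go
package main

import (
	"errors"
	"regexp"
	"strconv"
)

// Permissions holds the user-access flags of the PDF Reference 1.3, section 3.5
// standard security handler (revision 2). Conforming viewers enforce them; the
// encryption itself does not, so /P is a policy hint, not a tamper-proof control.
type Permissions struct{ Print, Modify, Copy, Annotate bool }

// Bit numbers from Table 3.15: 3 print, 4 modify, 5 copy/extract, 6 annotate.
// Bits 1-2 must be 0 and bits 7-32 must be 1, so a conforming /P is negative.
const (
	bitPrint, bitModify, bitCopy, bitAnnotate int32 = 1 << 2, 1 << 3, 1 << 4, 1 << 5
	reservedBits                                  = ^int32(0x3F)
)

// Encode builds the signed 32-bit /P value stored in the /Encrypt dictionary.
func (p Permissions) Encode() int32 {
	v := reservedBits
	for bit, on := range map[int32]bool{bitPrint: p.Print, bitModify: p.Modify, bitCopy: p.Copy, bitAnnotate: p.Annotate} {
		if on {
			v |= bit
		}
	}
	return v
}

// Decode reads the four flags back from a /P value; reserved bits are ignored.
func Decode(p int32) Permissions {
	return Permissions{p&bitPrint != 0, p&bitModify != 0, p&bitCopy != 0, p&bitAnnotate != 0}
}

var pEntry = regexp.MustCompile(`/P\s+(-?\d+)`)

// FromEncryptDict extracts /P from the text of an /Encrypt dictionary such as
// "<< /Filter /Standard /V 1 /R 2 /Length 40 /P -44 /O <...> /U <...> >>".
func FromEncryptDict(dict string) (Permissions, error) {
	m := pEntry.FindStringSubmatch(dict)
	if m == nil {
		return Permissions{}, errors.New("no /P entry in /Encrypt dictionary")
	}
	v, err := strconv.ParseInt(m[1], 10, 32) // bitSize 32 rejects out-of-range values
	return Decode(int32(v)), err
}
```

The flags are honoured by the viewer rather than enforced cryptographically, and the revision 2 handler's 40-bit RC4 is weak by current standards, so they restrict casual use of the file but do not prove who issued it or that it is unaltered; that is what feature 4.4 adds.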
Every document produced also includes a unique tracking number (sometimes also referred to as a barcode, CCN or Unique ID), so we're covering off 4.1.3 too.
As for printable and visible symbols that confirm the source of issuance, this is typically the logo of the Maritime Administration or Flag State as well as an area for a 'wet signature' to be placed and a seal to be stamped.
So far, everything is aligning nicely and we don't see any hazards.
4.2: At Oceans, we've seen several approaches to online verification websites, but the easiest way to achieve this is to turn on Frontier as we handle all of the security requirements and integrations with backend systems such as Vessel HQ, Seafarer HQ and Nucleus.
If you're running your own marketing website (most likely), you want to ensure that customers feel confident knowing they are interacting with you, so you can set up Frontier on your own subdomain - for example https://portal.atlantisregistry.com - to have a consistent web presence delivered over SSL. This way, you also remove the need to have data duplicated into a database on your marketing website's hosting provider.
4.3: You'll be referring to section 11 of the International Safety Management Code and ensuring shipowners have an approved safety management system that includes specifications for handling electronic documents.
4.4: You can choose between encrypted electronic certificates, digital certificates or a combination depending on your requirements. OHQ Cloud has the flexibility to cater to your requirements out-of-the-box.
However, when we get to Feature 4.4, this is where we are seeing people face several challenges. Let's review 4.4:
"Electronic signatures applied to electronic certificates should meet authentication standards, as adopted by the Administration."
We regularly get asked questions on how to meet this requirement of the FAL convention. Here are a few of the questions we get asked.
An electronic signature, or e-signature, refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign. This type of signature provides the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation it was created under (e.g., eIDAS in the European Union, NIST-DSS in the USA or ZertES in Switzerland).
Electronic signatures are a legal concept distinct from digital signatures. The concept of an electronic signature itself is not new, with common law jurisdictions having recognised telegraph signatures as far back as the mid-19th century and faxed signatures since the 1980s.
Here’s an example of Lara Croft Tomb Raider’s electronic signature:
To go into more detail, check out the full Wikipedia article on electronic signatures.
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).
Digital signatures are a standard element of most cryptographic protocol suites, and are commonly used for software distribution, financial transactions, contract management, and in other cases where it is important to detect forgery or tampering.
Digital signatures are often used to implement electronic signatures, which includes any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. In some countries, including South Africa, the United States, Algeria, Turkey, India, Brazil, Indonesia, Mexico, Saudi Arabia, Uruguay, Switzerland, Chile and the countries of the European Union, electronic signatures have legal significance.
Here’s an example of what a digital signature would look like to a recipient if they opened a digitally signed PDF document using Adobe Acrobat:
To go into more detail, check out the full Wikipedia article on digital signatures.
Electronic signatures are a legal concept distinct from digital signatures. A digital signature is a cryptographic mechanism often used to implement electronic signatures, whereas an electronic signature can be as simple as an image of a scanned signature or a name entered in an electronic document.
Digital signatures are increasingly used in e-commerce and in regulatory filings to implement electronic signatures in a cryptographically protected way. Standardisation agencies like NIST or ETSI provide standards for their implementation.
Each signatory can have a copy of their ‘hand-signed’ signature associated with their user profile. This is a manual task that does require our development team to get involved with, as we need to ensure the electronic signature images are version controlled. Loading electronic signatures for a specific user is always free of charge.
When each user has their electronic signature in the system, we then manage an Organisation Level digital certificate that is issued to your organisation or sub-department.
Taking the Lara Croft example from above, imagine she works for Atlantis Ship Registry - Seafarers Division. In this example, the digital signature would be issued to “Atlantis Ship Registry, Seafarers Division” with the relevant organisational email address such as firstname.lastname@example.org.
If Lord Richard Croft also worked in this division, any digital signature applied would be tied to “Atlantis Ship Registry, Seafarers Division”. The only difference would be in the visual output on the PDF itself where instead of Lara Croft’s electronic signature (the image of her hand-signed signature), it would show Lord Richard Croft’s electronic signature image.
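As an added example (not OHQ Cloud's implementation; the organisation name, tracking numbers, ECDSA P-256 key and key handling are assumptions standing in for a third-party-issued certificate), this Go code shows the scheme described in the digital-signature section and in the Atlantis example above: one organisation-level key signs every certificate, the named user only selects which hand-signed image is displayed, and verification fails if the document, tracking number, displayed signer or organisation is altered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// OrgSigner holds the single organisation-level key, e.g. for the hypothetical
// "Atlantis Ship Registry, Seafarers Division". Individual users never hold a key.
type OrgSigner struct {
	Name string
	Key  *ecdsa.PrivateKey
}

// SignedCert is what the recipient receives; one signature covers every field.
type SignedCert struct {
	Document   []byte // stand-in for the PDF bytes
	TrackingID string // unique tracking number from feature 4.1.3
	SignerUser string // whose hand-signed image is displayed; not a key holder
	Signature  []byte // ASN.1 ECDSA signature over digest(...)
}

func NewOrgSigner(name string) (*OrgSigner, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &OrgSigner{Name: name, Key: k}, err
}

// digest binds document, tracking number, organisation and visible user with
// length prefixes, so changing or swapping any field invalidates the signature.
func digest(doc []byte, tracking, org, user string) []byte {
	h := sha256.New()
	for _, part := range [][]byte{doc, []byte(tracking), []byte(org), []byte(user)} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// Issue signs on behalf of the organisation; user only selects the visual output.
func (s *OrgSigner) Issue(doc []byte, tracking, user string) (SignedCert, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest(doc, tracking, s.Name, user))
	return SignedCert{doc, tracking, user, sig}, err
}

// Verify is what a recipient (or the 4.2 verification site) runs with the
// organisation's public key, which must be obtained through a trusted channel.
func Verify(pub *ecdsa.PublicKey, org string, c SignedCert) bool {
	return ecdsa.VerifyASN1(pub, digest(c.Document, c.TrackingID, org, c.SignerUser), c.Signature)
}
```

Two signatures issued to Lara Croft and Lord Richard Croft verify under the same organisation key, while any edit to the document or a swap of the displayed signer name is rejected.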
Get your IT department involved to see if there are any higher level policies or direction that you should be following. If there are no higher level policies, it’s up to you to decide on how you want to implement electronic signatures as per the FAL convention requirements.
The requirement is suitably vague to enable you to be pragmatic in your approach and choose the option that works best for your organisation.
Should you want to just use basic electronically signed, encrypted PDFs, these are catered for during the onboarding process as part of your certificate loading phase at no additional charge. If you need to enable electronic certificates at a later date, there will be an additional cost at our standard day rate.
If you decide to move forward with digital certificates, there is a per-certificate charge as the PDFs you are issuing will need to be signed and validated by a 3rd party such as GlobalSign. Depending on the volume of digitally signed certificates you are going to be processing, prices scale so the more you issue, the cheaper it becomes per signed certificate.
© 2020 Oceans HQ Ltd. All rights reserved. Registered in England and Wales under 08486423.