Secure crypto – SigningHub supports the latest cryptographic algorithms endorsed by governments and the banking industry. SigningHub can use either RSA or ECDSA signing, with industry-leading large key sizes, e.g. 2048-bit+ for RSA keys. For hashing, the SHA-2 family of algorithms is supported, including SHA-256, SHA-384 and SHA-512. For data privacy we use AES 256-bit encryption.
Full certificate validation – SigningHub performs full validation of the signer’s certificate chain and extensions, following the rules of IETF PKIX RFC 5280. Our certificate validation engine has been independently evaluated and certified against the latest PKITS test suite.
Dynamic path discovery – In complex PKI environments such as the US Federal Bridge PKI and other bridge CA initiatives, there is a requirement to dynamically build certificate paths for the signer since all the different PKIs are not expected to be pre-registered. To support this, SigningHub can perform dynamic path building using a number of standard protocols and has been independently certified as compliant with the US Path Discovery and Validation (PD-VAL) program for its SCVP protocol. This allows US Government-issued PIV cards to be used with SigningHub.
Online Certificate Status Checking (RFC 6960) – SigningHub supports real-time checking of the signer’s certificate status to ensure the signer’s identity, role or signing key has not been revoked at the time of signing. The OCSP response is then embedded into the signature for long-term validation. Offline CRLs are also supported (including delta, indirect and partitioned CRLs).
Trusted Timestamping (RFC 3161) – As part of each user’s digital signature, SigningHub embeds a digitally signed timestamp from a Time Stamp Authority (TSA) to independently prove when the document was signed. Multiple external TSAs, including qualified TSAs, can be configured, or the SigningHub internal TSA service module can be used.