Business-Suitable Document Authentication System?
ram.loss writes "The company I work for has decided to go paperless for all memos and internal correspondence. In addition to the central administration, the company has three more or less autonomous, physically separated divisions; that means we do not have a common IT infrastructure across all of them. Since I am the only resemblance we have to an IT department at my division, I have been commissioned with evaluating the available technology to manage and authenticate all correspondence, although it is not my area of expertise (I have a CompSci degree, but for many years have specialized in transportation modeling software). My initial thought was to use a document management system like Plone (this is the system I'm familiar with); from what I have read, that would take care of the management part, but what about authentication? We need each document to be signed, and a fully auditable system that keeps track of who signed what document, who received it and when. It also must take into account the handling of external correspondence in the future, where a recipient outside the company must have the means to return an authenticated document as a response. I'm aware that I'm leaving out a lot of details, like how the documents will be signed, the legal implications, etc., but for the time being I'm only interested in the experiences of the Slashdot crowd with such systems, and hopefully finding out enough information to hand over the matter to (or hiring) somebody more qualified, once I know what to look for. Has anybody out there used a similar system? Am I in way over my head?"
Microsoft SharePoint can handle most of what you need out of box, and you can configure and customize what you need for the rest, I believe.
How about iButton crypto cufflinks?
Try Knowledgetree - It's open source, has workflow and it is fully audited: http://www.knowledgetree.com/solutions/industry-solutions We use it in our law firm (I manage it - we are relatively small, http://1p.com.au/) and it runs without any specific expertise. I have previously tried other solutions without success. We also really appreciate Knowledgetree's ability to interact seamlessly with MS Office etc. Good luck
Am I crazy for suggesting email? It's trivial to lock it down to a LAN if needed, and if some documents need signing and passing out to the real world, that sounds like PDF to me. You know, because PDF is portable.
Yes, I know you need a "history." And there are so many email archiving systems out there, that one of them must be good for actually going through that data.
Sounds like you have serious requirement overload. You need to go back and ask them what they ACTUALLY want.
For example, what is a "document?" Who is signing it? How long should the audit trail be? How many millions are you investing in this needlessly complex internal system?
What you're after simply doesn't exist and likely never will. Even if it did implementing it would be hugely expensive and time consuming.
What I don't understand is how this can replace a paper system? Paper systems lack almost all of the features you requested... So clearly you do not NEED this stuff and thus we came around full circle to requirement overload.
If this is a large company, don't cheap out there. Budget the right amount of money and buy what's available and implement it properly. That means baking it in seamlessly with the business process.
It's okay to do that y'know. Sometimes saving money costs the company too much money.
For the internal case, a bulletin board style web-based system's PM facility will provide you with delivery and confirmation of receipt. Or you could go the whole hog and install PDM software like Agile... but I doubt you want to do that ;)
For the external case, I suggest using fillable PDF documents, with a secure signature generated by the addressee (this is instant and free in Adobe Reader).
It's not free but it is a nice system with strong permission controls and customizable workflows.
http://www.altec-inc.com/products/doc-link/index.html
Lotus Notes/Domino by IBM takes care of all that... including external branches, digital signatures, tracking of who has been reading it, who were the previous readers etc. etc... We have been using it extensively and it provides everything you just described.
Give everyone a copy of PGP or gnupg and use your favorite collaboration program to store and version the documents. I would consider just signing the docs and not encrypting them when they are not sensitive; encryption just adds risk that you could lose data more easily. It's really important to know that it really was the comptroller who authorized the PO for that new delivery van, but it's not a secret that the company purchased a new truck.
This should also give you some flexibility going forward. If you don't like the work flow solution you don't have to change the authentication solution or the other way around.
Look at https://www.uspsepm.com/ document integrity and authentication. https://my.inscrybe.com/ supports workflow and multiple signings and incorporates the epm.
But couldn't something like Postini do the trick for you?
OpenOffice.org directly supports digital signatures:
Digital Signing of documents
Try posting this on the LOPSA mailing list. It's an excellent resource, with lots of sysadmins in different environments hanging out. If you're not a member, email me (aardvark atsign saintaardvarkthecarpeted dot com) if you'd like me to post to the list on your behalf. You might also want to try the IRC channel #lopsa on Freenode.
Membership is only $50/year, and access to the mailing list alone is worth every penny. I'm a member, and it's saved my butt on occasion. Even if you're not a sysadmin, this is definitely a sysadmin-type question, and I think you'd benefit from being able to ask questions on the list.
Since I am the only resemblance we have to an IT department at my division, I have been commissioned with evaluating the available technology to manage and authenticate all correspondence, although it is not my area of expertise (I have a CompSci degree, but for many years have specialized in transportation modeling software).
From what you say, I can conclude that your company's staffing is anaemic in the IT department. Because of this, I suggest that you abandon this project for the time being as you build up manpower and expertise in IT. Hire more folks so that they can get to know the business logic and flow of information at your company, then kick-start this project.
Take a clue from Munich with its Linux migration efforts.
Bottom line: A drastic change in the way you work will create lots of headache for you given that as you say, "...Since I am the only resemblance we have to an IT department at my division...".
I'm worried for you, but wish you the best at the same time.
You'll need to elaborate on two things to get good answers:
- What is a document? Rich text, or scanned paper, physical paper, or something else?
- What is authentication? Tracking electronic versions from creation, through revisions, to finalization, or something different like confirming that physical document "A" is the same as physical document "B"?
I know of solutions for the case where documents are soft-copy rich text with images and attached scanned documents. A Lotus Notes database can be easily created to track such documents, prevent over-writes, track revision histories, etc. I work for a pretty big consulting firm, and we use Domino-based systems for things like this all the time.
Some caveats -
- Domino is easily set up, but requires product knowledge to perform well and scale. How big is your firm?
- Users will need to have Notes IDs to work with the system, as ID (certificate) + password based PKI is the foundation of Domino's authentication mechanism.
Some benefits -
- Depending upon the setup, users will be able to work with documents via your corporate intranet.
- Depending upon the setup, replication (think synchronization) can enable users to keep local copies of this data, for access while they are outside of the intranet.
Access for outsiders is more complex.
- If the outsiders are trusted (e.g. auditors), the solution may be to give them Notes IDs and grant them access to the intranet and this system.
- If the outsiders are end-users (e.g. E&Y clients submitting their 2010 US tax forms), then you may be into custom application space. I'll skip the plug for my company.
I have been looking at http://www.alfresco.com/. Looks like it will be included in Ubuntu soon.
I second the "Alfresco" suggestion. It has Records Management capabilities that satisfy the Government Records keeping requirements (5015.2). SharePoint is another option that has similar record keeping functionality that can be added.
...but everyone is ignoring the pink elephant in the room.
No common IT infrastructure? I'd tell them to attack that before implementing anything new company wide. Without a common IT infrastructure you'd have to get a poll for exactly what each division has (does each division have a common infrastructure, I hope so) and pray that each division has standardized on something whether it be *Nix, Windows, Mac or whatever. Once you have that, getting an electronic document handling system will be much easier as you'll have only to worry about file formats from one office suite (and possibly PDFs).
As for signing of documents, PDF is the only format that handles that internally, though I guess you could get people to get their own PGP keys, though I think the hassle would not be welcome.
To summarize: /.ers :p
1. Get company to implement standard IT infrastructure company wide
2. Get IT department to implement EDHS
3. ???
4. Profit! --- very important to companies, apparently less so to
I recently got some data from a health agency, and they sent it using Voltage SecureMail.
Not sure of the exact specifics, but it seems that when they send an email with a secure attachment the file is stripped, stuffed on a repository, then I get a link. I have to register and sign in, then I can download the attachment. Personally I'd rather all attachments worked this way rather than people sending individual multi-megabyte files over SMTP to multiple recipients, most of whom won't bother reading them... But I digress.
So I had a look at the Voltage web site and it seems they may be a solution provider who can synergise your workflow experience management:
http://www.voltage.com/products/
I'm sure they'll love to hear from you.
Sense/net, SharePoint, OpenText, Interwoven ordered by cost. My personal favorite is Interwoven TeamSite as it hooks directly into Office.
Documentum is awesome but so is the price...
But no real authentication systems that accomplish the goals you lay out. Even PGP (if you can convince people to use it and educate people on how it works) only accomplishes signing. It will not track these documents in the manner you describe.
And PGP has significant problems. People understand what passwords are. They do not have a clue what a 'private key' is, or what it means to use one. This requires significant education effort. And unfortunately the user interfaces surrounding products that use PGP do little to help this educational process. Most of them seem to be designed by crypto-geeks who assume that everybody already knows these things and just wants a convenient way to manage them.
And, unfortunately, PGP is not widely supported in email clients outside of the GNU/Linux sphere. Even Thunderbird requires a plugin for adequate support. Everybody else seems to have assumed that the bletcherous, ugly, stupid mess that is an X.509 certificate is what people will use, if they use anything at all.
In my opinion, this state of affairs is ripe for some kind of solution. It was one of the problems I meant to address when I started CAKE years ago. But that project has stalled out because of time and the general fact that unless I'm being paid, I tend to drop things as soon as I prove to myself that they work.
...but I assume in your case you should probably have a look at something backed by a commercial company which will take the hassle to certify the system and your workflows. Have a look at Alfresco (alfresco.com) which already has some certifications (e.g. http://www.alfresco.com/media/releases/2009/10/records-management/).
Alfresco can be a pain to get set up the first time (though they have improved it a lot). It has user- and group-based access that can reference Active Directory using NTLM, Kerberos or LDAP, and single sign-on is an option (so it picks up desktop credentials and you never type a username and password). You can have Windows file shares through CIFS/SMB that you transparently sign on to from Windows.
It even has SharePoint protocol support, so you don't have to download a document to edit it... you can edit online.
It also has document conversions, workflows, rules, can receive and file documents via email, and has a robust API.
The "who received it when" bit is not built in, but you could easily extend its functionality. It will, though, keep track of any modifications. It does have auditing that I have never explored and may keep greater track of things than I am aware of.
Plone and the other suggestions here are all much better at these two than any system built on e-mail.
The requirements are uselessly fuzzy. Neither searchability nor workflow are specifically mentioned, though searchability is implied in "management".
It sounds to me like even MS Exchange with public folders (and therefore just about any IMAP server) could handle the requirements as specified. Signing, authentication, tracking, indexed searching are all bog-standard features of any modern email system.
You typically won't get it all in one box with OSS (but could assemble your own) but Microsoft (exchange), IBM (Notes) and a host of others have prepackaged groupware systems based round a core of email. 99% of users never use the encryption, key management, signing, tracking features, but there you go.
The primary benefit is the network effect. Email works everywhere.
The question I have is what you mean by 'signing' a document.
If you mean that a piece of paper has been physically signed by someone and then scanned and an image retained, then you need a document imaging system.
If you mean to go paperless and can get people to fill out online forms, you can make the case that they are doing the electronic equivalent of signing when they log into the system with their own username and password AND they click on a given button (e.g. "Submit" or "Apply Signature") and perhaps type their initials into a small text field.
There are at least two ways you can handle online forms with Plone: PloneFormGen or custom content types via Archetypes. If you use custom content types, the History tab shows you changes to the content item (who, when), and if you have a workflow assigned to it, the workflow history is retained as well, showing when the item was transitioned to, say, the "signed" state and by whom. If you use PloneFormGen, simply include in the form two hidden and/or non-user-editable fields (datetime with default value the current date/time, and username with default value the currently logged in user).
http://indorse-tech.com/ -- they have a software product that signs your documents and can track when people open and view them via a "Call Home" technology. Runs on top of SharePoint or stand-alone, iirc. Tracks Microsoft Office, PDF, etc...
I realize your company may not make it easy to do so, or the other departments may not help but ...
Have you considered, since you're the only one in your portion, that asking them for help may be useful?
I'm making a lot of assumptions about an ideal situation that may not apply to you, I realize that, so it may not be possible for you.
If it were though, you might find that you can save yourself a lot of time just by working with the other groups.
You could also very well create a new position for yourself, pull all 3 divisions together and save some money in IT and you might end up in charge of all of them. (if you want to do that, personally I still prefer to be in the trenches).
Either way, you may find that they've already done this research and found something that didn't work for them, but might work for you, OR might work for everyone if you all got together to do it, versus not being cost effective for one group to do it.
A company I worked for was bought out a long time ago, we basically continued to operate as 2 companies under one name for a long time. Then our IT department started pushing to integrate, taking the best parts of both companies and merging into a better structure overall. We ended up saving a lot of money.
Interestingly enough, our IT was killed off and released shortly after we suggested moving the web servers that had a window view of Wall Street to somewhere that we could run them for 10 years for the same cost as a single day in their current data center... So you may want to be careful what you suggest.
Another interesting twist was that shortly after we got 'released', the company was bought once again, by a company near Atlanta, which promptly closed all the offices on Manhattan, including the one that was chosen over us. Senior management from our original company passed along the word that the new buyers made it clear that stupid choices like killing our data center and keeping one in Manhattan is exactly why they were now going to be looking for new jobs themselves.
We were vindicated, but some of us were still unemployed unfortunately. Either way, it may still be worth your while to try.
If you're looking for a paid-for solution, you might go talk to Oracle. They have some interesting options in content management. Not sure if it's the right fit for your case though.
PharmaReady has a DMS system that should be able to do what you ask provided you have the webserver available outside your intranet. Instead of passing documents via email, authorized users would upload them themselves and then pass a link. The system is designed with FDA regulations in mind and keeps an audit trail of all activities and has well defined users and user permissions.
Open Text FirstClass & Social Media are easy to manage secure messaging, document management, and online communication and collaboration solutions that can do what you need without large IT infrastructure.
What you are looking for is similar to what is used in GLP/GMP validation. You are in over your head. There is software that does what you need, but in order to get it set up so that it is legally binding requires a specialized knowledge set.
It is not that it would be impossible, or even ridiculously difficult, for you to set this up. However, if your company wants to do this in any sort of reasonable time frame (less than a year), you will need to work on this as your primary task. You will also need the authority to demand responses from a lot of different people in the company. If you don't have somebody who has the authority to fire anybody in the company backing it (by backing it, I mean insisting on updates every so often and leaning on whoever you are waiting for a response from), it won't happen. Basically, the story is, this is something that requires company-wide buy-in.
Perhaps I am misunderstanding the inquiry, but it sounds like you are asking about enterprise content management.
https://www.sendside.com
Secure document management, electronic signatures, and many other features, using a SaaS model like Salesforce
Take a look at NetDocuments. It's SaaS, so you don't have to maintain servers, and sharing documents between multiple offices is trivial. It includes digital signature functionality.
We found that Sharepoint didn't offer the level of document authentication that we needed for the FDA-inspected laboratory in our organization. NextDocs is a 'bolt-on' to Sharepoint that offers an electronic signature feature. We're rolling that out now and it seems pretty useful. So if you go the Sharepoint route and it isn't enough, this is worth checking out. Also, you get to say 'bolt-on' in conversation, with maybe an accidental 'strap-on' now and then.
what's this "You failed to confirm you are a human. Please start from the beginning and try again. If you are a human, we apologize for the inconvenience" thing ?
Adobe Acrobat will do some of this, if not all. It does not require a central document repository and works across platforms - at least, as I recall, documents can be signed and verified on Linux though must at present be created in Distiller on Windows. As PDF is a somewhat open standard there is at least the possibility of other tools supporting the digital signatures.
A document may have multiple signatures placed in the document body in a natural way - i.e. where you might have an ink signature box. You need a certificate authority of your own to issue certificates to signers - after all, anyone can get a Verisign certificate, and who's to say that Joe Bloggs, even if he is the real Joe with a passport to prove it, can sign off on your reactor design?
There are some options to set when the document is created that control whether it can be signed by the free cross-platform reader or only by the paid-for Distiller.
Drawbacks vs. GPG digital signatures - only works on PDF files, must be created on Windows.
Advantages - natural signing/verification mechanism built into the reader.
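As an added example (not code from the original post, nor from PGP, Adobe or any other product named in this thread), the Go program below illustrates two points made in the thread: signing documents without encrypting them, as the earlier PGP comment suggests, and, as the Adobe comment above puts it, accepting a signature only when the signer's certificate was issued by a certificate authority of your own, so that a public-CA certificate in the right name is not enough. Ed25519 from Go's standard library stands in for PGP or X.509; the authority, the credential byte format, the signer names and the memo text are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential binds a signer's name to a public key and carries the company
// authority's signature over that binding: the "certificate from a CA of your own".
type Credential struct {
	Name   string
	PubKey ed25519.PublicKey
	Issued []byte // authority signature over credentialBytes(Name, PubKey)
}

// credentialBytes is the exact byte string the authority signs. The name is
// length-prefixed so two different (name, key) pairs cannot serialize identically.
func credentialBytes(name string, pub ed25519.PublicKey) []byte {
	b := []byte(fmt.Sprintf("cred:%d:%s:", len(name), name))
	return append(b, pub...)
}

// Authority holds the company's issuing key pair. Verifiers trust only its public key.
type Authority struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority() (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{Pub: pub, priv: priv}, nil
}

// Issue returns a credential for name/pub signed by this authority.
func (a *Authority) Issue(name string, pub ed25519.PublicKey) Credential {
	return Credential{Name: name, PubKey: pub, Issued: ed25519.Sign(a.priv, credentialBytes(name, pub))}
}

// SignedDocument is a detached signature: the document itself stays readable and
// unencrypted; only the signer's assertion over its SHA-256 hash is added.
type SignedDocument struct {
	DocHash   string // hex SHA-256 of the document bytes
	Signer    Credential
	Signature []byte // signer's signature over "doc:" + DocHash
}

func SignDocument(doc []byte, cred Credential, priv ed25519.PrivateKey) SignedDocument {
	h := sha256.Sum256(doc)
	hh := hex.EncodeToString(h[:])
	return SignedDocument{DocHash: hh, Signer: cred, Signature: ed25519.Sign(priv, []byte("doc:"+hh))}
}

// Verify accepts a signed document only if the signer's credential was issued by the
// company authority, the document bytes still hash to the signed value, and the
// signature verifies under the signer's key. Order matters: an untrusted key is
// rejected before its signature is even examined.
func Verify(authorityPub ed25519.PublicKey, doc []byte, sd SignedDocument) error {
	if !ed25519.Verify(authorityPub, credentialBytes(sd.Signer.Name, sd.Signer.PubKey), sd.Signer.Issued) {
		return errors.New("signer credential was not issued by the company authority")
	}
	h := sha256.Sum256(doc)
	if hex.EncodeToString(h[:]) != sd.DocHash {
		return errors.New("document content does not match the signed hash")
	}
	if !ed25519.Verify(sd.Signer.PubKey, []byte("doc:"+sd.DocHash), sd.Signature) {
		return errors.New("document signature is invalid")
	}
	return nil
}

// Demo runs the three cases a verifier must tell apart and returns each outcome:
// a genuine signature, a tampered document, and a signer whose credential came
// from some other authority (the "anyone can get a Verisign certificate" case).
func Demo() (genuine, tampered, outsider error) {
	auth, err := NewAuthority()
	if err != nil {
		return err, err, err
	}
	memo := []byte("Memo 2011-03: purchase of one delivery van approved.") // constructed
	compPub, compPriv, _ := ed25519.GenerateKey(rand.Reader)
	compCred := auth.Issue("comptroller", compPub) // issued by our authority
	signed := SignDocument(memo, compCred, compPriv)
	genuine = Verify(auth.Pub, memo, signed)
	tampered = Verify(auth.Pub, []byte("Memo 2011-03: purchase of two delivery vans approved."), signed)
	other, _ := NewAuthority() // a different issuer: same name, not our CA
	outPub, outPriv, _ := ed25519.GenerateKey(rand.Reader)
	outsider = Verify(auth.Pub, memo, SignDocument(memo, other.Issue("comptroller", outPub), outPriv))
	return genuine, tampered, outsider
}

func main() {
	g, t, o := Demo()
	fmt.Println("genuine:", g, "\ntampered:", t, "\noutsider:", o)
}
```

The signed record carries the document hash rather than the document, so the memo can sit in whatever document management system is chosen and the signing scheme can be swapped independently, which is the flexibility the PGP comment argues for. Revocation, time-stamping and countersignatures are left out; a real deployment needs at least the first.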
English is not my native language but I'll do my best. I agree with the people here that told you to find out more about what the company really needs, and maybe your company should think about getting a common IT infrastructure first. In general it would be a good idea to try to document your processes (what is supposed to happen when we receive this and that type of document? What will you need to do with these documents? Just store them? Or are the documents meant to be edited by multiple subcontractors?). For some companies it makes sense to have systems that function as both CRM and document control system. It might also be nice to link to other types of systems, and that is why you would be better off if you have a common IT infrastructure. There are many big vendors - some are "general purpose" systems and some focus on specific industries. In the plant / oil and gas industry, contractors and oil companies use systems which can handle documents in ways required by local government. You should check whether your company needs to follow state rules regarding how to handle documentation. Some systems are really good at handling CAD files - the best of them have support for reference drawings and revisions as well as the functionality needed for controlling documents linked to each other per project. They might also have support for setting up the CAD application to follow a drawing standard per project (a type of super template). People here mentioned Documentum and SharePoint, and there are of course many more; I can add 2 to the list: Bentley Systems (ProjectWise) and Software Innovation (ProArc).
Lotus Forms (not to be confused with Lotus Notes or LotusLive Forms Turbo) is an XForms implementation that has an XML extension for pixel-perfect form rendering (there's an add-on that even allows you to scan your empty paper forms for conversion). It can run off a forms server or even without a connection using a forms client. It allows for overlapping digital signatures (you sign your stuff, I cross-sign, so you can't change your mind) including signing of attachments. Two aspects are remarkable: since the form is kept in every file you always will see the original as filled in (so both form and data are signed), and since data is stored in an XForms instance, extraction of data is easy using XPath. Disclaimer: I work for IBM.
You can try to make a solution for your problem by using Runa-WFE http://wf.runa.ru/About
It's free software, and, as far as I know, can handle your tasks.
Also you can try looking at http://www.nuxeo.org/xwiki/bin/view/Main/
Both products are based on JBoss.
I must admit I'm not terribly familiar with the problem, but consider XAdES (XML Advanced Electronic Signatures; see Wikipedia) as a requirement for signing your documents, because it seems a reasonably well-backed standard if ETSI has standardized it since 2002 and the EU encourages it for intergovernmental correspondence. It also seems future-proof if it has the signing algorithm as a parameter instead of predefined.
Also, the upcoming ODF 1.2 supports it (see ODF spec part 3 chapter 4).
Sounds like you're looking for an Information Compliance solution. Take a look at http://www.nextlabs.com
As others have mentioned, you will want to look at an Enterprise Content Management platform. For a .NET-centric shop SharePoint can be a good fit. However, stick to basic document management and workflow with SharePoint. Building scalable ECM systems in SharePoint has its share of challenges, particularly with all content stored in SQL. If you require additional features such as workflow, BPM, Retention, E-Discovery, and Digital Asset Management, then look toward FileNet (IBM) or Documentum (EMC).
Documentum is very scalable, driven by a SOA/J2EE backend and JBoss, so there is quite a bit you can do under the hood. That of course comes at a price, as with any Enterprise System. Also, having a strong business case and metrics for success is critical. Just going paperless is not always enough. Think savings of FTE in Accounts Payable with process automation or Contracts Management. Think controls and compliance...
Ok, shameless plug, but we have a ton of stuff on our blog on both SharePoint and Documentum www.capps-llc.com/blog (slashdotted, here we go)... :)
If you're talking about an eSignature implementation that would work inside and outside your intranet then you are attempting something too ambitious. If you need eSignature type functionality I would suggest something like DocuSign.com. You definitely want to use an SaaS solution if you need external users in a future release. DocuSign now has a feature that allows document attachments btw. If you're just looking for a way to post documents and track viewing then I would suggest something like Acrobat Pro generated and eSigned PDFs that are posted on an Apache HTTP server. Turn extended access.log logging on and for intranet you could implement something like CA's SiteMinder for NTLM authentication and log the NTLM username/domain in access.log.
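An added example (not from the original thread, and not part of Apache, SiteMinder or any product named above) of the "who received it and when" report that the comment above proposes to build from Apache's access.log with the authenticated user recorded. It parses constructed combined-format log lines, counts only successful deliveries of .pdf documents to a named user, and flags any delivery with no authenticated user, since a 200 there means the document went out without a login. The log lines, paths, IP addresses and DOMAIN\user names are made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// View records one authenticated delivery of a document to a user.
type View struct {
	User string
	Doc  string
	At   time.Time
	IP   string
}

// Combined log format: host ident user [time] "method path proto" status bytes "referer" "agent".
// The user field (%u) is where an NTLM-authenticated DOMAIN\user name lands.
var lineRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+`)

const apacheTime = "02/Jan/2006:15:04:05 -0700"

// ParseViews turns access-log text into a "who received which document, when" list.
// Only GETs of .pdf paths answered with 200, or 206 (PDF readers fetch byte ranges),
// count as deliveries; 304 means the client already had the file, so it is skipped.
// Deliveries to an unauthenticated client ("-" in the user field) become warnings.
func ParseViews(logText string) ([]View, []string, error) {
	var views []View
	var warnings []string
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			return nil, nil, fmt.Errorf("unparseable log line: %q", line)
		}
		ip, user, ts, method, path, status := m[1], m[2], m[3], m[4], m[5], m[6]
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i] // drop any query string before checking the extension
		}
		if method != "GET" || !strings.HasSuffix(strings.ToLower(path), ".pdf") {
			continue
		}
		if status != "200" && status != "206" {
			continue
		}
		at, err := time.Parse(apacheTime, ts)
		if err != nil {
			return nil, nil, err
		}
		if user == "-" {
			warnings = append(warnings, fmt.Sprintf("%s served to unauthenticated client %s at %s",
				path, ip, at.UTC().Format(time.RFC3339)))
			continue
		}
		views = append(views, View{User: user, Doc: path, At: at.UTC(), IP: ip})
	}
	return views, warnings, sc.Err()
}

// Recipients lists the distinct users who received doc, in order of first delivery.
func Recipients(views []View, doc string) []string {
	seen := map[string]bool{}
	var out []string
	for _, v := range views {
		if v.Doc == doc && !seen[v.User] {
			seen[v.User] = true
			out = append(out, v.User)
		}
	}
	return out
}

// sampleLog is constructed test data, not real traffic.
const sampleLog = `10.0.0.5 - CORP\jdoe [10/Mar/2011:09:14:22 +0000] "GET /memos/2011-03-budget.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.7 - CORP\asmith [10/Mar/2011:09:20:05 +0000] "GET /memos/2011-03-budget.pdf HTTP/1.1" 206 16384 "-" "Adobe Reader"
10.0.0.5 - CORP\jdoe [10/Mar/2011:09:21:40 +0000] "GET /memos/2011-03-budget.pdf HTTP/1.1" 304 - "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2011:09:30:11 +0000] "GET /memos/2011-03-budget.pdf HTTP/1.1" 200 48213 "-" "curl/7.19"
10.0.0.7 - CORP\asmith [10/Mar/2011:10:02:17 +0000] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.0.5 - CORP\jdoe [10/Mar/2011:10:05:00 +0000] "GET /memos/travel-policy.pdf?v=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
`

func main() {
	views, warnings, err := ParseViews(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, v := range views {
		fmt.Printf("%s received %s at %s from %s\n", v.User, v.Doc, v.At.Format(time.RFC3339), v.IP)
	}
	for _, w := range warnings {
		fmt.Println("WARNING:", w)
	}
	fmt.Println("budget memo recipients:", Recipients(views, "/memos/2011-03-budget.pdf"))
}
```

A 200 in the log proves the bytes were delivered to an authenticated session, not that anyone read them, and the user field is only as trustworthy as the authentication in front of the server; that is the gap between this report and the signed acknowledgement the original poster asked about.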
You're not really looking for full-blown document management. You're looking for electronic approvals (usually called eSignatures).
The simplest way to do it is embed the eSignature (approval) in the word document or in a pdf.
Look at silanis for embedding in word documents
http://www.silanis.com/solutions/e-signatures-desktop.html
Look toward adobe for embedding in pdf.
http://www.adobe.com/products/livecycle/digitalsignatures/
I would only use these for the important approvals that legally require signatures. For anything that's just an out-of-date internal process, consider something simpler (e.g. email approval is good enough).
Are you saying that Microsoft is sometimes evil??
You may want to try OWL http://owl.anytimecomm.com/. It has hashing of records and the resulting hashes are stored on the record... also includes PDF watermarking etc. GPL...
How and what needs a 'proven signature'? The usual ratio is 90% unproven signature, 10% or less needs a proven signature.
How do you prove at present?
Do you check every signature against a secured proven typical signature mandate card? If not then you do not need to do it electronically as you do not do it manually. Ask 'boss' how he proves his signature on any document he signs!
Old Comecon banks used to have a photograph taken at point of signature for 'foreign exchange' and appended it to the logged file (also took a fingerprint); much office filing but good proof for any court case thereafter. Do you need this standard of proof?
Regards Eion MacDonald
Given that you have worked with Plone already, and it satisfies most of your requirements, it will probably make most sense to stick with Plone and possibly have it customised to any particular content signing needs.