Question

I want to use EchoSign as third-party software to sign the contracts that my app generates using iText.

My app creates contracts; the way it works is the following:

  1. The app creates the contract using iText
  2. The app sends the contract to the approver
  3. The approver logs in to the app and signs the PDF by pressing an approval button.
  4. The PDF is created again by the app but now including the approval.
  5. The PDF is stored in the database.

We want to implement EchoSign to manage the approvals. So far I know that EchoSign provides an API to work with and I think that it is possible to implement this in my app.

I have read so much stuff about EchoSign and it seems that all the PDFs are stored and managed by EchoSign servers. We don't want to do that.

The question is: Does the app need to rely on EchoSign servers' availability to send and receive information from the docs created by the application?

Thanks in advance.

Solution

Yes, the app needs to rely on EchoSign servers because the PDF is signed using a private key owned by Adobe EchoSign. This private key is stored on a Hardware Security Module (HSM) on Adobe's side and is never transferred to the client (for obvious reasons).

You also depend on EchoSign servers because that's where the user management is done: EchoSign needs a trail to identify each user: credentials, IP address, login time, ...

If you don't want to depend on an external server, you have two options:

  • each user owns a token or a smart card and uses that token or smart card to sign (for instance: in Belgium, every citizen owns an eID, which is an identity card with a chip that contains a couple of private keys)
  • you have a server with an HSM, you manage your users on that server and sign with the private key on the HSM.

Read more about this here: http://itextpdf.com/book/digitalsignatures
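
The second option above (your own server signing with a key on an HSM), shown as an added example that is not part of the original answer. It assumes iText 5 with Bouncy Castle on the classpath, Java 9 or later, and an HSM reachable through a PKCS#11 configuration file; the class name, argument order and reason text are hypothetical.

```java
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.BouncyCastleDigest;
import com.itextpdf.text.pdf.security.ExternalDigest;
import com.itextpdf.text.pdf.security.ExternalSignature;
import com.itextpdf.text.pdf.security.MakeSignature;
import com.itextpdf.text.pdf.security.MakeSignature.CryptoStandard;
import com.itextpdf.text.pdf.security.PrivateKeySignature;

import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;

public class HsmContractSigner { // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumed arguments: PKCS#11 config file, key alias, input PDF, output PDF.
        String pkcs11Config = args[0], alias = args[1], src = args[2], dest = args[3];
        if (System.console() == null) throw new IllegalStateException("Run from a terminal to enter the PIN");
        char[] pin = System.console().readPassword("HSM PIN: ");

        // Bind the JDK's SunPKCS11 provider to the HSM's PKCS#11 library.
        Provider hsm = Security.getProvider("SunPKCS11").configure(pkcs11Config);
        Security.addProvider(hsm);

        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);
        // The PrivateKey object is only a handle; the key material never leaves the HSM.
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (key == null || chain == null) throw new IllegalStateException("No key or chain for alias " + alias);

        PdfReader reader = new PdfReader(src);
        try (FileOutputStream out = new FileOutputStream(dest)) {
            PdfStamper stamper = PdfStamper.createSignature(reader, out, '\0');
            PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
            appearance.setReason("Contract approval"); // constructed sample value
            ExternalDigest digest = new BouncyCastleDigest();
            // The signing operation itself is delegated to the HSM provider.
            ExternalSignature signature = new PrivateKeySignature(key, "SHA-256", hsm.getName());
            MakeSignature.signDetached(appearance, digest, signature, chain,
                    null, null, null, 0, CryptoStandard.CMS);
        } finally {
            reader.close();
        }
    }
}
```

Only the document hash is sent to the HSM, so the approver's identity still has to be established and logged by your own server before this code is invoked.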

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow