Julien SternDuring the Lightening Talks at Nuxeo World 2011, Julien Stern, CEO & Founder of Cryptolog took a few minutes to share how Cryptolog’s set of tools and services can be integrated into a comprehensive ECM strategy. Today, we have a chance to delve into this subject a little deeper and learn more about how document security plays a pivotal role in the future of content management and go one on one with a man who has helped raise the bar for document data integrity.

CG: Your company provides electronic signature, timestamping and cryptographic archiving solutions. Can you tell us a little about how customers use your solutions? Is it a direct solution-based method between Cryptolog and them or do you provide technology to be integrated into a comprehensive ECM architecture, with components such as document management, digital asset management or content management? In short, do you sell more to IT people or business people? Who are the buyers for digital signing, timestamping and encrypted archives?

The primary thing is that we sell tools; tools to perform electronic signature, timestamping, and cryptographic archiving. We also sell services, but these need to be integrated in one way or another. We can sell either to IT or business people, but in the end we will always have to interact with IT people so they can integrate our solutions. We frequently go through partners to sell our solutions so that the partner can integrate the solution with their own applications or with the existing tools a customer may have. As for the kind of customers that use our solutions…it’s very very broad. We have customers in all sectors: telecommunications, banking, the food industry, institutions, government, etc. The tools we provide allow customers to sign many different types of documents. It’s very horizontal in that respect, and so can be applied to countless industries and user scenarios.

CG: Your discipline is a very technical one, where security algorithms, encryption and trust are key, but also a very regulated one where lawyers and other non-technical authorities dictate a lot of the requirements. How would you describe the challenges you face, are they primarily technological or legal and business ones?

The short answer here is that the challenges we face are primarily in legal and business, but this is because we’ve invested years into R&D in regards to the technological aspects. But the real answer is a bit more complex—the greatest challenge we have is setting the bar at precisely the right level between technology, legal, and business. One of the hardest things with the electronic signature is finding the right balance between the exact security you want to have. There’s a huge range…you can opt for the highest level of security at greater cost or choose something lower, but then you can end up at risk on the legal front. This is especially true when you start crossing geographic boundaries, things get much more complex. So, to address these challenges you must have a system that is flexible enough to allow you to set the right tolerance level that meets the customer’s expectation and complies with third-party regulations.

CG: Are certain customers more demanding?

They’re all extremely different. Actually, the type of system we recommend to a given customer really depends on the underlying goal that the application is meant to enforce. Let’s take a simple example:

Say you insure your house and sign the insurance contract electronically. Five years later (unfortunately) your house burns down. In this case, you typically wouldn’t claim that you never signed the contract, that wouldn’t be in your interest, but what you might claim is that the contract on file is not exactly the same one that you signed—that its words have been modified, you were supposed to get more money, etc. So, in this situation it’s not a matter of whether the signing happened, it’s a matter of challenging the integrity of the content of the document. This is totally different than just a transactional type of signing to initiate the next step in a process, so the technology that we use in these cases is very different.

CG: In your domain, regulation is very local, at the country or state level. How do you deal with these differences and how can you expand your market to offer your solutions outside of your own country?

Let’s be honest, it’s tough because regulations vary. In Europe, it’s not so bad since regulations don’t vary quite as much, and if they do, they are often still in the same spirit. However, other geographies are vastly different…I could even say opposite at times. This is a great challenge. However, being that we’re a European company, we’re in a fairly good position as we face the most demanding legislation regarding respect of private information as well as the level of security required to perform e-signature and qualified timestamps (timestamps with real values). Additionally, the two countries which have even stricter sub-regulations within Europe are France and Germany, and our software has been compliant with these countries for quite some time. When you have to make your products and services strong enough for the places in the world with the toughest regulations, then it’s very likely that you’ll have covered the requirements for the rest of the world as well.

So, expanding to the rest of the world isn’t a legal problem, it’s more a cost and a pricing issue. In countries where regulations don’t require as much security, you build solutions that are less strict and then end up competing with solutions that have a lower price point.

CG: How much does your company deal with the US market?

Hmm….there’s some strange wall in the middle of the Atlantic ocean in regards to the US and e-signature. [laughs] In Europe, the law says that for your e-signature to be legally valid you have to do x, y, z… In the US, they say, “Okay, you can do e-signature and then we’ll see you in court.” Of course, this is really a simplification of the issue, but in general there’s much more freedom of interpretation in regards to whether an e-signature can have legal value in the US than what is established in Europe. The two markets have taken radically different approaches.

CG: Can you say a word on how laws and regulations are evolving?

Well, it’s a great time to be in this business. In 2009 the European Commission launched Mandate 460, which is aimed at harmonizing all active e-signature systems throughout Europe. This means also synchronizing a number of the technologies which are strongly related to e-signature, but may not have been covered well enough in the previous rounds of legislation, such as timestamping, e-archiving and the like. So hopefully we’ll soon have a more consistent framework throughout Europe. And, I’m happy to say that Cryptolog is heavily participating in all of these activities. I’ve been in this field close to 15 years and from a practical and business standpoint the industry has never been as active as it is today, and this is mainly due to this strong European push.

CG: Do you think the market is maturing and getting ready for browser-based solutions?

It really depends on what you call browser-based solutions. At the time being to obtain an e-signature with the highest possible legal value that is defined, you need to use a smart card or USB token, but we do offer a number of solutions that allow companies to have their customers sign contracts on the web quite easily, but it’s definitely an area that’s still evolving.

Realistically, the issue of browser-based solutions is a far more in-depth subject as there are two radically different solutions: one in which you use a browser, but you use either an ActiveX or Java applet, in which case the browser acts as a medium to transfer an application which then runs locally, while the other solutions we get into involve doing signing in the cloud and there’s still a lot of countries debating the value and issues related to this. But, this is an over-simplification of this issue. Actually, we recently published a white paper on the various legal values associated with e-signature and how it relates to current regulations and market trends. You can find it on our web site, it’s called Contractualisation en ligne : réussir son projet de signature électronique, currently only available in French.

CG: How have you seen the public’s perception of this technology change in the last 10-15 years as far as them trusting it, accepting it and then making it part of their workflow?

In the last 10 years we’ve seen major growth in electronic exchanges, major growth in cyber attacks as well as growth in consumer awareness and mindshare. These aspects are pushing our industry to increase electronic security and utilize e-signature more and more. A vast majority of documents that we use on a daily basis today never exist in paper form—they are generated on a computer and so will never be scanned. They are transferred and archived electronically; so, in fact, the entire life cycle takes place electronically. It would be a waste of time and a waste of paper to have to print these documents out only to sign and rescan. Plus that would then require you to archive the original paper document with the signature. I think that the growing need of e-signature and timestamping is very clear. Ten years ago people did not see the value of e-signature or they saw it as too complex. Today, the cost of having an e-signature project has reached a level where even SMEs can implement it. The market has definitely matured here, that’s my take, but I also think that this is just the way history is supposed to move forward.

CG: Your solutions also share some similarities with DRM solutions. How would you relate these technologies to each other in the context of what your company does?

I spent a lot of time studying DRM solutions when I was doing my PhD, and although the underlying technology has a basis in cryptology, they are very different. DRM is a vertical application that can rely on a number of technical tools, such as low level e-signature, low level encryption, and timestamping, but I wouldn’t qualify what we do as DRM and none of our customers use our tools in this manner. The difference is that with signature and timestamping we add value to documents, we enable you to enrich a document by adding an e-signature, time value, and secure the document, but we don’t perform any kind of access control on the document itself.

CG: We met you at Nuxeo World and know you are working with Nuxeo on a connector to integrate your solution into the Nuxeo Platform. What’s your take on ECM solutions? Do you have any predictions or ideas on the future of ECM and what we can expect?

I’m not an expert on ECM, but in regards to how it relates to my field, I’m pretty sure all ECMs will have more security features and specifically that ECMs will allow timestamping and e-signature of documents—this is a natural progression. ECM manages the life cycle of a document and the Nuxeo platform is one of the most flexible solutions that I’ve seen in regards to life cycle management. In real life, the document life cycle means that sometimes you sign and sometimes you want to archive a document in a safe way, for instance, a notarized document or a document that we might want to put it in a sealed envelope so no one touches it. We need electronic equivalents of this, so to me it seems very natural for ECM to include e-signature and timestamping as a strategic component.

Nuxeo is the first platform that we’re starting deeper integration with. As software companies we share a lot in common: culture, being committed to the standards in our various fields, we’re both technically oriented without forgetting the business aspects of what we’re trying to achieve, and we both believe that flexible tools are often more important than creating a vertical product.