Jun 26, 2023
DSS is GlobalSign’s highly scalable, cloud-based Digital Signing Service. DSS is available through a RESTful API, therefore allowing anyone with a DSS Account (and credentials for authentication) to submit hash values for signature. The signature information returned from DSS is based on information that has been verified by GlobalSign. DSS will return signed hash values, and when those are embedded correctly into documents (for example .pdf) a publicly trusted signature will be rendered, guaranteeing the integrity of the document and the authenticity of the signature. DSS can also return timestamp tokens, which can be embedded into the signature to verify the time of signing and secure the document with Long-Term Validity (LTV).
DSS in itself provides the cryptographic core components for your digital signatures based on trusted identities. However, for the most common use case of document signatures, a few other steps are necessary.
A document that should be digitally signed needs to be submitted through the DSS API as a hash value. Hashing the document has to be done on the client side, either by leveraging a compatible digital signature application or by setting up and possibly writing a properly configured application.
The signed hash and timestamp tokens returned by DSS need to be embedded into the document. Once again, this has to be done on the client side, either by leveraging a compatible digital signature application or by setting up and possibly writing a properly configured application.
For further questions on how to use DSS to its full extent, please contact our Sales Team at: https://www.globalsign.com/en/company/contact
DSS does not provide private keys to end users. Rather than that, a private key is created when the /identity API call is used, together with a certificate containing the requested subject information (as long as those are within the validation policy). This private key is then used for the signature of the SHA-256 hash submitted with the sign API call. The signed hash is then part of the API response, but the private key never leaves the secure GlobalSign environment.
As many GlobalSign CAs are part of the Adobe Approved Trust List (AATL), all certificates issued by or building a chain to any of those CAs will be trusted in Adobe Products or any software using the AATL as a trust store.
Depending on the way you intend to consume DSS, the registration process may vary. Since May 2020, we have started to offer the Atlas Portal to DSS customers, allowing the set-up and management of DSS subscriptions through a web-based GUI. However, the onboarding process may vary depending on your use case. Either way, your best option is to reach out to one of our local Sales Team, who will gladly assist you: https://www.globalsign.com/en/company/contact.
Setting up DSS through the Atlas Portal involves a few simple steps.
Managing DSS works differently depending on whether or not you're making use of the Atlas Portal.
Atlas Portal Users:
Managing your Service subscription, identities, API credentials, or mTLS certificates can all be done via the Atlas Portal. Log in to your account and navigate to the corresponding section. If the functionalities of the portal don't meet your requirements, you may use the built-in button on the right to request additional support.
Please contact the account manager or Sales Engineer who assisted you in setting up your account. You can also reach out to our Support Team at: https://www.globalsign.com/en/company/contact
Below are the default rates for a DSS Account. (Note: Default rates can be adjusted, depending on use case and requirements.)
Signature Rate Limit: 5/second
Timestamping Rate Limit: 5/second
Identity creation (issuance): 1/second
Signature Subscription: Your signature subscription quota depends on the number of signatures that has been purchased through the Atlas Portal (or manual onboarding process). A signature subscription is valid for one year, meaning, from the date of Account setup, you have 365 days to consume the maximum number of signatures associated with your DSS subscription.
This error message is only relevant for non Portal users and it means that you have reached the signature subscription (or time stamping) quota that you previously purchased. You can check the usage of signatures and timestamps by using the API calls counters/signatures or counters/timestamps respectively.
Note: If you are using the Atlas Portal, you can check signature usage on the "Service tile". Atlas Portal users also have a signature overage concept built-in, where you can exceed your signature quota and begin to pay per signature.
As a publicly trusted CA, GlobalSign serves as a "trust anchor". Any digital identity signed as valid by GlobalSign will be displayed as valid by most software and applications. Therefore, GlobalSign will have to verify the identity of your organization before activating your DSS Account.
DSS currently supports signing with employee or organization/department-level identities. Depending on the setup of your DSS account, the Common Name (the name that will be displayed together with your signature) for your signatures is either fixed or can be dynamically applied by submitting a /identity API call and then referencing that identity when using /sign.
Atlas Portal Users:
Navigate to the "API Credentials" tab in your account and create a new set of credentials. You'll be once again asked to associate a service and an identity. Once the API credentials are created, they are displayed and available for download.
Non Portal Users:
Please contact the account manager or Sales Engineer who assisted you in setting up your account. Or you can reach out to our Support team: https://www.globalsign.com/en/company/contact
Non portal users that receive an encrypted file from GlobalSign, containing the API credentials, can refer to the following guide: https://support.globalsign.com/ssl/api-plugins/how-obtain-globalsign-restful-api-account-credentials
Note: This is not relevant for Atlas Portal users.
Digital Signatures are sometimes called approval signatures and expedite an organization's approval procedure by capturing the approvals made by individuals or departments and embedding them within the actual PDF. They do exactly what the name implies, prove that you and/or other signers, have approved the content of the document.
Certifying a document is sometimes referred to as sealing the document. Unlike approval signatures mentioned above, you can only certify a document once and you cannot certify if the document already has a digital signature. This means certifying is usually done by the author or creator of the document, before it's published or sent for additional signatures or form fill-ins.
Note: As of now, you can only certify using Adobe Acrobat. Adobe Reader doesn't support this function. For more information, please see our AATL Document Signing FAQs: https://support.globalsign.com/aatl-document/aatl-document-signing-faqs
GlobalSign’s Digital Signing Service is already integrated with leading document work flow providers including Adobe Acrobat Sign and DocuSign. This provides customers with an easy way to add legally accepted and publicly trusted digital signatures to Adobe Acrobat Sign and DocuSign workflows. Once an organization’s DSS account is set up, employees can start digitally signing within these applications.