Why upgrade to DBsign 4.0?

Much has changed in the computer industry since DBsign 3.0 was released in 2005. Windows XP has been replaced by Windows Vista and now Windows 7. 64-bit computing is now the norm. Other operating systems such as Mac OSX and Linux are much more prevalent. DBsign 4.0 not only keeps up with the times, but also adds many important new features. Of course, DBsign 4.0 is completely backward compatible with signatures made with DBsign 3.0, but there are many important reasons to upgrade.

(We only hit the highlights here. A full list of new features can be found in the DBsign 4.0 Release Notes.)

DBsign 3.0 End of Life Policy

Of course, one good reason to upgrade is that the End of Life (EOL) date for DBsign 3.0 is September 30, 2012. As of the EOL date, DBsign 3.0 products updates and Maintenance & Support contracts will no longer be available. For more information, see the DBsign 3.0 EOL Statement. Of course, the DBsign support team is always here to walk you through the upgrade process.

Platform Support and Interoperability

One of the most exciting features of DBsign 4.0 is our new signing client, the DBsign Universal Web Signer (or UWS). It's called the “Universal” Web Signer because it runs everywhere: Windows, Mac OSX and Linux. The DBsign 4.0 Server also supports more platforms: Windows Server, Linux, and Solaris (SPARC and x86). In addition to an expanded list of supported operating systems, DBsign 4.0 also includes many other platform/interoperability enhancements:

64-bit Support. Because of it's design and architecture, DBsign 3.0 was stuck in the 32-bit world. But, both the DBsign 4.0 UWS and the DBsign 4.0 Server have been redesigned to support both 32-bit and 64-bit systems on all their supported platforms.

No Client-side Installation. The DBsign 3.0 Web Signer required an installation on each end user workstation. This is problematic in many security conscious environment where users do not have permissions to install software. The DBsign UWS 4.0 does not require any client-side installation, so this is not a problem. This is especially important in DoD because the DBsign 3.0 Web Signer is being removed from many standard desktop configurations because many large DoD systems have already upgrade to the DBsign UWS.

Fully Compatible with Windows Vista/7. Over the past few years, operating systems have changed quite a bit and these changes have introduced some difficulties for users of the DBsign 3.0 Web Signer control/plug-in. The DBsign 4.0 UWS solves these client-side issues that are becoming increasingly problematic for DBsign 3.0 customers. In Windows Vista and Windows 7, Microsoft implemented two new security features: Protected Mode in the Internet Explorer browser and User Account Control (UAC) in the operating system. These new security features work together to restrict the capabilities of controls and plug-ins running within the Internet Explorer browser. Although the DBsign 3.0 Web Signer supports IE Protected Mode, the cryptographic system built into Windows (MS CryptoAPI) does not always operate correctly under Protected Mode. This issue has become the primary source of DBsign-related help desk calls from DBsign 3.0 users. The DBsign UWS 4.0 integrates with the browser in a completely different way so IE Protected Mode is not an issue. When an application upgrades to DBsign 4.0, DBsign-related help desk calls are greatly reduced.

Fully Scriptable in All Web Browsers. Browser scripting languages like Javascript have made web applications faster and more user friendly. The DBsign 4.0 UWS supports this trend by being fully scriptable in all supported browsers. The DBsign 3.0 Web Signer could only be scripted in Internet Explorer.

Paves the Way for Digital Signatures on Mobile Devices. More and more people are using their smart phones and mobile devices to access business applications. In DBsign 4.0, almost every part of the digital signature process has been moved to the DBsign Server. This is an important step in paving the way for DBsign signing clients on mobile devices such as BlackBerry, Apple iOS devices (iPhone, iPad), and Android powered devices. The DBsign team has already released the DBsign BlackBerry Web Signer (BBWS) a signing client for BlackBerry phones that can use DoD CAC/PIV cards via the BlackBerry Bluetooth smart card reader. Cryptographic and smart card support for Android and iOS platforms is just beginning to emerge, but the DBsign team is currently developing signing clients for these platforms also.

Cryptographic and Security Enhancements

In DBsign 4.0, both the DBsign UWS client and the DBsign Server benefit from a redesigned, multi-platform, high-performance cryptographic subsystem. Although the new cryptographic subsystem has features similar to the DBsign 3.0, the new system is even more efficient and much more flexible.

SHA-256 support. Currently, the SHA-1 message digest algorithm is being used during the issuing of digital certificates. However, many security conscious environments, including DoD, will soon start issuing certificates signed using SHA-256. Many PKI-based products, including DBsign 3.0, will not be able to use these new SHA-256 certificates. DBsign 4.0, however, fully supports SHA-256 and DBsign 3.0 users are encouraged to upgrade as soon as possible. Because of this government requirement, many DoD customers have already upgraded to DBsign 4.0.

FIPS 140-2 Validated Cryptography. DBsign 3.0 used a cryptographic module that was validated under FIPS 140-1. It is completely legal for government customers to use FIPS 140-1 validated modules, but some customers require FIPS 140-2. DBsign 4.0 has the ability to use a variety of FIPS 140-2 validated cryptographic modules including Microsoft Windows Cryptographic Service Providers, Apple OSX Keychains, Network Security Services (NSS, available on most popular operating systems), and DoD CAC and PIV cards.

NIAP Common Criteria Validated. The new cryptographic subsystem has been thoroughly tested and is in production use in DoD. DBsign 4.0 has also been through NIAP CCEVS Common Criteria Validation by the National Security Agency (NSA), ensuring that DBsign 4.0 operates correctly. DBsign is the first, and currently the only, digital signature product to achieve this level of certification, and DBsign is the first digital signature product to be evaluated against U.S. Government's Public Key Enabled Applications Protection Profile.

Performance Enhancements

DBsign is used in a wide variety of applications, but some of them are very large and have millions of users. The redesigned cryptographic subsystem in DBsign 4.0 is the engine that gives DBsign 4.0 it's performance gains. DBsign 4.0's performance gains are so significant that large applications are finding that they can consolidate all their DBsign 3.0 instances into a single DBsign 4.0 instance without performance degradation. DBsign 4.0 can handle over 200 concurrent requests per CPU core. This is much more throughput than even our largest customers require.

Greater Concurrency. Although most of the DBsign 3.0 Server was multi-threaded, it's cryptographic libraries were not, so it could only perform a single cryptographic operation (sign or verify) at a time. This meant that high load applications have to have several load balanced DBsign instances to get the required performance. DBsign 4.0 is fully multi-threaded and can efficiently handle thousands of concurrent requests.

More Efficient Revocation Status Checking. Revocation status checking is a necessary part of security best practices, but it is also an expensive operation from a performance perspective. DBsign 4.0 has optimized support for CRLs, OCSP, and CRL Distribution Points. This coupled with a redesigned certificate/CRL cache architecture yields significant performance increases. The new CRL Updater greatly reduces end user delays associated with accessing CRLs, and greatly enhances application control over CRL freshness. In addition, DBsign 4.0 introduces an important new feature called Certificate Status Caching (CSC). CSC allows systems to define a maximum frequency that a given certificate will undergo revocation status checking. This keeps DBsign from performing revocation checking more often than is needed, which can greatly increase performance in many circumstances. CSC is especially useful when using network intensive protocols such as OCSP


We look forward to hearing from you!