Cancel
What information transferred, how and why? – Security considerations – Firewall configuration rules
Summary
To activate, use and validate Notarius’ digital signature, four outbound communication flows to Notarius’ servers must be enabled. These flows are always initiated from the given workstation and use standard protocols. No information pertaining to your electronic documents is communicated to Notarius or any third party.
Notarius is the only public-key-infrastructure supplier to be certified ISO 27001 in North America (Information Security Management). Moreover, its infrastructure is subject to stringent security controls and periodic vulnerability testing. Several major companies operating in the engineering, transportation, aerospace, hydro-electricity and mining sectors authorize outbound communication flows to Notarius’ servers.
CertifiO, the trusted digital signature from Notarius, enables users to sign an electronic document with the same legal value as a handwritten signature on a printed document. It assures the document’s origin, integrity and authenticity. CertifiO for Professionals is the only digital signature recognized by 25 professional associations in Canada.
Some outbound communication flows are required to activate a digital signature, sign a document and guarantee its authenticity, and validate a third party’s signature (internal or external to your organization).
Is your organization using proxies? LDAP (tcp 389) and CMP (tcp 829) are not proxy friendly.
We have a solution that uses http and https only.
Service | Description | Port |
ConsignO licencing | Encrypted communication to manage ConsignO’s user rights. This includes a license file and the signatory’s public distinguished name (DN). Required to use ConsignO. |
tcp 443 (https) |
Digital signature generation | Encrypted communication to activate, update or recover a digital signature certificate. Includes all relevant information to create a trusted public/private key pair on the user’s computer. Uses CMP (Certificate Management Protocol). Ref: RFC 6712 Required to obtain a digital signature certificate. |
tcp 443 (https) tcp 829 (pkix-3-ca-ra) |
Timestamp authority | Add a certified timestamp token upon signature. Uses TSP (Time stamp protocol). Ref: RFC 3161 Required to ensure long-term document reliability. |
tcp 80 (http) |
OCSP responder | Add the proof of validity of the digital signature, and verify the authenticity of a document. The communication includes the signatory’s public distinguished name (DN). Uses OCSP (Online Certificate Status Protocol). Ref: RFC 6960 Required to ensure the document’s authenticity and long-term reliability. |
tcp 80 (http) |
Certificate Revocation List (CRL) | Add the proof of validity of the digital signature, and verify the authenticity of a document. Uses LDAP (Lightweight Directory Access Protocol). Ref: RFC 2251 Required to ensure the document’s authenticity and long-term reliability. |
tcp 80 (ldap over http) or tcp 389 (ldap)1 |
Digital signature enrollment, activation and management | Encrypted communication from the browser to management portal to enroll, activate, manage and invoice digital signatures. Required to obtain a digital signature. |
tcp 443 (https) |
Templates download | Unencrypted communication to ConsignO Desktop’s PDF and XML templates. | tcp 80 (http) |
Notifications | Encrypted communication to get the update notifications and “what’s new” notifications. | tcp 443 (https) |
CertifiO Manager | Light desktop application removing the need to install JAVA to access your account on the Notarius portal, to activate or recover your CertifiO digital signature and to sign in application such as ConsignO Cloud with it. | tcp 443, 24250 (https) |
CertifiO Manager – Serveur Edition | The Server Edition allows multiple users to use CertifiO Manager in a server or virtualized environment. | tcp 443, 24251- 24270 (https) |
1 Organizations who prefer to block port TCP 389 (ldap) can do so if port tcp 80 (http) is allowed to carry traffic from our servers. See details in the proxy configuration page.
These flows are always outbound: they are initiated from the client’s workstation to Notarius’ servers using standard protocols. No information pertaining to your electronic documents is communicated to Notarius or any third party. Notarius is the only public-key-infrastructure supplier to be certified ISO 27001 in North America (Information Security Management). Moreover, its infrastructure is subject to stringent security controls and periodic vulnerability testing.
Other than Notarius, the United Nations, the Government of Canada and the governments of several Canadian provinces and US states use Entrust certificate authority software and related technologies; all require that communication flow to their servers is authorized. These communication protocols are governed by stringent standards set by the IETF, ISO and NIST.
Several of Notarius’ clients have also assessed these considerations. Major companies operating in the engineering, transportation, aerospace, hydroelectricity and mining sectors authorize outbound communication flows to Notarius’ servers.
Our environments are redundant, distributed and scalable; the IP address of a service can vary at any time within the specified range.
IP range | Port |
206.55.89.0/27 | tcp 80 (http) tcp 443 (https) tcp 389 (ldap)1 tcp 829 (pkix-ca-ra) |
192.252.131.64/28 | tcp 80 (http) tcp 443 (https) tcp 389 (ldap)1 tcp 829 (pkix-ca-ra) |
Our download site and website require a DNS configuration.
DNS Entry | Port |
support.notarius.com | tcp 443 (https) |
download.notarius.com | tcp 80 (http) tcp 443 (https) |
Notes: