Advanced electronic signature

An advanced electronic signature (AES or AdES) is an electronic signature that has met the requirements set forth under EU Regulation No 910/2014 (eIDAS-regulation) on electronic identification and trust services for electronic transactions in the European Single Market. [1]

Description

eIDAS created standards for the use of electronic signatures so that they can be used securely when conducting business online, such as an electronic funds transfer or official business conducted across borders between EU Member States. [2] The advanced electronic signature is one of the standards outlined in eIDAS.

For an electronic signature to be considered as advanced, it must meet several requirements: [3] [4]

  1. The signatory can be uniquely identified and linked to the signature
  2. The signatory must have sole control of the signature creation data (typically a private key) that was used to create the electronic signature
  3. The signature must be capable of identifying if its accompanying data has been tampered with after the message was signed
  4. In the event that the accompanying data has been changed, the signature must be invalidated

Advanced electronic signatures that are compliant with eIDAS may be technically implemented through the AdES Baseline Profiles that have been developed by the European Telecommunications Standards Institute (ETSI): [3]

Vision

The implementation of advanced electronic signatures under the eIDAS specification serves several purposes. Business and public-service processes, even those that cross borders, can be safely expedited by electronic signing. Under eIDAS, EU States are required to establish “points of single contact” (PSCs) for trust services, which ensure that electronic ID schemes can be used in cross-border public-sector transactions, including cross-border access to healthcare information. [3]

In the past, when signing a document or message, the signatory would sign it and then return it to its intended recipient through the postal service, by facsimile, or by scanning it and attaching it to an email. This could lead to delays and, of course, to the possibility that signatures could be forged and documents altered, especially when multiple signatures from different people in different locations were required. Using an advanced electronic signature saves time, is legally binding and assures a high level of technical security. [3] [6]

Following Article 25 (1) of the eIDAS regulation, [3] an advanced electronic signature shall "not be denied legal effect and admissibility as evidence in legal proceedings". However, it reaches a higher probative value when enhanced to the level of a qualified electronic signature. By adding a certificate issued by a qualified trust service provider that attests to the authenticity of the qualified signature, the upgraded advanced signature then carries, according to Article 24 (2) of the eIDAS Regulation, [3] the same legal value as a handwritten signature. [1] However, this is only regulated in the European Union and, similarly through ZertES, in Switzerland. A qualified electronic signature is not defined in the United States. [7] [8]

Long-term validation

AdES formats, listed from the basic form up to the form suited to long-term validation with full legal effect, are:

  1. Basic electronic signature (AdES-BES).
  2. AdES-T, which adds a timestamp.
  3. AdES-C, which includes references to the certificates and to their status (revocation) information.
  4. AdES-X, which adds timestamps over the references added in the previous step.
  5. AdES-XL, which includes the certificates and revocation information themselves, for long-term validation.
  6. AdES-A, which allows periodic archive timestamps to be added to guarantee the integrity of the signature over time, stored for future verification.


References

  1. Turner, Dawn M. "Advanced Electronic Signatures for eIDAS". Cryptomathic. Retrieved 12 May 2016.
  2. Forget, Guillaume. "The eIDAS regulation is coming. How can banks benefit from it?". Cryptomathic. Retrieved 12 May 2016.
  3. The European Parliament and the Council of the European Union. "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. Retrieved 12 May 2016.
  4. Department for Business Innovation & Skills. "Electronic Signatures (Guide)" (PDF). The Government of the United Kingdom. Retrieved 12 May 2016.
  5. "ASiC Baseline Profile" (PDF). etsi.org. Retrieved 23 May 2017.
  6. Mazzeo, Mirella. "Digital Signatures and European Laws". Symantec. Retrieved 12 May 2016.
  7. Turner, Dawn M. "Is the NIST Digital Signature Standard DSS legally binding?". Cryptomathic. Retrieved 12 May 2016.
  8. Information Technology Laboratory, National Institute of Standards and Technology. "Federal Information Processing Standards Publication (FIPS PUB 186-4): Digital Signature Standard (DSS)" (PDF). Retrieved 12 May 2016.