Qualified digital certificate

In the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a trust service provider which has government-issued qualifications. The certificate is designed to ensure the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data. [1]

Description

eIDAS defines several tiers of electronic signatures that can be used in conducting public sector and private transactions within and across the borders of EU member states. A qualified digital certificate, in addition to other specific services provided by a qualified trust service provider, is required to elevate the status of an electronic signature to that of being considered a qualified electronic signature. Using cryptography, the digital certificate, also known as a public key certificate, contains information to link it to its owner and the digital signature of the trust entity that verifies the authenticity of the content that has been signed.
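The "indication, suitable for automated processing, that the certificate was issued as a qualified certificate" is carried in practice by the X.509 QCStatements extension (RFC 3739, profiled for eIDAS by ETSI EN 319 412-5), which the article does not name. The following stdlib-only Python is an added example, not code from the article or from any trust service provider: it encodes a constructed QCStatements value and checks it the way a relying party would, using the real ETSI statement identifiers.

```python
# Added example (not the article's code): stdlib-only encoder and checker for the X.509 QCStatements
# extension (RFC 3739 / ETSI EN 319 412-5). The three OIDs below are the real ETSI identifiers.
QC_COMPLIANCE = "0.4.0.1862.1.1"  # id-etsi-qcs-QcCompliance: issued as an EU qualified certificate
QC_TYPE = "0.4.0.1862.1.6"        # id-etsi-qcs-QcType; its statementInfo is a SEQUENCE OF OID
QCT_ESIGN = "0.4.0.1862.1.6.1"    # id-etsi-qct-esign: qualified certificate for electronic signature

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, high bit set on all but the last
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)  # short-form length (< 128 bytes)

def der_seq(*items):
    body = b"".join(items)
    return bytes([0x30, len(body)]) + body

def _children(buf):  # split a DER value into (tag, value) pairs; handles long-form lengths
    pos, out = 0, []
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def decode_oid(value):
    arcs, cur = ([2, value[0] - 80] if value[0] >= 80 else list(divmod(value[0], 40))), 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def qc_statements(ext_value):  # -> {statementId: statementInfo DER or None}
    (tag, body), = _children(ext_value)
    assert tag == 0x30, "QCStatements must be a SEQUENCE"
    parsed = [_children(st) for _, st in _children(body)]
    return {decode_oid(p[0][1]): (p[1][1] if len(p) > 1 else None) for p in parsed}

def is_qualified_esign(ext_value):  # example policy: require QcCompliance AND an explicit QcType of esign
    st = qc_statements(ext_value)
    types = [decode_oid(v) for _, v in _children(st[QC_TYPE])] if st.get(QC_TYPE) else []
    return QC_COMPLIANCE in st and QCT_ESIGN in types

SAMPLE_EXT = der_seq(der_seq(der_oid(QC_COMPLIANCE)),  # constructed sample: QcCompliance + QcType{esign}
                     der_seq(der_oid(QC_TYPE), der_seq(der_oid(QCT_ESIGN))))
```

Passing this check only confirms what the certificate asserts about itself; the issuer must still be matched against the EU Trust List and the certificate chain validated before the signature is treated as qualified.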

According to eIDAS, to be considered a qualified digital certificate, the certificate must meet the requirements provided in Annex I of Regulation (EU) No 910/2014, including, but not limited to: [1] [2]

Vision

The need for non-repudiation and authentication of electronic signatures was originally addressed in the Electronic Signatures Directive 1999/93/EC to help facilitate secure transactions, specifically those that occur across the borders of EU Member states. The eIDAS Regulation later replaced the Directive and defined the standards to be used in the creation of qualified digital certificates by trust service providers. [2]

Role of a qualified trust service provider

A qualified digital certificate can only be issued by a qualified trust service provider that has received authorization from its member state’s supervisory body to provide qualified trust services for creating qualified electronic signatures. The provider must be listed on the EU Trust List; otherwise, it is not permitted to provide qualified digital certificates or other qualified trust services. The trust service provider is required to abide by the guidelines established under eIDAS for creating qualified digital certificates, which include: [3] [2]

In court, a qualified electronic signature provides the highest level of probative value, which makes it difficult to refute its authorship. A qualified electronic signature, along with its qualified certificate, is given the same consideration as a handwritten signature when used as evidence in legal proceedings. The validity of a qualified electronic signature that has been created with a qualified certificate must be accepted by other EU member states regardless of which member state the signature was produced in. [4]

Global perspective

In other parts of the world, similar concepts have been created to define standards for electronic signatures. In Switzerland, the digital signing standard ZertES has comparable standards that address the conformity and regulation of trust service providers who produce digital certificates. [5]

In the United States, the NIST Digital Signature Standard [6] (DSS) does not provide a comparable standard for regulating qualified certificates that would address non-repudiation of a signatory’s qualified certificate. [citation needed] An amendment to NIST DSS is currently being discussed that would be more in line with how eIDAS and ZertES handle trusted services. [7] [8]

References

  1. Turner, Dawn M. "What is a Qualified Digital Certificate for Electronic Signatures in eIDAS". Cryptomathic. Retrieved 10 August 2016.
  2. The European Parliament and the Council of the European Union. "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. Retrieved 10 August 2016.
  3. Turner, Dawn M. "Trust Service Providers According to eIDAS". Cryptomathic. Retrieved 10 August 2016.
  4. "What Are Qualified Electronic Signatures? Are They by Definition Better than Other Types of Electronic Signatures?". Time.Lex. Retrieved 13 June 2016.
  5. Swiss Federal Council. "Bundesgesetz über Zertifizierungsdienste im Bereich der elektronischen Signatur (Bundesgesetz über die elektronische Signatur, ZertES)". The Portal of the Swiss Government. Retrieved 10 August 2016.
  6. Information Technology Laboratory. "FIPS PUB 186-4: Digital Signature Standard (DSS)" (PDF). National Institute of Standards and Technology. Retrieved 10 August 2016.
  7. Turner, Dawn M. "Is the NIST Digital Signature Standard DSS Legally Binding?". Cryptomathic. Retrieved 11 August 2016.
  8. Turner, Dawn M. "Major Standards and Compliance of Digital Signatures - A Worldwide Consideration". Cryptomathic. Retrieved 10 August 2016.