Qualified electronic signature


A qualified electronic signature is an electronic signature that is compliant with EU Regulation No 910/2014 (eIDAS Regulation) for electronic transactions within the internal European market. [1] It enables verification of the authorship of a declaration in electronic data exchange over long periods of time. Qualified electronic signatures can be considered a digital equivalent to handwritten signatures. [2]


Description

The purpose of eIDAS was to create a set of standards to ensure that electronic signatures could be used in a secure manner while conducting business online or while conducting official business across borders between EU member states. The qualified electronic signature is one such standard that has been outlined under eIDAS. [3] [4]

A qualified electronic signature is an advanced electronic signature with a qualified digital certificate that has been created by a qualified signature creation device (QSCD). For an electronic signature to be considered a qualified electronic signature, it must meet three main requirements. First, the signatory must be uniquely identified and linked to the signature. Second, the data used to create the signature must be under the sole control of the signatory. Third, it must be possible to detect whether the data accompanying the signature has been tampered with since the message was signed. [1]

It is important to note that creating a qualified electronic signature is more than merely adding a qualified certificate to an advanced electronic signature. The signature must also be created using a qualified signature creation device (QSCD). This device is responsible for qualifying digital signatures by using specific hardware and software that ensures that only the signatory has control of their private key. In addition, a qualified trust service provider manages the signature creation data that is produced. The signature creation data must remain unique, confidential and protected from forgery. [3]
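The three requirements above, and the Trusted List check described below under "Qualified trust service providers", can be illustrated with a small relying-party verifier. The following Go program is an added example using only the Go standard library; it is not code from the article or from any eIDAS implementation. The QSCD is modelled as a struct whose private key is generated inside it and never exported, the Trusted List as an x509 certificate pool, and the trust service providers, signatories and document text are all constructed, hypothetical names. Real qualified signatures use the ETSI formats (XAdES, CAdES, PAdES) and qualified certificates with specific policy extensions, none of which this toy reproduces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signingDevice stands in for a QSCD: the private key is created for it and
// never leaves it, so only the holder of the device can produce signatures
// (the "sole control" requirement).
type signingDevice struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate // the signatory's certificate, issued by a TSP
}

// Sign returns an ECDSA signature over the SHA-256 hash of the document.
func (d *signingDevice) Sign(doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

var serial int64 // simple unique serial numbers for the constructed certificates

// issueCert creates a certificate for subject. With parent == nil the certificate
// is self-signed, which is how the hypothetical TSP roots are modelled here.
func issueCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject}, // identifies the signatory
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify performs the relying party's checks: the signer's certificate must chain
// to a root on the trusted list, and the signature must match the data exactly
// (any alteration after signing is detected). On success it returns the
// signatory's identity taken from the certificate subject.
func Verify(doc, sig []byte, signer *x509.Certificate, trustedList *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: trustedList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return "", fmt.Errorf("issuer is not on the trusted list: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported signing key type")
	}
	h := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("signature does not match the data: altered after signing or wrong signer")
	}
	return signer.Subject.CommonName, nil
}

// Outcome collects the results of the scenarios run by Scenario.
type Outcome struct {
	Signatory   string // identity recovered from a valid signature
	TamperedErr error  // error when the signed document is altered
	UnlistedErr error  // error when the issuing TSP is not on the trusted list
}

// Scenario builds one listed TSP root and one unlisted root, a signatory
// certificate from each, and exercises the verifier. All names and the
// document text are constructed sample data.
func Scenario() (Outcome, error) {
	var out Outcome
	listedRoot, listedKey, err := issueCert("Hypothetical Listed QTSP", true, nil, nil)
	if err != nil {
		return out, err
	}
	unlistedRoot, unlistedKey, err := issueCert("Hypothetical Unlisted CA", true, nil, nil)
	if err != nil {
		return out, err
	}
	trustedList := x509.NewCertPool() // stands in for the EU Trusted List
	trustedList.AddCert(listedRoot)

	aliceCert, aliceKey, err := issueCert("Alice Example", false, listedRoot, listedKey)
	if err != nil {
		return out, err
	}
	qscd := &signingDevice{key: aliceKey, Cert: aliceCert}
	doc := []byte("Constructed sample contract: Alice agrees to the terms.")
	sig, err := qscd.Sign(doc)
	if err != nil {
		return out, err
	}
	out.Signatory, err = Verify(doc, sig, qscd.Cert, trustedList)
	if err != nil {
		return out, err
	}
	tampered := append([]byte{}, doc...)
	tampered[0] ^= 0x01 // flip one bit after signing
	_, out.TamperedErr = Verify(tampered, sig, qscd.Cert, trustedList)

	bobCert, bobKey, err := issueCert("Bob Example", false, unlistedRoot, unlistedKey)
	if err != nil {
		return out, err
	}
	bobSig, err := (&signingDevice{key: bobKey, Cert: bobCert}).Sign(doc)
	if err != nil {
		return out, err
	}
	_, out.UnlistedErr = Verify(doc, bobSig, bobCert, trustedList)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid: signed by %q\ntampered: %v\nunlisted issuer: %v\n", out.Signatory, out.TamperedErr, out.UnlistedErr)
}
```

The order of checks in Verify matters: the certificate chain is validated against the trusted list before the cryptographic signature is checked, so a signature from a perfectly valid key whose issuer is absent from the list is rejected regardless of whether the bytes verify, which is the constitutive effect of the Trusted List described in the text.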

Qualified electronic signatures that comply with eIDAS may be technically implemented through three specific digital signature standards, which were developed by the European Telecommunications Standards Institute (ETSI) and then need to be complemented with a qualified digital certificate through the procedures described above: [1]

Qualified trust service providers

The qualified trust service provider has a crucial role in the process of qualified electronic signing. A trust service provider must receive qualified status from a supervisory governmental body that allows the entity to provide qualified trust services to be used in creating qualified electronic signatures. Regulated in eIDAS, the European Union published an EU Trust List with constitutive effect, meaning that a provider or service will only be qualified if it appears in the Trusted List. [5] Qualified trust service providers are required to abide by the strict guidelines outlined under the eIDAS Regulation, which include as part of the certificate creation process:

Vision and expected impact

Under eIDAS, the intent of the implementation of qualified electronic signatures is to serve several purposes, such as the facilitation of business and public services processes, including those that go across borders. These processes can be safely expedited using electronic signing. Under eIDAS, EU member states have been charged with establishing "points of single contact" (PSCs) for trust services to ensure that electronic ID schemes may be used in cross-border public sector transactions, such as exchanging and accessing healthcare information across borders. [4]

Previously, a signatory would sign a document or message and then return it to the intended recipient via the postal service, facsimile service, by hand or by scanning and then attaching it to an email. The issue with these methods is that they are not always secure or timely. Delays in delivery could occur, and there exists the possibility that signatures could be forged or the enclosed documents may be altered. The risk increases as multiple signatures are required from different people who may be located in different locations. These problems are alleviated by using qualified electronic signatures, which save time, are legally binding, and provide a higher level of technical security. [1]

The increased transparency in the electronic signing and transaction process and the enhanced interoperability are expected to spur innovation in the European internal market. [6]

eIDAS requires that no electronic signature should be denied legal effect or admissibility as evidence solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. [7] The qualified electronic signature shall have the equivalent legal effect as a handwritten signature. Its evidentiary value depends on the circumstances, but will normally be considered very high. [8] All EU member states are required to recognize a qualified electronic signature as valid, as long as it has been created with a qualified certificate that has been issued by another member state.

Under eIDAS Regulation, Article 27, Electronic signatures in public services, member states are prohibited from requesting signatures of a higher level than qualified electronic signature. Article 25 (2) of eIDAS allows a qualified electronic signature to carry the same legal weight as a handwritten signature. [1] [3] [9]


Related Research Articles

An electronic signature, or e-signature, is data that is logically associated with other data and which is used by the signatory to sign the associated data. This type of signature has the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation under which it was created.

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card on a mobile phone.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

XAdES is a set of extensions to XML-DSig recommendation making it suitable for advanced electronic signatures. W3C and ETSI maintain and update XAdES together.

Worldwide, legislation concerning the effect and validity of electronic signatures, including, but not limited to, cryptographic digital signatures, includes:

CAdES is a set of extensions to Cryptographic Message Syntax (CMS) signed data making it suitable for advanced electronic signatures.

PAdES is a set of restrictions and extensions to PDF and ISO 32000-1 making it suitable for advanced electronic signatures. This is published by ETSI as EN 319 142.

Electronic signatures allow users to electronically perform the actions for which they previously had to give a signature on paper. Estonia's digital signature system is the foundation for some of its most popular e-services including registering a company online, e-banks, the e-voting system and electronic tax filing – essentially any services that require signatures to prove their validity.

Electronic Signatures Directive (EU directive)

The Electronic Signatures Directive 1999/93/EC was a European Union directive on the use of electronic signatures (e-signatures) in electronic contracts within the European Union (EU).

ARX is a digital security company headquartered in San Francisco, CA, with offices in the UK, the Netherlands, Australia and Israel. It is the creator of CoSign by ARX, a digital signature technology, along with related digital signature security technology products. ARX was acquired by DocuSign in May 2015. The acquisition builds on a three-year business partnership between DocuSign and ARX, bringing together ARX's CoSign digital signature technology with DocuSign's Digital Transaction Management (DTM) platform, and broadens the DocuSign Global Trust Network.

eIDAS (Electronic IDentification, Authentication and trust Services)

eIDAS is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014 of 23 July 2014 on electronic identification and repeals Directive 1999/93/EC of 13 December 1999.

An advanced electronic signature (AdES) is an electronic signature that has met the requirements set forth under EU Regulation No 910/2014 (eIDAS-regulation) on electronic identification and trust services for electronic transactions in the European Single Market.

ZertES is a Swiss Federal law that regulates the conditions under which trust service providers may use certification services with electronic signatures. Additionally, this law provides a framework that outlines the provider’s obligations and rights as they apply to providing their certification services.

A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. Trust service providers are qualified certificate authorities required in the European Union and in Switzerland in the context of regulated electronic signing procedures.

In the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a trust service provider which has government-issued qualifications. The certificate is designed to ensure the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data.

A secure signature creation device (SSCD) is a specific type of computer hardware or software that is used in creating an electronic signature. To be put into service as a secure signature creation device, the device must meet the rigorous requirements laid out under Annex II of Regulation (EU) No 910/2014 (eIDAS), where it is referred to as a qualified (electronic) signature creation device (QSCD). Using secure signature creation devices helps in facilitating online business processes that save time and money with transactions made within the public and private sectors.

Banking as a service

Banking as a service (BaaS) is an end-to-end process ensuring the overall execution of a financial service provided over the web. Such a digital banking service is available on-demand and operates within a set time-frame.

Associated Signature Containers (ASiC) specifies the use of container structures to bind together one or more signed objects with either advanced electronic signatures or timestamp tokens into one single digital container.

Qualified website authentication certificate

A qualified website authentication certificate is a qualified digital certificate under the trust services defined in the European Union eIDAS Regulation.

An electronic seal is a piece of data attached to an electronic document or other data, which ensures data origin and integrity. The term is used in the EU Regulation No 910/2014 for electronic transactions within the internal European market.

References

  1. Turner, Dawn M. "Qualified Electronic Signatures For eIDAS". Cryptomathic. Retrieved 13 June 2016.
  2. "Qualified Electronic Signature". Bundesnetzagentur. Retrieved 13 June 2016.
  3. The European Parliament and the Council of the European Union. "REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC". Official Journal of the European Union. Retrieved 13 June 2016.
  4. Turner, Dawn M. "Understanding eIDAS". Cryptomathic. Retrieved 13 June 2016.
  5. Forget, Guillaume. "The eIDAS Regulation Is Coming - How Can Banks Benefit From It". Cryptomathic. Retrieved 13 June 2016.
  6. J.A., Ashiq. "The eIDAS Agenda: Innovation, Interoperability and transparency". Cryptomathic. Retrieved 23 June 2016.
  7. eIDAS, Article 25.
  8. eIDAS does not explicitly address the evidentiary value of qualified electronic certificates, but it states that qualified electronic seals should enjoy the presumption of the integrity of the data and of the correctness of the origin of the data to which the seal is linked (Article 35(2)). Qualified electronic signatures and seals are technically very similar.
  9. "What Are Qualified Electronic Signatures? Are They by Definition Better than Other Types of Electronic Signatures?". Time.Lex. Retrieved 13 June 2016.