In our last two blogs, we gave a brief overview of Regulation (EU) No 910/2014, better known as eIDAS, then discussed eSignatures outside of a compliance context and looked at how to choose the right one for you.
In this blog, I would like to dive a little deeper into how eIDAS classifies electronic signatures by the level of assurance they offer. If you are looking to become compliant, this blog will help you decide which level of assurance you need.
What are the eSignatures Assurance Levels Under eIDAS?
Regulations such as eIDAS define their own eSignature classifications based on trust and assurance. Each term signifies the level of assurance a given type of signature provides, measured against the goals of the regulation.
The classifications below are the terms used by eIDAS. Their purpose is to create a common foundation and framework for secure electronic signatures, so as to enhance trust and to make signatures interoperable, usable and accepted across borders.
The regulation also establishes a qualified status for providers delivering signatures at the highest level of assurance (qualified electronic signatures), and in doing so it has changed the market for eSignatures in Europe. Let's look at how.
Basic Level Electronic Signatures
According to eIDAS, at the basic level, an electronic signature can be defined as:
Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
We would interpret this to mean you can sign a document simply by inserting a scanned image of your signature or ticking a box in a document. Technically, the data is in electronic form and attached to a file, but this model has problems that eIDAS is trying to address with the higher levels.
Firstly, there is no way to tell with any certainty that the file or document has not been tampered with after signing, and secondly, there is no way of knowing the true identity of the person who signed it: nothing binds the image or the tick to a verified person. These two concerns are where the next classifications come in.
Advanced Electronic Signatures
Under eIDAS, an advanced electronic signature must meet the following requirements:
- Be uniquely linked to the signatory
- Capable of identifying the signatory
- Created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control.
- Linked to the data signed in such a way that any subsequent change in the data is detectable
All four requirements can be met with digital signatures based on PKI. A digital signature is applied with a Digital Certificate, which is comparable to an electronic passport or driver's licence: it is issued by a trusted third party (a Certificate Authority, or CA) only after verification of the holder's identity. The certificate binds that verified identity to a public key, and a valid signature can only be produced with the matching private key, so the signature is uniquely linked to the signatory and identifies them, satisfying the first two requirements.
Because the signatory is the sole holder of the private key used to apply the signature (see our article on Public Key Infrastructure for how public and private key pairs work), a valid signature shows that it was produced by the holder of that key. How strongly that identifies a person depends on two things: how thoroughly the CA verified the identity before issuing the certificate, and how well the private key is protected from use by others, which is exactly what the third requirement is about. Finally, signature verification, which document software such as Adobe Acrobat performs automatically when the recipient opens the file, recomputes the hash of the document and checks it against the signature, so any change made after signing is detected. That satisfies the fourth requirement.
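The signing and verification steps described above, as an added example in Go that is not part of the original post. It uses only Go's standard library; the CA names, the signatory "Alice Example" and the contract text are constructed for illustration. It builds a self-signed CA, issues a certificate to a signatory, signs a document, and then shows the two failure modes the text cares about: a document altered after signing, and a certificate from a CA the recipient does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample contract text; not taken from any real signing workflow.
const sampleDocument = "Supplier agreement: ACME Ltd pays 10,000 EUR on 2024-06-30."

// issue creates a certificate for name. With isCA it is self-signed (a
// hypothetical CA); otherwise the parent CA signs it, binding the signatory to a
// fresh key pair. The private key is the "electronic signature creation data".
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA returns a self-signed CA certificate and its key.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(name, true, nil, nil)
}

// NewSigner returns an end-entity certificate for a signatory, issued by ca.
func NewSigner(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(name, false, ca, caKey)
}

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signatory's private key (ECDSA, ASN.1 DER encoded signature).
func SignDocument(doc []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyDocument does the two checks described in the text: (1) the signer's
// certificate chains to a CA the verifier trusts, which identifies the signatory;
// (2) the signature matches the document, which detects changes after signing.
func VerifyDocument(doc, sig []byte, signer *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unsupported public key type %T", signer.PublicKey)
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature invalid: document altered or signed with another key")
	}
	return signer.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := NewCA("Example Trusted CA")
	signer, signerKey, _ := NewSigner("Alice Example", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	doc := []byte(sampleDocument)
	sig, _ := SignDocument(doc, signerKey)
	fmt.Println(VerifyDocument(doc, sig, signer, roots))
	// One appended sentence changes the hash, so the signature no longer matches.
	fmt.Println(VerifyDocument([]byte(sampleDocument+" Plus a late fee of 5,000 EUR."), sig, signer, roots))
	// A mathematically valid signature under a certificate from an untrusted CA is
	// still rejected: the identity assurance comes from the CA, not from the maths.
	rogueCA, rogueKey, _ := NewCA("Untrusted CA")
	rogueSigner, rogueSignerKey, _ := NewSigner("Alice Example", rogueCA, rogueKey)
	rogueSig, _ := SignDocument(doc, rogueSignerKey)
	fmt.Println(VerifyDocument(doc, rogueSig, rogueSigner, roots))
}
```

Note the order of the checks: the certificate chain is validated before the signature is checked, because a signature that verifies under an untrusted certificate tells you nothing about who signed. Real document signing formats (PAdES, CAdES, XAdES) add timestamps and revocation data on top of this, but the two checks above are the core of what the viewer performs when it reports a signature as valid.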
Qualified Electronic Signatures
A qualified electronic signature is:
An advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.
First, let's look at what a 'qualified electronic signature creation device' is. Annex II of eIDAS sets the following requirements:
- The device must ensure at least that:
  - (a) the confidentiality of the electronic signature creation data used for signature creation is reasonably assured;
  - (b) the electronic signature creation data used for signature creation can practically occur only once;
  - (c) the electronic signature creation data used for signature creation cannot, with reasonable assurance, be derived, and the signature is reliably protected against forgery using currently available technology;
  - (d) the electronic signature creation data used for signature creation can be reliably protected by the legitimate signatory against use by others.
- The device shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.
- Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider.
- Without prejudice to point (d) above, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes, provided that:
  - the security of the duplicated datasets is at the same level as for the original datasets;
  - the number of duplicated datasets does not exceed the minimum needed to ensure continuity of the service.
The wording is deliberately technology-neutral so that it stays valid as standards evolve, but the substance is clear: the electronic signature creation data (in PKI terms, the signatory's private key) must be generated and held in a device that reliably protects it, cannot be copied out of, and cannot be tricked into signing something the signatory did not see.
What hardware is reliable enough to do this? Our advice is a Hardware Security Module (HSM), kept in a secure location within your organisation or operated on your behalf by a qualified trust service provider; for an individual signatory a certified smart card or USB token plays the same role. For the security properties listed above you should expect the HSM to meet at least FIPS 140-2 Level 3, a security standard for cryptographic modules such as HSMs. Be aware, though, that a FIPS rating on its own does not make a device a qualified signature creation device: under Article 30 of the regulation the device must be certified by a body designated by a member state (in practice a Common Criteria, ISO/IEC 15408, evaluation against the applicable protection profiles) and it then appears on the list of certified devices that the Commission publishes. Check that list before relying on a vendor's claim.
The second part of the definition says the signature must be based on a 'qualified certificate for electronic signatures'. Whereas the advanced level does not outright require a Digital Certificate, the qualified level does. A qualified certificate cannot be bought from just any Certificate Authority: it may only be issued by a qualified trust service provider (QTSP), that is, a CA that has been audited by a conformity assessment body, granted qualified status by its national supervisory body, and published on that member state's trusted list (Articles 20 to 22 of the regulation). Check the EU trusted lists before you buy; a certificate from a provider that is not on them is not qualified, whatever the vendor calls it.
EU Member states are required to recognize the validity of a qualified electronic signature that has been created using a qualified certificate from another member state.
Electronic Seals
Electronic seals are similar to electronic signatures, but the difference is in the identity behind them. An eSeal guarantees the origin and integrity of a document in just the same way as an electronic signature would, but instead of signing as a natural person, you sign as an organisation or other legal entity. The same technology is used; what changes is that the certificate is issued to the organisation rather than to an individual, and the regulation defines advanced and qualified seals in parallel with advanced and qualified signatures.
eIDAS defines seals for legal persons generally, not only for public bodies, so any institution or company can use one. To decide whether you need one, ask two questions: does the document need to be signed by an individual or by the organisation itself, and at what volume will you be signing? eSeals are the right tool for automated or high-volume signing, such as invoices or certificates produced by a system rather than by a person.
Which Assurance Level do I Need to Comply With?
According to eIDAS Article 25:
An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
On its own, this only says that no electronic signature, not even a scanned image, may be rejected purely for being electronic or for not being qualified. The decisive part is the next paragraph, Article 25(2): a qualified electronic signature has the equivalent legal effect of a handwritten signature. Any lower level can still be admitted, but it is then up to you to demonstrate who signed and that the document is unchanged, which is straightforward with an advanced signature and very hard with a basic one. So if you want to be able to prove the validity of your document in a legal setting, you need an advanced level or higher, and you need qualified where handwritten-equivalent effect matters.
In our view, organisations that require a high level of trust and assurance should be using advanced or qualified electronic signatures. For organisations in the finance industry, for government bodies and for transactions with EU member state authorities, this is highly recommended.
If you are planning to use document workflows for customer transactions, legal transactions or transactions with third-party companies, be aware that the information in your documents is only as trustworthy as the procedures you use to secure it: the strongest signature level does not help if the private key or the identity-verification process behind it is weak.
Finally, it is worth remembering that while eIDAS does not require Digital Certificates for advanced signatures, we recommend using them and obtaining them from a publicly trusted Certificate Authority. Public trust is essential if you want your signatures to be verified and trusted automatically in popular document software such as Adobe Acrobat or Microsoft Office; Adobe, for example, trusts certificates chaining to the Adobe Approved Trust List and to the EU Trusted Lists, so a certificate from a CA on neither will show the recipient a warning. This way, when you sign documents you will not only have compliance but also a seamless experience for the document recipient.