Editor’s Note: This blog was originally posted in March of 2017 and has been updated by GlobalSign Regional Product Manager Sebastian Schulz to include information on applying Advanced Electronic Signatures using GlobalSign’s cloud-based Digital Signing Service.
In one of our previous blogs we gave a brief overview of the regulation (EU) No 910/2014, better known as eIDAS. We have also covered eSignatures in general with a look at how to choose the right one for you.
In this blog however, we would like to dive a little deeper into how eIDAS classifies electronic signatures by the level of assurance they offer. If you are looking to adopt digital signatures, this blog will help you decide which level of assurance you need.
What are the eSignature Assurance Levels Under eIDAS?
There are many different signature regulations, often with distinct differences depending on country, industry, or intended usage. Each of these has developed its own eSignature classifications, reflecting the level of trust and assurance that can be placed in those signatures. The level of trust and assurance provided by a given type of signature depends mostly on the technical as well as the regulatory setup for the signatures in question.
For this blog we will look at the terms presented by eIDAS. After all, eIDAS was introduced with the purpose of creating a common foundation and framework for secure electronic signatures. This should help enhance trust and facilitate interoperability and cross-border usage and acceptance.
eIDAS has also created an accreditation for delivering eSignatures with the highest level of assurance (qualified electronic signatures) and in doing so, it has changed the market for eSignatures in Europe. But before we get to that, let us look at the different levels of assurance individually.
Basic Level Electronic Signatures
According to eIDAS, at the basic level, an electronic signature can be defined as:
Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
Taking this definition literally, you can sign a document simply by scanning your signature or ticking a box in a document opened on your device of choice. Technically, the data is in electronic form and attached to a file, but there are problems with this model which eIDAS is trying to address.
As you might already have guessed, this does not serve the purpose of signing a document at all. The document can still be tampered with, and a “signature” can easily be forged (i.e., we cannot be sure who ticked the box to confirm the terms and conditions were accepted). To use the correct lingo: Neither the integrity nor the authenticity of the document is guaranteed.
Advanced Electronic Signatures (AES)
Under eIDAS, an AES must meet the following requirements:
- Be uniquely linked to the signatory
- Capable of identifying the signatory
- Created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control.
- Linked to the data signed in such a way that any subsequent change in the data is detectable
Using digital signatures based on Public Key Infrastructure (PKI) satisfies all of the above requirements. If you aren’t familiar with how that works: Digital signatures are applied with a digital certificate, which is like an electronic version of a passport or driver’s license that is only issued after thorough verification of your identity by a trusted third party (called a Certificate Authority or CA). Digital certificates, and their resulting signatures, are unique to the individual and virtually impossible to spoof, satisfying the first two requirements above.
Because the signatory is the sole holder of the private key which is used to apply the signature (see our article on Public Key Infrastructure to get an understanding of how public and private keypairs work), you can be assured that the signer is the person who they say they are. Finally, part of the signature verification process, which automatically occurs when a recipient opens the document, includes checking to see if any changes have been made to the document since it was signed.
To get back to the professional lingo: Integrity and authenticity are guaranteed if the requirements for AES are met. AES may not be legally dismissed just because they are in electronic form, meaning that properly implemented AES are just as good as a traditional wet-ink signature (if not better). However, if the validity of an AES is questioned, the burden of proof that all necessary criteria have been met lies with the signatory.
PKI is what GlobalSign does best and therefore many of our products that existed even before eIDAS qualify for AES. Besides the traditionally secure deployment methods of certificates on USB Token, our cloud-based Digital Signing Service (DSS) helps you apply digital signatures that qualify as AES.
Qualified Electronic Signatures (QES)
A QES is:
An advanced electronic signature that is created by a qualified signature creation device and which is based on a qualified certificate for electronic signatures.
First, let us look at what a “qualified signature creation device” (or QSCD) is. According to eIDAS requirements, the device must ensure:
- The confidentiality of the electronic signature creation data
- The electronic signature creation data used for electronic signature creation can practically only occur once
- The electronic signature creation data used for signature creation cannot be derived and the signature is protected against forgery using current available technology
- The electronic signature creation data used for signature creation can be reliably protected by the legitimate signatory against use by others
- The device shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing
- Generating or managing signatory data on behalf of the signatory may only be done by a qualified trust service provider
- Without prejudice to point (d) of point 1, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes provided the following requirements are met:
  - The security of the duplicated datasets must be at the same level as for the original datasets
  - The number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service
The regulation is saying that if you intend to use QES, you must store the signature creation data on a highly reliable and assured device, such as a cryptographic USB Token or a Hardware Security Module (HSM) certified to at least FIPS 140-2 Level 3, a security standard created for cryptographic modules.
The next part of the definition for QES says that data on the device must be based on a “qualified certificate for electronic signatures”. A qualified certificate can only be purchased from a Certificate Authority that is accredited as a Qualified Trust Service Provider (QTSP) – such as GlobalSign! And to make sure the QSCD requirement is taken care of, we at GlobalSign offer an accredited QSCD in the form of a SafeNet USB Token together with the purchase of qualified certificates.
As the “gold standard” of digital signatures under eIDAS, QES guarantee integrity and authenticity. EU member states are required to recognize the validity of a QES that has been created using a qualified certificate from another member state. Furthermore, a QES is considered the legal equivalent of a traditional wet-ink signature, unless there is reason to suspect misuse of the underlying certificate. The burden of proof lies with the party doubting the validity of the qualified signature.
Electronic seals are similar to an electronic signature, but the difference is in the identity behind the signature. An eSeal will guarantee integrity and authenticity in just the same way as an electronic signature would, but instead of an individual, a legal entity takes the place of the signatory.
eIDAS mentions them in the context of use by EU member states, but you can also use them in your institution or organization. Whether or not you need one depends on whether you need to sign as an individual or as a legal entity. eSeals are generally more appropriate for automated or high-volume signing needs.
Which Assurance Level Do I Need to Comply With?
According to eIDAS Article 25:
An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
It therefore makes sense to use at least AES for your electronic signature workflow, otherwise the signatures may be dismissed just because they are electronic. And electronic signatures not being valid is probably one of the most prominent concerns businesses have with the transition.
Both advanced and qualified electronic signatures offer a high level of trust and assurance. When switching from traditional signatures to electronic signatures, it is critical that those features of signatures are maintained. The critical difference is the burden of proof.
Are you planning to build a high-volume signing workflow? Then our Digital Signing Service might be what you are looking for. AES together with proof of a secure workflow and user authentication will guarantee trust and assurance for your signatures on a legally solid foundation.
Are QES explicitly required, for example because your CEO must sign documents for submission in a European tender? Having a qualified certificate issued onto a QSCD, which we also provide, allows for the occasional signing of highly important documents without having to worry too much about being able to prove the security of the method itself.
Finally, it is worth remembering that while eIDAS does not specify the use of publicly trusted Digital Certificates, we recommend using them and purchasing them from a publicly trusted Certificate Authority. Public trust is essential if you want your signatures to be automatically verified and trusted in popular document signing platforms, such as Adobe Sign or DocuSign. This way when you sign documents you will not only have compliance, but also a seamless user experience for the document recipient.
If you would like to discuss an electronic signature solution for compliance with eIDAS, you can contact GlobalSign for more information.