3 min read

How Digital Signature Deployment Models Optimise eIDAS Implementation

Dawn M. Turner (guest) : 15. December 2021

Digital Signatures eIDAS Banking Non-Repudiation QSCD QES Trust Service Providers

How Digital Signature Deployment Models Optimise eIDAS Implementation

The eIDAS regulation provides both the technical and legal framework for electronic identification and digital signatures that the banking sector needs to fully digitalize its processes and go paperless.

When deploying eIDAS compliant digital signature services, Cryptomathic proposes three potential commercial models for financial service providers:

Full Trust Service Provider: Cryptomathic’s technology installed on-premise, where the financial institution becomes a fully Qualified Trust Service Provider (QTSP).
Trust Service Provider “light”: Provide remote signatures as a service, where Cryptomathic operates the back-end signature services under SLA on the institution's behalf, and the financial institution becomes a QTSP.
Signing Service Provider: For trust service provision where the financial institution receives access to an API for QES services and becomes a Registration Authority (RA).

This article focuses on the Signer Service Provider model, where the financial service provider merely operates as a registration authority. This has the advantage of significantly reducing the work involved and allows the financial institutions to focus improving the customer experience.

The general idea: Becoming a Signing Service Provider

This model delivers fully managed trust services, enabling the financial service provider to offer eIDAS compliant signing to their customers. The financial institution receives access to an API for QES services and maintains its existing liability as a Registration Authority (RA). The financial institution remains in control of all valuable customer data and is the single point of contact to the customer. Its legal liability is limited to RA. The Qualified Trust Service Provider is liable for the complete remainder of the signing process.

Signature-Creation-Application-Cryptomathic-Financial-Service-provider-as-Registration-Authority

Figure: Financial Service provider operating as Registration Authority, backed by a QTSP

For a deeper understanding of the remote signing process, please look at the article: eIDAS-compliant Remote Signing with EN 419 241-2 Certified Qualified Signature Creation Devices.

Obligations of Registration Authorities

As a Registration Authority, a financial service provider has the following obligations:

They must validate the identity and additional personal details of the certificate or information relevant to the purpose of the certificates according to associated procedures.
They must maintain all information and documentation concerning certificates and manage their issuance, renewal, revocation, and reactivation.
They must notify the CA of requests for certificate revocation.
They must inform the CA of all aspects of certificate management, including issuance, renewal, and reactivation requests.
They must validate with due diligence the reason for revocation that might affect the validity of the certificate.
They must perform its certificate management operations in compliance with procedures established by the Trust Service Providers and current laws.
Where applicable, they must make available to the subject the technical procedures used for signature creation data, for example, the private key, and electronic signature verification, for example, the public key.

Advantages of Being a Signature Service Provider & Registration Authority

Financial service providers will benefit from the following advantages when they operate merely as a Registration Authority:

Direct contact with their customers. (one face to the customer)
A significantly reduced workload as a Trust Service Provider takes care of eIDAS-compliant qualified signature creation in the back-end.
Reduced requirement for audits because under Article 20 of the eIDAS Regulation, once qualified status is granted, the Trust Service Provider will have to provide a new conformity assessment report to their Supervisory Body every 24 months or when requested by the Body to maintain their qualified status.

This is the typical choice of banks, which operate at a limited number of locations, wanting to focus on core competencies and end customer business.

Business relationship with Cryptomathic

Cryptomathic offers a qualified trust service, provided as-a-service, audited and ready to be integrated with the bank’s processes:

The financial service provider

gets access to an API and can leverage its legacy IT setup.
enforces the terms of the CP/CPS for eIDAS or other legislation
may connect to additional certificate service providers
operates the registration authority function

The appointed TSP(s)

are legally liable for the signature service
delegate the RA + Authentication to the financial service provider. This delegation will be assessed with respect to conformity by an external auditor

Comparison of the 3 available packages offered by Cryptomathic

The following infographic compares the 3 different packages offered by Cryptomathic based on their technical implementation.

Remote-signing-different-implementation-options

Figure: Implementation / Delivery Options

References

Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more

CEN/TC 224 - Trustworthy Systems Supporting Server Signing Part 2: Protection Profile for QSCD for Server Signing (05.2018), by AFNOR
Conformity assessment of Trust Service Providers - Technical guidelines on trust services (2017), by the European Agency for Cyber Security

Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, VERSION 3.0 (Jan, 2010), SOG-IS
Trustworthy Systems Supporting Server Signing Part 2: Protection
Profile for QSCD for Server Signing (2019) by CEN/TC 224
About The Common Criteria (retrieved October 2020), by Common Criteria

Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma

Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma

Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council

Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
The European Interoperability Framework - Implementation Strategy (2017), by the European Commission

WHAT WE OFFER

KEY MANAGEMENT

Crypto Key Management and Crypto Service Gateway

MOBILE APPLICATION SECURITY

MASC

DIGITAL IDENTITIES & SIGNATURES

Signer

Managed Signing Services

PAYMENTS

CardInk

EMV CA

Payment Application Manager

PIN Manager

Transaction Manager

SERVICES

WHO WE ARE

STANDARDS

ESG

CAREERS

INSIGHTS

CUSTOMER STORIES

BLOG

RESOURCES