4 min read

Understanding ZertES, the Swiss Federal Law on Electronic Signatures

Understanding ZertES, the Swiss Federal Law on Electronic Signatures

 On December 19, 2003, ZertES, the Swiss Federal law regarding the use of certification services with electronic signatures was approved into law.
This legislation regulates the conditions in which trust service providers may use certification services with electronic signatures. Additionally, ZertES, provides a framework that specifies the provider’s rights and obligations when providing certification services.

Purpose of ZertES

The intent of ZertES is to promote the use of secure services for electronic certification to facilitate the use of qualified electronic signatures that carry the same legal implications as a handwritten signature. 

Acting in geographical proximity of the European Community, it is not surprising that ZertES is conceived similarly to eIDAS, in particular when looking at the tiered structure and legal value. ZertES has multiple assurance levels, the highest of which is the QES level equivalent to a handwritten one and mandatory for many official documents. 

Requirements for Electronic Signatures under ZertES

An electronic signature in the understanding of ZertES refers to data in electronic form, attached to or associated with other data in electronic form , serving to authenticate the former.

So far, ZertES does not further specify how electronic signatures shall be technically implemented. However, to facilitate the international use of electronic signatures and their legal recognition, the Swiss Federal Council made international agreements and notably accepts electronic signatures, technically implemented as digital signatures following the following standards: XAdES, PAdES, CAdES

Requirements for Advanced Electronic Signatures under ZertES

An advanced electronic signature, referred to as a Fortgeschrittene Elektronische Signatur  is required to meet the following requirements to prove its authenticity:

  • It is uniquely linked to its signatory
  • The signature allows for the identification of its signatory or holder
  • It has been created with means that remain under the sole control of the signatory
  • The signature is linked to the data or document in which it refers and is capable of identifying if the data has been changed or tampered with after signing

Requirements for Qualified Electronic Signatures under ZertES

Similarly to eIDAS, ZertES allows to enhance the advanced electronic signature and its legal implication through a qualified certificate. The enhanced version is called qualifizierte elektronische Signatur (qualified electronic signature). It needs to be produced with a secure signature creation device and to be attached to a qualified certificate, valid at the time of the production of the signature.

Requirements for Qualified Certificates

A qualified certificate must include:

  • A serial number that designates it as a qualified certificate
  • Name or pseudonym of the person who holds the signature verification
  • Signature verification
  • Length of validity period
  • Name, State where established and qualified electronic signature of issuer of certificate (Anbieterin von Zertifizierungsdiensten) and the name of the national or foreign accreditation body that accredited the issuer. 
  • Indication of recognition by certification services of certificate service provider
  • Specific attributes of the owner of the signature key to show they are authorized to use said key
  • Scope of certificate
  • Value of transactions in which the certificate may be used

Certificate service providers issuing qualified certificates need to undergo an audit through a conformity assessment body appointed by the Schweizerische Akkreditierungsstelle.

Requirements for Secure Signature Creation Devices:

The Federal Council is responsible for regulating signature generation and issuing Signature Verification Keys (Signaturprüfschlüssel) to qualified certificates under ZertES. Secure signature creation devices must ensure that the signature key that is used can:

  • Occur only once and its secrecy is reasonably assured
  • Be protected from counterfeiting using currently available technology
  • Is reliably protected by the signatory from being misappropriated by others

The following applies for the signature verification process:

  • Data used to verify the signature must correspond to the data provided to the verifier
  • The signature can be reliably verified and the verification result is correctly displayed
  • Contents of the signed data can be determined by the verifier when needed
  • The identity of the owner of the signature is displayed properly
  • Use of a pseudonym is clearly identified
  • Any tampering can be detected.

Requirements for Qualified Trust Service Providers

Qualified trust service providers must meet the requirements specified under ZertES to ensure the validity of their certificates issued for electronic signatures. A provider of certification services can be a naturalized or legal citizen who:

  • Registers in the commercial register
  • Has the ability to issue qualified certificates according to the specifications of ZertES
  • Employs staff that has been trained and possesses the experience and qualifications needed to process certificates
  • Possesses reliable and trustworthy computer equipment and software to be used in signature creation
  • Carries liability insurance or maintains sufficient financial resources to cover liabilities
  • Complies with all laws, including ZertES as they apply to electronic signatures

Foreign suppliers may also provide certification services under the provisions of ZertES provided:

  • They have already been recognized by a foreign recognition body under foreign law
  • The recognition and qualification provisions of that foreign law are comparable to the Swiss provisions
  • The foreign recognition body collaborates with the Swiss certification authority to monitor the service provider in Switzerland

Conclusion

New Call-to-action

ZertES allows to electronically sign documents in a legally binding way. It offers a tiered approach of advanced and qualified electronic signatures to allow for staged levels of complexity and legal value. Similarly to EU law (eIDAS), advanced electronic signatures assure legal bindingness, but the qualified electronic signatures (doted with a qualified certificate) brings legal admissibility to court.

In a European context, cross-border communication between the Swiss and EU areas of jurisdiction is a daily occurence. Switzerland accommodating the headquarters of many internationally active banks and companies is a major reason for this. Therefore ZertES and the EU-pendant eIDAS are comparably conceived in technical design as well as with respect to legal implications.

Cross-border transactions can be conceived in legal compliance to ZertES and eIDAS and this valid in both areas of jurisdiction.However compliance to the standarized digital signing process has to be made sure and errors in the implementation need to be avoided as they could lead to legal invalidity of the signature.

Critical points are the implementation of the electronic signature through a digital signature, the choice of accredited certification providers and accepted signature creation devices and the technical workflow itself.

Cryptomathic's SIGNER has been designed in compliance with ZertES and eIDAS. The Swiss Conformity Assessment has verified compliance of Signer against applicable standards and the Signer solution has been declared fit for purpose and can thereby be implemented as a Secure Signature Creation Device to issue Qualified Electronic Signatures. Cryptomathic's vast implementation experience in Switzerland as well as the EU will assure a rapid and error-free implementation and is accompanied by expert adivce.

ZertES is currently under review. Best contact Cryptomathic for an actual status and information on expected changes and modifications.

 New Call-to-action

References and Further Reading

Featured Image: "Swiss Flags" courtesy of Janet McKnight, Flickr (CC BY 2.0)