IMPLEMENTING E-SIGNATURE AS A SERVICE (A FRAMEWORK)
This paper lays out the challenges of offering qualified electronic signatures (QES) as defined in the eIDAS regulation. Specifically, the paper focuses on the key questions and the needed considerations that eSignature platforms face when building their roadmaps towards offering legal certainty and non-repudiable electronic signatures in the EU region.
CHALLENGES OF QES SIGNATURE PLATFORMS
We offer advice and legal and technical definitions, and we present and weigh the options in front of you for serving your clients with qualified electronic signatures compliant with eIDAS.
First things first. Your business is built on user confidence: Trust in the process and the solution you offer. This means your business must have two solid anchor points in place:
1. You are building a strong brand based on good business
2. You comply with the needed security and privacy regulations to prove you can be trusted
Either of these two points is hard enough to get right. The second even requires highly specialized legal and technical competencies to address audits, compliance, and the many other challenges of operating in a regulated space.
So, what if you could outsource the second point and focus more on business and less on regulations?
UNDERSTANDING YOUR OPTIONS TO OFFER QES
You do not have to become a qualified trust service provider yourself to serve qualified electronic signatures. You can do this with minimal regulatory burden on you - we take that off your hands.
And you need little additional infrastructure to manage the service. Just basic developer skills to hook up the API. This means our QES as a service offering comes with a minimal footprint in your IT infrastructure.
The branding and the user experience are yours to get right, but we offer all the flexibility you need to own the entire customer relationship: no off-brand redirects and no third party between you and your customer.
Your business, your customer.
HOW OUR ESIGNATURE AS A SERVICE WORKS
Our QES as a service model delivers fully managed qualified trust services, enabling your company to offer eIDAS compliant signing to your customers. You receive access to an API for QES services, which you integrate with your customer system and signature portal.
The QES service provides you with the means to issue and revoke certificates and to use a remote signing service. You retain control of your customer base. For this to work, your systems must know your customers, and the customers must be able to authenticate themselves within your company's systems. Your company will be the single point of contact for the customer.
INTEGRATING WITH IDENTITY
Before a qualified certificate can be issued, the user's identity (and maybe other attributes) must be verified. This requirement stems from the eIDAS regulation, which outlines several approaches on how this may be achieved. The most common approaches are:
- The user appears physically in front of a trained employee from your company, or
- The user interacts in a remote session with a system, optionally supported by a trained employee from your company, or
- The user already has an electronic identification
To obtain an electronic identification, the user proves their identity by presenting nationally recognized identification documents; these are checked to be genuine, and the attributes and photo/biometric information on them are verified to match the user.
When the user already has an electronic identification, the user is asked to authenticate to your company portal, and after a successful authentication your company retrieves the user information from the electronic identification system. It is a requirement that the electronic identification scheme has been assessed and notified to the European Commission under the eIDAS regulation.
Your company records the supplied documentation and electronic information in its audit system and creates the user in the system. Once the user has proved their identity and it has been verified, your company can either issue an electronic identity to the user or rely on the electronic identification that the user already has. In any case, the user can now authenticate and have access to your company's signature portal.
INTERACTING WITH THE QUALIFIED ELECTRONIC SIGNATURE SERVICE
A qualified electronic signature requires a qualified certificate whose private key is strongly protected against misuse. The eIDAS regulation requires that the private key is generated, protected, and used on specially certified devices, called qualified signature creation devices (QSCD), and the QES service provides remote access to such a QSCD. Through the API, your company has a key pair generated on the remote QSCD and a qualified certificate issued for it. Your company keeps track of whether each user holds a valid certificate or whether it has expired, in which case a new one must be issued.
MANAGING CERTIFICATES
Since your company is the single point of contact for the user, your company is also responsible for certificate revocation. There can be many reasons to revoke a certificate, ranging from routine ones such as a change of affiliation or name to serious ones such as identity fraud. The QES service provides an interface to revoke certificates. Whenever your company finds a reason for revocation, or is asked to revoke by the user, it must immediately invoke that interface and revoke the certificate.
CREATING QUALIFIED ELECTRONIC SIGNATURES FROM THE SERVICE
The final interface on the QES service starts the signature creation operation. The user authenticates with their electronic identification to gain access to your company's signature portal; the resulting authentication data is submitted to the signature creation operation, which activates the private key on the remote QSCD so that a signature can be generated.
Your company uses the QES service to issue certificates to the user. Since the qualified trust service provider has terms and conditions governing the use of certificates, your company must ensure that these are presented to and accepted by the user when a certificate is issued. Typically, they are presented together with the other terms and conditions for using your company's portal.
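The issuance, revocation and signing flows described in the three sections above (a key pair generated on the QSCD, the integrator tracking whether each user's certificate is still valid, revocation on demand, and key activation only on submission of fresh authentication data) can be exercised end to end in a small simulation. The Go program below is an added example written for this page; it is not Cryptomathic's API or code. The RemoteQSCD type, the AuthAssertion evidence format, the five-minute freshness window and the self-signed certificate standing in for one issued by a qualified CA are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// RemoteQSCD stands in for the provider's qualified signature creation device
// (an assumption of this example, not the vendor's API). Private keys are
// generated here and never leave; the integrator only ever holds certificates.
type RemoteQSCD struct {
	keys    map[string]*ecdsa.PrivateKey // keyed by certificate serial number
	revoked map[string]bool
}

func NewRemoteQSCD() *RemoteQSCD {
	return &RemoteQSCD{keys: map[string]*ecdsa.PrivateKey{}, revoked: map[string]bool{}}
}

// IssueCertificate generates a key pair on the device and returns a certificate
// bound to the already-verified identity. A self-signed certificate stands in
// for one from a qualified CA so that the example runs offline.
func (q *RemoteQSCD) IssueCertificate(subject string, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(int64(len(q.keys)) + 1), // simple counter, constructed for the simulation
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	q.keys[cert.SerialNumber.String()] = key
	return cert, nil
}

// Revoke is the interface the integrator must call as soon as it learns of a
// reason for revocation (change of name or affiliation, identity fraud, ...).
func (q *RemoteQSCD) Revoke(cert *x509.Certificate) { q.revoked[cert.SerialNumber.String()] = true }

// AuthAssertion is the evidence the integrator's portal produces once the user
// has authenticated; submitting it is what activates the key on the device.
type AuthAssertion struct {
	Subject  string
	IssuedAt time.Time
}

const maxAssertionAge = 5 * time.Minute // assumed freshness window

// Sign activates the key behind cert only for a fresh assertion naming the same
// subject and a certificate that is still usable, then signs the SHA-256 digest.
func (q *RemoteQSCD) Sign(cert *x509.Certificate, a AuthAssertion, document []byte, now time.Time) ([]byte, error) {
	if a.IssuedAt.After(now) || now.Sub(a.IssuedAt) > maxAssertionAge {
		return nil, errors.New("authentication assertion is stale")
	}
	if a.Subject != cert.Subject.CommonName {
		return nil, errors.New("assertion subject does not match certificate")
	}
	if s := CertificateState(cert, q.revoked[cert.SerialNumber.String()], now); s != "valid" {
		return nil, errors.New("certificate is " + s)
	}
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, q.keys[cert.SerialNumber.String()], digest[:])
}

// CertificateState is the integrator-side bookkeeping the text asks for: it
// tells whether a user holds a usable certificate or a new one must be issued.
func CertificateState(cert *x509.Certificate, revoked bool, now time.Time) string {
	switch {
	case revoked:
		return "revoked"
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return "expired or not yet valid"
	}
	return "valid"
}

// VerifySignature is what a relying party (or your portal, before archiving the
// signed document) does with the signature and the signer's certificate.
func VerifySignature(cert *x509.Certificate, document, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

The point of the simulation is the boundary: the only things that cross between the integrator and the device are certificates, authentication evidence, documents (or their digests) and signatures, never a private key. In a real integration the certificate would come from the provider's qualified CA, revocation status would be checked against the provider's published revocation information rather than a local map, and the raw signature would be wrapped in a standard signature container; those parts are deliberately left out here.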
OBLIGATIONS TO YOUR COMPANY
The requirement that the user's identity is verified before a certificate is issued is laid down in the eIDAS regulation, and the qualified trust service provider is audited on performing it. Since these tasks are now conducted by your company, the qualified trust service provider requires that the implementation and procedures at your company are audited. However, this audit is significantly less burdensome than the one the qualified trust service provider itself is subject to. Hence most of the audit burden is carried by our service, which reduces your own audit requirements.
Your audit covers:
- Detailed architecture describing your company system components
- Flows for user identity proofing and verification
- Flows for certificate issuance and presentation of terms and conditions - both from qualified trust service provider and company's own
- Flows for certificate revocation
- Signature flow
- Audit records
We can guide you through this step by step and act as the talking partner towards the auditor to reduce the regulatory burden even further.
BENEFITS FOR YOUR COMPANY
With QES as a Service, your company will benefit from the following advantages:
- Clean and branded user experience
- Full ownership of the customer relationship
- A significantly reduced workload, since a qualified trust service provider takes care of eIDAS compliant qualified electronic signature creation in the back-end
- Heavily reduced requirement for audits. The qualified trust service provider is obliged to undergo regular audits to maintain its qualified status: the eIDAS regulation requires a conformity assessment at least every 24 months, and the auditor typically requires surveillance audits in between
- Minimal footprint in your IT infrastructure
SUMMARY
Cryptomathic's Managed Signing Services offer a fully managed electronic signature service for those who need the highest level of legal certainty.
Delivered in record time without a large IT footprint or audit burden. When you sign or manage high value documents, you want a signing solution that offers a high level of legal certainty.
If you're buying a loaf of bread, you may not care about legal certainty. But if you're buying the bakery, the stakes and the risks are higher. You will want the signed contract to support you in court if it ever comes to it.
Signature solutions that provide legal certainty often come with a large IT infrastructure footprint and a significant audit burden. Some organizations understandably want to do things differently.
That's where our managed signing service comes in...
