The following content is an introduction to trust services and remote Qualified Electronic Signatures (QES) according to the eIDAS regulation and standards. This article is aimed at highlighting what a trust service provider (TSP) is and the valuable benefits of remote QES and other trust services.
So, what is a trust service?
Trust services extend a trusted framework allowing ongoing digital transaction relationships between EU member states, natural persons, and legal entities.
As the name implies, the trust service provider (TSP), which is closely related to a Certification Authority, is a commercial or governmental agency responsible for providing trust services.
In detail, a trust service is an electronic service facilitating the creation, issuance, revocation, and management of electronic certificates for at least one of the following trust services:
- Electronic registered delivery service enables parties to securely exchange electronic data by protecting the information from loss, theft, damage or unauthorized alteration. The service also provides proof of data handling, including proof of delivery and receipt.
- Electronic time stamp binds electronic data to a time to provide evidence that such data existed at that particular time.
- Advanced electronic signature (AdES) is a digital signature based on an advanced certificate that uniquely identifies the person who applied the signature. In other words, AdES is a collection of electronic data enabling a signatory to be identified. AdES ensures the integrity of the data properties used to link the person to their signature. The signature is created in a way that ensures the signatory has sole control of the signature data, and that makes it possible to determine whether such information has been subsequently altered.
What are Qualified Trust Services and what is their added value?
The security and legal assurance provided by an advanced e-signature is not always sufficient. In this case, the service must be elevated to a qualified trust service. A qualified certificate serves to prove that such requirements have been met. Qualified trust services include:
- Qualified Electronic Signature (QES) is the digital equivalent to a handwritten signature of a natural person, in terms of legal assurances. QES must meet all the requirements of an “advanced” e-signature, with additional requirements applied to the signature creation device by which it’s created. A qualified certificate is attached to attest to the authenticity and integrity of the signature.
- Qualified Certificate is a certified public key, which attests to the authenticity and integrity of electronic signatures, seals, timestamps, or websites and any data attached. The trust offered by the certificate allows for long-term verification and secure data exchange.
- Qualified Electronic Seal is the equivalent to a QES for legal persons (e.g. a business or an organization).
- Qualified Website Authentication Certificates secure the most reliable organizations' websites. The QWAC ensures the credibility of the website for its visitors and signifies an important safety attribute. QWAC certificates are configured to authenticate websites and to secure transmitted data via an asymmetric cryptographic SSL/TLS encryption protocol. QWACs can also be used for PSD2 projects.
Who provides Qualified Trust Services?
A qualified status can be granted to TSPs who undergo national accreditation with their regulator. This qualified status aims at providing a reliable standard for the European market that guarantees a high level of reliability when selecting a trust service provider.
Only a qualified trust service provider (QTSP) who has received authorisation from the supervising body of their EU Member State to provide qualified trust services for creating Qualified Electronic Signatures can issue a qualified digital certificate. A QTSP must be listed on the EU Trust List.
The advantages of remote QES
For the first time, remote electronic signatures can hold the same legal effect as handwritten signatures in a court of law within the EU. The EU eIDAS regulation legally recognizes remote signing, in a court of law, with Qualified Remote Signatures. With remote QES, instead of the signing keys being held locally by users (e.g. on a smartcard), they are held securely in server-based systems or secure cloud services, making them usable from any connected device anywhere in the world.
A remote signature provider enables users to digitally sign legally binding documents or transactions without the need for locally installed software or hardware. The digital signing keys are held in the ‘cloud’, giving a user the freedom and security to sign from a smartphone, tablet, or any other connected device. This typically means all user keys are stored in an encrypted database secured by a Hardware Security Module (HSM).
E-signatures are among the widely used trust services that are enabling digital transformation across the world. Thanks to eIDAS, we now have a secure framework with the highest legal assurance for remote signing services, which offer increased efficiency, extended mobility, and seamless user experiences for citizens and organizations.