The following content is an introduction to trust services and remote Qualified Electronic Signatures (QES) according to the eIDAS regulation and standards. This article is aimed at highlighting what a trust service provider (TSP) is and the valuable benefits of remote QES and other trust services.

So, what is a trust service?  

Trust services extend a trusted framework allowing ongoing digital transaction relationships between EU member states, natural persons, and legal entities.

As the name implies, the trust service provider (TSP), which is closely related to a Certification Authority, is a commercial or governmental agency responsible for providing trust services.

In detail, a trust service is an electronic service facilitating the creation, issuance, revocation, and management of electronic certificates for at least one of the following trust services:

  • Electronic registered delivery service enables parties to securely exchange electronic data by protecting the information from loss, theft, damage or unauthorized alteration. The service also provides proof of data handling, including proof of delivery and receipt.
  • Electronic time stamp binds electronic data to a time to provide evidence that such data existed at that particular time.New call-to-action
  • Advanced electronic signature (AdES) is a digital signature based on an advanced certificate that uniquely identifies the person who applied the signature. In other words, AdES is a collection of electronic data enabling a signatory to be identified. AdES ensures a the integrity of the data properties used to link the person to its signature. The signature is created in a way the ensure the signatory has sole control the signature data, and to determine whether such information has been subsequently altered.

What are Qualified Trust Services and what is their added value?

The security and legal assurance provided by an advanced e-signature is not always sufficient. In this case, the service must be elevated to a qualified trust service. A qualified certificate serves to prove that such requirements have been met. Qualified trust services include:

  • Qualified Electronic Signature (QES) is the digital equivalent to a handwritten signature of a natural person, in terms of legal assurances. QES must meet all the requirements of an “advanced” e-signature, with additional requirements applied to the signature creation device by which it’s created. A qualified certificate is attached to attest for the authenticity and integrity of the signature.
  • Qualified Certificate is a certified public key, which attests to the authenticity and integrity of electronic signatures, seals, timestamps, or websites and any data attached. The trust offered by the certificate allows for long-term verification and secure data exchange.
  • Qualified Electronic Seal is the equivalent to a QES for legal persons (e.g. a business or an organization)
  • Qualified Website Authentication Certificates secure the most reliable organizations' websites. The QWAC ensures the credibility of the website for its visitors and signifies an important safety attribute. QWAC certificates are configured to authenticate websites and to secure transmitted data via an asymmetric cryptographic SSL/TLS encryption protocol. Also, QWAC can also be used, for PSD2 projects.

Who provides Qualified Trust Services?

A qualified status can be granted to TSPs who undergo national accreditation with their regulator. This qualified status aims at providing a reliable standard for the European market that guarantees a high level of reliability when selecting a trust service provider.

Only a qualified trust service provider (QTSP) who has received authorisation from the supervising body of their EU Member State to provide qualified trust services for creating Qualified Electronic Signatures can issue a qualified digital certificate. A QTSP must be listed on the EU Trust List.

Cryptomathic partners with several QTSP across Europe to provide remote QES services to businesses and individuals. Such QTSPs include LuxTrust in Luxembourg and ZetesConfidens in Belgium.

The advantages of remote QES  

For the first time, remote electronic signatures can hold the same legal effect as handwritten signatures in the court of law within the EU. The EU eIDAS regulation legally recognizes remote signing, in a court of law, with Qualified Remote Signatures. With remote QES, instead of the signing keys being held locally by users (e.g on a smartcard), they are held securely in server-based systems or secure cloud services, making them usable from any connected device anywhere in the world.

A remote signature provider enables users to digitally sign legally binding documents or transactions without the need for locally installed software or hardware. The digital signing keys are held in the ‘cloud’ for, enabling a user with the freedom and security to sign from a smartphone, tablet, or any other connected device. This typically means all user keys are stored in a an encrypted database secured by a Hardware Security Module (HSM).

E-signatures are among the widely used trust services that are enabling digital transformation across the world. Thanks to eIDAS, we now have a secure framework with the highest legal assurance for remote signing services, which offer increased efficiency, extended mobility, and seamless user experiences for citizens and organizations.

 

Download white paper

References and Further Reading

Other Related Articles: # Digital Signatures # eIDAS

Want to know how we can help ?

Get in touch to better understand how our solutions secure ecommerce and billions of transactions worldwide.