The technology and terminology involved in digital signing can be confusing. This article clarifies the meaning and implications of the major terms related to electronic and digital signatures, with particular reference to the EU eIDAS Regulation.
Differentiating between Electronic Signatures and Digital Signatures
A common misconception is that electronic signatures and digital signatures are the same thing. In fact "electronic signature" is the broader term: it covers any electronic data attached to or logically associated with other data that the signatory uses to sign, and a digital signature is one (cryptographic) way of producing one.
An electronic signature is an electronic means by which the person signing acknowledges that they wrote and signed the message being sent. By itself, a simple electronic signature offers no strong security guarantees, and whether it is legally binding depends on the applicable law.
Legal admissibility comes with an implementation that complies with the applicable legislation (e.g., the eIDAS Regulation in the European Union, or the ESIGN Act and UETA in the USA). Note that the NIST Digital Signature Standard (FIPS 186) specifies the signature algorithms themselves, not their legal effect.
Electronic signatures can have the same legal status as a handwritten signature in the United States, the European Union and many other countries throughout the world, when implemented in compliance with the applicable electronic signature schemes and regulations.
Digital signatures are the cryptographic means of implementing electronic signatures and, where the applicable regulation recognizes them, a legally binding one. Based on asymmetric (public-key) cryptography, a digital signature scheme consists of three algorithms:
- A key generation algorithm that randomly selects a private key and derives its corresponding public key.
- A signing algorithm that produces the digital signature from the message and the private key.
- A signature verification algorithm that takes the public key, the message and the digital signature, and accepts or rejects; acceptance confirms that the message came from the holder of the private key and has not been changed since it was signed.
Certificate for Electronic Signature
This certificate is an electronic attestation that links electronic signature validation data (in practice, the signatory's public key) to a natural person and confirms at least the name or a pseudonym of that person.
A trust service is an electronic service that consists of creating, verifying and validating electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and the certificates related to those services; creating, verifying and validating certificates for website authentication; or preserving electronic signatures, seals or certificates related to those services.
Advanced Electronic Signature
A message signed with an advanced electronic signature can be attributed to its signatory and checked for later alteration. An electronic signature is called "advanced" when it meets the following requirements (eIDAS Article 26):
- It is uniquely linked to the signatory.
- It is capable of identifying the signatory.
- It is created using electronic signature creation data (the private key) that the signatory can, with a high level of confidence, use under their sole control.
- It is linked to the signed data in such a way that any subsequent change in the data is detectable; if the signed data is changed, the signature becomes invalid.
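The three algorithms described above (key generation, signing, verification) and the "any subsequent change is detectable" requirement are easiest to see in running code. The following is an added example, not code from the original article or from any trust service provider: it uses Ed25519 from the Go standard library as the signature scheme (the regulation does not prescribe an algorithm; Ed25519 is an assumption here), and the document content, the `SignedDocument` structure and the single-bit `Tamper` helper are all constructed for illustration. Binding the public key to a person via a certificate, which is what a trust service provider adds, is out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedDocument is what a relying party receives: the signed content, the
// signature over it, and the signer's public key. In a real deployment the
// public key would arrive inside a certificate for electronic signature
// issued by a trust service provider; that binding is not modelled here.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// ErrBadSignature is returned whenever verification fails; Ed25519 gives a
// single accept/reject answer, so one cannot tell from the signature alone
// whether the content, the signature or the key was the part that changed.
var ErrBadSignature = errors.New("signature does not verify: content altered, wrong key, or forged signature")

// GenerateKeys is the key generation algorithm: it draws a random private
// key from the system CSPRNG and derives the matching public key.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument is the signing algorithm: it produces the signature from the
// message and the private key, and bundles content, signature and public key.
func SignDocument(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signature: ed25519.Sign(priv, content),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// VerifyDocument is the verification algorithm: given public key, message and
// signature it accepts (nil) or rejects (ErrBadSignature). A malformed key is
// reported separately because ed25519.Verify panics on a wrong-sized key.
func VerifyDocument(doc SignedDocument) error {
	if len(doc.Signer) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(doc.Signer, doc.Content, doc.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper returns a copy of doc with one bit flipped in the content at byte
// index i. It models a post-signing change; the original doc is untouched.
func Tamper(doc SignedDocument, i int) SignedDocument {
	t := doc
	t.Content = append([]byte(nil), doc.Content...)
	t.Content[i] ^= 0x01
	return t
}

func main() {
	_, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample content; the IBAN is a placeholder, not a real account.
	content := []byte("Transfer EUR 100 to IBAN DE00 0000 0000 0000 0000 00")
	doc := SignDocument(priv, content)

	fmt.Println("original      :", VerifyDocument(doc))            // <nil>
	fmt.Println("1 bit changed :", VerifyDocument(Tamper(doc, 13))) // ErrBadSignature

	// The signature also fails against any key other than the signer's.
	other, _, _ := GenerateKeys()
	swapped := doc
	swapped.Signer = other
	fmt.Println("wrong key     :", VerifyDocument(swapped)) // ErrBadSignature
}
```

The sole-control requirement is not visible in the code: it is a property of where `priv` lives (a smart card, HSM or other signature creation device) rather than of the algorithm, which is why eIDAS regulates the device separately from the signature format.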
Being defined in a European regulation (eIDAS), an advanced electronic signature has legal effect throughout the EU.
The EU recognizes three eIDAS-compliant formats for implementing advanced electronic signatures with digital signatures, all specified by ETSI: XAdES (XML Advanced Electronic Signatures), PAdES (PDF Advanced Electronic Signatures) and CAdES (CMS Advanced Electronic Signatures).
Under Article 25(1) of the eIDAS Regulation, an electronic signature (advanced or not) shall "not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures". An advanced electronic signature reaches a higher probative value when enhanced to a qualified electronic signature: Article 25(2) grants a qualified electronic signature the equivalent legal effect of a handwritten signature.
Qualified Electronic Signature
A qualified electronic signature is an "advanced electronic signature with a digital certificate that has been encrypted by a secure signature creation device" (UK Government, 2014). In the terms of eIDAS Article 3(12), it is an advanced electronic signature that is created by a qualified electronic signature creation device and is based on a qualified certificate for electronic signatures.
A qualified electronic signature therefore raises the level of assurance above that of an advanced electronic signature, and is, by law, equivalent to a handwritten signature.
Provided the signature meets all the requirements set forth under eIDAS for qualified electronic signatures, it can be used as evidence in court proceedings. All EU Member States must recognize a qualified electronic signature based on a qualified certificate issued in another Member State (Article 25(3)).
eIDAS takes a tiered approach to legal value, giving the qualified electronic signature a stronger legal standing than the advanced electronic signature and placing it on the same level as a handwritten signature. Article 27(3) of eIDAS provides that "Member States shall not request for cross-border use in an online service offered by a public sector body an electronic signature at a higher security level than the qualified electronic signature".
Qualified Certificate for Electronic Signature
A certificate for electronic signature that is issued by a qualified trust service provider and meets the requirements laid down in Annex I of eIDAS. It attests to the identity of the signatory and is one of the two ingredients (with a qualified signature creation device) that make a signature qualified.
Bodies Involved with the Process of Digital Signing
- Conformity Assessment Body – a body as defined in Article 2(13) of Regulation (EC) No 765/2008, accredited in accordance with that Regulation as competent to assess the conformity of a qualified trust service provider and the qualified trust services it provides.
- Trust Service Provider – a natural or legal person that provides one or more trust services, either as a qualified or as a non-qualified trust service provider.
- Qualified Trust Service Provider – a trust service provider that provides one or more qualified trust services and has been granted qualified status by the supervisory body.
Digital Signature Creation Devices
- Qualified Signature Creation Device (QSCD) – configured software or hardware used to create an electronic signature that meets the requirements of Annex II of eIDAS: the signature creation data (the private key) is practically unique and confidential, cannot with reasonable assurance be derived, is protected against forgery with currently available technology, and can be reliably protected by the legitimate signatory against use by others; the device must not alter the data to be signed or prevent it from being presented to the signatory before signing. Where a qualified trust service provider generates or manages the signature creation data on the signatory's behalf (remote signing), it may do so only under the conditions of Annex II. The QSCD is the eIDAS successor to the SSCD below.
- Secure Signature Creation Device (SSCD) – the corresponding term under the repealed Directive 1999/93/EC (Annex III). An SSCD must ensure that the signature-creation data used for signature generation can practically occur only once and that its secrecy is reasonably assured, that it cannot be derived and the signature is protected against forgery, and that the legitimate signatory can reliably protect it against use by others.
References and Further Reading
- Selected articles on Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and more
- Trust Services and eID (retrieved 11.01.2016) by the European Commission
- Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014)