The technology and terms that are involved with digital signing can be confusing. This article attempts to clarify the meaning and implications of the major terms related to digital signatures.
A common misconception is that electronic signatures and digital signatures are the same; however, electronic signatures have a broader scope than digital signatures.
An electronic signature is an electronic means by which the person who is signing acknowledges that they have written and signed the message that has been sent. By itself, an electronic signature does not offer a high level of security, nor is it in general legally binding.
Legal admissibility comes with an implementation in compliance with international law (e.g., eIDAS in the European Union or NIST-DSS in the USA).
Electronic signatures can be considered to have the same legal status as a handwritten signature in the United States, the European Union and many other countries throughout the world, when implemented in compliance with the applicable electronic signature schemes and regulations.
Digital signatures are a secure and legally binding means to implement electronic signatures. Using asymmetric cryptography, a digital signature is secured and authenticated by using three algorithms:
This certificate is an electronic attestation that links electronic signature validation data to its signatory and is able to confirm the identity of that person.
A trust service is an electronic service that is responsible for creating, verifying and validating electronic signatures, seals, time-stamps, delivery services and certificates that are used for those services, in addition to website authentication. It also is responsible for preserving those electronic signatures, seals or certificates.
Messages that have been signed with an advanced electronic signature are considered authentic. An electronic signature is called "advanced" when it meets the following requirements:
Being defined in a European regulation (eIDAS), an advanced electronic signature is legally binding in the EU.
Following Article 25 (1) of the eIDAS regulation, an advanced electronic signature shall “not be denied legal effect and admissibility as evidence in legal proceedings …” However, it will reach a higher probative value when enhanced to a qualified electronic signature. Article 24 (2) of the eIDAS Regulation grants a qualified electronic signature the same legal effect as a handwritten signature.
A qualified electronic signature is an "advanced electronic signature with a digital certificate that has been encrypted by a secure signature creation device" (UK Government, 2014).
A qualified electronic signature hence increases the level of security given by an advanced electronic signature. It is therefore, by law, equivalent to a handwritten signature.
Provided the signature meets all the requirements set forth under eIDAS for qualified electronic signatures, it can be used in a court proceeding as evidence. All EU Member States must recognize this type of signature as valid if it has been produced with a qualified certificate issued from another Member State.
eIDAS is designed with a tiered approach to legal value, giving the qualified electronic signature a stronger legal standing than the advanced electronic signature and setting the qualified electronic signature on the same level as a handwritten signature. Article 27 (3) of eIDAS regulates that "Member States shall not request for cross-border use in an online service offered by a public sector body an electronic signature at a higher security level than the qualified electronic signature".
A certificate that is issued by a qualified trust service provider and is used to attest to the authenticity of a qualified electronic signature.