This article explains what an electronic signature policy is from the perspective of a CISO or other person required to maintain information security.
In business, when parties conduct online transactions with one another, there needs to be an assurance that their business communications are secure. The transacting parties may need to assess the validity of digitally signed documents to ensure the signature can be considered binding. This necessitates the rules and conditions that will allow the sender and receiver to prove or check the validity of an electronic signature.
An electronic signature policy is a set of rules drafted into a single policy document that explains the terms and conditions under which an electronic signature can be created or validated.
Terms to Be Familiar With
It is useful to be familiar with the following terms with regard to electronic signature policies:
- Signature policy issuer – the party that defines both procedural and technical requirements to be used in creating and validating electronic signatures.
- Signature validation policy – a part of the policy that provides the technical requirements to the signer for creating a signature and to the verifier for validating a signature.
- Public key certificate – data, issued by a certification authority, that binds the identity of the subscriber to their public key.
Context of a Signature Policy
A signature policy should capture as much of the available information as possible about the parties conducting the electronic transaction and about the transaction itself. In formal transactions, there needs to be binding proof of the signer’s intention for the transaction. A policy may specify the situations in which it is mandatory. It may be possible to use a single signature policy for multiple types of transactions.
Signature Policy and PKI
Within a public key infrastructure (PKI) environment, the signer will need to indicate the specific intent of their digital signature. Their signature could mean they are committing to a specific action or it could be used as a challenge when additional authentication is needed to prove their identity.
Types of Signature Policies
Signature policies fall into two general categories:
- Single signature transactions – a transaction includes only one signer; the policy indicates whether that single signature is valid or not.
- Multiple party signatures – multiple parties participate in a transaction.
Roles under an Electronic Signature Policy
- Signature policy issuer – legal/natural persons or organizations that set the conditions under which the electronic signature is considered legally binding.
- Signature policy user – natural persons who act on their own behalf or under a business role in either one of two capacities:
  - Signer – the creator of the electronic signature
  - Verifier – ensures the authenticity of the policy and decides whether to accept or reject the signed transaction
Content of a Signature Policy
The policy will specify the technical and procedural elements required to create and validate signatures with regard to the business needs they serve:
- Information regarding the general signature policy:
  - Signature policy issuer name
  - Signature policy identifier
  - Signing period
  - Date of issue
  - Field of application
- Signature validation, where upon receipt the recipient is required to validate the signature before proceeding further
- Signature validation policy:
  - Common rules applied to all commitment types
  - Commitment rules for certain commitment types
- Signature validation information appropriate to the signature validation policy
- Signature policy publication, to make the policy available to users
- Signature policy archiving, which provides a means to verify electronic signatures after the validity of the policy has expired
Usage of Signature Policy
When referencing a signature policy, the signer is required to quote the policy’s identifier, which consists of the hash value of the policy and the identifier of the hash algorithm used to compute it. The verifier takes this reference, obtains a copy of the policy, computes the hash of the retrieved copy and compares it with the hash quoted by the signer before deciding whether to accept the electronic signature.
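The reference-and-check exchange described above, written out as an added example (not code from the original article or from any of the cited standards). The policy text, the policy identifier and the list of accepted hash algorithms are constructed assumptions; the point is that the verifier recomputes the digest over the copy it actually retrieved, and only with an algorithm it is willing to trust.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: the verifier accepts only these digest algorithms for a policy
# reference; a reference quoting MD5 or SHA-1 is rejected outright.
ACCEPTED_HASH_ALGORITHMS = {"sha256", "sha384", "sha512"}


@dataclass(frozen=True)
class SignaturePolicyIdentifier:
    """What the signer quotes: which policy, hashed with which algorithm, giving which digest."""
    policy_id: str        # hypothetical identifier chosen by the policy issuer
    hash_algorithm: str   # name of the digest algorithm applied to the policy document
    hash_value: str       # hex digest of the policy document


def reference_policy(policy_id: str, policy_document: bytes,
                     hash_algorithm: str = "sha256") -> SignaturePolicyIdentifier:
    """Signer side: digest the exact policy document in force and quote it."""
    digest = hashlib.new(hash_algorithm, policy_document).hexdigest()
    return SignaturePolicyIdentifier(policy_id, hash_algorithm, digest)


def verify_policy_reference(ref: SignaturePolicyIdentifier,
                            retrieved_document: bytes) -> tuple[bool, str]:
    """Verifier side: recompute the digest over the retrieved copy and compare."""
    if ref.hash_algorithm not in ACCEPTED_HASH_ALGORITHMS:
        return False, f"hash algorithm {ref.hash_algorithm!r} is not accepted by this verifier"
    recomputed = hashlib.new(ref.hash_algorithm, retrieved_document).hexdigest()
    # Constant-time comparison; a mismatch means the retrieved copy is not the
    # policy the signer committed to (tampered, outdated or the wrong document).
    if not hmac.compare_digest(recomputed, ref.hash_value):
        return False, "retrieved policy does not match the digest quoted by the signer"
    return True, "policy reference verified"


# Constructed sample policy text standing in for a real issuer's document.
POLICY_V1 = b"Signature policy v1: issuer=Example Corp; commitment=approval; period=2024-2026\n"
# Constructed altered copy, as a verifier might receive if the published copy were replaced.
POLICY_V1_ALTERED = b"Signature policy v1: issuer=Example Corp; commitment=any; period=2024-2099\n"

if __name__ == "__main__":
    ref = reference_policy("urn:example:sigpolicy:v1", POLICY_V1)
    print(verify_policy_reference(ref, POLICY_V1))          # (True, ...)
    print(verify_policy_reference(ref, POLICY_V1_ALTERED))  # (False, ...)
```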
Consistency of Signature Policies
Policies associated with XAdES or PAdES can be used to determine whether validated electronic signatures give consistent results. If the verifier uses the policy that was specified, or the policy implied by the signed data, the validation result will be consistent. However, if neither the signer nor the signed data specifies the policy that was used, the verifier may obtain an inconsistent result.
Legal Aspects of Electronic Signatures
Under the eIDAS regulation, electronic transactions are legally binding and are treated in the same regard as if the document had been signed on paper. This holds provided that the electronic signature policy used to create and verify the signature meets the standards specified under the law.
References and Further Reading
- Selected articles on Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen and Dawn M. Turner
- RFC 3125: Electronic Signature Policies (2001), by J. Ross, D. Pinkas and N. Pope
- ETSI TR 102 041 V1.1.1: Signature Policies Report (2002), by the European Telecommunications Standards Institute (ETSI)
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission