This article explains what an electronic signature policy is from the perspective of a CISO or other person required to maintain information security.
In business, when parties conduct online transactions with one another, they need assurance that their business communications are secure. The transacting parties may need to assess the validity of digitally signed documents to ensure the signature can be considered binding. This calls for rules and conditions that allow the sender and receiver to prove or check the validity of an electronic signature.
An electronic signature policy is a set of rules drafted into a single policy document that explains the terms and conditions under which an electronic signature can be created or validated.
It is useful to be familiar with the following terms with regard to electronic signature policies:
A signature policy should capture as much of the available information about the transacting parties and the transaction itself as possible. In formal transactions, there needs to be binding proof of the signer's intention for the transaction. A policy may specify the situations in which it is mandatory. A single signature policy may cover multiple types of transaction.
Within a public key infrastructure (PKI) environment, the signer needs to indicate the specific intent of their digital signature. The signature could mean they are committing to a specific action, or it could be used as a challenge response when additional authentication is needed to prove their identity.
Signature policies fall into two general categories:
The policy specifies the technical and procedural elements required to create and validate signatures with regard to the business needs:
When referencing a signature policy, the signer is required to quote the policy's identifier, which consists of the hash value of the policy document and an identifier of the hash algorithm used. The verifier takes that reference and obtains a copy of the policy. The verifier then compares the hash of the received policy with the quoted hash and decides whether to accept the electronic signature.
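The identifier check described above, as an added example that is not part of the original article: the signer quotes the policy hash together with its algorithm identifier (here the XML DSig digest URIs that XAdES uses), and the verifier recomputes the hash over the retrieved policy before accepting. The policy text and the mapping of accepted algorithms are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample policy document standing in for a real signature policy.
SAMPLE_POLICY = b"Example Corp e-signature policy v1: commitment types, " \
                b"allowed algorithms, required certificate path checks."

# Digest algorithm identifiers a verifier agrees to accept, mapped to hashlib names.
# Weak or unknown identifiers are rejected outright rather than silently hashed.
ACCEPTED_DIGESTS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def make_policy_identifier(policy_doc: bytes, digest_uri: str) -> dict:
    """Signer side: build the reference quoted in the signature (algorithm + hash)."""
    algo = ACCEPTED_DIGESTS.get(digest_uri)
    if algo is None:
        raise ValueError(f"digest algorithm not accepted: {digest_uri}")
    return {
        "digest_method": digest_uri,
        "digest_value": hashlib.new(algo, policy_doc).hexdigest(),
    }


def verify_policy_reference(identifier: dict, retrieved_policy: bytes) -> str:
    """Verifier side: recompute the hash of the retrieved policy and compare it
    with the quoted one. Returns a decision string rather than raising, so the
    caller can log the reason a signature was not accepted."""
    algo = ACCEPTED_DIGESTS.get(identifier.get("digest_method", ""))
    if algo is None:
        return "reject: unsupported or missing digest algorithm"
    quoted = identifier.get("digest_value", "")
    if not quoted:
        return "reject: no policy hash quoted"
    actual = hashlib.new(algo, retrieved_policy).hexdigest()
    # Constant-time comparison; mismatch means a different policy was fetched.
    if not hmac.compare_digest(actual, quoted):
        return "reject: retrieved policy does not match quoted hash"
    return "accept: policy reference verified"


if __name__ == "__main__":
    ref = make_policy_identifier(SAMPLE_POLICY, "http://www.w3.org/2001/04/xmlenc#sha256")
    print(verify_policy_reference(ref, SAMPLE_POLICY))
    print(verify_policy_reference(ref, SAMPLE_POLICY + b" (altered)"))
```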
Signature policies as used with XAdES or PAdES make the validation of electronic signatures consistent: if the verifier uses the policy specified by the signer, or the policy implied by the signed data, every verifier reaches the same result. If neither the signer nor the signed data identifies the policy in use, different verifiers could reach inconsistent results.
Under the eIDAS regulation, electronic transactions are legally binding and are treated in the same way as if the document had been signed on paper. This holds provided that the electronic signature policy used to create and verify the signature meets the standards specified under the law.