Blog - Cryptomathic

What Is An Electronic Signature Policy?

Written by Dawn M. Turner (guest) | 31. March 2016

This article explains what an electronic signature policy is from the perspective of a CISO or other person required to maintain information security.

In business, when parties conduct online transactions with one another, there needs to be an assurance that their business communications are secure. The transacting parties may need to assess the validity of digitally signed documents to ensure the signature can be considered binding. This calls for rules and conditions that allow the sender and receiver to prove or check the validity of an electronic signature.

An electronic signature policy is a set of rules drafted into a single policy document that explains the terms and conditions under which an electronic signature can be created or validated.

Terms to Be Familiar With

It is useful to be familiar with the following terms in regards to electronic signature policies:

  • Signature policy issuer – the party that defines both procedural and technical requirements to be used in creating and validating electronic signatures.
  • Signature validation policy – a part of the policy that provides the technical requirements to the signer for creating a signature and to the verifier for validating a signature.
  • Public key certificate – data that ties the identity of the public key subscriber to the private key issued by the certification authority.

Context of a Signature Policy

A signature policy should capture as much information as is available about the parties conducting the electronic transaction and about the transaction itself. In formal transactions, there needs to be binding proof of the signer’s intention for the transaction. A policy may specify the situations in which it is mandatory. It may be possible to use a single signature policy for multiple types of transactions.

Signature Policy and PKI

Within a public key infrastructure (PKI) environment, the signer will need to indicate the specific intent of their digital signature. Their signature could mean they are committing to a specific action or it could be used as a challenge when additional authentication is needed to prove their identity.

Types of Signature Policies

Signature policies fall into two general categories:

  • Single signature transactions – a transaction includes only one signer; the policy will indicate whether the single signature is valid or not
  • Multiple party signatures – multiple parties are participating in a transaction.

Roles under an Electronic Signature Policy

  • Signature policy issuer – legal/natural persons or organizations that set the conditions under which the electronic signature is considered legally binding.
  • Signature policy user – natural persons who act on their own behalf or under a business role in either one of two capacities:
    1. Signer – the creator of the electronic signature
    2. Verifier – ensures the authenticity of the policy and decides whether to accept or reject the signed transaction

Content of a Signature Policy

The policy will specify the technical and procedural elements that are required to create and validate signatures in line with the business needs:

  • Information regarding general signature policy:
    • Signature policy issuer name
    • Signature policy identifier
    • Signing period
    • Date of issue
    • Field of application
  • Signature validation where upon receipt the recipient is required to validate the signature before proceeding further
  • Signature validation policy
    • Common rules applied to all commitment types
    • Commitment rules for certain commitment types
  • Signature validation information that is appropriate for the signature validation policy
  • Signature policy publication to make the policy available to users
  • Signature policy archiving provides a means to verify electronic signatures where the validity of the policy has expired

Usage of Signature Policy

When referencing a signature policy, the signer is required to quote the policy’s identifier, which consists of the hash value of the policy and the identifier of the hash algorithm used to compute it. The verifier obtains the reference and retrieves a copy of the policy. The verifier then compares the hash computed over the received policy with the hash quoted in the reference, and on that basis decides whether to accept the electronic signature.

Consistency of Signature Policies

Policies associated with XAdES or PAdES can be used to determine whether validated electronic signatures produce consistent results. If the verifier uses the policy specified by the signer, or the policy implied by the signed data, the validation result will be consistent. However, if neither the signer nor the signed data specifies the policy that was used, the verifier may obtain an inconsistent result.
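The reference-and-hash check described under Usage of Signature Policy, the policy fields listed under Content of a Signature Policy, and the consistent versus inconsistent outcomes discussed above, worked through as an added Python example (this is not code from the original post or from Cryptomathic). It assumes a JSON policy document held in a simple in-memory policy store and the three outcome names VALID, INVALID and INDETERMINATE; the issuer name, policy identifier, dates, field of application and validation rules in the sample policy are constructed values. The three-part reference (policy id, hash algorithm, hash value) mirrors the structure of an XAdES SignaturePolicyIdentifier but the code is not an XAdES implementation.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample policy document covering the fields listed in the article.
# Every value here (issuer, identifier, dates, field of application, rules) is made up.
SAMPLE_POLICY = {
    "issuer_name": "Example Corp Signature Policy Authority",
    "identifier": "urn:example:sigpolicy:purchase-orders:1",
    "date_of_issue": "2016-03-01",
    "signing_period": {
        "not_before": "2016-03-01T00:00:00+00:00",
        "not_after": "2018-12-31T23:59:59+00:00",
    },
    "field_of_application": "Purchase orders between Example Corp and its suppliers",
    "validation_policy": {
        "common_rules": {"min_rsa_key_bits": 2048, "require_timestamp": True},
        "commitment_rules": {"proof-of-approval": {"signer_role_required": "Purchasing Manager"}},
    },
}


def canonical_bytes(policy: dict) -> bytes:
    """Serialise the policy deterministically so signer and verifier hash identical bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_policy_reference(policy: dict, hash_alg: str = "sha256") -> dict:
    """Signer side: quote the policy identifier together with the hash algorithm and
    the hash value of the policy (the content of a signature policy identifier)."""
    digest = hashlib.new(hash_alg, canonical_bytes(policy)).hexdigest()
    return {"sig_policy_id": policy["identifier"], "hash_alg": hash_alg, "hash_value": digest}


def validate_policy_reference(reference, signing_time: datetime, store: dict) -> str:
    """Verifier side: fetch the referenced policy, recompute its hash, compare it with
    the quoted hash, and check the signing time against the policy's signing period.
    Returns 'VALID', 'INVALID' or 'INDETERMINATE'."""
    if reference is None:
        # No policy quoted and none implied by the signed data: the verifier cannot
        # know which rules apply, so the result is not reliably reproducible.
        return "INDETERMINATE"
    policy = store.get(reference["sig_policy_id"])
    if policy is None:
        return "INDETERMINATE"  # the referenced policy cannot be obtained
    try:
        recomputed = hashlib.new(reference["hash_alg"], canonical_bytes(policy)).hexdigest()
    except ValueError:
        return "INVALID"  # hash algorithm identifier not recognised
    # Constant-time comparison of the quoted hash with the hash of the retrieved copy.
    if not hmac.compare_digest(recomputed, reference["hash_value"]):
        return "INVALID"  # the policy copy does not match what the signer committed to
    period = policy["signing_period"]
    not_before = datetime.fromisoformat(period["not_before"])
    not_after = datetime.fromisoformat(period["not_after"])
    if not (not_before <= signing_time <= not_after):
        return "INVALID"  # signed outside the period in which the policy applies
    return "VALID"


def demo() -> dict:
    """Run the verifier over several scenarios and return the outcome of each."""
    store = {SAMPLE_POLICY["identifier"]: SAMPLE_POLICY}
    reference = make_policy_reference(SAMPLE_POLICY)
    in_period = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
    after_period = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)

    # A published copy that was altered after the signer hashed the original.
    tampered = json.loads(json.dumps(SAMPLE_POLICY))
    tampered["field_of_application"] = "Any contract of any value"
    tampered_store = {tampered["identifier"]: tampered}

    bad_alg = dict(reference, hash_alg="no-such-hash")

    return {
        "explicit_policy": validate_policy_reference(reference, in_period, store),
        "no_policy_quoted": validate_policy_reference(None, in_period, store),
        "policy_not_obtainable": validate_policy_reference(reference, in_period, {}),
        "altered_policy_copy": validate_policy_reference(reference, in_period, tampered_store),
        "unknown_hash_alg": validate_policy_reference(bad_alg, in_period, store),
        "outside_signing_period": validate_policy_reference(reference, after_period, store),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24} {outcome}")
```

The deterministic serialisation matters: if signer and verifier hash different byte representations of the same policy (whitespace, key order), every check fails even though the policy is genuine, so a real deployment hashes the published artefact exactly as distributed. The INDETERMINATE outcome for a missing reference is what the consistency discussion above describes: without a quoted or implied policy, two verifiers may legitimately apply different rules and reach different conclusions.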

Legal Aspects of Electronic Signatures

Under the eIDAS regulation, electronic transactions are legally binding and are treated in the same way as if the document had been signed on paper, provided that the standards specified within the electronic signature policy used to create and verify the signature meet the requirements set out in the law.
