Cloud-based Digital Signature Schemes Don't Require a Secure Element

- 25 March 2015

In excess of 10 million users across Denmark, Norway, Luxembourg and Austria are already successfully using remote server central signing

European Commission's Framework for E-ID and Trust Services, intended to boost the use of Qualified Electronic Signatures by EU citizens, "should be technology-neutral", says Cryptomathic

Building trust

As the European Commission Directorate General prepares to mandate electronic identification and trust services (eIDAS) - to boost confidence in digital services and encourage more EU citizens to use e-signatures - Cryptomathic calls for new EU standards to recognise the success and prevalence of cloud-based digital signature schemes, which do not use a secure element (SE).

Cryptomathic has released a position paper requesting that the upcoming eIDAS regulation be technology-neutral. The paper calls for the new EU security standards to ensure that cloud-based central signing services, which allow users to remotely generate legally binding Qualified Electronic Signatures (QES) in dedicated tamper-resistant hardware, are referenced within the eIDAS Framework and can be certified, according to Common Criteria, as Qualified Electronic Signature Creation Devices (QSCD).

In the paper, Cryptomathic highlights the successful use of such central signing schemes by over ten million users across several European countries including Denmark, Norway, Luxembourg and Austria and urges the eIDAS regulation to formally recognise these. Cryptomathic also notes that centralised signing systems leave secure logs during the signature generation process, which can be used in dispute cases, giving cloud-based server signing a considerable security advantage over alternative methods.

The paper goes on to state that the introduction of a secure element for end-user and data authentication prior to the generation of e-signatures through a remote signature server - as proposed by Eurosmart - would be at odds with the objectives of the regulation, which are to increase the use of e-signatures through lower costs and easier access and by leveraging existing successful implementations.

Guillaume Forget, Senior Vice President at Cryptomathic Europe, explains: "We agree with the vision set out by the European Commission; to build confidence and encourage the use of e-signatures across the union, we need a consistent framework that boosts user accessibility and convenience, while promoting technical interoperability and innovation.

"Eurosmart, the association that represents the smartcard security industry, has suggested that secure element technology should be a fundamental part of the criteria to certify a QSCD. Cryptomathic entirely disagrees with this view. Not only are digital signature deployments based on this technology scarce, but this approach would require the deployment of hardware microcontrollers, which could potentially drive up costs and impede user experience and mobility. This contradicts the aim of the regulation, which is to get European citizens using e-services through increased usability, lower costs and leveraging existing technology."

Guillaume concludes: "We hope that by releasing our position paper, we can encourage greater awareness and debate on the topic of QSCD certification. Our objective is to ensure a workable and scalable framework is created and ensure that it serves the interest of citizens across Europe, who simply want convenience combined with security and cost-efficiencies."


To download the position paper visit the Cryptomathic website. To find out more about the regulation visit the European Commission website.