After reviewing (here and here) six basic, common-sense behaviours to protect your electronic identity and to use trust services and devices safely, we will now focus on best practices when adopting and using electronic signature technology. In this article and the next one, we will go together through six recommendations, as well as some practical advice, that will ensure your electronic signature remains valid and provides you with the right legal assurance for an extended period of time.
1. Use only standards-based electronic signature technology
In an emerging market such as electronic signatures, vendors and providers come and go. Some of them thrive; others, after a while, decide to change their services or go out of business altogether. So, what do you do in any of these situations? How can you be sure that your electronic signature remains valid and accessible?
Technology standards are extremely important, as they create a stable environment that favours technology neutrality. By using a technology based on and developed according to published, commonly recognised standards, you will be able to access and verify your electronically signed documents at any moment in the future using any available software, even in the most unfortunate of scenarios. Opting from the beginning for a standards-based electronic signature technology also leaves room for manoeuvre if, one day, you decide to change providers. It enables a smoother migration of systems, which translates into lower transition costs and fewer unforeseen issues to deal with.
Furthermore, we should bear in mind that standards usually rely on regulatory requirements or are even imposed by authorities. So, documents signed electronically according to industry standards are also compliant with current regulation, at least to a higher degree than non-standardised e-signature means. In addition, electronic signatures created according to international standards are equipped with a set of features that offer higher protection against security threats and in case of litigation.
In the field of electronic signature creation and closely related areas, a wide array of standards has already been published. Below you will find a non-exhaustive list of the most common standards and certifications to ask your trust service provider about, which also leads us to the second point.
- ETSI Electronic signature standards
- ISO standards (ISO 9001:2008, ISO 27001:2013, ISO 20000:2011, ISO 14533:2017 …)
- The European Committee for Standardization (CEN) standards (TS 419 261:2015…)
- The Internet Engineering Task Force (IETF) standards (IETF RFC 5280, IETF RFC 6960…)
- Certification Authority Browser Forum (CA/Browser Forum) baseline requirements
2. Collaborate only with trusted, certified providers
While the above standards refer mostly to the technology required to execute electronic signatures, they go hand in hand with the certifications or formal recognition of the providers themselves. Any seasoned businessman knows the value of due diligence, of asking for references and checking the portfolio of future business providers, so we will not insist on these aspects here. We would like to point out that certified trust service providers, unlike any other providers, must meet specific sets of stringent legal requirements in order to gain and maintain their status. They are regularly audited and controlled by independent regulatory bodies which assess and vouch for their service quality. Therefore, they present a higher level of trustworthiness, reliability and commitment towards excellence in the industry.
We detailed here the role of qualified trust service providers in creating eIDAS electronic signatures with the highest level of assurance, and how to recognise them on the market. So, now it is time to get more practical. We will show you how to make sure that the e-signature you have created or seen is provided by an accredited trust service provider in Europe. For this, open with Adobe Reader or Acrobat any PDF document that you want to sign. Go to Edit -> Preferences. In the window that opens, choose the Trust Manager sub-section on the left side. Then, make sure that in the Automatic Adobe Approved Trust List (AATL) updates and Automatic European Union Trusted List (EUTL) updates sections the “Load trusted certificates from an Adobe AATL/EUTL server” option is checked, as shown below.
Why is this important?
To guarantee the security, authenticity and integrity of an electronic signature, Adobe created the Adobe Approved Trust List (AATL). It is a collection of trusted certificates issued by certification authorities, businesses or governments from around the world. To be published on the list, these entities must submit an application that is verified and approved by Adobe. The list is regularly updated and the software is programmed to download it periodically. If the created electronic signature is linked to a digital certificate on the AATL, Adobe confirms that the signature is valid and can be trusted.
Moreover, Adobe also created the European Union Trusted List (EUTL). This list includes the European qualified trust service providers (QTSPs) published on the EU Trusted List. It is obviously a smaller list, as it is limited to the QTSPs and their qualified trust services acknowledged by EU Member States as being eIDAS compliant. It is very likely that some (if not all) QTSPs are also present in the AATL, but for an increased level of assurance, select the EUTL as well. You will get the guarantee that the e-signature you executed is valid and belongs to a provider acknowledged by independent EU bodies.
Working with certified trust service providers whose services are based on commonly recognised technology standards is a sine qua non condition. It ensures you take the innovation leap without compromising the long-term safety and development of your company. In the next post, we will focus on four more best practices when using electronic signature technology. Stay tuned…