Electronic signatures are intended to replace paper-based processes with purely electronic means in order to speed up the exchange of goods and services. For businesses to operate in a legal framework and exploit the potential of digital signatures, a regulation was necessary: the European Union adopted eIDAS, which came into force on 1 July 2016.
In this context, the key instrument of the new framework is the Advanced Electronic Signature (AdES). It replaces the paper-based signature, and its main objective is to prevent tampering and fraud.
The implementation of digital signatures
The EU regulation defines a list of requirements but leaves the implementation open. Nevertheless, a reference implementation has been published; it is based on Public Key Infrastructure (PKI), a cryptographic scheme built on a public-private key pair and on a set of roles, algorithms, processes and policies.
The signatory generates a pair of cryptographic keys – based on specific cryptographic algorithms – that are tightly linked to one another: one key is kept private in a protected container which remains under the sole control of the signatory; the other key is public and can be shared with anybody. Revealing or computing the private key, even with knowledge of the public key, is not feasible within a realistic timeframe. The two linked keys can be employed to sign and validate electronic documents, or any electronic data.
By applying a dedicated cryptographic algorithm, the signatory uses the private key to create an AdES for an electronic document. The algorithm is usually integrated into the container that protects the key. The container can be a cryptographic smartcard or any other suitable hardware device, a software application, or a cloud service that the signatory uses remotely by means of a local authentication device or mobile app.
By applying the corresponding verification algorithm, the public key can subsequently be used by any relying party to validate an AdES for a given electronic document.
Certificate Authorities act as independent and trusted third parties by signing the public key of a signatory, thus ensuring that such keys are bound to identified legal entities or private persons. Such authorities also have the prerogative to revoke, or not to renew, the certificates they have issued.
Each EU Member State publishes an official list of these authorities, the national Trusted List, which is publicly available.
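As an added example (not from this page, and not the reference implementation it mentions), the following Go program walks through the PKI roles just described: a Certificate Authority signs a signatory's public key, the signatory signs a document with the private key, and a relying party validates the signature only after checking that the certificate chains to a trusted root. Ed25519 is used for brevity, the names are constructed, and a pool of trusted root certificates stands in for the Trusted List.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newIdentity generates a key pair and a certificate in which the CA (caCert, caKey)
// signs the new public key; with caCert == nil it builds the CA's own self-signed root.
func newIdentity(name string, caCert *x509.Certificate, caKey ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // the private half stays with the holder
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, // constructed name, see the test data
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if caCert == nil { // self-signed root that is allowed to issue certificates
		caCert, caKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign produces the signature over the document with the signatory's private key.
func Sign(key ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(key, doc)
}

// Verify is the relying party's check: certificate chains to a trusted root, signature matches.
func Verify(doc, sig []byte, cert *x509.Certificate, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return false // unknown CA, expired certificate, or a certificate not meant for this use
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, doc, sig)
}
```

A modified document, or a certificate issued by a CA outside the trusted pool, makes Verify return false even though the signature bytes are untouched.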
Qualified Electronic Signatures
eIDAS defines a further level of signature with stricter requirements. Devices that satisfy a particular set of requirements are called Qualified Signature Creation Devices (QSCD); they can produce a higher level of signature, the Qualified Electronic Signature (QES), which relies on a Qualified Certificate (QC). Service Providers that own a QC and can generate a QES are called Qualified Trust Service Providers (QTSP).
The eIDAS Regulation stipulates that a QES has the same legal effect as a handwritten signature and must be recognized in all EU Member States.
Many Service Providers, many potential implementations
An important requirement is interoperability: different implementations must be usable independently of the underlying technology, especially across borders. A signature issued by one company should be verifiable by any third party.
ETSI has therefore defined a set of technical standards:
- XAdES, XML-based, which can be employed for signing any kind of electronic document or data (e.g., SEPA transactions, binary data, PDF documents, images, etc.)
- PAdES, PDF-based, which only works with PDF documents. Although limited to PDFs, it is currently the most widely used mechanism, thanks to its relative simplicity and its quick adoption by major players.
- CAdES, which applies to all documents and data but is currently less powerful than XAdES and does not offer particular advantages over it.