blog-local-vs-remote-signing-stage

Local vs. remote signing and sealing according to eIDAS

One of the eIDAS objectives is the creation of a European market for electronic trust services with the same legal status and validity as paper-based processes – consistently applied across all member states.

Two of these trust services we would like to highlight in this blog post are qualified / advanced electronic signatures and seals.

How to ensure trust, transparency and integrity of documents and transactions based on (qualified) electronic signatures & seals

Qualified electronic signatures and seals can be generated and applied locally, or remotely with a trust service provider creating the signature or seal on behalf of the signatory, i.e. the individual/company who signs/seals.

Digitization has created an exponential increase in electronic business transactions and online services, requiring strong security for every aspect of a transaction. Citizens, companies and government bodies all take benefit from the eIDAS regulation: less administrative burden due to more efficient processes, support for innovative digital services moving away from paper processes and a better user experience all along the line.

Introducing the qualified electronic seal under eIDAS

Since electronic signatures can only be created by individuals (natural persons), not companies or organizations, eIDAS introduced the concept of qualified electronic seals. These are created by legal entities to proof the origin and integrity of data and documents issued by them. The sealing requirements and processes are – other than that – very similar to what the paragraph about signing states here below.

The difference between qualified and advanced signatures (or seals)

  • An “electronic signature” is any digital form of a signature, e.g. simply the scan or picture of a handwritten signature. It is rather easy to forge or apply/replicate without the signatory’s consent.
  • An “advanced electronic signature” is a signature that meets the requirement set forward by the eIDAS regulation, e.g. that only the signatory is able to create it.
  • The most secure form is the “qualified electronic signature” which in addition is based on a qualified certificate and requires a QSCD for its creation.

Local signing versus remote signature creation (server signing)

The eIDAS regulation introduces the concept of remote signing / server signing as opposed to local signing. While local signing uses cryptographic keys stored on the user’s device to create a signature, server signing relies on a trust service provider (TSP) to remotely generate and manage the signing keys on the signatory’s behalf. This eases the burden for users to securely manage their own keys and transfers this responsibility to an expert in the field.

Under eIDAS, Qualified Signature or Seal Creation Devices (QSCD) are required for issuing qualified certificates and for using qualified certificates, i.e. for the generation of electronic signatures and seals. In the case of server signing, a so-called Signature Activation Module (SAM) is part of the QSCD. It must be Common Criteria (CC) certified based on the eIDAS Protection Profile (PP) EN 419 241-2 “QSCD for Server Signing” to meet the requirements of such a QSCD.

The SAM in turn must interact with a Hardware Security Module that is CC-certified based on the eIDAS PP EN 419 221-5 “Cryptographic Module for Trust Services”.

Blog_local-vs-remote-signing-eIDAS-SAM-HSM-infographic

Source: Utimaco, based on the ETSI standard EN 419 241 and related PPs

In the past, no common certification framework existed, and alternative certification processes and test methods have been applied. With the eIDAS Protection Profiles EN 419 221-5 now available, this changes.

The Utimaco CryptoServer CP5 Hardware Security Module (HSM) has been certified according to this eIDAS Protection Profile EN 419 221-5 “Cryptographic Module for Trust Services”. Equipped with the certification, it creates the most flexible basis for developments of a SAM according to EN 419 241-2.

For evaluation and integration testing, please get in touch at hsm@utimaco.com to get access to the Utimaco eIDAS Hardware Security Module Simulator.

This blog was first published on August 22, 2018

References

To find more press releases related with below topics, click on one of the keywords:

Wie können wir Ihnen helfen?

Sprechen Sie mit einem unserer Spezialisten und erfahren Sie, wie Utimaco Sie unterstützen kann.
Sie haben zwei verschiedene Arten von Downloads ausgewählt, so dass Sie verschiedene Formulare absenden müssen, die Sie über die beiden Tabs auswählen können.

Ihre Download-Sammlung:

    Direkt nach dem Absenden des Formulars erhalten Sie die Links zu den von Ihnen ausgewählten Downloads.

    Ihre Download-Sammlung:

      Für diese Art von Dokumenten muss Ihre E-Mail Adresse verifiziert werden. Sie erhalten die Links für die von Ihnen ausgewählten Downloads per E-Mail, nachdem Sie das unten stehende Formular abgeschickt haben.

      Downloads von Utimaco

      Besuchen Sie unseren Download-Bereich und wählen Sie aus: Broschüren, Datenblätter, White-Papers und vieles mehr. 

      Fast alle können Sie direkt ansehen und speichern (indem Sie auf den Download-Button klicken).

      Für einige Dokumente muss zunächst Ihre E-Mail-Adresse verifiziert werden. Der Button enthält dann ein E-Mail-Symbol.

      Download via e-mail

       

      Der Klick auf einen solchen Button öffnet ein Online-Formular, das Sie bitte ausfüllen und abschicken. Sie können mehrere Downloads dieser Art sammeln und die Links per E-Mail erhalten, indem Sie nur ein Formular für alle gewählten Downloads ausfüllen. Ihre aktuelle Sammlung ist leer.