Definition: Remote signing, also known as server signing, refers to the process of digitally signing documents or files using a remote server or a trusted third-party service provider. It is a mechanism that eliminates the necessity for physical presence to securely sign documents by using a digital signature.
Remote signing/ Server signing explained
When signing remotely, the signing party utilizes a web-based application or a remote server to create a digital signature. The server or service provider typically maintains the private key necessary for generating the digital signature, while the signing party possesses the corresponding public key. This separation of keys ensures the security and integrity of the signing process.
The concept of remote signing was developed in response to eIDAS Regulation No. 910/2014 and allows the generation of Qualified Electronic Signatures (QES) and Advanced Electronic Signatures (AdES) using an electronic signature creation device that complies with the standards. A Trust Service Provider (TSP) acting on behalf of the signer (user) controls QES and AdES remotely. The user is solely responsible for maintaining the security of their signing key, and signature operations are done in a secure signature creation device - a hardware security module (HSM) on the server end.
Qualified Signature or Seal Creation Devices (QSCD) are required under eIDAS for issuing and using qualified certificates and seals. A Signature Activation Module (SAM), which is a component of the QSCD in the case of server signing, is required. A SAM must be Common Criteria (CC) certified based on the eIDAS Protection Profile (PP) EN 419 241-2 “QSCD for Server Signing” to meet the requirements of a QSCD.
Trust Service Providers play a pivotal role in maintaining trust in digital transactions for identities. In order to ensure that the environment for creating electronic signatures is reliable and used under the signatory's sole authority, they must implement certain management and administrative security procedures. The regulation also mandates the use of qualified electronic signature creation devices (QSCDs), which utilize software and hardware to ensure that users retain full control over their signing (private) keys.
Remote signing allows users complete mobility by enabling them to sign from any internet-connected device, including smartphones, computers, and tablets. It also provides an auditable trail of the signing process. It is particularly useful for remote collaboration, business transactions, legal agreements, contract signing, and other scenarios where document authenticity and integrity are essential.
