An electronic signature is a way of signing an electronic document, most often a PDF file. With a well-designed solution, it is easy for anyone to get secure information about who has signed the document and how. The EU regulation eIDAS defines rules for electronic signatures and their different trust levels.
An electronic signature is not the same thing as a digital signature – a digital signature is a cryptographic mechanism often used to implement electronic signatures, but an electronic signature can also be as simple as a scanned handwritten signature that is entered into an electronic document.
A digital signature is made with the user’s private key, and holds information such as who signed and when. The digital signature can be made locally in the end user’s device, using a PKI card or virtual smart card, for example. It can also be made centrally, in a so-called trusted service.
How remote signatures work
When the digital signature is made centrally, it is called a remote signature. The trusted service manages the signing keys very securely, so that the only thing the users need to do is authenticate themselves to the service, just like they do with any other online service.
One major advantage of remote signatures is that they provide a great deal of flexibility in which authentication method is used. Since the signature is made centrally, authentication can be made with a nation-wide eID such as Swedish BankID, Danish NemID or Indian Aadhaar eKYC, with an existing login system that the organization has, or with some other authentication method. This means that any device – such as a tablet, computer or mobile phone – can be used, while a traditional digital signature is often limited to a particular device.
How digitally signed documents are verified
The most common format for a digitally signed document is a PDF file. Applications such as Adobe Acrobat Reader can verify digital signatures, and anyone can see who signed, when, the authentication method used, and other secure information contained in the signing certificate. This information can be used if disputes about the signature occur later.
Some digital signing service providers also have verification services where you can upload and verify signed documents.
In the case of a dispute, information from the digitally signed document would be used along with other evidence, such as testimonies. In the case of handwritten signatures, there would be no such information, and it is therefore common that more emphasis is placed on other evidence should the dispute end up in court. Therefore, a so-called advanced digital signature (see below) may provide even better support than a handwritten signature.
What eIDAS says
The EU regulation on electronic identification and trust services for electronic transactions in the internal market, eIDAS, was adopted in 2014. It consists of two parts that deal with:
- Electronic identification.
- Trusted services, primarily for electronic signatures.
The idea is that eIDAS should provide rigorous definitions of how to address these fields throughout the EU.
The part of eIDAS that deals with electronic identification regulates cross-border authentication, such as when a citizen from Spain wants to log into a Swedish e-service. eIDAS also specifies different trust levels of identification depending on what security level the e-service wants to achieve. The trust level is primarily determined by how the authentication process is managed and how the identity is issued. The levels can be classified in different ways, but common terms are “low”, “substantial” or “high.” Sometimes, the ISO/IEC 29115:2013 standard and its four levels of assurance (LoAs) are also used.
The part of eIDAS that deals with trusted services, primarily electronic signatures, defines trust levels for electronic signatures in terms of “standard,” “advanced” or “qualified,” where the “standard” has the lowest trust level and “qualified” the highest. It also contains rules for how the different trust levels are to be viewed legally throughout the EU.
The “standard” trust level has very low requirements and a low legal standing, and includes signatures such as scanned handwritten signatures that are entered into an electronic document.
The “advanced” trust level requires that:
- There is a unique identifier and link to the person signing.
- The signature key only be accessed by this person and no one else.
- It is possible to prove that the document has not been modified after signing.
A signature at the “advanced” level is in most cases sufficient, since such a signature guarantees that you know who has signed and when, and that the document has not been altered.
According to eIDAS, the trust level “qualified” explicitly has the same legal standing throughout the EU as a handwritten signature, but there is currently no requirement for “qualified” signatures to be used. However, such requirements could arise in future implementations of cross-border services or collaborations.