In the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a trust service provider which has government-issued qualifications. The certificate is designed to ensure the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data.
Description
eIDAS defines several tiers of electronic signatures that can be used in conducting public sector and private transactions within and across the borders of EU member states. A qualified digital certificate, in addition to other specific services provided by a qualified trust service provider, is required to elevate the status of an electronic signature to that of a qualified electronic signature. Using cryptography, the digital certificate, also known as a public key certificate, contains information linking it to its owner, together with the digital signature of the trust entity, which verifies the authenticity of the content that has been signed.
According to eIDAS, to be considered a qualified digital certificate, the certificate must meet the requirements provided in Annex I of Regulation (EU) No 910/2014, including, but not limited to:
* Identification that the certificate is a qualified certificate for electronic signature
* Identification of the qualified trust service provider that issued the qualified certificate
* Corresponding electronic signature validation data and electronic signature creation data
* Indication of the certificate's period of validity
* Unique certificate identity code of the trust service provider
* Qualified trust service provider's advanced electronic signature or electronic seal
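The first item in the list above has a machine-readable form in X.509: the qcStatements extension (RFC 3739) carrying the ETSI EN 319 412-5 statements QcCompliance ("issued as a qualified certificate") and QcType ("for electronic signatures"). The Go check below is an added example, not code from the article or from any standard's reference implementation: the OIDs are quoted from those standards, the QcStatementsExtension builder and its inputs are constructed for the example, and a true result only means the certificate claims qualified status, so the issuer must still be verified against the EU Trust List.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
)
// OIDs from RFC 3739 and ETSI EN 319 412-5 (quoted from the standards, not from the page).
var (
	oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // id-pe-qcStatements extension
	oidQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}       // issued as a qualified certificate
	oidQcType       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}       // info: SEQUENCE OF purpose OIDs
	oidQcTypeEsign  = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1}    // purpose: electronic signature
)
// QCStatement ::= SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }
type QCStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}
// IsQualifiedForEsign takes cert.Extensions from x509.ParseCertificate and reports whether the
// certificate claims qualified status for electronic signatures (QcCompliance plus QcType esign).
func IsQualifiedForEsign(exts []pkix.Extension) bool {
	compliant, esign := false, false
	for _, ext := range exts {
		if !ext.Id.Equal(oidQcStatements) {
			continue
		}
		var stmts []QCStatement
		if rest, err := asn1.Unmarshal(ext.Value, &stmts); err != nil || len(rest) != 0 {
			return false // malformed qcStatements: trust none of its claims
		}
		for _, s := range stmts {
			compliant = compliant || s.ID.Equal(oidQcCompliance)
			var types []asn1.ObjectIdentifier
			if s.ID.Equal(oidQcType) {
				asn1.Unmarshal(s.Info.FullBytes, &types) // unparsable info leaves types empty
			}
			for _, t := range types {
				esign = esign || t.Equal(oidQcTypeEsign)
			}
		}
	}
	return compliant && esign
}
// QcStatementsExtension builds a constructed qcStatements extension (test input only).
func QcStatementsExtension(purposes ...asn1.ObjectIdentifier) pkix.Extension {
	info, _ := asn1.Marshal(purposes)
	stmts := []QCStatement{{ID: oidQcCompliance}, {ID: oidQcType, Info: asn1.RawValue{FullBytes: info}}}
	val, _ := asn1.Marshal(stmts)
	return pkix.Extension{Id: oidQcStatements, Value: val}
}
```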
Vision
The need for non-repudiation and authentication of electronic signatures was originally addressed in the Electronic Signatures Directive 1999/93/EC to help facilitate secure transactions, specifically those that occur across the borders of EU Member states. The eIDAS Regulation later replaced the Directive and defined the standards to be used in the creation of qualified digital certificates by trust service providers.
Role of a qualified trust service provider
A qualified digital certificate can only be issued by a qualified trust service provider that has received authorization from its member state's supervisory body to provide qualified trust services for creating qualified electronic signatures. The provider must be listed on the EU Trust List; otherwise, it is not permitted to provide qualified digital certificates or other qualified trust services.
The trust service provider is required to abide by the guidelines established under eIDAS for creating qualified digital certificates, which include:
* providing a valid date and time stamp of when the certificate was created,
* immediate revocation of any signature that has an expired certificate,
* providing appropriate training to all their employees who are involved with providing trust services,
* ensuring that any equipment or software used for trust services is trustworthy and capable of preventing certificates from being forged.
Legal implications of electronic signatures with qualified digital certificates
In court, a qualified electronic signature provides the highest level of probative value, which makes it difficult to refute its authorship. A qualified electronic signature, along with its qualified certificate, is given the same consideration as a handwritten signature when used as evidence in legal proceedings. The validity of a qualified electronic signature that has been created with a qualified certificate must be accepted by other EU member states regardless of which member state the signature was produced in.
Global perspective
In other parts of the world, similar concepts have been created to define standards for electronic signatures. In Switzerland, the digital signing standard ZertES has comparable standards that address the conformity and regulation of trust service providers who produce digital certificates.
In the United States, the NIST Digital Signature Standard (DSS) does not provide a comparable standard for regulating qualified certificates that would address non-repudiation of a signatory's qualified certificate. An amendment to NIST DSS is currently being discussed that would be more in line with how eIDAS and ZertES handle trusted services.
See also
* Qualified website authentication certificate