In the context of Regulation (EU) No 910/2014 (

eIDAS eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014 ...

), a qualified digital certificate is a

public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...

issued by a

trust service provider A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. Trust service providers are q ...

which has government-issued qualifications. The certificate is designed to ensure the

authenticity Authenticity or authentic may refer to: * Authentication, the act of confirming the truth of an attribute Arts and entertainment * Authenticity in art, ways in which a work of art or an artistic performance may be considered authentic Music * ...

and

data integrity Data integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire life-cycle and is a critical aspect to the design, implementation, and usage of any system that stores, processes, or retrieves data. The ter ...

of an electronic signature and its accompanying message and/or attached data.

Description

eIDAS defines several tiers of

electronic signature An electronic signature, or e-signature, is data that is logically associated with other data and which is used by the signatory to sign the associated data. This type of signature has the same legal standing as a handwritten signature as long as ...

s that can be used in conducting public sector and private transactions within and across the borders of

EU member states The European Union (EU) is a supranational political and economic union of member states that are located primarily in Europe. The union has a total area of and an estimated total population of about 447million. The EU has often been de ...

. A qualified digital certificate, in addition to other specific services provided by a qualified trust service provider, is required to elevate the status of an electronic signature to that of being considered a qualified electronic signature. Using

cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...

, the digital certificate, also known as a public key certificate, contains information to link it to its owner and the

digital signature A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...

of the trust entity that verifies the authenticity of the content that has been signed. According to eIDAS, to be considered a qualified digital certificate, the certificate must meet the requirements provided in Annex I of Regulation (EU) No 910/2014, including, but not limited to: * Identification that the certificate is a qualified certificate for electronic signature * Identification of the qualified trust service provider who issued the qualified certificate, including such information * Corresponding electronic signature validation data and electronic signature creation data * Indication of the certificate's period of validity * Unique certificate identity code of the trust service provider * Qualified trust service provider's

advanced electronic signature An advanced electronic signature (AdES) is an electronic signature that has met the requirements set forth under EU Regulation No 910/2014 ( eIDAS-regulation) on electronic identification and trust services for electronic transactions in the Eur ...

or electronic

seal Seal may refer to any of the following: Common uses * Pinniped, a diverse group of semi-aquatic marine mammals, many of which are commonly called seals, particularly: ** Earless seal, or "true seal" ** Fur seal * Seal (emblem), a device to impr ...

Vision

The need for

non-repudiation Non-repudiation refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged ...

and authentication of electronic signatures was originally addressed in the Electronic Signatures Directive 1999/93/EC to help facilitate secure transactions, specifically those that occur across the borders of EU Member states. The

Regulation later replaced the Directive and defined the standards to be used in the creation of qualified digital certificates by

Role of a qualified trust service provider

A qualified digital certificate can only be issued by a qualified

that has received authorization from their member state's supervisory body to provide qualified trust services for creating qualified electronic signatures. The provider must be listed upon the EU Trust List; otherwise, they are not permitted to provide qualified digital certificates or other qualified trust services. The trust service provider is required to abide by the guidelines established under eIDAS for creating qualified digital certificate, which include: * Providing a valid date and time stamp of when the certificate was created, * immediate revocation of any signature that has an expired certificate, * providing appropriate training to all their employees who are involved with providing trust services, * any equipment or software that is used for trust services must be trustworthy and capable of preventing certificates from being forged.

Legal implications of electronic signatures with qualified digital certificates

In court, a qualified electronic signature provided the highest level of probative value, which makes it difficult to refute its

authorship An author is the writer of a book, article, play, mostly written work. A broader definition of the word "author" states: "''An author is "the person who originated or gave existence to anything" and whose authorship determines responsibility f ...

. A qualified electronic signature, along with its qualified certificate is given the same consideration as a handwritten signature when used as evidence in legal proceedings. The validity of a qualified electronic signature that has been created with a qualified certificate must be accepted by other EU member states regardless of which member state the signature was produced in.

Global perspective

In other parts of the world, similar concepts have been created to define standards for electronic signatures. In Switzerland, the digital signing standard ZertES has comparable standards that address the conformity and regulation of trust service providers who product digital certificates. In the United States, the

NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sc ...

Digital Signature Standard (DSS) does not provide a comparable standard for regulating qualified certificates that would address non-repudiation of a signatory's qualified certificate. An amendment to NIST DSS is currently being discussed that would be more in-line with how eIDAS and ZertES handle trusted services.

References