Secure Signature Creation Device
   HOME

TheInfoList



Click Here for Items Related To - Secure Signature Creation Device
OR:
Secure Signature Creation Device on:   [Wikipedia]   [Google]   [Amazon]

A secure signature creation device (SSCD) is a specific type of computer hardware or software that is used in creating an
electronic signature An electronic signature, or e-signature, is data that is logically associated with other data and which is used by the signatory to sign the associated data. This type of signature has the same legal standing as a handwritten signature as long as i ...
. To be put into service as a secure signature creation device, the device must meet the rigorous requirements laid out under Annex II of Regulation (EU) No 910/2014 (eIDAS), where it is referred to as a qualified (electronic) signature creation device (QSCD). Using secure signature creation devices helps in facilitating online
business processes A business process, business method or business function is a collection of related, structured activities or tasks by people or equipment in which a specific sequence produces a service or product (serves a particular business goal) for a parti ...
that save time and money with transactions made within the
public In public relations and communication science, publics are groups of individual people, and the public (a.k.a. the general public) is the totality of such groupings. This is a different concept to the sociological concept of the ''Öffentlichk ...
and
private sector The private sector is the part of the economy, sometimes referred to as the citizen sector, which is owned by private groups, usually as a means of establishment for profit or non profit, rather than being owned by the government. Employment The ...
s.


Description

The minimum requirements that must be met to elevate an electronic signature creation device to the level of a secure signature creation device are provided in Annex II of eIDAS. Through appropriate procedural and technical means, the device must reasonably assure the confidentiality of the data used to create an electronic signature. It further must ensure that the data used to create an electronic signature is unique and only used once. Lastly it shall only allow a
qualified trust service provider A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. Trust service providers are q ...
or
certificate authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Thi ...
to create or manage a signatory’s
electronic signature An electronic signature, or e-signature, is data that is logically associated with other data and which is used by the signatory to sign the associated data. This type of signature has the same legal standing as a handwritten signature as long as i ...
data. To ensure security, signature creation data used by the SSCD to create an electronic signature must provide reasonable protection through current technology to prevent forgery or duplication of the signature. The creation data must remain under the sole control of its
signatory A signature (; from la, signare, "to sign") is a handwritten (and often stylized) depiction of someone's name, nickname, or even a simple "X" or other mark that a person writes on documents as a proof of identity and intent. The writer of a ...
to prevent unauthorized use. The SSCD itself is prohibited from altering the signature’s accompanying data. When a trust service provider or certificate authority places an SSCD into service, they must securely prepare the device according to Annex II of eIDAS in fully compliance to the following three conditions: # While in use or in storage, the SSCD must remain secure. # Further, a reactivation and deactivation of the SSCD must occur under secure conditions. # Any user activation data, include PIN codes be delivered separately from the SSCD after being prepared securely.


International security assurance requirements for SSCDs

The secure signature creation device must also meet the international standard for computer security certification, referred to as the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). This standard gives computer system users the ability to specify security requirements via Protection Profiles (PPs) for security functional requirements (SFRs) and security assurance requirements (SARs). The trust service provider or certificate authority is the required to implement the specified requirements and attest to their product’s security attributes. A third-party testing laboratory then evaluates the device to ensure that the level of security is as claimed by the provider.


Central authentication service

When a secure signature creation device is used as part of a central authentication service (CAS), it may act as a CAS server in multi-tier authentication scenarios. The CAS software protocol allows users to be authenticated when signing into a web application. The common scheme for a CAS protocol includes the client’s web browser, an application requesting authentication and the CAS server. When authentication is needed, the application will send a request to the CAS server. The server will then compare the user’s credentials against its database. If the information matches, the CAS will respond that the user has been authenticated.


Legal implications regarding secure signature creation devices

eIDAS has provided a tiered approach to determining the legal implications of electronic signatures. A signature that has been created with a secure signature creation device is considered to have the strongest
probative value Relevance, in the common law of evidence, is the tendency of a given item of evidence to prove or disprove one of the legal elements of the case, or to have probative value to make one of the elements of the case likelier or not. Probative is a te ...
. A document or message that has been signed with such a device is non-reputable, meaning the signatory cannot deny they are responsible for the creation of the signature. Regulation (EU) No 910/2014 (eIDAS) evolved from Directive 1999/93/EC, the
Electronic Signatures Directive The Electronic Signatures Directive 1999/93/EC was a European Union directive on the use of electronic signatures (e-signatures) in electronic contracts within the European Union (EU). It was repealed by the eIDAS regulation on 1 July 2016. ...
. The intent of the directive was to make EU Member States responsible for creating legislation that would allow for the creation of the European Union’s electronic signing system. The eIDAS
Regulation Regulation is the management of complex systems according to a set of rules and trends. In systems theory, these types of rules exist in various fields of biology and society, but the term has slightly different meanings according to context. Fo ...
required all Member States to follow its specifications for electronic signatures by its effective date of 1 July 2016.


References

{{Reflist


External links


www.iso.org/iso 22715:2006

www.eur-lex.europe.eu/eIDAS
Regulation Authentication methods Signature Computer law Cryptography standards