We have come a long way in the digital transformation journey. In little over a decade, identification and authentication solutions, paired with mobile phones and tablets now allow us to do many things on the move, including major purchases and other types of transactions that used to require physical presence and the formal signing of documents. Nevertheless, isolated pockets remain where an old fashion hand signature is still required, particularly for transactions needing legal recognition, and those conducted across borders. However, this is also changing, and in the European Union (EU), remote qualified signing is enabling more transactions than ever before.

In this blog, I examine how the evolving EU regulation on electronic identification and trust services (eIDAS) is establishing the model for legally binding cross-border transactions, not only in Europe, but also across the globe. I will also explain the concept of the root of trust, and describe why using certified hardware security modules (HSMs) is vital for organizations that serve the critical role of trust service providers (TSPs).

The eIDAS ecosystem and the role of TSPs

Let’s start with a quick background. The eIDAS regulation (EU 910/2014) came into effect in 2016 to establish a framework for electronic transactions, with the objective of enabling legally binding cross-border business throughout the EU. While electronic signatures were recognized as legally binding in some EU member states prior to eIDAS, lack of consistency deterred cross-border online business. In an effort to solve this challenge, eIDAS established the concept of qualified electronic signatures, offering strong validation and non-repudiation, and carrying the same legal status as their hand written equivalent.

To manage the delivery of signature services to users, state regulated TSPs issue the digital certificates, seals, and timestamps needed to ensure the integrity of the digital services offer to end-customers, and enable the protection of electronic transactions. Before eIDAS, the operation of signing services by TSPs was not standardized, and therefore there was no consistent way for users to securely authenticate and remotely control the signing process. To give users sole control of the remote signing process, eIDAS now requires TSPs to use remote qualified electronic signature and seal creation devices (QSCDs) in their cloud signing services. What does this all mean for TSPs? It means that, whether state-run or private, the use of QSCDs employing strong cryptography, is required to secure the services they offer, so users can confidently put their trust in them.

Why TSPs need a root of trust?

As more users remotely sign documents for business transactions from connected desktops, tablets, and mobile phones we all now carry, protecting private signing keys is critical. Signing keys underpin the security of the signing process and therefore must be given robust protection to ensure the trustworthiness of the service. To establish this root of trust, certified HSMs, deployed by TSPs on-premises or as a service, are required. HSMs are specialized platforms designed to safeguard and manage critical signing and encryption keys on behalf of applications such as signing services.

To add further security and ensure that remote signers are always in control of the signing process, the eIDAS regulation introduced the signature activation module (SAM). The use of a SAM, together with a certified HSM delivers the QSCD needed by TSPs to provide cloud signing services. The use of the SAM as a component of a certified remote QSCD will be a mandatory requirement with a new eIDAS implementation act. The future eIDAS implementation act is expected to also require the QSCD to be fully Common Criteria certified. TSPs currently offering or looking to offer customers cloud signing services, can easily enhance their offering, without changing the end-user application by adding the remote QSCD that includes a certified HSM with a SAM.

Cloud Signing Service

SAM and certified HSM delivers QSCD needed by TSPs to provide cloud signing services.

Way forward

With explosive growth in electronic commerce, the eIDAS framework has shown scaling challenges. To fulfill growing demand, a second generation of the regulation, often referred to as eIDAS2, is expected to make additional changes, including the expansion of TSP services beyond public agencies to private corporations, reinforcing data privacy, and strengthening national electronic identification frameworks. Common Criterial certification will also become a mandatory requirement for QSCDs.

With the launch of the Common Criteria EAL4+ certified Entrust Remote QSCD, Entrust is enabling TSPs and signing system integrators (SIs) to offer eIDAS certified remote signing services, compliant with the current eIDAS regulation and in line with future security requirements. The Entrust Remote QSCD combines the Entrust SAM with the Entrust nShield® Connect XC or Solo XC HSMs to establish the root of trust needed for a highly secure and future-proof remote signature and seal services.

Unlike other solutions in the market, the Entrust SAM runs separately from the nShield HSM. Hosted in a tamper-evident environment, the Entrust SAM verifies and authorizes the signing process for all signature requests, before they are sent to the Entrust nShield HSM to retrieve the key and execute the signature. The design approach enables the Entrust SAM, together with the nShield HSM, to achieve superior performance, scalability, and ease of integration with external user authorization systems.

Offering a one-stop shop for eIDAS certified products and as a service option, Entrust helps TSPs to reduce capital investments and deploy compliant and future-proof services to serve the growing remote signature market. Visit Entrust to learn more.