How identified signing can make a difference.
In this two-part blog series we provide an overview of the issues surrounding digitization, specifically the challenges of remote signatures and some of the options available to limit the risk of fraud and increase confidence in your signing process.
We previously explained the challenges around remote signatures for business-critical processes, and which options are available to ensure secure and identity-verified signing workflows. Two of these options are digital signatures and eID schemes.
Digital signing: high-assurance signatures from trusted authorities
A digital signature is a specific type of electronic signature; it is not just a visual mark on a PDF document, but a cryptographic operation that binds the signatory’s credentials – in the form of a digital certificate – with the document they are signing. Because a copy of the digital certificate is embedded into the electronic document that is being signed, anyone can verify the signature and identity data in the document, without the need for a separate audit trail.
Digital certificates are issued to individuals and organizations by publicly trusted certification authorities (CAs) – or qualified trust service providers (QTSPs) in the European Union – after these authorities have completed a standardized identity verification process. These digital certificates embed the identity details that were verified. They are only considered “trusted” if they are issued by an authority that is itself trusted. Public CAs and QTSPs such as Entrust follow strict guidelines and go through audits and certifications to earn and maintain the relevant accreditations and remain trusted.
The beauty of digital signatures on documents is that they not only embed verified identity details of the signatory but also provide tamper evidence. A digital signature binds a digital certificate to the exact content that is signed. A single change to the signed document, even to its metadata, will break the signature. Finally, most CAs and QTSPs also provide a timestamping service, to affix the exact date and time of a signature. This helps to ensure that the existence of a document and the signature cannot be denied.
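The checks described above (certificate issued by a trusted authority, signature bound to the exact content and metadata) can be modelled in a few lines. This is an added example, not Entrust code: real document signatures use X.509 certificates and standardized signature containers, whereas here the "certificate" is a constructed JSON record signed by a constructed CA key, and all names and sample data are assumptions.

```javascript
// Added example: simplified model of a certificate-backed document signature.
// Keys, names and the JSON "certificate" format are constructed for illustration.
const nodeCrypto = require('node:crypto');

const canon = (obj) => Buffer.from(JSON.stringify(obj)); // assumes stable key order
const newKey = () => nodeCrypto.generateKeyPairSync('ed25519');
const pem = (k) => k.export({ type: 'spki', format: 'pem' });

// The CA has verified the identity, then signs {subject, publicKey}.
function issueCertificate(caKey, subject, subjectPublicKey) {
  const body = { subject, publicKey: pem(subjectPublicKey) };
  const caSignature = nodeCrypto.sign(null, canon(body), caKey.privateKey).toString('base64');
  return { body, caSignature };
}

// The signature covers content AND metadata; the certificate travels with the document.
function signDocument(doc, signerKey, certificate) {
  const signature = nodeCrypto.sign(null, canon(doc), signerKey.privateKey).toString('base64');
  return { doc, certificate, signature };
}

// A verifier needs only the signed document and the public key of a CA it trusts.
function verifyDocument(signed, trustedCaPublicKey) {
  const { doc, certificate, signature } = signed;
  const certOk = nodeCrypto.verify(null, canon(certificate.body), trustedCaPublicKey,
    Buffer.from(certificate.caSignature, 'base64'));
  if (!certOk) return { valid: false, reason: 'certificate not issued by a trusted CA' };
  const signerPub = nodeCrypto.createPublicKey(certificate.body.publicKey);
  const sigOk = nodeCrypto.verify(null, canon(doc), signerPub, Buffer.from(signature, 'base64'));
  if (!sigOk) return { valid: false, reason: 'document changed after signing' };
  return { valid: true, signer: certificate.body.subject };
}

// Constructed sample data.
const ca = newKey();
const alice = newKey();
const cert = issueCertificate(ca, 'CN=Alice Example', alice.publicKey);
const signed = signDocument(
  { content: 'Loan agreement, amount 10000 EUR', metadata: { title: 'Loan' } }, alice, cert);

const original = verifyDocument(signed, ca.publicKey);
const metadataEdited = verifyDocument( // only the metadata differs from what was signed
  { ...signed, doc: { ...signed.doc, metadata: { title: 'Loan v2' } } }, ca.publicKey);
const otherIssuer = newKey(); // an issuer the verifier does not trust
const untrusted = verifyDocument(
  signDocument(signed.doc, alice, issueCertificate(otherIssuer, 'CN=Alice Example', alice.publicKey)),
  ca.publicKey);
console.log(original, metadataEdited, untrusted);
```

The verifier rejects the document both when a single metadata field changes and when the embedded certificate was not signed by the trusted CA, without consulting any external audit trail.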
eIDs and the role of eIDAS in streamlining identity verification processes
eIDs are a growing alternative to identification services, whether provided by software or by a certification authority. An eID scheme consists of a database of verified identities of a specific population that enrolled in the scheme and went through an identity verification process. The most significant benefit of an eID scheme is that, once an eID is created, it can be reused for multiple use cases, which removes the need for further identity verifications.
To be recognized and accepted everywhere, eID schemes require strong standards and protocols to define, for example, how the identity is verified, how it is stored, how one requests access to some of this data, how a person consents to sharing their data, etc. This is why some regulations are emerging, and perhaps the most notable one is eIDAS.
If you are not familiar with eIDAS, it is the European Union’s regulation on the use of eID and electronic signatures across EU member countries, and it’s a global reference when it comes to eIDs and electronic signatures. eIDAS aims to encourage cross-border transactions by ensuring that all EU member countries have the same definition of electronic signatures – note the plural for signatures, because eIDAS doesn’t define one but three types of signatures based on the level of assurance they provide.
eIDAS was published in 2016, and since then all EU member countries have been relying on it for electronic signature standards. Because signatures are inherently linked to identity proving, eIDAS is also driving the deployment of eID schemes across industries and countries in the EU.
It’s worth knowing that there are “private” eID schemes, which are typically industry specific. For example, BankID is an eID scheme managed by a consortium of Scandinavian banks and recognized by governments. But more and more EU governments are also preparing or deploying their own national eID scheme, which allows citizens to enroll for a national eID that can be used to prove their identity online, and notably as part of a signing process.
Do you need help with deploying identified signing solutions?
Entrust is a publicly trusted CA and an EU qualified trust service provider. We have acquired strong expertise in high-assurance signatures and remote signing, and we are building a strong ecosystem around electronic and digital signing workflows. The acquisitions of Safelayer in 2016 and Evidos in 2022 are a testament to our commitment to providing best-in-class signing services. Learn more about our signing-related solutions here:
- Document Signing Certificates
- Digital Signing as a Service
- Electronic Signing from Evidos, an Entrust company