The digital signature – your electronic signature

In times of digital transition, the whole world is relying on electronic formats, from emails to electronic invoices and beyond. Thanks to the digital signature and the eIDAS Regulation, which has applied since 1 July 2016, we now have the tools to sign documents, emails and other digital communications in a way that holds up legally.

If you’re interested, the following article summarises the basic problem and how digital signatures address and ultimately solve it. What is described here at length is something that, in everyday work, takes no special effort and just a few mouse clicks. Making an electronic signature is easier than reaching for a pen.

To put it concisely: which challenges are solved by a digital signature?

One of the biggest challenges in the digital world is that, in most cases, the people involved do not know each other, at least not in the sense of two people meeting in person to reach an agreement, e.g. to sign a contract and create facts. You might “know” each other online from a Skype session or an email conversation. The latter in particular can be falsified without much effort (mail spoofing): the sender address and the signature block at the end of an email are plain text that anyone can type. Unfortunately, this is usually neither apparent nor immediately obvious. The good news is that the Internet has come up with a remedy, namely digital signatures. With signed emails or documents carrying digital signatures, a forged sender or an altered message becomes immediately apparent when the signature is checked.

Digital signatures in use - Illustration

Digital signatures make it possible – your electronic signature

However, just because something is displayed on your screen, in this case a digital signature, does not necessarily mean that it is genuine. Whether it is has to be checked, and how that check works is what the rest of this article is about.

Definition: What is a digital/electronic signature?

An electronic or digital signature is the counterpart of a handwritten signature. In principle, there are three different types of electronic signature, each meeting different requirements. See also: Types of digital/electronic signature – eIDAS Regulation.

This raises the question of where trust in a digital signature comes from. After all, on screen the signature is just something that is displayed.

Digital signatures ensure the integrity and authorship of a document

  • How can you guarantee that an email is still the same as when it was sent and has not been altered in transit? This is the integrity of the original message, and a digital signature covers it.
  • How can you guarantee that an email was actually sent by the person it claims to come from? A signature block typed into the email and the sender’s email address are certainly not enough on their own; both are plain text that anyone can forge. Only a digital signature provides certainty here. This is the authorship (authenticity) of the original message.

In short: an application (an email client, a PDF viewer, etc.) cannot answer questions about the authorship and integrity of a document by itself. A digital signature, checked against a valid certificate, is what gives it verifiable answers to both questions.

How do digital signatures work?

  • Just as certain authorities issue and check identity documents in the physical world, certain organisations and procedures in the digital world issue and check the digital certificates with which digital signatures are created.
  • In the digital world, these institutions are known as Certificate Authorities (CAs) and Trust Service Providers (TSPs).

If you want to acquire an electronic signature, you need to turn to one of the Trust Service Providers just mentioned. The first step at such a provider is usually identity verification, for instance via video identification, in which your identity is confirmed before a certificate is issued. Identity proofing of this strength is what a qualified electronic signature requires.

The result of this process is a digital certificate (a qualified certificate, if the identification was carried out to the qualified standard) with which advanced or qualified electronic signatures can be created. The following information can be found in such a digital certificate:

The digital certificate - Illustration

The digital end-entity certificate – almost like your identity card

All the information required to confirm your identity is on the certificate: your name (the subject), the issuer, the validity period, a serial number and your public key. The authenticity of the certificate itself is confirmed by the signature of the issuer, the certificate authority (CA) or Trust Service Provider. In this respect, the digital certificate you use to create your digital signature can be compared to your ID card, with one difference: the certificate is public and may be handed out freely, whereas the private key that belongs to it must never be.

The advanced digital signature in practice

Before a certificate can be issued, a pair of keys is generated, one public and one private. The certificate binds the public key to your identity; the private key stays with you, on a smart card, in your signature software or, in the case of remote signing, in the TSP’s secure signing service.

  • The public key is embedded in the digital certificate and may be given to anyone.
  • The private key must be kept strictly confidential. It is used to create the digital signature, i.e. to make your “signature”.

This pair of keys is the core of an asymmetric cryptosystem. Anything encrypted with your public key can only be decrypted with your private key, and anything you sign with your private key can be verified with your public key, which anyone can take from your certificate. A signature can therefore be checked by anyone, but created only by the holder of the private key.

Schematic process of signing and verification

  • In the first step, the checksum (hash) of the document, email, etc. is computed with a cryptographic hash function such as SHA-256.
  • In the second step, the hash is signed with the private key. For RSA this is often described loosely as “encrypting” the hash; strictly speaking, signing is its own operation, and with other schemes such as ECDSA the “encryption” picture does not apply at all.

  • On the recipient’s side, the signature is checked with the signer’s public key, which in the loose RSA picture “decrypts” the hash.
  • If this succeeds, the signature was made with the private key belonging to that public key, which establishes authorship.
  • The recipient then recomputes the hash of the received document, email, etc. and compares it with the hash carried in the signature.
  • If both hash values are identical, the content has not been changed since it was signed. This proves the integrity of the transmitted content. If either check fails, the application must treat the signature as invalid, not merely as a warning.
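The signing and verification steps above as a runnable example in Go, using SHA-256 and RSA-PSS from the standard library. This is an added example, not code from the original article or from EASY SOFTWARE; the key pairs, the sample quotation and the names `signDocument`, `verifyDocument`, `Outcome` and `Demo` are assumptions of the example. It also runs the two failure cases a practitioner cares about: an altered document and a signature made with someone else’s private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument performs the signer's two steps from the text: hash the
// document with SHA-256, then sign that hash with the private key.
// RSA-PSS is used; it is the padding recommended for new RSA signatures.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyDocument performs the recipient's steps: recompute the hash of what
// was received and check the signature against it with the public key.
// Any change to the document, or a signature made with a different private
// key, makes the check fail.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome records the three checks that Demo runs.
type Outcome struct {
	Original bool // genuine document, genuine signature
	Tampered bool // document altered after signing
	WrongKey bool // signature made with someone else's private key
}

// Demo generates two key pairs (constructed for this example; in practice the
// signer's key would belong to a certificate), signs a sample document with
// the first one and runs the three verifications.
func Demo() (Outcome, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}

	doc := []byte("Quotation Q-0001: 100 units at 10 EUR each") // constructed sample
	sig, err := signDocument(signer, doc)
	if err != nil {
		return Outcome{}, err
	}
	tampered := []byte("Quotation Q-0001: 100 units at 1 EUR each")
	forged, err := signDocument(impostor, doc)
	if err != nil {
		return Outcome{}, err
	}

	pub := &signer.PublicKey // what the recipient takes from the signer's certificate
	return Outcome{
		Original: verifyDocument(pub, doc, sig),      // true: hashes match, key matches
		Tampered: verifyDocument(pub, tampered, sig), // false: recomputed hash differs
		WrongKey: verifyDocument(pub, doc, forged),   // false: not the signer's private key
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original=%v tampered=%v wrongkey=%v\n", out.Original, out.Tampered, out.WrongKey)
}
```

Note that the recipient never needs the signer’s private key and never “decrypts the document”: the verification only recomputes the hash of what was received and checks the signature against it.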

More information about hash values and asymmetric cryptography can be found here, and also in audiovisual form (the latter explains the mathematical background of RSA encryption).

Digital signatures/certificates and the chain of trust

What has not been covered so far is the validity of the “ID documents”, i.e. of the digital certificates themselves. And of course the “verifier” of a digital signature is not a person as in the picture above; this is where the so-called chain of trust comes in. With it, digital certificates and thus digital signatures can be checked for validity. The end-entity certificate, the intermediate certificate and the root certificate are linked by digital signatures: the end-entity certificate is valid because it is signed by the intermediate CA and that signature can be verified with the intermediate’s public key; the intermediate certificate is valid because its signature can be verified with the public key of the root certificate. The root certificate is self-signed, so its own signature proves nothing; it is trusted because it is held in the verifier’s trust store. Intermediate and root certificates belong to the “identification authorities”, i.e. the CAs and TSPs.

Chain of trust – digital signatures

Digital signatures: Functionality using a practical example

Say, for example, you receive a digitally signed document from a colleague. How can you make sure that the document was actually signed by that colleague?

  • Open the document with the appropriate application. A routine in the application looks at the signer’s certificate, reads the name and the digital signature of the issuing CA (the trust service) and determines whether the certificate is valid. What is this information compared with?
  • Two options. First, with the contents of the so-called trust store on your computer, which contains the certificates of recognised certificate authorities, the trust services; the trust store is supplied either by the operating system or by the application itself. If the lookup succeeds, the application finds the issuing CA’s certificate there, including its public key, and with it the signer’s certificate can be checked for validity and authenticity. Second, the validation service of the Trust Service Provider’s public key infrastructure (PKI) can be queried via the Online Certificate Status Protocol (OCSP) or the Server-based Certificate Validation Protocol (SCVP). The chain check alone does not reveal a certificate that has been revoked, for example after a lost smart card; that is what a CRL or OCSP lookup adds.

Public Key Infrastructure (PKI)

A public key infrastructure (PKI) is one of the central components of asymmetric cryptography in practice: it issues, manages, distributes, revokes and verifies digital certificates. Common PKI elements are a Certificate Authority (CA), a Registration Authority (RA), a Certificate Revocation List (CRL), a directory service and a validation service.

  • Once the authenticity of the certificate has been verified, your colleague’s public key, which is contained in their certificate, is used to check the signature on the document: the signature is “decrypted” to recover the hash your colleague signed, and that hash is compared with the hash of the document as received. If they match, the document is unaltered and was signed with your colleague’s private key. Only when both the certificate chain and the signature check succeed should the document be treated as genuinely signed by your colleague.
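The chain-of-trust check and the practical example above, as one added example in Go using only the standard library (this is not the article’s or EASY SOFTWARE’s code). It constructs a root, an intermediate and an end-entity certificate for a colleague, a trust store that holds only the root, and an impostor certificate with the same name issued by a rogue root that the trust store does not contain; it then verifies a document signature with the colleague’s certificate. All names, serial numbers, the sample contract and the functions `issue`, `chainIsValid`, `signatureIsValid` and `Demo` are assumptions of the example. It covers the chain and signature checks, not revocation (CRL/OCSP), which needs the TSP’s validation service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must stops the program on errors that would be bugs, not verification results.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn and returns it with its private key. It is
// signed by the parent key, or self-signed (a root) when parentCert is nil.
// Names and serial numbers are constructed for this example and belong to no real CA.
func issue(cn string, serial int64, isCA bool, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign other certificates
	}
	issuerCert, issuerKey := tmpl, key // self-signed unless a parent is given
	if parentCert != nil {
		issuerCert, issuerKey = parentCert, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// chainIsValid is the application's "subroutine" from the text: starting at the
// end-entity certificate it follows the issuer signatures through the intermediates
// to a root held in the trust store, checking validity periods and CA flags on the way.
func chainIsValid(leaf *x509.Certificate, intermediates []*x509.Certificate, trustStore *x509.CertPool) bool {
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         trustStore,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// signatureIsValid checks the document signature with the public key carried in
// the signer's certificate (ECDSA over SHA-256): the text's final step.
func signatureIsValid(signer *x509.Certificate, doc, sig []byte) bool {
	return signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig) == nil
}

type Result struct {
	ChainOK      bool // colleague's certificate chains to the trusted root
	RogueChainOK bool // same name, but issued by a root the trust store lacks
	SignatureOK  bool // signature over the received document verifies
}

// Demo builds root -> intermediate -> colleague, plus a rogue root with an
// impostor certificate carrying the same name, and runs both verification steps.
func Demo() Result {
	rootCert, rootKey := issue("Example Root CA", 1, true, nil, nil)
	interCert, interKey := issue("Example Issuing CA", 2, true, rootCert, rootKey)
	colleagueCert, colleagueKey := issue("A. Colleague", 3, false, interCert, interKey)
	rogueCert, rogueKey := issue("Rogue Root CA", 4, true, nil, nil)
	impostorCert, _ := issue("A. Colleague", 5, false, rogueCert, rogueKey)
	trustStore := x509.NewCertPool() // stands in for the OS or application trust store
	trustStore.AddCert(rootCert)     // only the genuine root is trusted
	doc := []byte("Contract C-42: delivery by 31 March") // constructed sample
	digest := sha256.Sum256(doc)
	sig := must(ecdsa.SignASN1(rand.Reader, colleagueKey, digest[:]))

	return Result{
		ChainOK:      chainIsValid(colleagueCert, []*x509.Certificate{interCert}, trustStore),
		RogueChainOK: chainIsValid(impostorCert, nil, trustStore),
		SignatureOK:  signatureIsValid(colleagueCert, doc, sig),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The impostor certificate carries exactly the same name as the colleague’s, and its signature would verify perfectly with its own public key; it is rejected only because its issuer does not lead to a root in the trust store. That is the point of the chain of trust: a name in a certificate means nothing until the chain behind it has been checked.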

And that, in rough outline, is how digital signatures work for signing documents electronically.

Legal background: the eIDAS Regulation and the electronic signature

The challenges of digital signatures from a legal perspective have been known for some time, and the law has responded. EU Regulation No. 910/2014, the “eIDAS Regulation” (electronic IDentification, Authentication and trust Services), has applied since 1 July 2016. As a regulation it is directly applicable in all EU Member States, without national implementing legislation, and takes precedence over any conflicting national law. It replaced Directive 1999/93/EC on electronic signatures. The eIDAS Regulation thus provides a uniform legal basis for digital signatures and redefined electronic “trust services” across the EU. The eIDAS map gives you an overview of the Trust Service Providers in the EU.

Although the term “electronic signature” is used in this context, it is synonymous with “digital signature” at least in everyday language. Strictly, the term electronic signature comes from the legal domain, i.e. from the eIDAS Regulation and its predecessors, where the requirements are described in a technology-neutral way, whereas “digital signature” describes a concrete cryptographic procedure. The eIDAS Regulation ensures that every type of electronic signature can be admitted as evidence in EU courts: the legal effect of an electronic signature may not be denied solely because it is in electronic form (Article 25(1)). And: “A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.” (Article 25(2))

The three forms of digital signatures

Let us first get an overview of the three common forms of digital signature, which the eIDAS Regulation calls electronic signatures.

Disclaimer: no legal advice is given here; the aim is only to raise awareness of the overall situation.

Simple electronic signature (SES)

The name says it all: this is the simplest type of electronic signature. “Simple” here means that it does not have to meet any strict statutory requirements as to form or content. Its purpose is to indicate the author of a communication or message, and it does so by data in electronic form being attached to, or logically associated with, an electronic document and used by the signatory to sign.

Examples of uses of simple electronic signatures

A scanned signature added at the bottom of a document is a good example of a simple electronic signature, as is the name typed at the end of an email. Simple electronic signatures are suitable for correspondence within a company and for agreements that are not subject to any formal requirement. In practice, this means internal documents such as purchase requisitions, business-trip arrangements, records and documentation.


Advanced electronic signature (AdES)

Here we arrive at cryptographic digital signatures proper: an advanced electronic signature must comply with stricter specifications. According to Article 26 of the eIDAS Regulation, an advanced electronic signature must meet four requirements:

  • it is uniquely linked to the signatory
  • it is capable of identifying the signatory
  • it is created using electronic signature creation data (in practice, the private key) that the signatory can, with a high level of confidence, use under their sole control
  • it is linked to the data signed with it in such a way that any subsequent change to the data is detectable


Examples of uses of advanced electronic signatures

An advanced electronic signature provides evidence that is easier to verify in the event of a dispute. Signatures of this kind are suitable for transactions entailing a moderate legal risk, e.g. B2B transactions such as contracts or quotations.


Qualified electronic signature (QES)

In the digital world, a qualified electronic signature is the equivalent of a handwritten signature. This type of digital signature makes it possible to verify the authorship of a document in the long term. “In electronic legal communication, qualified electronic signatures can be used wherever a handwritten signature is conventionally used.” A qualified electronic signature is an advanced electronic signature that meets two further conditions:

  • it fulfils the four requirements of an advanced electronic signature listed above: it is uniquely linked to the signatory, it can identify the signatory, it is created under the signatory’s sole control, and any subsequent change to the document is detectable
  • it is created with a qualified electronic signature creation device, i.e. hardware (such as a smart card) or a remote signing service that keeps the signature creation data confidential and usable by the signatory alone
  • it is based on a qualified certificate for electronic signatures, issued by a qualified Trust Service Provider after the identity verification described above


From experience: Examples of uses of qualified electronic signatures

Even where the law does not require a written signature, a qualified electronic signature can be used wherever the user/signatory wants to make a point of it, and in cases of doubt it serves as secure evidence that a declaration of intent was made.


Digital signatures – and practice in the ECM?

If you’ve made it this far, you’re clearly interested in the subject of digital signatures, and you’re not the only one. According to a 2017 study conducted by Convios Consulting and commissioned by 1und1, 74.9 % of respondents think email encryption, which is closely linked with digital signatures, is important. However, very few (16 %) actually use it in practice. We can only speculate about the reasons: for one thing, it’s a vast subject; for another, client programs don’t make it easy for users to lay the groundwork for signing and encrypting emails or other documents in the first place, regardless of whether X.509 certificates or PGP-based technologies (web-of-trust model) are involved.

We at EASY SOFTWARE have understood this, and we’re planning to offer digital signatures in the EASY ECM product range via an interface to Trust Service Providers. With just a few clicks of your mouse, you will have an electronic signature and a digitally signed document, perhaps a contract in EASY Contract, our contract management software.
