Qualified digital certificate explained

In the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a trust service provider which has government-issued qualifications. The certificate is designed to ensure the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data.[1]

Description

eIDAS defines several tiers of electronic signatures that can be used in conducting public sector and private transactions within and across the borders of EU member states. A qualified digital certificate, in addition to other specific services provided by a qualified trust service provider, is required to elevate the status of an electronic signature to that of being considered a qualified electronic signature. Using cryptography, the digital certificate, also known as a public key certificate, contains information to link it to its owner and the digital signature of the trust entity that verifies the authenticity of the content that has been signed.

According to eIDAS, to be considered a qualified digital certificate, the certificate must meet the requirements provided in Annex I of Regulation (EU) No 910/2014, including, but not limited to:[2]

Vision

The need for non-repudiation and authentication of electronic signatures was originally addressed in the Electronic Signatures Directive 1999/93/EC to help facilitate secure transactions, specifically those that occur across the borders of EU Member states. The eIDAS Regulation later replaced the Directive and defined the standards to be used in the creation of qualified digital certificates by trust service providers.

Role of a qualified trust service provider

A qualified digital certificate can only be issued by a qualified trust service provider that has received authorization from their member state's supervisory body to provide qualified trust services for creating qualified electronic signatures. The provider must be listed upon the EU Trust List; otherwise, they are not permitted to provide qualified digital certificates or other qualified trust services.The trust service provider is required to abide by the guidelines established under eIDAS for creating qualified digital certificate, which include:[3]

Legal implications of electronic signatures with qualified digital certificates

In court, a qualified electronic signature provided the highest level of probative value, which makes it difficult to refute its authorship. A qualified electronic signature, along with its qualified certificate is given the same consideration as a handwritten signature when used as evidence in legal proceedings. The validity of a qualified electronic signature that has been created with a qualified certificate must be accepted by other EU member states regardless of which member state the signature was produced in.[4]

Global perspective

In other parts of the world, similar concepts have been created to define standards for electronic signatures. In Switzerland, the digital signing standard ZertES has comparable standards that address the conformity and regulation of trust service providers who product digital certificates.[5]

In the United States, the NIST Digital Signature Standard[6] (DSS) does not provide a comparable standard for regulating qualified certificates that would address non-repudiation of a signatory's qualified certificate. An amendment to NIST DSS is currently being discussed that would be more in-line with how eIDAS and ZertES handle trusted services.[7] [8]

See also

Notes and References

  1. Web site: Turner. Dawn M.. What is a Qualified Digital Certificate for Electronic Signatures in eIDAS. 10 August 2016.
  2. Web site: The European Parliament and the Council of the European Union. REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. EUR-LEx. 10 August 2016.
  3. Web site: Turner. Dawn M.. Trust Service Providers According to eIDAS. Cryptomathic. 10 August 2016.
  4. Web site: What Are Qualified Electronic Signatures? Are They by Definition Better than Other Types of Electronic Signatures?. Time.Lex. 13 June 2016.
  5. Web site: Swiss Federal Council. Bundesgesetz über Zertifizierungsdienste im Bereich der elektronischen Signatur (Bundesgesetz über die elektronische Signatur, ZertES). The Portal of the Swiss Government. 10 August 2016.
  6. Web site: Information Technology Laboratory. FIPS PUB 186-4 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS). National Institute of Standards and Technology. 10 August 2016.
  7. Web site: Turner. Dawn M.. Is the NIST Digital Signature Standard DSS Legally Binding?. Cryptomathic. 11 August 2016.
  8. Web site: Turner. Dawn M.. Major Standards and Compliance of Digital Signatures - A Worldwide Consideration. Cryptomathic. 10 August 2016.