What is a digital certificate when it comes to QES?
Right now, there is a lot of talk about digital certificates. It took me a long time to figure out what they are, how they are used, and why they are important. However, understanding certificates is key if you want to make the right decisions about document signing and remote identification. In this article, I will present a simplified explanation of digital certificates.
What is a digital certificate and why should I care?
Digital certificates are of vital importance in the online world. This is because they facilitate online signatures, sign-in/authentication and registration processes by verifying the identity of the user.
Therefore, most types of secure online transactions, whether they are between humans, machines, or a combination of both, will rely on certificates to carry these expressions of identity.
To understand digital certificates, you first need to understand two fundamental things:
- On the internet, the ability to exchange confidential, encrypted messages, so that only the designated senders and receivers can write and read them, is incredibly important.
- For encryption to work, a trust framework is required. This enables a sender to encrypt a message so that only its designated receivers can decrypt it. Trust frameworks need to be based on accepted technologies that, ideally, are supported by global standards and legislation.
What is the most important trust framework?
The most important such framework is Public Key Infrastructure (PKI). With a PKI, the sender of a message (let’s call her Alice) can encrypt her message using a private cryptographic key that is unique to her. In practice, the person will have access to software on a device (smartphone, code generator) that performs this encryption for her.
This means that, if Alice sends the encrypted message, such as a signed document, to a receiving party (let’s call it Bob’s Company), Bob can decrypt the message using another key. This key is known as “Alice’s public key”, and it is the only key that can unlock Alice’s message. The private and public keys are mathematically paired and, therefore, all parties can be sure that no other key can be used to read this encrypted message.
So where does the certificate come into the picture?
The certificate is the electronic and legal mechanism that links Alice’s (private and public) key pair to her natural person’s identity. So when Bob wants to communicate with Alice, he just needs to find the certificate that contains Alice’s public key.
Verifying that the certificate is based on correct information
The trust framework defines roles and, more specifically, the many requirements that enable trust. Perhaps the most important role is that of the issuer of the digital certificate. All parties (including Alice and Bob) need to trust that the issuer of Alice’s certificate has performed two very important duties:
- Properly verified Alice’s identity, so that there is no doubt that she is the very Alice that Bob wants to communicate with,
- Provided a secure way of generating signatures from the certificate, i.e. safeguarded the technical access to Alice’s private key.
So, in very simple terms, Alice’s digital identity has a very different shape and form than in the physical world. It can be called a certificate because it connects her natural person’s identity to a technical system, which enables secret communication and signing between Alice and whoever wants to interact with her.
Digital processes are the way forward for those who wish to remotely perform secure activities - such as the signing of documents, registration processes, and more. Confirming a natural person’s identity is an important part of these online processes, and digital certificates (that are legally recognized) are key to that.