Top things to consider when choosing an advanced signature solution
What is an advanced signature?
ZealiD views the signature world from an eIDAS regulation and ETSI standards perspective. Signatures in the eIDAS sense are either advanced or qualified. Qualified signatures offer the highest security and must meet further requirements on certificate issuance and on the technology used for remote signature creation. eIDAS defines an advanced signature as one that is:
- uniquely linked to the signatory;
- capable of identifying the signatory;
- created using means that the signatory can maintain under their sole control; and
- linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
What does this really mean?
In simpler terms, a few things need to be met with a certain reliability: 1) the signatory's identity is verified at a robust level; 2) the signatory is the one actually performing the signing; 3) the document signed is the one the user is interacting with; and 4) there is a means of validating the integrity of the signed document.
What type of e-signature do you need?
Although eIDAS qualified signatures are always the most secure option, you may be considering advanced signatures. Recent developments in computing and smartphones make qualified signing as easy and affordable as the less secure advanced options. But three things (leaving price aside for now) should determine which e-signature type is used.
- Is there a legal requirement for a qualified e-signature, or is an advanced one enough?
In most cases, this is a simple assessment to make with the right compliance and legal advice. If the law requires a qualified signature, you have no choice but to use it. If the law requires at least an advanced signature, you are free to use either type.
- Does your risk assessment allow for an advanced signature?
Even where there is no legal requirement for an advanced or qualified signature, a proper risk assessment often leads regulated businesses to choose advanced or qualified. For example, if you have a digital agreement that represents a security worth 100K EUR, wouldn't it make sense to invest in an e-signature that cannot be effectively contested in court? For that, an advanced signature may not be strong enough.
- Does your use case allow for proper identity proofing of the signatory?
If you can choose between an advanced and a qualified signature, and assuming you have opted for a properly compliant eIDAS certificate-based signature, the third important factor is how much you are willing to ask of the signatory in terms of remote identification.
Some use cases simply cannot support proper identity verification processes because conversion becomes a major issue (below 30%). So perhaps the best advice there is to live with poor signatures and the litigation that follows from them. In e-commerce, where the risk lies with the payment service provider, there is no need for identity proofing to higher levels.
But for most regulated industries, identifying the user to an advanced level (certificate-based) means proper identification.
So what does a good advanced signature look like?
The best advanced signatures are those based on eIDAS certificates. But because "advanced" can cover everything from ad hoc blockchain solutions to certified solutions, it is best to choose one based on qualified certificates (full disclosure: ZealiD uses only qualified certificates). The advantages of qualified-certificate-based advanced signatures are:
- Regulatory supervision, including liability, is placed only on qualified trust service providers
- Qualified certificates need to meet strict organizational, procedural, hardware and regulatory global standards (e.g. ETSI 319401)
- A guarantee that the information security environment meets strict personal data protection requirements (GDPR)
- An accepted global validation standard built in via the EU trusted list and PAdES documents (supported by e.g. Adobe)
- The identity proofing behind qualified certificates is regulated, so you need not risk-assess the compliance of an advanced signature's identity proofing process yourself. Qualified certificates must follow state-of-the-art EU legislation on remote identification.
- If your qualified trust service provider supports a qualified remote signature creation device, you will get some of the most secure and highest quality advanced signatures around (full disclosure: ZealiD is certified for qualified remote signing via smartphone)