Not all signatures are the same
Unlike on paper, there are several ways to sign an on-line transaction. But they do not all benefit from the same level of security or have the same legal value. eIDAS provides a solution by defining three types of electronic signature.
The simple electronic signature
This is the one I use most often at the moment. For example, when I am asked to digitally tick a box in an on-line document. Or when I scan a document signed by hand. In this case, the ‘signature’ is attached to a file electronically, but there is no way of guaranteeing that the document has not been modified or of establishing the true identity of the person who signed.
The advanced electronic signature (AdES)
This second-level electronic signature must have the following four characteristics:
- be unambiguously linked to the signatory
- enable identification of the signatory
- be created by electronic signature creation data over which the signatory can be certain of keeping exclusive control
- be linked to data associated with the signature in such a way that any subsequent modification of the data can be detected.
Although it considerably raises the level of security, an advanced electronic signature cannot ensure optimal reliability. For example, because the identity verification and the production process and issuing of the signature certificate do not meet the most stringent requirements in terms of reliability.
The qualified electronic signature (QES)
Mainly intended for high-risk documents (life insurance or credit contract, element in a health dossier, etc.), the qualified electronic signature (QES) requires the highest levels of security. In legal terms, it is the equivalent of a manuscript signature.
And a QES recognized in one member state of the EU is recognised de facto in every other member state. It therefore facilitates the opening-up of the digital market throughout the European Union.
The QES binds the identity of the signatory to the signature with a qualified certificates issued by an accredited certification authority ("Qualified Certification Authority"). And the user’s signature key is managed by a Qualified electronic Signature Creation Device or QSCD. That device is responsible that:
- the signatory alone controls his personal key
- the signature creation data are unique, confidential and protected against counterfeiting.
Thanks to those additional measures, the qualified electronic signature is extremely reliable.
On 14.09.2018, itsme® has been recognised as Qualified Trust Service Provider.