eduSign

eduSign compliance with eIDAS

This page explains how the Sunet e-signature service eduSign meets the compliance with eIDAS regulation requirements for an advanced electronic signature.

Background

The property "Advanced Electronic Signature" from the Electronic Signature Directive 1999, and later adopted by the eIDAS regulation is on of the three properties of a Qualified Electronic signature. See current definition in eIDAS:

    ‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;

This means that the advanced electronic signature is NOT another security level of signatures that is "less secure" than qualified signature. Rather, it is one of the three required properties of a qualified signature.

The requirements for an advanced electronic signature focus on the structure and the technology used to create the signature and in simple terms, it attempts to describe with legal terminology a moderna PKI based signature with the following common features:

  • It binds the whole signed document to the signer
  • The signer's identity can be verified through the signature
  • It is created by means that only the identified signature can use

In legal wordings, this is expressed in eIDAS article 26 as:

An advanced electronic signature shall meet the following requirements:

(a) it is uniquely linked to the signatory;

(b) it is capable of identifying the signatory;

(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and

(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

eduSign Compliance

eduSign complies with requirements a - d by the following means:

a) This is part of the standard PKI signature technology where the signer's identity and public key is certified by a Certification Authority (CA) and that key in turn proves that the signer's corresponding private key created the signature.

b) Through a), the signer identity carried in the certificate reveals the identity of the signer.

c) The private key that is linked to the signature certificate is never exposed to anyone outside of the well guarded signature service application. The signature creation data (being the private signing key) is created inside the signing service immediately before usage and is immediately erased after signature creation. This is more than enough to provide high level of confidence that no other person can access and abuse that signing key.

d) This is a standard feature of an electronic signature where it binds the signature data to a hash of the signed document that in turn binds the whole signed document to the signature. Any alterations of the signed document after signing will be detected.

  • No labels