By Margus Pala, Co-founder, eID Easy

Validating the identity of the party signing a document is an essential part of every secure digital signature. At the same time, it is also one of the highest costs and one of the areas with the most friction. However, it does not have to be a ‘high friction’ task because a growing number of users now have some kind of reusable digital identity app (eID) on their phones.

After initial onboarding the eID based identity proofing is significantly easier and faster than biometric passport scanning and selfies. For example, the Estonian government has a “once-only principle”, which means that if you have given your data to the government once then the same data should not be asked again. Similarly, we should not do biometric passport scanning over and over again if we have done it once already. Standards like ETSI 119 461 and WebTrust for Registration Authorities allow using eID-s for identity proofing to issue certificates and it is already used actively for example in Nordics in use cases where risk tolerance is lower. Yet we are still seeing a huge percentage of electronic signatures made in non-interoperable ways where providers are using their own ways of writing the signer information to the PDF that is not automatically processable nor independently verifiable.eID-s can also help with international recognition. If you have your eID from your home country bank, then why not use the same eID to issue certificates from another country and regulation certificate authority. 

There are 200 countries in the world with each having their own regulations. There are regions like the EU, Mercosur (Mercosur is composed of six sovereign member states: Argentina, Bolivia, Brazil, Paraguay, Uruguay and Venezuela (suspended since December 2016); six associated states: Suriname, Guyana, Colombia, Ecuador, Peru and Chile; plus two observer states: Mexico and New Zealand and some others that are already mutually recognizing local Certificate Authorities from member states and many such proposals are in the works. If worldwide mutual recognition is achieved, then it is even more important to make sure that the single eID app that you have would be enough for signing any document no matter where in the world it originates.

If you would like to discuss this further, get in touch with Margus Pala, margus.pala@eideasy.com.

By Mads Henrikveen, Trust Service Manager, Buypass AS

Buypass has recently added support for both Advanced (AdES) and Qualified Electronic Signature (QES) in Buypass Cloud Signature Services (BCSS). BCSS is a set of signing services based on the Cloud Signature Consortium (CSC) framework.

Buypass has supported Advanced Electronic Signature (AdES) in Norway for many years. Utilizing the CSC framework, a new way of providing electronic signatures has emerged that is well suited for remote signatures according to the eIDAS Regulation and the upcoming European Digital Identity Wallet (EUDIW) framework.

The new BCSS Person Signing service is a flexible remote signing service using one-time signing keys and short-term certificates. The Signer authenticates and authorizes the use of the private signing keys by using already existing eID means.

The service is designed according to relevant ETSI/CEN-standards to be compliant with QES as defined in the eIDAS Regulation, resulting in electronic signatures legally equivalent to handwritten signatures all over Europe.

The illustration below shows the main actors (service providers) participating in the service:

The Trust Service Provider (TSP) issuing certificates (CA) and the SSASP are always Buypass. The SCASP may be any signing Customer/Partner of Buypass who provides signing services supporting either QES or AdES. The Identity Proofing Service Provider (IPSP) is a service provider implementing identity proofing using eID means according to ETSI TS 119 461 as a service.

The main benefit of using this service is:

• No need for User/Signer onboarding/enrolment (utilizing existing eID means)
• The signed contents are anonymous – Buypass has no knowledge of the contents
• Any data can be signed, only the hash (DTBS/R) is sent to Buypass
• The signature requestor (the SCASP) can request either Qualified or Advanced Electronic Signatures

Buypass accepts any eID means satisfying eIDAS LoA High or Substantial if they are notified at such assurance levels in EU or in a national scheme. This gives flexibility and makes the signing service interesting for Partners supporting signing of documents across Europe. No long-term relationship between Buypass and the Signer is necessary.

The BCSS Person Signing services has been designed such that Buypass never have access to the document to be signed (only the DTBS/R). The management of documents, user experience and the signature formats are for the signing Partner (the SCASP) to handle.

The illustration below shows the main flows between the actors in the in service:

The Signer contacts a service provider to sign a document (1). BCSS Person Signing service receives a representation of the data to be signed (2), and a request for user authentication (3). When the user has performed an authentication (4), Buypass will validate the authentication (5) and create a signing key (6), issue the signing certificate (7), and generate the signature (8 & 9).  All this will happen “under the bonnet”.  The signature and some metadata are returned to the signature requestor (10).  

The signature requestor will then package the signature as needed, typically PAdES, JAdES or similar. The signing certificate is issued by Buypass using a CA registered on the EU Trusted List and accepted by Adobe, thus resulting in full validation in Adobe Acrobat applications. 

The service is well positioned to be used in the eIDAS 2.0 ecosystem around the EUDIW. The service will be explored for this purpose in EUDIW Large Scale Pilots together with our Partners.

The BCSS Person Signing service has been assessed and approved by accredited auditors and the service has been granted qualified status from the national supervisory body.

We’d be delighted to discuss this new service, and opportunities for collaboration with our CSC colleagues. Reach out to Mads Henrikveen, mads.henriksveen@buypass.no, if you would like to know more.

By Bindi Li, Sales VP – Asia, Ascertia

MSC Trustgate, a prominent Certification Authority (CA) based in Malaysia, has been a trusted provider of Public Key Infrastructure (PKI) solutions since 1999. As one of the four CAs in Malaysia certified by the Malaysian Communications and Multimedia Commission (MCMC), MSC Trustgate has the capability to issue and manage digital certificates.

In 2021, the company began collaborating with Ascertia to integrate its services with the Cloud Signature Consortium’s innovative API. This integration facilitates the seamless connection of digital signature solutions with Trust Service Providers (TSPs). This case study delves into why MSC Trustgate selected Ascertia as their digital signing partner.

Rising demand for secure, compliant digital signatures

With Malaysia’s regulatory landscape evolving, the demand for legally recognised and secure digital signatures was on the rise. This change was largely driven by regulations mandating businesses to implement compliant, secure, and legally valid signing solutions.

Additionally, as more organisations shifted to digital workflows, clients increasingly sought digital signing tools that were reliable, secure, and user-friendly. MSC Trustgate recognised the need for a flexible, scalable solution that could meet the diverse requirements of both public and private sector clients while adhering to Malaysian legal frameworks and global standards, including eIDAS.

Key selection criteria: What MSC Trustgate needed in a signing solution

When evaluating digital signature solutions, MSC Trustgate focused on several critical factors. Top of the list was security, as the solution had to offer advanced encryption to ensure robust protection for digital signatures. Equally important was compliance with both local and international regulations to guarantee the solution met all necessary legal requirements.

Integration was another priority. MSC Trustgate needed a solution that could seamlessly integrate with existing systems to avoid disruption to ongoing business operations.

Additionally, a user-friendly interface was essential for encouraging quick adoption across different business sectors. Finally, the ability to receive reliable technical support and a scalable partnership to accommodate future growth were also decisive factors.

After carefully considering various options, MSC Trustgate chose Ascertia’s solution, which met all these criteria while offering a high level of security and ease of use.

The solution: Ascertia’s SigningHub and Cloud Signature Consortium’s API

MSC Trustgate selected Ascertia’s SigningHub along with the Cloud Signature Consortium’s API to address their digital signing needs.

Ascertia’s solution stands out for its seamless integration capabilities, enabling MSC Trustgate to easily connect their digital signature applications with trusted signing services. This collaboration ensures that MSC Trustgate can provide a secure, compliant, and user-friendly signing solution for their clients across multiple industries.

Lo Nyan Tjing, CEO of MSC Trustgate, shared the company’s satisfaction with the partnership:

“Our collaboration with Ascertia has empowered us to offer a secure, reliable, and user-friendly digital signing service. Ascertia’s focus on security and effortless integration has allowed us to deliver trusted digital signature solutions that fully comply with regulatory requirements, while remaining easy to use for our clients.”

Building trust through seamless integration

By partnering with Ascertia, MSC Trustgate has successfully enhanced its digital signing offerings, providing a solution that is secure, compliant, and easy to implement. For organisations looking to improve their digital trust services, Ascertia’s signing solutions offer a proven approach to ensuring secure, legally compliant digital transactions.

If you’re interested in how Ascertia’s digital signing solutions can help your business strengthen security and build greater trust, contact Bindi Li, bindi.li@ascertia.com, to find out more.

Tokyo, Japan – May 2024 – The Cloud Signature Consortium (CSC) is delighted to announce the election of new Executive Board members at its Annual General Meeting during the CSC Tokyo Summit.

We are proud to welcome Digidentity, represented by Marcel Wendt, and PrimeSign, represented by Thomas Rössler, as the newest members of our Executive Board. Both companies have recently upgraded their membership to the Executive level, highlighting their commitment and support for CSC’s mission.

This development marks a significant milestone for the Consortium with our board now numbering the maximum of 12 members, reflecting the ongoing growth and collaborative spirit within our community.

For more information about our Executive Board and their contributions, please visit our website.