CSC based “Buypass Cloud Signature Services” now supports Qualified Electronic Signature


By Mads Henrikveen, Trust Service Manager, Buypass AS

Buypass has recently added support for both Advanced (AdES) and Qualified Electronic Signature (QES) in Buypass Cloud Signature Services (BCSS). BCSS is a set of signing services based on the Cloud Signature Consortium (CSC) framework.

Buypass has supported Advanced Electronic Signature (AdES) in Norway for many years. Utilizing the CSC framework, a new way of providing electronic signatures has emerged that is well suited for remote signatures according to the eIDAS Regulation and the upcoming European Digital Identity Wallet (EUDIW) framework.

The new BCSS Person Signing service is a flexible remote signing service using one-time signing keys and short-term certificates. The Signer authenticates and authorizes the use of the private signing keys by using already existing eID means.

The service is designed according to relevant ETSI/CEN-standards to be compliant with QES as defined in the eIDAS Regulation, resulting in electronic signatures legally equivalent to handwritten signatures all over Europe.

The illustration below shows the main actors (service providers) participating in the service:

The Trust Service Provider (TSP) issuing certificates (CA) and the SSASP (Server Signing Application Service Provider) are always Buypass. The SCASP (Signature Creation Application Service Provider) may be any signing Customer/Partner of Buypass who provides signing services supporting either QES or AdES. The Identity Proofing Service Provider (IPSP) is a service provider implementing identity proofing using eID means according to ETSI TS 119 461 as a service.

The main benefits of using this service are:

  • No need for User/Signer onboarding/enrolment (utilizing existing eID means)
  • The signed contents are anonymous – Buypass has no knowledge of the contents
  • Any data can be signed; only the hash (DTBS/R) is sent to Buypass
  • The signature requestor (the SCASP) can request either Qualified or Advanced Electronic Signatures

Buypass accepts any eID means satisfying eIDAS LoA High or Substantial if they are notified at such assurance levels in the EU or in a national scheme. This gives flexibility and makes the signing service interesting for Partners supporting signing of documents across Europe. No long-term relationship between Buypass and the Signer is necessary.

The BCSS Person Signing service has been designed so that Buypass never has access to the document to be signed (only the DTBS/R). The management of documents, user experience and the signature formats are for the signing Partner (the SCASP) to handle.
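A SCASP can enforce this hash-only property on its own side before anything leaves its network. The sketch below is an added example, not Buypass code: the field names follow the public CSC API v1 `signatures/signHash` request, and it is an assumption that BCSS uses that exact shape; the credential ID, SAD and data are constructed placeholders.

```python
import base64
import hashlib
import json

# Standard SHA-2 OIDs -> (hashlib name, digest length in bytes)
HASH_ALGOS = {
    "2.16.840.1.101.3.4.2.1": ("sha256", 32),
    "2.16.840.1.101.3.4.2.2": ("sha384", 48),
    "2.16.840.1.101.3.4.2.3": ("sha512", 64),
}
# Field names from the CSC API v1 signHash request (assumed to apply to BCSS)
ALLOWED_FIELDS = {"credentialID", "SAD", "hash", "hashAlgo", "signAlgo"}


def build_sign_hash_request(dtbs_items, hash_oid, credential_id, sad):
    """Hash each DTBS locally; only the digests (DTBS/R) enter the request."""
    name, _ = HASH_ALGOS[hash_oid]
    digests = [base64.b64encode(hashlib.new(name, item).digest()).decode("ascii")
               for item in dtbs_items]
    return {"credentialID": credential_id, "SAD": sad,
            "hash": digests, "hashAlgo": hash_oid}


def check_hash_only(request):
    """Egress guard: raise ValueError unless every hash entry is one digest long."""
    extra = set(request) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    if request.get("hashAlgo") not in HASH_ALGOS:
        raise ValueError("unknown or missing hashAlgo")
    _, length = HASH_ALGOS[request["hashAlgo"]]
    hashes = request.get("hash")
    if not isinstance(hashes, list) or not hashes:
        raise ValueError("hash must be a non-empty list")
    for value in hashes:
        try:
            raw = base64.b64decode(value, validate=True)
        except (TypeError, ValueError) as exc:
            raise ValueError("hash entry is not valid base64") from exc
        if len(raw) != length:
            raise ValueError(f"hash entry is {len(raw)} bytes, expected {length}")
    return json.dumps(request, sort_keys=True)  # body that may be sent


# Constructed sample values, not real identifiers or tokens
SAMPLE_DTBS = b"constructed data to be signed, prepared by the SCASP"
SAMPLE_REQUEST = build_sign_hash_request(
    [SAMPLE_DTBS], "2.16.840.1.101.3.4.2.1", "example-credential", "example-sad")
```

The guard rejects a body in which document bytes were placed where a digest belongs, because a decoded entry must be exactly as long as the declared hash algorithm's output.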

The illustration below shows the main flows between the actors in the service:

The Signer contacts a service provider to sign a document (1). BCSS Person Signing service receives a representation of the data to be signed (2), and a request for user authentication (3). When the user has performed an authentication (4), Buypass will validate the authentication (5) and create a signing key (6), issue the signing certificate (7), and generate the signature (8 & 9). All this will happen “under the bonnet”. The signature and some metadata are returned to the signature requestor (10).

The signature requestor will then package the signature as needed, typically PAdES, JAdES or similar. The signing certificate is issued by Buypass using a CA registered on the EU Trusted List and accepted by Adobe, thus resulting in full validation in Adobe Acrobat applications.

The service is well positioned to be used in the eIDAS 2.0 ecosystem around the EUDIW. The service will be explored for this purpose in EUDIW Large Scale Pilots together with our Partners.

The BCSS Person Signing service has been assessed and approved by accredited auditors and the service has been granted qualified status from the national supervisory body.

We’d be delighted to discuss this new service and opportunities for collaboration with our CSC colleagues. Reach out to Mads Henrikveen, mads.henriksveen@buypass.no, if you would like to know more.