When you receive an electronically signed document, the first question is often: Can I trust this signature? The answer lies in how the signature was created, the systems involved, and compliance with standards.
To bring clarity to this, the European Telecommunications Standards Institute (ETSI) has established a technical committee for Electronic Signatures and Infrastructures (ESI). ETSI is a global organization that develops ICT-related standards—including those for digital signatures.
The Key Standard: ETSI TS 119 102-1
At eID Easy, we help create digital signatures that comply with ETSI TS 119 102-1, titled:
Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation
This standard outlines how advanced electronic signatures (AdES) should be created and validated.
Signature Creation Environment (SCE): Key Components
The signature creation process involves three main components:
- Signer – The person or system requesting the signature
- Driving Application (DA) – The business application or system the signer interacts with
- Signature Creation System (SCS) – The backend service that executes the signature creation
Signature creation may be either manual (human involvement) or automatic (e.g., e-seals).
The Role of the Signature Creation Device (SCD)
At the heart of the process is the Signature Creation Device (SCD), which holds the private key. This device can take various forms:
- HSM (Hardware Security Module)
- Smart card
- USB crypto token
- Smartphone app
- SIM card
Note: Private keys stored as unsecured files are highly discouraged and generally not accepted by reputable Trust Service Providers (TSPs).
How eID Easy Fits In
eID Easy functions as the Signature Creation System, offering the Signature Creation Application that interacts with the Signature Creation Device.
In practical terms, we:
- Receive the unsigned document
- Communicate with the SCD
- Request and manage signer authorization
- Return the fully signed file
We integrate with a wide range of devices, Trust Service Providers, and Certificate Authorities.
Who Uses eID Easy?
Our customers are typically Driving Applications—businesses and platforms that:
- Handle document generation or collection
- Manage user workflows for signing
- Drive the signing process end-to-end
- Store and distribute the final signed documents
Inside the Signature Creation System: How the Signature Is Made
Here’s what actually happens inside the Signature Creation System (SCS) and Application (SCA):
1. Input: Signer’s Document (SD)
2. Conversion to Hash:
- The SD is converted into Signer’s Document Representation (SDR)
- Uses SHA-256 to hash the document
- For XAdES, CAdES, and ASiC-E, the hash is made from the file(s) directly
- For PAdES, only specific ByteRange bytes are hashed
3. Forming Data to Be Signed (DTBS):
DTBS includes:
- Hash of the document
- Signer’s public certificate
- Time of signing, etc.
4. Formatting (DTBSF):
DTBS must be serialized into a specific format and order, known as DTBSF
5. Hashing (DTBSR):
- DTBSF is hashed to create the Data to Be Signed Representation (DTBSR)
- This is the final digest that gets signed
6. Signing the Digest:
- The Signature Creation Application sends the DTBSR to the Signature Creation Device
- The SCD signs it using the private key
- The result is a raw signature that can be verified using the signer’s public key
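The steps above, traced in Python as an added example (not eID Easy's code): it computes the SDR for a whole file and for a PAdES ByteRange, then serializes and hashes the DTBS into the digest that goes to the SCD. The length-prefixed DTBSF encoding, the sample PDF bytes and the certificate placeholder are constructed assumptions; real AdES formats use DER or canonical XML, and the signing call to the SCD is left out.

```python
import hashlib
import re

def sdr_detached(document: bytes) -> bytes:
    """SDR for XAdES, CAdES, ASiC-E: SHA-256 over the file itself."""
    return hashlib.sha256(document).digest()

def sdr_pades(pdf: bytes) -> bytes:
    """SDR for PAdES: SHA-256 over the two /ByteRange spans only, skipping
    the /Contents gap that will later hold the signature."""
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    off1, len1, off2, len2 = (int(g) for g in m.groups())
    if not (off1 + len1 <= off2 and off2 + len2 <= len(pdf)):
        raise ValueError("ByteRange spans overlap or run past end of file")
    return hashlib.sha256(pdf[off1:off1 + len1] + pdf[off2:off2 + len2]).digest()

def dtbsf(sdr: bytes, signer_cert: bytes, signing_time: str) -> bytes:
    """DTBS fields in one fixed order, each with a 4-byte length prefix.
    Stand-in encoding (assumption); real AdES formats use DER or canonical XML."""
    fields = [sdr, signer_cert, signing_time.encode("ascii")]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def dtbsr(sdr: bytes, signer_cert: bytes, signing_time: str) -> bytes:
    """The 32-byte digest that is handed to the SCD for signing."""
    return hashlib.sha256(dtbsf(sdr, signer_cert, signing_time)).digest()

def make_sample_pdf(sig_hex: bytes) -> bytes:
    """Constructed PDF-like bytes with a self-consistent /ByteRange."""
    head = b"%%PDF-1.7\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    gap, tail = b"<" + sig_hex + b">", b" >>\n%%EOF\n"
    n = len(head % (0, 0, 0))
    return head % (n, n + len(gap), len(tail)) + gap + tail

if __name__ == "__main__":
    cert = b"CONSTRUCTED-CERT-BYTES"          # placeholder, not a real certificate
    empty = make_sample_pdf(b"0" * 64)        # placeholder before signing
    filled = make_sample_pdf(b"AB" * 32)      # same file after signature is embedded
    print("PAdES SDR stable:", sdr_pades(empty) == sdr_pades(filled))
    print("whole-file hash stable:", sdr_detached(empty) == sdr_detached(filled))
    print("DTBSR:", dtbsr(sdr_pades(empty), cert, "2024-01-01T12:00:00Z").hex())
```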
Final Output: The Signed Data Object (SDO)
The raw signature alone isn’t useful—it’s just a binary array. To complete the process, it’s packaged into a Signed Data Object (SDO), which contains:
- The signed content
- Signature metadata
- Information about the signer