Introduction
This Signature Creation Policy (SCP) describes the policies and procedures followed by our qualified electronic signature creation API service in creating qualified electronic signatures (QES) for our customers. This policy is in compliance with relevant laws and regulations, including but not limited to the eIDAS regulation (EU) 910/2014.
Abbreviations
- AATL – Adobe Approved Trust List
- AdES – Advanced Electronic Signature
- EUTL – European Union Trust List
- DTBSR – Data to be signed representation; hash of the data to be signed formatted, which is used to compute the digital signature value
- QES – Qualified Electronic Signature
- QTSP – Qualified Trust Service Provider
- OTP – One Time Password
- SD – Signer’s Document
- SCP – Signature creation policy
- SCD – Signature creation data
- DA – Driving application that is using eID Easy API to create signatures
Identity Verification
Our QES creation API service verifies the identity of the signatory through a secure and reliable identification process, which is compliant with the eIDAS regulation. This verification process follows QTSP designed or enabled steps.
Signature Creation Data
Our QES creation API service creates a signature that is based on signature creation data (SCD) that is uniquely linked to the signatory and to the data being signed. The SCD includes a secure digital certificate that identifies the signatory, the cryptographic hash of the signed data, and a timestamp from a trusted time-stamping authority.
Secure Signature Creation Environment
Our QES creation API service ensures that the signature creation environment is secure, and that only authorized personnel can access it. The signature creation environment includes secure hardware and software components that are tamper-evident and resistant to unauthorized access.
Cryptographic Suites
eID Easy uses cryptographic function according to ETSI TS 119 312 v1.4.2.
Hash functions for creation the signature can be following
- SHA-256
- SHA-384
- SHA-512
- SHA3-224
- SHA3-256
- SHA3-384
- SHA3-512
Digital signature algorithms can be following
- RSA-PSS
- RSA-PKCS1 v1.5
- ECDSA with NIST curves P-256, P-384 or P-521
- ECDSA with Brainpool curves brainpoolP256r1, brainpoolP384r1 or brainpoolP512r1
- ECDSA with FR curve FRP256v1
Qualified Certificate
Our QES creation API service uses qualified certificates issued by a qualified trust service provider (QTSP) that is recognized by the eIDAS regulation. The qualified certificate includes the signatory’s identity and the public key that is used to verify the signature.
Signature types
eID Easy application allows creation of following levels if signatures
- QES – qualified electronic signature, in accordance with eIDAS (EU 910/2014)
- non-eIDAS QES – nationally recognized qualified electronic signature outside EU/EEC
- AdES-QC – advanced electronic signature, based on a qualified certificate (according to eIDAS)
- AdES full – certificate-based advanced electronic signature, listed on EUTL or AATL
- AdES light – seal-based advanced electronic signature, based on strong authentication (LoA Substantial / LoA High) and a qualified electronic seal
- SES 2FA – simple electronic signature with two-factor authentication (SMS OTP code)
- SES – simple electronic signature
Signature creation process
eID Easy following signature formats with baseline profiles baseline-B, baseline-T, baseline-LT and baseline-LTA. Qualified timestamps are acquired from SK ID Solutions (EE) and Baltstanp (LT).
- XAdES Baseline Profile: ETSI TS 103171 v.2.1.1;
- CAdES Baseline Profile: ETSI TS 103173 v.2.2.1;
- PAdES Baseline Profile: ETSI TS 103172 v.2.2.2;
- ASiC Baseline Profile: ETSI TS 103174 v.2.2.1.
These signature formats shall contain signature certificates as part of the signed data. If a hash based signatures process is used then the driving application (DA) must create a signature in a format that includes a signature in a format that protects the signing certificate within the signature from undetected replacement after the signature has been created.
If complete files to be signed are available to eID Easy then eID Easy will show to the signer preview of the documents (SD) if they are in image or PDF format and allows downloading the SD before signing. eID Easy will ensure that the data to be signed representation (DTBSR) is correctly composed by calculating DTBSR and validating the signature for errors after the signature has been completed.
What You See Is What You Sign (WYSIWYS) is achieved by rendering PDF files in the browser using open source PDF.js Javascript library. Image file preview is rendered using HTML tag. Other content types will not be rendered and can only be downloaded to see the preview.
DTBSR will be calculated after the signer has seen DTBS or SD and it signature will include signed data timestamp.
When signer proceeds to signature confirmation then a signature creation process specific to chosen QTSP will be performed.
If more than one signing certificate is available to the signer then eID Easy will either choose the default selection or allow the signer to choose the signing certificate.
Signature commitment type is by default “I accept and approve the contents on this document”. If the commitment type is different then it will be embedded in the reason or role fields and it can be shown in PAdES signature widget.
DA can choose the commitment type or let the user type in the commitment type on his own during the signature creation process.
When signature has been completed then DA can delete all temporary data and signed files immediately after downloading the signed files or have data deleted within 7 days automatically.
Audit Trail
Our signature creation API service generates an audit trail as a separate document for non-qualified electronic signature creation activities, including the verified identity attributes of the signatory, and the timestamp of the signature. This audit trail is securely stored and is accessible only to authorized personnel.
For QES events are stored in the application logs that enable auditing of the signature creation process.
Signature Validation
Our QES creation API service provides mechanisms for signature validation to ensure that the signature is valid, and that it has not been tampered with. The signature validation process includes verification of the SCD, the qualified certificate, and the timestamp.
Conclusion
Our QES creation API service follows this SCP to ensure that the QES created using our API are compliant with relevant laws and regulations, and are secure and reliable. We are committed to maintaining the highest standards of security and trustworthiness in all our services.
Effective from: 06.03.2023
Previous versions: none
