The Electronic Signature and its applications

In this article we want to provide a useful guide to recognising the various types of Electronic Signature and their respective fields of application.

INTRODUCTION 

Although the Electronic Signature is a widely used tool, many people are still unaware of the differences between, for example, an Electronic Signature and a Digital Signature. 

In this article I will try to provide as much clarity as possible, in simple language, so that you can better understand what is meant by the following terms: 

  • Electronic Signature; 
  • Qualified Signature; 
  • Qualified Electronic Signature; 
  • Advanced Signature; 

together with their effectiveness and fields of application. 

Note: to keep the explanation accessible, this article deliberately does not cover all the technical details of the subject, which could distract from its objective. 

THE SIGNATURE AND ITS APPLICATIONS 

Usually, to accept a contract, for example, or to validate or sign any document submitted to us, our handwritten signature on paper is required. The reason lies in the peculiarities of a personal signature: its uniqueness, its personal nature and its recognisability in the event of a dispute. 

The term “signature” comes from the Latin word “signare”. 

The first attempt to unify the meaning and significance of the Electronic Signature at European level came with Directive 1999/93/EC, which introduced its legal framework, with the declared final objective of simplifying its use and facilitating its legal recognition in all EU countries. 

The directive states clearly that an advanced eSignature based on a qualified certificate satisfies the legal requirements of a signature in relation to data in electronic form in the same way as a handwritten signature satisfies those requirements in relation to paper-based data. 

EU Regulation 910/2014 of 23 July 2014 (commonly known as the eIDAS Regulation) then gave a decisive boost to the aims already present in the 1999 directive, which it repealed. Today eIDAS is the regulatory reference for all kinds of eSignature. 

But what is an Electronic Signature? What are the differences from the other kinds of eSignature? And where is each of them applicable? 

To explain this, we have to start from the definition of Electronic Signature already contained in the old European directive mentioned above (1999/93/EC): “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication”. 

Sometimes we receive a document (perhaps a PDF or a DOC file) containing an image of the signatory's handwritten signature, placed at a specific point in the document. In another kind of document, the signature field may simply contain the signatory's name and surname. These are all examples of Electronic Signature, i.e., a type of signature which, to a minimal extent, is able to link a document to a person. 

As you can well imagine, an Electronic Signature made on such a premise is by its very nature weak and easily counterfeited; however, this type of signature could have the same legal standing as a handwritten signature as long as it complies with the requirements of the specific regulation under which it was created. Indeed, since the above-mentioned Directive it has been established that an electronic signature cannot be rejected as evidence in legal proceedings merely because it is electronic. eIDAS (Art. 25) confirms that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements for qualified electronic signatures. 

It is important to keep in mind that this does not mean that such a signature automatically has legal value: its value must instead be proven in case of dispute. 

Electronic Signature is therefore a generic term that covers the simple types of signature seen so far, but it also serves as the umbrella concept for other, more specific (and more secure) types of Electronic Signature, which we are now going to analyze. 

The Advanced Signature was also first introduced in the above-mentioned European Directive. 

The Advanced Electronic Signature must meet the following requirements: 

  • it must be uniquely linked to the signatory; 
  • it must be capable of identifying the signatory; 
  • it must be created using means that the signatory can maintain under his or her sole control; 
  • it must be linked to the electronic document to be authenticated in such a way that any subsequent change to that document is detectable. 

The key to understanding what an Advanced Signature is lies in the requirement “uniquely linked to the signatory”. 

The main difference from a simple Electronic Signature is, first of all, the identification of the signatory. A simple Electronic Signature does not require any mechanism that identifies the signer, while for an Advanced Signature this is an indispensable requirement. 

The stronger the mechanisms linking the signature to the signatory, the greater the possibility of proving the unique connection with the signed document. Integrity of the signed content is its key feature: the Advanced Signature is the one that ensures that neither the signed document nor the signer's identity has been modified. 

To meet the requirement of being “uniquely linked to the signatory”, some specific types of Advanced Signature use biometric data. In this case the Advanced Signature requires the physical presence of the signer, who may be asked to sign on a specific device (for example a tablet). Biometric data that identify the signer are then collected, such as the pressure, speed, inclination and position of the stylus at the time of signing. 

With an Advanced Signature, if the validity of the signature is questioned, it is up to the signatory to prove that it is valid. The additional security provided by a Qualified Signature instead transfers this burden of proof to the party disputing its validity. 

The eIDAS Regulation calls this kind of signature precisely a Qualified Electronic Signature, but the terms Qualified Electronic Signature and Qualified Signature are often used interchangeably. 

To create a Qualified Electronic Signature it is necessary to hold a Qualified Digital Certificate. The certificate is issued by a Qualified Trust Service Provider (QTSP) only after verification of the requester's identity. Usually, a Qualified Certificate is paid for and is valid for 3 years. 

Issuance of the certificate is accompanied by the delivery of security codes (in some cases together with a USB token or a smartcard). The security codes are strictly personal, are generally produced by means that guarantee confidentiality (e.g., sealed blind envelopes), and must never be shared with anyone: they give access to the signature key, and therefore to the ability to sign any document in a Qualified manner, i.e. with the highest level of guarantee that exists (a qualified electronic signature shall have the equivalent legal effect of a handwritten signature, eIDAS Art. 25). 
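The two paragraphs above describe the trust relationship behind a Qualified Certificate: a provider that relying parties trust binds the signatory's public key to a verified identity, for a limited validity period (3 years), while the private key stays under the signatory's sole control. The following Go program is an added illustration, not code from the article or from any QTSP: it builds a constructed root certificate standing in for a provider, issues a 3-year X.509 signing certificate from it, and shows how a relying party checks that a certificate chains to a trusted root and is still within its validity period. The provider name, the subject name, the issue date and the serial numbers are all constructed values, and the identity verification that precedes real issuance is assumed to have happened outside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Provider is a constructed stand-in for a QTSP: a root certificate that relying
// parties trust (in practice, the one published on the EU trusted list) and the
// private key the provider uses to issue certificates.
type Provider struct {
	Root *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewSignerKey generates a key pair; for a signatory this is the key that must
// stay under their sole control.
func NewSignerKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// createCert signs template with parentKey on behalf of parent and parses the
// result; when parent == template the certificate is self-signed (a root).
func createCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewProvider creates a provider with a self-signed root valid for ten years.
func NewProvider(name string, now time.Time) *Provider {
	key := NewSignerKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return &Provider{Root: createCert(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// IssueSignerCert issues a certificate valid for 3 years that binds pub to the
// named subject. The identity verification that precedes issuance is outside
// this example: the caller asserts the subject (constructed example).
func (p *Provider) IssueSignerCert(subject string, serial int64, pub *ecdsa.PublicKey, now time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    now,
		NotAfter:     now.AddDate(3, 0, 0),
		// Content commitment (non-repudiation) is the key usage that matters for signatures.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	return createCert(tmpl, p.Root, pub, p.key)
}

// Trusted reports whether cert chains to root and is within its validity period
// at time at: the relying party's first check, before looking at the signature
// over the document itself.
func Trusted(cert, root *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	qtsp := NewProvider("Constructed QTSP Root", now)
	signerKey := NewSignerKey()
	cert := qtsp.IssueSignerCert("Example Signatory", 42, &signerKey.PublicKey, now)

	fmt.Println(Trusted(cert, qtsp.Root, now.AddDate(1, 0, 0))) // true
	fmt.Println(Trusted(cert, qtsp.Root, now.AddDate(3, 0, 1))) // false: past the 3-year validity
	other := NewProvider("Another Root", now)
	fmt.Println(Trusted(cert, other.Root, now)) // false: not issued by the trusted provider
}
```

A real relying party would take the roots from the trusted list rather than constructing them, and would also consult the provider's revocation information; both are outside this example, which only shows why the issuer and the validity period are checked before the document signature is.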

To create a Qualified Signature, QTSPs generally provide signing applications through which it is possible to open and read the content of a given document (generally in the common PDF and DOC formats) and sign it using the above-mentioned security codes. 

The list of European QTSPs is published at: 

https://eidas.ec.europa.eu/efda/tl-browser/#/screen/home  

CONCLUSIONS 

We have therefore seen the main types of Electronic Signature, their meaning and their value. 

As seen, the effectiveness of an Electronic Signature grows with the intrinsic security mechanisms of the various types of signature described: a simple Electronic Signature basically has no valid technical basis, even though it must not be denied legal effect and admissibility as evidence in legal proceedings; an Advanced Signature, on the other hand, rests on stronger criteria, thanks to the use of authentication procedures and (in most cases) biometric data embedded and protected within the document, which help to prove that the signature is uniquely linked to the signatory. For the Qualified Electronic Signature, the security assurance is guaranteed by the strict requirements on tools and procedures to which all eIDAS QTSPs must adhere. 

At the same time, all QTSPs must also make available an online verification tool, which checks whether or not a signature created with a given Qualified Electronic Certificate complies with the European regulation. 

In fact, it is very important to keep in mind that even if a given signature turns out to be valid after the verification process, it may still be unacceptable and may be rejected. This is because of the restrictions that can be applied to the signer's digital certificate (including a Qualified one), which may concern, for example, the content of the document itself (e.g., monetary transactions above a certain limit), the kind of document or the kind of recipients. 
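Two points made earlier deserve a concrete illustration together: the Advanced Signature requirement that the signature be linked to the document so that any later change is detectable, and the conclusion just above that a signature which verifies technically can still be rejected because of the restrictions attached to the signer's certificate. The Go program below is an added example, not code from the article or from any signing product: it signs a document (content plus its type, amount and declared signer) with an Ed25519 key, shows that altering the content or the metadata breaks verification, and then models the receiver's evaluation, which applies the certificate's restrictions after the cryptographic check. The certificate structure, its restriction fields, the signer name and the document values are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignerCert is a constructed stand-in for a qualified certificate: it binds a
// public key to an identity the issuer has verified and carries the usage
// restrictions that can be attached to a certificate (constructed fields).
type SignerCert struct {
	Subject         string
	PublicKey       ed25519.PublicKey
	MaxAmountEUR    int
	AllowedDocTypes map[string]bool
}

// SignedDocument is the electronic data together with the signature that is
// logically associated with it.
type SignedDocument struct {
	Content   []byte
	DocType   string
	AmountEUR int
	Signer    string
	Signature []byte
}

// NewSigner generates a fresh Ed25519 key pair and a certificate for it. In the
// real process the private key stays under the signatory's sole control and the
// QTSP issues the certificate only after verifying their identity.
func NewSigner(subject string, maxAmount int, docTypes []string) (SignerCert, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	allowed := make(map[string]bool, len(docTypes))
	for _, t := range docTypes {
		allowed[t] = true
	}
	return SignerCert{Subject: subject, PublicKey: pub, MaxAmountEUR: maxAmount, AllowedDocTypes: allowed}, priv
}

// digest binds content and metadata (type, amount, declared signer) into one
// hash, with length prefixes so fields cannot be shifted into one another;
// changing any of them invalidates the signature.
func digest(doc SignedDocument) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s:%d:%d:%s:", len(doc.Content), doc.DocType, doc.AmountEUR, len(doc.Signer), doc.Signer)
	h.Write(doc.Content)
	return h.Sum(nil)
}

// Sign produces the signed document with the private key only the signatory holds.
func Sign(priv ed25519.PrivateKey, signer string, content []byte, docType string, amount int) SignedDocument {
	doc := SignedDocument{Content: content, DocType: docType, AmountEUR: amount, Signer: signer}
	doc.Signature = ed25519.Sign(priv, digest(doc))
	return doc
}

// VerifyIntegrity is the technical check: does the signature match the document
// under the certificate's public key? Any later modification makes it fail.
func VerifyIntegrity(cert SignerCert, doc SignedDocument) bool {
	return ed25519.Verify(cert.PublicKey, digest(doc), doc.Signature)
}

// Accept models the receiver's evaluation: the signature must verify, the
// declared signer must match the certificate subject, and the document must
// respect the certificate's restrictions. A technically valid signature can
// still be rejected on the last two grounds.
func Accept(cert SignerCert, doc SignedDocument) (bool, []string) {
	var reasons []string
	if !VerifyIntegrity(cert, doc) {
		reasons = append(reasons, "signature does not verify: content or signature altered")
	}
	if doc.Signer != cert.Subject {
		reasons = append(reasons, "declared signer does not match certificate subject")
	}
	if !cert.AllowedDocTypes[doc.DocType] {
		reasons = append(reasons, "document type not permitted by certificate")
	}
	if doc.AmountEUR > cert.MaxAmountEUR {
		reasons = append(reasons, "amount exceeds the certificate's transaction limit")
	}
	return len(reasons) == 0, reasons
}

func main() {
	// Constructed sample: the certificate allows contracts up to 10000 EUR.
	cert, priv := NewSigner("Example Signatory", 10000, []string{"contract"})
	doc := Sign(priv, "Example Signatory", []byte("Supply contract: 2 units"), "contract", 5000)
	fmt.Println(Accept(cert, doc)) // true []

	tampered := doc
	tampered.Content = []byte("Supply contract: 20 units")
	fmt.Println(Accept(cert, tampered)) // false [signature does not verify: ...]

	big := Sign(priv, "Example Signatory", []byte("Supply contract: 200 units"), "contract", 50000)
	fmt.Println(VerifyIntegrity(cert, big)) // true: the signature itself is valid
	fmt.Println(Accept(cert, big))          // false [amount exceeds ...]
}
```

The separation between VerifyIntegrity and Accept is the point: the first answers the question a verification tool answers (has the document changed since it was signed, and does the key belong to this certificate?), while the second is the receiver's own judgement about whether the signature is applicable to the document in front of them.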

Therefore, it is very important to know the value of an Electronic Signature and its field of application, also in the face of a rigorous verification procedure that takes into account not only the result of the specific verification tool available, but also the subjective evaluation that the receiver has to make to ascertain whether the signature is applicable to the context in which it is used. 

Marco BERARDI
BL eGovernance, BU Defensive Security, Innovery