What is an eIDAS Qualified Certificate for Electronic Signatures?
Cryptomathic : 06. July 2016
Under the eIDAS Regulation (EU) No 910/2014, a qualified certificate for electronic signature refers to “a certificate for electronic signatures, that is issued by a qualified trust service provider” and meets the requirements specified within the regulation. To be a qualified trust service provider, the entity must receive qualified status from its member nation’s supervisory body that authorizes that entity to provide qualified trust services to be used in creating qualified electronic signatures.
The provider must be listed on the EU Trust List in order to be considered qualified.
The qualified trust service provider must abide by the strict guidelines of eIDAS while performing its duties. The qualified certificate process includes:
- A valid date and time must be provided by the qualified trust service provider for creating certificates
- Immediate revocation of signatures with expired certificates
- Employees of the qualified trust service provider must receive appropriate training
- Service providers must use equipment and software that is trustworthy and able to prevent certificate forgery
Requirements for eIDAS Qualified Certificates
According to the requirements listed in Annex I, eIDAS qualified certificates for electronic signatures must contain:
- An indication, identifiable through automated processing, that the certificate is a qualified certificate for electronic signatures
- A data set that clearly represents the qualified trust service provider who issued the qualified certificate, including such information as the:
  - Service provider’s Member State where the entity is established
  - Name and registration number if the provider is a legal person
  - Name of the provider if he or she is a natural person
- Name of the signatory or indication if a pseudonym is used
- Electronic signature validation data that corresponds to the electronic signature creation data
- Information identifying the certificate’s period of validity from start to finish
- Qualified trust service provider’s unique certificate identity code
- Issuing qualified trust service provider’s advanced electronic signature or electronic seal
- Location of where the certificate that supports the advanced electronic signature is available free of charge
- An indication, preferably in automated processing form, of where the electronic signature creation data associated to the electronic signature validation data is located in the qualified electronic signature creation device
Additional Specifications for eIDAS Qualified Certificates for Electronic Signatures
Qualified certificates for electronic signatures will not be subjected to mandatory requirements that exceed the requirements from Annex I listed above. Non-mandatory additional specific attributes may be included in a qualified certificate for electronic signatures, provided they do not interfere with the recognition or interoperability of qualified electronic signatures.
If a qualified certificate for electronic signatures is revoked after being initially activated, it loses its validity from the time of the revocation, and the revocation cannot be reverted. EU member states may provide for the temporary suspension of a qualified certificate for electronic signatures through national rules, subject to the following conditions:
- A qualified certificate for electronic signatures that has been temporarily suspended loses its validity
- The temporary suspension period must be clearly indicated within the certificate database, and the suspension status must remain visible during the suspension period
The European Commission may make further changes through implementing acts that establish reference numbers of standards for qualified certificates for electronic signatures.
Legal Implications of a Qualified Certificate for Electronic Signatures
A qualified electronic signature offers the highest tier of probative value in court, making it very difficult to deny its authorship. Member states throughout the EU are required to recognize the validity of a qualified electronic signature that has been created using a qualified certificate from another member state.
A qualified electronic signature with an eIDAS qualified certificate carries the same weight as a handwritten signature in court.
References and Further Reading
- Trust Services and eID (retrieved 11.01.2016) by the European Commission
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- Selected articles on Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen and Dawn M. Turner