Qualified digital certificate

Under the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a qualified trust service provider that ensures the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data.[1]

Description

eIDAS defines several tiers of electronic signatures that can be used in conducting public sector and private transactions within and across the borders of EU Member states. A qualified digital certificate, in addition to other specific services provided by a qualified trust service provider are required to elevate the status of an electronic signature to that of being considered a qualified electronic signature. Using cryptography, the digital certificate, also known as a public key certificate, contains information to link it to its owner and the digital signature of the trust entity that verifies the authenticity of the content that has been signed.

According to eIDAS, to be considered a qualified digital certificate, the certificate must meet the requirements provided in Annex I of Regulation (EU) No 910/2014, including, but not limited to:

Vision

The need for non-repudiation and authentication of electronic signatures was originally addressed in the Electronic Signatures Directive 1999/93/EC to help facilitate secure transactions, specifically those that occur across the borders of EU Member states. The eIDAS Regulation later replaced the Directive and defined the standards to be used in the creation of qualified digital certificates by trust service providers.[2]

Role of a Qualified Trust Service Provider

A qualified digital certificate can only be issued by a qualified trust service provider that has received authorization from their Member state’s supervisory body to provide qualified trust services for creating qualified electronic signatures. The provider must be listed upon the EU Trust List; otherwise, they are not permitted to provide qualified digital certificates or other qualified trust services. The trust service provider is required to abide by the guidelines established under eIDAS for creating qualified digital certificate, which include:

Legal Implications of Electronic Signatures with Qualified Digital Certificates

In court, a qualified electronic signature provided the highest level of probative value, which makes it difficult to refute its authorship. A qualified electronic signature, along with its qualified certificate is given the same consideration as a handwritten signature when used as evidence in legal proceedings. The validity of a qualified electronic signature that has been created with a qualified certificate must be accepted by other EU Member States regardless of what Member State the signature was produced in.[4]

Global Perspective

In other parts of the world, similar concepts have been created to define standards for electronic signatures. In Switzerland, the digital signing standard ZertES has comparable standards that address the conformity and regulation of trust service providers who product digital certificates.[5] However, in the United States, the current version NIST DSS (Digital Signature Standard) does not provide a comparable standard for regulating qualified certificates that would address non-repudiation of a signatory’s qualified certificate.[6] An amendment to NIST DSS is currently being discussed that would be more in-line with how eIDAS and ZertES handle trusted services.[7][8]

References

This article is issued from Wikipedia - version of the 9/18/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.