In terms of work with electronic documents, being eIDAS ready means in practice being able to create, accept, and store on a long-term basis authentic electronic documents that are effective within the EU, and to do so in one's own applications and information systems. The question is how to do it.
eIDAS defines 3 levels of the electronic signature and says that the highest level, the “qualified electronic signature”, is an equivalent of the autograph signature. At the same time, it prescribes what means and procedures must be used and followed when creating the signature, and how to verify and store such signatures. For this purpose, trust-creating services are defined. For the qualified electronic signature, requirements for qualified trust-creating services are specified. The same applies to electronic seals.
Qualified or “regular” service?
According to eIDAS, to achieve the level of a qualified electronic signature/seal, it is necessary to use a qualified certificate and a qualified instrument for its creation. This relates to the qualified service of “issuing qualified certificates”. In this case, there is no reason to doubt its purpose, its justification, or even the obligation to use it. The same applies to the qualified timestamp.
We simply cannot do without them. Where we can do without a qualified service is the verification of validity and the storage of electronic signatures/seals/timestamps. It follows unambiguously from eIDAS that validity verification of qualified electronic signatures/seals/timestamps and their storage may be done by the relying party alone. We may verify validity and store electronic signatures/seals/timestamps by means of a service that is not qualified, even for the highest “qualified” level.
It is thus up to the specific organization, legal or natural person, to decide what service is used: whether it is beneficial and meaningful to use a qualified service, and what actual guarantees and warranties it brings, or whether to manage with “only” an “ordinary” service, which cannot be done without anyway. In many cases and situations, the “ordinary” service, with its applicability and outcomes, is even more comprehensive and useful than the qualified service.
The Act on trust-creating services for electronic transactions no. 297/2016 Coll. (ZoSVD) defines the term ‘recognized electronic signature’, which includes the “authentic electronic signature based on the qualified certificate” and the “qualified electronic signature”. This at the same time expands the equivalence of the autograph signature beyond eIDAS (effective in the Czech Republic only).
ZoSVD also defines the minimum requirements for the use of individual levels of the electronic signature/seal for various purposes and subjects (§5, §6, §8, §9, §11). To comply with legal obligations, it is thus necessary to also cope with the verification and storage of electronic signatures/seals other than qualified ones. And this is impossible through qualified services for validity verification and storage of qualified electronic signatures.
Developing modern paperless architectures
To develop modern paperless ‘eIDAS ready’ architectures, it is important to understand trust-creating services as more than just services provided by a third party for a fee, in particular in the sense of service-oriented architectures.
To achieve a real and efficient ‘eIDAS ready’ status in the area of work with electronic documents and their signatures, a functional implementation of all of the following three services is necessary: Sign – Verify – Save. In the context of the above, implementing one's own digital trust infrastructure by acquiring suitable technologies proves optimal. Such an infrastructure provides the operated systems and applications with standardized, universal, and highly available trust-creating services for the creation, verification, and storage of electronic signatures/seals/timestamps at various trust levels. At the same time, in specific cases and for particular document types, it makes it possible to use and consume the outputs of the qualified service of validity verification or storage of qualified electronic signatures/seals. And all of this in compliance with eIDAS.
This article was published in the magazine IT Systems (6/2017)