Signicat is pleased to announce we have formally become a member of ETSI (European Telecommunications Standards Institute) joining their technical committee on Electronic Signatures and Infrastructure (ESI). ESI is the standardisation body responsible for most European standards on digital signature and trust services; CEN TC 224 additionally produces some standards, notably on security evaluation.
Signicat’s electronic signature services are designed to be standards-compliant, and with Signicat becoming a qualified trust service provider according to the EU eIDAS Regulation, standards-compliance is increasingly important for us. The decision to join ETSI/ESI is a strategic move to not only use standards, but to also get first-hand knowledge of and influence on their development.
European standards on digital signature and trust services are grouped in six areas as shown in the figure below. The green ticks show standards that are done (only maintenance activities) while the rest are in progress. When completed, standards will cover all trust services defined by eIDAS. CEN (the European Committee for Standardization) covers area 2 while the rest of the standards are produced by ETSI.
Formally, standards are not mandatory to fulfil eIDAS requirements for qualified trust services. However, when interoperability is a goal, in practice the ETSI and CEN standards must be used. Currently, Signicat uses standards from area 1 for the Signicat Sign service, from area 4 for the qualified time-stamp service, and of course the recommendations on cryptography from area 2. As the service offering expands, more standards will come into play.
While the eIDAS Regulation sets the scope of the standards work, ETSI’s strategy is to produce technical standards that are globally applicable and not targeted at a specific legal environment. Notably, ETSI uses the technical term “digital signature”, a signature created by use of public key cryptography and PKI certificates, to distinguish from the in-principle technology neutral, legal terms “electronic signature” and “electronic seal” used by eIDAS. ETSI standards, together with a few core specifications on which ETSI has built the work, are referenced internationally as the state of the art standards in the area.
Of the ongoing work, standards to enable server-based (remote) creation of qualified and other signatures are especially important. CEN is about to publish Common Criteria (CC) security evaluation profiles for the equipment needed for such a service, such as “remote QSCD” (Qualified Signature Creation Device). ETSI will publish standards for the signing protocol towards the service and policy and security requirements to be applied by the service provider operating the signing service.
Standards for signature validation services is underway from ETSI, specifying how a signed document (or pairs of signatures and hash values) can be sent to a trusted service, returning a signature validation report that is also being standardised.
Registered delivery, i.e. transmission of documents and other message between parties in a reliable and secure way, is a trust service in eIDAS. A new ETSI standard in this area is about to be sent for national ballot, meaning that the national standardisation bodies of the ETSI member states will vote on its acceptance. In addition to the base standard, ETSI has revised the old Registered Electronic Mail (REM) specification for email-based registered delivery; the new REM version is also under national ballot.
Standards are being produced for long-term preservation of both signed and unsigned documents, using digital signature techniques to produce evidences of existence.
When qualified trust services are audited by a Conformity Assessment Body (CAB), the CAB must be nationally accredited for the job according to an ETSI standard.
Of miscellaneous other work, ETSI recently published standards for issuing of qualified web-site certificates and qualified electronic seal certificates to actors that are accredited for payment service provider roles according to the EU PSD2 directive.
All in all, as ETSI standards are the foundation of many of the services that Signicat provides or will provide in the future, keeping track of and influencing the development of standards is necessary to ensure that Signicat continues to deliver world-class signature and trust services.