In previous posts, I described
what an e-signature is under eIDAS and which types are generally recognised as such ("simple", AES and QES),
how an AES works technically (asymmetric cryptography), and
how the identity of the signatory is guaranteed in an AES (certificates).
But not all AES are created equal. It also depends on the certificate itself, or rather on who issued it.
Where is the catch?
I can easily create a certificate myself (a self-signed certificate).
But obviously such a certificate carries little credibility. The recipient simply has to take my word for it that the name in the certificate is really mine and that it was indeed I who signed the document in question.
If, on the other hand, the certificate is issued by a qualified trust service provider (a certification authority), it carries more credibility: the provider has checked the signatory's identity before issuing it and vouches for the binding between the name and the key.
Certification authorities form one branch of public key infrastructure (PKI), the infrastructure for managing and distributing public keys. The other branch is the so-called web of trust, a distributed system in which the credibility of a certificate, and of the information it contains, is weighed on the basis of endorsements by other users who vouch for it.
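The difference between the two kinds of certificate can be seen with nothing more than the openssl command line. The script below is an added example, not code from the original post or from any real provider: it builds a throwaway root for a made-up trust service provider, issues a certificate to "Signatory A" after the (pretend) identity check, and then creates a second, self-made certificate that simply claims the same name. Both keys sign the same document; the two signatures are equally valid mathematically, and only the chain check against the root we trust tells them apart. All names and the document are constructed, and the script assumes an openssl CLI (1.1.1 or newer) with its default configuration.

```shell
#!/bin/sh
# Added example: the same cryptographic signature is valid whether the signer's
# certificate is self-made or issued by a CA; only the trust decision differs.
# Assumes the openssl CLI (1.1.1 or 3.x) with its default openssl.cnf.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Detached CMS signature over a document (the shape CAdES e-signatures take).
# $1 private key, $2 signer certificate, $3 document, $4 output file
sign_detached() {
  openssl cms -sign -binary -in "$3" -signer "$2" -inkey "$1" \
    -outform DER -out "$4" >/dev/null 2>&1
}

# All names below are constructed and correspond to no real entity.
setup_pki() {
  # Root of the pretend "qualified trust service provider". The default
  # openssl.cnf v3_ca section gives it basicConstraints CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Trust Service Provider Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  # Signatory A: identity checked by the provider, certificate issued by it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Signatory A" \
    -keyout "$WORK/issued.key" -out "$WORK/issued.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/issued.csr" -days 365 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/issued.pem" >/dev/null 2>&1

  # Someone else made this certificate themselves and wrote the same name
  # into it; nobody vouches for the binding between name and key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Signatory A" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1

  # Constructed document, plus an altered copy for the tamper case.
  printf 'I agree to the terms of contract no. 42.\n' > "$WORK/contract.txt"
  printf 'I agree to the terms of contract no. 43.\n' > "$WORK/altered.txt"

  sign_detached "$WORK/issued.key" "$WORK/issued.pem" "$WORK/contract.txt" "$WORK/issued.p7s"
  sign_detached "$WORK/self.key"   "$WORK/self.pem"   "$WORK/contract.txt" "$WORK/self.p7s"
}

# Step 1: does the signature match the document and the public key in the
# embedded certificate? (-noverify skips the certificate chain check)
signature_valid() {  # $1 signature, $2 document
  openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
    -noverify -out /dev/null >/dev/null 2>&1
}

# Step 2: does the signer's certificate chain to a root we actually trust?
issuer_trusted() {  # $1 signature, $2 document, $3 trusted root(s)
  openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
    -CAfile "$3" -out /dev/null >/dev/null 2>&1
}

# Verdict: "invalid" (bad math), "untrusted-issuer" (good math, nobody we
# trust vouches for the name) or "trusted-issuer".
classify() {  # $1 signature, $2 document
  if ! signature_valid "$1" "$2"; then
    echo invalid
  elif issuer_trusted "$1" "$2" "$WORK/ca.pem"; then
    echo trusted-issuer
  else
    echo untrusted-issuer
  fi
}

setup_pki
for s in issued self; do
  printf '%s certificate, contract.txt: %s\n' "$s" "$(classify "$WORK/$s.p7s" "$WORK/contract.txt")"
done
printf 'issued certificate, altered.txt: %s\n' "$(classify "$WORK/issued.p7s" "$WORK/altered.txt")"
```

Run it and the issued certificate's signature comes back trusted-issuer, the self-made one untrusted-issuer, and any signature checked against the altered document invalid. The first two differ only in step 2: asymmetric cryptography tells you that whoever holds the private key signed the document, and it is the certificate's issuer, not the mathematics, that tells you who that is.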
Various degrees of guarantee of electronic signatures
We can, somewhat artificially, distinguish two levels of AES:
e-signatures that guarantee the signatory's identity in at least some reasonable way, for example a QES, an AES based on a qualified certificate, or an AES created with the cooperation of a relatively "solid" service provider after prior identification of the signatory; and
e-signatures that do not guarantee the signatory's identity at all, typically those based on a certificate the signatory created herself.
Within the first category, however, it is only the QES and the infamous "recognised electronic signatures" based on a qualified certificate that current Czech law favours by granting them a formally better legal status.
What about all those fairly trustworthy e-signatures?
On the other hand, an AES created with the cooperation of a "solid" service provider after prior identification of the signatory, e.g. through a bank identity (such as SIGN from BankID, DigiSign and others), is formally considered "only" an AES in the broadest sense of the definition.
Such signatures are formally on the same level as a signature created entirely by the signatory herself, using certificates she generated herself. And this despite the fact that for an AES created with these "solid" providers, some clearly set rules must have been in place and the signatory's identity must have been verified in some manner.
In practice it is of course possible to distinguish between AES of the first and second category, but more on that another time.
Do you use electronic signatures? Does that make sense to you?