In the first post of this series, we presented the essential definition of qualified remote signatures. Now we will dive deep into the detailed process of creating an e-signature without having to struggle with key management. Since the main aspects of qualified remote signatures have been introduced previously, it is time to get familiar with the mechanisms behind them. To understand how this works, it is best to start with the process one goes through to create a qualified remote signature.
As mentioned in the previous post, to handle key management more safely, the end user entrusts a TSP (Trust Service Provider) to generate and store their private key. This way, even if the local environment the client uses lacks the necessary safety measures, their key would not be stolen or hijacked, because it is kept in the environment of the TSP. Authentication is still required to prevent unauthorized client-side usage.
The signer first meets a UI (user interface) which includes the SIC (Signer Interaction Component). The SIC allows the user to select the documents to sign, the attributes signed together with the documents, and the certificate to use. The SIC is also where the user enters the authentication data that activates the signing key; consent to signing should then be expressed, confirming that the action is not involuntary or accidental.
[Figure: The basic idea behind remote signing]
In practice, this means only a few clicks from the user. The request is then forwarded to the TSP through the Signature Activation Data (SAD) and the Signature Activation Protocol (SAP), which provides secure authorization and activation of the signature on the (TSP-owned) remote server.
Nothing that comes after requires any further action from the user: the TSP handles the creation of the signature after running the request through numerous security processes. These will be introduced in our next post, where we will present what it takes for a TSP to be compliant and to create a remote signature that is considered qualified.
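The flow described above, as an added sketch that is not part of the original post and is neither Microsec's implementation nor the ETSI wire format. The SAD field layout, the HMAC construction, SHA-256, and the names build_sad and RemoteSigningServer are assumptions, chosen to show the SAD tying the signer, the signing key and the exact document digests together so that the server refuses to activate the key for anything else.

```python
import hashlib
import hmac
import json
import secrets

def digest(doc):
    """Digest of a document selected in the SIC (SHA-256 is an assumption)."""
    return hashlib.sha256(doc).hexdigest()

def _canonical(body):
    # Stable byte encoding so both sides compute the MAC over identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_sad(auth_key, signer_id, key_id, docs):
    """SIC side: bind signer, signing key and document digests together.
    auth_key stands in for the secret released by signer authentication."""
    body = {"signer": signer_id, "key_id": key_id,
            "digests": sorted(digest(d) for d in docs),
            "nonce": secrets.token_hex(16)}
    mac = hmac.new(auth_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

class RemoteSigningServer:
    """TSP side (hypothetical): decides whether a signing key may be activated."""
    def __init__(self):
        self.auth_keys = {}       # signer_id -> authentication secret
        self.key_owner = {}       # key_id -> signer_id
        self.seen_nonces = set()  # replay protection

    def enroll(self, signer_id, key_id, auth_key):
        self.auth_keys[signer_id] = auth_key
        self.key_owner[key_id] = signer_id

    def authorize(self, sad, digests_to_sign):
        body = sad["body"]
        auth_key = self.auth_keys.get(body["signer"])
        if auth_key is None:
            return False                  # unknown signer
        expected = hmac.new(auth_key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sad["mac"]):
            return False                  # SAD forged or altered in transit
        if self.key_owner.get(body["key_id"]) != body["signer"]:
            return False                  # key does not belong to this signer
        if body["nonce"] in self.seen_nonces:
            return False                  # replayed SAD
        if body["digests"] != sorted(digests_to_sign):
            return False                  # not the data the signer approved
        self.seen_nonces.add(body["nonce"])
        return True
```

Only when authorize returns True would the server go on to use the private key; a captured SAD cannot be reused or redirected to another document or key.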
© 2020 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41