Evidence - qualified electronic signature

Issue #1197 resolved
Stephane Mouy created an issue

Is the list of evidence types in 4.1.1 prescriptive? I am asking as I see that eIDAS qualified e-signatures are mentioned when they are very rarely used, but not the much more common eIDAS advanced e-signatures. Is this intentional?

Comments (14)

  1. Torsten Lodderstedt

    It’s not prescriptive.

    Qualified signatures have been added to the spec since they are a means to identification in some jurisdictions (e.g. AML in DE). Are advanced signatures used as identification means as well?

  2. Stephane Mouy reporter

    See paragraph 6 of article CMF R561-5-2 making reference to eIDAS advanced e-signatures supported by qualified certificate for KYC purposes.

    Apart from notaries, there is extremely limited use of eIDAS qualified e-signatures in France and virtually none in the banking sector.

    Best.

    Stéphane

  3. Torsten Lodderstedt

    Agreement in the call on 17.6: Torsten reaches out to Jules to propose a more generalized support for electronic signatures.

  4. Mark Haine

    Suggestion to change evidence type to “electronic signature” and then have a type of “eIDAS qes”. This allows for many other types of certificate to be used as evidence.

  5. Julian White

    I think there’s a number of things that QES sweeps up that makes it hard to work out how to generalise this for other jurisdictions. It’s principally based on:

    1. Is the electronic signature recognised as being equivalent to hand written signature in law?
    2. Is the electronic signature bound to a single identifiable signatory?
    3. Is the provider regulated and supervised by the appropriate national authorities to ensure conformance to relevant standards?
    4. Does the provider accept liability if it intentionally or negligently issues a means for creating an electronic signature?
    5. In the instances where the provider issues a means for creating an electronic signature incorrectly, is it presumed that this was done intentionally or negligently and it's the provider’s responsibility to prove that they did not?

    QES would answer yes to each of these. These could be written something like:

    "electronic_signature": {
        "equivalence_to_handwritten": {"value": true/false},
        "unique_identifiable_signatory": {"value": true/false},
        "regulated_provider": {"value": true/false},
        "liable_for_negligence": {"value": true/false},
        "presumption_of_negligence": {"value": true/false}
    }
    

    Which might work for a wide range of signatures under different trust frameworks

    Or we could just allow each trust framework to add its own signature type and assume that if you accept claims from the defined trust framework then you’ll understand what the values mean. So under eIDAS you would have types of AES, QES, e.g.

    "electronic_signature": {
                "type": {"value":"QES"}
            }
    
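The two shapes sketched in the comment above differ in where the meaning of the evidence lives: option 1 carries the five properties explicitly, option 2 carries only a type identifier whose meaning is defined by the trust framework named in the verification object. The following is an added example, not code from the issue thread or from the OpenID specification, showing how a relying party could accept either shape under one acceptance policy. The outer verified_claims/verification/evidence nesting, the eidas framework identifier, the table mapping type identifiers to properties (only the QES row follows the thread's "yes to each"; the AES row is constructed) and all sample payloads are assumptions made for this example.

```python
"""Added example: evaluate an "electronic_signature" evidence entry in both
shapes proposed in the thread. Not taken from the thread or the spec."""

# The five properties listed in the comment, in the order given there.
PROPERTY_NAMES = (
    "equivalence_to_handwritten",
    "unique_identifiable_signatory",
    "regulated_provider",
    "liable_for_negligence",
    "presumption_of_negligence",
)

# Assumed per-trust-framework table for option 2 (type identifier). Only the
# QES row follows the thread; the AES row is a constructed placeholder in which
# equivalence to a handwritten signature is not asserted.
TRUST_FRAMEWORK_TYPES = {
    "eidas": {
        "QES": dict.fromkeys(PROPERTY_NAMES, True),
        "AES": {**dict.fromkeys(PROPERTY_NAMES, True),
                "equivalence_to_handwritten": False},
    }
}


def resolve_properties(trust_framework, evidence):
    """Return the five boolean properties for one evidence entry, or None if
    the entry cannot be interpreted (wrong evidence type, unknown framework
    or type identifier, missing or non-boolean property)."""
    if evidence.get("type") != "electronic_signature":
        return None
    sig = evidence.get("electronic_signature")
    if not isinstance(sig, dict):
        return None
    # Option 2: a type identifier; its meaning comes from the trust framework.
    if "type" in sig:
        type_id = sig["type"].get("value") if isinstance(sig["type"], dict) else None
        return TRUST_FRAMEWORK_TYPES.get(trust_framework, {}).get(type_id)
    # Option 1: explicit properties; every one must be present and boolean.
    props = {}
    for name in PROPERTY_NAMES:
        field = sig.get(name)
        value = field.get("value") if isinstance(field, dict) else None
        if not isinstance(value, bool):
            return None
        props[name] = value
    return props


def meets_policy(verified_claims, required=PROPERTY_NAMES):
    """True if at least one electronic_signature evidence entry asserts every
    required property. Evidence that cannot be interpreted is rejected rather
    than given the benefit of the doubt."""
    verification = verified_claims.get("verification", {})
    framework = verification.get("trust_framework")
    for evidence in verification.get("evidence", []):
        props = resolve_properties(framework, evidence)
        if props is not None and all(props.get(r) is True for r in required):
            return True
    return False


# Constructed sample payloads (assumed nesting, assumed claim values).
SAMPLE_QES_TYPE = {
    "verification": {
        "trust_framework": "eidas",
        "evidence": [{"type": "electronic_signature",
                      "electronic_signature": {"type": {"value": "QES"}}}],
    },
    "claims": {"given_name": "Example"},
}
SAMPLE_AES_TYPE = {
    "verification": {
        "trust_framework": "eidas",
        "evidence": [{"type": "electronic_signature",
                      "electronic_signature": {"type": {"value": "AES"}}}],
    },
    "claims": {"given_name": "Example"},
}
SAMPLE_EXPLICIT = {
    "verification": {
        "trust_framework": "some_other_framework",
        "evidence": [{"type": "electronic_signature",
                      "electronic_signature": {
                          name: {"value": True} for name in PROPERTY_NAMES}}],
    },
    "claims": {"given_name": "Example"},
}

if __name__ == "__main__":
    print("QES type accepted:", meets_policy(SAMPLE_QES_TYPE))
    print("AES type accepted for full policy:", meets_policy(SAMPLE_AES_TYPE))
    print("explicit properties accepted:", meets_policy(SAMPLE_EXPLICIT))
```

The point of routing both shapes through one resolver is that the relying party's decision depends only on the five properties, whatever the issuer chose to send; an identifier from a trust framework the relying party has not configured yields None and is rejected, which is the safe default when the semantics of a type identifier are unknown.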

  6. Torsten Lodderstedt

    Thanks for sharing your thoughts. I’m leaning towards the second option. A “simple” identifier for a certain type of electronic signature is in line with the trust framework identifier as an abstraction of the obligations fulfilled and processes conducted by a certain IDP wrt identity verification.
