Evidence - qualified electronic signature

Issue #1197 resolved
Stephane Mouy created an issue

Is the list of evidence types in 4.1.1 prescriptive ? I am asking as I see that eIDAS qualified e-signatures are mentioned when they are very rarely used, but not the much more common eIDAS advanced e-signatures. Is this intentional?

Comments (14)

  1. Torsten Lodderstedt

    It’s not prescriptive.

    Qualified signatures have been added to the spec since they are a means to identification in some jurisdictions (e.g. AML in DE). Are advanced signatures used as identification means as well?

  2. Stephane Mouy reporter

    See paragraph 6 of article CMF R561-5-2 making reference to eIDAS advanced e-signatures supported by qualified certificate for KYC purposes.

    Apart from notaries, there is extremely limited use of eIDAS qualified e-signatures in France and virtually none in the banking sector.



  3. Torsten Lodderstedt

    agreement in the call on 17.6: Torsten reaches out to Jules to propose a more generlized support for eletronic signatures.

  4. Mark Haine

    Suggestion to change evidence type to “electronic signature” and then have a type of “eIDAS qes”. This allows for many other types of certificate to be used as evidence.

  5. Julian White

    I think there’s a number of things that QES sweeps up that makes it hard to workout how to generalise this for other jurisdictions:. Its principally based on:

    1. Is the electronic signature recognised as being equivalent to hand written signature in law?
    2. Is the electronic signature bound to a single identifiable signatory?
    3. Is the provider regulated and supervised by the appropriate national authorities to ensure conformance to relevant standards?
    4. Does the provider accept liability if it intentionally or negligently issues a means for creating an electronic signature?
    5. In the instances where the provider issues a means for creating an electronic signature incorrectly, is it presumed that this was done intentionally or negligently and it's the provider’s responsibly to prove that they did not?

    QES would answer yes to each of these. These could be written something like:

    "electronic_signature": {
                "equivalence_to_handwritten": {"value":true/false}
                "unique_identifiable_signatory" {"value":true/false}
                "regulated_provider": {"value":true/false}
                "liable_for_negligence": {"value":true/false}
                "presumption_of_negligence": {"value":true/false}            

    Which might work for a wide range of signatures under different trust frameworks

    Or we could just allow each trust framework to add its own signature type and assume that if you accept claims from the defined trust framework then you’ll understand what the values mean. So under eIDAS you would have types of AES,QES, e.g.

    "electronic_signature": {
                "type": {"value":"QES"}

  6. Torsten Lodderstedt

    Thanks for sharing your thoughts. I’m leaning towards the second option. A “simple” identifier for a certain type of electronic signature is inline with the trust framework identifier as an abstraction of the obligations fulfilled and processes conducted by a certain IDP wrt identity verification.

  7. Log in to comment