A secure electronic signature or “digital signature” is a cryptographically based electronic signature Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digital signature complies with advanced electronic signature defined by European law (Directive 1999/93/EC of the European Parliament).
“Advanced electronic signature” means an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.”
Article 5 of Directive 1999/93/EC says:
“Legal effects of electronic signatures
1. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device: (a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and
(b) are admissible as evidence in legal proceedings.
2. Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:
- in electronic form, or
- not based upon a qualified certificate, or
- not based upon a qualified certificate issued by an accredited certification-service-provider, or
- not created by a secure signature-creation device.”
Digital Certificates are the electronic counterparts to identity, passports and membership cards. You can present a Digital Certificate electronically to prove your identity or your right to access information or services online.
Digital Certificates, also known as electronic certificates or digital IDs, bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A Digital Certificate makes it possible to verify someone’s claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users. Used in conjunction with encryption, Digital Certificates provide a more complete security solution, assuring the identity of all parties involved in a transaction.
A Digital Certificate is mainly issued and digitally protected (signed) by a Certification Service Provider (CSP). Technically speaking a user can issue a self-signed certificate with appropriate software. In this case the user identity cannot be proved by a third party.
A Digital Certificate typically contains the:
- Owner’s public key
- Owner’s name
- Expiration date of the public key
- Name of the issuer (the CA that issued the Digital Certificate
- Serial number of the Digital Certificate
- Digital signature of the issuer
- The most widely accepted format for Digital Certificates is defined by the CCITT X.509 international standard; thus certificates can be read or written by any application complying with X.509.
Almetis through its Almetis Essential software, Almetis SignCenter and Almet Executive, has choose the digital signature standard PAdES. We aim at faciliting the use of electronic signatures, and so we decide to promote the simplest way to electronically sign documents. This principle born the concept WIPIWYS *.
*What Is Presented Is What You Sign!
The first step of signing is to create a “fingerprint” of the document. At the time of signature, an hash algorithm, MD5 or SHA type, produces a unique “fingerprint” of the document. When something changes in the document (even a pixel or a comma etc.) this algorithm is able to create a new unique fingerprint which differs from the initial one. The comparison of the two fingerprints is used to verify the integrity of the document. In addition and sometime mandatory, the signature must be used with a time stamp in order to certify the date by a trusted source other than the local time on your computer . Technically the timestamp, integrated in the document, is a signature created by a time server.
The second step is to bind the fingerprint of the document to the signatory by using signer’s cryptographic private key generated before or during signature creation. In most cases the signature software incorporates into the document all data needed for long-term validation of the electronic signature.
The validity of an electronically signed document is checked by a software or by a computer application that supports signature verification following steps:
The first step is to decipher the fingerprint of the document with the signer’s public key. The public key is attached to a digital certificate for the identification of the signatory.
The second step is to calculate fingerprint of the signed document, and compare it with the decrypted fingerprint in the first step. If the two fingerprints are identical, then the signed document has not been altered, and so its integrity was preserved. If fingerprints do not match, at least one change was made on the document after its signing.