Quali-Sign
A dedicated mobile app to capture Strong Customer Authentication for PSD2


Electronic Signatures:
To create a 'simple' electronic signature, a digest (i.e. a hash of the data) is signed with a private key that is in the sole possession of the signer. The signature can be verified with the corresponding public key, which can be shared with the recipients of the data.
Typically, an electronic signature signs a payload without indicating the purpose (commitment type) of the signature (e.g. approval or cancellation request). This leaves the evidence incomplete.
Advanced Electronic Signatures:
With an advanced electronic signature, the signer must possess an X.509 certificate that contains their details and a copy of the public key corresponding to their private key. The digest now covers the following elements:
The payload (e.g. payment data)
A copy of the signer's X.509 certificate.
The MIME type of the data being signed.
A timestamp.
A commitment type (e.g. creation, delivery, receipt, approval, cancellationRequest, revocation).
A benefit of the advanced electronic signature structure is that it packages all the information the recipient needs to verify the signature. The recipient can even use a third-party online tool to perform the verification.
Qualified Electronic Signatures:
In order for an advanced electronic signature to become 'Qualified':
The signature must be created on a certified Qualified Signature Creation Device (QSCD).
The signer's X.509 certificate must be issued by a Qualified Trust Service Provider (i.e. a certificate authority).
Only these signatures are recognised as having legal effect equivalent to a handwritten signature in all EU countries.
Note: The only devices that have so far been certified are smartcards.
Support for electronic signatures in the Quali-Sign app:
The Quali-Sign app supports all three flavours of Electronic Signature.
To date, the only smartcard that has been tested with the app is the Estonian eResidency smartcard (a certified QSCD). Other smartcards will be tested on request.
Links
CEF Digital : Signature Standards
XAdES Baseline Profile
Associated Signature Container (ASiC)
List of Commitment Types
ETSI Signature Conformance Checker
EU DSS signature validation tool
Alternative signature validation tool
Example Qualified Electronic Signatures
XAdES Basic (ASiC-E) : Approval
ASiC-E (zip)
Detailed Validation Report
How to validate a signature
Go to the EU's Digital Signature Service validation tool.
Select the ASiC-E (zip) file from the example above as the Signed File.
You do not need to select an Original File because the ASiC contains a copy of the original payment file.
Select a Validation level of 'Validation process for basic signatures'.
Press the Submit button.
Note: The report flags the 'issuer-serial' attribute as absent. The specification clearly states that the IssuerSerialV2 tag must not be included.
How to interrogate the ASiC
An ASiC is a ZIP archive; you can unzip it with any ZIP tool.
The order_data.xml file contains the data that is signed.
The signature XML files are located in the META-INF folder.
How to view an X.509 Certificate
Open a signatures file in the META-INF folder of the ASiC.
Copy the contents of the 'X509Certificate' tag
Go to this X.509 decoder tool.
Paste the contents between the 'BEGIN CERTIFICATE' and 'END CERTIFICATE' lines
Press the Decode button.
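The manual steps above (unzip the ASiC, find the payload and the META-INF signatures, copy the X509Certificate contents into a PEM block for a decoder, and check for the IssuerSerialV2 tag mentioned in the validation note) can be scripted. The following is an added example, not code from the Quali-Sign app; the ASiC-E container, the payment payload and the certificate bytes are constructed here, and the certificate is a placeholder rather than a real X.509 certificate.

```python
import base64, io, ssl, zipfile
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xades": "http://uri.etsi.org/01903/v1.3.2#"}

CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()  # constructed placeholder
SIGNATURES_XML = f"""<asic:XAdESSignatures xmlns:asic="http://uri.etsi.org/02918/v1.2.1#"
 xmlns:ds="{NS['ds']}" xmlns:xades="{NS['xades']}"><ds:Signature Id="sig-1">
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 <ds:Object><xades:QualifyingProperties Target="#sig-1"><xades:SignedProperties>
  <xades:SignedSignatureProperties><xades:SigningTime>2021-03-04T10:15:00Z</xades:SigningTime></xades:SignedSignatureProperties>
  <xades:SignedDataObjectProperties>
   <xades:DataObjectFormat ObjectReference="#r-1"><xades:MimeType>application/xml</xades:MimeType></xades:DataObjectFormat>
   <xades:CommitmentTypeIndication><xades:CommitmentTypeId>
    <xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfApproval</xades:Identifier>
   </xades:CommitmentTypeId></xades:CommitmentTypeIndication>
  </xades:SignedDataObjectProperties></xades:SignedProperties>
 </xades:QualifyingProperties></ds:Object></ds:Signature></asic:XAdESSignatures>"""

def build_sample_asic() -> bytes:
    """Constructed ASiC-E: mimetype entry, the signed payload, and one signatures file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.etsi.asic-e+zip")
        z.writestr("order_data.xml", "<payment><amount>10.00</amount></payment>")
        z.writestr("META-INF/signatures001.xml", SIGNATURES_XML)
    return buf.getvalue()

def interrogate_asic(asic_bytes: bytes) -> dict:
    """Unzip the container and collect what the manual steps look for, per signature."""
    result = {"payload_files": [], "signatures": []}
    with zipfile.ZipFile(io.BytesIO(asic_bytes)) as z:
        names = z.namelist()
        result["payload_files"] = [n for n in names if n != "mimetype" and not n.startswith("META-INF/")]
        for name in (n for n in names if n.startswith("META-INF/") and n.endswith(".xml")):
            root = ET.fromstring(z.read(name))
            for sig in root.iter(f"{{{NS['ds']}}}Signature"):
                b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
                result["signatures"].append({
                    "file": name,
                    # Equivalent to pasting the tag contents between BEGIN/END CERTIFICATE lines
                    "certificate_pem": ssl.DER_cert_to_PEM_cert(base64.b64decode(b64.strip())),
                    "commitment_type": sig.findtext(".//xades:CommitmentTypeId/xades:Identifier", namespaces=NS),
                    "mime_type": sig.findtext(".//xades:DataObjectFormat/xades:MimeType", namespaces=NS),
                    "signing_time": sig.findtext(".//xades:SigningTime", namespaces=NS),
                    "has_issuer_serial_v2": sig.find(".//xades:IssuerSerialV2", NS) is not None,
                })
    return result
```

Run interrogate_asic on the bytes of a real ASiC-E (zip) download to list its signatures; the PEM string can then be pasted into any X.509 decoder.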