The second blog in our series on the different types of e-signatures, this piece focuses on the differences between Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES).
Fundamentally, any mark on an electronic document that captures a signer’s intent to accept and/or approve the document’s contents can be classified as an e-signature. What is essential about it is its integrity and ability to prove who made the mark and that no one made any changes after the mark was produced.
What is an Advanced Electronic Signature or Advanced Digital Signature?
Defined by the EU eIDAS regulation as Advanced Electronic Signatures (AES) or ‘digital signatures’, Advanced Electronic Signatures are electronic signatures that are also:
- uniquely linked to and capable of identifying the signatory
- created in a way that allows the signatory to retain control
- linked to the document in a way that any subsequent change of the data is detectable
Advanced Electronic Signatures bind the user’s identity within the document and ensure no one can alter the document in any way without breaking the signature.
Businesses who opt for Advanced Electronic Signatures can rest assured that their document’s signature contains the highest trust and assurance levels. This is thanks to the unique signing keys used for every user. The unique signing key directly links the user’s identity to the signed document such that anyone can verify it on their own using an industry-standard PDF reader.
How do I create an Advanced Electronic Signature?
First, we identify the security and trust requirements of an Advanced Electronic Signature. Advanced Electronic Signatures provide a high level of security, providing information about any changes after the document has been signed – and if anyone made any changes, the signature would be invalidated.
The signer has sole control of their unique signing key, meaning that the service provider cannot be held responsible for creating the signature. Users can be authenticated using single- or multi-factor identification options for even further security.
During the initial setup of an Advanced Electronic Signature, the user’s identity is captured and bound to their signing certificate and goes through robust credit checks with accredited identity providers. Certificates can be issued through a user’s own organisation or a trusted third-party Certificate Authority (CA).
What makes an Advanced Electronic Signature legal?
The high level of assurance provided by the stringent security measures used to set up Advanced Electronic Signatures gives them strong non-repudiation in a court of law. It’s incredibly hard for a signer to assert they’ve not signed a document when all required evidence is embedded directly into the document.
Advanced Electronic Signature evidence embedded into signed documents includes an independent timestamp from a timestamp authority and proof the signer’s certificate was not revoked at the time of signing.
What is a Qualified Electronic Signature?
Qualified Electronic Signatures (QES) are a special class of advanced electronic signatures. Built on the Advanced Electronic Signature format, Qualified Electronic Signatures have additional requirements but provide the highest level of security.
In addition to all the requirements for the standard Advanced Electronic Signature, Qualified Electronic Signatures also require:
- User’s certificate must be issued by a Qualified Certificate Authority which meets EU standards and is audited regularly
- User’s signing key must be stored in a tamper-resistant hardware device. This is referred to in EU eIDAS regulations as a Qualified Signature Creation Device (QSCD)
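The checks described above, sketched as an added example (not SigningHub's code and not part of the original article): a validator confirms the document is unchanged, that the certificate was valid and unrevoked at the timestamped signing time, and then decides whether the two extra QES conditions hold. The `Evidence` fields and the `assess` function are hypothetical names, the sample data is constructed, and cryptographic verification of the signature, certificate chain and timestamp token is assumed to have happened already.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Evidence:
    """Hypothetical model of the evidence a validator reads from a signed file."""
    signed_digest: bytes            # document hash covered by the signature
    signed_at: datetime             # time asserted by the timestamp authority
    cert_not_before: datetime       # signer certificate validity window
    cert_not_after: datetime
    revoked_at: Optional[datetime]  # from embedded revocation data, None if never
    issuer_qualified: bool          # certificate issued by a Qualified CA
    key_in_qscd: bool               # signing key held in a QSCD


def assess(document: bytes, ev: Evidence) -> str:
    """Return 'QES', 'AES', or the reason the signature is rejected."""
    # Assumption: signature, chain and timestamp token were verified upstream.
    if hashlib.sha256(document).digest() != ev.signed_digest:
        return "invalid: document changed after signing"
    if not ev.cert_not_before <= ev.signed_at <= ev.cert_not_after:
        return "invalid: certificate not valid at signing time"
    if ev.revoked_at is not None and ev.revoked_at <= ev.signed_at:
        return "invalid: certificate revoked before signing"
    # Both extra QES conditions must hold; otherwise it remains an AES.
    return "QES" if ev.issuer_qualified and ev.key_in_qscd else "AES"


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data, not taken from any real document or certificate.
DOC = b"Constructed contract: supplier delivers 100 units by 30 June."
BASE = Evidence(hashlib.sha256(DOC).digest(), utc(2023, 6, 1),
                utc(2023, 1, 1), utc(2025, 1, 1), None, True, True)

if __name__ == "__main__":
    cases = {
        "qualified CA + QSCD": (DOC, BASE),
        "software-held key": (DOC, replace(BASE, key_in_qscd=False)),
        "edited after signing": (DOC + b" Price: 1 EUR.", BASE),
        "revoked later": (DOC, replace(BASE, revoked_at=utc(2024, 2, 1))),
        "revoked earlier": (DOC, replace(BASE, revoked_at=utc(2023, 5, 1))),
    }
    for name, (doc, ev) in cases.items():
        print(f"{name:22} -> {assess(doc, ev)}")
```

In this model a certificate revoked after the timestamped signing time does not invalidate the signature, which is why the timestamp and the revocation proof are embedded together.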
Where can I get a Qualified Certificate?
When you use SigningHub for your electronic signature requirements, we can help you source your Qualified Certificate from several sources. We work with Qualified Certificate Authority partners who can issue certificates automatically in real-time for remote signing. For on-premise clients, SigningHub’s built-in CA can be used to set up your own Qualified CA. Additionally, certificates from any external Qualified CA can be used with SigningHub with local signing.
What makes a Qualified Electronic Signature legal?
A Qualified Electronic Signature offers the highest level of trust and is deemed equivalent to or better than a hand-written signature in a court of law. If disputed, the burden of proof is on the signer to prove the signature is not theirs. Since all verification information is embedded into the document, the service provider’s logs are only required as a secondary level of evidence.
Long-term signature formats ensure that important business documents can be verified well into the future. It can often be a legal requirement for a document to be available for 10 years or more. Using standards such as ETSI PAdES Part 4 LTV with appropriate certificate lifetimes provides long-term validity.
We recommend Advanced Electronic Signatures and Qualified Electronic Signatures when only the highest levels of trust and security will do. AES and QES offer the highest level of trust and security and will protect your business from any disputed signatures. Both signature formats also provide good interoperability as they are based on industry standard digital signature techniques (ISO 32000, ISO 19005 and ETSI PAdES formats). It’s important to choose an e-signature solution that can support your current needs but is also flexible enough to support your business’s future requirements. Want to learn more about the different types of e-signatures and which one is suitable for your business needs? Download our eBook, Choosing the Right Type of e-signature.
Comparison of different types of e-signatures