Corporate seals have been used by companies to protect paper documents from forgery for a long time. A document stamped with the company seal implied that it was officially from the company, i.e. the legal entity rather than a natural person such as the company director.
In today’s Internet age, with increasingly sophisticated phishing attacks, the need for companies to show that e-documents originated from them and can be trusted is even stronger than the paper world. Example documents include e-invoices, e-statements, e-bills and the like. In some cases, laws (e.g. VAT Regulations) demand the integrity and authenticity of such documents. At other times protecting the trustworthiness of the corporate brand from misuse is also important.
The simple answer is to just e-sign them! Well e-signatures, or to be more precise digital signatures based on cryptography, provide integrity and authentication services, but there is a lot more to it than just that…
Problems with eSigning before eIDAS
There are essentially four main hurdles:
- Corporates as legal entities need to be able to create secure and trustworthy signatures, just as much as natural persons
- The signed documents need to be verifiable across borders, as modern businesses interact with customers, suppliers and employees in multiple countries
- The security and trustworthiness of the legal entity’s signature needs to be clearly understood and legally accepted across all of these jurisdictions
- The signing process needs to handle large batches of documents e.g. one of our corporate clients issues a million e-invoices per month! This necessitates the use of automated signing of documents without human intervention.
Before eIDAS (EU Regulation 910/2014) there was no clear solution to meet these requirements. Each country had its own way of doing things and cross-border interoperability and trust suffered as a result.
How eIDAS helps
With the advent of eIDAS which repeals the old EU e-Signature Regulation from July 2016, a new type of electronic signature is introduced – the “Electronic Seal”. These are online signatures applied by a Legal Person rather than a Natural Person.
Often in business interactions, you are more interested in knowing whether the transacting company will abide by the agreement rather than the individual person who might be signing the agreement. In the business world, standards around electronic seals (eSeals) are significantly more important than natural person signatures which identify a citizen only.
eIDAS not only defines eSeals, but also “qualified electronic seals” – which can only be created using a qualified certificate issued to a legal person and signed using a Qualified Electronic Seal Creation Device (QESCD). Qualified eSeals have automatic presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked across all of the EU member states.
How to implement eIDAS Compliant Electronic Seals
Implementing qualified eSeals which are compliant with the eIDAS Regulation requires the following components:
- A qualified certificate for your company - we work with our trusted Qualified CA service provider partners to deliver these.
- A qualified electronic seal creation device (QESCD) - e.g. an appropriately certified Hardware Security Module (HSM) to manage the eSeal creation key and create eSeals using this.
- A secure electronic seal creation application - which can provide high-performance bulk signing of documents whilst ensuring the eSeal creation key (e.g. RSA private key) remains under the control of the signatory with a high degree of confidence.
The SigningHub security engine, known as Ascertia ADSS Signing Server, delivers exactly this. It is directly invoked by business applications using high-level web services APIs (in Java or .NET) to perform on-demand bulk eSealing of documents.
To provide a high level of trust for eIDAS compliance, ADSS Signing Server authenticates business applications initiating the batch run, checks that they are authorised to access the eSeal creating key inside the HSM and also asks for a real person who is responsible for the legal entity to provide a signed authorisation file.
The signed authorisation file proves the legal representative has given approval for the eSeal to be created. The signed authorisation file can be signed by one or more persons, and uses an M of N scheme, e.g. 3 out of 5 people are needed to authorise the batch run. The signed authorisation file also has a lifetime indicator so that it can be used for multiple batches, ensuring minimum manual overhead.
Contact us for further details on how we can help you to create eSeals which are trusted, compliant with eIDAS and interoperable cross-border.