Remote Signing

eIDAS-compliant Qualified Signatures for cross-border legal recognition

eIDAS & the Benefits of Remote Signing

The EU eIDAS Regulation enables qualified e-signatures to be legally accepted as equivalent to handwritten ones across the EU. eIDAS also allows signatures to be created remotely with the user’s signing keys; this remote qualified signing is also known as central signing, server-side signing or cloud signing.

There are many benefits of remote signing, whether it’s for qualified, Adobe® AATL or any other type of signature:

No Hardware

No need to deploy specialist hardware devices (e.g. smartcards/tokens)

No Software

No need for users to install specialist software apps or plug-ins, just sign from any device, anywhere

Simplified Key Management

All crypto keys managed centrally and automatically without user involvement

Better Security

Security policy defined and controlled centrally

Detailed Audit Trail

All signing actions and authorisations are recorded centrally

Reduced Costs

Both capital and operational expenditure significantly reduced

No more lost or forgotten tokens, complex desktop software, weak security or lack of non-repudiation capability. Just strong high-trust signatures which are legally accepted across borders.

How it works

Delivering eIDAS-compliant remote qualified signatures, with strong non-repudiation in a court of law, requires proof that the centrally-held signing keys always remained under the sole control of the owning user.

SigningHub has an innovative approach to meeting this requirement as illustrated below.

Main Features

Virtual Smartcard

User signing keys and certificates are stored centrally, protected via a certified HSM (Common Criteria EAL4+ certified according to EN 419221-5 Protection Profile). No need to deploy expensive smartcards and readers, or even USB tokens. Users can easily sign using any device without installing specialist software.

Strong Authorisation

The signer is requested to authorise all signing transactions involving their signing key via notification to their mobile app. The signer authorises the transaction by using fingerprint authentication built into iOS and Android or mobile device PIN. The mobile app creates a digitally signed authorisation message which cryptographically binds the signed document, user’s ID and registered mobile device fingerprint.

The authorisation message is signed using a private key held in the mobile’s Secure Element tamper-resistant hardware chip. This key pair is created and certified by the relevant SigningHub CA when the user registers this mobile for authorisation purposes.

Device Locking

The user can only authorise transactions from their pre-registered devices. This device locking provides an extra layer of security and assurance.

Secure Logging

The signed authorisation response from the user’s mobile is logged by SigningHub as proof the user authorised the remote signing transaction.

Common Criteria

Our solution for authorised remote signing is undergoing a Common Criteria EAL4+ certification under the standard EN 419 241-2 Protection Profile. This is formal proof of compliance with the eIDAS Regulation for creating remote qualified signatures with “Sole control” Level of Assurance 2. This evaluation is being conducted by an independent lab and is expected to complete in early 2018.

Easy Integration

The authorised remote signing solution can be embedded into any third party business web application by making direct calls to the SigningHub engine. Alternatively the whole SigningHub application can be embedded as well through its REST/JSON API. Authorised remote signing is also available through our mobile browser, iOS/Android apps and through our popular 3rd party business application connectors.

Microsoft Integration

We are able to provide automatic integration with any Microsoft CAPI/CNG enabled applications such as Word, Edge, Outlook or third-party Windows® applications. This is achieved by using our Virtual CSP component, which hooks into the Windows® stack and allows user registration, central generation and certification of user signing keys, and signing using authorisation from mobile apps.

Simple PKI

Use our complete built-in SigningHub PKI system (CA, OCSP, TSA and Archive Authority) or use an existing enterprise PKI or one of our global PKI service provider partners. Either way, you get automatic key generation, storage and certification – all done transparently without the user’s involvement.

Solution Architecture

User initiates signing on SigningHub

User is notified on mobile device that a signing operation requires authorisation. User authorises via a crypto-protected “Signature Activation Protocol (SAP)”

The SAM module verifies the authorisation from the user before signing on the server

We have worked with Ascertia and their SigningHub solution for many years, offering it to our local customers in Norway. Their constant product evolution and focus on usability with an improved GUI and host of other new features are just some of the key reasons why we stay with SigningHub.

Kent Thoresen
Senior Consultant at Commfides Norge AS

Bulk Remote Signing

With SigningHub, authorising the bulk signing of multiple documents is easy and efficient. Just select all your pending documents and click “bulk sign”. You will be sent a single authorisation request identifying all the documents to your mobile app. A single fingerprint approval from you will create the signed authorisation response for the whole document list. The SigningHub server will verify the authorised list from you before bulk signing with your server-held signing key.
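
The binding described under Strong Authorisation, Device Locking and Bulk Remote Signing can be sketched as follows. This is an added example, not SigningHub code or its Signature Activation Protocol: a registered device signs one message covering the user, the device and the full document list, and the server checks that signature against its own view of the request before using the central key. The message layout, the nonce, the names Registry, Enrol, Canonical, Approve and Authorised, and the use of a software Ed25519 key in place of a Secure Element key are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Registry map[string]ed25519.PublicKey // "user/device" -> enrolled public key

// Enrol stands in for registration; a real key would stay in the Secure Element.
func (r Registry) Enrol(user, device string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	r[user+"/"+device] = pub
	return priv
}

// Canonical builds the signed bytes (hypothetical layout; map keys marshal sorted).
func Canonical(user, device, nonce string, docs [][]byte) []byte {
	hashes := make([]string, len(docs))
	for i, d := range docs {
		hashes[i] = fmt.Sprintf("%x", sha256.Sum256(d))
	}
	msg, _ := json.Marshal(map[string]any{"user": user, "device": device, "nonce": nonce, "docs": hashes})
	return msg
}

// Approve is the mobile side: one signature covers the whole document list.
func Approve(key ed25519.PrivateKey, user, device, nonce string, docs [][]byte) []byte {
	return ed25519.Sign(key, Canonical(user, device, nonce, docs))
}

// Authorised is the server-side check made before the central key is used.
func Authorised(r Registry, user, device, nonce string, docs [][]byte, sig []byte) bool {
	pub, ok := r[user+"/"+device] // device locking: unenrolled devices never pass
	return ok && ed25519.Verify(pub, Canonical(user, device, nonce, docs), sig)
}

func main() {
	reg := Registry{}
	key := reg.Enrol("alice", "phone-1")
	docs := [][]byte{[]byte("contract A"), []byte("contract B")} // constructed sample
	sig := Approve(key, "alice", "phone-1", "n-001", docs)
	fmt.Println(Authorised(reg, "alice", "phone-1", "n-001", docs, sig))     // true
	fmt.Println(Authorised(reg, "alice", "phone-1", "n-001", docs[:1], sig)) // false
}
```

Because the server re-derives the signed bytes itself, an approval given for one document list, nonce or device cannot be reused for another, and the stored message and signature serve as the logged proof of authorisation.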