The EU eIDAS Regulation enables qualified e-signatures to be legally accepted as equivalent to handwritten ones across the EU. Remote qualified signing refers to the fact that eIDAS also allows signatures to be created remotely with the user’s signing keys, also known as central signing, server-side signing or cloud signing.
There are many benefits of remote signing whether it’s for qualified, Adobe® AATL or any other type of signature:
No need to deploy specialist hardware devices (e.g. smartcards/tokens)
No need for users to install specialist software apps or plug-ins, just sign from any device, anywhere
All crypto keys managed centrally and automatically without user involvement
Security policy defined and controlled centrally
All signing actions and authorisations are recorded centrally
Both capital and operational expenditure significantly reduced
To deliver eIDAS-compliant remote qualified signatures, with strong non-repudiation in a court of law, requires proof that the centrally-held signing keys always remained under the sole control of the owning user.
SigningHub has an innovative approach to meeting this requirement as illustrated below.
User signing keys and certificates are stored centrally, protected via a certified HSM (Common Criteria EAL4+ certified according to EN 419221-5 Protection Profile). No need to deploy expensive smartcards and readers, or even USB tokens. Users can easily sign using any device without installing specialist software.
The signer is requested to authorise all signing transactions involving their signing key via notification to their mobile app. The signer authorises the transaction by using fingerprint authentication built into iOS and Android or mobile device PIN. The mobile app creates a digitally signed authorisation message which cryptographically binds the signed document, user’s ID and registered mobile device fingerprint.
The authorisation message is signed using a private key held in the mobile’s Secure Element tamper-resistant hardware chip. This key pair is created and certified by the relevant SigningHub CA when the user registers this mobile for authorisation purposes.
The user can only authorise transactions from their pre-registered devices. This device locking provides an extra layer of security and assurance.
The signed authorisation response from the user’s mobile is logged by SigningHub as proof the user authorised the remote signing transaction.
Our solution for authorised remote signing is undergoing a Common Criteria EAL4+ certification under the standard EN 419 241-2 Protection Profile. This is formal proof of compliance with the eIDAS Regulation for creating remote qualified signatures with “Sole control” Level of Assurance 2. This evaluation is being conducted by an independent lab and expected to complete early 2018.
The authorised remote signing solution can be embedded into any third party business web application by making direct calls to the SigningHub engine. Alternatively the whole SigningHub application can be embedded as well through its REST/JSON API. Authorised remote signing is also available through our mobile browser, iOS/Android apps and through our popular 3rd party business application connectors.
We are able to provide automatic integration with any Microsoft CAPI/CNG enabled applications such as Word, Edge, Outlook or third part Windows® applications. This is achieved by using our Virtual CSP component which hooks into the Windows® stack and allows user registration, generation of user signing keys centrally and their certification, as well as signing using authorisation from mobile apps.
Use our complete built-in SigningHub PKI system (CA, OCSP, TSA and Archive Authority) or use an existing enterprise PKI or one of our global PKI service provider partners. Either way get automatic key generation, storage and certification – all done transparently without user’s involvment.
User initiates signing on SigningHub
User is notified on mobile device that a signing operation requires authorisation. User authorises via a crypto-protected “Signature Activation Protocol (SAP)”
The SAM module verifies the authorisation from the user before signing on the server
Senior Consultant at Commfides Norge AS
Senior Consultant at Commfides Norge AS
With SigningHub authorising the bulk signing of multiple documents is easy and efficient. Just select all your pending documents and click “bulk sign”. You will be sent a single authorisation request identifying all the documents to your mobile app. A single fingerprint approval from you will create the signed authorisation response for the whole document list. The SigningHub server will verify the authorised list from you before bulk signing with your server-held signing key.