ETSI releases three specifications for cloud-based digital signatures

Sophia Antipolis, 2 April 2019

The ETSI technical committee on Electronic Signature Infrastructure (TC ESI) has just released a set of three Technical Specifications for cloud-based digital signatures supporting mobile devices: ETSI TS 119 431-1, ETSI TS 119 431-2 and ETSI TS 119 432. This new set of standards supports the creation of digital signatures in the cloud, facilitating digital signature deployment by avoiding the need for specialized user software and secure devices.

The signer relies on a third-party trust service to manage its signing key and digitally sign documents under its control. To guarantee that the cloud-based signature creation environment is reliable and that the signing key is used under the control of the signer, the provider of the remote digital signature service has to apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels.

“This is an important step forward for security in deploying digital signatures which takes into account the move to cloud-based services and mobile devices. These standards enable a new way of implementing Trust Services which greatly simplifies their use and provides an important toolset to counter growing Internet fraud targeting online business and government”, says Nick Pope, ETSI TC ESI Vice Chair.

ETSI TS 119 431 parts 1 and 2 define those policy and security requirements which can be used by Conformity Assessment Bodies to certify that a trust service provider follows best practices for the operation of such cloud-based signature creation services, in particular in the context of the eIDAS Regulation (EU) 910/2014. ETSI’s work complements the CEN publications EN 419241-1:2018 (general requirements for trustworthy systems supporting server signing) and EN 419241-2:2019 (protection profile for a qualified electronic signature creation device (QSCD) for server signing), which provide the essential core of secure signing in the cloud.

ETSI TS 119 432 specifies the protocol allowing a client application to request the creation of a digital signature to a server. This specification establishes a protocol for secure communication between the different components needed to create a secure digital signature in the cloud, in line with the security standards laid down in the eIDAS Regulation. Two bindings are specified for this protocol: XML, which builds on the OASIS DSS-v2.0 specification, and JSON, which builds on the Cloud Signature Consortium (CSC) specification. ETSI collaborated with OASIS and CSC to produce its protocol specification.