Managing digital signatures in the cloud

• ETSI publishes new technical specs for cloud-based digital signatures supporting mobile devices
• Fights fraud while obviating the need for specialised user software and secure devices
• Ever more cloud-cloud based services becoming available on mobile devices
• European standards body is moving with the times

ETSI, the independent and not-for-profit European Telecommunications Standards Institute, has within it a variety of ISGs (Industry Specification Groups) and  Technical Committees. One such, TC ESI, focuses on Electronic Signature Infrastructure and has today published a set of three Technical Specifications for cloud-based digital signatures supporting mobile devices. They are ETSI TS 119 431-1, ETSI TS 119 431-2 and ETSI TS 119 432.

The new standards support the creation of digital signatures in the cloud which facilitates digital signature deployment by obviating need for specialised user software and secure devices. In the past, digital signatures have been called "the unsung heroes of the EU's Digital Single Market".

Under ETSI's newly-released technical specs the signer relies on a third-party trust service to manage its signing key and digitally sign documents under its control. To guarantee that the cloud-based signature creation environment is reliable and that the signing key is used under the control of the signer, the provider of the remote digital signature service has to apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels.

In essence, everything is based on electronic IDentification, Authentication and trust Services (eIDAS), an EU regulation constructed around a set of a standards for electronic identification and trust services for electronic transactions in the European Single Market. eIDAS also delineates how Trust Service Providers (TSPs) manage their authentication and non-repudiation functions.

eIDAS was designed to ease and expedite facilitate both public and business services, especially those carried out between parties across EU Member state borders. The intent was to ensure transactions could be quickly and safely managed via electronic signing and such services are guaranteed through a TSP responsible for ensuring the validity and integrity of electronic identification for signatories and services.

A TSP is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. TSPs are qualified certificate authorities required in the European Union and in Switzerland where electronic signing procedures are concerned.

A trust service in itself in an electronic service that can have one of three possible outcomes. First is the creation, verification or validation of electronic signatures, as well as time stamps or seals, electronically registered delivery services and the various certifications that are required with these services. The second is the creation, the verification as well as the validation of certificates that are used to authenticate websites and the third is the preservation of electronic signatures, seals and/or related certificates.

Commenting on today's release of the three new Technical Specifications, Nick Pope, the Vice Chairman of ETSI TC ESI commented, “This is an important step forward for security in deploying digital signatures which takes into account the move to cloud-based services and mobile devices. These standards enable a new way of implementing Trust Services which greatly simplifies their use and provides an important toolset to counter growing Internet fraud targeting online business and government."