Ion VACIU in dialogue with Costin BURDUN, ANSSI digitization expert

In Play

Digital Transformation Council, Revista COMUNICAŢII Mobile and initiate a series of video interviews with the Professionals, Leaders and Decision Makers of the ICT industry and of the convergent ones in order to reveal the multiple implications of the Digital Transformation.

On Wednesday, December 15, 2021, at 12.00, we invite you to a new Live interview (episode 10) conducted by Ion VACIU with COSTIN BURDUN, ANSSI Digitization Expert, on MYTHS ABOUT ELECTRONIC SIGNATURE AND ELECTRONIC IDENTITY.


Myths about electronic signature and electronic identity

by Costin Burdun

Myth 1: The EIDAS Regulation defines three separate categories of electronic signature

• “electronic signature” means data in electronic format, attached to or logically associated with other data in electronic format and used by the signatory to sign;
• “advanced electronic signature” means an electronic signature that meets the requirements set out in Article 26;
– a) refers exclusively to the signatory;
– b) allows the identification of the signatory;
– c) is created using electronic signature creation data that the signatory can use, with a high level of confidence, exclusively under his control; and
– d) is related to the data used for signing so that any subsequent modification of the data can be detected.

• “qualified electronic signature” means an advanced electronic signature that is created by a qualified electronic signature maker and is based on a qualified electronic signature certificate.


Myth 2: Any unqualified electronic signature is automatically an advanced electronic signature

• Meeting the 4 conditions in the advanced signature definition is not easy, so in many cases, in fact, very few types of unqualified electronic signatures are advanced.

Myth 3: The electronic signature is based on a unique technology

• “electronic signature” is an abstract concept, it does not refer to any specific technology, it can be achieved through different technologies, as seen in the examples below:

– simply specifying the name of the signatory at the end of an electronic document falls within the definition of an electronic signature, or

– attaching a picture of the handwritten signature, or even a picture of the signatory to a document, falls within the definition, or

– a scan after a handwritten document signed by the signatory attached to an e-mail falls within the definition

• An electronic signature cannot be evaluated / understood unless the technology (technical and procedural mechanisms) by which it is made is specified

• So a type of electronic signature is identified by the technology through which it is created, by technology understanding the technical and procedural mechanisms

Myth 4: The electronic signature is the same as the digital signature

• “electronic signature” is an abstract concept, it does not refer to any specific technology (technical and procedural mechanism)

• The digital signature is a technical mechanism for creating an electronic signature

• The digital signature is based on public key encryption generated using a Public Key Infrastructure (PKI).

• The digital signature attached to a document is actually the result of encrypting that document, more precisely a hash of it with a so-called private key that only the signer is supposed to have.

• This encryption can be decrypted with a unique public key associated with that key

• Due to its authentication, integrity and non-repudiation properties, the digital signature is the technical mechanism specified by the EIDAS Regulation for the creation of advanced and qualified electronic signatures.

Myth 5: Advanced electronic signature is based on a unique technology

• “advanced electronic signature” is an abstract concept, it does not refer to a specific technology, but can be achieved through different technologies (technical and procedural mechanisms) and these technologies must ensure the fulfillment of the 4 requirements of the definition of advanced electronic signature

• An advanced electronic signature type cannot be evaluated if it is advanced if the technology (technical and procedural mechanisms) by which the 4 conditions are met and demonstrated is not specified and demonstrated.

• It is correct that the advanced electronic signature is based on the digital signature as a technical mechanism

Myth 6: A qualified signature is not an advanced electronic signature

• The qualified electronic signature is an advanced signature clearly identified by the technology (technical and procedural mechanism) by which it is created, using the qualified certificate and the qualified signature creation device.

• This qualified signature creation technology is described and regulated in detail in the EIDAS Regulation, precisely in order to meet the 4 conditions of the advanced signature

• The qualified signature is the ONLY type of advanced signature for which Regulation 910/2014 fully specifies the technology (technical and procedural mechanisms) used for its creation

Myth 7: There are situations where a non-advanced (simple) electronic signature is sufficient to establish the signatory’s act of will

• A simple type of electronic signature, which does not meet the requirements for an advanced signature, may not be sufficient to establish the signatory’s deed of intent.

• The correct expression is: a certain technical mechanism for creating an electronic signature, used in a certain very well defined context, can lead to the creation of an advanced signature, thus proving to be the act of will of the signatory

• But if that context changes, the advanced signature quality is lost

Myth 8: There is a predefined list of types of advanced signatures other than qualified ones

• There is no such list at European or national level

• There is a list of technical mechanisms at European level that specify electronic signature formats for the advanced signature, but the procedural part is regulated in the Regulation only for the qualified signature

• The multitude of possible technologies (technical mechanisms + PROCEDURAL) for the creation of an electronic signature, make that, in the absence of clear regulations or standards, the advanced quality of an electronic signature cannot be established a priori

• Moreover, the same technology for creating an electronic signature, used in one context, may lead to advanced signature quality, and in another context it may not.

Myth 9: Qualified signature is more “bureaucratic” and more expensive than advanced unskilled signature

• The advanced signature is a category of types of objective target electronic signatures, which reflect the act of will of the signatory, if indeed the 4 conditions from art. 26 of the EIDAS Regulation

• Meeting these conditions is neither easy nor cheap, and it is a false impression that an unqualified advanced electronic signature is cheaper to make than a qualified signature, because the Regulation only details requirements for the qualified signature (always something very detailed seems much more complicated than something not detailed)

• Signatory identification requirements are the same for a non-qualified advanced electronic signature as for a qualified electronic signature

• After identifying the signatory, using the qualified electronic signature in the cloud, the qualified signing process is very easy and the cost of a transaction is less than 1 EUR for occasional signatures, reaching up to several tens of eurocents per transaction for large volumes of transactions by large organizations with many digitized processes

• Validation of a qualified signature by a third party is much cheaper than validation of unskilled advanced signatures, due to the heterogeneity of technologies for creating unskilled advanced signatures

Myth 10: Electronic identity is governed by the EIDAS Regulation

• Electronic identity or means of electronic identification is the association between a set of personal data and an authentication mechanism

• The EIDAS Regulation applies ONLY to electronic means of identification notified by Member States

• The regulation starts from the premise that Member States have their own legislation regulating the means of electronic identification with which online services are accessed.

• The purpose of the notification is to allow the use of an electronic means of identification to access any other online service provided by public bodies, from any other EU country, and which is already accessible through an electronic means of identification.

• For the purpose of notification, three levels of reference insurance are technically and procedurally defined

• Low level of insurance

• Substantial level of insurance

• High level of insurance

Myth 11: Video identification is an electronic identity

• We cannot have an electronic identity without identification

• Video identification is a way of remote identification, but it is not an electronic identity

• We care that the video identification solution we use is certified as equivalent to face-to-face identification

• Video identification must be regulated – ADR issued DECISION no. 564 of November 11, 2021 – “Rules regarding the regulation, recognition, approval or acceptance of the procedure for identifying the person remotely using video means”

Myth 12: Electronic identity and electronic signature mean the same thing

• The electronic identity belongs only to the natural person with whom it is associated

• The electronic signature is related to:

– An electronic document (data in electronic form) that is signed

as well as by

– The natural person of the signatory

• It is correct to say about an individual: “he has an electronic identity”

• But it is incorrect to say that an individual “has an electronic signature” (although it is widely used in everyday language…. “I bought an electronic signature”), because the electronic signature is not something you own, but it’s something you generate in connection with a particular electronic document

* Episode # 1 ELECTRONIC SIGNATURE (Definitions, Categories, Types, Analogies and Relevant Examples)