QWAC vs QSealC: What the Difference Is and How to Choose

Online fraud has been classified by Europol as one of the biggest criminal threats. According to the central hub for combating international and organized crime, billions in illegal profits are generated each year within the European Union alone. One of the primary targets for these criminals is the business world. Manipulating documents and spoofing websites enable access to personal data and company systems.
Fortunately, the eIDAS Regulation has introduced a list of trust services to counter such fraud, provided by Qualified Trust Service Providers (QTSP). A QTSP ensures the validity and security of electronic signatures, timestamps, and electronic certificates for websites, including Qualified Website Authentication Certificates and Qualified Seals.
But which variant does your organization need? This article will help you decide and provide insights into the compliance procedures for both.
QWAC vs. QSealC: Quick Comparison
Aspect | QWAC | QSealC |
---|---|---|
Purpose | Authenticate websites and ensure secure communication | Verify the origin and integrity of electronic documents |
Functionality | SSL/TLS encryption, identity verification | Electronic sealing, verification of document integrity and origin |
Primary Use | Securing websites and online transactions | Sealing electronic documents and data |
Compliance | eIDAS Regulation | eIDAS Regulation |
Key Benefits | Data security, fostering user trust, regulatory compliance | Securing documents, ensuring authenticity, legal validity |
Indicators | Security indicators in the browser, such as the padlock icon | Digital seal on documents |
Scope | Web-based communication | Broad, various document-based applications |
What is a Qualified Website Authentication Certificate (QWAC)?
A QWAC is a certificate that verifies websites and email addresses, assuring users that they are interacting with a legitimate organization. It guarantees secure communication between browsers and website servers by verifying the site owner's identity, providing a high level of trust and security.
A QWAC contains information about the organization issuing the certificate, the recipient of the certificate, and the certificate itself.
Features and Benefits of QWAC
Key features of a QWAC include:
- SSL/TLS encryption to secure data in transit.
- Identity verification of the website or email address owner, to reassure visitors they are interacting with the correct party.
- Compliance with the eIDAS Regulation, Annex IV requirements for qualified certificates for website authentication, and the standards of the European Telecommunications Standards Institute (ETSI).
- Mandatory for payment services in the EU, under the Payment Services Directive (PSD2).
- The updated version of eIDAS—also known as eIDAS 2.0—could make QWAC integration mandatory for browsers.
- The padlock icon in the browser and “https” in the address bar indicate a secure connection.
How QWAC Differs from Standard SSL/TLS Certificates
A standard SSL/TLS certificate only encrypts data, whereas a QWAC verifies the website owner's information in a way that is legally recognized across the EU. Standard SSL/TLS certificates are issued at different assurance levels, which include Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV), in ascending order of trust. However, even the highest level (EV) falls short of QWAC’s level of security.
Use Cases for QWAC
Because of the extremely high level of security a QWAC provides, PSD2 requires all organizations within its scope to use one. This includes banks and payment service providers. QWACs are also used by other organizations requiring a high degree of assurance, such as governments. In Spain, local law even mandates that all public service providers use QWACs.
What is a Qualified Certificate for Seals (QSealC)?
QSealCs are used to ensure the integrity and authenticity of electronic documents and data. They can be seen as the digital equivalent of the classic wax seal, which indicates to the recipient that a document has not been altered if the seal remains intact. Qualified electronic seals offer the highest level of assurance among the three types of seals addressed in the eIDAS Regulation.
A QSealC is created by a QTSP using a Secure Signature Creation Device (SSCD). This process generates an encrypted seal, proving the integrity and origin of an electronic document.
Features and Benefits of QSealC
Key features of a QSealC include:
- Confirms the identity of the entity that created the electronic seal for the document.
- Ensures that no one can alter the contents of the sealed document without detection.
- Complies with the eIDAS Regulation, ensuring its legal recognition across the EU.
- Enables the secure transmission of digital documents and guarantees recipients they can trust the content.
- The automated process for applying seals in batches saves time.
- Reduces the risk of online fraud.
How QSealCs Differ from Electronic Signatures
An electronic seal, such as a QSeal, can be used by both businesses and individuals. Unlike an electronic signature, which signifies acceptance of a document’s content, a seal digitally binds the owner to the document. Additionally, the seal ensures that the document cannot be altered undetected after sealing.
Use Cases for QSealC
QSealCs provide assurance for organizations when creating employment contracts and sending them to new employees. They can also be used to protect intellectual property, such as patents and copyrights. Governments might use them for sealing permits and licenses, while healthcare organizations can deploy them to secure the content of medical records.
Compliance Requirements for QWAC and QSealC
eIDAS
Under the eIDAS Regulation, both QWACs and QSealCs must be issued by a QTSP. A QWAC must adhere to strict identification and verification processes to guarantee the authenticity and integrity of websites. QSealCs require the use of an SSCD, ensuring the integrity and origin of the sealed document. In both cases, the highest level of security applies.
PSD2
QWACs and QSealCs are mandatory under PSD2 legislation, specifically the Regulatory Technical Standards (RTS) outlined in Article 34. These standards require payment service providers to use qualified certificates for website authentication and electronic sealing.
The certificates must include information such as the payment service provider's role and the name of the competent authority where the company is registered, as customary in the financial sector.
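As an added illustration (not part of the original article or of any vendor's code): inside the certificate, the QWAC/QSealC distinction and the PSD2 attributes described above are carried in the qcStatements extension. The sketch below reads a constructed extension value with a minimal DER parser; the OIDs are those defined in ETSI EN 319 412-5 and ETSI TS 119 495, while the NCA name, NCA identifier and all function names are made up for the example.

```python
# OIDs from ETSI EN 319 412-5 (QcType) and ETSI TS 119 495 (PSD2), not from the article.
QC_TYPE, QC_PSD2 = "0.4.0.1862.1.6", "0.4.0.19495.2"
TYPES = {"0.4.0.1862.1.6.2": "QSealC", "0.4.0.1862.1.6.3": "QWAC"}

def read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + n], pos + n

def children(body):                    # split SEQUENCE content into (tag, value) pairs
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def dec_oid(val):                      # assumes first arc 0 or 1, true for the OIDs above
    parts, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def classify(ext_value):
    """Summarise the DER value of a qcStatements extension (1.3.6.1.5.5.7.1.3)."""
    res = {"types": [], "roles": [], "nca_name": None, "nca_id": None}
    for _, stmt in children(read(ext_value)[1]):
        fields = children(stmt)        # statementId, then optional statementInfo
        sid = dec_oid(fields[0][1])
        if sid == QC_TYPE:             # SEQUENCE OF OID
            res["types"] = [TYPES.get(dec_oid(v), dec_oid(v)) for _, v in children(fields[1][1])]
        elif sid == QC_PSD2:           # SEQUENCE { rolesOfPSP, nCAName, nCAId }
            roles, name, nca_id = children(fields[1][1])
            res["roles"] = [children(r)[1][1].decode() for _, r in children(roles[1])]
            res["nca_name"], res["nca_id"] = name[1].decode(), nca_id[1].decode()
    return res

def sample(arc):                       # constructed value, not from a real certificate
    return bytes.fromhex("304F30130606 04008E460106 30090607 04008E460106" + f"{arc:02X}"
        "30380606 040081982702 302E301330110607 04008198270103 0C06 5053505F4149"
        "0C0B 4578616D706C65204E4341 0C0A 58582D4558414D504C45")
```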
FAQ
Can QWACs and QSealCs be used in combination with other types of digital certificates?
The use of a QWAC does not affect the use of other general certificates, such as SSL/TLS certificates. They can be used simultaneously, with a QWAC adding extra security measures. A document sealed with an electronic seal, such as a QSeal, can also include an electronic signature.
What should organizations consider before applying for a QWAC or QSealC?
Organizations should first select a QTSP to comply with the current eIDAS Regulation. Additionally, it is essential to determine the required security level. For payment services and online transactions, the highest security level is mandatory (QWACs and QSealCs). However, for simpler tasks with low risk, this may not be necessary.
What should organizations do if a certificate is compromised?
Organizations should revoke the compromised certificate and contact the national competent authority to report the situation.
Conclusion
The choice between a QWAC and QSealC depends on the purpose, with the possibility that your organization might be required to use both. If not, a QWAC will authenticate your website, while a QSealC ensures that a sent document remains in the same state as when it was sealed.
Entrust Signhost is a leading platform for digital identification and electronic signatures. They can help your organization streamline processes and better serve customers by leveraging convenient tools that automatically meet legal obligations. Start a free trial with Entrust Signhost today to see how their software can enhance your procedures.