How reliable is a digital signature?
The reliability of the process determines the evidential value.
There are three different types of digital signatures:
- The ordinary digital signature
- The advanced digital signature
- The qualified digital signature
According to the law all of these three forms are legally valid, but they have a different evidential value. With a scanned signature, for example, it remains difficult to prove in case of a disagreement that the sender is the person who actually put down their signature.
It is possible to establish this, though, when it concerns an ‘advanced digital signature’ or a ‘qualified digital signature’. In all cases, however, the evidential value is dependent upon the reliability of the underlying process.
The reliability of the process and the evidential value are determined by the following components:
- How strong are the identifying characteristics of the signatory and to what extent are these under his own explicit control?
- Has it been clearly established which process steps the user has gone through before signing?
- At what time was the document signed and can this be proven at a later point in time?
- • Does the document have the right format to demonstrate permanently that the document was signed digitally?
- How strong is the mechanism that was used to inseparably link the identifying data to the document (‘association’), the strength of the cryptography, so that this cannot be easily changed?
Strong identifying characteristics
Examples of identifying characteristics on the Internet include an email address, IP address, mobile phone number, DigiD, iDIN, eHerkenning or a qualified certificate. It’s also possible to ‘stack’ a number of identifying characteristics, whose combination ensures stronger identification. When signing the message, the signatory must have access to these resources. It’s important to take this into account. For example, the evidential value of a qualified certificate may be higher, but if end users don’t have access to it or the application process will take several days, the end user won’t be able to sign.
Process steps of the signing process
For the signing process it’s important that the signatory is aware of the document that he is about to sign. Which documents have been shown and is there an explicit moment that the signatory has deliberately signed the document (expression of intention)?
For the reliability of the signing process and the evidential value it’s important to also determine the time of signing in an independent manner and to include it in the signature. This ensures that no dispute can arise about the time of signing, or about whether the signature was placed at a different time.
Technische standard PADES – XADES
The standards for digital signatures and the eIDAS requirements mention the XADES or PADES format. In fact, this is the technical standard that specifies how a correct digital signature in the PDF or XML format can be inserted in the document. These standards ensure that the digital signatures can be checked in a standard way by various computer programmes, such as the Adobe PDF reader. The standard also ensures that the digital signatures in the documents can be checked in a good and reliable way in the future.
Attaching identifying characteristics to the document
A PKI key is used for attaching the identifying characteristics to the document. This process of attachment is sometimes referred to as association. If the user possesses a qualified certificate on a reliable means, this key can be used for the association. In other cases, the association can be performed with a general key. It’s important that this key is very well protected, for example on an electronic chip in a smart card, USB or hardware security module. If this key is not properly protected, unauthorized persons may also have carried out the association. The length of the key is also important: with a simple key, the association and seal can be broken more easily.
All electronic signatures can be legally valid and serve as evidence. The mere fact that they are electronic or don’t meet the requirements for qualified electronic signatures doesn’t change that. If the reliability of the process isn’t properly safeguarded, the evidential value may be low even if a qualified certificate is used. A good record of the reliability of the signing process is important for its assessment by an independent party, such as a court.
A few of our success stories:
“Errors are a thing of the past since the introduction of digital signing”
“Ondertekenen.nl immediately showed the willingness to adapt to our wishes”
“You must be able to determine with certainty who you’re dealing with and which bank account is used to take out a loan”