Cryptomathic calls for European Standards on E-ID and Trust Services to Recognise That Cloud-Based Digital Signature Schemes Do Not Require a Secure Element
March 2015 by Cryptomathic
As the European Commission Directorate General prepares to mandate electronic identification and trust services (eIDAS) - to boost confidence in digital services and encourage more EU citizens to use e-signatures - Cryptomathic calls for new EU standards to recognise the success and prevalence of cloud-based digital signature schemes, which do not use a secure element (SE).
Software security solution provider Cryptomathic has released a position paper requesting that the upcoming eIDAS regulation be technology-neutral. The paper calls for the new EU security standards to ensure that cloud-based central signing services, which allow users to remotely generate legally binding Qualified Electronic Signatures (QES) in dedicated tamper-resistant hardware, are referenced within the eIDAS framework and can be certified, according to Common Criteria, as Qualified Electronic Signature Creation Devices (QSCD).
In the paper, Cryptomathic highlights the successful use of such central signing schemes by over ten million users across several European countries, including Denmark, Norway, Luxembourg and Austria, and urges the eIDAS regulation to formally recognise them. Cryptomathic also notes that centralised signing systems produce secure logs during the signature generation process, which can be used as evidence in dispute cases, giving cloud-based server signing a considerable security advantage over alternative methods.
The paper goes on to state that the introduction of a secure element for end-user and data authentication prior to the generation of e-signatures through a remote signature server – as proposed by Eurosmart – would be at odds with the objective of the regulation, which is to increase the use of e-signatures through lower costs and easier access and by leveraging existing successful implementations.
Guillaume Forget, Senior Vice President at Cryptomathic Europe, explains: “We agree with the vision set out by the European Commission; to build confidence and encourage the use of e-signatures across the union, we need a consistent framework that boosts user accessibility and convenience, while promoting technical interoperability and innovation.
“Eurosmart, the association that represents the smart security industry, has suggested that secure element technology should be a fundamental part of the criteria to certify a QSCD. Cryptomathic entirely disagrees with this view. Not only are digital signature deployments based on this technology scarce, but this approach would require the deployment of hardware microcontrollers, which could potentially drive up costs and impede user experience and mobility. This contradicts the aim of the regulation, which is to get European citizens using e-services through increased usability, lower costs and leveraging existing technology.”
Guillaume concludes: “We hope that by releasing our position paper, we can encourage greater awareness and debate on the topic of QSCD certification. Our objective is to ensure a workable and scalable framework is created and ensure that it serves the interest of citizens across Europe, who simply want convenience combined with security and cost-efficiencies.”