Allowing people to sign for themselves: Fixing Qualified Signatures
Sometimes it is hard not to think of the old quip “computers exist to solve problems we did not have before we had computers.” Especially when things are so much harder online. Like signing contracts. In real life you pick up a pen and sign your contract. Done.
Online you need an eIDAS qualified electronic signature, which means you need to
- Get a Qualified Signature Creation Device (QSCD),
- Find and employ a qualified trust service provider to manage the signature creation data, and
- Provide a tamper-proof means of protecting the integrity of the signature.
And in the remote-signing setup described below, you don’t even sign for yourself. It is a for-profit company, accredited and supervised by the state, that holds the signing key and signs in your name. But you are of course fully bound by that signature.
That sounds crazy to you? Allow us to explain.
Being able to sign contracts online from the convenience of your home, or while on the road, is extremely useful. Which is why the ability to sign electronically is something that all companies would like to have and most users would find very convenient. There is huge demand for this kind of technology and solution. So governments defined a process for how to sign electronically in a way that is treated as equivalent to your physical signature on paper. They call it a “qualified electronic signature”, and the way it works is actually pretty simple:
Looking under the hood of a “qualified signature”
So-called trust service providers, typically private companies, get themselves accredited by the state (audited, and then listed as “qualified” by the national supervisory body) to provide qualified electronic signatures to you. If you want to be able to sign electronically, you get yourself an account with such a provider or one of their partners. We love having to register for things all the time and have more accounts, so this is already fun!
Now, whenever you want to sign a contract, you ask the provider for a signature. Very often this involves two-factor authentication, such as a code sent by text message, which the provider uses to verify that it really is you. That text message code has never been defeated, so it’s really secure. Of course it has. That was just sarcasm. We’re just pointing that out in case, for some reason, you thought that this all sounds okay so far from a security point of view. After that, the provider creates your signature, using a signing key that it holds and you never see, and hands it to the company that asked for it, which attaches it to the contract.
Considering this is your signature, representing the same level of legally binding commitment as a physical signature on paper, it is remarkable that you aren’t really involved in creating it: you authorize it, the provider’s systems perform it. Which also means the signature provider can impersonate you without your knowledge. Scary stuff, right?
Well, to make sure they don’t, governments accredit conformity assessment bodies, which signature providers then hire to have their internal processes and company structure audited and to certify that they make it adequately hard for anyone to forge your signature. Under eIDAS such an audit has to be repeated at least every 24 months; depending on the kind of audit and the applicable laws, the cycles are one, two or three years.
Audit cycles are also an important reason why qualified certificates, and with them qualified signatures, have a limited validity. Because signature providers can fake signatures not only for the present, but also for the past: the signing time a relying party sees is whatever the provider’s systems assert. They can put your signature under a two year old contract in a way that is indistinguishable from your having signed it two years ago. (The countermeasure the standards foresee is a qualified timestamp from a time-stamping authority, but that only helps where one is actually applied.) So, signature providers are trusted not to do that for no more than a couple of years after a “large” audit. Which is why qualified certificates are typically valid for three to a maximum of ten years only.
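To make the trust relationship concrete, here is an added example in Go of the remote-signing flow this section describes. It is not any provider’s code and not Vereign’s; the Ed25519 key, the one-time code, the document and the `SignedDoc` format are all constructed for the illustration. What it shows is that once the key lives with the provider, the OTP check only exists on the honest code path: the same `signAs` primitive signs without it and with any signing time, and a relying party’s `Verify` returns true and the asserted time for both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedDoc is what the relying party receives: the document hash, the signing
// time as asserted by the provider, and the provider's signature over both.
// Nothing in it was contributed by the person who is supposedly signing.
type SignedDoc struct {
	DocHash   [32]byte
	SignedAt  int64 // Unix seconds, asserted by the provider
	Signature []byte
}

// payload is the byte string the provider's key actually signs.
func payload(docHash [32]byte, signedAt int64) []byte {
	b := make([]byte, 40)
	copy(b, docHash[:])
	binary.BigEndian.PutUint64(b[32:], uint64(signedAt))
	return b
}

// Provider models the trust service provider's signing service. The key stays
// inside it (the "HSM"); the user only ever supplies a one-time code.
type Provider struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	otp  map[string]string // user -> code "sent by text message" (constructed)
}

func NewProvider() *Provider {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return &Provider{pub: pub, priv: priv, otp: map[string]string{}}
}

func (p *Provider) PublicKey() ed25519.PublicKey { return p.pub }

// SendOTP stands in for the text message; the code is valid for one use.
func (p *Provider) SendOTP(user, code string) { p.otp[user] = code }

// RequestSignature is the honest path: check the code, then sign with the
// current time.
func (p *Provider) RequestSignature(user, otp string, doc []byte, now time.Time) (SignedDoc, error) {
	if want, ok := p.otp[user]; !ok || want != otp {
		return SignedDoc{}, errors.New("OTP check failed")
	}
	delete(p.otp, user)
	return p.signAs(doc, now.Unix()), nil
}

// signAs is the primitive every path ends in. The user plays no part in it,
// and the signing time is whatever the caller passes.
func (p *Provider) signAs(doc []byte, signedAt int64) SignedDoc {
	h := sha256.Sum256(doc)
	return SignedDoc{DocHash: h, SignedAt: signedAt, Signature: ed25519.Sign(p.priv, payload(h, signedAt))}
}

// ForgeBackdated is the path a dishonest or compromised provider has: no code
// from the user, and any past time it likes.
func (p *Provider) ForgeBackdated(doc []byte, claimed time.Time) SignedDoc {
	return p.signAs(doc, claimed.Unix())
}

// Verify is all a relying party can do: check the provider's signature and read
// back the asserted time. It cannot tell an honest signature from a forged or
// back-dated one, because both were made with the same key.
func Verify(pub ed25519.PublicKey, doc []byte, sd SignedDoc) (time.Time, bool) {
	h := sha256.Sum256(doc)
	if h != sd.DocHash || !ed25519.Verify(pub, payload(h, sd.SignedAt), sd.Signature) {
		return time.Time{}, false
	}
	return time.Unix(sd.SignedAt, 0).UTC(), true
}

func main() {
	p := NewProvider()
	doc := []byte("Lease agreement, 2 pages (constructed sample)")
	p.SendOTP("alice", "482913")
	honest, err := p.RequestSignature("alice", "482913", doc, time.Date(2019, 11, 4, 10, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	forged := p.ForgeBackdated(doc, time.Date(2017, 11, 4, 10, 0, 0, 0, time.UTC))
	for _, sd := range []SignedDoc{honest, forged} {
		at, ok := Verify(p.PublicKey(), doc, sd)
		fmt.Printf("valid=%v signed_at=%s\n", ok, at.Format(time.RFC3339))
	}
}
```

Both lines the program prints read `valid=true`; the only difference is the asserted year. A qualified timestamp from a separate time-stamping authority is what gives the relying party an independent witness for the time, and the model leaves it out on purpose, because the point of this section is what remains when the provider’s own clock is the only one.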
But even three years is a long time. It’s definitely time enough for bad things to happen while you are unable to respond. If you disagree, let me have signature authority for you for three years and let’s see what can happen…
You wouldn’t. And that’s the point.
The truth is that what is currently defined as a qualified electronic signature is a long way from being equivalent to your personal signature on paper in security, convenience, privacy, longevity and also cost. Those audits cost hundreds of thousands of bucks each year. Only a few companies can afford this kind of cost. So, the market for qualified electronic signatures is an oligopoly with only a very small number of providers. A recipe for artificially inflated cost borne by businesses and consumers alike. We need a revolution.
Have you ever wondered why electronic signatures have been around for a long time, but haven’t really caught on? This is why.
A digital signature that truly qualifies as yours
We need a digital signature that truly is personal and equivalent to our own signature.
The technical team at Vereign and our amazing advisers have been thinking about a better approach to this — and built it out into a prototype that you can try out at app.vereign.com. What we have built is the first electronic signature that truly will be equivalent to your physical signature on paper, and personally yours.
It starts with your identity and personal data, including the keys you sign with, which remain on the devices you own and control, protected by encryption so that they are truly yours. This is called a self-sovereign identity, and Vereign has built it so that it will incorporate multiple verifications of your identity by third parties…
Those can be digital identity providers, banks or even social media. Whenever you want to sign something, your device generates the signature, incorporating as much of your verified identity as necessary for this particular contract.
Each such signature is recorded in a public audit trail that makes it possible to verify that the signature is genuine, and when it was made. That audit trail is written to a distributed ledger in a form that, on its own, identifies neither signatures nor people. But given a signature, the way the ledger takes over the certificate authority’s role ensures that anyone can verify when this signature was made and that its original author did not contest its authenticity.
Each signature also leaves an entry in the personal audit trail of your identity, equally secured by the ledger. So no interaction that involves your identity can be hidden from you, even if a criminal somehow managed to get access to one of your devices. Combined, this approach ensures that nobody can impersonate you undetected (in which case you would revoke the signature immediately), and it makes back-dating signatures virtually impossible, because the time a signature carries is the time the ledger recorded it, not a time anyone asserts after the fact. At the same time, anyone can independently verify the authenticity and integrity of a signature they received from a third party.
There is also no three-year expiry for these signatures. The oldest ledger of this type in operation is a blockchain that has been attacked from many sides for over 10 years now, and as far as we know no one has managed to modify its historical data. The cryptography seems to hold, and if anyone were to discover issues, we could anchor the historical chain into a newer, more secure version.
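The ledger mechanics of the last three paragraphs, as an added Go example. This is not Vereign’s code, and the page does not specify its data formats: the commitment (a SHA-256 hash of the signature), the hash-chained `Ledger`, the per-device `Trail` and the sample document are all assumptions made for the illustration. It shows the three properties claimed above: the public ledger holds only commitments that identify neither signature nor signer; given the signature, anyone can verify it and read the time the ledger anchored it; and a signature made with a stolen copy of the key verifies cryptographically but is absent from the rightful owner’s trail, while rewriting an anchor time breaks every later link in the chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Entry is one ledger record: a commitment that by itself identifies nothing,
// the time the ledger accepted it, and the hash of the previous entry.
type Entry struct {
	Commitment [32]byte
	AnchoredAt int64 // Unix seconds, set by the ledger, never by the signer
	PrevHash   [32]byte
}

// hash binds all three fields; hex plus separators keeps the encoding unambiguous.
func (e Entry) hash() [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x|%d|%x", e.Commitment[:], e.AnchoredAt, e.PrevHash[:])))
}

// Ledger is a minimal append-only hash chain standing in for the distributed
// ledger; Clock is injected so runs are reproducible.
type Ledger struct {
	Entries []Entry
	Clock   func() time.Time
}

// Append anchors a commitment at the ledger's current time and returns its index.
func (l *Ledger) Append(c [32]byte) int {
	var prev [32]byte
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].hash()
	}
	l.Entries = append(l.Entries, Entry{Commitment: c, AnchoredAt: l.Clock().Unix(), PrevHash: prev})
	return len(l.Entries) - 1
}

// VerifyChain detects any edit to history: changing an entry changes its hash and
// breaks the next PrevHash. The newest entry is protected only by wide replication
// of the chain tip, which is the ledger network's job and is not modelled here.
func (l *Ledger) VerifyChain() bool {
	for i := 1; i < len(l.Entries); i++ {
		if l.Entries[i].PrevHash != l.Entries[i-1].hash() {
			return false
		}
	}
	return true
}

// Signature is what the signer hands out. Only someone holding Sig can recompute
// the commitment at LedgerIx, so the public ledger on its own links nothing to anyone.
type Signature struct {
	Signer   ed25519.PublicKey
	Sig      []byte
	LedgerIx int
}

func commitment(sig []byte) [32]byte { return sha256.Sum256(sig) }

// Device holds the signer's own key; no provider ever sees it. Trail is the personal
// audit trail: the ledger indexes of signatures this copy of the key made. A stolen
// copy of the key on another device has its own, empty Trail.
type Device struct {
	Pub   ed25519.PublicKey
	Priv  ed25519.PrivateKey // exported only so a stolen-key copy can be built in a test
	Trail map[int]bool
}

func NewDevice() *Device {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return &Device{Pub: pub, Priv: priv, Trail: map[int]bool{}}
}

// Sign signs on the device and anchors the commitment; the key never moves.
func (d *Device) Sign(doc []byte, l *Ledger) Signature {
	sig := ed25519.Sign(d.Priv, doc)
	ix := l.Append(commitment(sig))
	d.Trail[ix] = true
	return Signature{Signer: d.Pub, Sig: sig, LedgerIx: ix}
}

// Verify checks the signature, the chain, and that the commitment sits at the claimed
// index. The time it returns is the ledger's, so back-dating means breaking the chain.
func Verify(doc []byte, s Signature, l *Ledger) (time.Time, bool) {
	if s.LedgerIx < 0 || s.LedgerIx >= len(l.Entries) || !l.VerifyChain() {
		return time.Time{}, false
	}
	e := l.Entries[s.LedgerIx]
	if e.Commitment != commitment(s.Sig) || !ed25519.Verify(s.Signer, doc, s.Sig) {
		return time.Time{}, false
	}
	return time.Unix(e.AnchoredAt, 0).UTC(), true
}

func main() {
	l, alice := &Ledger{Clock: time.Now}, NewDevice()
	doc := []byte("Lease agreement, 2 pages (constructed sample)")
	s := alice.Sign(doc, l)
	at, ok := Verify(doc, s, l)
	fmt.Printf("valid=%v anchored_at=%s in_trail=%v\n", ok, at.Format(time.RFC3339), alice.Trail[s.LedgerIx])
}
```

Running it shows one honest signature with the ledger’s time. The stolen-key case is a second `Device` with the same `Pub` and `Priv` and an empty `Trail`: its signature verifies, but `alice.Trail` does not contain it, which is what lets the owner notice and contest it. The back-dating case is editing an `Entry`’s `AnchoredAt`, after which `VerifyChain` fails for every signature anchored after it. Note the caveat in `VerifyChain`’s comment: a hash chain protects everything except its newest entry, so the time guarantee is only as good as the distribution of the chain tip.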
All things considered it is a far more robust, secure approach in which your devices become the equivalent of your ballpoint pen — the signature is put in your hands.
So, no more need for a government appointed for-profit company to have online signature authority for you. You should be able to do that yourself. It’s time to make that a reality today.
This article is one of two (“Game of Keys: Too Much Information About Certificate Authorities” is the other one) which have been a co-production with our advisory board member Pete Herzog of ISECOM, following a great, productive workshop in Barcelona in October ‘19.