Remote signatures with the eID function

type: Article

Since 1 July 2016, Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) has applied in all member states, creating a uniform framework for the cross-border use of electronic means of identification and of trust services.

Detailed information about the eIDAS Regulation and about the completed notification of the eID function and of the electronic residence permit is provided on a separate page.

Under the Regulation, a qualified electronic signature created by a citizen in one EU member state has the equivalent legal effect of a handwritten signature and must be recognized as a qualified electronic signature in all other member states. This makes legally binding cross-border electronic communication possible across Europe for the first time.

Card-based signatures

So far, signature cards have been used to create qualified electronic signatures. The procedure's security rests on the signature card and on two-factor authentication at the moment the signature is created: the private key is stored on the signature card, is protected there from unauthorized access, and can be used only by combining the authentication factors of knowledge (the PIN) and possession (the signature card).

Remote signatures

The eIDAS Regulation makes it possible for the first time to use remote signatures in Germany.

With a remote signature, a signature card is no longer needed to create a qualified electronic signature: a qualified trust service provider manages the signature creation data on behalf of the signatory and creates the signature on the signatory's behalf.

The advantage of this new procedure is that no additional technical equipment (signature card, card reader) is needed to create a qualified electronic signature. Instead, signatories must securely prove their identity to the trust service provider.

On-the-fly signature with the eID function

To create a remote signature using the eID function, a suitable mobile phone with an NFC interface can serve as the card reader for electronic identification. This makes it possible to create a legally binding electronic signature with the mobile phone (a "mobile signature").

In other procedures, identification (to issue a qualified electronic signature certificate) and authentication (to authorize the trust service provider to create a signature) are separate processes. What sets this procedure apart is that the eID function combines these two steps into one.

The eID function thus enables an on-the-fly signature: a signatory can create a qualified electronic signature ad hoc, when it is needed, without first having to register with a trust service provider.

This one-step procedure is particularly useful for people who create electronic signatures only occasionally.

The procedure fulfils all requirements for qualified electronic signatures under the eIDAS Regulation, as well as all requirements the Regulation places on the trust service provider.

Results from the pilot

In 2019, the Federal Office for Information Security (BSI) carried out a pilot project to implement a prototype of the remote signature procedure using the eID function. The project was successfully completed in early 2020.

Technically, the "on-the-fly" signature with the German ID card is based on an extension of the eID function that enables the ID card holder to authorize a transaction or a validation code (such as the hash of a document). The extension allows the service provider to verify that, after successful identification with the ID card, the same validation code is present at the user's eID client and at the eID server.

Because online identification is carried out only after the PIN has been entered correctly, the eID server can be sure that the validation code was authorized under both authentication factors, knowledge (PIN) and possession (ID card), i.e. by the card holder. The eID server can then read the card holder's identity data from the card, which identifies the card holder at the level of assurance required to issue a qualified signature certificate, and the signature can be created over the authorized validation code.
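The binding described above can be modelled in a few lines. The following is an added illustration, not code from the BSI pilot or from any eID client or server: the class and method names, the message shapes, the PIN handling and the use of SHA-256 as the validation code are assumptions, the real eID protocol messages are not reproduced, and the QSCD signing step is stood in for by an HMAC under a key held only by the server so that the example runs with the Python standard library alone. What it shows is the order of checks the paragraph requires: no identity data is used and nothing is signed unless the PIN succeeded and the code sent by the client equals the code the service provider handed to the server.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def validation_code(document: bytes) -> bytes:
    """Validation code for a document: a SHA-256 hash (assumed choice of hash)."""
    return hashlib.sha256(document).digest()


@dataclass
class IdCard:
    """Possession factor. The chip checks the PIN (knowledge factor) against a
    retry counter and releases identity data only after a successful check."""
    pin: str
    identity: dict
    retries_left: int = 3

    def verify_pin(self, entered: str) -> bool:
        if self.retries_left == 0:
            return False                        # card blocked
        if hmac.compare_digest(self.pin.encode(), entered.encode()):
            self.retries_left = 3
            return True
        self.retries_left -= 1
        return False


@dataclass
class EidClient:
    """User-side eID client (e.g. an NFC phone). It hands the validation code
    to the eID server only inside a session opened by a successful PIN entry,
    so the code is authorized by both factors in the same step."""
    card: IdCard

    def identify(self, entered_pin: str, code: bytes) -> Optional[dict]:
        if not self.card.verify_pin(entered_pin):
            return None
        return {"validation_code": code, "identity": dict(self.card.identity)}


@dataclass
class EidServer:
    """eID server of the trust service provider. The QSCD signing key is
    stood in for by an HMAC key (assumption; a real QSCD holds an asymmetric key)."""
    qscd_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def sign_on_the_fly(self, expected_code: bytes, session: Optional[dict]) -> Optional[dict]:
        if session is None:
            return None                         # PIN failed: no identification, nothing to sign
        if not hmac.compare_digest(expected_code, session["validation_code"]):
            return None                         # codes differ: abort before touching identity data
        ident = session["identity"]             # read only after the code was authorized
        cert = {"subject": f"{ident['given']} {ident['family']}", "born": ident["dob"]}
        sig = hmac.new(self.qscd_key, expected_code, hashlib.sha256).digest()
        return {"certificate": cert, "signed_hash": expected_code, "signature": sig}

    def verify(self, document: bytes, result: dict) -> bool:
        """Check that `result` is a signature by this key over exactly `document`."""
        expected = hmac.new(self.qscd_key, validation_code(document), hashlib.sha256).digest()
        return hmac.compare_digest(expected, result["signature"])


if __name__ == "__main__":
    # Constructed sample data (specimen identity, not a real person).
    card = IdCard(pin="123456", identity={"given": "Erika", "family": "Mustermann", "dob": "1964-08-12"})
    client, server = EidClient(card), EidServer()
    contract = b"Kaufvertrag: 10 Stueck zum Preis von 100 EUR"
    code = validation_code(contract)            # the service provider passes this to the eID server

    result = server.sign_on_the_fly(code, client.identify("123456", code))
    print("signed:", result is not None, "verifies:", server.verify(contract, result))
    print("tampered document verifies:", server.verify(contract + b" + 1000 EUR", result))
    print("wrong PIN signs:", server.sign_on_the_fly(code, client.identify("000000", code)) is not None)
    swapped = validation_code(b"another document")  # server holds a code the holder never authorized
    print("swapped code signs:", server.sign_on_the_fly(swapped, client.identify("123456", code)) is not None)
```

Two points the model makes visible: the signature binds only the hash, so a document altered after authorization no longer verifies, and a code substituted at the server is rejected by the equality check before any identity data is read. What the hash-based design cannot do on its own is guarantee that the holder saw the document the hash belongs to; that "what you see is what you sign" property rests on the eID client presenting the document (or its hash) to the user before the PIN is entered.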

The pilot project first confirmed that the procedure is compatible with all German electronic ID cards and residence permits already issued. On that basis, an eID client and an eID server were adapted to implement the extension of the eID function and to build a demonstrator for the creation of an electronic signature.

The prototype does not yet allow the creation of a legally effective remote signature, since under the eIDAS Regulation only a qualified trust service provider (QTSP) may create one, using a qualified signature creation device (QSCD).

Currently, no trust service provider has integrated the results of the prototype into its own product. The prerequisites for such an integration were created in the project.

Contact

Federal Ministry of the Interior and Community
Division DV I 4