What is a qualified electronic signature (QES) and how does it work?
A qualified electronic signature is a type of electronic signature that meets specific legal requirements and is often equivalent to a handwritten signature. It is based on advanced electronic signature technology and is issued by a qualified trust service provider (QTSP).
To obtain this type of signature, identity authentication is a prerequisite before the issuance of a digital certificate. Identity authentication requires ID or passport verification and video identification from the signer. The digital certificate proving identity is automatically attached to the signature, thus ensuring that the signer's identity is verified and supervised.
๐ Note: Tresorit uses third party Evrotrust to help identify the signer of a document. Evrotrust is listed as a European trust service provider: EU Trusted List.
Learn more about Evrotrust: Trust Service Provider - Evrotrust
What is the difference between the three different electronic signature levels?
Electronic signatures are categorized into three levels based on their security and assurance:
- Simple Electronic Signature (SES): This is the lowest level of electronic signature which does not require identity verification. It typically involves simple methods like typing your name or checking a box to complete the signing process.
- Advanced Electronic Signature (AES): AES offers a higher level of security compared to SES. It involves additional measures like using a unique identifier, password, or PIN to sign a document.
- Qualified Electronic Signature (QES): QES is the highest level of electronic signature which involves using a digital certificate issued by a Trust Services Provider (TSP). It ensures the signer's identity and the integrity of the signed document.
Which regulations govern the use of qualified electronic signatures?
The governing regulations may vary by jurisdiction, but the eIDAS Regulation in the European Union is a prominent standard.
Across all EU Member States, the legal effects of electronic signatures are laid down in Article 25 of eIDAS.
Is a Qualified Trust Service Provider (QTSP) listed in the Trusted List Browser acknowledged as a QTSP in all EU Member States?
The primary objective of the 'qualified' status is to attain cross-border interoperability and acknowledgment of electronic products and trust services throughout all EU Member States. Thus, a qualified product provided by a qualified trust service under a QTSP situated in any Member State will be recognized as qualified in all Member States.
When should one consider using qualified electronic signatures?
As a general rule, if a certain level of electronic signature (e.g. advanced signature) is required, a higher level will probably be accepted (qualified electronic signature).
Which types of ID documents can be used for identity verification?
Supported documents can vary depending on the signers' locations. The complete list of documents supported by Evrotrust can be found here.
Where can the signers find the document once all the required signatures are completed?
Signers can download the completed document from the original link which the requestor sent them. Although all parties will receive an email about the document completion it does not include this link for security reasons. If the original link is expired or revoked, the requestor can create a new link on the signed document in their Tresorit app and send it to the signers.
๐ Note: You can learn about link creation here: Share your content with links
Is the Trust Service Provider able to access the document that has been sent for signing?
No, Tresorit sends only the hash of the document to Evrotrust for signing. When signing something with a hash, the person is basically creating a unique digital secret code for that document or message. The idea of using a hash is that when the document changes - even slightly - the hash would also change, which in turn would make the signature invalid.