Remote Digital Signature: How It Works & It’s Advantages
What is a remote digital signature, the most used in India? To sign a document with legal value in seconds. Too many companies and too many professionals are still anchored to the use of paper. Many believe that the handwritten signature on a document is the only way to give it legal validity. This belief, unfortunately, remains rooted in many contexts.
A valid aid to dematerialize and eliminate the paper relying on an additional security level (a handwritten signature can be subjected to forgery attempts) comes from electronic and digital signatures. In another article, we have seen the main differences between the types of electronic signatures, clarifying that electronic and digital signatures are not synonyms and are, therefore, not terms that can be used with the same meaning.
Differences Between An Electronic Signature And A Digital Signature
First, we have seen three types of electronic signatures, as clarified in the Digital Administration Code and the eIDAS Regulation ( electronic IDentification Authentication and Signature; EU Reg. 910/2014). In this article, we limit ourselves to recalling that the advanced electronic signature (FEA) is the tool through which a signature placed on an electronic document (think, for example, of a PDF file) is uniquely connected to the owner.
The FEA is uniquely linked to the signatory, is capable of identifying the signatory, is created using data for the creation of an electronic signature which the signatory can, with a high level of security, use under his sole control, is linked to the data signed to allow the identification of any subsequent modification of such data (in other words, after the FEA has been affixed, it will be possible to recognize unauthorized modifications of a document made subsequently).
Qualified Electronic Signature ( FAQ) adds an extra layer of security over FEA. The signature must be based on a qualified certificate and generated by a secure device. The documents on which an FAQ has been affixed are recognized in any field, and probative effectiveness is ensured. In case of denial of the signing of the document, the same subject will dispute the affixing of the signature that must provide proof of his assertions.
For the management of the FAQ and the affixing of the signature, smart cards or USB tokens are used, issued by qualified trust service providers after verifying the applicant’s identity. These tools contain the qualified certificate the holder can then use to sign the documents and ensure their full legal value.
The digital signature is defined as ” a particular type of FEA based on a qualified certificate and a system of cryptographic keys, one public and one private, correlated to each other, which allows the holder through the private key and the recipient through the key public, respectively, to disclose and verify the origin and integrity of a computer document or a set of computer documents “.
What does it mean? An asymmetric cryptographic key pair is used for the digital signature. One key is public, while the other is private and remains under the exclusive control of the owner or holder of the signature. We have seen the differences between symmetric and asymmetric encryption in another article. As in the FAQ case, in the event of repudiation of the signature, the burden of proof rests with whoever made the dispute.
What Is A Remote Digital Signature, And How Does It Work
Examining the document published by AgID, which photographs the diffusion of qualified trust services, it is discovered that the remote digital signature is unquestionably the most widespread in Italy. During the first half of 2021, over 26 million qualified signature certificates were issued by eligible service providers, and 82% of these are remote digital signatures.
What is the success of the remote digital signature due to? First, its practicality and the fact that it allows you to speed up workflows. Instead of using smart cards, relative readers, or USB tokens in the case of remote digital signature, it is sufficient to use the classic signature software with a device on which an app is entitled to generate OTP ( one-time-password ) installed.
Instead of being stored locally, the signature certificate is, in this case, stored on a secure server managed by the qualified trust service provider. By entering your credentials and the OTP code generated on the signature holder’s mobile device (Android or iOS) in the signature application, the latter can authenticate and digitally sign documents and files from any location connected to the Internet without installing any hardware.
Instead of the app installed on your smartphone, you can use a token that generates OTP. Even in the case of remote signature, the document never leaves the user’s device: the locally installed client application calculates the hash of the file to be digitally signed. It is transmitted to the remote server of the qualified trust service provider.
The hash is a unique fingerprint that can be generated for any file using various algorithms. The document stored in the same form, without modifications, on different devices always has the same hash. In Windows, it is possible to calculate file hashes without additional programs.
The document hash is remotely digitally signed, and the result is sent to the client, which adds the digital signature to the document indicated by the user and produces a version with full legal value. The document obtained will be authentic, intact and legally valid.
Some certifiers make available specific APIs that developers can use to integrate the signing process with the applications already used in the company. With the remote digital signature, generally valid for three years from the moment of the request, you can sign all documents as if you had affixed your handwritten signature.
To obtain the remote digital signature, it is necessary to refer to the specific procedures established by the individual qualified trust service providers: however, it is usually sufficient to authenticate via SPID, therefore using a digital identity that can also be obtained free of charge, CIE ( Electronic Identity Card ), CNS, by video identification or using a traditional digital signature.
The remote digital signature fully satisfies the requirements imposed by the eIDAS Regulation, even though there are still no explicit references within the same legislation. The draft of the new Regulation speaks of creating a remote signature precisely to refer to the remote digital signature.