The final blog in our series on the different types of eSignatures, this deep dive focuses on cloud signatures for remote signing and the details around this eSignature solution.
Relatively new compared to other types of e-signatures, cloud signatures describe certificate-based digital signatures in the cloud. Cloud signatures enable remote signing via mobile or web devices with Advanced Electronic Signatures and Qualified Electronic Signatures backed by trusted and compliant certificates from Certificate Authorities (CA) and Trust Service Providers (TSP).
What is a remote signature?
A remote eSignature provides users with complete mobility, allowing people to sign from any internet-connected device, including mobile phones, laptops and tablets.
It sets businesses free from the need to install signing devices locally. Instead, it is a cloud-hosted signing service that provides a high-trust, eIDAS-compliant eSignature solution. eIDAS recognises remote signing and supports its use for creating Remote Qualified Signatures.
Remote signing differs from local signing in that a user must sign via a Secure Signature Creation Device (SSCD), which uses a secure smart card or token. Even in this case, users can utilise a cloud-based remote signature.
The user must have installed the SSCD local drivers and have a smartcard reader connected. Then, their cloud signature service provider can send the document or transaction to the SSCD for local signing.
This short video explains a remote signing workflow.
What is a Remote Signing Service Provider (RSSP)?
In most cases, a Remote Signing Service Provider is a Trust Service Provider or a Qualified Trust Service Provider. These RSSPs deliver hash signing operations via the Cloud Signature Consortium protocol.
When a user signs a document electronically, the e-signature solution sends a hash for signing via the Cloud Signature Consortium protocol to a RSSP.
The RSSP solution completes all required authorisation, signs the hash, and returns it to the eSignature solution to compile it into the user’s signature.
What is the Cloud Signature Consortium?
The Cloud Signature Consortium (CSC) is a group of industry and academic organisations committed to building robust standards for cloud-based digital signatures. Ascertia is a member.
The standards ensure mobile and web-based applications comply with the most demanding global eSignature regulations. The CSC was created to develop standard protocols to ensure distributed applications and services leverage digital signatures in a non-proprietary way.
With digital signatures migrating to a cloud-based approach, the functions needed to create digital signatures are distributed across several service instances, each carrying out sometimes multiple steps within the eSignature creation process. The CSC has ensured that the interfaces between such services are now standardised.
The remote signing process
Remote signing requires slightly more effort to set up than other types of digital e-signatures. While more time-consuming initially, it provides greater flexibility and accessibility in out-of-office situations.
Users must be securely vetted before they start using the SigningHub remote signing service, and their unique signing key must be created inside the Hardware Security Module (HSM) with a Signing Certificate issued by the Trust Service Providers’ Certificate Authority.
eIDAS and ETSI/CEN standards place strict requirements for HSM requirements. Ascertia’s ADSS SAM Appliance complies with Common Criteria EAL4+ EN 419 241-2 Protection Profile.
Our remote signing solution can be embedded into any third-party business web application, and SigningHub can be embedded via REST/JSON API, our mobile browser, iOS Android apps or third-party business application connectors.
How secure are remote signatures?
Remote signatures using Advanced Electronic Signatures provide a high degree of security, as it falls under the exact security requirements of traditional Advanced Electronic Signatures.
With remote signing, the user’s identity can be captured and bound to their signing certificate after they have been through an accredited identity provider’s extensive checks.
A user’s signing key can be held centrally in a secure HSM, in an encrypted database or within their mobile device. Additionally, various single-factor or multi-factor options can authenticate users.
This type of eSignature provides an even higher level of security since the entire process of signing and verifying is standardised and assured to very robust levels
Are cloud signatures via remote signing legal?
Remote signatures provide the same high level of trust as Advanced Electronic Signatures and Qualified Electronic Signatures.
The regulations around such signature processes govern the trusted Certificate Authorities, which issue e-identity certificates to end-users. User signing keys are highly protected, and trying to dispute a cloud signature made using your key under your control is almost impossible.
In terms of law standards, a remotely signed Advanced Electronic Signature or Qualified Electronic Signature is deemed equivalent to or better than a handwritten signature.
We recommend remote signing signatures when only the highest levels of trust and security will do when you’re on the move. Remote signatures provide security and peace of mind, even when you’re away from the office.
Remote signing provides robust interoperability based on industry-standard digital signature techniques (ISO 32000, ISO 19005 and ETSI PAdES formats).
Choosing an electronic signature solution that can support your current needs and is flexible enough to adapt to your business’s future requirements is important.
Want to learn more about the different types of eSignatures and discover which suits your business needs?
Download our eBook: Choosing the Right Type of eSignature.