We spoke to Patrick Beckman Lapré, Director of Sales at DigiCert, about local signing. This conversation included what local signing entails, the European market and specific advancements in Belgium.
Let’s start by breaking this concept down. Instead of having your certificate hosted and managed by a QTSP, with local signing it is stored on a smart card, ID card, or USB token. You have the certificate of your digital identity in your hand to make a signing request.
We can use Belgium as an example, specifically governmental suppliers. Belgium’s eIDs have embedded certificates so, instead of having an additional identity to buy or use, you can use your existing ID card or passport for local signing.
In a lot of cases, however, there are still legacy applications that cannot work with certificates that are hosted by a QTSP. These applications use a local certificate on a smart card, ID card, or token because of these limitations.
The finance industry is a little further along in its adoption, whereas governmental departments are often lagging a little behind. This time-to-adoption gap is often what you see with eProcurement and the European Commission. It still works with local tokens.
itsme is a digital identity. What itsme is doing is using the local smart card – like the eID in Belgium – whereby you authenticate yourself and then, in the background, there is a remote certificate issued hosted by itsme. The local certificate then authenticates the user and issues a qualified certificate in the background.
The most important thing is that you can rely on the existing issuance process of a local certificate and, based on that process, you are issuing a certificate in the cloud or in a QTSP environment which you can then use for remote qualified signing using an app, for example.
Looking beyond Europe, local signing wanes a little in popularity. There are still plenty of legacy applications that are not capable of working with remote signatures and it’s mainly governmental.
Returning to Europe, the Netherlands is another interesting example. The country’s Chamber of Commerce staff all need physical tokens to operate in their jobs. You still see a growth of signing based on local signing capabilities, but you will also see that those organisations are now looking a little further. The COVID pandemic has driven that change as people no longer need a local token or local ID card.
In Germany, they have a German eID and therefore, you need a PIN to activate a remote identity. This is not a good user experience.
Thank you to Patrick for his thoughts on local signing. For more in-depth information on local signing, read our other blog posts or read Patrick’s previous guest blog on digital signing and identity.