Ensuring digital trust in e-signed documents

Posted by Mike Hathaway on Mar 2, 2022 4:14:44 PM

In this blog we’ll discuss digital trust and level assurance, two elements of proving a digital identity to ensure trust in your e-signed documents. 

Online transactions and electronic documents require the same checks as a paper equivalent. It needs to be possible to prove the identity and establish trust in both the entity and the documentation.

How to ensure digital trust in your e-signed documents

How to establish digital trust

Establishing trust in any online transaction begins with proving the identity of an end entity, prior to them being issued with a digital identity. A digital identity can be issued to a person, server or application.

Different identity types are supplied by different Trust Service Providers (TSPs). These all have differing enrolment and identity vetting requirements. Without establishing and verifying identity, it is not possible to trust any transaction they are attempting to perform.

There are different categories of trust service provider depending on the type of certificates or audit requirements:

  • TSP – The basic public Trust Service Provider
  • AATL – Adobe Approved Trust List Provider
  • QTSP – Qualified Trust Service Provider (additional audit requirements to comply with eIDAS regulations for legally binding digital signatures)
  • RSSP Remote Signature Service Provider (encompassing all the above but also exposing different signing services).

What does level of assurance mean?

We’ve discussed establishing digital trust. The type of trust scheme you need from your certificate will determine the provider you select and the type of vetting required.

The higher the trust level, the more rigorous the vetting. This is also known as the level of assurance or the assurance you can place in the process that proved your identity for you to obtain a certificate.

This is the foundation of digital trust. Certificates can be issued at different assurance levels to different entities and organisations.

The assurance level or certificate type will determine the type of protection that is required to generate and store your keys and certificates. This could be a cryptographic smartcard or token or even a Hardware Security Module or Remote Qualified Signature Creation Device. 

As the term suggests, there are different levels of assurance:


  • No cryptographic security
  • Simple mark in a document, check box or user drawn
  • Little security for document alteration

Advanced – Individual or eSeal signing certificates

  • Signatures based on private PKI
  • Software or hardware based keys
  • Local and remote signature support

AATL – Adobe Approved Trust List – Individual or eSeal signing certificates

  • Must be stored in a FIPS 140-2 Level 2 or 3 smartcard of hardware device (HSM)
  • Applicants must submit proof of identity that can be verified independently

EU Qualified – Individual or eSeal signing certification

  • Must be stored in a FIPS 140-2 Level 2 or 3 smartcard of hardware device (HSM)
  • Applicants must submit proof of identity that can be verified independently
  • Face to face or video vetting required

How Ascertia provides online digital signatures

The type of service provider you are or that you are subscribing to will determine the enrolment or eKYC process users will undergo. The higher the level of assurance required, the more vetting and checks that will take place to verify a user’s identity. 

Ascertia’s ADSS Web RA Server supports enrolment and meets KYC vetting certificate subscriber requirements. ADSS Web RA Server is an advanced registration authority application that harnesses the power of ADSS CA Server by directly issuing and managing the lifecycle of certificates, enabling users to select the standard required in SigningHub.

The latest release of SigningHub 8.0 is more closely aligned with eIDAS and digital signature terminology than ever before. It is now possible to select the level of assurance for individual documents in the eSignature field. SigningHub 8.0 is also Cloud Signature Consortium (CSC) enabled, meaning that it can now be connected to a CSC compliant RSSP to easily enable organisations to pick and choose between Trust Service Providers.

The latest release of ADSS Server provides support for Cloud Signature Consortium (CSC). This addition makes it easy for TSPs to establish signing services that are highly interoperable with CSC enabled signing applications such as SigningHub.

Customers can tailor the user experience for users operating SigningHub outside of the EU by applying a customised label for the local equivalent of a Qualified Electronic Signature (QES) to provide the level of assurance for a customer’s needs.

Get in touch to discuss your digital trust requirements.