Ensuring digital trust in e-signed documents

Posted by Mike Hathaway on Mar 2, 2022 4:14:44 PM

In this blog, we discuss digital trust and level of assurance. These are two elements of proving an identity to ensure digital trust in e-signed documents.

Online transactions and electronic documents require the same checks as a paper equivalent. You need to be able to prove your identity and establish trust in both the entity and the documentation.

How to establish digital trust

Establishing trust in online transactions begins with proving the identity of an end entity.

You need to do this before issuing a person, server or application with a digital identity.

There are various identity types supplied by different Trust Service Providers (TSPs). These all have unique enrolment and identity vetting requirements. You must establish and verify an identity to trust attempted transactions.

There are different categories of TSPs, depending on the type of certificates or audit requirements:

  • TSP – The basic public Trust Service Provider
  • AATL – Adobe Approved Trust List Provider
  • QTSP – Qualified Trust Service Provider (additional audit requirements to comply with eIDAS regulations for legally binding signatures)
  • RSSP – Remote Signature Service Provider (encompassing the above but also exposing different signing services)

What does level of assurance mean?

We’ve discussed establishing digital trust. The type of trust scheme you need from your certificate determines the provider you select, and the type of vetting required.

The higher the trust level, the more rigorous the vetting. The high-trust industry calls this the level of assurance. It gauges how much assurance you can place in the process that proves your identity before you obtain a certificate.

This is the foundation of digital trust. Providers can issue digital certificates at different assurance levels to different entities and organisations.

The assurance level or certificate type determines the type of protection that is required to generate and store your keys and certificates. This could be a smart card or token, a Hardware Security Module (HSM) or a Remote Qualified Signature Creation Device.

As the term suggests, there are different levels of assurance:


  • No cryptographic security
  • Simple mark in a document, check box or user-drawn
  • Little security for document alteration

Advanced – Individual or eSeal signing certificates

  • Signatures based on private PKI
  • Software or hardware-based keys
  • Local and remote signature support

AATL – Adobe Approved Trust List – Individual or eSeal signing certificates

  • Must be stored in a FIPS 140-2 Level 2 or 3 smart card or hardware device (HSM)
  • Applicants must submit proof of identity for independent verification

EU Qualified – Individual or eSeal signing certification

  • Must be stored in a FIPS 140-2 Level 2 or 3 smart card or hardware device (HSM)
  • Applicants must submit proof of identity for independent verification
  • Face-to-face or video vetting required

How Ascertia provides online digital signatures

The type of service provider you are, or that you subscribe to, determines the enrolment or eKYC process users will undergo. The higher the level of assurance required, the more vetting and checks take place to verify a user’s identity.

Ascertia’s ADSS Web RA Server supports enrolment and meets the KYC vetting requirements for certificate subscribers. ADSS Web RA Server is an advanced registration authority application. Using the power of ADSS CA Server, it directly issues and manages the lifecycle of certificates, enabling users to select the standard required in SigningHub.

SigningHub, one of our digital signature solutions, closely aligns with eIDAS. It is possible to select the level of assurance for individual documents in the signature field. SigningHub is also Cloud Signature Consortium (CSC) enabled. Organisations can connect it to a compliant RSSP to pick and choose between TSPs.

The latest release of ADSS Server provides support for CSC. This allows TSPs to establish signing services that are compatible with CSC-enabled signing applications such as SigningHub.

Customers can tailor the user experience for users operating SigningHub outside of the EU. They can apply a customised label for the local equivalent of a Qualified Electronic Signature (QES) to provide the level of assurance a customer needs.
