This guest post from the Ascertia partner community comes courtesy of Stefan Claeys, Managing Partner at KeySign. This blog discusses the eSignature landscape, smart cards and remote signing.
Where do we start with digital signatures? This is often the question that customers ask, and our response is to counter with two questions:
- What level of assurance do you need?
- What signing method best suits your requirements?
We ask because every use case is different.
Take a mortgage, for example. That is a legal document that requires a Qualified Electronic Signature (QES). This type of eSignature has the same legal weight as a written signature. In contrast, you might be signing a timesheet or a purchase order. For these, a basic electronic signature is likely to suffice.
The minimum level of required assurance normally determines the right digital signature for the situation. The more flexible the signing solution, the more useful it will be to the document owner. Flexibility allows the user to request an appropriate level of assurance from document signers on a case-by-case basis.
Let’s take Belfius, the Belgian bank, as an example. The bank manages its digital signatures easily and quickly using the itsme service and a Belgian eID card. Belfius doesn’t mind which option a customer selects, as long as it is a QES.
And this is the crux of the matter.
Document owners should be able to request an appropriate level of assurance from signers, regardless of the signature method needed.
Are smart cards smart?
When it comes to different methods, smart cards (or eID cards) are ideal for local signing where they act as a secure PKI signing key. They are compatible with a wide range of browsers, and because the signer doesn’t have to download any code, they are simple and accessible.
Bulk signing on a local basis is more cost-effective when managed by using a smart card, too. There are some drawbacks to this method, though. To start, it requires a card reader; the signer must be able to recall their pin number, and a card won’t work if the signer is working on a mobile phone.
A larger challenge occurs within large organisations with thousands of employees. Issuing a card with a corresponding certificate to every single worker is a heavy task, particularly if people are unlikely to sign a document more than once a year. eID cards have not been designed to scale in this way.
By comparison, a cloud-based remote signing solution allows people to digitally sign documents without the need for a reader using any internet-connected device. This also makes this method ideal for digital signatures that need to cross borders.
The CSC (Cloud Signature Consortium) is committed to building new standards for cloud-based digital signatures. It acknowledges the importance of smart cards, particularly when it comes to managing costs for local signers. However, the CSC’s remit is to encourage cloud-based services using centrally held keys that allow signing on any device, at any time, from anywhere.
The real key to successful digital signature management is allowing for changing circumstances. A person may select a remote method one day because they are using phone. However, the next day, sitting at their desk with many documents to sign, they prefer to use a smart card because the reader is at hand.
Organisations require a solution that has a minimum level of built-in assurance. Additionally, they need the ability for the document owner to adjust thresholds for each signer as necessary.
At a time when businesses are adapting to new ways of working, the accessibility, compatibility and security of high-trust signing solutions add considerable value and ensure organisations are prepared for the digital future.
For more information on the digital trust landscape, browse our other blogs.