PEPPOL quality trust ratings - explained

Posted by Liaquat Khan on Apr 15, 2013 1:03:00 PM

PEPPOL is a large-scale European Commission project, working on allowing any company in the EU to be able to communicate electronically with any EU governmental institution for all procurement processes. This includes both pre-award (e.g. tendering) and post-award (e.g. ordering and invoicing) processes. The results of PEPPOL are very interesting because they go beyond just e-procurement to also other e-Gov applications and even to non-government sectors, as well as being applicable on a global basis rather than just within the EU.

PEPPOL vision for e-signatures

The e-signature vision of PEPPOL is “to have solutions that make it possible for economic operators in any European country to utilise the e-signatures of their own choice when submitting offers electronically to any European public sector awarding entity.” Economic operators are seen as product and service suppliers responding to public tenders. PEPPOL’s ultimate interoperability aim for e-signatures can be expressed as:

  • An eID holder shall be able to use the eID to sign a document towards any counterparty, even internationally. The eID holder independently selects the eID to use
  • The receiver (relying party) of a signed document shall be able to accept signatures from all counterparties, regardless of the eID used by the counterparty. In an open market, the RP has no influence on a counterparties’ selection of eID
  • A third party, receiving a document signed by other parties, shall be able to verify the signatures no matter which eIDs has been used by other parties. A signing party does not know at the time of signing who may need to verify their signature.

Need for trusted Validation Authorities (VAs)

To achieve this vision PEPPOL recognises that there are many challenges for the Relying Party application which needs to process e-signatures. Beyond the technical challenges like multiple signature/document formats, multiple eID issuers and issues of scaling, the real problem to the Relying Party is the assessment of the risk implied by accepting the signature/eID. This risk is determined by the legal status of the signature, the quality of the eID and the cryptography used, the liability position, and the trustworthiness of the issuing Certificate Authority (CA).

These are tough questions for a would-be relying party needing to accept e-signatures from any corner of Europe and beyond! To aid the process PEPPOL recommends relying parties use Validation Authority (VA) service providers which not only take the technical burden of signature verification away from business applications but also the associated risk through use of an agreed liability model.

Such a model already exists in the form of the BBS Global Validation Service, a centralised authority for verifying e-signatures and eIDs across Europe and beyond. The following diagram illustrates how BBS offer validation services to relying parties shielding them from the complexity of PKIs and associated risks:


PEPPOL vision for e-signatures

The BBS Global Verification Service uses Ascertia ADSS Server as the underlying signature and eID verification technology. Note originally this service was offered by DNV using earlier versions of ADSS Server. For further information on the BBS service, see this presentation.

Signature & eID Quality Requirements

In an open, non-exclusive, environment determining which CAs are trustworthy to an appropriate quality level in an automated manner is an essential requirement for Relying Parties.

Therefore differences in national legislation as well as different requirements for different business applications necessitate development of a framework to enable quality ratings for e-signatures and eIDs. PEPPOL provides a specification for non-discriminatory rules for acceptance of eIDs to replace present policies for national solutions, which only refer to domestic eID issuers or national accreditation schemes.

Ascertia working with DNV as part of the Global Verification Service worked on a signature and eID quality rating scheme back in 2006. The PEPPOL project took this framework and extended it further, in particular to include a parameter for measuring the independent assurance level.

The PEPPOL quality rating framework is based on the following aspects:

  • eID quality: consisting of:

    a certificate quality parameter ranging from 0 to 6 depending on the issuing CA’s CP/CPS. E.g is a qualified certificate policy being used in accordance with ETSI TS 101 456 standard, is the user’s private key held within a SSCD etc. 6 is the highest level.

    an independent assurance parameter ranging from 0 to 7 which defines how the issuing CA is audited and accredited. E.g. is the CA accredited by a public, national or international authority according to applicable law to the CA? 7 is the highest level that can be achieved.

  • Hash Algorithm quality: ranging from 0 to 5 depending on how secure the hash algorithm is. 5 is the highest level, although most algorithms that are considered secure today are expected to have a rating of 2 indicating they are good for next 5 to 10 years.
  • Public key quality: ranging from 0 to 5, same as above.


A qualified electronic signature created with an SSCD and a qualified certificate issued by an accredited CA and using the SHA-224 hash algorithm and a cryptographic key length of 2048, would have signature quality parameters as follows:

  • eID quality: (6,7) – meaning certificate quality level 6 & independent assurance level 7
  • Hash quality: 2 – regarded as trustworthy for 5-10 years
  • Public key quality: 2 – regarded as trustworthy for 5-10 years

Therefore this signature example would have a signature quality = {(6,7),2,2}.

Standard Validation Authority Interfaces

The PEPPOL project has extended the OASIS DSS specifications and W3C XKMS specifications to allow a Relying Party to request the signature and certificate quality levels from an online Validation Authority (e.g. like BBS GVS).

Note a signature can be deemed to be of insufficient quality if it fails to meet the required quality level but passes normal cryptographic checking, certificate path building and certificate validation checking.

ADSS Server v4.1 already supports the PEPPOL enhanced OASIS DSS protocol v4.1 and v4.2 due in Q2 2010 will support the PEPPOL XKMS enhancements.


In large cross-border, non-discriminatory, environments there is a need for being able to quality rate e-signatures and eIDs in an automated manner. PEPPOL has defined such a mechanism.