Qualified digital signature, old wine in new bags?

30 August 2016

Recently, the qualified digital signature has been in the news more and more because of changes in the law. There are also more and more questions about the qualified digital signature, or the qualified electronic signature, as the legislator calls it. How exactly does a qualified electronic signature work? What is the difference with the advanced electronic signature? And can a qualified electronic signature and an advanced electronic signature be placed on a document at the same time?

To explain what a qualified electronic signature is, I would like to go back a few centuries, because not much has changed in the past 800 years ... In earlier times, important documents were always sealed. This was done by folding the document and sealing it with a drop of hot melted wax, usually red. Using a signet ring, the sender's seal was then pressed into the hot wax before it hardened. The seal thus guaranteed the identity of the sender, and an undamaged seal guaranteed that the contents had not been changed.

With the advanced and qualified electronic signature, basically the same thing happens, except that the seal is replaced by a so-called PKI certificate. Such a certificate, issued by a certificate authority, guarantees the identity of the signer and ensures that documents carrying such a seal cannot be modified without 'breaking the seal'. How does this work in practice?

There are two types of electronic signatures in which certification plays a role: the advanced electronic signature and the qualified electronic signature.

Advanced electronic signature

With an advanced electronic signature, the signing service provider seals the document with its organisation-specific PKI certificate: the company's signet ring, so to speak. Sealing then means that the signing service provider has sufficiently verified the identity of the signers using a secure means of authentication, such as iDIN or DigiD, and that after sealing the content of the document can no longer be changed without breaking the seal. All of this is required by law of signing service providers. In the terms of the old method: a document is drawn up, the signing service provider checks the identity of all the signers and seals the document with its own signet ring.

Qualified electronic signature

There are certain documents for which the legislator requires that the authentication of certain signatories be guaranteed to an even higher degree. Think of notaries, accountants and mayors. These parties then have their own personal or organisation-specific PKI certificate. This certificate not only guarantees the identity of this signatory, but is also used to co-seal the document, in addition to the signing service provider's seal. The latter remains necessary because not all signatories have their own certificate, and to guarantee that the process has proceeded as prescribed by law. Compared with the signet ring method: a document is created, the signing service provider checks the identity of all signatories and seals the document with its own signet ring, and the document is also sealed by all other parties with their own seal.
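To make the difference between the two seals concrete, here is an added example (my own illustration, not code from the original post or from any signing service provider). It models the advanced signature as the provider's seal alone and the qualified signature as the provider's seal plus the signatory's co-seal, using Ed25519 keys as stand-ins for PKI certificates; the party names, document text and keys are constructed, and the certificate authority's binding of key to identity is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Seal is one signature over the content, the digital signet-ring impression;
// PublicKey stands in for the signer's PKI certificate (CA binding left out).
type Seal struct {
	Signer    string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// SealedDocument carries the content plus every seal pressed onto it.
type SealedDocument struct {
	Content []byte
	Seals   []Seal
}

// AddSeal signs the content with the signer's key and attaches the seal. The provider's
// seal alone is the advanced signature; a signatory co-sealing on top makes it qualified.
func (d *SealedDocument) AddSeal(signer string, priv ed25519.PrivateKey) {
	pub := priv.Public().(ed25519.PublicKey)
	d.Seals = append(d.Seals, Seal{Signer: signer, PublicKey: pub, Signature: ed25519.Sign(priv, d.Content)})
}

// Verify reports whether every seal still matches the content; one changed byte
// "breaks the seal" of all signers. An unsealed document guarantees nothing.
func (d *SealedDocument) Verify() bool {
	ok := len(d.Seals) > 0
	for _, s := range d.Seals {
		ok = ok && ed25519.Verify(s.PublicKey, d.Content, s.Signature)
	}
	return ok
}

func main() {
	// Constructed keys: in practice each would be bound to an identity by a CA certificate.
	_, providerKey, _ := ed25519.GenerateKey(rand.Reader)
	_, notaryKey, _ := ed25519.GenerateKey(rand.Reader)
	doc := &SealedDocument{Content: []byte("Deed of transfer (constructed sample)")}
	doc.AddSeal("signing service provider", providerKey) // advanced signature
	doc.AddSeal("notary", notaryKey)                     // qualified: notary co-seals
	fmt.Println("seals intact:", doc.Verify()) // true
	doc.Content = append(doc.Content, " (amended after signing)"...)
	fmt.Println("after tampering:", doc.Verify()) // false
}
```

Both seals are computed over the same content, so a change made after signing invalidates the provider's and the notary's seal alike, which is the "broken wax" the post describes.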

Oh yes, since 1 July 2016, employers have also been required by law to have their own PKI certificate when they sign an employment contract electronically. They can, however, also use such a certificate for the qualified sealing of outgoing digital invoices, which is also a requirement from the legislator these days.

Incidentally, the ordinary electronic signature does not use such a seal or certificate. An ordinary electronic signature can still be legally valid, but documents can be changed after signing and are therefore unreliable, and the identity of the signers is not guaranteed either. An example of an ordinary electronic signature is a scanned image of a signature pasted into a Word document.