Digital signature reliability
Dutch law distinguishes three types of electronic signatures, and they differ in how much reliability they give you.
How reliable is a digital signature really? European legislation lists six requirements for a sufficiently reliable digital signature or, more generally, a sufficiently reliable electronic signature.
Dutch legislation on electronic signatures has been laid down in Article 3:15a of the Civil Code (Burgerlijk Wetboek, BW) since May 21, 2003. The article originally implemented European Directive 1999/93/EC; that directive has since been replaced by the eIDAS Regulation (EU) No 910/2014, which applies directly in the Netherlands. Article 3:15a of the Civil Code sets the following requirements for an electronic signature. An advanced signature must meet requirements 2a to 2d; requirements 2e and 2f apply only to the qualified signature.
Article 3:15a of the Civil Code
- 2a. it is uniquely linked to the signatory;
- 2b. it allows identification of the signatory;
- 2c. it comes about by means that the signatory can keep under his sole control;
- 2d. it is attached to the electronic file to which it relates in such a way that any subsequent modification of the data can be detected;
- 2e. it is based on a qualified certificate referred to in Article 1.1, part ss, of the Telecommunications Act;
- 2f. it is generated by a secure electronic signature creation device referred to in Article 1.1, part vv, of the Telecommunications Act.
Technical requirements
In addition to the legal frameworks for digital signatures, which are established at the European and national levels, technical requirements have also been set. These, too, follow from eIDAS (electronic identification and trust services). For example, online authentication with a notified electronic identification means must be continuously available, while no specific technical requirements, such as particular hardware or software, may be imposed on the relying parties that depend on such authentication.
For signing documents, PDF signing is used most. For PDF there is the PAdES standard (PDF Advanced Electronic Signatures) developed by ETSI. Alongside PAdES, ETSI has developed XAdES (for XML documents) and CAdES (CMS Advanced Electronic Signatures, for signing arbitrary binary data such as files and messages). All three profiles embed, next to the signature value itself, the signer's certificate and validation data so that the signature can be verified long after signing.
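Requirements 2a, 2c and 2d above, and the AdES formats just mentioned, all rest on the same mechanism: the signer's private key signs a digest of the document, and a verifier can detect any later change to the content or any attempt to attribute the signature to a different key. The Go program below is an added illustration of that mechanism and is not code from the page or from ETSI; it uses the standard library's Ed25519 signatures instead of the X.509/CMS containers the real formats use, the `SignedDocument` type and `TamperCheck` function are my own names, and the lease text is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedDocument carries the document bytes together with a detached
// signature over their SHA-256 digest and the signer's public key.
// It is a simplified stand-in for a CAdES/PAdES/XAdES container, which
// additionally embeds the signer's certificate, signing time and
// validation data (hypothetical type, not part of any standard).
type SignedDocument struct {
	Content   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// contentDigest hashes the document; signing the digest rather than the
// raw bytes is how the AdES profiles bind a signature to the content.
func contentDigest(content []byte) []byte {
	sum := sha256.Sum256(content)
	return sum[:]
}

// Sign creates the detached signature. The private key never leaves the
// signer, which is the "sole control" requirement (2c); in a qualified
// signature it would live in a QSCD rather than in process memory.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, contentDigest(content)),
	}
}

// Verify recomputes the digest and checks the signature against the
// embedded public key. Any change to Content since signing, or a
// signature made with a different key, yields an error.
func Verify(doc SignedDocument) error {
	if len(doc.Signer) != ed25519.PublicKeySize {
		return errors.New("malformed signer public key")
	}
	if !ed25519.Verify(doc.Signer, contentDigest(doc.Content), doc.Signature) {
		return errors.New("signature does not match content and signer")
	}
	return nil
}

// TamperCheck runs the three cases a verifier cares about and reports
// whether each verified: the untouched document, the same document with
// one byte changed after signing (requirement 2d), and the original
// document presented under a different signer's key (requirement 2a).
func TamperCheck() (original, tampered, wrongKey bool, err error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample document; not taken from the page.
	doc := Sign(priv, []byte("Lease agreement: rent EUR 1000 per month"))
	original = Verify(doc) == nil

	altered := doc
	altered.Content = []byte("Lease agreement: rent EUR 1900 per month")
	tampered = Verify(altered) == nil

	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	swapped := doc
	swapped.Signer = otherPub
	wrongKey = Verify(swapped) == nil
	return original, tampered, wrongKey, nil
}

func main() {
	orig, tamp, wrong, err := TamperCheck()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("original verifies: %v\ntampered verifies: %v\nwrong key verifies: %v\n", orig, tamp, wrong)
}
```

What this does not show is requirement 2b: the program trusts whatever public key travels with the document. In a real AdES signature the public key sits in an X.509 certificate, and it is the certificate chain (and, for a qualified signature, the qualified certificate and the QSCD of requirements 2e and 2f) that ties the key to a named person; a verifier therefore has to validate that chain, not just the signature value.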
Reliability in practice
Legal validity says a lot about the reliability of digital signatures. The advanced digital signature and the qualified digital signature can be considered reliable: with both, you can assume that the signature was created by the signer's own key and that the signed document has not been changed since it was signed, because any change would break the signature. Note that the identity behind the key still depends on the certificate, so a verifier must also check that the certificate was valid at the time of signing. For the ordinary electronic signature (for example, a mouse-drawn signature or a scanned image) neither guarantee holds: the image can be copied onto any document and the document can be altered without trace. It therefore cannot be considered reliable.
Besides the legal validity of the digital signature, the reliability level of the authentication means used for digital signing is equally important. The law (Art. 3:15a(1) BW) says the following about this: "An electronic signature has the same legal effect as a handwritten signature, if the method used for authentication is sufficiently reliable, taking into account the purpose for which the electronic data is used and all other circumstances of the case."
To determine the reliability level of an authentication means, the levels of assurance (LoA) defined in ISO/IEC 29115 can be used. To determine which reliability level is appropriate for a specific process, the European STORK model can also be used; this is described in the Handreiking betrouwbaarheidsniveaus voor authenticatie bij elektronische overheidsdiensten (Guide to reliability levels for authentication in electronic government services). An important note here is that the guide is a guideline, not a legal framework. When choosing an authentication method, one should therefore also consider whether it is workable for the process it is used in and does not become an obstacle.