The Banker newspaper: "The electronic signature goes into the phone"
- Dear Sirs, however familiar the Qualified Electronic Signature (QES) may be, let us give a definition of it. What possibilities does it provide?
Krasimir Georchev: After the adoption of Regulation (EU) No 910/2014 the terminology was slightly changed – the term is now "Qualified Certificate for Qualified Electronic Signature". In Bulgaria, the QES has two main uses. One of them is signing documents and electronic statements, which is legally equal to a handwritten signature on paper. The other is identifying the person who signs with the signature, if the QES certificate includes an identifier such as a Personal No., for example. This use will remain valid for up to one year after the national electronic identity scheme appears under the Electronic Identification Act.
Dimitar Nikolov: According to Bulgarian legislation, the QES must meet certain requirements. These are: to be uniquely linked to the holder; to be capable of identifying the signature's holder; and to be linked to the data signed with it in a way that allows any subsequent change to be detected. The last requirement is that it be stored on a qualified signature creation device: a smart card or a device that meets certain standards. When these requirements are met, the legislation makes the QES equal to the handwritten signature, in the sense that the electronic signature allows the holder to identify himself as the author of the electronic document, to agree with the content of the document, and to protect the document from subsequent changes.
- What would happen if someone tried to change the contents of the document after signing?
D.N.: If such an attempt has been made, the subsequent verification of the electronic signature on the document will fail, and the document will have an invalid signature.
- What is the legal framework for the Cloud QES?
D.N.: Regulation (EU) No 910 appeared in 2014, and although remote electronic signatures had been offered years earlier, it was their first regulation at EU level. The regulation had to take effect in national legislation by 2016, and in Bulgaria this was done in the Electronic Document and Electronic Certification Services Act.
- What is the main difference between the Cloud QES and the QES on a smart card?
D.N.: The main difference between them is that the Cloud QES moves the QES from a smart card to a remote server platform. From now on, in order to use the QES, you need to authenticate yourself through a mobile smartphone. The phone is a means of authentication, a second step in the access. Just as the normal QES requires a smart card and a PIN, the Cloud QES requires a phone and a PIN in order to be used. The remote hardware cryptographic device generates a signature only after the successful two-factor authentication of the electronic signature's holder. Mobility as a feature of the Cloud QES does not mean that the signature is generated in the mobile device (smartphone); the phone only serves to initiate the QES on a remote server. The goal of the Cloud QES is to facilitate the use of the QES and of value-added services, thereby helping to expand the number of e-service users, while acting as a catalyst for the introduction of more e-services on the Internet.
- What are the advantages of using Cloud Qualified Electronic Signature?
D.N.: The Cloud QES has several main advantages over the card QES, while keeping a high level of security. For end clients, the main advantage is convenience and ease of use: it requires only a two-factor authentication mechanism and an Internet connection. It is no longer necessary to store and carry the smart card. We should also not underestimate the cost-effectiveness, because a smart card, a smart card reader and the corresponding drivers are no longer required in the QES set; there is no software installation for the client and no software support. The inconveniences recently imposed by browsers in connection with the use of active components when working with smart cards are also eliminated.
The Cloud QES has several advantages for the relying parties as well. It offers easy integration with added services that improve the quality and functionality of the legally valid electronic signature: Qualified Electronic Timestamps, an Online Certificate Status Protocol (OCSP) service, and formatting services for electronically signed documents according to the standards (XAdES, PAdES, CAdES, ASiC) under Regulation (EU) No 910/2014 of the European Parliament.
- Please explain, at the level of "instructions", how the QES works through the mobile phone.
D.N.: There are two major scenarios for the Cloud QES product: issuance, and use in a system. As for the first, so far it has been possible to issue a "Cloud QES" to an individual on the basis of a QES already issued on a smart card (a scenario for Cloud QES issuance in a B-Trust office will soon be possible). The preconditions for the first scenario are that the user has a smart device with the B-Trust Mobile application installed and holds a qualified electronic signature from B-Trust or another qualified certification service provider. The issuing procedure then proceeds through the following steps:
1. The user opens the BORICA online store, authenticates, and signs a request for the issuance of a Cloud QES and a Certification Services Agreement with their hardware QES.
2. The user downloads, installs and initiates the B-Trust Mobile application and enters the authorization code (OTP) received from the application in the store page, proving ownership of the phone.
3. The user enters a PIN (created by them) for the issued Cloud QES in B-Trust Mobile, after which the key pair is generated on the remote cryptographic device and the QES certificate is created.
4. A push notification is sent to the mobile application for a successfully issued Cloud QES. If push notifications on the phone are turned off, the user can check the status of their requests themselves.
As for the scenarios for using the Cloud QES in a system, it can be used both to sign documents generated in or uploaded to the system and to log in to the system itself. The usage scenarios are numerous, depending on the needs of the relying party.
- What is the security level of the new system?
D.N.: "Cloud QES" is a product whose architecture and development principles meet the highest security requirements, typical of the other high-risk systems operated by BORICA AD. The hardware devices (HSM and servers) meet the requirements for a remote signing service with QES. The algorithms used for two-factor authentication, mobile application protection and remote signature creation are secure, public, and used in a number of EU countries.
- Who and how can issue the cloud signature?
K.G.: At present a cloud electronic signature can be issued on the basis of an existing QES on a smart card, with which the client signs the request for issuance. At a later stage it will be possible to issue the QES at all B-Trust offices, including the local registration offices of BORICA's partners.
- Will we be approved for a loan by phone from now on?
K.G.: The short answer is "yes", and it depends on the offers and the way of operation of the particular bank or financial institution. There are many possible scenarios in which the "Cloud QES" is applicable to user identification and the submission of loan documents, and all the correspondence in this process can be signed with the Cloud QES. Other potential systems using the Cloud QES can be those of banks and financial institutions, telecoms, pension insurance companies, the state administration, etc.
- At what stage is the development? What are BORICA's plans for marketing?
D.N.: Currently, project tests are being carried out in a production environment. We are working with several relying parties on integration with their systems. We hope that the service will attract great interest due to the numerous advantages it provides. As a result, market expansion is expected, with the attraction of new clients using the QES. Increasing the security and trust of the relying parties will lead to the creation of new electronic services requiring the use of the QES, which will contribute to the expansion of the QES market. Due to the nature of the different services using the QES, clients can possess both a card and a Cloud QES. We expect the QES market to grow by at least 50%, and in the near future by even more. On the other hand, the volume of the market will only expand when services using the Cloud QES appear in the relying parties' systems: Internet and mobile banking, telecom systems, insurance and leasing companies.
Source: The Banker newspaper