Role of a Qualified Trust Service Provider in Europe
1. Much More Than Capturing a Signature
www.xyzmo.com Get Documents Signed. Anywhere. Any time.
Qualified Trust Service Provider
Role in the European Union
Trust Services under eIDAS
• eIDAS ensures that Trust Services will work across borders and have the same legal status as traditional paper-based processes
• Ensure the security and legal validity of an electronic transaction in cross-border scenarios (as at national level)
Levels of Trust Services
Qualified Trust Service Provider
Benefits of QTSPs
• Only QTSPs have a standard level of security in Europe and comply with the requirements defined in the eIDAS Regulation
• Only QTSPs are part of the EU’s Trust List, which contains the providers and services at qualified status. If an entity is not on that list, they are not permitted to provide qualified trust services
• Only qualified trust service providers may use the powerful Trust Mark to advertise or market their services
• Because of the stringent process to become a QTSP, the trust services they provide have a higher legal certainty and higher security of electronic transactions than non-qualified trust services
How To Become a QTSP
1). Assessment: Business needs to get an assessment report issued by an accredited conformity assessment body. This assessment will verify the business and the services it provides meet the requirements to be qualified.
2). Approval: Trust Service Provider sends the report with letter of intent to the national supervisory body in the member state where the business is located. Supervisory body has three weeks to determine if the report proves compliance.
3). Trust List: If qualified status is granted, the Trust Service Provider, together with the qualified trust services it provides are added to the Trusted List. These Lists are established, published and maintained by the Member States.
4). Trust Mark: After the Trust Service Provider is deemed Qualified, the Trust Mark is provided and clearly differentiates them from other trust services.
Certification Process for Qualified Trust Service Providers
Qualified E-Signatures
Executed by a natural person to express consent
QES certificates issued from a QTSP are valid in the entire EU.
• National certificate authorities (CAs) that want to become a QTSP need to be accredited by national supervisory bodies by July 1, 2017.
• Until assessment completion, accredited national CAs are considered QTSP until July 1, 2017.
Remote signatures - creation environment managed on behalf of the signatory
• Receive the same legal recognition as e-signatures that are created entirely user-managed.
• Generating or managing e-signature creation data on behalf of a signatory (for a qualified remote e-signature) may only be done by a QTSP
• E-signatures may be generated or managed either in the data center of the QTSP (Cloud service) or on customer premises (under the control of the QTSP).
Qualified e-signature creation devices (QSCD) require certification by public/private bodies designated by member states
QTSPs can only issue a qualified signing certificate to a holder after their successful identification in accordance with national law
• By physical presence (face-to-face),
• Remotely, using electronic identification to ensure a physical presence (live video ID)
• By using other ID methods recognized at the national level that ensure physical presence (e.g. eID)
Qualified E-Seals
Executed by a legal person to guarantee origin & integrity
New with eIDAS
Similar requirements as signing certificates
• Must be stored and executed on a qualified e-signature creation device
No qualified eSeals today
• No QSCDs certified today for managing certificates issued to a legal person
• Relevant ETSI standard needs to be published (probably end of 2017)
• HSM must be certified against the new standard (1H 2018)
Use advanced e-Seal based on a qualified certificate instead
• Use non-qualified HSMs
• Advanced electronic seal – EU Trust Service List, AATL compliant
• Perfect match for biometric or process/HTML5 signatures
Qualified Time Stamps
Binds data to a particular time, establishing evidence that
• the subject data existed at the asserted time
• the data has not changed since then
Based on defined ETSI standards
• 412, 422
Useful to ensure legal validity of data with
• archiving documents
• executing and signing electronic documents
Namirial Trust Service Provider
Namirial is a Software Company and a Certification Authority, which provides Trust Services like e-signature, registered e-mail, e-invoicing and digital archiving to more than 500.000 customers.
Namirial is specialized in Digital Transaction Management (DTM)
Sign it! Share it! Store it!
Namirial Spa
Headquartered in Senigallia, Italy
>40M€ revenue in 2015 with 350 employees
>2.000.000.000 pages digitally archived annually
>350.000 (qualified) digital certificates issued
Member of the Adobe Approved Trust List (AATL)
Certification & TSA Authority (accred. by AgID)
ISO 9001:2008 (accred. by Bureau Veritas)
ISO 27001:2005 (accred. by Bureau Veritas)
Namirial Trust Services
Digital signing certificates
Qualified remote digital signing
Advanced e-sealing (AATL compliant)
Qualified time stamps
Private key management
Video identification
Long-term archiving
E-Registered Delivery
Namirial Trust Services
Usage with SIGNificant e-Signature Solution
xyzmo SIGNificant: read, edit & sign documents
Namirial Trust Services: qualified signatures, seals & time stamps
eSignAnyWhere: workflows & transaction control
Customers in the branch or shop
Customers directly in the field (mobile)
External users to sign on their own device
Internal Users online in the office
Namirial Trust Services
Usage with SIGNificant e-Signature Solution
SIGNificant Platform
eSignAnyWhere Flow (eSAW)
eSAW Viewer
HTML5 Capture
E-Signing Workflow & Reporting
CA Platform
Certificate enrolment
Signature Execution (PKCS#1)
Sign Engine
HSM
Significant Device Driver
Sign on Phone
eSAW Apps
Biometric Capture
SIGNificant Server
Document Signing (PAdES)
SIGNificant Biometric Server
Real-Time Signature Verification
SaaS or On-Premise
SaaS or On-Premise*
Identity DB
ViSi
Internet or LAN
Add-Ons for external devices
Kiosk SDK Client
Mobile Apps/SDKs
Offline Capable
ViSI Viewer/Client
* TSP controlled
Internet or LAN
Klaus Fellner
VP Sales & Alliances
+43 7229 88060 760
Klaus.fellner@xyzmo.com
Ready to move Forward?
Editor's Notes
E-signatures: Executed by an individual (natural person) - to “sign,” i.e. mainly to express consent on the data on which the eSignature is put
Electronic seal: Executed by an organization (legal person) instead of an individual. The electronic equivalent of a seal or stamp which is applied on a document to guarantee its origin and integrity
Time stamping: The date and time on an electronic document which proves that the document existed at a point-in-time and that it has not changed since then
Electronic delivery: A service that, to a certain extent, is the equivalent in the digital world of registered mail in the physical world
Legal admissibility of electronic documents to ensure their authenticity and integrity
Website authentication: Trusted information on a website (e.g. a certificate) which allows users to verify the authenticity of the website and its link to the entity/person owning the website
Qualified signature creation device