Local vs. remote signing and sealing according to eIDAS


One of the eIDAS objectives is the creation of a European market for electronic trust services with the same legal status and validity as paper-based processes – consistently applied across all member states.

How to ensure trust, transparency and integrity of documents and transactions based on (qualified) electronic signatures & seals

Qualified electronic signatures and seals can be generated and applied locally, or remotely with a trust service provider creating the signature or seal on behalf of the signatory, i.e. the individual/company who signs/seals.

Digitization has created an exponential increase in electronic business transactions and online services, requiring strong security for every aspect of a transaction. Citizens, companies and government bodies all benefit from the eIDAS regulation: less administrative burden due to more efficient processes, support for innovative digital services moving away from paper processes and a better user experience all along the line.

Introducing the qualified electronic seal under eIDAS

Since electronic signatures can only be created by individuals (natural persons), not companies or organizations, eIDAS introduced the concept of qualified electronic seals. These are created by legal entities to prove the origin and integrity of data and documents issued by them. Apart from that, the sealing requirements and processes are very similar to those described for signing below.

The difference between qualified and advanced signatures (or seals)

  • An “electronic signature” is any digital form of a signature, e.g. simply the scan or picture of a handwritten signature. It is rather easy to forge or apply/replicate without the signatory’s consent.
  • An “advanced electronic signature” is a signature that meets the requirements set out by the eIDAS regulation, e.g. that only the signatory is able to create it.
  • The most secure form is the “qualified electronic signature” which in addition is based on a qualified certificate and requires a QSCD for its creation.

Local signing versus remote signature creation (server signing)

The eIDAS regulation introduces the concept of remote signing / server signing as opposed to local signing. While local signing uses cryptographic keys stored on the user’s device to create a signature, server signing relies on a trust service provider (TSP) to remotely generate and manage the signing keys on the signatory’s behalf. This relieves users of the burden of securely managing their own keys and transfers this responsibility to an expert in the field.

Under eIDAS, Qualified Signature or Seal Creation Devices (QSCD) are required for issuing qualified certificates and for using qualified certificates, i.e. for the generation of electronic signatures and seals. In the case of server signing, a so-called Signature Activation Module (SAM) is part of the QSCD. It must be Common Criteria (CC) certified based on the eIDAS Protection Profile (PP) EN 419 241-2 “QSCD for Server Signing” to meet the requirements of such a QSCD.

The SAM in turn must interact with a Hardware Security Module that is CC-certified based on the eIDAS PP EN 419 221-5 “Cryptographic Module for Trust Services”.

In the past, no common certification framework existed, and alternative certification processes and test methods were applied. With the eIDAS Protection Profile EN 419 221-5 now available, this changes.

The Utimaco CryptoServer CP5 Hardware Security Module (HSM) has been certified according to this eIDAS Protection Profile EN 419 221-5 “Cryptographic Module for Trust Services”. Equipped with the certification, it creates the most flexible basis for the development of a SAM according to EN 419 241-2.