Remote Signing Platform
The platform of BORICA AD for remote signing of e-documents with a cloud qualified electronic signature – ‘Cloud QES’ – facilitates operation with trust services both for relying parties and for end customers. It allows for remote identification of natural persons on the basis of a Qualified Certificate of Qualified Electronic Signature (QCQES), or for signing an electronic document with an electronic signature on behalf of a natural person, using cloud technologies and in compliance with Regulation (EU) 910/2014 (eIDAS).
The Cloud QES platform is integrated in the B-Trust infrastructure for qualified trust services of BORICA AD, as a qualified trust service provider (QTSP), and provides centralized storage and management of Signatories’ private keys and remote QES generation in a high-security environment with strict administrative and operational procedures and physical and logical protection. Signatories keep full and personal control over their private key through a secure (2-factor authentication) mechanism of strict online authentication, which is supported by a cloud QES mobile application. On this basis, signatories gain ‘mobility’ for their QES through their smart device. Signatories are ‘free’ from the specific technical requirements of signing with a QES – having a smartcard and a reader, and installing the respective drivers required for them – while via the Cloud QES platform they generate a legally valid qualified electronic signature.
- Expanding the scope of the electronic services offered, making them more accessible
- Reliable user identification
- Easy integration with added services that improve the quality and functionality of the QES, i.e., the relying party can profile its electronic document workflow
- Independence from operating systems, browsers, development and support of active components (drivers) for readers and cards
- Higher security – the known vulnerabilities of the hardware QES are remedied by the 2-factor authentication scheme required for each signature
- Immediate stop of the use of a cloud QES upon termination
- Easy integration with value added services, which improve the quality and applicability of the legally valid electronic signature:
- by using qualified electronic timestamps
- by using a service for online verification of the status of electronic signature certificates – Online Certificate Status Protocol (OCSP)
- by using services that produce electronically signed documents in the formats standardised (XAdES, PAdES, CAdES, ASiC) under Regulation (EU) 910/2014 of the European Parliament and of the Council
- by integrating Relying Parties’ systems with qualified validation services pursuant to Regulation (EU) 910/2014 of the European Parliament and of the Council.
The Relying Party’s application system can use the service for customer authentication by means of a cloud Qualified Electronic Signature. For this purpose, upon entry into the system, the Relying Party’s application system sends to the service a predefined identifier (the user has to be registered with this identifier in the service) and an authentication request. The customer receives on the mobile device a notification of the received request for entry into the relevant Relying Party’s application system and confirms the request by signing it, i.e. by entering the PIN code of the respective cloud QES.
Via the user interface of the Relying Party’s application system, the Signatory selects one or more electronic documents for signing with a cloud QES. Irrespective of the mode of operation (hash or whole document), whether a single document or several electronic documents are signed, the application system delivers the document(s) prepared for signing to the Cloud QES platform, together with instructions about the format, level and type of the electronic signature.
The Signatory receives on the mobile application a notification of a received request and respectively confirms the signing by entering the PIN code of the cloud QES certificate.
The services providing one-time/limited electronic signature functionality require the Relying Party to perform the role of a Local Registration Authority (LRA) of the trust service provider BORICA AD for the issuance of qualified electronic signature certificates. A requirement for issuing an electronic signature is the identification of the Signatory immediately prior to the issuance of the certificate. The relations between BORICA AD and the Relying Party, as an LRA, are provided for in a Local Registration Authority Agreement covering the activities for identification of the Signatory and issuance of an electronic signature by the Relying Party.
A one-time certificate may be issued and applied for signing documents, after using the Web identification service.
A one-time qualified certificate is a cloud qualified certificate of qualified electronic signature issued for a particular purpose. A one-time CQES is issued under the same terms and conditions as the standard qualified certificate of electronic signature. The certificate is issued to the person for the purpose of signing an electronic document with a qualified electronic signature. The certificate may not be used after the activity it was issued for has been completed, even if that activity is completed before the expiry of the certificate’s validity. After the end of its validity term, the certificate automatically becomes null and void.
To confirm signing with a one-time CQES, a one-time password (OTP) code sent to the Signatory’s mobile phone is used.
The Relying Party’s application system can also use the service through an automated mechanism for signing documents without the Signatory confirming each of them by PIN code. For this purpose, the Relying Party sends a request for consent to the certificate holder. The Signatory confirms and signs the request electronically by entering the PIN code of the certificate. Based on the consent request signed by the certificate holder, the Relying Party then sends documents for automated signing, with no need for them to be confirmed individually by the customer via the mobile application.