
New ETSI standard allows for remote signing with identification only

In December 2024, the European Telecommunications Standards Institute (ETSI) published an updated version of the TS 119 431 standard, effectively eliminating the need for a one-time password (OTP) in a qualified remote signing process. Here, Sebastian Elfors, Senior Architect at IDnow and CSO at IDnow Trust Services AB, provides an in-depth summary of the standard and analyzes the changes and the benefits they bring to a more user-friendly process.

Introduction to remote signing services

The concept of remote signing means that the user’s private key and qualified certificate are generated and protected in a Remote Qualified Signature Creation Device (RQSCD). The RQSCD in turn is operated by a Qualified Trust Service Provider (QTSP). The user can access its private key and qualified certificate by authenticating to a Signature Activation Module (SAM), which triggers the creation of a qualified electronic signature in the RQSCD. The QTSP that operates the SAM and RQSCD is also referred to as a remote signing service.

In other words: the user can delegate the use of its private key and qualified certificate to a remote signing service, which can create qualified electronic signatures “in the cloud” on behalf of the user. There are several benefits with this approach: most importantly, the user can access the remote signing service from any device that supports the required level of authentication. This is a more user-friendly solution than the smart cards (local QSCDs) that need to be attached to the user’s device over USB or NFC (Near Field Communication).

Relevant regulations and standards

Under eIDAS1 (Regulation (EU) No 910/2014), the RQSCD operations can be performed as a module, given that the QTSP is certified for another qualified trust service, such as a certification authority. Under eIDAS2 (Regulation (EU) 2024/1183), the RQSCD operations are legally defined as a qualified trust service. Hence, there is a need for standards that technically define how the remote signing service should operate an RQSCD.

The European Committee for Standardization (CEN) has published three standards on remote signing services:

  • CEN EN 419241-1: Trustworthy Systems Supporting Server Signing part 1 – General System Requirements
  • CEN EN 419241-2: Trustworthy Systems Supporting Server Signing part 2 – Protection Profile for QSCD for Server Signing
  • CEN EN 419221-5: Protection profiles for TSP Cryptographic modules part 5 – Cryptographic Module for Trust Services

In addition to the CEN standards, the European Telecommunications Standards Institute (ETSI) has published three complementary standards on remote signing services:

  • ETSI TS 119 431-1: Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD / SCDev
  • ETSI TS 119 432: Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation
  • ETSI TS 119 431-2: Policy and security requirements for trust service providers; Part 2: TSP service components supporting AdES digital signature creation

An overview of a remote signing service according to CEN EN 419241-1 is illustrated in the picture below (adapted from CEN EN 419 241-1).

Long-term versus one-time certificates

These CEN and ETSI standards are the cornerstones for eIDAS1/eIDAS2-compliant operations of remote signing services.

However, the CEN and ETSI standards were scoped for use with long-term qualified certificates. This means that the certificate will be valid for 2-3 years in the RQSCD, and the users will come back multiple times for repeated use of their certificates. Hence, the CEN standards specify an authentication framework that consists of a SAP (Signature Activation Protocol) with a SAD (Signature Activation Data) at SCAL2 (Sole Control Access Level 2). This solution is beneficial for users that need to sign multiple electronic documents, for example a managing director who digitally signs several contracts on a weekly basis.

There is, however, another scenario where one-time (or short-lived) qualified certificates are more suitable. For example, this is the case when a private person needs to digitally sign an agreement with a bank or a telecom operator. This is a one-off process: the user will be identified by the bank or telco provider once, and then signs the PDF agreement. There is typically no need for the user to return and sign another agreement with the bank or telco provider.

In order to be compliant with the CEN and ETSI standards, the QTSP would first need to identify the user in order to issue the certificate, and second authenticate the user in order to create the signature with the RQSCD. This makes perfect sense if the certificate is long-term and the user is authenticated multiple times to create several signatures.

In the case of one-time certificates, however, the second authentication step is redundant since the user has already been identified within the same process.

Changes to the ETSI TS 119 431 standard

With this background, IDnow proposed to CEN TC224 WG17 and ETSI ESI that the relevant standards be updated to allow remote signing based on identification only when one-time certificates are used. ETSI ESI embraced the proposal and updated ETSI TS 119 431-1 to v1.3.1 in December 2024. In this new revision of ETSI TS 119 431-1, the concept of one-time certificates is defined, and it is clearly stated that it is sufficient to identify the user for (1) issuing the certificate and (2) creating the signature in the RQSCD, provided that these two operations are performed within the same session during a limited period of time.
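As an added illustration (not code from the article, IDnow or ETSI), the following toy Signature Activation Module shows what the "same session, limited period" condition for one-time certificates amounts to in practice: the signature request must arrive through the session in which the user was identified and the certificate issued, inside a time limit, and the certificate can sign exactly once. The class names, the 600-second window and the session bookkeeping are assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed limit for the whole identify -> issue -> sign flow; the standard leaves
# the concrete period to the QTSP's policy, so this value is a placeholder.
SESSION_TTL_SECONDS = 600


@dataclass
class Session:
    session_id: str
    identified_at: float               # when identity proofing completed
    subject: str
    cert_serial: Optional[str] = None  # one-time certificate issued in this session
    cert_used: bool = False            # a one-time certificate may sign exactly once


class OneTimeCertSAM:
    """Toy SAM enforcing the identification-only rule for one-time certificates."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                 # injectable clock so the window is testable
        self.sessions: Dict[str, Session] = {}

    def record_identification(self, session_id: str, subject: str) -> Session:
        s = Session(session_id, self.now(), subject)
        self.sessions[session_id] = s
        return s

    def issue_one_time_cert(self, session_id: str, serial: str) -> str:
        s = self.sessions[session_id]
        if s.cert_serial is not None:
            raise PermissionError("session already holds a one-time certificate")
        if self.now() - s.identified_at > SESSION_TTL_SECONDS:
            raise PermissionError("identification too old; re-identify the user")
        s.cert_serial = serial
        return serial

    def activate_signature(self, session_id: str, serial: str, dtbs_hash: str) -> dict:
        # No OTP: sole control rests on the request coming through the same session
        # in which the user was identified and the certificate issued, in time.
        s = self.sessions.get(session_id)
        if s is None or s.cert_serial != serial:
            raise PermissionError("certificate is not bound to this session")
        if self.now() - s.identified_at > SESSION_TTL_SECONDS:
            raise PermissionError("session expired; identification no longer valid")
        if s.cert_used:
            raise PermissionError("one-time certificate already used")
        s.cert_used = True             # burn the certificate after its single use
        return {"serial": serial, "subject": s.subject, "signed_hash": dtbs_hash}
```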

Further implementations and standardization

With the revision of ETSI TS 119 431-1 v1.3.1, it is now possible for QTSPs around the EU to design their remote signing flows with one-time certificates based on identification only. This caters to a more user-friendly process without a one-time password, since the user only needs to be identified once.

The Cloud Signature Consortium specification CSC API can also be adjusted to allow for such remote signing procedures, which is illustrated in the picture below.

This change to the ETSI TS 119 431-1 will result in more user-friendly, yet secure, remote signing flows for the QTSPs and EU citizens.

About the author

Sebastian Elfors is Senior Architect at IDnow.
