Digital signatures in Estonia and the rest of Europe – a look back and ahead
Estonia’s clear leader position in Europe and worldwide1 in the field of electronic identity (eID) is no surprise – it’s the result of 10 years of work. While a number of other countries have also issued Estonian-style ID cards to the population, Estonia is unique in that the cards are actually used electronically. Nearly half of Estonia’s adult population has used their ID card at least once over a computer; while the average ID card or mobile-ID user tallies about 20 authentications or digital signatures per month.
Seeing the digital signature the same way
Estonia appears to be the only country where the validity of digital signature is considered beyond reproach and where there are no fundamental technical problems in using them. The reason for the success is choice of strategy – already back in 2002, a number of freeware programs were released to end users and system integrators. All of the components of the software processed the same document format – the DigiDoc format, .ddoc-extension files familiar to us. Everyone assumes that the digital signatures they generate are legitimate, have long-term validity and are legally accepted in Estonia. They’re right!
In contrast, the view of digital signatures in Europe differs greatly and often it is e-service-central: a website prompts the user for the PIN2 at some point and then thanks them – the system does not return the digitally signed output. The reason for this is largely the fact that every e-service generates digital signatures in a proprietary format and for internal use only.
On one hand, the problem for Europe is that the scope of application of the electronic signature directive that entered into force in 1999 is too lax. Estonian legislation requires certification that the signer’s certificate is valid at the time of the signature (incidentally, that is why we must be connected to the Internet at the moment of the signature – so that this confirmation can be obtained). The directive does not require this, though. Worse, the directive mandates that digital signature generated by means less secure than the Estonian ID card or mobile-ID are also to be accepted. This has all led to a state of neglect, meaning that digital signatures are viewed in practice more as a security measure that has little to do with an
A second problem for Europe is the large number of digital signature standards and the laxity of these standards, occasioned by the nature of the directive itself. The most popular standard, the one Estonia uses, too, XAdES2, is long and wide, allowing different security levels as well as internal technologies and formats. DigiDoc is nothing but a specific XAdES profile that ensures the highest level of security and which keeps internal options to a minimum. Many of the producers of software compatible with XAdES support all of the options allowed by the standard, posing a difficult problem for the user – how could a signer know what kind of signature the verifier “likes”?
Latvia (their XAdES profile is called edoc) and Lithuania (adoc) have gone the same route as Estonia. But unfortunately adoc, edoc and ddoc are not interoperable. In 2007, a compromise was struck as part of the work of the Baltic WPKI Forum – we would develop a new profile, called BDOC. Estonia has since adapted it into a national standard, but Latvia and Lithuania have not followed suit.
There is hope, however. In early 2012, the institution that maintains the XAdES standard, ETSI (European Telecommunication Standards Institute) unveiled a XAdeS profile at the behest of the European Commission3 („Baseline Profile“), which limits options significantly. It is quite similar to the specifications of the BDOC. The container that joins files and digital signatures, ASiC4, and its profile5 have been standardized, and these are 99% compatible with our BDOC standard. These developments give reason to hope that we will make headway from national standards toward European ones and that digital interoperability will be achieved.
There is still a long way to go, though. And that goes for Estonia, too.
- ETSI TS 101 903 - XML Advanced Electronic Signatures
- ETSI TS 103 171 – XAdES Baseline Profile
- ETSI TS 102 918 – Associated Signature Containers
- ETSI TS 103 174 – AsiC Baseline Profile