Europe has been running a legislative framework for electronic signatures and digital identities since 1999. In 2022, the European Parliament introduced a significant upgrade by presenting the regulation on electronic identification and trust services for electronic transactions in the internal market, or eIDAS.

In light of recent initiatives in Australia to improve legislation for doing business remotely, this experience is valuable: the European community was among the first in the world to introduce electronic signatures, and it developed a unique legal and technological framework that many other countries borrowed.

The experience is also full of pitfalls and drawbacks, which are equally valuable to consider. It has a significant gap in the use of blockchains and in addressing the legal validity of blockchain transactions, including smart contracts.

Bullet points:

  • eIDAS distinguishes three levels of electronic signatures depending on the credibility of the technology.
  • "Electronic signature" is a legislative notion, while "digital signature" is the technology underneath the first two levels of electronic signatures.
  • Digital signature means the use of public key cryptography, also known as asymmetric cryptography.
  • eIDAS's Public Key Infrastructure is based on a system of trusted third parties. Trust Service Providers, known as TSPs, are independent certified market players that provide customers with electronic signatures/digital identities.
  • QES: a qualified electronic signature is a nonrepudiable signature, meaning that the signatory cannot deny that they are the originator of such a signature. It is ensured by two-factor/multifactor authentication and the use of cryptographic devices.
  • Before the eIDAS regulation, the EU market suffered from interoperability issues. TSPs did not cooperate and limited the use of their services to keep customers within their technological frameworks.
  • eIDAS is highly centralized.
  • eIDAS is highly standardized.
  • Digital certificates, or digital identity records, are stored on third-party servers; therefore, they are not under users' control. Services are at risk of distributed denial-of-service and man-in-the-middle attacks.
  • TSPs do not use the advantages of blockchain technology.
  • There is a lack of TSP services on blockchain. Blockchain private keys have no QES status. Therefore, their legal applicability is significantly limited.

Let us drill down to details.

We must separate the notions of an electronic and a digital signature. The first one is the most general concept. It means any type of e-signature, including a digital one. A person's name under an email and a scan of a handwritten, hardcopy signature are kinds of electronic signatures. They ensure the lowest level of credibility though, as they can be easily faked.

The digital signature is a cryptographic function based on public key, or asymmetric, cryptography.

Electronic vs. digital signature

An asymmetric pair consists of a user's private key and their public key. The private key is used to encrypt messages. Let us agree that throughout this article a "message" means anything that the user wants to sign, such as a contract, email, media file, blockchain transaction, checksum, etc. The public key is used to decrypt a user's message. Private and public keys are mathematically connected.

If Alice encrypted a message and sent it to Bob, Bob can decrypt it using Alice's public key. Another's public key will not decrypt it. So, he can be certain that Alice's private key signed it. Therefore, a private key is used to create digital signatures for messages. The user will keep it private and safe. On the contrary, the user may want to share the public key among counterparties or even the general public. Hence, we can consider the public key as a digital identity.

Asymmetric pair

However, pure public key cryptography is hard to apply practically in the real world. If Charley stole Alice's private key and signed the message, Bob would think that Alice signed it. To address this, people use Public Key Infrastructure, known as PKI, where trusted third parties play a crucial part.

Alice will first ask Dave, who is a certificate authority, to verify her identity. Dave will include Alice's public key in a file and mark it valid. It is called a certificate. Dave will store it on his server, and each time anyone makes inquiries about Alice's digital identity, the server will respond that Alice's public key is valid. But if Alice lost her key, she would ask Dave to mark it invalid. Therefore, even if Charley stole Alice's private key, when Bob verifies the message through Dave's server, he would know that it was already invalid at the moment when it was signed.

There is also a Timestamping Authority in PKI. This is another third-party actor that provides timestamps for signatures. In this way we know when the signature took place.

In the European market, certificate authorities are called Trust Service Providers.

To ensure the credibility of a newly created digital identity, or public key certificate, Alice usually will visit Dave's office and show her ID. Therefore, if Bob trusts Dave, he does not need to know and meet Alice in person. They can interact remotely.

eIDAS established three levels of electronic signatures depending on their credibility.

Qualified Electronic Signature: a nonrepudiable, highly secured scheme. Alice must store her private key on a special certified cryptographic device, such as a smart card, USB token, crypto wallet, etc. Nobody, not even Alice, can extract the private key from the device. The process of signing is performed inside the device in protected software. Even if Alice loses it, nobody can use it because it also requires Alice's secret PIN code. Also, at the moment of signing, a trust service provider, Dave, verifies Alice's identity to make sure that the device and PIN are not stolen. For example, Alice will receive a text message with a secret code or will use other forms of two-factor or multifactor authentication. QES is used for undeniable legal actions, meaning that Alice will not be able to say that it was not her signature; she will have to prove that it was stolen.

Advanced Electronic Signature, or AES: In this scheme, it is accepted that the private key will not be stored on a secured device, though it still must be PIN and 2FA protected.

Other electronic signatures: eIDAS also recognizes technological neutrality and the right to use other types of signatures. Though in disputes, parties may deny their authorship. Technical expertise and evidence of authenticity might be needed to address this.

How will people know which TSP is to be trusted and which is compromised? There is a top-level private key that belongs to someone whom everybody trusts: the government. It announces one private key as a root record, which is used to sign lower-level certificates. Therefore, if the provider Dave loses control over his system, the government will mark his certificate invalid and reissue a new one.
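The hierarchy described above, from Alice's signature up through Dave (the TSP) to the government root, including revocation checked as of the signing time, as an added example written for this page; it is not code from the article, from any TSP, or from an eIDAS implementation. It uses textbook RSA built from fixed Mersenne primes so that it runs deterministically without a prime generator; that is a toy, not a real signature scheme (production signatures use dedicated sign/verify operations with padding, or schemes such as Ed25519, rather than "encrypting with the private key" as the article phrases it). The root keeps its private key and publishes only its public key, which Bob holds as his trust anchor; the `issuers` dictionary stands in for querying Dave's server online. All function names, the integer "timestamps" and the certificate layout are assumptions.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

def toy_keypair(k1: int, k2: int):
    """Textbook RSA key from the Mersenne primes 2**k1-1 and 2**k2-1 (k1, k2 are
    known Mersenne exponents, distinct per key). Returns ((n, e), (n, d))."""
    p, q = 2 ** k1 - 1, 2 ** k2 - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_key, message: bytes) -> int:
    n, d = private_key  # only the holder of d can produce this value
    return pow(_digest(message) % n, d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key  # anyone holding (n, e) can check it
    return pow(signature, e, n) == _digest(message) % n

@dataclass
class Certificate:
    subject: str
    public_key: tuple
    issuer: str
    signature: int = 0

    def tbs(self) -> bytes:  # the bytes the issuer actually signs
        return f"{self.subject}|{self.public_key}|{self.issuer}".encode()

class Authority:
    """A certificate authority: the government root, or a TSP such as Dave."""
    def __init__(self, name: str, exponents: tuple, parent=None):
        self.name, self.parent = name, parent
        self.public_key, self._private_key = toy_keypair(*exponents)
        self.revoked = {}  # subject -> time the subject's certificate was revoked
        self.certificate = (parent or self).issue(name, self.public_key)

    def issue(self, subject: str, public_key: tuple) -> Certificate:
        cert = Certificate(subject, public_key, self.name)
        cert.signature = sign(self._private_key, cert.tbs())
        return cert

def verify_chain(cert, issuers, trusted_root_key, signed_at: int) -> bool:
    """Walk from the subject's certificate up to the root: every issuer signature
    must check out and nothing on the path may be revoked at or before signed_at."""
    current = cert
    while True:
        issuer = issuers.get(current.issuer)  # stands in for querying Dave's server
        if issuer is None:
            return False
        revoked_at = issuer.revoked.get(current.subject)
        if revoked_at is not None and revoked_at <= signed_at:
            return False
        if not verify(issuer.public_key, current.tbs(), current.signature):
            return False
        if issuer.parent is None:  # reached a self-signed root
            return issuer.public_key == trusted_root_key
        current = issuer.certificate

def demo() -> dict:
    government = Authority("Government", (521, 607))  # root of trust
    dave = Authority("Dave", (1279, 2203), parent=government)  # TSP certified by the root
    issuers = {a.name: a for a in (government, dave)}
    root = government.public_key  # Bob's trust anchor: the published root public key
    alice_pub, alice_priv = toy_keypair(107, 127)
    alice_cert = dave.issue("Alice", alice_pub)
    charley_pub, _ = toy_keypair(61, 89)
    contract = b"Alice agrees to sell her bicycle to Bob for 100 EUR"  # constructed message
    sig = sign(alice_priv, contract)  # say this happens at t=10
    # A certificate carrying Charley's key under Alice's name with a copied signature
    fake_cert = Certificate("Alice", charley_pub, "Dave", alice_cert.signature)
    results = {
        "genuine": verify(alice_pub, contract, sig) and verify_chain(alice_cert, issuers, root, 10),
        "wrong_key": verify(charley_pub, contract, sig),
        "forged_certificate": verify_chain(fake_cert, issuers, root, 10),
    }
    dave.revoked["Alice"] = 20  # Alice reports her key lost at t=20
    results["signed_before_revocation"] = verify_chain(alice_cert, issuers, root, 15)
    results["signed_after_revocation"] = verify_chain(alice_cert, issuers, root, 25)
    return results
```

`demo()` returns `genuine` and `signed_before_revocation` as `True` and the other three checks as `False`: Charley's public key does not verify Alice's signature, a certificate whose contents were swapped no longer matches Dave's signature over it, and a signature made after the revocation time is rejected even though the key itself still works. The same walk would reject everything Dave issued if the government entered Dave in its own `revoked` table, which is the article's "reissue a new one" step.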

As you see, this system is highly centralized. Alternatively, there is an anarchistic system known as a web of trust. Users identify themselves by creating their own lists of trusted public keys and roots. This approach has not become widespread, though. The centralized hierarchy is the officially recognized eIDAS/TSP scheme and is supported by various technical standards and security protocols, which makes the domain stable and predictable.

Why is this system convenient?

For example, Estonian e-Residency is nothing more than a smart card with a private key that can be used to sign transactions. Say Alice lives in Australia, and she visits the Estonian embassy and receives her smart card. In this case, the embassy plays the role of a TSP. Now, Alice can remotely register her Estonian company and do multiple legal actions online, including signing contracts.

Estonian e-Residency card

Are Australian electronic signatures different?

The Australian legal framework does not recognize nonrepudiable signatures. Any technologies are equal and can be used as electronic signatures as long as they can ensure some level of certainty in "who signed what."

Australian lawyers, based on the existing legislative uncertainty and precedents, recommend avoiding electronic signatures in the corporate sphere in favor of paper documents signed with wet-ink signatures, which does not sound like we are in the 21st century.

The Australian system is ad hoc. For example, in electronic land title deeds, where legislators have defined specific regulations for electronic forms, Australians apply a similar PKI system based on certificate authorities, though their keys are not reusable elsewhere.

People have to use different technologies and approaches in different cases, which may require managing multiple keys and passwords and supporting the validity of numerous digital identities. Inevitably, it leads to higher transaction costs.

If there were an overall, national PKI system recognized across public and commercial services, people could use one approach in various schemes.

Let's say that if Alice could get her generally recognized private key, she would use it to register her company, register her car, pay taxes and fines, or even vote in elections. Nowadays, if Alice needs to apply for a certificate for working with children, she will go to a post office and pay 125 Australian dollars. The post office staff will check her ID and photograph her on their camera for one reason only: to verify her identity and tell the government agency that Alice is truly Alice so that the agency can issue the certificate. Something similar will happen with other public services. Whereas if Alice had one general digital identity, this transaction could cost just a few cents. It would involve neither post office nor agency labor at all due to full automation.

Why did the European market suffer for many years?

There was one significant flaw until 2022: TSPs were not obliged to interoperate with each other. If Alice got her key from Dave, and Bob received his key from Eve, Alice and Bob could not sign a contract. They had to be either Dave's or Eve's clients.

The eIDAS regulation addressed the issue of interoperability. For instance, an Estonian smart card opens the doors to all EU member states' markets.

How tin blockchain improve trusted services?

With blockchain, cryptocurrency is attached to an address. The address is nothing more than a representation of a user's public key. If Alice wants to spend her coins, she creates a transaction — which is technically a command for the blockchain node to spend these coins from one address in favor of another — and signs it using her private key.

At a more abstract level, blockchain itself is nothing more than a list of records:

  • Alice sent five coins to Bob. Alice's signature.
  • Bob sent three coins to Charley. Bob's signature.
  • [...]

This creates a few aspects to consider.

If we identify the address, it will become the user's identity. The private key can be used to authenticate both blockchain transactions and other transactions off-chain because it is just a standard cryptographic key. To make it work together, there must be a developed PKI over the blockchain.

To develop a PKI, we can use blockchain itself to store the certificates. It will mitigate the risks of DDoS and man-in-the-middle attacks. What are these? Say Dave's server is under a DDoS attack and therefore cannot reply to inquiries. So, when Bob receives a message, he cannot verify whether Alice's identity is valid or not. In a man-in-the-middle attack, Alice's certificate is faked, meaning that when Bob checks the message, Dave's server says that the message belongs to Alice while in reality it belongs to someone else.

All this can be addressed by storing certificates on-chain. Hence, counterfeiting will be impossible, and the blockchain will always be accessible for inquiries.

Of course, this is true unless a permissioned distributed ledger is used instead of blockchain. In this case, the credibility of the ledger relies on the authority — be it a single actor or a defined group of "validators" — that runs the ledger, which is equivalent to a centralized system.

Another advantage of the public ledger is that blockchain-based PKIs do not require a centralized Timestamping Authority. The blockchain stores transactions chronologically, and they cannot be altered. Blockchain is a kind of decentralized "timestamping machine."
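The "list of records" that also stores certificates and acts as a timestamping machine, as an added example written for this page rather than code from the article or any blockchain project: a toy hash-linked, append-only ledger in which payments and certificate-status records sit side by side, a record's position is its timestamp, and Bob answers "was Alice's certificate valid when she signed?" by reading the chain up to that position. Signature checks are left out to keep the focus on tamper evidence and ordering; the record layout, the `status` values and the placeholder public key string are assumptions. One caveat the code makes visible: hash linking alone only makes an edit detectable. What makes rewriting history expensive on a public chain is the consensus rule governing who may append, which is exactly why the author's permissioned-ledger remark matters.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass
class Record:
    index: int
    previous_hash: str
    payload: dict  # e.g. a payment, or a certificate status for some identity

    def digest(self) -> str:
        body = json.dumps([self.index, self.previous_hash, self.payload], sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    """Hash-linked, append-only list of records. Position in the list is the
    'timestamp': a record can only be later than everything it links back to."""
    def __init__(self):
        self.records = [Record(0, "0" * 64, {"type": "genesis"})]

    def append(self, payload: dict) -> int:
        last = self.records[-1]
        self.records.append(Record(last.index + 1, last.digest(), payload))
        return last.index + 1  # the returned position doubles as the timestamp

    def verify(self) -> bool:
        """Recompute every link; any edit to an earlier record breaks a later link."""
        return all(cur.previous_hash == prev.digest() and cur.index == prev.index + 1
                   for prev, cur in zip(self.records, self.records[1:]))

    def certificate_status(self, subject: str, as_of: int):
        """Latest certificate state recorded for subject up to position as_of:
        how Bob checks whether Alice's key was valid at the moment she signed."""
        status = None
        for rec in self.records[: as_of + 1]:
            p = rec.payload
            if p.get("type") == "certificate" and p.get("subject") == subject:
                status = p["status"]
        return status

def demo() -> dict:
    # Constructed sample history in the shape of the article's list of records
    ledger = Ledger()
    t_cert = ledger.append({"type": "certificate", "subject": "Alice", "issuer": "Dave",
                            "public_key": "<Alice's public key, placeholder>", "status": "valid"})
    t_pay = ledger.append({"type": "payment", "from": "Alice", "to": "Bob", "amount": 5})
    t_rev = ledger.append({"type": "certificate", "subject": "Alice", "issuer": "Dave",
                           "status": "revoked"})
    ledger.append({"type": "payment", "from": "Bob", "to": "Charley", "amount": 3})
    results = {
        "intact": ledger.verify(),
        "status_at_payment": ledger.certificate_status("Alice", t_pay),
        "status_after_revocation": ledger.certificate_status("Alice", t_rev),
        "ordering": t_cert < t_pay < t_rev,
    }
    ledger.records[t_pay].payload["amount"] = 500  # someone edits history in place
    results["tampered_detected"] = not ledger.verify()
    return results
```

`demo()` reports the chain intact, Alice's certificate `"valid"` at the time of her payment and `"revoked"` once the later record is read, the three positions strictly increasing, and the in-place edit of the payment amount detected because the next record's `previous_hash` no longer matches.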

If Alice has her private key and a recognized blockchain address, she will be able to perform legally binding transactions on the blockchain, such as executing smart contracts and inserting legally important information, which by default will be considered as Know-Your-Customer checked.

To ensure the European Union's equivalent of QES, Alice will have to use a hardware cryptocurrency wallet, which protects her private key from theft.

Eventually, the main advantage of blockchains is that they play the role of a decentralized public infrastructure with append-only repositories and a native mechanism to authenticate transactions through public key cryptography.

To address the issue of one root of trust, communities may create their customized webs of trust on blockchains. By the way, this is probably the reason why the concept of a web of trust did not go mainstream before. There was no such public decentralized infrastructure as blockchain. Blockchain is that common pipeline, a spare environment where independent parties interact peer-to-peer without relying on someone's will and authority.

The world is moving in the direction of digitizing the various spheres of our life. The unification of approaches to managing digital identities is the key to addressing issues of transaction speed and costs, extensive labor, convenience and usability of technologies, along with the issue of trust, assuming that blockchain is in use.

The views, thoughts and opinions expressed here are the author's alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Oleksii Konashevych is the author of the Cross-Blockchain Protocol for Government Databases and a protocol of smart laws for property rights. Oleksii is a Ph.D. fellow in the Joint International Doctoral Degree in Law, Science and Technology program funded by the EU government. Oleksii is visiting RMIT University in Melbourne, Australia, and collaborates with the RMIT University Blockchain Innovation Hub, researching the use of blockchain technology for e-governance and e-democracy. He works on tokenization of real estate titles, digital IDs, public registries and e-voting. Oleksii is the co-author of a law on e-petitions in Ukraine, collaborating with the presidential administration of Ukraine as the manager of the nongovernmental e-Democracy Group from 2022 to 2022. In 2022, Oleksii participated in drafting a bill on Anti-Money Laundering and tax issues for crypto assets in Ukraine.