AdES vs QES
===========

.. post:: Aug 12, 2022
   :tags: signatures

According to the eIDAS regulation, there are `3 levels`_ of electronic signatures:

#. Simple Electronic Signatures: "data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign". `source`_
#. Advanced Electronic Signatures (AdES): identifies the signatory / non-repudiation
#. Qualified Electronic Signatures (QES): created by a qualified signature creation device (QSCD) / uses qualified certificates

A QES is, at a minimum, legally equivalent to a hand-written signature. That doesn't mean that a simple signature or an AdES is not - a court can decide that on a case-by-case basis.

.. _3 levels: https://ec.europa.eu/digital-building-blocks/wikis/display/ESIGKB/What+are+the+levels,+simple,+advanced+and+qualified+of+electronic+signatures
.. _source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN#d1e791-73-1#:~:text=%E2%80%98electronic%20signature%E2%80%99%20means%20data%20in%20electronic%20form

The question is: why don't NemID/MitID and other eID providers just generate a QES? They know the identity of the signer, so generating a QES should be a straightforward process - no? Here are my thoughts on it...

Let's take a step back and talk about some standards for signing data and representing the signature information:

- XMLDSIG: XML Digital Signature processing rules and syntax. https://www.w3.org/TR/xmldsig-core1/
- CMS: Cryptographic Message Syntax. https://datatracker.ietf.org/doc/html/rfc5652

They are not compatible with each other, since the value being signed is not the same according to the two standards. Anyway, on a conceptual level the idea is to sign digital content (i.e. encrypt the hash of the content with the signer's private key). In order for any third party to ensure that the data is signed by some individual, a public key is also stored with the signature - but just storing the public key isn't enough.

Additional proof is required to assure that the public key belongs to the signer. This proof comes in the form of a certificate (i.e. a public key certificate, or simply a digital certificate). A certificate chain is probably also needed, containing all the certificates up to the root certificate, which is trusted by all parties. So, an XMLDSIG or CMS signature must have at least the following:

- Signed value (the encrypted hash)
- Public key certificate
- Optionally, additional certificates (the certificate chain) going all the way up to the root certificate

This is what an AdES contains, and it works well if the signature is only needed for a short period, e.g. a login. However, if I want to sign documents using AdES, then we need to make sure that the signature stays valid at least for the lifetime of the document.

How can a signature not stay valid after signing? It can happen if a certificate (any certificate in the chain) either expires or gets revoked for some reason. This is why it is important to ensure that the signature stays valid over the long term. The concept is called Long Term Validation (LTV). It can be achieved as follows:

- Check the OCSP responses for all the certificates, or check the certificate revocation lists (CRLs), to make sure that the certificates are valid at that point in time
- Get a timestamp from a trusted authority, called a Time Stamp Authority (TSA)

This information needs to be present with the signature to enable LTV. XMLDSIG and CMS don't support mechanisms to store this information. However, their extensions do:

- XAdES
- CAdES

Similar standards also exist for PDF and JSON:

- PAdES
- JAdES

Anyway, having LTV information is expensive and not always needed, which is why services like NemID/MitID don't need to generate signatures containing this info. Qualified Signatures (QES) contain this information (and I imagine they also contain other guarantees).

So the creators of the standard probably just made the specification easy to understand by requiring that qualified signatures be generated by a Qualified Signature Creation Device (QSCD), which probably ensures that the signature contains all the proof needed, like LTV, etc. Maybe there is more to it - but this is what I understand as of now.
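The expiry problem and the timestamp half of the LTV fix described above, as an added Go example that is not part of this post: a constructed root CA issues a short-lived signer certificate, a sample document is signed, and the result is verified once by the clock after the certificate has expired and once at the trusted timestamp time. The ``Signature`` type, ``Verify`` and ``Scenario`` are assumed names; the TSA time is simply taken as the signing time rather than obtained from a real TSA, and the OCSP/CRL part of LTV is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Signature struct {
	SignedValue []byte            // signed document hash (the post's "encrypted hash")
	SignerCert  *x509.Certificate // the signer's public key certificate
	Timestamp   time.Time         // assumed to come from a trusted TSA (what LTV adds)
}

// Verify checks the signed value against the document hash, then validates the signer certificate
// up to root as of `at` (the clock for a plain check, the TSA time for an LTV-style check).
func Verify(doc []byte, s *Signature, root *x509.Certificate, at time.Time) bool {
	h := sha256.Sum256(doc)
	if pub, ok := s.SignerCert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, h[:], s.SignedValue) {
		return false
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := s.SignerCert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario signs with a certificate that expires an hour later and reports whether the signature still verifies two hours on, by the clock and by TSA time.
func Scenario() (laterByClock, laterByTSA bool) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	root := parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))
	cert := parse(x509.CreateCertificate(rand.Reader, tmpl, root, pub, caKey))
	doc := []byte("constructed sample document")
	h := sha256.Sum256(doc)
	sig := &Signature{SignedValue: ed25519.Sign(key, h[:]), SignerCert: cert, Timestamp: now} // TSA time = signing time
	laterByClock = Verify(doc, sig, root, now.Add(2*time.Hour)) // certificate has expired by then
	laterByTSA = Verify(doc, sig, root, sig.Timestamp)           // but it was valid at the attested time
	return
}
```

A real LTV profile would also embed the OCSP responses or CRLs gathered at the timestamp time, so that revocation can be judged as of that moment as well.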