Digital Signatures need global interoperability

By Patrick Beckman Lapré, Digital Trust Specialist, DigiCert.

  • 1 year ago Posted in

Digital Signatures are a foundation of modern business. They’re the encrypted marks of authentication that allow us to trust the messages, contracts and documents that we send and get sent. They both prove the identity of the signer and assure that the document has not been tampered with since signing. However, in a globalised and digitised world they face real interoperability and security issues.

National regulation and international commerce

Digital signatures require regulator approved status in order to be considered legally admissible. However, business is now global - while national legal authority often remains just that - national. The specific requirements and regulations that each individual country puts on digital signatures can differ significantly - threatening interoperability and introducing serious security problems into a process which should be normalised across countries and technologies.

Perhaps the most notable piece of regulation around digital signatures is the EU’s eIDAS (electronic IDentification Authoritarian and trust Services). Starting in 2016, eIDAS established a legal basis for digital signatures in the EU’s 27 member states. There are regulations of this kind all over the world: In India, China, USA, Brazil and many other countries and many are attempting to align their own digital signature regulations with eIDAS to enable cross-border interoperability.

However, because digital signatures need regulator recognition to work - and regulatory jurisdiction is still mostly national - there arises the risk of balkanization between different territories which could ultimately harm the interoperability and security of those digital signatures.

The differences in regulations and standards between different territories come with the risk of inconsistency and lack of interoperability. One digital signature which is compliant in one territory may be invalid in another. Digital signatures must be provided by a nationally authorised certificate authority. If one regulator does not recognise a CA from another territory or jurisdiction then the digital signature may be unrecognised. In other cases, the comparatively lower security standards required by one jurisdiction, may threaten the security of a party being transacted within another jurisdiction. This mismatch threatens both the smooth transaction of international trade and the security of the parties, frustrating a process that should be seamless.

Sectors

These problems don’t just raise their head when it comes to borders, but sectors too. Take the banking sector which is one of the primary users of digital signatures. Even within the jurisdiction of eIDAS, banking regulations in the EU are often nationally set which causes potential clashes with eIDAS compliance. A 2023 report from the University of Maribor -entitled eIDAS Interoperability and Cross-Border Compliance Issues - notes “When setting up eIDAS, one of the use cases was to enable the remote opening of bank accounts across borders. However, the banking area is heavily regulated, and local legislation hinders the envisioned seamless connection with foreign banks.”

Devices

This isn't just a point about national jurisdiction but device heterogeneity too. Outside of the realm of regulation and compliance, digital signatures are still often balkanized between devices. When many e-services were devised - it was assumed that they would be accessed from traditional endpoints: desktops and laptops. Following on from that, digital signature solutions are often tailored to those specific types of endpoints.

However, much has changed since that first assumption. The Covid pandemic ushered in the rise of mass remote work and workers are now more reliant on their mobile devices than ever. There are now 5 billion unique mobile internet users around the world. Furthermore, for 60 percent of the global population - mobile internet is the primary way they access the internet. As more and more people use their mobile devices as their primary endpoint, digital signature solutions need to accommodate this new reality.

Lowering barriers

Digital signature standards and technologies need to be unified and homogenized to a great degree as possible to promote interoperability to the greatest degree possible. Failing to do so risks technology failures, security issues and at best, time consuming integration projects. To end that balkanization - we need open frameworks to make trust services and products compatible which can thus offer the same levels of trust and work together, independently of geographical provenance or proprietary origin.

There are a number of attempts at fixing this problem. In 2021, ETSI released TS 119 182-1 which, based on JSON Web Signature, aimed to bridge the gaps between myriad digital signature solutions. It had a particular effect in the financial sector, where - before adopting the standard - thousands of banks were using different signing algorithms for their APIs to online transactions.

The Cloud Signature Consortium (CSC) is also attempting to widen digital signature interoperability. The CSC brings together a collection of industry giants within the sector to build a common architecture for digital signature interoperability. They’ve released an open source API standard which can integrate the essential components of a remote signature solution established between different service providers and consumers. The CSCs API allows the generation of remote digital signatures for desktop, web and mobile devices and ensures compliance with e-signature laws in both the US and the EU. What adds weight to the CSC is the variety of industry giants who have signed up - such as AdobeSign - giving it a wide potential scope across the industry.

It's an observable fact that business is now global. We transact with customers, partners, third parties, suppliers and businesses all around the world every second of the day. We make those transactions over the internet, and because we need assurance that those interactions are secure, we rely on digital trust in order to make them so. These are the systems - such as digital signatures - that allow a manufacturer in Santiago to trust a supplier in Shenzhen and a customer in Montana to trust a vendor in Monaco. Digital signatures are a key piece of ensuring the security of transactions across borders and as such, they need wide interoperability between countries, jurisdictions, devices and sectors. Open frameworks and normalised regulatory boundaries are crucial to achieving that goal.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.