Definitions and principles

With the use of cryptographic methods, electronic signing ensures the integrity of a signed document as well as the person signing it. (Définition ANSSI )

The electronic signature is based on two complementary algorithm families:

  • asymmetric encryption algorithms, sometimes called “public key “, and
  • algorithms footprint.

In practice, there are two types of signatures:

  • signing sealing  or “certification”. This is generally performed using a certificate issued on behalf of a corporation (usually called “stamp server”) that ensures the authenticity and integrity of the signed document;
  • signing of consent  or “approval”. This is achieved using a certificate issued to an individual (not representing a corporation) which ensures, amongst others, non-repudiation. This means that the signer can not deny having signed the document and the commitment it represents.

Legal levels of electronic signatures

There are two types of signing consent:

  • The electronic signature of consent that is not believed to be correct until proven otherwise. In case of dispute, it is up to those who want to avail themselves of the legal effects of this signature to prove the reliability of the system implemented,
  • The electronic signature of consent  presumed reliable, which can be challenged only by proving its unreliability.

To be “presumed reliable”, an electronic signature process must be:

  • secure ;
  • established through a secure signature creation device ;
  • verifiable with a qualified certificate issued by an electronic certification service provider.

A secure electronic signature must be:

  • specific to the signatory;
  • created using means that the signatory can maintain under his sole control;
  • secure with an act attached via a link, such that any subsequent amendment of the instrument is detectable.
A qualified certificate shall conform to standard ETSI TS 101 456.

signature formats

The signature formats PAdES, CAdES XAdES and define formats for “advanced electronic signatures” are likely to remain valid for long periods, according to the “European Directive 1999/93 / EC.” These formats are derived from the work of ETSI section.

  • PAdES: PDF Advanced Electronic Signatures
    • PDF content only
    • Well suited to electronic invoicing, orders, etc.
    • The viewer includes (usually) the verification of signatures
  • CAdES: CMS Advanced Electronic Signatures
    • Particularly suited to binary content since it does not require processing (eg video, images, programs, etc.)
    • Has the advantage of natively cosigning at the same level
  • XAdES: XML Advanced Electronic Signatures
    • Particularly suited for XML content as it appears light
    • Very  used by the French administration
    • Is also used by Microsoft Office (from 2010 preferred)

 Security levels for electronic certificates

The RGS (Référentiel Général de Sécurité, the General Security Database) applies in France since May 2013 and defines three security levels for electronic certificates:

  • One star: These are used by applications where there is an average risk of attempted identity theft to forge the signing of documents. The wearer’s identity is verified by sending a paper or electronic file.
  • Two stars: These are used by applications where there is a larger risk of attempted identity theft to forge signatures. The wearer’s identity is confimed by verifying the identities of original parts, face to face with the wearer.
  • Three stars: These are used for applications where there is a high risk of attempted identity theft to forge signatures. Identity is verified face to face.

The RGS requires the use of hardware devices for the three stars and recommend it for the two stars.

Legislation

The legal framework governing the status of electronic signatures in France and Europe is the result of the transposition of Directive 1999/93 / EC.

The contributions are:

  • 1999: European Directive 1999/93 / EC;
  • 2000: Law No. 2000-230 of March 13, 2000: Consideration of the electronic signature in the Civil Code;
  • 2001: Decree No. 2001-272 of March 30, 2001: Implementation of the European Directive 1999/93 / EC;
  • 2002: Decree No. 2002-535 of 18 April 2002: Award of the role of certifying DCSSI;
  • 2002: Decree of 31 May 2002: Award of the role of accreditation COFRAC for evaluating an electronic certification service;
  • 2004: Order of 26 July 2004 on the recognition of qualifications of service providers, electronic certification and accreditation bodies that carry out the evaluation;
  • 2005: Order of 8 December 2005 on electronic exchanges between users and administrative authorities and between the administrative authorities themselves;
  • 2010: Decree of 2 February 2010 (“the Decree RGS”);
  • 2010: Decree of 6 May 2010 approving the general security and the implementation of procedure for validating digital certificates (called “arrested RGS”);
  • 2012: Decree of 6 May 2010 approving the general security and the implementation of procedure for validating digital certificates (called “arrested RGS”).

A draft of the “European Regulation on electronic identification and trust services for electronic transactions in the internal market” is currently being written. This regulation aims to replace the European Directive 1999/93 / EC.