On this page frequently asked questions are answered.
In general, certificates originating in the European Union or the European Economic Area are legally equivalent to certificates issued by Austrian trust service providers. This applies in particular to qualified certificates. Pursuant to Art. 17(1) of the eIDAS Regulation, the Member State in which the trust service provider is established is responsible for supervision.
Certificates from third countries can in any case be used for non-qualified electronic signatures in the European Union and the European Economic Area (refer to Art. 25(1) and Art. 35(1) eIDAS Regulation). Yet such certificates are only regarded as qualified certificates when issued as part of a trust service that has been recognised under an agreement concluded between the Union and the third country in question or an international organisation in accordance with Article 218 TFEU.
Beyond the legal validity of the certificate, the issue needs to be considered whether the recipient of a signed message trusts and accepts the certificate. Private individuals will usually prefer certificates issued in Austria, simply because they are more familiar with the Austrian trust service provider or more easily understand the language of the provider’s policy statement (e.g. the certificate policy and the certification practice statement). Government offices are not permitted to discriminate against certificates issued in other countries (at least within the EU internal market).
An electronic signature can be created during the validity period of the matching certificate. Yet, such a signature can be verified even after certificate expiry. Signature verification is in fact still possible even after the certificate is withdrawn, as long as the time of signature creation can still be determined, or at least narrowed down, based on a time stamp or other characteristics of the signed data.
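The rule in the paragraph above (a signature created during the validity period stays verifiable after expiry, and even after revocation, as long as the time of creation can be determined or narrowed down) turns into a small decision procedure. The following Go program is an added example written for this page; it is not code from the original FAQ or from any trust service provider. The certificate dates, the revocation date and the invoice date are constructed values, and the time stamp is modelled simply as a proof that the signature existed at a given moment.

```go
package main

import (
	"fmt"
	"time"
)

// CertStatus is what the verifier knows about the certificate: its validity
// period and, if it was revoked, the moment of revocation. All values in this
// example are constructed; they do not come from any real certificate.
type CertStatus struct {
	NotBefore time.Time
	NotAfter  time.Time
	RevokedAt *time.Time // nil when the certificate was never revoked
}

// SigningInterval is what the verifier knows about when the signature was
// created. An exactly known time has Earliest == Latest; a time stamp only
// proves that the signature existed at the stamped time, so it bounds Latest,
// while Earliest has to come from other evidence (here: a date inside the
// signed document itself).
type SigningInterval struct {
	Earliest time.Time
	Latest   time.Time
}

// NarrowWithTimestamp tightens the interval with a time stamp that proves the
// signature already existed at ts: the signature cannot have been created later.
func NarrowWithTimestamp(when SigningInterval, ts time.Time) SigningInterval {
	if ts.Before(when.Latest) {
		when.Latest = ts
	}
	return when
}

// SignatureVerifiable reports whether the signature can still be accepted.
// The whole signing interval must lie inside the validity period and, if the
// certificate was revoked, end before the revocation. If any part of the
// interval falls outside, the verifier cannot exclude that the signature was
// created with an expired or revoked certificate and must reject it.
func SignatureVerifiable(cert CertStatus, when SigningInterval) (bool, string) {
	switch {
	case when.Latest.Before(when.Earliest):
		return false, "signing interval is inverted"
	case when.Earliest.Before(cert.NotBefore):
		return false, "signature may predate the certificate's validity"
	case when.Latest.After(cert.NotAfter):
		return false, "signature may postdate the certificate's expiry"
	case cert.RevokedAt != nil && !when.Latest.Before(*cert.RevokedAt):
		return false, "signature may have been created after revocation"
	}
	return true, "signing time lies within validity and before any revocation"
}

func main() {
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	revoked := day(2022, 6, 1)
	cert := CertStatus{NotBefore: day(2019, 1, 1), NotAfter: day(2024, 1, 1), RevokedAt: &revoked}

	// Verification happens in 2025, after both expiry and revocation. The signed
	// invoice is dated 2021-03-01, so it cannot have been signed earlier than that.
	known := SigningInterval{Earliest: day(2021, 3, 1), Latest: day(2025, 2, 1)}

	for _, c := range []struct {
		label string
		when  SigningInterval
	}{
		{"no time stamp", known},
		{"time stamp from 2021-03-15", NarrowWithTimestamp(known, day(2021, 3, 15))},
		{"time stamp from 2023-01-01", NarrowWithTimestamp(known, day(2023, 1, 1))},
	} {
		ok, why := SignatureVerifiable(cert, c.when)
		fmt.Printf("%-28s accept=%-5v (%s)\n", c.label, ok, why)
	}
}
```

Without a time stamp the verifier in 2025 only knows that the signature was created some time before it was received, which includes the period after expiry, so it must reject. A time stamp from March 2021 pins the creation time inside the validity period and before the revocation, so the same signature is accepted; a time stamp from 2023 is before expiry but after revocation and is rejected again. This is why the answer above stresses that the time of creation must be determinable, not merely that the certificate was once valid.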
Renewing a certificate prior to expiry is permitted by law. Consequently, signature creation data can be used even after the original certificate has expired. Whether certificates for existing signature creation data are renewed in the specific case depends on the policy statement of the particular trust service (e.g. the certificate policy and the certification practice statement). Changing the signature creation data, on the other hand, is usually not a problem.
For qualified trust services, the recognition of third-country trust services for electronic signatures or seals is based on Art. 14 of the eIDAS Regulation and, for non-qualified trust services, on Art. 25(1) and Art. 35(1) of the Regulation. In the absence of any legal specifications it is unclear, however, whether electronic signatures or seals based on such a trust service can be recognised as advanced electronic signatures or seals.
Whether the requirements for advanced electronic signatures or seals are met might under certain conditions be determined based on the policy statement of the particular trust service (e.g. the certificate policy and the certification practice statement).
Yet, in the final instance only taxation authorities can decide whether invoices that are electronically signed based on third-country trust services are admissible.
Further information can be found by following these links:
Electronic transmission of invoices
For the signature per se, you only require suitable software, which is already integrated for instance in many mail clients. S/MIME has come to be recognised as the most important standard for electronically signed e-mails. OpenPGP is another de facto web standard.
You need a certificate, which is your ‘online ID document’, to allow a recipient who does not know you personally to verify your signature. To get a certificate, refer to a trust service provider.
To be able to create qualified electronic signatures, you need a qualified signature creation device.
Further information can be found by following this link:
What is a ‘qualified electronic signature’?
There is no general answer to this question.
Many certificates (even qualified certificates) are available free of charge or for a small fee. Periodic expense may be incurred depending on the trust service.
Low-priced smart card readers are available. Basic software components are available free of charge. You need to reckon with additional costs for special applications such as programs for electronically creating and issuing invoices or offers; the software manufacturers provide details on prices.
Further information can be found here:
What kind of environment needs to be set up for the electronic signature on the user side?
What later effort is required to maintain the environment?
Stated simply, a certificate is an online ID document. The certificate contains information on the identity of a natural or legal person as well as verification data used to assign electronic signatures or seals to that person. The certificate is protected from modification by the electronic signature or the electronic seal of the party issuing the certificate.
In the legal definitions, distinctions are made between certificates for electronic signatures, for electronic seals and for website authentication. Art. 3(14) of the eIDAS Regulation defines a ‘certificate for electronic signature’ as an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person. Art. 3(29) of the eIDAS Regulation defines a ‘certificate for electronic seal’ as an electronic attestation that links electronic seal validation data to a legal person and confirms the name of that person. Art. 3(38) of the eIDAS Regulation defines a ‘certificate for website authentication’ as an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued. These definitions do not depend on any particular technology.
In technical terms, certificates usually refer to a certain data format. X.509v3 certificates link public keys to the name of a person or server. Numerous other details can be included in X.509v3 certificates.
There are two main differences between the technical definition of a certificate and the legal definition:
1. The legal definition of a certificate does not depend on any particular technology and in theory includes even certificates for which the verification data do not represent public keys of a certain cryptographic technique. The definition is thus open-ended with regard to future technical advances.
2. Only certificates containing verification data, i.e. data (also) used specifically for verifying electronic signatures or seals or for authenticating websites, fall within the legal definition of a certificate. Certificates in the technical sense can also be used for other purposes, such as encryption. Certificates used exclusively for encryption do not fall within the legal definition of a certificate.
Further information can be found here:
What is a ‘qualified certificate’?
What is the difference between a signature and a certificate?
A qualified certificate is a certificate issued by a qualified trust service provider that contains specific items of information as defined in Annexes I, III and IV of the eIDAS Regulation. The crucial quality features defining a qualified certificate are:
that the identity of the natural or legal person that issued the certificate is reliably verified;
and that stringent requirements apply to the trust service provider and especially to the technical components used by that provider.
Further information can be found here:
What is a certificate?
What is the difference between a signature and a certificate?
The legal definition of a qualified electronic signature is given in Art. 3(12) of the eIDAS Regulation.
The eIDAS Regulation, along with the implementing regulations based on it, defines numerous technical requirements that apply to qualified electronic signatures. To create a qualified electronic signature, the signatory requires both a qualified certificate and a qualified signature creation device, for example a smart card and accompanying signature software.
Pursuant to Art. 25(2) of the eIDAS Regulation, a qualified electronic signature meets the legal requirements for a handwritten signature (refer also to Art. 4 Signature and Trust Services Act).
Further information can be found by following this link:
A qualified signature creation device is a signature creation device that meets the requirements specified in Articles 29 and 30 and in Annex II of the eIDAS Regulation. Implementing Decision (EU) 2016/650 and the technical standards laid down in this legislation specify these requirements in detail. The key concern of these provisions is to ensure that the signatory is the only person with access to the signature creation data.
The simplest way to meet the requirements is to store the signature creation data (i.e. the private keys) in a device used only for this purpose. For this reason, qualified signature creation devices are frequently found in the form of smart cards. The private keys are only on the smart card and never leave it. (With some cards, the keys are generated on the smart card itself. With others the keys are generated in a secure environment and then transferred to the smart card, while at the same time the keys outside of the smart card are deleted.) The signature is created within the smart card, after the smart card is unlocked, for instance by entering a PIN code.
Electronic signature security depends on a variety of factors.
The cryptographic technique used in creating the signature plays a key role in preventing modification of the signed message during transmission via the network or by the message recipient. The techniques supported by qualified signature creation devices usually provide adequate protection against later modification.
To ensure that no third party can sign a message in the signatory’s name, it is important for the signatory to securely store the signature creation data (the private keys). It is common to store such data in encrypted form on a hard drive or a smart card. When the data is stored on a hard drive, it could potentially be accessed by others such as hackers who intrude into PCs via the internet. Signature smart cards are designed in such a way as to prevent the signature creation data from ever leaving the smart card. The signature is determined mathematically within the smart card itself, when the smart card is unlocked using an authorisation mechanism (e.g. PIN code entry). The eIDAS Regulation and Implementing Decision (EU) 2016/650 define stringent requirements governing the storage of signature creation data for qualified electronic signatures.
Critical aspects include the program for generating the signature and the data format of the signed document. With some mail clients, users have an option to “Sign all outgoing messages”. In such a case the signatory could easily sign messages unintentionally, or during a brief absence a colleague could send signed messages from the signatory’s workplace.
An electronic signature is attached to a document. When used with cryptographic techniques, each individual signature contains information about the signed document and the signatory’s private key (i.e. the signature creation data). Consequently, every signature has a different appearance. You do not need a certificate to generate a signature.
The certificate is the online ID document. By referring to the signature validation data (i.e. the signatory’s public key) in the certificate, the recipient of a message can verify whether the signature was created using the corresponding private key. The recipient can then also derive the signatory’s name from the certificate.
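The two paragraphs above, together with point 2 of the earlier comparison of the technical and legal definitions of a certificate, can be shown in working code: signing needs only the private key and the document, verification needs only the certificate, and a certificate whose key usage permits only encryption is an X.509 certificate but not a certificate in the legal sense. The Go program below is an added example written for this page, not code from the original FAQ or from any trust service provider. The holder name and the invoice text are constructed, and the certificate is self-signed so that the program runs offline; a real certificate would be signed by the trust service provider's key, and the key usage values shown are the standard X.509 bits that Go's crypto/x509 package exposes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCertificate generates a key pair and a self-signed X.509v3 certificate
// binding the public key to the holder's name with the given key usage. The
// name is constructed; self-signing keeps the example offline, whereas a real
// certificate is signed by the trust service provider.
func newCertificate(holder string, usage x509.KeyUsage) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: holder, Country: []string{"AT"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	// Parse the DER back so that everything used below is what a recipient
	// would read from the certificate, not from our in-memory template.
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// NewSignatureCertificate issues a certificate whose key usage marks the key
// as signature validation data (digitalSignature and contentCommitment, the
// latter formerly called nonRepudiation).
func NewSignatureCertificate(holder string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newCertificate(holder, x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment)
}

// NewEncryptionOnlyCertificate issues a certificate whose key may only be used
// for key encipherment: an X.509 certificate, but not one that links
// validation data to a person.
func NewEncryptionOnlyCertificate(holder string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newCertificate(holder, x509.KeyUsageKeyEncipherment)
}

// CarriesValidationData reports whether the certificate is a certificate in
// the legal sense, i.e. whether its key usage permits signatures or seals.
func CarriesValidationData(cert *x509.Certificate) bool {
	return cert.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) != 0
}

// Sign needs only the private key (the signature creation data) and the
// document; no certificate is involved. The signature value depends on both.
func Sign(priv *ecdsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify needs only the certificate: the public key inside it checks the
// signature, and the subject name tells the recipient who the signatory is.
func Verify(cert *x509.Certificate, document, sig []byte) (ok bool, signatory string) {
	pub, isEC := cert.PublicKey.(*ecdsa.PublicKey)
	if !isEC {
		return false, ""
	}
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], sig), cert.Subject.CommonName
}

func main() {
	priv, cert, err := NewSignatureCertificate("Example Holder")
	if err != nil {
		panic(err)
	}
	invoice := []byte("Invoice 2021-003, total 100.00 EUR") // constructed sample document
	sig, _ := Sign(priv, invoice)
	ok, who := Verify(cert, invoice, sig)
	fmt.Printf("original invoice: valid=%v signatory=%q\n", ok, who)
	ok, _ = Verify(cert, []byte("Invoice 2021-003, total 900.00 EUR"), sig)
	fmt.Printf("altered invoice:  valid=%v\n", ok)
	_, encCert, _ := NewEncryptionOnlyCertificate("Example Holder")
	fmt.Printf("signature cert carries validation data: %v, encryption-only cert: %v\n",
		CarriesValidationData(cert), CarriesValidationData(encCert))
}
```

Note that Verify derives the signatory's name from the certificate rather than from the message, and that changing a single figure in the invoice makes the same signature fail. In a real deployment the recipient would additionally check the certificate chain up to the trust service provider and the validity and revocation status discussed earlier on this page; this example deliberately isolates the signature-versus-certificate distinction.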
Further information can be found here:
What is a certificate?
What is a ‘qualified certificate’?
The environment needing to be set up depends primarily on whether the electronic signature will be created by the computer, or using a smart card or a hardware security module.
You always need a computer with an operating system and at least one application enabled for signatures installed (e.g. Microsoft Outlook, Mozilla Thunderbird, OpenOffice.org, Adobe Acrobat). You also need signature creation data (i.e. a private key for creating the signature) and a certificate issued by a trust service provider. How you obtain the signature creation data and the matching certificate depends on the particular trust service. Details are available from the policy statement of the particular trust service (e.g. the certificate policy and the certification practice statement).
To create a signature using a smart card, you first of all need a suitable smart card reader. The website of the trust service lists the dealers selling suitable readers. Additional software also needs to be installed and configured in accordance with the manufacturer’s instructions:
- Driver for the smart card reader (supplied with the device or available from the manufacturer’s website)
- Any components required for integrating the smart card with applications enabled for signatures
- Secure viewer and/or Citizen Card Environment
A smart card reader is not required for verifying electronic signatures (e.g. for recipients of invoices transmitted by electronic means). Standard software applications (e.g. various mail clients or Adobe Reader) support signature verification in many cases.
Further information can be found here:
What later effort is required to maintain the environment?
What expense is incurred by setting up the environment on the user side?
Certificates are valid for a limited period (usually no longer than five years in the case of qualified certificates). A new certificate needs to be acquired and integrated in the user’s system prior to the certificate’s expiry.
In addition, specific software components (e.g. driver for the smart card reader) may need to be updated periodically and any available operating system updates could be required in order to ensure a secure system environment, as specified in the certification practice statement of a particular trust service.
Further information can be found here:
What kind of environment needs to be set up for the electronic signature on the user side?
What expense is incurred by setting up the environment on the user side?