eIDAS compliant electronic signature without a Trust Service Provider, is that possible?
Woleet has launched a complete electronic signature service based on cryptographic standards. It is compatible with Bitcoin wallets, without using signature certificates. This new approach of electronic signature without a Trust Service Provider seems contradictory with the last regulatory evolutions in Europe (since eIDAS regulation in 2016).
We strongly believe in the potential of Bitcoin technology so we develop the uses of Bitcoin
At Woleet, we are convinced of the potential of Bitcoin technology. A smart combination of best practices in network, distributed systems, and cryptography. With an innovative protocol, described in Satoshi Nakamoto’s 2008 paper, designed to guarantee the integrity of a public registry of electronic transactions.
Bitcoin as a Distributed Ledger Technology will be an essential component in the future landscape of computer science, thanks to major benefits:
- The decentralized model.
- The open, permissionless model.
- The security offered by the Bitcoin growing network.
- The scalability opportunities offered by complementary, layer-2 solutions.
Our first application on top of Bitcoin is about creating proofs of the existence of data, mainly for intellectual property and regulatory compliance stakes. In the field of proof management, signature proof is essential. So we have developed a complete electronic signature solution. It is fully compatible with the cryptographic keys of Bitcoin wallets, but without requiring any X.509 V3 certificate. We anchor such signatures in Bitcoin blockchain to create proofs.
I have heard of eIDAS regulation, is this Bitcoin-related signature eIDAS compliant?
The eIDAS regulation, that came into effect in 2016 in Europe, defines an open framework for electronic signature. Any electronic signature can now be used as an evidence. The validity of this proof shall be demonstrated by the provider, except if this electronic signature is “qualified”, in which case it benefits from the presumption of reliability.
A signature is qualified if it was delivered by a qualified Trust Service Provider, that was audited by an accredited conformity assessment body. Note that the legal value of qualified signatures is only worth in Europe… Practically, the criteria for qualified signatures are pretty high, and impose constraints on the user, which makes its use quite rare. Most of the time, simple electronic signatures are deployed instead.
Woleet electronic signature, while not qualified and using no electronic certificates, is though compatible with eIDAS regulation.
What is the value of Woleet signature?
The concept of Trust Service Provider conflicts with the underlying principles of Bitcoin, where the need of trust is replaced by an open and distributed, though resilient and secure system.
Woleet finds it possible to propose an alternative electronic signature, independent from any Trust Service Provider, but still secure and verifiable.
Woleet signature relies on standards for cryptographic algorithms, key types, and key storage:
- Asymmetric keys cryptography (key pairs private / public).
- Standard algorithms and key sizes: SHA-256, ECDSA (256 bits).
- Protection of private keys via secure hardware (Ledger Nano S), already used in wallet applications of Bitcoin and other types of blockchains.
Additionally, Woleet leverages Bitcoin potential with:
- Timestamping provided by the Bitcoin network composed of multiple nodes agreeing on the time and sequencing of transactions.
- Proof creation via Woleet anchoring mechanism in Bitcoin blockchain, with an open standard (Chainpoint), so as to create proofs of signature that can be verified independently by anybody possessing the original signed document.
Finally, Woleet designed its signature solution to significantly enhance security:
- Preserve confidentiality of signed data: the original data remains in the customer information system. It is then cryptographically hashed and signed (via Woleet tools). Woleet only processes data hash, so that the proof anchored in Bitcoin blockchain does not contain the original document, but the hash. Even if all the validation tools are public, only the data owner can check the proof.
- Let the signatory master the disclosure of identity evidence: Bitcoin signature keys are pseudonymous, which allows to manage identity independently from the signature. Only the signatory can prove the possession of a signature key and consequently the signature of a document.
What about advanced electronic signatures?
Advanced electronic signature is at an intermediate level between simple and qualified signature. It is defined in article 26 of eIDAS regulation and in an implementing act. The standard signature formats PAdES, XAdES, CAdES allow to meet the definition but they assume the use of X.509 V3 certificates. We cannot use them but we can demonstrate how Woleet signature meets the four properties of the article 26, as follows:
An advanced electronic signature shall meet the following requirements:
1. It is uniquely linked to the signatory;
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
2. It is capable of identifying the signatory;
3. It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
4. It is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.’
To fully meet these four criteria, Woleet signature need to be completed with a strong enrolment solution and with the use of a device under the control of the user. See the details below:
- This requirement is fulfilled by the use of asymmetric key pairs. By design, Woleet prevents that a key pair is linked with more than one user.
- Woleet manages the link between a signature key and an identity. Identity evidence, at the relevant level depending on business risks, shall be provided by a complementary enrolment solution.
- Woleet provides various solutions to protect the private key, the more secure being the use of Ledger. Such a hardware offers good guarantee level that the key is under the sole control of the user.
- This requirement is fulfilled by the use of a hash function.
Convinced of the potential of Bitcoin technology, relying on our highly-scalable proof management system, we build an alternative electronic signature solution that allows to go for ambitious digital transformation projects, where the cost of electronic signature is not a barrier, and without denying security stakes.