A QES, or qualified electronic signature, is often used as a synonym for the general term “electronic signature” in the EU and in Bulgaria. It should be clarified at once, however, that there are three types of electronic signature: simple, advanced (AES) and qualified (QES). The matter is governed by Bulgarian legislation and by Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the eIDAS Regulation).
- A simple electronic signature, according to the Regulation and the law, is data in electronic form that is attached to or logically associated with other data in electronic form and that the signatory uses to sign. There is no requirement beyond this logical association. It follows that even a plain email signature block, or a handwritten signature on paper that has been scanned, saved as a JPG or PNG and pasted into a PDF or DOCX file, is an electronic signature within the meaning of the current legislation. Bear in mind, however, that courts take a more demanding position on scanned signed documents.
- An advanced electronic signature (AES) must meet more requirements, the best-known commercial example being DocuSign. First, it must be uniquely linked to the signatory and capable of identifying him or her. It must be created using electronic signature creation data that the signatory can use under his or her sole control and, above all, it must be linked to the signed data in such a way that any subsequent change to the document is detectable. A simple electronic signature has no such tamper-detection property by default, which makes it much easier to forge. Simple and advanced electronic signatures are equivalent to a handwritten signature only by virtue of a legal fiction that applies where the parties have agreed to it, i.e. where the parties agree that these two types of electronic signature are equivalent to a handwritten signature in ink on paper.
- Qualified electronic signatures (QES) meet the highest requirements, and therefore, under EU-wide law, a QES has the legal effect of a handwritten signature throughout the EU and, in Bulgaria, its authorship is as a rule not open to challenge. There are a few exceptions, of course, such as the signing of a title deed, which by law must be done not online but in person, in the most “analogue” way possible: by hand, in ink, before a notary who has personally verified the identity of the signer. Under the law, a QES is in practice an AES plus two additional requirements: (a) it must be created by a qualified electronic signature creation device, and (b) it must be based on a qualified certificate for electronic signatures. A qualified certificate is not a database of signatures: it is an electronic attestation, issued by a qualified trust service provider, that binds the signature validation data (the holder's public key) to the holder's identity; the provider separately maintains a public status service (CRL and OCSP) through which anyone can check whether a given certificate has been revoked. In Bulgaria there are only a few such providers: “INFORMATION SERVICE” AD [StampIT], “BORICA – BANKSERVICE” AD [B-trust], “InfoNotary” EAD [InfoNotary], “SPECTER” AD and “SEP BULGARIA” AD. The qualified signature creation device is the hardware part supplied by the provider, usually a USB cryptographic token holding a smart-card chip (often in SIM-card format) on which the private key is stored. Unlike an ordinary flash drive, the device is designed so that the private key cannot be read or copied off it; the signing operation takes place inside the chip.
An electronic document is any content stored in electronic form, in particular text or a sound, visual or audio-visual recording. The law provides that “the written form is deemed to be complied with if an electronic document containing an electronic statement is drawn up”. Electronic documents are fully valid as evidence in court, where they are given the same weight as ordinary written paper documents. In litigation such a document may be submitted to the court in paper form, certified by the party producing it; the opposing party or the court may, however, also require it to be produced in electronic form.
Whether an electronic document and electronic signature can successfully be challenged, or proven to be forged, depends primarily on the type of document. At first sight the easiest document to challenge is one signed with a simple electronic signature, such as an email message, which may contain either a unilateral expression of intent (an invitation, application, notice, etc.) or a bilateral contract to which both parties (the email correspondents) must agree. Electronic messages exchanged between two parties constitute electronic statements and can serve as evidence of a commercial transaction.
In Bulgaria, however, an electronic message is deemed to have been delivered and received within the meaning of the law when it enters the recipient's information system or another information system. Successful communication between two servers is sufficient to establish a connection and a data exchange between two information systems, and therefore to presume that the message was delivered; the fact that the recipient never opened the email is of no legal significance, even if, for example, the message was classified as malware or spam and deleted on the server without ever reaching the recipient's mailbox.
When a transaction is worth many thousands or millions, criminals may try to exploit this. In one scenario, an email appears entirely authentic and sent from the expected account, but a forensic technical expert finds compromised records in the hosting account which, taken together with other evidence, show that a forged email was sent deliberately. In another, a perfectly valid cancellation notice is sent by email but deliberately includes text rendered in a colour that blends into the background; such hidden text is picked up by the email provider's filters and raises the spam score, so the message enters the recipient's system (and is therefore legally deemed received) but is immediately discarded as an unsolicited commercial message and never reaches the recipient's inbox. In such situations the involvement of a competent lawyer or technical expert is advisable, as they can identify such unlawful actions and protect the interests of the person they represent.
A QES is, as a rule, not open to challenge. This is so even where the holder of the QES has handed his or her identification details to a third party and that third party, rather than the holder, actually signed the document. In such a case the law does allow the holder to challenge the signature, but only with effect for the future. It is important to bear in mind, however, that while authorship cannot be challenged, a number of other attributes of an electronic document can be, for example the date of signing. An experienced IT law attorney knows that there are different types of QES, only some of which include a time stamp, and that this difference can lead to a successful challenge of an electronic document.
Validity, and the successful challenge, of an electronic signature therefore require a thorough knowledge of the technical specifications of advanced and qualified signatures: the ETSI AdES formats and baseline levels referenced by the implementing acts of Regulation (EU) No 910/2014.
- Possible formats of QES
- CAdES – an extension of the well-known CMS/PKCS#7 format; it allows all kinds of files to be signed at every signature level. The file extensions are .p7m (ENVELOPING signature) and .p7s (DETACHED signature).
- PAdES – for PDF files only; only the ENVELOPED type is possible, the signature being embedded in the PDF itself, and the extension after signing remains .pdf.
- XAdES – the signature itself is expressed in XML. It is the only format that supports all three types, ENVELOPED, ENVELOPING and DETACHED; the ENVELOPED type requires the signed document itself to be XML (and the extension remains .xml), whereas ENVELOPING and DETACHED can cover any kind of file.
- Possible file formats after signing
- ENVELOPED – 2 in 1: the signature is embedded in the signed file and the file extension stays the same; applicable to PAdES and XAdES.
- ENVELOPING – 2 in 1: the entire signed file is wrapped inside the signature file and the file extension changes; applicable to CAdES and XAdES.
- DETACHED – signature and document are two separate files (the original file plus a signature file), and the verifier must be given both; applicable to CAdES and XAdES.
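To make the ENVELOPED case concrete: a PAdES signature lives inside the PDF as a /Sig dictionary whose /ByteRange array names the two byte ranges that were hashed (everything except the /Contents hex string that holds the CMS signature blob). A verifier can therefore tell not only whether the signed bytes were altered, but also whether anything was appended to the file after signing. The block below is an added example written for this page, not code from the original article or from any signing product: it builds a constructed, minimal PDF-like byte string with a dummy signature blob and checks the /ByteRange bookkeeping. The object layout, the dummy /Contents value and the hypothetical appended object are assumptions for illustration.

```python
import hashlib
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING_RE = re.compile(rb"<[0-9A-Fa-f\s]*>")


def build_signed_pdf(appended: bytes = b"") -> bytes:
    """Constructed sample: a minimal PDF-like file with a PAdES-style /Sig
    dictionary. /Contents holds a dummy hex blob instead of a real CMS
    signature; the point is the /ByteRange bookkeeping. `appended` simulates
    bytes written after signing (an incremental update)."""
    contents_hex = b"<" + b"00" * 16 + b">"
    head = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
            b"3 0 obj << /Type /Sig /Filter /Adobe.PPKLite"
            b" /SubFilter /ETSI.CAdES.detached\n   /ByteRange ")
    tail = b" >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    width = 40                                   # fixed-width field so offsets stay stable
    before_contents = head + b"[" + b" " * width + b"]" + b"\n   /Contents "
    start2 = len(before_contents) + len(contents_hex)   # first byte after the '>'
    numbers = f"0 {len(before_contents)} {start2} {len(tail)}".encode()
    byterange = b"[" + numbers.ljust(width) + b"]"
    return head + byterange + b"\n   /Contents " + contents_hex + tail + appended


def check_byterange(pdf: bytes) -> dict:
    """Inspect the last /ByteRange (the most recent signature) and report what a
    verifier learns before it even looks at the CMS blob."""
    matches = list(BYTERANGE_RE.finditer(pdf))
    if not matches:
        raise ValueError("no /ByteRange: file is not signed")
    start1, len1, start2, len2 = (int(g) for g in matches[-1].groups())
    covered_end = start2 + len2
    gap = pdf[start1 + len1:start2]              # must be exactly the /Contents hex string
    signed = pdf[start1:start1 + len1] + pdf[start2:covered_end]
    return {
        "well_formed": start1 == 0 and start1 + len1 <= start2 and covered_end <= len(pdf),
        "gap_is_contents": HEX_STRING_RE.fullmatch(gap) is not None,
        "trailing_unsigned": len(pdf) - covered_end,          # > 0: bytes appended after signing
        "signed_digest": hashlib.sha256(signed).hexdigest(),  # what the CMS messageDigest covers
    }


def covers_whole_file(pdf: bytes) -> bool:
    """True only if the last signature's ranges account for every byte of the file."""
    r = check_byterange(pdf)
    return r["well_formed"] and r["gap_is_contents"] and r["trailing_unsigned"] == 0


if __name__ == "__main__":
    clean = build_signed_pdf()
    tampered = build_signed_pdf(b"4 0 obj << /Note (added after signing) >> endobj\n")
    for name, doc in (("clean", clean), ("tampered", tampered)):
        print(name, covers_whole_file(doc), check_byterange(doc))
```

Note that the signature over the tampered file would still verify mathematically, because the appended bytes lie outside the signed ranges and the digest of those ranges is unchanged; only the coverage check reveals the addition. A later legitimate signature, or an incremental update the signer permitted (such as form filling), also extends the file past the first signature's range, so a trailing unsigned region is a signal to examine, not proof of forgery by itself.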
- Possible signature levels
- BASELINE_B – the most basic level. It attests only authorship of the signed document: the signature value together with the signer's certificate, with no trusted time of signing (any signing time recorded inside the signature comes from the signer's own clock).
- BASELINE_T – BASELINE_B plus a signature time-stamp attribute: a token issued by a trusted time-stamping authority over the signature value, proving that the signature existed no later than the stamped time, which is what defeats backdating.
- BASELINE_LT – BASELINE_T plus the full certificate chain and revocation data (CRL and OCSP responses) embedded in the signature, so that the signature can be validated from the signed file alone, without any further online check of the QES certificate's status or any search for its certification chain.
- BASELINE_LTA – BASELINE_LT plus archive time-stamps over the whole signature, renewed periodically, so that the certified time can be refreshed and the signature validated long after its creation. In simple terms, even if one day the QES provider ceases to exist, together with the status service against which a document signed with a QES could be checked, the signature will still be verifiable.
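As an added example covering both the CAdES container types (.p7m versus .p7s) and the baseline levels above, written for this page and not taken from the article or from any trust service provider: the block builds CMS SignedData structures with placeholder certificate, signature and time-stamp values, then classifies them by reading the structure, following the markers the CAdES baseline profile uses (a signature-time-stamp unsigned attribute for T, embedded revocation data for LT, an archive-time-stamp-v3 attribute for LTA; the presence or absence of eContent decides enveloping versus detached). The minimal DER encoder and parser, the placeholder values and the classification heuristics are assumptions for illustration only; a real validator such as the European Commission's DSS library also verifies the signatures, chains and time-stamps, which this code does not.

```python
# Object identifiers used as level markers (RFC 5652 / RFC 3161 / ETSI CAdES).
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_DATA = "1.2.840.113549.1.7.1"
ID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
ID_SIG_TIMESTAMP = "1.2.840.113549.1.9.16.2.14"   # id-aa-signatureTimeStampToken (T)
ID_ARCHIVE_TS_V3 = "0.4.0.1733.2.4"               # id-aa-ets-archiveTimestampV3 (LTA)
ID_SHA256 = "2.16.840.1.101.3.4.2.1"
ID_RSA = "1.2.840.113549.1.1.1"


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder: single-byte tag, definite length, body."""
    return bytes([tag]) + _der_len(len(body)) + body


def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def parse(data: bytes) -> list:
    """Split a DER byte string into a list of (tag, body) pairs (single-byte tags only)."""
    items, pos = [], 0
    while pos < len(data):
        tag, first = data[pos], data[pos + 1]
        if first < 0x80:
            n, pos = first, pos + 2
        else:
            k = first & 0x7F
            n, pos = int.from_bytes(data[pos + 2:pos + 2 + k], "big"), pos + 2 + k
        items.append((tag, data[pos:pos + n]))
        pos += n
    return items


def build_cades(detached: bool, level: str, payload: bytes = b"constructed document") -> bytes:
    """Assemble a SignedData carrying the markers of the requested baseline level.
    Certificates, CRLs, the signature value and time-stamp tokens are placeholders."""
    attr = lambda o, value: tlv(0x30, oid(o) + tlv(0x31, value))        # Attribute { OID, SET }
    encap = tlv(0x30, oid(ID_DATA) + (b"" if detached else tlv(0xA0, tlv(0x04, payload))))
    unsigned = b""
    if level in ("T", "LT", "LTA"):
        unsigned += attr(ID_SIG_TIMESTAMP, tlv(0x30, tlv(0x04, b"tst")))   # fake TimeStampToken
    if level == "LTA":
        unsigned += attr(ID_ARCHIVE_TS_V3, tlv(0x30, tlv(0x04, b"ats")))   # fake archive stamp
    signer_info = tlv(0x30,
        tlv(0x02, b"\x01")                                   # version
        + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))     # sid: issuer/serial placeholder
        + tlv(0x30, oid(ID_SHA256))                          # digestAlgorithm
        + tlv(0xA0, attr(ID_CONTENT_TYPE, oid(ID_DATA)))     # [0] signedAttrs (minimal)
        + tlv(0x30, oid(ID_RSA))                             # signatureAlgorithm
        + tlv(0x04, b"\x00" * 8)                             # signature value placeholder
        + (tlv(0xA1, unsigned) if unsigned else b""))        # [1] unsignedAttrs
    certs = tlv(0xA0, tlv(0x30, tlv(0x04, b"signer-cert")))  # [0] certificates: present at every level
    crls = tlv(0xA1, tlv(0x30, tlv(0x04, b"crl"))) if level in ("LT", "LTA") else b""  # [1] crls
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, tlv(0x30, oid(ID_SHA256)))
                      + encap + certs + crls + tlv(0x31, signer_info))
    return tlv(0x30, oid(ID_SIGNED_DATA) + tlv(0xA0, signed_data))        # ContentInfo


def classify_cades(cms: bytes) -> dict:
    """Report container type and baseline level from the structure alone; no crypto checks."""
    ci = parse(parse(cms)[0][1])                       # ContentInfo body: [OID, [0] SignedData]
    if ci[0][1] != oid(ID_SIGNED_DATA)[2:]:
        raise ValueError("not CMS SignedData")
    fields = parse(parse(ci[1][1])[0][1])              # SignedData fields in order
    encap = parse(fields[2][1])                        # [eContentType, optional [0] eContent]
    optional = {t for t, _ in fields[3:-1]}            # 0xA0 certificates / 0xA1 crls
    unsigned = set()
    for t, body in parse(parse(fields[-1][1])[0][1]):  # first SignerInfo
        if t == 0xA1:                                  # [1] unsignedAttrs
            unsigned = {parse(a)[0][1] for _, a in parse(body)}
    if oid(ID_ARCHIVE_TS_V3)[2:] in unsigned:
        level = "LTA"
    elif oid(ID_SIG_TIMESTAMP)[2:] in unsigned:
        level = "LT" if 0xA1 in optional else "T"      # embedded revocation data lifts T to LT
    else:
        level = "B"
    return {
        "container": "detached (.p7s)" if len(encap) == 1 else "enveloping (.p7m)",
        "level": "BASELINE_" + level,
        "carries_certificates": 0xA0 in optional,
        "carries_revocation_data": 0xA1 in optional,
    }


if __name__ == "__main__":
    for detached in (True, False):
        for level in ("B", "T", "LT", "LTA"):
            print(detached, level, classify_cades(build_cades(detached, level)))
```

The classifier deliberately keys the LT decision on embedded revocation data rather than on the certificates field, because a BASELINE_B signature normally already carries the signer's certificate; it is the CRL/OCSP material and the full chain that let an LT signature be validated offline, as described above.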