Event Recording

Qualified electronic signatures in times of the eIDAS2-wallet - a Nordic-Baltic perspective



When dealing with digital identity, emphasis is often put on the identification and authentication part. An equally important aspect is digital signing (or more broadly: electronic signing). Qualified electronic signatures have the same legal status as handwritten signatures in the EU. In this session, we shall look at the advantages and challenges that come with them from a Nordic-Baltic perspective. What is their role today and in the future; both independently, and in connection with the upcoming eIDAS2-wallet? Concrete use cases will be demonstrated from the point of view of the citizen, the public sector and businesses.

Thank you. Thank you so much. And it will be concrete. My name is Johan Newman. I'm from Finland, but I represent the company E I D Z, which is based in Estonia. I will show some concrete examples of electronic signing, both on a qualified level and also on lower levels. All examples that I show here you will get access to. They are not all linked in the presentation, but by emailing me, you will get a link to where you can find the documents that I show here, investigate them yourselves, validate them, scrutinize them. I will show my email address again at the end. As an inspiration for being here, I will mention two other persons that are present here at this conference. That is Raj Hegde from KuppingerCole and Sebastian Manhardt. And you might have seen on the video screen around here in the area, you might have seen the video running from their podcast last year, and I wanted to lift forward three points that Sebastian mentioned there.
He was a keynote speaker here the first day also, or a few days ago. First, foster open source solutions and strive for interoperability. Do communication, seek conversation between the private and the public sector, and talk to the other side, move across the sectors more often. And this last piece of advice I follow myself by, after a whole life in the public sector, joining the Estonian digital identity tech startup scene from the start of this year, specifically on qualified electronic signatures. When it comes to digital identity, oftentimes we tend to think mostly of identity, identification, authentication, but I would claim that signing, electronic signing, is just as important.
Sometimes they go together, but both on its own accord, it's important. The, the signing part, but sometimes also in connection to identification. This is a personal number. It's my personal number, official personal number, my Estonian personal number. If you Google this number, you will not get many results. You will get a few, maybe two results. You will get this one. You will also get this one. Now, what good does this number tell? I mean, anyone could put this in their profile for sure, but not anyone could sign a document with a qualified electronic signature bearing this personal number as its unique identifier. That only I can do, because only I hold the private key to the signing certificate.
And there we see it highlighted again. But what does this visual element really tell in the PDF document? Nothing much, nothing much per se. It claims to show my name and my personal number and the time when the document was signed. But when we open the validation panel in Adobe Reader, then we see that it is claimed to be valid. My name is shown and the personal number. Again, this might not be enough yet, because what Adobe Reader shows as valid, well, sometimes it is valid, sometimes not, but it might be an indication that there's a chance that this signature might be valid. So let's examine a bit more. And a tip first here: if possible, prefer signatures based on personal certificates in the name of the signer, because then they are easy to validate. Then when we validate them, the signer's own name is shown and not some other name, like of a corporation or company or something.
If we right-click the signature, we will indeed see that this is a qualified electronic signature according to eIDAS. I say "a-das"; in English, you would say "e-das". And then we can start being certain that it is indeed valid and only I possess the private key to the certificate. So with a document signed like this, I will be able to identify myself with this personal number, because it's an official personal number. That is the subject serial number in the certificate. And we can find the metadata and the issuer and all kinds of nice things in the signature there. But there is another number present in those search results. So this is a Finnish number. It is not an official personal number. This is a pseudonym or an alias. It is persistent. It is unique, but it is very difficult to use this to identify myself.
It is not written in my ID card or anything. What it can be used for is to show my affiliation to an organization. So if we enter this number into a university webpage, a certain one, a, yeah, there it comes again. ABO fi university in Finland, I'm affiliated with there. The number is entered and then we will get, as a search result, my name. If we click on it, we will see my affiliation to that university. So in this sense, you can use that number to see, if a document is signed by me, claiming that I do it on the organization's behalf, that I really have the affiliation to that organization. Another example from the same organization: a study secretary signing a study transcript within the open university, and we can again see that it is valid and the source of trust is obtained from the European Union trust list.
You will get access to this example too, to investigate yourself also. And in the same way, we can indeed validate and see that the affiliation is what it is claimed to be, a secretary of that unit of that organization. How is this possible then, to sign on behalf of the organization with a private certificate? With the help of eIDAS introductory point 58, which says that when a transaction requires a qualified electronic seal from a legal person, then a qualified electronic signature from the authorized representative of that legal person should be equally acceptable. Here we see another example. You will also get access to this one, with three different signatures. They're all produced in different environments, different systems, different portals, but they are all there. And they are all valid. Two of them, me and my university colleague, Annette, we have those Finnish S Nu numbers, and then we have an Icelander signing at the bottom.
His personal number is not, or his ID number is not shown there, but if we right-click on the signature, we will find it. I will show that a bit later. The good thing here is that every name of the signer is shown. When we validate this, we can validate them independently, for example, as here, in the EU Commission's signature validation service. I will check the time a bit here. Yes. Good. There is Annette and there Ishan. So my advice here would be, again, prefer signatures based on personal certificates in the name of the signers before generic seals in the name of the provider. Not to say that they should not be used, but if possible use personal certificates, because they're easy to validate.
Yes, here it comes. The Icelander vein. We can actually find his personal number, even though it isn't shown directly in the document. When we right-click it, we will, in the metadata, find his personal number. And again, this is a real official personal number. Swan is born 10th of February, 1982. And these are his four last digits, all out in the open. In Finland, this would not be possible, also not in Sweden and other Nordic countries. We, we can't do this. We are not on that maturity level yet, but in Iceland they are, also in Estonia they are. The best example I have found to exemplify this is a contract from 2013, signed between two ministers, an Estonian minister and the Finnish minister, both prime ministers, on cooperation on e-government and, yeah, electronic matters: Andro uny from Estonia and U UK KA from Finland.
So the Estonian minister uny, here again is his full personal number, and QTA, and the Finnish minister, this, the pseudonym or alias used. This document you can also look at yourself, the digital signatures of it. And I will briefly show how it was signed in a container format, a predecessor to what now, today, is called ASiC-E. Will European countries then ever be ready to use a single national personal number like they do in Estonia, like they do in Iceland? Well, as you know, the wallets, digital wallet work is ongoing. We will see what it leads to. But what we can say is that various pre-war approaches do exist for this, for a signer to choose: do I want my personal number to be seen in this particular document that I sign, or would I rather prefer to use an alias, a pseudonym? That is possible. Then on to the format that the ministers signed in.
It is a predecessor to the ASiC-E container format. You have the signatures on the outside, and then you have the link to the signed document and you have to click on that one. So the approach is a bit different from Adobe PDF here. Note that with this format, you can sign any document, be it Word, Excel, a vector map, a sound clip, or a video clip, or a text file. So, and even several files at the same time. The signatures are on the outside and the signed document on the inside. So here we see the document. When we scroll to the end of it, we see the names of the signers and it says digital signatures, digital signature, but the signatures aren't here; they are in the container that encompasses this document, this text document. Validity and validatability is an important aspect of e-signing.
And here, I would say two, two words: platform independence and no vendor lock-in. What is valuable is to make sure that the e-sign approach you use, that the signatures are validatable, if that is a word, independently, so that you are not in a vendor lock-in with a certain provider. This, the validatability, is a science in itself. Do we want to be able only to validate the signature when the certificate is valid? And what happens when it is not valid anymore, or when it has been revoked? What happens if we try to create a signature after the certificate has been revoked? What happens if we add a timestamp, can we maybe then validate the signature even after the certificate has expired? And what happens if we add revocation info into the signature? Then we can probably validate it even after the certificate validity has gone out.
If we maybe still add a separate document timestamp, then we might be able, or we are able, to demonstrate that we are capable of re-stamping our documents with newer algorithms, so that even post-quantum, when the RSA encryption algorithm has weakened, we can still validate those older documents. This is taken from an article in LinkedIn, by outside. So you can go and read that article if validatability and timestamping is of interest for you. Signature versus seal. We have seen now a few signatures, and I will demonstrate how it looks if we use an ID based signing approach, where the signing environment stamps their seal on, instead of using a personal signature. The three top ones are personal signatures. Then we have a lot of signatures that might even have, like, a visual element in the document, but all you see when you validate them is the name of the commercial provider that has put their seal on. So this is how it looks when we do seal-based signing. I am not saying that this is not a good approach. Actually, what I'm saying is that we should allow qualified level and advanced and simple level to be in the same document. If we have established that a lower level is okay, then also a higher level should be okay.
Always ensure, would be my tip, that the e-sign system does not remove signatures made in another environment before it was uploaded. And as I said, enable different levels of signatures to meet in the same document. The third one we already saw: prefer personal certificates. And I also mentioned the ASiC-E format: plan for, ensure that the system can handle that as well. If you don't want to code all and implement this all yourself, you can use a readily made aggregator service. This is what my company does. Signature versus seal. As a last example, I will show someone has logged into their internet bank. If I do that in Finland, then I will get a PDF. If I want to show a payment certificate, it's a PDF. It would be very easy to change it. In Estonia, if this is done, you get an automatically qualified, sealed payment order.
The content of it is here. This company has paid this much money to Cloud Signature Consortium. This example you will also get access to yourself. And then we are sure that it cannot be changed. We are sure that it is the bank that has sealed it, automatically done. Another example is the qualified e-seal made on European digital credentials. And this, I would say, is a first step towards what will be the digital wallet, that is already existing. So leading by example. I am coming to an end here. Leading by example: last year, Finland and Germany signed an agreement on digital identity development together; both digitalization ministers did that together. Did they do it digitally? No. They signed it by hand. Why? This is not really leading by example, as I see it. It is understandable in what happened only six days ago when Estonia and Japan did it, because then that's another country outside the European Union.
But when it comes to the EU, I think it should be done. I actually asked the German minister: dear minister, are you in possession of a qualified e-signature? If so, could you maybe provide it to that document? We will make sure that the Finnish minister just the same. She did not answer, but many others chimed in and answered that for sure, the minister should do that. And this is how she, she could do it. My presentation ends here. You will get access to the material. Also, you will get a digital credential as a participation diploma, if you email me, that bears a qualified electronic seal. It might even identify you on a qualified level, if you provide a qualified signature. Thank you very much.
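
The questions the talk raises about validating a signature after its certificate has expired or been revoked can be worked through with a small decision function. This is an added example, not material from the speaker or the presentation; it is a simplified model rather than the full standardised validation procedure, and the `Evidence` fields, the `assess` function and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Evidence:                      # field names are illustrative assumptions
    not_before: datetime             # signing certificate validity start
    not_after: datetime              # signing certificate validity end
    revoked_at: Optional[datetime]   # revocation time, None if never revoked
    timestamp: Optional[datetime]    # trusted signature timestamp, None if absent
    revocation_embedded: bool        # revocation data stored inside the signature

def assess(ev: Evidence, now: datetime) -> str:
    """Return 'valid', 'invalid' or 'indeterminate' (simplified model)."""
    has_ts = ev.timestamp is not None
    # A trusted timestamp proves the signature existed at that time;
    # without one, the only time a validator can rely on is "now".
    ref = ev.timestamp if has_ts else now
    if ref < ev.not_before:
        return "invalid"
    if ev.revoked_at is not None and ev.revoked_at <= ref:
        # Proven to be signed after revocation, or no proof that it was before.
        return "invalid" if has_ts else "indeterminate"
    if ref > ev.not_after:
        # Proven to be signed after expiry, or no proof that it was before.
        return "invalid" if has_ts else "indeterminate"
    if now > ev.not_after and not ev.revocation_embedded:
        # After expiry, fresh revocation status may no longer be obtainable.
        return "indeterminate"
    return "valid"

# Constructed sample data: certificate valid 2020-2023, validation in 2025.
START, END, NOW = datetime(2020, 1, 1), datetime(2023, 1, 1), datetime(2025, 6, 1)
SIGNED = datetime(2021, 5, 1)

def demo() -> dict:
    return {
        "no timestamp, expired": assess(Evidence(START, END, None, None, False), NOW),
        "timestamp only, expired": assess(Evidence(START, END, None, SIGNED, False), NOW),
        "timestamp + revocation data": assess(Evidence(START, END, None, SIGNED, True), NOW),
        "revoked after timestamp": assess(Evidence(START, END, datetime(2022, 3, 1), SIGNED, True), NOW),
        "revoked before timestamp": assess(Evidence(START, END, datetime(2021, 1, 1), SIGNED, True), NOW),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the cases that carry both a timestamp and embedded revocation data stay verifiable once the certificate itself has expired.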
