Public authorities have shown much interest in introducing digital signatures to the public. Until now, solutions with a high level of security have been technically complicated, thus it has been necessary to settle for a lower level of security to achieve high degrees of user-friendliness. There is a solution which relieves end users of the physical responsibility for a signature – but how secure is it?
The vision for the new 'digital society' is that every citizen should have a digital identity in the shape of a certificate and a signature key stored securely (eg on a chip card). With this in hand the citizen can then apply digital signatures when using public self-service applications. The reality of today, however, is that most self-service systems are only protected by a PIN code. Very few individuals have actually bought and installed a card reader on their PC.

The security level in PIN-based systems is not high enough, but at the moment it's also undesirable to base the introduction of digital signatures on chip cards. An alternative could be to store the signature key on the end user's hard disk. An easier solution to implement, but one that's neither mobile nor totally secure.

Fear not, though. There is actually another solution which, seen from the user's point of view, combines the best of the other two.

The problem with the known solutions is the storage and management of the signature key. Thus the answer must lie with leaving the physical responsibility for the key to a professional authority – much as we do with our money and valuables. With this kind of solution the end user can sign documents and transactions via a Web browser or a mail client, and the signature key never has to leave the secure server where it's stored.

Professional key storage explained
Professional storage of the signature key has a number of advantages:

  • mobility: the key can be used from any terminal with Web access;
  • logging: all signatures are logged, making it possible to trace any abuses of the system;
  • high physical security: a hard disk can crash and a chip card may break, but systems with bank-level security do not go down;
  • protection against theft: if the thief steals your PC, he will also have access to your key – your chip card can disappear with your wallet, but it's virtually impossible to steal your key if stored on a secure server.

Access to the key must be protected (as it is when stored on a hard disk or card). Again, professional key storage provides superior possibilities for choosing the right degree of access control. A solution already in use deploys the username/password in combination with one-time passwords distributed online via a network (eg SMS) or delivered on a printed card.

Degrees of user-friendliness
There are two good reasons for not forcing through a chip card solution. First, the low degree of user friendliness and, second, the market is developing so fast that new solutions are emerging all the time.

Instead, the introduction of digital signatures should follow the market development – this will definitely encourage the procurement of more user-friendly systems such as that described above.

A mobile way of using digital signatures involves a network application which allows the user to carry out mobile transactions from any terminal connected to the Internet – be it a PC or a mobile telephone – in an unmatched, secure way. The user's signature key is stored in a secure database, with access at all times via a Web browser, a mail client or a mobile device.

Thus the key used for conducting electronic transactions and creating digital signatures is no longer the user's responsibility, stored as it is on either the user's PC or a smart card.