
Electronic signatures

Electronic signatures protect and guarantee the authenticity and integrity of an electronic document. Any change to an electronically signed document inevitably leads to the invalidity of the attached electronic signature. Electronic signatures play an important role in the scope of eGovernment in Austria. Information on key components for both the creation and the verification of electronic signatures is provided here.

 

Signature verification

The signature verification service of RTR GmbH as a supervisory authority is a central solution for the verification and checking of signatures of different file formats. The signature verification service relies on PDF-AS for verification of electronic PDF signatures.

The underlying file format is identified after the document is uploaded to the signature verification service. Depending on the file format, the corresponding verification process is initiated. PDF-AS is used for the verification of PDF documents. Besides current PAdES signatures, the older PDF-AS signatures can also still be verified. In addition, the signature verification service supports, for example, XML signatures, CMS signatures and Adobe PDF signatures. Other file and document formats can easily be integrated into the signature verification service.

The signature verification service is available online at http://www.signaturpruefung.gv.at

The signature verification service can also be downloaded here free of charge, for different operating systems, so that you can operate it yourself.

 

Official signature

The official signature denotes the electronic signature of a government agency that is applied to electronic documents. Essentially, an official signature is applied to notifications or other documents to be protected that are issued by a government agency. The objective is to mark electronic documents in such a way that it can be clearly recognised that they were issued and signed by a government agency and that they are official documents. The identification is expressed on the one hand by a special certificate, which includes a special attribute (object identifier) expressing the affiliation with a government agency. On the other hand, the electronically signed document carries a visual figurative mark. This figurative mark of the government agency shows the recipient of the signed document that it is a document with an official signature of a government agency. The design of the figurative mark is essentially up to the issuing government agency. However, the figurative mark must be published securely on the Internet. In summary, the official signature applied to a document guarantees on the one hand that the document originated from a government agency, and on the other hand that the document is verifiable.

Details on the official signature can be found here on the page of Platform Digital Austria. The following illustration shows an example of an official signature including the figurative mark (Source: Digital Austria). To make it easier for citizens to recognise an official signature, a convention for a standardised appearance was created in the scope of the Austrian eGovernment strategy. This convention recommends displaying the official signature as a tabular structure as shown in the illustration. Besides the figurative mark of the government agency, it contains various details on the electronic signature, information on verifying the signature, and a reference that this is an official signature.

Illustration: example of an official signature (Amtssignatur) including the figurative mark

Details on the official signature are essentially regulated in the Austrian eGovernment Act. According to this act, the following conditions must be fulfilled for an official signature:

  • An official signature must be an advanced signature in accordance with the Austrian Electronic Signature Act.
  • It must be possible to assign the certificate used for the signature to a government agency. This is done through a respective attribute in the certificate (administrative attribute of the government agency).
  • The official signature may be used exclusively by customers of the public sector for electronic signing or for duplication of documents that it created.
  • The official signature on the electronically signed document must be identified by a figurative mark as well as by a reference that the document was officially signed.
  • Suitable ways of verifying the official signature must be provided by the government agency.

Based on a short guide, the following outlines how official signatures for government agencies can be introduced.

Guide to the creation of an official signature

The following sections describe necessary measures to introduce an official signature. The order presented here is not obligatory. Details on the guide can be retrieved here.
 
1. Applying for a signature certificate
According to the eGovernment Act, the official signature must be at least an advanced signature in accordance with the Electronic Signature Act. For advanced signatures, not only a private individual can appear as a signatory, but also the government agency itself. With a qualified certificate, on the other hand, only private individuals may sign. The signature certificate that is used must show the administrative attribute or service provider attribute. Both attributes are identified in the certificate with the help of a special OID. Suitable official signature certificates can, for example, be applied for and ordered from the Austrian certification service providers A-Trust or alternatively A-Cert.
 
2. Creation of a figurative mark
The creation of a figurative mark to display the official signature, as well as the secure publication of this figurative mark on the Internet, is another requirement. The figurative mark is to be unquestionably associated with the issuing government agency or the official signature. Technically, it must be possible for the signature application to process the figurative mark. It is recommended to use common image formats such as PNG, JPEG or GIF for the figurative mark. The size of the figurative mark is to be 120 x 120 pixels.
 
 
3. Secure publication of the figurative mark
The figurative mark used by the government agency must be published securely on the Internet. This is usually done via one of the websites provided by the government agency, with access secured via HTTPS (SSL).

4. Choice of official signature software
To implement official signatures technically, Austrian eGovernment relies mainly on two key components. The first is the module MOA-SS, which can be used to sign XML documents or binary data electronically, automatically and on the server side. The second is PDF-AS, which can be used for signing PDF documents. With PDF-AS, PDF documents can be signed both with a Citizen Card and on the server side by means of MOA-SS. With MOA-SS, both software-based and hardware-based certificates (e.g. on the basis of an HSM) can be used for the creation of an official signature.
 
5. Layout of the signature visualisation
To give citizens the most uniform appearance possible across all government agencies, the signature visualisation of the official signature should be represented uniformly. The official signature layout specification defines the appearance in detail. Signature applications such as PDF-AS are already preconfigured with signature profiles according to the standard layout specifications.
 
6. Reference to the official signature
A document equipped with an official signature must contain a reference that it has been officially signed. This reference can also appear in the signature visualisation.
 
7. Verification application for the officially signed electronic document
The government agency must provide information on how the issued official signatures (both in electronic form and as a hard copy) can be verified. A central signature verification service is available for the verification of official signatures, for example at http://www.signaturpruefung.gv.at. The information on the signature verification service can be integrated into the signature visualisation.

Electronic signatures protect and guarantee the authenticity and integrity of digital data. Any change to electronically signed data inevitably leads to the invalidity of the electronic signature. Electronic signatures play an important role in the scope of eGovernment in Austria.

Digital signatures can be calculated for any data at all. But digital signatures also have to be saved in a structured way in order for them to be processed automatically. With the concept of the Citizen Card as well as with MOA-SS, digital signatures can be created in XMLDsig (for structured XML data) and in CMS format (for binary data).

Depending on the type of electronic document, the structured digital signature must be integrated in the respective document. This is highly dependent on the format of the electronic document. By means of PDF-AS, digital signatures, for example from the Citizen Card or MOA-SS, can be integrated in PDF documents. PDF-Over uses PDF-AS to provide a simple user interface for the signature of PDF documents.

To verify digital signatures, they must be extracted from the document to be verified in a suitably structured form and then verified cryptographically. The signature verification service integrates PDF-AS to check PDF documents, but also makes it possible to check other types of documents.
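
The extraction step described above, sketched for PDF signatures as an added example (not code from PDF-AS or the signature verification service): the /ByteRange entry of a PDF signature names the signed byte segments, and the gap between them holds the signature container from /Contents. The sample document and its dummy signature are constructed, a single signature is assumed, and the cryptographic check of the extracted CMS container is left to a verification library.

```python
import hashlib
import re

# /ByteRange [o1 l1 o2 l2] names the two signed segments of the file; the gap
# between them holds the hex-encoded signature container (/Contents <...>).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def extract_pdf_signature(pdf: bytes):
    """Return (signature_bytes, sha256_hex_of_signed_bytes, covers_whole_file)."""
    m = BYTE_RANGE.search(pdf)  # assumption: the document has one signature
    if m is None:
        raise ValueError("no /ByteRange: no embedded PDF signature found")
    o1, l1, o2, l2 = (int(g) for g in m.groups())
    if o1 != 0 or l1 >= o2 or o2 + l2 > len(pdf):
        raise ValueError("malformed /ByteRange")
    gap = pdf[l1:o2]
    if not (gap.startswith(b"<") and gap.endswith(b">")):
        raise ValueError("unsigned gap is not a single hex string")
    signature = bytes.fromhex(gap[1:-1].decode("ascii"))
    digest = hashlib.sha256(pdf[:l1] + pdf[o2:o2 + l2]).hexdigest()
    # Bytes after the second segment are not protected by this signature.
    return signature, digest, o2 + l2 == len(pdf)

def build_sample(sig: bytes = b"\x30\x03\x02\x01\x01") -> bytes:
    """Constructed PDF-like sample; the 'signature' is a dummy DER blob."""
    head_fmt = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig "
                b"/ByteRange [0 %010d %010d %010d] /Contents ")
    contents = b"<" + sig.hex().encode("ascii") + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    l1 = len(head_fmt % (0, 0, 0))  # fixed-width numbers keep offsets stable
    return head_fmt % (l1, l1 + len(contents), len(tail)) + contents + tail

if __name__ == "__main__":
    original = build_sample()
    edited = original.replace(b"/Type /Sig", b"/Type /SIG")   # change inside signed range
    appended = original + b"1 0 obj\n<< >>\nendobj\n%%EOF\n"  # data added after it
    for name, doc in (("original", original), ("edited", edited), ("appended", appended)):
        sig, digest, covers = extract_pdf_signature(doc)
        print(name, digest[:16], "covers whole file:", covers)
```

The digest over the signed segments changes as soon as a signed byte is edited, while data appended after the signed range leaves it unchanged, which is why the function also reports whether the byte range reaches the end of the file.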