Anyone interested in electronic signatures, and in particular in contract signing, frequently encounters a “technique” called the “certificate on the fly” or “single-use certificate”. When one discovers a new solution, it is legitimate to ask whether it is “good” or “bad”. In this post we present this technique and recall Cryptolog's position on the subject.
Signing a contract requires one or more electronic signatures. An electronic signature is usually produced with an “electronic certificate” (and, for the more technical readers, with the associated private key, which is the mathematical object actually used to compute the signature). The certificate is comparable to a digital identity card: it certifies the identity of the signatory and allows the electronic signature to be verified.
It must be understood that producing an electronic signature based on an electronic certificate necessarily involves two steps:
1. The first step, generally called registration, consists mainly in validating the identity of the future signatory, in order to certify that this person is indeed the legitimate holder of the associated private key. This check is carried out by the Registration Authority (RA). Once this validation has been done, the Certification Authority (CA) issues a certificate containing the public key of the future signatory (the key that verifies the signatures made with the private key) together with the identity verified by the RA.
2. The second step is the signature itself, during which the signatory triggers the use of his private key in order to produce the electronic signature.
However, the overwhelming majority of people today do not hold one of these famous electronic certificates. One solution therefore consists in issuing such a certificate just before the signature. This raises another problem: in the context of a contract signing, whether online or during a face-to-face meeting, the signatory generally has no simple device in which to keep the generated key and certificate. A natural idea is therefore to generate, for each signature, a certificate “on the fly” or “single use”, valid for one use only and then destroyed. This idea seems attractive.
However, a certificate has no intrinsic value. Anyone can produce an electronic certificate in minutes with one of the free tools on the market, such as OpenSSL. What gives a certificate its value is the fact that one can trust the identity of the signatory it names.
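The two steps above and the point that a certificate is worth only as much as the authority that issued it, as an added Go example built on the standard library (it is not Cryptolog's code; the CA name, the signer “Alice” and the contract text are constructed). The same on-the-fly certificate verifies the signature either way, but it only chains to a CA the verifier has chosen to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// enrol is the registration step's outcome: a fresh key pair and a certificate binding the verified
// name to it, signed by the CA (self-signed when parent is nil). Ten minutes of validity models "single use".
func enrol(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, ku x509.KeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotAfter: time.Now().Add(10 * time.Minute), KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo runs both steps for a constructed contract, then asks the two separate questions the post
// distinguishes: is the signature valid for the certificate's key, and do we trust the CA that issued it?
func Demo() (sigOK, trustedIssuer, unknownIssuer bool) {
	doc := []byte("constructed sample contract")
	ca, caKey := enrol("Audited CA", nil, nil, x509.KeyUsageCertSign)
	cert, key := enrol("Alice", ca, caKey, x509.KeyUsageDigitalSignature) // step 1: registration, on the fly
	digest := sha256.Sum256(doc)
	sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:])) // step 2: the signature; key not kept afterwards
	sigOK = ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest[:], sig)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(ca) // the verifier's trust store holds only the audited CA
	_, errTrusted := cert.Verify(opts)
	opts.Roots = x509.NewCertPool() // the same certificate against a store that knows no CA at all
	_, errUnknown := cert.Verify(opts)
	return sigOK, errTrusted == nil, errUnknown == nil
}
func main() { fmt.Println(Demo()) }
```

Running it prints `true true false`: the mathematics holds in both cases, and only the trust store decides whether the issuer, and hence the identity, is accepted.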
This value results from two things:
– On one hand, the set of rules applied by the RA and the CA when issuing a certificate;
– On the other hand, the certification by an independent entity that this set of rules complies with the “regulations in force”: as in many other sectors, it is important to be able to rely on labels issued by an official body that offers an independent and impartial assessment of how well an electronic certification service complies with a set of standardized and recognized national or international best practices.
For this reason, standards common to all market players have been established in France, in Europe and around the world. In France, for example, the RGS (Référentiel Général de Sécurité, the General Security Framework) defines one-star (*), two-star (**) and three-star (***) levels for certificates. In Europe there are ETSI 102 042 and 101 456. Finally, in many other countries the WebTrust standard applies, either by regulation or de facto. Some of these levels have legal effects. For example, a certificate issued in accordance with RGS *** or ETSI 101 456 provides a presumption of reliability regarding the identity of the future signatory (several other elements, such as the signature process, come into play in order to presume the reliability of the signature, but the identity part is covered by these certifications). Attestations of compliance with these standards are issued following an audit carried out by a body accredited for that purpose (in France this is, indirectly, COFRAC, which itself accredits the auditing companies that issue such attestations).
It should be noted that this question of certification is fundamental, for our digital trust sector as for all others. Would you deposit your money with an institution that has not obtained a banking licence? Would you trust the accounts of a company that has no auditor? Would you use a non-certified body to establish the various diagnostics (lead, asbestos, termites, energy performance, gas, electricity, etc.) for your property? Would you buy a Picasso without its certificate of authenticity? Would you accept a library card in place of an identity card?
Similarly, a certificate issued by a non-audited, uncertified authority is of little interest, because there is no simple way of verifying that it was issued under proper conditions.
A “certificate on the fly” is therefore neither a “good” nor a “bad” solution per se. It may be either, depending on the context. The real question is whether this certificate was issued in accordance with the rules in force, whether it therefore carries the actual identity of the signatory, and whether the Certification Authority that issued it can be trusted.
Now, it must be understood that obtaining authorization to issue “quality” certificates carrying a reliable identity imposes a relatively complex registration process. It can therefore prove, on the one hand, economically costly for the provider implementing it and, on the other hand, potentially cumbersome and not very ergonomic for the future signatory. In the context of an on-the-fly certificate, since the registration and the issuance of the certificate must be carried out at each signature, the heaviest phase, registration, has to be repeated systematically.
This is where the interest of the “on the fly” certificate reaches its limits. Why repeat the most expensive and complicated phase of the process when it could be done only once? To caricature a little, it would be like going back to the police headquarters for a new identity card every time you need to present it, rather than obtaining it once and for all.
The position of Cryptolog-Universign on the “on the fly” certificate has not changed in ten years:
We believe that the regulatory constraints attached to the registration phase are too cumbersome to justify using this technique, except in a few very specific cases;
Universign therefore does not issue certificates “on the fly” from its certification authorities. Universign issues only permanent, reusable certificates through audited certification authorities, certified in accordance with the various security standards quoted above.