EN 419241-1:2018
EN 419241-1:2018 is a European standard specifying requirements for trustworthy systems supporting electronic signatures. It outlines security requirements for signature creation devices (SCDev) to ensure the integrity and authenticity of the signatures users produce.
Compliance of ThrivoSign with EN 419241-1:2018
ThrivoSign is designed to comply with the detailed requirements set forth in EN 419241-1:2018, ensuring a secure and trustworthy environment for electronic signature creation. Below is a comprehensive outline of how ThrivoSign meets these requirements:
| No | Profile Component | Description |
|---|---|---|
1 | The TW4S is composed at least of one Server Signing Application (SSA) and one Signature Creation Device (SCDev) or one remote Signature Creation Device. | T-RSSP is a compliant Server Signing Application that securely handles the process of creating electronic signatures. It ensures user authentication, document integrity, and signature creation within a controlled and secure environment. ThrivoSign provides detailed logs and audit trails to ensure transparency and accountability in the signing process. I4PSAM is a compliant Signature Creation Device that securely generates and manages cryptographic keys. It provides a tamper-resistant environment to protect private keys and supports secure cryptographic operations for creating electronic signatures. I4PSAM ensures secure communication with the SSA, maintaining the integrity and confidentiality of the signing process. |
2 | A remote SCDev is a SCDev extended with remote control provided by a Signature Activation Module (SAM) executed in a tamper protected environment. This module uses the Signature Activation Data (SAD), collected through a Signature Activation Protocol (SAP), in order to guarantee with a high level of confidence that the signing keys are used under sole control of the signer. | T-RSSP integrates with I4PSAM to ensure secure, compliant remote signature creation under signer’s sole control. |
3 | The SSA uses a SCDev or a remote SCDev in order to generate, maintain and use the signing keys under the sole control of their authorized signer. Signing key import from CAs is out of scope. | T-SSA uses I4PSAM to securely manage signing keys under the authorized signer's sole control. |
4 | 3.6 remote signature creation device signature creation device used remotely from signer perspective and applying the signature activation protocol to provide control of signing operation on its behalf and guarantees with a high level of confidence that the signing keys are used under sole control of the signer | I4PSAM ensures remote control of signing operations via the Signature Activation Protocol, guaranteeing that signing keys are used solely under the signer's control with high confidence. |
5 | 3.7 signature activation data set of data, which is collected by the SAP, used to control with a high level of confidence a given signature operation, performed by a cryptographic module on behalf of the signer, that this under sole control of the signer |
|
6 | 3.8 signature activation module configured software that uses the SAD in order to guarantee with a high level of confidence that the signing keys are used under sole control of the signer | I4PSAM is a configured software module that uses Signature Activation Data (SAD) to ensure, with high confidence, that the signing keys are used solely under the control of the authorized signer. It integrates with an EAS setup and utilizes JWT tokens for delegated authentication to enhance security and ensure the integrity of the signing process. |
7 | 3.10 signature creation application application that creates a signed document, using the digital signature generated by a SCDev | T-SSA is a compliant Signature Creation Application that creates signed documents using the digital signatures generated by I4PSAM, ensuring secure and authenticated signature creation. |
8 | signature creation sevice configured software and/or hardware cryptographic module used to create a digital signature | i4p SAM module to comply |
9 | 3.14 signer’s interaction component software and/or hardware component used by the signer to support the SAP | T-SIC is a mobile app that provides software interfaces for the signer to securely interact with the Signature Activation Protocol (SAP), ensuring the signing process is performed under the signer's sole control. |
10 | 5.4 — Sole control assurance level 2 (SCAL2): — The signing keys are used, with a high level of confidence, under the sole control of the signer. — The authorized signer’s use of its key for signing is enforced by the SAM by means of SAD provided, by the signer, using the SAP, in order to enable the use of the corresponding signing key. Only support SCAL2 | T-RSSP supports SCAL2, ensuring signing keys are used under the sole control of the signer with high confidence. The authorized signer’s key usage for signing is enforced by the SAM using SAD, with delegated authentication handled separately from the T-SIC mobile app, which complies with the Signature Activation Protocol (SAP). |
11 | 5.5 The enrolment of the signer and the electronic identification means characteristics and design requirements are defined in SRA_SAP.1.1. | Contact sales@idthrivo.com for further information |
12 | 5.7.2.2 1.1.1.1 SCAL2 The authentication mechanism requirements are defined in SRA_SAP.1.1. | Contact sales@idthrivo.com for further information |
13 | 5.7.3.2 SCAL2 —The SAD SHALL be set, computed or be the result of a secured interaction between the SAM and the SIC through the SSA, to authorize the signing operation within the SCDev, and — The SAD SHALL be transmitted to the SAM through the SSA to authorize the signing operation within the SCDev for a dedicated DTBS/R. | T-RSSP supports SCAL2, ensuring signing keys are used under the sole control of the signer with high confidence. SAD is securely set or computed through SSA-SIC interaction and transmitted to the SAM for authorization. |
14 | 5.7.4 Delegation of authentication to an external party The TSP MAY delegate the authentication process to an external party (e.g. to an identity provider). | T-RSSP use build-in IDP to comply delegation of authentication |
15 | 5.8 1.1 Signature activation data To reach the SCAL2, the use of the SAD to ensure control over the signer’s key SHALL be enforced by the SAM. Signature activation at SCAL2 requires fulfilment of several conditions as signer authentication and authenticity of signature operation request from the signer (details are given in 5.7). Both properties MAY be given directly by the SAD. It is however for instance also possible to perform signer authentication prior to SAD generation, e.g. using delegation of authentication. SAD can be a set of data or be a result of cryptographic operations (details are given in SRA_SAP.2) from which the same information can be derived. SAD contributes to authenticate directly or indirectly the signer. When the signer authentication takes place prior to collection of the SAD, the SAD SHALL contain items to identify the signer asserted by a known source. This assertion MAY come from either the SIC or from a trusted electronic identity provider. The source of the assertion SHALL be authenticated. | T-RSSP use build-in IDP to comply delegation of authentication |
16 |
| T-SIC used to authenticate the signer, and the T-RSSP generate assertion that identify the signer will be used in the SAD generation. |
17 | For SCAL2 private or secret keys are required to be generated and used in a tamper protected environment. In addition the software of the SAM is also required to be used in a tamper protected environment. | T-RSSP only support SCAL2 for now. |
18 | ||
19 | ||
20 | ||
21 | ||
22 | ||
23 | ||
24 |
Diagram
In summary, ThrivoSign complies with EN 419241-1:2018, ensuring a secure and trustworthy environment for electronic signature creation. By meeting the detailed requirements of this standard, ThrivoSign guarantees the integrity and confidentiality of electronic signatures through advanced security measures and robust key management protocols. This compliance ensures that ThrivoSign provides a reliable solution for organizations needing secure and legally compliant electronic signatures.
Last updated