Signature Levels

The signature portal supports all standard signature types as well as all eIDAS-compliant signature levels, from the simple signature to the qualified signature and the seal. The options of signature types available to the user can be configured in the signature portal/workflow configuration.

These options can then be selected by the workflow creator when configuring the workflow. Depending on the signature type, the user must perform different levels of identification, before he can sign the workflow. For a qualified signature, for instance, the user must first be identified by a remote signature service.


Signature types in the signature portal

In the signature portal, you can sign with different signature types. The following setting in the Signature Portal/Workflow menu provides an overview (Image 1).
The required signature can then be specified during workflow creation (Image 2), when creating the template (Image 3), or it is possible to request an advanced signature or remote signature directly via the menu. If the action "Check" is requested in a workflow, the workflow participant must check the document and the workflow settings and approvals in this step.



Combination Possibilities

You can combine certain signature methods to ensure the desired
protection potency and thus also the evidential value and non-repudiation.


There is a workflow that two people (A and B) need to sign. This document must then be protected so that it is tamper-proof. Persons A and B sign with a simple signature. Person B has to confirm their signature with an SMS OTP, similar to a bank transfer in online banking. The document is then sealed by the server. In addition, an audit log is created for this workflow and this is also sealed. This ensures the following safety-relevant factors:

  • There is a visual signature from A and B
  • B has to enter an SMS OTP in addition to the login at the signature portal. This makes it much harder for B to deny that B created this signature (since a hacker would have had control over B's password and cell phone at that time).
  • The document is protected from manipulation and modification by the seal.
  • It is clear that the document was signed using the company's server
  • The audit workflow log (which cannot be changed) can be used to prove which person signed which document and how the persons authenticated themselves.

There is a workflow in which two documents need to be signed: Instructions.pdf and contract.pdf. Instructions.pdf Is supposed to be signed by two internal users. Only when the instructions.pdf has been signed, should the contract.pdf be signed by an internal authorized signatory and then by an external user. The two internal signatures on Instructions.pdf are simple signatures. The authorized signatory who is then supposed to sign Contract.pdf must do so with a qualified signature. The signature of the external user should also be qualified. The following security-relevant factors are thus ensured:

  • Contract.pdf is not signed until instructions.pdf is signed/approved by internal colleagues.
  • The qualified signatures ensure that both signers of the contract.pdf know that it was really signed by the specified person and there was no manipulation of the file
  • The audit workflow log for the entire process is sealed, thus ensuring the correctness of the entire procedure

All signature levels at a glance

Simple Signature

An image of the visual signature is integrated into the PDF. Here there is no tamper protection (integrity protection) of the PDF which is safeguarded by cryptographic signatures. These can be used, for example, for so-called formless agreements, i.e. voluntary agreements that are written and signed for the purpose of providing evidence. In this case, the signer is a user who has previously been entered in the user directory.

Qualified signature

In this case, there can be a simple signature, i.e. visual signature, in the PDF. In addition to this, the file is protected from manipulation with the help of modern encryption (integrity protection). In addition, it ensures that the person signing the certificate has been strongly identified and that the recipient can be confident that the person indicated in the certificate is indeed the intended person. This is confirmed by the trust center. A Qualified Signature in the EU can only be created with the help of signature cards or remote signature. This is the only way to replace the written form required by law for a particular document. The signer here is a user previously added to the user directory.

Advanced signature

(with your own CA - the SecPKI server creates and manages the certificates) In this case, there can be a simple signature, i.e. visual signature, integrated into the PDF. In addition, the file is protected from manipulation using modern encryption (integrity protection). Furthermore, the PKI used allows the recipient to be identified by his or her public key. In the event of a legal dispute, it must be proven in this case - as with the simple electronic signature - that the signature and the identifier (e.g., a personnel number) are genuine. The signatory here is a user who has previously been registered in the user directory.

Qualified digital seal

This is the same as the qualified signature, except that the certificate does not contain a natural person (John Doe), but a legal entity (such as a company). However, the signed files are protected with the same level of security as with a QES or advanced signature. A qualified seal in the EU can only be created using signature cards or a remote signature. The important difference with the qualified signature is that with the qualified remote seal, no interaction on the part of the user and no 2FA is required. The sealing process for remote sealing or with the signature card can thus be integrated into workflows and processes in a completely automated manner.

With an electronic seal, it is possible for a group of persons to place an eIDAS-compliant (and thus is valid throughout Europe) company stamp or official seal on an electronic document. So, in the case of the qualified seal, the certificate for the qualified electronic seal is granted to a legal entity - in contrast to a qualified signature, where it is granted to a natural person. A qualified seal can be used as a smart card (seal card) HSM or as a remote seal with our software. The advantage of the seal is that the server used for sealing can and should be able to regulate via its authorization management who can access the seal and how. This means that users no longer have to enter a PIN for the card (more on authorization management below). Of course, client software (SecSigner) can also be used to sign directly with the seal at your workstation.

Advanced remote signatures

In the event of a legal dispute, it must be proven in this case - as with the simple electronic signature - that the signature and the identifier (e.g., a personnel number) are genuine. The signer here is a user previously registered in the user directory.

Qualified remote signature

With qualified remote signature, no signature card is required for a qualified signature.

Similar Topics