We have updated our signing solution to use Certification Authority services and timestamps provided by Intesi Group, an EU Qualified Trust Service Provider certified under eIDAS standards.
This means that a document signed via Penneo is now secured through a seal certificate issued by a Qualified Certification Authority that guarantees the origin and integrity of the document, as well as the authentic date and time of the creation of digital signatures.
The validity of documents signed via Penneo and their individual signatures can still be verified via our internal Validator. Additionally, users can now upload their documents on the EU validator to get information on the signature’s status, scope, and time, as well as on the certificate chain, timestamps, and LTV (Long Term Validation).
Same efficient outcome, higher security
Our choice to entrust Intesi Group was mainly due to two reasons:
We wished to further increase our services’ reliability:
Alongside the operation of our software, the creation of digital signatures via Penneo also depends on the continuity and good performance of two external services:
• digital IDs (MitID, BankID, itsme®, FTN, etc.), whose functioning is ensured by the Trusted Service Providers issuing such eIDs (such as Nets, Belgian Mobile ID, the Finnish Digital and Population Data Services Agency, etc.);
• the Certification Authority, which provides the certificate enabling the digital signature of the document. Such a certificate is an electronic attestation that links the signature data to the natural person that signs the document and confirms the identity of that person and the integrity of the document.
To ensure continuousness and ongoing availability of our services, we now lean on Intesi Group as a primary provider but still maintain our previous one (Globalsign) as a backup provider. It follows that in the case of disruption, maintenance, or any other issue that might occur to our primary certification authority, Penneo will automatically be supported by the second one, and our services will keep working as usual.
We wanted to offer our users an even higher level of assurance
At Penneo, we constantly strive to improve the quality of our services to meet and exceed users’ expectations. Our digital signatures are built on three core security principles: authenticity, content integrity, and non-repudiation. As a result, they ensure and demonstrate the identity of the signers, non-alteration of the data, and intent of signing and being bound to the agreement.
To provide an even greater level of assurance, the trustworthiness of our digital signatures and documents is now attested by a qualified certificate (issued by Intesi Group) that creates a PDF seal within the document. In this way, any alteration after the moment of signing is prevented (and detected if it occurs).
Moreover, both documents and signatures are time-stamped by that same qualified Certification Authority, meaning that their creation’s date and time are embedded in the document itself as cryptographic elements that can be subsequently verified to assess the validity of documents and signatures.
N.B. Digital signatures created in Penneo via eIDs meet the eIDAS requirements for advanced electronic signatures (AES).
Are Penneo users required to do something about this update?
Our new subscription to Intesi Group has no effect on the way Penneo works for our customers and no action is needed on their side.
The only difference users might notice appears when using a PDF viewer to open the document signed via Penneo. If you use Adobe Reader, for instance, the seal of the document (displaying information about the certificate) will appear as a blue bar at the top:
• For documents signed via Penneo until the 24th of February 2021, this message appears:
• As we now rely on Intesi Group to issue the qualified electronic seal on our documents, the following message appears:
The seal guarantees the probative value of the document. If the document is not valid, the bar will show the following text instead: “Certification by Penneo A/S is invalid”.
Why can a document signed with Penneo be considered legally binding? What evidence can users show later?
Penneo e-signatures meet the key legal requirements for digital signatures worldwide and provide users with any evidence they may need.
In case of a dispute, the digital version of the documents signed via Penneo embeds technical evidence that certifies who signed the agreement, what was agreed on, and when this happened:
• Within the digitally signed document, there is proof that the signer has accepted a statement of declaration and consent, which includes an overview of the document itself, as well as the signer’s role; this statement is stored as part of the signature itself.
• Besides, each newly generated digital signature is time-stamped by the time-stamping authority so that the trusted time of signature generation can be identified and used as non-repudiation evidence.
• Using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs), you have the electronic proof that undisputedly confirms the signatory identity and links the electronic signature validation data to that person.
• Moreover, once the digital signature has been submitted to a document, the entire package is signed by Penneo, guaranteeing its immutability. Our secured audit trail makes it extremely easy to verify if the signed document has been modified since it was signed.
How can I check the validity of a document signed via Penneo?
Documents signed via Penneo have very specific characteristics that are clear and visible in the digital version. Their presence provides assurance that the content and the signature have not been forged or compromised. Therefore, the final document is indisputable proof of authenticity of the signature and non-tempering of the content, and the parties involved cannot deny having signed it.
See what a document signed via Penneo looks like. You can also upload this document on the official validation tool made available by the European Union to verify digital signatures’ validity and read all the information it provides.
Verifying digital signatures and signed documents is also possible in other ways.
