What are the challenges when validating signatures?

A qualified electronic signature is uniformly accepted and validated using various tools. Although the interfaces differ, these tools fundamentally use the same validation source called the trust anchor. In the case of a qualified electronic signature, that trust anchor is a so-called Trusted List, published and maintained by each EU member state, and then all these lists are compiled into the EU Trusted List. 

When validating the signature, a tool would look up whether the certificate within the chain is located on that Trusted List and whether the certificate is valid. Further checks on the validity of the subscriber certificates are made via status services and timestamps. However, the fundamental legitimacy known as trust originates from the Trusted List.

Sometimes a document signed with a qualified electronic signature is enveloped by an additional certificate. Such certificates are called technical certificates, and they generally serve the purpose of tying the envelope to an audit trail or transaction. However, in most cases, those technical certificates are only advanced in nature, meaning that they do not have a trust anchor residing in the Trusted List.

For this reason, a document signed with a valid qualified electronic signature may be mistakenly classified as invalid due to the second technical certificate that envelopes the whole document for an entirely different purpose rather than document signing. Thus, such situations create friction between the signer and the receiving party since the signer has legitimately signed the document while the verifying party is looking at the wrong certificate.

Technical certificates should either also get qualified status or be completely foregone to prevent such misinterpretations from arising in the case of a qualified document signing. Naturally, it takes time for incumbents to implement such changes. Meanwhile, the signers can inform the receiving (verifying) party about the current state of affairs and demand to explain why a qualified signature is not accepted. This generally leads the receiving party to take a closer look at the signature validation challenge and accept the signature.