Digitally signing documents across Europe: an Italian perspective

I recently moved back to Italy from Belgium. As I opened a new fiscal position as a freelance consultant, I faced the question of signing documents digitally. There are several providers of digital identity services in the Italian market, with reasonable prices ranging from 25 to 85 euros per three years (plus VAT). However, as an e-resident of Estonia I already have a card, and related certificates, issued by a European Union member state that enables me to sign legally binding documents (with the usual identification, non repudiation, time stamping and other properties). So I wondered if I could use the Estonian digital identity cum signature in Italy too. 

The European Union has already created a legal framework for the inter-operability of digital identity tools across various the continent. It is called eIDAS (electronic IDentification Authentication and Signature) Regulation No. 910/2014. After a two years transition period, the regulation became fully effective in mid 2016.

The Agency for Digital Italy (AGID) provides a very helpful application (including links to the source code and a downloadable standalone version) to digitally sign or validate documents, or check if they comply with the eIDAS standards https://dss.agid.gov.it .

To test it, I created a simple pdf document and signed it with my Estonian e-resident card using the DigiCert4 software (recommended by the Estonians and available on the Mac app store). DigiCert4 produced a signed document in .asice format (a zipped container with the original pdf and others xml files containing signature and timestamp; linked here for testing, gunzip first because WordPress does not allow the direct upload of .asice files).

I tested it on the AGID web app and it was validated without a glitch.

If this is promising, it might not be the whole story. It is unlikely that the average Italian user will use AGID’s web app to validate digital signatures. On the national market there are several providers of digital signing services, each of them issuing a card (compliant with the Carta Nazionale dei Servizi – CNS) and the combination of hardware (USB keys or readers) and software to use it. I downloaded the free apps provided by three of the main players, put myself in the shoes of the recipient of my digitally signed document, and tried to validate the Estonian signature. Here are the – disappointing – results:

CompanySoftware [version]Outcome: can open the .asice file? Signature valid?
Aruba s.p.a.Aruba Sign [4.2.5]Yes, but signature is “invalid” and timestamp “corrupted”
InfoCertDike [6.5.8]No (files with this extension are greyed out, impossible to select and open them)
Poste ItalianeFirma OK [1.5.3]No (“the file is not a valid Pkcs7”)
[PosteItaliane’s app screenshot]

Among these apps, ArubaSign went the furthest: it could open the signed file and recognised its various components inside. However, while it found that the certificate had legal validity (compliant with EU regulation n. 910/2014) and is “reliable with reservations”, it deemed the signature “invalid” and the timestamp “corrupted”. A reasonable user of ArubaSign product would be excused if s/he refused my digital signature. However, the AGDI web app – developed and sanctioned by the Italian government, let’s not forget – says that my signature is fully legit.

Acknowledgements

Cover photo: Signature, une oeuvre signée dans le lit de La Durance Alpes de Haute Provence, by marc carpentier, (CC) 2018