Introduction

QSCD stands for Qualified electronic Signature/Seal Creation Device. It may also be referred to as a QSigCD when used to create electronic signatures, or a QSealCD when used to create electronic seals.

QSCDs based on crypto modules are used specifically for server signing purposes. A QSCD uses various technical procedures and means to ensure, among other things, that signature keys remain confidential and are generated by means of established cryptographic procedures.

A QSCD must satisfy the requirements of Annex II of the eIDAS regulation; see also eIDAS requirements for the QSCD below.

It is typically a hardware security module that meets the requirements of the eIDAS regulation and is certified according to the Common Criteria Protection Profile EN 419 221-5 “Cryptographic Module for Trust Services”.

Such a QSCD can be used in conjunction with a qualified certificate to produce a qualified signature/seal.

Which QSCD is supported?

The following QSCDs are currently tested and supported:

eIDAS requirements for the QSCD

According to the eIDAS regulation, a QSCD is configured software or hardware that is used to create an electronic signature/seal and that meets the following requirements:

  1. Qualified electronic signature creation devices shall ensure, by appropriate technical and procedural means, that at least:
    • the confidentiality of the electronic signature creation data used for electronic signature creation is reasonably assured;
    • the electronic signature creation data used for electronic signature creation can practically occur only once;
    • the electronic signature creation data used for electronic signature creation cannot, with reasonable assurance, be derived and the electronic signature is reliably protected against forgery using currently available technology;
    • the electronic signature creation data used for electronic signature creation can be reliably protected by the legitimate signatory against use by others.
  2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.
  3. Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider.
  4. Without prejudice to point 1, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes provided the following requirements are met:
    • the security of the duplicated datasets must be at the same level as for the original datasets;
    • the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service.