Electronic signature of documents in the UAE


In this note I will not go deep into technical details, so that it stays understandable to most readers, but I will also try to make it worth 10 minutes of a software developer's time.

The level of digitalization in the UAE is very high. At the same time, you need to understand that an "only the wrapper is beautiful" attitude and a "simplified approach to software development" affect software services and products.

As in Russia, in the UAE a qualified electronic signature is equivalent to a handwritten signature, unless otherwise specified by law. This is legally governed by Federal Decree by Law No. 46 of 2021 on Electronic Transactions and Trust Services, which unifies previous laws related to electronic signatures. The law is available in Arabic and English. Let me remind you that the main (but not the only) difference between a qualified electronic signature and an unqualified one lies in the issuer of the electronic signature certificate. The certification authority issuing certificates must be accredited by the state.

I will talk about the electronic signature of an individual – this is enough to understand the overall picture, and I will start with a brief description of the Russian Gosklyuch system, which will help with comparison.

The State Key (Gosklyuch) service is a system for cloud-based electronic signing of documents. All certificates are stored in the cloud. There is no provision for transferring certificates to the client. Document signing also takes place in the cloud. The client application for iOS and Android is based on the IDPoint application from InfoTeKS Internet Trust JSC. InfoTeKS Internet Trust is an accredited certification authority and automatically issues qualified certificates for Gosklyuch users. The same company makes the certified ViPNet CIPF (cryptographic information protection facility), which is used to issue certificates and create signatures.

Cloud-based qualified electronic signature certificates are issued after authentication with a biometric international passport or a visit to the MFC.

There are practically no complaints about the operation of the system; everything is perfectly designed and implemented. The Gosklyuch application itself does not have the functionality for the user to upload documents from his device. All documents are transmitted through third-party information systems that are adapted to work with State Key via SMEV or API. For example, State Services.

Through State Key you can sign files in PDF, TXT, XML and graphic formats. The signature is detached, in CMS format. Signature algorithm: GOST R 34.11-2012/34.10-2012 256 bits. Hash algorithm: GOST R 34.11-2012 256 bits. The attributes of the signature certificate contain the full name, INN, and SNILS of the signatory, as befits a qualified electronic signature.

“Gosklyuch” for the average person may seem like something progressive at first glance. The quality of implementation plays an important role in this perception (it is really high). But in reality, this solution is technologically outdated:

  1. The signature is in an outdated CMS format. The format must be "upgraded" to at least the current CAdES, using a profile with a trusted time stamp, in accordance with ETSI. I.e., the signature must contain a trusted time stamp of when the signature was created. This is legally important, it is provided for by law, and there are no technical difficulties. More precisely, there is one difficulty: the outdated ViPNet CIPF.
  2. There is no support for the PAdES format. There must be support for the PAdES format with the B-T profile. I.e., it should be possible to sign a PDF document with an embedded signature carrying a trusted time stamp and a visual electronic signature mark, in accordance with the PDF format. The Gosklyuch team (InfoTeKS) will tell you that none of this is necessary for electronic document management and that they have their own way, but this is a utopia. Other countries think differently, and the path is still common to everyone. Just look at the implementation of the electronic car purchase and sale contract through State Services from the Ministry of Digital Development, where Gosklyuch and an unqualified electronic signature are used. The result looks like moss and sawdust (any adequate product manager will say: "Guys, who did you do this for? This should not be released in production, this is not the norm."): 7 closely interconnected files located in different places, a PDF visualization of the contract with fake visual electronic signature marks, and incorrect correspondence between the detached signatures and the PDF contract. The average user is simply unable to deal with this zoo, and should not have to; it just needs to be done well from the start.

A couple of officials/managers should be given "Russian traditional values - piz***li" instead of money, and the shortcomings in Gosklyuch will be eliminated.

UAE PASS is, on the one hand, a unified identification and authentication system similar to the Russian ESIA, only technically and technologically simpler and with more lenient rules for use by third-party developers. On the other hand, UAE PASS is a cloud-based electronic signature system. UAE PASS integrates functionality for working with electronic signatures, namely document signing and document signature verification.

The system and applications are developed by the Dubai Digital Authority.

For the average user, UAE PASS is an application for iOS and Android. The UAE PASS website is complementary, and the described functionality will not work without the application (authentication in it).

To register for UAE PASS, you need an Emirates ID card (every resident and citizen has one), phone number, e-mail and facial identification (from the phone).


UAE PASS has two account levels: Basic and Verified. I will only refer to the latter level, with maximum rights: Verified. All residents receive it automatically after passing facial identification, because they provide biometric data upon entry and when applying for a residence permit.

A small note – when actually using the UAE PASS, I saw certain differences and discrepancies with the documentation. Of course, this is due to the development and change of the product, and the poor quality of work of technical writers or its complete absence in such an important product.

An electronic signature certificate is automatically issued for your UAE PASS account. The electronic signature certificate is stored in the cloud HSM and cannot be downloaded. I.e., the signature system is completely cloud-based, just like Gosklyuch. The validity period of issued certificates is 3 years. Most likely, the certificate is reissued automatically based on various events. The certificate is qualified, and an electronic signature created using such a certificate is equivalent to a handwritten signature under UAE law.

The signature is implemented according to ETSI standards. You can sign only PDF documents, choosing between two signature types, Qualified and Advanced; the signature is in PAdES B-T and PAdES B-LTA format (embedded in the PDF). The B-T profile contains a trusted time stamp. The B-LTA profile is a long-term signature for archiving with an archival timestamp. A visual digital signature stamp is affixed to the PDF in a location of your own choice. The visual stamp contains the signatory's data and an electronic copy of the handwritten signature (it is created when submitting biometric data). Signature algorithm: RSA (2048 bits). Hash algorithm: SHA (384 bits). The signature certificate attributes contain the full name and Emirates ID.
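What an embedded PAdES signature with a trusted time stamp looks like at the byte level, as an added example (not code from UAE PASS or iText): the checker reads each signature dictionary, confirms that the `/ByteRange` skips nothing but the `/Contents` value, reports whether the signature reaches the end of the file, and looks for the signature time-stamp attribute that a B-T signature carries. The sample bytes and the helper `build_sample` are constructed for illustration; no cryptographic verification is performed.

```python
import re

# DER bytes of OID 1.2.840.113549.1.9.16.2.14 (id-aa-signatureTimeStampToken), the
# unsigned CMS attribute that carries the trusted time stamp of a B-T signature.
SIG_TS_OID = bytes.fromhex("060b2a864886f70d010910020e")
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
BR_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def inspect_signatures(pdf: bytes) -> list:
    """Structural (not cryptographic) report on every signature dictionary."""
    reports = []
    for obj in OBJ_RE.finditer(pdf):
        br = BR_RE.search(obj.group(1))
        if not br:
            continue
        a, b, c, d = map(int, br.groups())
        gap = pdf[a + b:c]  # the only bytes the digest skips
        # The skipped gap must be exactly the <hex> /Contents value, nothing more.
        gap_ok = a == 0 and re.fullmatch(rb"<[0-9A-Fa-f]*>", gap) is not None
        hexstr = gap[1:-1].decode() if gap_ok else ""
        cms = bytes.fromhex(hexstr + "0" * (len(hexstr) % 2))
        sub = re.search(rb"/SubFilter\s*/([\w.]+)", obj.group(1))
        reports.append({
            "subfilter": sub.group(1).decode() if sub else None,
            "gap_is_contents_only": gap_ok,
            # False: later bytes (e.g. an incremental update) are outside this signature.
            "covers_to_eof": c + d == len(pdf),
            # Heuristic byte search, not an ASN.1 parse of the CMS structure.
            "has_signature_timestamp": SIG_TS_OID in cms,
        })
    return reports

def build_sample(cms: bytes, appended: bytes = b"") -> bytes:
    """Constructed PDF-like bytes holding one signature object (not a real PDF)."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached /Contents "
    contents = b"<" + cms.hex().encode() + b">"
    fmt = b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n"
    b_len, c_off = len(head), len(head) + len(contents)
    tail = fmt % (b_len, c_off, len(fmt % (0, 0, 0)))
    return head + contents + tail + appended

if __name__ == "__main__":
    # Constructed CMS stand-ins: the first contains the time-stamp attribute OID.
    print(inspect_signatures(build_sample(b"\x30\x80" + SIG_TS_OID + b"\x00\x00")))
    print(inspect_signatures(build_sample(b"\x30\x03\x02\x01\x01", b"% appended\n")))
```

In a B-LTA file the signer's own signature is normally followed by an incremental update, so `covers_to_eof` is expected to be true only for the last signature or document time stamp in the file.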

To create an electronic signature, you cannot do without UAE PASS and network access. You can verify signatures with any convenient tool in which the corresponding root and intermediate certificates have been added as trusted, because everything complies with ETSI standards. The simplest and most reliable option is the UAE PASS system itself. You can also use Adobe Acrobat.

The certificate of the certification authority that issues certificates for UAE PASS users is called ICA Qualified CA G4 E3. ICA is an obsolete acronym for the Federal Authority for Identity and Citizenship. The current name is ICP: Federal Authority For Identity, Citizenship, Customs & Port Security.

The CA certificate is issued under the UAE government root certificate UAE Global Root CA G4 E3. I have not found any mention of it anywhere, but I have a suspicion that it refers to the emirate of Abu Dhabi. Theoretically, the repository with the description should be here (but it's empty now). For example, the certificate UAE Global Root CA G4 E2 belongs to the emirate of Dubai and is posted in Dubai government repositories.

The trusted time stamp is applied by the Dubai Timestamping Authority service. However, its certificate differs from the one posted in the Dubai government repository.

To work with PDFs on the UAE PASS server, the Java library iText 5.5.12 is used under the AGPL license. I did not find the published source code of the part of the system that uses the iText library on sites related to UAE PASS.

In general, everything is done efficiently and conveniently. Applications for Android and iOS work stably. The service has obvious and visual bugs that do not affect key functionality, but they raise questions about how they got into production and have not yet been fixed.

Documentation and the UAE PASS REST API are available for developers.

The API is heterogeneous, created either by different teams or on different technology platforms. There are contradictions in the documentation, lack of information, currently missing functionality is mentioned, etc. But in general, you can use it, there is enough information.

Available:

  • Ready-made SDKs for iOS (Swift) and Android (Kotlin), allowing you to implement UAE PASS authentication, document signing, document signature verification.
  • Examples.
  • Collections for Postman.
  • A ready-made local web server in Java for signing hashes and PDFs (most of the work with the API is implemented there).
  • Docker containers for signing hashes and PDFs.
