Caution required in the handling of qualified electronic signatures
Banka Slovenije and the Ministry of Digital Transformation have become aware of certain improper practices at one of the credit institutions that might induce holders of qualified electronic signatures into using them dangerously and unlawfully. We therefore advise all holders to exercise caution when using them.
The Electronic Identification and Trust Services Act (ZEISZ) requires holders of qualified electronic signatures to use them in person, with the diligence of a good manager; any other kind of use is sanctioned by a fine. Users must thus be particularly attentive to the safe storage of qualified electronic signatures; in particular, access to the electronic media on which the qualified electronic signatures are stored must be strictly controlled, and qualified electronic signatures must not be passed on to other persons. At the same time we are also highlighting the need to take the utmost care in keeping the private key secure. We are advising users to immediately contact the issuer to cancel the qualified electronic signature if they suspect their private key has been misused, or has been passed on to unauthorised persons.
Every holder of a qualified electronic signature has a pair of keys, one private and one public.
The private key allows for the creation of:
- an advanced electronic signature, if the qualified certificate is saved in browser storage, or
- a qualified electronic signature, if the qualified certificate is saved on a certified smartcard or smart token. A qualified electronic signature has the same legal effect as a handwritten signature.
The private key is unique to each holder, and thus needs to be handled with the utmost care for security. The public key is also unique to each holder, but is accessible to anyone.
An electronic document is signed using the private key, while the electronic signature is verified using the signatory’s public key. The two keys are thus linked in that the electronic signature on a document made using the private key can only be verified by the corresponding public key. The qualified electronic signature is the data structure that links the holder with their public key.