Public Key Infrastructure (PKI)

Qualified Electronic Signatures under eIDAS require PKI-based certificates issued by trusted service providers.

**How PKI works in document signing**

The PKI process for digital signatures follows a chain of trust:

1. **Key generation:** A signer generates a public-private key pair. The private key is kept secret; the public key is shared. 2. **Certificate issuance:** A Certificate Authority (CA) verifies the signer's identity and issues a digital certificate binding their identity to their public key. 3. **Signing:** The signer uses their private key to create a cryptographic signature of the document's hash. This proves they (and only they) signed it. 4. **Verification:** Anyone can verify by using the signer's public key (from the certificate) to confirm the signature matches the document hash.

**PKI vs simpler e-signature approaches**

Full PKI infrastructure is complex — it requires certificate management, revocation checking, and trust chain validation. For most business contracts, simpler approaches (email verification, OTP, API key authentication) provide sufficient identity assurance without PKI overhead.

PKI becomes essential when: - Regulatory compliance requires cryptographic proof of identity (QES under eIDAS) - Documents must be verifiable years or decades later - The signing system must integrate with government identity infrastructure - Non-repudiation requirements are stringent (the signer cannot deny they signed)

**PKI in the real world**

PKI is the foundation of HTTPS (TLS certificates), code signing, email encryption (S/MIME), and government digital identity systems. In the e-signature space, DocuSign and Adobe Sign use PKI for their digital signature features, while simpler APIs like Signbee use SHA-256 hashing with email-based identity verification — sufficient for standard business contracts.