FAQ on the issuance and verification of an e-Apostille

1. What technology is suggested under the e-APP to issue e-Apostilles and how does it work?
2. What is the suggested process for issuing and using e-Apostilles?
3. What are the advantages of using e-Apostilles?
4. What are the costs of implementing and issuing e-Apostilles as suggested under the e-APP?
5. Can an e-Apostille be issued for a paper public document?
6. What is a digital signature?
7. How does a Competent Authority obtain a digital certificate?
8. Which Certificate Authority should be used?
9. How does a Competent Authority use a digital certificate to sign e-Apostilles?
10. How does the recipient of an e-Apostille verify its origin, including the current status of a Competent Authority's digital certificate?
11. How can a recipient verify the digital certificate of a Competent Authority for the first time?
12. How can a recipient recognise the digital certificate of a Competent Authority?

1. What technology is suggested under the e-APP to issue e-Apostilles and how does it work? ^

Under the e-APP, it is suggested that Competent Authorities use readily available and already widely used PDF technology and digital certificates to issue e-Apostilles. Digital certificates can now be used within Adobe® PDF as well as in Microsoft® Word 2007 to secure sensitive documents from unauthorized tampering. In addition, PDF technology now supports an optional XML layer of data that can be used to secure and transmit data in a human-readable format.

For a Competent Authority to be able to issue e-Apostilles as suggested under the e-APP, it has to acquire a valid license to the Standard or Professional version of Adobe 7.0 or greater. PDF documents that have been created with Adobe 8.0 Professional can be digitally signed using the free version of Adobe Reader 8.0. This means that for large Competent Authorities with several officials who issue e-Apostilles, only one licensed version of Adobe Professional 8.0 is required.

The recipient of the e-Apostille will be able to view the e-Apostille using the free Acrobat Reader.

The use of PDF technology is a suggestion only and Competent Authorities can develop or use comparable proprietary software to issue e-Apostilles.
 
2. What is the suggested process for issuing and using e-Apostilles? ^

The process is as follows:

  • The Competent Authority applies for a digital certificate from a Certificate Authority. The Certificate Authority screens and verifies the identification of the Competent Authority and issues a digital certificate for the Competent Authority that includes such information as name, business address, e-mail address, etc. (this process of applying for and obtaining a digital certificate need only be done once, although the certificate must be renewed on what is typically an annual basis).
    Under the e-APP, it is strongly recommended that a certificate only be issued to a Competent Authority upon personal appearance of an authorized representative before a registered agent of the Certificate Authority to present appropriate identification documents.
  • The Competent Authority digitally signs the e-Apostille, to which an electronic version of the underlying document is attached so that the two documents form one single PDF file. The single PDF file (i.e., the e-apostillised document) is then sent to the requesting party.
  • The requesting party (or in some cases the Competent Authority itself) sends the e-apostillised document to the relevant person or authority in the receiving State.
  • Using Adobe 7.0 or greater (Reader, Standard or Professional), a party receiving an e-Apostille can configure the Adobe product to verify the current "revocation status" of the Competent Authority's digital certificate. This automated verification requires an Internet connection, as it ensures that the certificate has not been revoked and is still in good standing with the issuing Certificate Authority. A party receiving an e-Apostille for the first time may notice that a "Question Mark" icon displays on the signature block of the Competent Authority who signed the e-Apostille. Configuring Adobe to verify the current revocation status of a digital certificate will have the added benefit of removing this question mark icon because the configuration process also adds the Competent Authority's digital certificate to the list of "trusted" digital certificates. For more details on this point, see questions 11 and 12.

See the step-by-step instructions for issuing an e-Apostille for a more comprehensive answer.

3. What are the advantages of using e-Apostilles? ^

An e-Apostille signed using a digital certificate will provide the following assurances:

  • Integrity - assurance that the complete e-Apostille file has not been altered;
  • Authentication - assurance as to the origin of the e-Apostille; and
  • Non-repudiation - assurance that the e-Apostille was indeed signed by the Competent Authority identified in the e-Apostille.

Considering that current methods of attaching paper Apostilles to the underlying public document (e.g., the use of staples or other insecure forms of attachment) render them easily vulnerable to fraud, the use of PDF e-Apostilles in combination with digital certificates offers dramatically increased security and effective fraud-fighting tools to Competent Authorities and all users of Apostilles.

4. What are the costs of implementing and issuing e-Apostilles as suggested under the e-APP? ^

The costs are small. The use of PDF technology to issue e-Apostilles requires minimal investment:

  • Digital certificates compatible with Adobe Acrobat PDF and a licensed version of Adobe Acrobat Standard or Professional (7.0 or greater) represent the only required cost - any recipient of the e-Apostille can view the e-Apostille with the freely available Adobe Reader;
  • It is easily possible for a Competent Authority to receive at reasonable cost a digital certificate from a trusted Certificate Authority whose issuance process follows widely recognized standards;
  • The only additional required expenditures are appropriate hardware and technical staff resources to produce and manage electronic documents and e-Apostilles.

5. Can an e-Apostille be issued for a paper public document? ^

Yes. Under the e-APP, e-Apostilles can not only be issued for public documents presented in electronic form, but also for public documents which have been executed in paper form but are subsequently scanned by the authority who issued the public document or by the Competent Authority.

6. What is a digital signature? ^

A Competent Authority may digitally sign a document using a "digital certificate", which is an electronic file containing the issuer's name, email address, and other relevant information. The digital certificate is issued by a Certificate Authority and is protected by sophisticated cryptographic methods to prevent forgery. Certificates of this character form the basis of most online commerce and are widely trusted. For a helpful description of electronic signatures in general, see p. 19-31 of the Guide to Enactment 2001 relating to the UNCITRAL Model Law on Electronic Signatures.

For the purposes of the e-APP, digital certificates used by Competent Authorities must adhere to the ITU-T X.509 standard, which ensures the uniformity of the information these certificates convey. Further information about this standard may be found here.

7. How does a Competent Authority obtain a digital certificate? ^

In most situations, a Competent Authority will need to submit an application to a Certificate Authority directly, but in some situations a Competent Authority may submit an application to an authorized agent of the Certificate Authority, typically known as a Registration Authority. A Certificate Authority is an independent third-party that issues the digital certificate that is used to digitally sign the PDF. It is an audited organisation that must adhere to strict operating procedures in order to maintain trust in the digital certificates that it issues. The Registration Authority is a party contracted to the Certificate Authority that is solely responsible for proofing the identity and establishing the related rights and duties of a person requesting a digital certificate.

In some other cases, the Competent Authority may be required to obtain a digital certificate from a government-run or government-authorized Certificate Authority.

8. Which Certificate Authority should be used? ^

The HCCH and the NNA may assist a Competent Authority in identifying Certificate Authorities who issue individual or organisational digital certificates in a trusted manner, such that all relying parties will have a very high degree of trust in the digital certificates used by Competent Authorities to digitally sign e-Apostilles as a part of the e-APP. The e-APP thus includes an effort to work with Competent Authorities, Certificate Authorities and any other groups and individuals interested in the e-APP to maintain a list of Certificate Authority providers who can facilitate the secure issuance of digital certificates to Competent Authorities. The goal of this list is not to exclude or otherwise favour specific Certificate Authorities. Rather, Competent Authorities are free to identify those Certificate Authorities they wish to work with and to publicise this information through the e-APP for the benefit of all participants.
One of the authorities is http://www.verisign.com/

9. How does a Competent Authority use a digital certificate to sign e-Apostilles? ^

In software applications such as Adobe Acrobat and Microsoft Word, a digital signature is affixed to an electronic document by clicking a signature field. Rather than signing by hand, in other words, a mouse click suffices.

In Acrobat, a digital signature renders a PDF document tamper-evident such that any subsequent changes to the document will be evident in the document itself. The changes can be investigated to determine whether or not they were authorized changes.

In Microsoft® Word 2007, however, a digital signature by default renders the document tamper-resistant such that the document cannot be modified or edited in any way without removing the digital signature entirely.

10. How does the recipient of an e-Apostille verify its origin, including the current status of a Competent Authority's digital certificate? ^

An interested person has two options to verify the origin of an e-Apostille he or she has received:

  1. by accessing the e-Register (if applicable) of the Competent Authority which supposedly issued the e-Apostille (see FAQ on e-registers); and/or
  2. by verifying the status of the digital certificate of the Competent Authority which supposedly issued the e-Apostille. The recipient of an e-Apostille may indeed click the digital signature field of a Adobe PDF documents; this will open a dialog box that enables the recipient to verify that:
    • a. the digital certificate was issued by a particular Certificate Authority,
    • b. that the digital certificate has not expired, and
    • c. that the digital certificate has not been revoked.

11. How can a recipient verify the digital certificate of a Competent Authority for the first time? ^

When a recipient of an e-Apostille verifies the digital signature of a Competent Authority for the first time, Adobe is likely to display a "question mark" message on the digital signature (it should however be noted that previous Adobe versions displayed an "Unknown" message).

In the PDF environment, a recipient of a digitally signed document must deliberately add the signer's digital certificate to his or her list of trusted identities in Adobe Reader (or Standard or Professional). This process ensures that the recipient of the document has the option to trust or not trust a particular signer's digital certificate.

This simple security protocol encourages the document recipient to independently verify the authority and identity of the sender of the document. The recipient can do this by contacting (e.g. by telephone or (e-)mail) the Competent Authority which (supposedly) signed the e-Apostille and ask if they did actually sign the relevant e-Apostille. The recipient may also contact the Certificate Authority whose name appears in the certification path; this may again be done by telephone or (e-)mail), or (if applicable) by accessing its public key register on-line and verify the origin of the certificate. A Certificate Authority will generally maintain a publicly accessible web page or provide contact information on their web site for such a purpose.

Generally, however, it is easier to verify the authority and identity of the sender's digital certificate by calling the Competent Authority (contact details of most Competent Authorities are available on the "Apostille Section" of the Hague Conference's web site).

12. How can a recipient recognise the digital certificate of a Competent Authority?  ^

Once satisfied with the verification process, the recipient then follows the steps described below to recognise and trust the digital certificate in the PDF document signed by that sender. This process of recognising and trusting the digital certificate need only to be completed once, as any future documents digitally signed by that sender's certificate will automatically be recognised and trusted by the receiver's Adobe software.

In Adobe Reader/Standard/Professional versions 7.0 and 8.0, for example, the recipient should take the following steps to add a sender's digital certificate to the recipient's list of trusted identities:

1) Click the digital signature.
2) Click the Signature Properties button in the Signature Validation Status dialog box.
3) Click the Show Certificate button on the Summary tab in the Signature Properties dialog box.
4) Click the Trust tab.
5) Click the Add to Trusted Identities button.
6) Click the OK button.
7) In the Import Contact Settings dialog box, check the appropriate Trust Settings checkboxes to trust the digital certificate. It is recommended that the user select only the first checkbox for "Signatures and as a trusted root".

For a more detailed explanation, see How to Add a Digital Certificate to the List of Trusted Identities and How to Remove a Digital Certificate from the List of Trusted Identities in Adobe Acrobat 7.0 or greater.

Further and more detailed information about this whole process can be reviewed in Prel. Doc. No 18.

Übereinkommen