The electronic Apostille Pilot Program FAQs (frequently-asked questions)
3.1 What technology is suggested under the e-APP to issue e-Apostilles and how does it work?
Under the e-APP, it is suggested that Competent Authorities use readily available and already widely used PDF technology and digital certificates to issue e-Apostilles. Digital certificates can now be used within Adobe® PDF (as well as in Microsoft® Word 2007) to secure sensitive documents from unauthorized tampering. In addition, PDF technology now supports an optional XML layer of data that can be used to secure and transmit data in a human-readable format.
For a Competent Authority to be able to issue e-Apostilles as suggested under the e-APP, it has to acquire a valid license to the Standard or Professional version of Adobe 7.0 or greater. The recipient of the e-Apostille will be able to view the e-Apostille using the free Adobe Reader.
Considering that current methods of attaching paper Apostilles to the underlying public document (e.g., the use of staples or other insecure forms of attachment) render them easily vulnerable to fraud, the use of PDF e-Apostilles in combination with digital certificates offers dramatically increased security and effective fraud-fighting tools to Competent Authorities and all users of Apostilles.
The use of PDF technology is a suggestion only and Competent Authorities can develop or use comparable proprietary software to issue e-Apostilles.
Under the e-APP, Competent Authorities who contemplate issuing e-Apostilles are encouraged to contact receiving jurisdictions to inquire whether these jurisdictions will accept the envisaged e-Apostilles.
3.2 What is the suggested process for issuing and using e-Apostilles?
The process is as follows:
The Competent Authority applies for a digital certificate from a Certificate Authority. The Certificate Authority screens and verifies the identification of the Competent Authority and issues a digital certificate for the Competent Authority that includes such information as name, business address, e-mail address, etc. (this process of applying for and obtaining a digital certificate need only be done once, although the certificate must be renewed on what is typically an annual basis).
The Competent Authority digitally signs the e-Apostille, to which an electronic version of the underlying document is attached so that the two documents form one single PDF file. The single PDF file (i.e., the e-apostillised document) is then sent to the requesting party.
The requesting party (or in some cases the Competent Authority itself) sends the e-apostillised document to the relevant person or authority in the receiving State.
Using Adobe 7.0 or greater (Reader, Standard or Professional), a party receiving an e-Apostille can configure the Adobe product to verify the current "revocation status" of the Competent Authority's digital certificate. This automated verification requires an Internet connection, as it ensures that the certificate has not been revoked and is still in good standing with the issuing Certificate Authority. A party receiving an e-Apostille for the first time may notice that a "Question Mark" icon displays on the signature block of the Competent Authority who signed the e-Apostille. Configuring Adobe to verify the current revocation status of a digital certificate will have the added benefit of removing this question mark icon because the configuration process also adds the Competent Authority's digital certificate to the list of "trusted" digital certificates.
3.3 What are the advantages of using e-Apostilles?
An e-Apostille signed using a digital certificate will provide the following assurances:
Integrity - assurance that the complete e-Apostille file has not been altered;
Authentication - assurance as to the origin of the e-Apostille; and
Non-repudiation - assurance that the e-Apostille was indeed signed by the Competent Authority identified in the e-Apostille.
Considering that current methods of attaching paper Apostilles to the underlying public document (e.g., the use of staples or other insecure forms of attachment) render them easily vulnerable to fraud, the use of PDF e-Apostilles in combination with digital certificates offers dramatically increased security and effective fraud-fighting tools to Competent Authorities and all users of Apostilles.
3.4 What are the costs of implementing and issuing e-Apostilles as suggested under the e-APP?
The costs are small.
The use of PDF technology to issue e-Apostilles requires minimal investment:
Digital certificates compatible with Adobe Acrobat PDF and a licensed version of Adobe Acrobat Standard or Professional (7.0 or greater) represent the only required cost - any recipient of the e-Apostille can view the e-Apostille with the freely available Adobe Reader;
It is easily possible for a Competent Authority to receive at reasonable cost a digital certificate from a trusted Certificate Authority whose issuance process follows widely recognized standards;
The only additional required expenditures are appropriate hardware and technical staff resources to produce and manage electronic documents and e-Apostilles.
3.5 Can an e-Apostille be issued for a paper public document?
Yes. Under the e-APP, e-Apostilles can not only be issued for public documents presented in electronic form, but also for public documents which have been executed in paper form but are subsequently scanned by the authority who issued the public document or by the Competent Authority.
3.6 What is a digital signature?
A Competent Authority may digitally sign a document using a "digital certificate", which is an electronic file containing the issuer's name, email address, and other relevant information. The digital certificate is issued by a Certificate Authority and is protected by sophisticated cryptographic methods to prevent forgery. Certificates of this character form the basis of most online commerce and are widely trusted. For a helpful description of electronic signatures in general, see p. 19-31 of the Guide to Enactment 2001 relating to the UNCITRAL Model Law on Electronic Signatures.
For the purposes of the e-APP, digital certificates used by Competent Authorities must adhere to the ITU-T X.509 standard, which ensures the uniformity of the information these certificates convey. Further information about this standard may be found here.
3.7 How does a Competent Authority obtain a digital certificate?
In most situations, a Competent Authority will need to submit an application to a Certificate Authority directly, but in some situations a Competent Authority may submit an application to an authorized agent of the Certificate Authority, typically known as a Registration Authority. In some other cases, the Competent Authority may be required to obtain a digital certificate from a government-run or government-authorized Certificate Authority.
In any case, once the application is received, the information in the application will be verified by the Certificate Authority or its authorized Registration Authority. Depending upon local laws and regulations, this verification will typically involve the physical appearance of the Competent Authority agent who completed the application before an authorized representative of the Certificate Authority, a process known as in-person proofing. The Certificate Authority's agent will require the Competent Authority applicant to present satisfactory evidence of identity (usually in the form of a picture ID) and may require the applicant to provide some other proof of identity depending upon any local laws or regulations. In some jurisdictions, the Certificate Authority may also call the Competent Authority applicant's place of employment to verify facts stated on the application, for example.
When the verification process is complete, the Competent Authority applicant will typically receive an email notification to enter a unique PIN or Authorization Code to request the digital certificate. After entering the unique PIN or Code, the applicant will receive an email to download the digital certificate.
In the Windows operating system, a digital certificate is normally downloaded to a secure location in the operating system known as the Windows Certificate Store. The Certificate Store is simply a location within the Windows operating system that is designed to conveniently store digital certificates for use with third-party applications like Adobe® Acrobat® or Microsoft® Word (see the FAQ, "How does a Competent Authority use a digital certificate to sign e-Apostilles?").
During the download process, the Windows operating system may prompt the Competent Authority to create a password to protect the digital certificate from unauthorized access. Each time a Competent Authority uses the digital certificate to digitally sign an e-Apostille, the Competent Authority must enter this password.
Each Certificate Authority's process may differ but will likely follow these same basic steps.
3.8 Which Certificate Authority should be used?
The HCCH and the NNA may assist a Competent Authority in identifying Certificate Authorities who issue individual or organisational digital certificates in a trusted manner, such that all relying parties will have a very high degree of trust in the digital certificates used by Competent Authorities to digitally sign e-Apostilles as a part of the e-APP. The e-APP thus includes an effort to work with Competent Authorities, Certificate Authorities and any other groups and individuals interested in the e-APP to maintain a list of Certificate Authority providers who can facilitate the secure issuance of digital certificates to Competent Authorities. The goal of this list is not to exclude or otherwise favour specific Certificate Authorities. Rather, Competent Authorities are free to identify those Certificate Authorities they wish to work with and to publicise this information through the e-APP for the benefit of all participants.
3.9 How does a Competent Authority use a digital certificate to sign e-Apostilles?
In software applications such as Adobe Acrobat and Microsoft Word, a digital signature is affixed to an electronic document by clicking a signature field. Rather than signing by hand, in other words, a mouse click suffices.
Once the Competent Authority clicks the signature field, for example, in PDF, a dialog box will display all the digital certificates eligible for digitally signing the document in question (in this case, an e-Apostille).
The Competent Authority simply selects his or her digital certificate and then clicks a "Sign" button to digitally sign the document. In Acrobat, a digital signature renders a PDF document tamper-evident such that any subsequent changes to the document will be evident in the document itself. The changes can be investigated to determine whether or not they were authorized changes.
In Microsoft® Word 2007, however, a digital signature by default renders the document tamper-resistant such that the document cannot be modified or edited in any way without removing the digital signature entirely.
3.10 How does the recipient of an e-Apostille verify its origin, including the current status of a Competent Authority's digital certificate?
An interested person has two options to verify the origin of an e-Apostille he or she has received:
- by accessing the e-Register (if applicable) of the Competent Authority which supposedly issued the e-Apostille (see FAQ 4.4); and/or
- by verifying the status of the digital certificate of the Competent Authority which supposedly issued the e-Apostille.
The following explanations address the second option only; they refer to the process as it is designed in Adobe PDF documents.
The recipient of an e-Apostille may click the digital signature field of the document; this will open a dialog box that enables the recipient to verify that
a) the digital certificate was issued by a particular Certificate Authority,
b) that the digital certificate has not expired, and
c) that the digital certificate has not been revoked.
In Adobe Reader version 8.0, for example, the recipient should take the following steps to verify the origin and current status of a digital certificate:
1) Click the Competent Authority's digital signature.
2) Click the Signature Properties button.
3) Click the Show Certificate button.
The Certificate Authority that issued the digital certificate will appear as the first Certificate Authority in the certification path to the left of the dialog box. This basic information enables an interested person to verify the origin of the digital certificate.
The expiration date of the certificate will appear in the "Valid from" and "Valid to" date fields on the Summary tab.
The revocation status of the digital certificate (i.e., whether or not the digital certificate has been revoked) will appear on the Revocation tab.
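The checks a) to c) above can also be run outside Adobe Reader. The following is an added example, not part of the original FAQ or of any e-APP tooling: it uses the Python `cryptography` package on a constructed test CA, test certificates and a test CRL, and the names "Example CA", `issue`, `make_crl` and `check` are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW, DAY = datetime.now(timezone.utc), timedelta(days=1)
name = lambda cn: x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)])
# cryptography >= 42 exposes *_utc properties; older releases return naive UTC datetimes
_utc = lambda o, a: getattr(o, a + "_utc", None) or getattr(o, a).replace(tzinfo=timezone.utc)

def issue(signing_key, start, end, subject="Competent Authority", pub=None):
    """Constructed test certificate issued under the name "Example CA"."""
    pub = pub or ec.generate_private_key(ec.SECP256R1()).public_key()
    return (x509.CertificateBuilder().subject_name(name(subject))
            .issuer_name(name("Example CA")).public_key(pub)
            .serial_number(x509.random_serial_number()).not_valid_before(start)
            .not_valid_after(end).sign(signing_key, hashes.SHA256()))

def make_crl(ca_cert, ca_key, serials):
    """CRL signed by the CA that lists the given serial numbers as revoked."""
    crl = x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
    crl = crl.last_update(NOW - DAY).next_update(NOW + 7 * DAY)
    for serial in serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial)
        crl = crl.add_revoked_certificate(entry.revocation_date(NOW - DAY).build())
    return crl.sign(ca_key, hashes.SHA256())

def check(cert, ca_cert, crl, at=NOW):
    """Return (issued_by_ca, within_validity, not_revoked): checks a), b) and c)."""
    ca_pub = ca_cert.public_key()
    issued = cert.issuer == ca_cert.subject  # a) the issuer name matches ...
    try:  # ... and the CA's key really produced the signature on the certificate
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        issued = False
    valid = _utc(cert, "not_valid_before") <= at <= _utc(cert, "not_valid_after")  # b)
    # c) rely on the CRL only if the same CA signed it and it is still current
    crl_ok = crl.is_signature_valid(ca_pub) and at <= _utc(crl, "next_update")
    listed = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return issued, valid, crl_ok and listed is None

ca_key = ec.generate_private_key(ec.SECP256R1())  # constructed test CA, not a real one
CA = issue(ca_key, NOW - DAY, NOW + 3650 * DAY, "Example CA", ca_key.public_key())
good, revoked = (issue(ca_key, NOW - DAY, NOW + 365 * DAY) for _ in range(2))
expired = issue(ca_key, NOW - 400 * DAY, NOW - 35 * DAY)
impostor = issue(ec.generate_private_key(ec.SECP256R1()), NOW - DAY, NOW + 365 * DAY)
CRL = make_crl(CA, ca_key, [revoked.serial_number])
```

`check(good, CA, CRL)` passes all three checks, while `expired`, `revoked` and `impostor` each fail exactly one; a CRL past its next-update time is treated as no proof of good standing.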
The following comments address the particular situation where the recipient of an e-Apostille verifies the digital certificate of a Competent Authority for the first time:
“When a recipient of an e-Apostille verifies the digital signature of a Competent Authority for the first time, Adobe is likely to display a "question mark" message on the digital signature (it should however be noted that previous Adobe versions displayed an "Unknown" message).
In the PDF environment, a recipient of a digitally signed document must deliberately add the signer's digital certificate to his or her list of trusted identities in Adobe Reader (or Standard or Professional). This process ensures that the recipient of the document has the option to trust or not trust a particular signer's digital certificate. In other words, Adobe has designed its software so that it does not automatically trust the digital certificates but rather requires the end user to choose to trust a digital certificate.
This simple security protocol encourages the document recipient to independently verify the authority and identity of the sender of the document. The recipient can do this by contacting (e.g. by telephone or (e-)mail) the Competent Authority which (supposedly) signed the e-Apostille and asking if they did actually sign the relevant e-Apostille. The recipient may also contact the Certificate Authority whose name appears in the certification path; this may again be done by telephone or (e-)mail, or (if applicable) by accessing its public key register on-line and verifying the origin of the certificate. A Certificate Authority will generally maintain a publicly accessible web page or provide contact information on their web site for such a purpose. For example, if an interested person wants to verify the revocation status of a certificate issued by GeoTrust, he or she could view the CRL at the following URL: http://www.geotrust.com/resources/crls/index.asp. And if an interested person wanted to verify the revocation status of a certificate issued by TC Trust Center, he or she could view the CRL at the following URL: http://www.trustcenter.de/cgi-bin/CRL.cgi?Language=en.
Generally, however, it is easier to verify the authority and identity of the sender's digital certificate by calling the Competent Authority (contact details of most Competent Authorities are available on the "Apostille Section" of the Hague Conference's web site at www.hcch.net).
Once satisfied with the verification process, the recipient then follows the steps described below to recognise and trust the digital certificate in the document signed by that sender. This process of recognising and trusting the digital certificate need only be completed once, as any future documents digitally signed by that sender's certificate will automatically be recognised and trusted by the receiver's Adobe software.
In Adobe Reader/Standard/Professional versions 7.0 and 8.0, for example, the recipient should take the following steps to add a sender's digital certificate to the recipient's list of trusted identities:
1) Click the digital signature.
2) Click the Signature Properties button in the Signature Validation Status dialog box.
3) Click the Show Certificate button on the Summary tab in the Signature Properties dialog box.
4) Click the Trust tab.
5) Click the Add to Trusted Identities button.
6) Click the OK button.
7) In the Import Contact Settings dialog box, check the appropriate Trust Settings checkboxes to trust the digital certificate. It is recommended that the user select only the first checkbox for "Signatures and as a trusted root".
Further and more detailed information about this process can be reviewed online in Preliminary Document 18 on the www.e-app.info web site (http://www.e-app.info/documents/prel_doc_18.pdf).