Looking for a solution: trusted identity with corresponding digital signatures (QES) for intercontinental charity

Çağlar Arlı

We are looking for a solution to meet the needs of a UK incorporated charity (CIO) that has three to seven trustees from at least three continents.

Obligations as trustees of a board include signing (by a quorum of the trustees):

  • minutes of trustee meetings and AGMs
  • annual accounts
  • decisions and press releases
  • deeds (e.g. of retirement and appointment)
  • contracts (e.g. bank accounts and employment contracts)
  • and registers (what happened / didn't happen, etc).

While there's been lots said about eIDAS, our experience (with other charities) has been rather less exciting: our experience has been that, despite eIDAS, every solicitor we've had to deal with has expected QES (or insisted upon a paper-based identity process) despite many saying things like "there are no documents that require use of Qualified Electronic Signatures in the UK". Even more so, we are aware that the Land Registry really doesn't accept electronic/digital signatures at all (unless you are a registered conveyancer).

If we had no prior experience, we wouldn't be aware of the issues at all, but having been embroiled in an investigation as to who was present at a meeting of another charity; who signed the minutes, and who did not - it became clear that we definitely need to establish both identity and corresponding signatures tied to that identity.

Here's the kicker: I'm looking for a non-commercial approach in order to spend as little money as possible.

We cannot feasibly use snail mail to garner signatures (though we could do that with establishing identities).

If we manage to gather proof of identity (using all the normal hard-copy tricks of having a notary sign that the copy is a genuine copy, etc), then use some method to provide a secure chain (via some form of certificate) of those identities, and then we use that to generate a set of related certificates, could we not therefore have something which says "this person has signed this document, given that they have (1) a private key that is directly dependent upon (2) the certificate against these documents which have been uniquely identified as being who they say they are"?

... I guess I'm asking, is it possible to hand-roll an identity/digital signature service, bearing in mind that the purpose of this is only to be able to prove identity internally, or if required by legal?

... Otherwise, is there a methodology or approach which isn't so commercially out of reach that we can afford it?

I’m really looking for guidance - like a guide, and mechanism(s) for this. I’m not so interested in COTS - but wouldn’t reject it out of hand. For the sake of the question - I’m looking for ideas and approaches rather than adverts or commercial service recommendations.
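
The chain the question describes (notarised identity, an internal certificate authority, one certificate per trustee, signatures counted toward a quorum), sketched with the OpenSSL command line as an added example that is not part of the original post. The function names, subject names and file layout are assumptions, and a self-run CA like this gives internal evidence of who signed which bytes; it does not make the signatures QES, which needs a qualified trust service provider.

```shell
#!/bin/sh
# Added illustration; every name, subject and path here is constructed.

# make_ca DIR: internal root CA. Whoever holds ca.key decides who is a trustee,
# so it is used only after the notarised identity papers have been checked.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example CIO/CN=Trustee Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue DIR NAME: the trustee generates a key and CSR; the CA signs the CSR.
# (In practice the .key never leaves the trustee; one DIR is used for brevity.)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example CIO/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/$2.pem" 2>/dev/null
}

# sign_doc DIR NAME DOC: detached CMS signature over the exact bytes of DOC,
# written next to it as DOC.NAME.sig.
sign_doc() {
    openssl cms -sign -binary -md sha256 -in "$3" -signer "$1/$2.pem" \
        -inkey "$1/$2.key" -outform PEM -out "$3.$2.sig" 2>/dev/null
}

# count_signers CAFILE DOC SIG...: prints how many distinct certificates that
# chain to CAFILE have a valid signature over DOC. Signatures that fail (wrong
# bytes, unknown issuer) are skipped; a repeated signer is counted once.
count_signers() {
    ca=$1; doc=$2; shift 2
    tmp=$(mktemp)
    for sig in "$@"; do
        if openssl cms -verify -binary -inform PEM -in "$sig" -content "$doc" \
            -CAfile "$ca" -no-CApath -signer "$tmp" -out /dev/null 2>/dev/null
        then
            openssl x509 -in "$tmp" -noout -fingerprint -sha256
        fi
    done | sort -u | wc -l | tr -d ' '
    rm -f "$tmp"
}
```

A quorum check is then a comparison of the `count_signers` output against the number the constitution requires, run against the archived minutes and their `.sig` files.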