The Belgian government has deployed a digital procurement service that allows Belgian and foreign companies to submit offers to tenders and sign documents electronically. This e-signature system is based on a platform developed internally by the Belgian Federal ICT Department (Fedict) and is paired with the Belgian eID. An optional system relies on open source software developed by the European Commission, named DSS (Digital Signature Service).
In 2001, the Belgian Council of Ministers validated the concept of an electronic identity card. This “eID” is now the legal form of identity for every citizen in Belgium. In 2004, a nationwide rollout was decided. As of 2009, all newly issued ID cards delivered in Belgium are eID cards. The eID card is based on a microchip that contains the ID elements (name, address, etc.) and two digital certificates: a signature certificate that allows the ID holder to sign legal documents electronically; and an authentication certificate, which can be used to confirm the identity on websites and other online services.
In 2001, Belgium adopted European Directive 1999/93/CE, which defines a legal framework for e-signature in Europe and for the attribution of certificates. Since then an e-signature has had the same legal value as a handwritten signature. Belgian citizens can sign legal documents and files with the signature certificates contained in their eIDs.
Following a decision of the European Commission in 2004, which allowed the use of e-Procurement functionalities for EU contracting authorities, Belgium started to digitise the public procurement process in 2005. E-procurement aims to increase competition in public tenders, enhance transparency and simplify procurement processes. The Belgian e-procurement system comprises multiple Web applications, including an e-notification system allowing administrations to publish their offers, an e-auction system for inverse auctions, and an e-tendering platform through which companies can respond online to calls for tender. The e-tendering platform includes a digital signature system (DSS). “The call for tender is published on the e-notification platform. A directory is then created in the e-tendering platform in which companies can submit their offers,” says Roel Arys, former project leader on the submission application. After being signed with qualified certificates and a secure tool, the offer must then be validated.
In 2005, the Belgian government decided to create a massive e-procurement programme to assist administrations in publishing their calls for tender, and help private companies respond to these calls. The e-tendering platform is part of this programme.
One of the main challenges was to secure an e-signature system that certified companies’ offers. Above all, this system should be accessible to all companies, whether or not the owner of the company has an eID. The government’s e-procurement department deployed a combination of web services based on two platforms: a digital signature service (DSS) developed by Fedict (a government agency dedicated to IT and IT support of administrations); and an open source DSS system developed by the European Commission.
“On the e-tendering system, companies can upload their documents to a repository and then create a submission report. This report compiles data on the companies and the tender they are responding to, and information on the submitted documents. Finally this report must be signed,” Roel Arys explains.
i. eID Signature
The e-procurement service has translated several use cases into Web services. First, a company can sign with the eID of its owner. This first method is based on the DSS system developed by Fedict. “Most of the companies that are submitting offers are from Belgium or have a subsidiary in Belgium. The owner can thus sign the submission report (XML format) with their eID,” Roel Arys says. The company needs to enter the PIN number associated with the owner’s eID card, and then to upload the signed report into the Web service.
But an owner can also give the submission rights to a group of users. All of them (once the rights have been accepted) will share the same working space on the e-tendering platform. Each of them can then sign the same offer, Sandro Di Venti, the current project leader for e-tendering, added. “Moreover, in the application, there is no control between the user who submits an offer and the certificate used to sign the offer. Once the dossier is opened, the Contracting Authority must validate the certificate,” he said. A company's lawyer can therefore also sign an offer.
ii. e-Token signature
Alternatively, companies can buy certificates or e-tokens from a certified supplier, of which one is based in the Netherlands. Certificate providers have to comply with the requirements of the Belgian regulation. E-tokens are stored on USB keys. Companies can then upload their submission reports through an applet developed internally by the e-procurement service. This applet is directly integrated in the e-tendering platform. “Originally, this applet was designed to work with both eID and e-tokens, but when Fedict deployed its own DSS service, this proved to be much more efficient for eID,” explains Sandro Di Venti. Now the applet only supports signatures with e-tokens.
iii. An open e-signature system called “Third party”
The third option is for companies that have no eID and no e-token. “They can download their submission report in an XML format and sign it with their own certificate and their own tools, before uploading it into the e-tendering platform,” Roel Arys explains. Nevertheless, the XML format of the signature must be supported. “Companies can obtain the submission report, sign it and upload it on the e-tendering system,” Sandro Di Venti adds. This is the most open of the three e-signature methods.
iv. An optional e-signature option
Lastly, another option has been deployed to assist users of the third e-signature method, Sandro Di Venti adds. “We have launched the website based on the DSS system developed by the EU,” he explains. EU's DSS allows companies to sign their submission reports, “but the whole system can run without it, using the third alternative,” he explains. This website is seen as a support for the main e-signature system, and is external to e-tendering, notes Sandro Di Venti. He adds that the e-tendering helpdesk can direct companies who have no tool to this last website.
The system is also used as a backup when the primary system, based on Fedict's DSS, is unavailable. All traffic switches to the secondary system until the primary system is repaired.
A hosted Fedict Web Service
The DSS system developed by Fedict is hosted on a public portal, sign.belgium.be. “All types of documents can be signed. E-signature is integrated into the document (ODT, or Microsoft Docx, for example). When an XML document is signed with an eID card, a new XML document is created that includes the signature. The signature is based on the European standard format XAdES-X-L,” says Fedict CTO Peter Strickx. “For non-XML documents, like PDF, an archive (Zip) file is created containing the original document to be signed plus a file that contains the XML signature.”
But Sandro Di Venti says the e-tendering platform uses an interface (a Webservice) that sends the XML submission report directly to the hosted DSS service. The Zip archive is not used by the e-tendering system because the exchange format is always XML.
The e-Tendering platform doesn’t sign PDF files at all, Sandro Di Venti said. The two methods (the one with eID and the one with eToken) sign only XML files. The “Third Party” option provides an XML file. It must be signed outside the e-Tendering platform, he added.
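As an added illustration (not code from Fedict, the e-Tendering platform or the EU's DSS), the following sketch shows a structural pre-check a receiving service could run on an uploaded XML report: does it carry an XML signature, and which XAdES level do its unsigned properties indicate, up to the XAdES-X-L level mentioned above. It performs no cryptographic validation, and the `SubmissionReport` element name and the sample documents are constructed assumptions.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"

# Unsigned properties each XAdES level adds on top of the previous one.
# Each inner set lists alternatives; one of them must be present.
LEVELS = [
    ("XAdES-T", [{"SignatureTimeStamp"}]),
    ("XAdES-C", [{"CompleteCertificateRefs"}, {"CompleteRevocationRefs"}]),
    ("XAdES-X", [{"SigAndRefsTimeStamp", "RefsOnlyTimeStamp"}]),
    ("XAdES-X-L", [{"CertificateValues"}, {"RevocationValues"}]),
]

def xades_level(xml_bytes):
    """Return the structural level of the first signature, or None if unsigned."""
    if b"<!DOCTYPE" in xml_bytes:
        # Uploaded reports have no need for a DTD; refuse before parsing.
        raise ValueError("DOCTYPE not allowed in uploaded reports")
    root = ET.fromstring(xml_bytes)
    sig_tag = f"{{{DS}}}Signature"
    sig = root if root.tag == sig_tag else root.find(f".//{sig_tag}")
    if sig is None:
        return None
    if sig.find(f".//{{{XADES}}}SignedProperties") is None:
        return "XMLDSig"  # plain XML signature without XAdES properties
    level = "XAdES-BES/EPES"
    unsigned = sig.find(f".//{{{XADES}}}UnsignedSignatureProperties")
    present = set() if unsigned is None else {c.tag.split("}")[-1] for c in unsigned}
    for name, required in LEVELS:
        if not all(alternatives & present for alternatives in required):
            break  # a level only counts if every lower level is complete
        level = name
    return level

def sample_report(unsigned_props):
    """Constructed sample: signature structure only, no real digests or keys."""
    props = "".join(f"<x:{p}/>" for p in unsigned_props)
    return (f'<SubmissionReport><ds:Signature xmlns:ds="{DS}" xmlns:x="{XADES}">'
            "<ds:SignedInfo/><ds:SignatureValue/><ds:Object><x:QualifyingProperties>"
            "<x:SignedProperties/><x:UnsignedProperties><x:UnsignedSignatureProperties>"
            f"{props}</x:UnsignedSignatureProperties></x:UnsignedProperties>"
            "</x:QualifyingProperties></ds:Object></ds:Signature>"
            "</SubmissionReport>").encode()

FULL = ["SignatureTimeStamp", "CompleteCertificateRefs", "CompleteRevocationRefs",
        "SigAndRefsTimeStamp", "CertificateValues", "RevocationValues"]

if __name__ == "__main__":
    print(xades_level(sample_report(FULL)))
    print(xades_level(b"<SubmissionReport/>"))
```

A report that passes this check still needs full signature and certificate validation, which the page assigns to the Contracting Authority once the dossier is opened.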
A DSS Service developed by the European Commission
According to the website of this EU tool, “DSS provides all the functionalities for the creation and validation of e-signatures. For validation, the software relies on the information in MS trusted lists of certification service providers issuing qualified certificates (established in accordance with Decision 2009/767/EC).”
The two open source DSS solutions exemplify different approaches: Fedict's DSS has a server-based architecture, whereas EU's DSS is more client-oriented. “The server architecture of Fedict’s solution is very lightweight,” notes Peter Strickx of Fedict. “When a document is signed, only a small applet – 2 or 3 megabytes – is loaded on the client. All the workloads run on the server. The EU's DSS model was developed to run on the client, where it downloads several tens of megabytes. It can be useful for signing confidential documents that need to stay inside the company’s infrastructure.”
Fedict's DSS has been prioritised over EU's DSS because the Belgian government agency is supporting it. “Fedict is adapting solutions to IT environments that are continually evolving. With EU's DSS, we have no support and we are doing it on our own,” Roel Arys explains. Fedict provides the right web services for exchanging data and also maintaining it.
In fact, one of the main disadvantages of EU's DSS is that the EU provides a software foundation but does not support it. “The administration which uses the solution has to support it internally and allocate resources for that. But, we want to use (web)services, not just software,” Roel Arys adds. Today, the alternative service powered by the EU's DSS is not supported by the e-Tendering team. “Supporting it would have been too costly [for such low traffic],” he said.
But because EU's DSS is a free and open source solution developed by the EU, the team has been able to deploy a system at no charge to support an alternative solution with low traffic. “The system is only for 2% of companies, because 98% of companies sign their submission reports with their eID cards and Fedict's DSS.”
Sandro Di Venti said that the integration of Fedict's DSS into the e-Tendering platform cost about EUR 20 000. The EU's DSS deployment was carried out by the platform's operational e-Tendering team. The solution was installed on a single server. No cost has been associated with it, as EU's DSS is a free and open source solution.