ADSS SAM Appliance
Overview
The ADSS SAM Appliance delivers Signature Activation Module capabilities for secure, standards-compliant remote signing. It is evaluated to Common Criteria EAL4+ against EN 419 241-2, providing the certified QSCD (Qualified Signature Creation Device) foundation required for eIDAS-compliant qualified electronic signatures and seals.
Unsung implements ADSS SAM Appliance for UK customers that need to deliver qualified remote signing services or meet high-assurance digital signing requirements in regulated environments.
The Challenge
Creating qualified electronic signatures under eIDAS requires that signing keys are generated and used within a Qualified Signature Creation Device. Traditionally this meant physical smart cards or USB tokens held by individual signatories — an approach that does not scale for remote working, automated workflows, or high-volume transactions.
Remote signing solves this by centralising signing keys within a certified HSM, but the signature activation process itself must also meet specific standards to ensure that the signatory maintains sole control over their signing key. Without a certified Signature Activation Module, organisations cannot claim their remote signing service meets qualified signature requirements.
What It Does
The ADSS SAM Appliance provides the certified signature activation layer between the signatory and the HSM-protected signing keys. It implements the Signature Activation Protocol to ensure sole control at SCAL2 (Sole Control Assurance Level 2), verifying the signatory's authorisation before activating the signing key for each individual signature operation.
The appliance works alongside HSMs such as Thales Luna for key protection and integrates with SigningHub and ADSS Signing Server to provide the complete remote signing stack. It supports the Cloud Signature Consortium API for interoperability with third-party signing applications and eID wallets. The Common Criteria EAL4+ certification against EN 419 241-2 provides the independently verified assurance that trust service providers and regulated organisations require.
How Unsung Helps
Implementing a qualified remote signing service involves multiple components — HSM infrastructure, signature activation, certificate authority, and the signing application itself. Unsung brings these together, helping clients design and deploy the complete trust architecture. Our experience with hardware security modules and PKI design and build ensures each component is properly integrated and configured for the required assurance level.
Related Unsung Services
Hardware Security Modules — HSM deployment and integration for cryptographic key protection.
PKI Design & Build — End-to-end design and implementation of trust service architectures.
PKI Consultancy — Guidance on trust service compliance frameworks and qualified signature requirements.
