In this article we’ll explain why you need a proper solution for the preservation of digital signatures. This is of course not necessary for all digital signatures, that’s why we’ll start with explaining the differences between the different types of digital signatures.
1. What Is A Digital Signature?
In simple words, the digital equivalent of your signature.
Not as simply put: A digital signature is a valuable security technique based on a mathematical scheme that can verify digital messages or documents.
It enables proving:
- Who signed off or approved the information (User authentication)
- That the information has not changed since signing (Data integrity)
From the technical point of view, a digital signature is a code created using a public-key infrastructure (PKI) —a two-key asymmetric cryptosystem to achieve high-level information confidentiality and encryption. The two keys—a private and a public one—are the two main pieces that facilitate this secure data management.
There are three types of digital signatures:
- Simple—does not require any identity verification from the signer (the thing you know from your delivery service)
- Advanced—issued by certification authorities to require identity verification from the signer
- Qualified electronic Signatures (QeS)—ideal for high-risk environments where the consequences of a security failure could be devastating
Note: Be aware that the terminology used in the EU is Electronic Signature.
2. Problems With Digital Signatures And Their Preserving
Governmental administrations, businesses, and individuals have documents of which they are expected to preserve them. These letters, records of transactions, bills, contracts, and other documents have a retention period and are used to prove their rights.
These may be later used as evidence when a dispute over a transaction such as decay and attempts to modify the information on records arise.
But due to technological progress, preservation of digital signatures (and other documents for that matter) be regarded as reliable for more than about ten years when using basic storage techniques or using a Document Management System.
So, in theory, no matter how long and complicated the digital signature is today, there will come a day when it will be possible to ‘break the code’ it is based on and therefore to ‘fake’ this signature—and document. Of course, for documents that have been signed years ago, that is already the case today.
This fact brings several challenges connected to the preservation of digital documents and signatures:
- Time-limited verification. Basic digital signatures are only shown (and accepted) as valid for the certificate’s lifetime—usually one or two years. Therefore, they are not sufficient for business documents that need to be verifiable for several years.
- This includes the lifetime of the storage medium, keys and certificates used, signing method, document, signature, and certificate formats, and the lifetime of (trusted and other) actors involved.
- Expired digital certificates. Let’s say a user has signed a document with his/her valid certificate. But once the signer’s digital certificate is expired it can not be validated = it can not be trusted.
- Technological progress. A digital signature is highly dependent on the technology it was created. Since technology advances rapidly, it is inevitable that digital signatures will change as quickly. Otherwise, they will lose their functionality.
Verification of a digital signature should be based on the time the document was signed, and not on the current time.
If the certificate was valid at the time of signing, then the signature holds, even if the latter certificate is expired or revoked.
But relying on what the signer states at the time of signing is not sufficient proof.
How you should overcome these issues, is a subject for our next newsletter so don’t forget to subscribe.