Qualified Preservation of Digital Signatures

This text is dedicated to Chief Technical Officers, digital archives managers, and IT operations managers in commercial businesses, financial and law institutions, and government organizations responsible for digital heritage preservation.


The main goal of this text is to explain the functions of digital signing and enlighten the importance and means of its preservation. Based on these explanations, the personnel mentioned above should be ready to suggest, present, and help choose a suitable way of preserving digital signatures.


1. What Is A Digital Signature?


A digital signature is a valuable security technique based on a mathematical scheme that can verify digital messages or documents. It enables proving:

  • Who signed off or approved the information (User authentication)
  • That the information has not changed since signing (Data integrity)


From the technical point of view, a digital signature is a code created using a public-key infrastructure (PKI) —a two-key asymmetric cryptosystem to achieve high-level information confidentiality and encryption. The two keys—a private and a public one—are the two main pieces that facilitate this secure data management.


There are three types of digital signatures:

  • Simple—does not require any identity verification from the signer
  • Advanced—issued by certification authorities to require identity verification from the signer
  • Qualified electronic signatures—ideal for high-risk environments where the consequences of a security failure could be devastating


2. Digital Signature vs. Electronic Signature


The two terms are frequently though incorrectly used as synonyms. Digital signatures are often utilized to implement electronic signatures (which includes any electronic data that carries the intent of a signature), but not all electronic signatures actually use digital signatures.


Electronic signature (e-Signature) is a more simple process resulting in, e.g., a handwritten signature transformed into a digital form to be used on a digitally-based document. For example, it is an electronic symbol attached to a contract and used by a person with the intent to sign.


A digital signature, on the other hand, is authorized by certification. It is a guarantee that an electronic document is authentic, carrying important information within.


Electronic signature

  • Is used to verify the document
  • Is commonly not authorized and cannot be verified
  • Is mostly a digitized handwritten signature, sound, or a tick


Digital signature

  • Is used to secure the document
  • Is authorized by certification authorities and can be verified
  • Is more secure and has a higher authenticity level than e-Signature


All digital signatures are electronic, but not all electronic signatures are digital. A digital signature is verifiable and authorized by a trusted third party (certification authority). Both electronic and digital signatures are legally binding, but the digital signature is preferred—it is more secure and ready for the digital age.


3. Problems With Digital Signatures And Their Preserving


Governmental administrations, businesses, and individuals are expected to preserve the letters, records of transactions, bills, contracts, and other documents which prove their rights. These may be later used as evidence when a dispute over a transaction such as decay and attempts to modify the information on records arise.


But due to technological progress, the storage cannot be regarded as reliable for more than about ten years. So, in theory, no matter how long and complicated the digital signature is today, there will come a day when it will be possible to ‘break the code’ it is based on and therefore to ‘fake’ this signature—and document. This fact brings several challenges connected to the preservation of digital documents and signatures:

  • Time-limited verification. Basic digital signatures are only shown (and accepted) as valid for the certificate’s lifetime—usually one or two years. Therefore, they are not sufficient for business documents that need to be verifiable for several months or years.

    This includes the lifetimes of the storage medium, keys and certificates used, signing method, document, signature, and certificate formats, and the lifetime of (trusted and other) actors involved.

  • Out of expiry digital certificates. Let’s say a user has signed a document with his/her valid certificate. But once the signer’s digital certificate is out of expiry, it can not be validated = it can not be trusted.
  • Technological progress. A digital signature is highly dependent on the technology it was created. Since technology advances rapidly, it is inevitable that digital signatures will change as quickly. Otherwise, they will lose their functionality.


Verification of a digital signature should be based on the time the document was signed, and not on the current time. If the certificate was valid at the time of signing, then the signature holds, even if the latter certificate is expired or revoked. But relying on what the signer states at the time of signing is not sufficient proof. To overcome this problem of verifying signatures after a few months or years, the basic signature needs to be enhanced to what is called a long-term digital signature.


4. Legal Framework


The solution to the above-mentioned problems is represented by providing authenticity, integrity, and then trust for all the preserved records. Importantly, it is much less costly than re-signing and updating the digital signatures with the progress of digital technology.


The need for long-term preservation is acknowledged amongst others in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market [i.2], as can be seen in recital (61):


“This Regulation should ensure the long-term preservation of information to ensure the legal validity of electronic signatures and electronic seals over extended periods and guarantee that they can be validated irrespective of future technological changes.“


In general, qualified preservation of digital signatures is implemented in the EU and worldwide laws, standards, and regulations. The most common and proven standards are the following:

  1. ETSI TS 119 511
    Policy and security requirements for trust service providers providing long-term preservation of digital signatures or general data using digital signature techniques.
  2. ETSI EN 319 401
    Electronic signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers.
  3. eIDAS Regulation
    Article 34: Qualified preservation service for qualified electronic signatures
    Article 40: Validation and preservation of qualified electronic seals


The strength and suitability of cryptographic mechanisms on which the digital signatures are based is a function of time. One needs to apply suitable preservation mechanisms, able to maintain the validity status of a signed object over long periods. To gain and keep the trust in digital actions—such as digital signing—trust service providers work with worldwide accepted certifications and standards.


5. Main Benefits And Functions Of Digital Signature Preservation


By preserving digital signatures, we not only keep the signature itself but, more importantly, the content within the signature container. This main goal is achieved by the following functions and brings the following benefits.


Functions:

  • Proof of the existence of general data
  • Preservation of signatures and associated signed data
  • Augmentation of evidence sent to preservation service (useful for moving data from one service to another)


Benefits:

  • Extending the trustworthiness of the qualified electronic signature beyond the technological validity period
  • Security guaranteed by Public-key cryptography, Certificate authority validation, and Trust service provider validation
  • Global business acceptability—more and more businesses accept or even work only with digital signatures
  • Timestamping—is crucial in clarifying the order of events


Digital preservation is ensuring that digitized and/or born-digital objects and records remain findable, accessible, and usable over time and technological progress. It is the main difference between data backup and data preservation. The preservation focuses on providing long-term access to digital objects.


6. Types of storage


There are three main types (models) of preserving digital signatures renowned by official standards.

  1. Preservation services with storage. Data is stored by the preservation service, while the evidence and the preserved data are delivered upon request by the preservation service to the preservation client.
  2. Preservation services with temporary storage. Data is stored on the client’s side. The preservation service keeps the data only temporarily. Once the evidence is produced, it is stored for some time so the client can retrieve it.
  3. Preservation services without storage. Data is stored on the client’s side. The preservation service only keeps traces of its actions to be able to provide records of its activities.


7. Conclusion


A digital signature is a generally accepted technique for verifying documents, transactions, and online operations by proving data integrity and user authentification. Your business or organization is probably already using digital signatures (or some form of electronic signatures) in your daily operations.


However, several challenges pop up without the proper preservation of digital signatures: technological progress making it impossible to read signatures on obsolete technologies; signature certificate expiration or revoke.


A solution to these challenges is the preservation of digital signatures using the services of third-party companies operating with worldwide accepted certifications and standards. Like this, long-term digital signatures remain findable, accessible, and usable. In addition, and most importantly, they will be able to maintain the validity status of a signed object over time.

Docbyte

Kortrijksesteenweg 1144 B

9051 Gent

Belgium

VAT: BE0880119503

Phone: +32 9 242 87 30

GDPR

Docbyte is Certified.

ISO27001