Digital transactions and communications bring many uncertainties regarding the legal status and authenticity of documents. The concept of digital signatures plays a vital role in ensuring authenticity, integrity, and security. Currently, many legislations define procedures to ensure the legality and authenticity of online procedures.
What is a Digital Signature?
A digital signature is a valuable security technique based on a scheme that can verify digital messages or documents. It enables proving:
- Who signed off or approved the information (User authentication)
- That the information has not changed since signing (Data integrity)
From the technical point of view, a digital signature is a code created using a public-key infrastructure (PKI) —a two-key asymmetric cryptosystem to achieve high-level information confidentiality and encryption. The two keys—private and public—are the two main pieces facilitating this secure data management.
There are three types of digital signatures:
- Simple—does not require any identity verification from the signer
- Advanced—issued by certification authorities to require identity verification from the signer
- Qualified electronic signatures—ideal for high-risk environments where the consequences of a security failure could be devastating
Why Digital Signatures Matter
Digital signatures preserve the integrity of documents and transactions in several ways:
- Authentication: They verify the signer’s identity, ensuring that the document comes from a trusted source.
- Integrity: They confirm that the content has not been altered or tampered with after signing it.
- Non-Repudiation: Signers cannot deny signing the document, providing legal validity and accountability.
Problems With Digital Signatures And Their Preserving
Governmental administrations, businesses, and individuals must preserve the letters, transaction records, bills, contracts, and other documents that prove their rights. These may later be used as evidence when a dispute over a transaction arises, such as decay and attempts to modify the information on records. However, due to technological progress, storage cannot be regarded as reliable for more than about ten years.
So, in theory, no matter how long and complicated the digital signature is today, there will come a day when it will be possible to ‘break the code’ it is based on and, therefore, to ‘fake’ this signature—and document. This fact brings several challenges connected to the preservation of digital documents and signatures:
Time-limited verification.
- Digital signatures are only shown (and accepted) as valid for the certificate’s lifetime—usually one or two years. Therefore, they are insufficient for business documents that must be verifiable for several months or years.
- This includes the lifetimes of the storage medium, keys and certificates used, signing method, document, signature, and certificate formats, and the lifetime of (trusted and other) actors involved.
Out-of-expiry digital certificates.
- Let’s say a user has signed a document with his/her valid certificate. But once the signer’s digital certificate expires, it can no longer be validated = it can not be trusted.
Technological progress.
- A digital signature is highly dependent on the technology it was created. Since technology advances rapidly, digital signatures will inevitably change as quickly. Otherwise, they will lose their functionality.
Validation of a digital signature should be based on the time the document was signed, not on the current time. If the certificate was valid at the time of signing, the signature holds, even if the certificate has expired or been revoked.
However, relying on what the signer states at the time of signing is not sufficient proof.
The Role of Qualified Digital Certificates
A qualified digital certificate is often required for a digital signature to be considered valid and legally binding. According to eIDAS (the Electronic Identification and Trust Services Regulation), a qualified certificate meets specific standards and requirements, ensuring its reliability and authenticity following European regulations.
Legal Framework
The solution to the problems as mentioned earlier is represented by providing authenticity, integrity, and then trust for all the preserved records.
Importantly, it is much less costly than re-signing and updating the digital signatures with the progress of digital technology.
The need for long-term preservation is acknowledged amongst others in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market [i.2], as can be seen in recital (61):
“This Regulation should ensure the long-term preservation of information to ensure the legal validity of electronic signatures and electronic seals over extended periods and guarantee that they can be validated irrespective of future technological changes.“
In general, qualified preservation of digital signatures is implemented in the EU and worldwide laws, standards, and regulations. The most common and proven standards are the following:
- ETSI TS 119 511
Policy and security requirements for trust service providers providing long-term preservation of digital signatures or general data using digital signature techniques. - ETSI EN 319 401
Electronic signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers. - eIDAS Regulation
Article 34: Qualified preservation service for qualified electronic signatures
Article 40: Validation and preservation of qualified electronic seals
The strength and suitability of cryptographic mechanisms on which the digital signatures are based is a function of time. One needs to apply suitable preservation mechanisms, able to maintain the validity status of a signed object over long periods. To gain and keep the trust in digital actions—such as digital signing—trust service providers work with worldwide accepted certifications and standards.
Key Components of a Qualified Digital Certificate
A qualified digital certificate typically includes:
- Details about the certificate holder, such as name and organization. It’s important to identify and verify the signer.
- A cryptographic key that pairs with the private key used to create the digital signature.
Main Benefits And Functions Of Digital Signature Preservation
By preserving digital signatures, we keep the signature itself and, more importantly, the content within the signature container. This main goal is achieved by the following functions and brings the following benefits.
Functions:
- Proof of the existence of general data
- Preservation of signatures and associated signed data
- Augmentation of evidence sent to preservation service (useful for moving data from one service to another)
Benefits:
- Extending the trustworthiness of the qualified electronic signature beyond the technological validity period
- Security is guaranteed by Public-key cryptography, Certificate authority validation, and Trust service provider validation.
- Global business acceptability—more and more businesses accept or even work only with digital signatures
- Timestamping—is crucial in clarifying the order of events
Digital preservation ensures that digitized and/or born-digital objects and records remain findable, accessible, and usable over time and technological progress. It is the main difference between data backup and data preservation. The preservation focuses on providing long-term access to digital objects.
Types of storage
There are three main types (models) of preserving digital signatures renowned by official standards.
- Preservation services with storage. The preservation service stores data, while the evidence and the preserved data are delivered upon request by the preservation service to the preservation client.
- Preservation services with temporary storage. Data is stored on the client’s side. The preservation service keeps the data only temporarily. Once the evidence is produced, it is stored so the client can retrieve it.
- Preservation services without storage. Data is stored on the client’s side. The preservation service only keeps traces of its actions to be able to provide records of its activities.
Conclusion
A digital signature is a generally accepted technique for verifying documents, transactions, and online operations by proving data integrity and user authentication. Your business or organization probably already uses digital signatures (or some form of electronic signatures) in your daily operations.
However, several challenges pop up without properly preserving digital signatures: technological progress makes it impossible to read signatures on obsolete technologies, and signature certificate expiration or revoke is also a challenge.
A solution to these challenges is preserving digital signatures using third-party companies operating with internationally accepted certifications and standards. Like this, long-term digital signatures remain findable, accessible, and usable. In addition, and most importantly, they will be able to maintain the validity status of a signed object over time.