Electronic signatures have become vital for many activities nowadays. Regardless of size or sector, virtually all companies will have to obtain electronic signatures on a regular basis. After you obtain a signature, you must also store the signed document correctly. Furthermore, electronic signatures need to be maintained periodically to ensure their long-term validity, or they may become invalid at some point.
There are three main challenges that must be addressed when it comes to long-term validation:
- The data used for validation must remain available, as the validity of an electronic signature may be compromised only a few days after signing. This includes, for example, the certificate used for signing, or information related to revocation (proof that the certificate was valid at the time of signing).
- The time of creation of the signature must be obtained in a secure and accurate manner.
- Cryptography has a limited lifetime, so any solution for document preservation must be future-proof.
Signicat addresses these issues with two solutions: packaging and preservation, both of which are discussed below.
After a document is signed, it is packaged using Signicat’s own solution. Packaging is a proprietary technique which helps ensure long-term validation. Packaging is used for all of Signicat’s signing products. You can obtain signatures using different ID methods by integrating with Signicat’s identity hub, which simplifies the process. Then Signicat gathers the signature, the visual signed document, the validation data, the certificates used in the process, and the relevant timestamp, and packages them. This prevents the signature from being tampered with. The result of the packaging process is a document in the PAdES format which can be viewed with any PDF reader. Additionally, the seal on the package can be verified with Adobe Acrobat Reader.
The main advantage of packaging from a usability standpoint is the fact that Signicat adds a proof of signature directly on the document, meaning that users can easily check if a document is signed, when and by whom. This proof of signature is effectively part of the document, which means that it will be visible even if the document is printed, for example.
When it comes to long-term validation, packaging solves two of the three main challenges: it ensures long-term availability of validation data as well as trusted timestamping.
Availability of validation data
The data used to validate the signature must remain available even after signing, so that it is always possible to ensure that the certificate used for signing was valid (that is, not revoked) at the time of signing. The usual solution is to ask the certificate authority (CA) if the certificate is valid at the time of verification. This usually suffices for short-term usage, although there is a certain risk that the certificate may be revoked or expire between the time of signing and the time of verification.
Generally speaking, the longer the time that passes between the time of signing and the time of validation, the more difficult it will be to gain access to reliable certification data. In order to solve this problem, some have attempted to use logs. This solution is not optimal, however, mainly because the trustworthiness of the logs must still be established. A better alternative is to collect proof of validation at the time of signature and store it. Signicat’s solution goes a step further and incorporates the proof of validation into the electronic signature, thereby ensuring that, no matter how much time elapses between the time of signing and the time of validation, validation data will be available and sufficient.
Timestamping is another vital factor for long-term validation. In order to ensure that the signature is valid, its certificate must be validated against its creation time. Initially, ensuring the time at which a document was signed may seem like a straightforward task. However, it would be possible for attackers to steal a private key, forge a signature, and backdate it to a time before they stole the key, making it look like the signature is legitimate. In order to avoid this, Signicat only uses timestamps provided by a Time Stamping Authority (TSA).
A TSA is a trusted third party that issues a timestamp which is very difficult to reverse-engineer. TSAs must comply with several audited and standardized security requirements, which increases the security of the timestamp. Timestamps produced by a TSA combine digital signatures and trusted time sources to create cryptographically strong evidence that a given piece of data existed at a given time.
Some documents signed with an electronic signature may need to be valid for decades, but electronic signatures typically have a limited lifetime. Computing power and knowledge about cryptography are evolving constantly, which is a threat to preservation. Breakthroughs in cryptography or technology may make it possible to break an algorithm which was previously considered unbreakable, and advances in mathematics could render existing algorithms invalid. For example, old hashing algorithms such as SHA1 or MD5 are no longer used as they are not considered secure anymore. To address this issue, documents signed by Signicat undergo a recurring preservation process. This, in combination with packaging, fully ensures long-term validation. This process involves the following steps:
- Validate the previous timestamp.
- Obtain an updated timestamp that meets current cryptography standards.
- Re-package the document with the updated timestamp.
When a document and its corresponding signature are re-packaged, this is done using updated algorithms, which adds a new layer of security and ensures that the signature is preserved for as long as necessary.
Preservation is offered by Signicat as a part of its archive service, meaning that the client does not need to develop their own archive service, although they may choose to host the archive. In this case, the client will have to send the archived documents to Signicat periodically through an API.
Frequently Asked Questions
Question: Is a digital signature the same as an electronic signature?
Answer: No. Both terms refer to a similar concept, but ‘electronic signature’ refers to a broader concept that includes that of ‘digital signature’. An electronic signature is any electronic data that carries the intent of a signature. Even writing your name at the end of an email can be considered a form of electronic signature. In contrast, a digital signature is a way to implement electronic signatures in a secure manner, such as through cryptography. Digital signature technology is generally used to implement electronic signatures.
Question: What is the difference between sealing and packaging?
Answer: Sealing refers to the act of using an electronic signature whose owner is not a person (but rather an organization, for example) to seal a document. Packaging is a proprietary technique used by Signicat to seal a document. Signicat’s packaging solution gathers the data related to the signature, such as the algorithms and certificates used, seals them using the XAdES format, and then packages the visual signed document together with the XAdES file and seals them together using the PAdES format. The final result is a document that can be read with any PDF reader and whose relevant validation data can be accessed using Adobe Reader.