Electronic signatures are not valid ad vitam aeternam
In the context of the health crisis, many companies were forced to resort to teleworking. The need for electronic signatures then became necessary when employees were unable to come to the office to sign documents by hand.
The market has since observed a growing demand for the digitalisation of the signing process. Nevertheless, the majority of those who benefit from this digitisation tend to think that the signing process stops once the document is signed and transmitted. The process does not stop there, though. If a document is to remain valid for more than several years, the technical validity of its signature(s) must be preserved.
But preserved from what?
Three major events can invalidate a so-called “basic” electronic signature:
- Certificate expiration: Let’s take an ID card as an example; this identity card has an expiry date. The same applies to a signature certificate. Once this certificate has expired, it can no longer be used to create signatures.
- Certificate revocation: Just like the identity card, the means of creating an electronic signature (also called “private key”) can be stolen. The user therefore requests a revocation. He/she asks his/her provider that the signatures created from the date of the theft are not valid. The signature certificate is then revoked.
- Depreciation of cryptographic algorithms: As computer power increases, the chances that an attacker can produce two different documents technically covered by the same signature also increases. Some algorithms that are used to create the signature become outdated by computer power. These algorithms are then said to be deprecated.
My signature was created when my certificate was neither expired nor revoked and I used the recommended cryptographic algorithms. What can I be afraid of?
The problem with so-called “basic” electronic signatures is that their date of creation cannot be trusted. A signature created on a computer or server that indicates a date of 1 January 1990 will indicate that the document was signed on 1 January 1990. It is then entirely possible to include a date at the time of signing that is earlier than the actual date of signing.
How can I trust the electronic signature if I cannot rely on its creation date?
Most often, an electronic timestamp is added to the signature when it is created, by the signature creation software itself. These timestamps establish the proof that the signature existed at a given time.
Now that my signature is time-stamped, does my document need anything else?
In order to ensure the long-term validity of the document, it is also recommended to include all evidence that the signature and its timestamp were not revoked at the time of signing. This data is called revocation data and is available online at a given location, but it is very likely that it will one day no longer be available (e.g. after the supplier ceases operations). It is then recommended to include all this data in the signature while it is still available. Finally, a final timestamp is applied to ensure that the data existed at the time and to protect its integrity.
All these signature levels are called “baseline levels” and are defined by standardisation bodies such as ETSI (European Telecommunications Standards Institute) in Europe.
Need more information on the preservation of electronic signatures? Do not hesitate to contact us at the following address: firstname.lastname@example.org
Author: Xavier SCHUL