Validation of the electronic signature: Did you know?

Electronic signatures are not valid ad vitam aeternam

In the context of the health crisis, many companies were forced to resort to teleworking. Electronic signatures then became necessary, as employees were unable to come to the office to sign documents by hand.

The market has since observed a growing demand for the digitalisation of the signing process. Nevertheless, most of those who benefit from this digitalisation tend to think that the signing process stops once the document is signed and transmitted. It does not stop there, though. If a document is to remain valid for several years or more, the technical validity of its signature(s) must be preserved.

But preserved from what?  

Three major events can invalidate a so-called “basic” electronic signature: 

My signature was created when my certificate was neither expired nor revoked and I used the recommended cryptographic algorithms. What can I be afraid of?

The problem with so-called “basic” electronic signatures is that their date of creation cannot be trusted. A signature created on a computer or server whose clock indicates 1 January 1990 will state that the document was signed on 1 January 1990. It is therefore entirely possible to record a signing date that is earlier than the actual date of signing.

How can I trust the electronic signature if I cannot rely on its creation date?   

Most often, an electronic timestamp is added to the signature when it is created, by the signature creation software itself. These timestamps establish the proof that the signature existed at a given time. 

Now that my signature is time-stamped, does my document need anything else?  

In order to ensure the long-term validity of the document, it is also recommended to include all evidence that the signature and its timestamp were not revoked at the time of signing. This data is called revocation data and is available online at a given location, but it is very likely that it will one day no longer be available (e.g. after the supplier ceases operations). It is therefore recommended to embed all this data in the signature while it is still available. Finally, a last timestamp is applied to prove that the data existed at that time and to protect its integrity.

All these signature levels are called “baseline levels” and are defined by standardisation bodies such as ETSI (European Telecommunications Standards Institute) in Europe.
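The reasoning above can be followed step by step in a small model, given here as an added example that is not part of the original article or of any product's code. The `Signature` fields, the `validate` function and its result strings are hypothetical simplifications, and the final timestamp that protects the embedded data is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Signature:
    claimed_time: datetime                     # set by the signer's clock: not trusted
    cert_not_before: datetime
    cert_not_after: datetime
    timestamp_time: Optional[datetime] = None  # time vouched for by a timestamp authority
    embedded_revocation: bool = False          # revocation data stored inside the signature
    revoked_at: Optional[datetime] = None      # revocation date reported by that data, if any

def validate(sig: Signature, now: datetime, revocation_online: bool) -> str:
    """Simplified check: can this signature still be shown valid at `now`?"""
    # The claimed time is ignored. Without a timestamp, the only moment at which
    # the signature provably exists is the moment of validation itself.
    proven_time = sig.timestamp_time or now
    if not (sig.cert_not_before <= proven_time <= sig.cert_not_after):
        return "unprovable: certificate not valid at the proven time"
    if not (sig.embedded_revocation or revocation_online):
        return "unprovable: revocation data no longer obtainable"
    if sig.revoked_at is not None and sig.revoked_at <= proven_time:
        return "invalid: certificate revoked before the proven time"
    return "valid"

# Constructed sample data: certificate valid from 2020 to 2023, signed mid-2021.
CERT = dict(cert_not_before=datetime(2020, 1, 1), cert_not_after=datetime(2023, 1, 1))
SIGNED = datetime(2021, 6, 1)
basic = Signature(claimed_time=SIGNED, **CERT)
timestamped = Signature(claimed_time=SIGNED, timestamp_time=SIGNED, **CERT)
long_term = Signature(claimed_time=SIGNED, timestamp_time=SIGNED,
                      embedded_revocation=True, **CERT)
# Same certificate, revoked in December 2021 and checked in March 2022.
REVOKED = datetime(2021, 12, 1)
revoked_basic = Signature(claimed_time=SIGNED, revoked_at=REVOKED, **CERT)
revoked_stamped = Signature(claimed_time=SIGNED, timestamp_time=SIGNED,
                            revoked_at=REVOKED, **CERT)

if __name__ == "__main__":
    in_2030, in_2022 = datetime(2030, 1, 1), datetime(2022, 3, 1)
    print("basic, 2030          :", validate(basic, in_2030, True))
    print("timestamped, 2030    :", validate(timestamped, in_2030, False))
    print("long-term, 2030      :", validate(long_term, in_2030, False))
    print("revoked, no timestamp:", validate(revoked_basic, in_2022, True))
    print("revoked, timestamped :", validate(revoked_stamped, in_2022, True))
```

Only the signature carrying both a timestamp and embedded revocation data still validates in 2030 once the online revocation source is gone. In the revoked case, the claimed signing date alone does not help: it takes the timestamp to show that the signature existed before the revocation.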

Need more information on the preservation of electronic signatures? Do not hesitate to contact us at the following address: info@nowina.lu  

Author: Xavier SCHUL