Dealing with official or business matters without paper is becoming the norm. We sign contracts online, issue invoices electronically, send important documents by e-mail. But how do we make sure that these digital documents are reliable and their content intact? With help comes digital trust services - a set of tools that guarantee the security and authenticity of e-documents. Although it sounds technical, in practice it's all about the digital equivalents of the solutions we are familiar with: a handwritten signature, a company stamp, a date stamp or a registered letter - only that in an electronic edition.
Simply put, digital trust services are tools and technologies that ensure the integrity and authenticity of of documents and electronic communications. They allow us to trust that the e-document has not been altered and that the identity of the signer has been verified. Regulation eIDAS (EU regulation) has given these services a legal framework - for example, qualified electronic signatures have been recognized as equivalent to handwritten signatures in all EU countries. What specific solutions do we count as trust services? Here are the most important ones:
(Note: The eIDAS regulation also lists website authentication certificates as a trust service, although in the context of this article we focus mainly on electronic document services).
The increasing use of these services is due to the time savings and convenience offered by digital documents. E-signatures and e-seals make it possible to get things done remotely, without printing and hand-signing piles of papers. An electronic document bearing a qualified signature or seal can replace a paper document in many procedures - provided, of course, that it remains reliable over time. And here we come to the crux of the problem: how to guarantee the long-term validity of of such signed files? After all, a document signed today must be verifiable and also valid in a few or several years, especially when we store it in an archive. This is the key challenge in the world of digital documents.
Qualified electronic signature (QES) is based on a qualified certificate issued by a trust service provider for a specified period of time - usually one, two or three years. During the validity period of the certificate, any document signed with this signature is treated as a validly signed. Verification systems easily confirm the validity of an e-signature during the validity of the certificate.
The problem occurs after the expiration of the certificate. The document still remains legally signed, after all, the signature was valid at the time of submission - but proving this fact years later may prove difficult if additional safeguards are not taken care of. Figuratively speaking: an e-signature has its "expiration date" depending on the certificate. When a certificate becomes invalid, after a certain period of time, programs may start reporting a message upon verification that the signature is invalid or "insecure." Why? Because its certificate has expired, and the system is not sure if the signature was actually made before it happened, or if the document was signed only later (with an already expired certificate). It sounds absurd, but such warning signals give us the tools to verify when additional data confirming the time of the signature is missing.
To better illustrate the problem, let's use an example. Mr. Jan signed a valid contract with a qualified e-signature and quietly kept the file on his computer. However, Mr. Jan's certificate expired after a year, and our hero did not apply any additional security measures. After several months, there was a court dispute with the contractor, and suddenly it turned out that the verification software indicated the signature in the contract as "invalid" - the certificate was no longer valid, there were no current revocation lists, in a word, the signature seemed to have "time-barred". The court doubted whether the contract was actually signed while Mr. John's certificate was valid, because there was no evidence in the file of the specific date of the signature. In short, the lack of preparation of the document for long-term storage undermined its evidentiary power - Mr. Jan did not take careto be able to prove the validity of his e-signature in the future.
This example emphatically demonstrates that electronic signature is not "disposable" - if a document is to retain legal force, we must think about its verifiability over the years. Fortunately, there is a way to do this.
The solution to Mr. John's problem (and anyone else who wants to store e-documents for a long time) is a qualified timestamp. This is nothing more than a special, trusted time stamp, which confirms the date and time the document was signed. The timestamp provider uses an independent, synchronized time source - so the timestamp is objective and reliable. When we stamp a signed file with a time stamp, even if the signer's certificate later expires or is revoked, we have an ironclad proofthat the signature existed and was valid at the moment marked by the date.
Figuratively speaking, the timestamp "freezes" the state of the document and signature at the time it was applied. Years later, when verification is needed, it can be shown that the signature was valid at the time stamped - just as a time-stamped photograph confirms what something looked like at a given moment. In the world of e-documents, this is crucial to maintaining the legal validity of of long-stored files. Good practice even says to add the timestamp right away when signing the document - then we have confirmation from the beginning that the signature was made when the certificate was valid. If Mr. John had timestamped his agreement with a qualified timestamp, his problem probably would not have occurred - the date of the signature would have been unambiguously confirmed.
However, will it last forever? A single time stamp perfectly documents the moment of the signaturebut if you plan to keep an e-document for many years (e.g. 5, 10, or even 50), a single stamp alone may not be enough. In a few years, technologies, security algorithms or certification policies may change. Therefore, in addition to stamping the document once in a while, you should think about further maintenance activities - That is, how to keep the signature alive and valid despite the passage of time.
Coming up in the next article: Electronic signature for years - document preservation and archiving in practice we will tell you what the preservation of an electronic signature is about and how to safely archive signed documents so that they remain valid for years to come. We invite you to read the second part - because an e-signature, like a valuable painting, also requires proper care so that it does not lose its luster.
