In one of our latest webinars we presented some of the solutions and services available to create a strong e-signature that stands the test of time. One of these services is the e-signature validation service. It is an eIDAS trust service that comes in especially handy when companies have to check the validity of the e-signatures on documents received from clients or business partners. As this is a rather new service on the market, our attendees had plenty of questions, some of which are answered below.
If you want to watch the webinar recordings in full, they are available online on our LuxTrust webinar channel.
Why is the e-signature validation service so important?
There are several reasons to consider this service. Most of them are connected to the life-cycle of an e-signature. With time, some of the key components of the e-signature (algorithms, cryptographic keys, signed data included in the signature) can become outdated or weak. Furthermore, the certificates embedded in e-signatures can expire or be revoked. So we should ensure that our e-signatures were valid at the time of application and remain so despite any technological advancements over time.
Does the validation of an e-signature ipso facto concern only qualified electronic signatures (as defined in eIDAS)?
No, of course not. Its usage/focus is much wider. For example, LuxTrust’s qualified validation service, besides qualified signatures, can also check advanced signatures on the condition that:
- the signatures in question are digital signatures based on public X.509 certificates and
- the issuer of these certificates is accredited under the European eIDAS Regulation.
In addition, LuxTrust’s validation service can integrate “custom” root certificates which belong to a closed user group. These certificates can have their own specific policy, not necessarily following the eIDAS framework. Even in such a case, LuxTrust can validate the e-signatures specific to this closed group or restricted community.
How is it possible to ensure that a contract is valid at the time of signature, even if the certificate on which the e-signature is based has since expired?
If the certificate is issued by a qualified trust service provider, such as LuxTrust, then the provider is obliged to maintain the status of qualified certificates. This makes it possible to check when and if such a certificate has been revoked in the past and thus see whether the signature was valid at the time of application.
However, the validation of an electronic signature must also take into consideration many other elements, e.g. the validity of applied timestamps, CRLs or OCSP responses, intermediate certificates and, above all, the security of the algorithms used. So, even if you may be able to determine the status of a certificate outside the duration of its validity, it may no longer be possible to validate the electronic signature if its elements are not preserved correctly.
An e-signature remains verifiable as long as it is properly maintained. Such maintenance requires adding new evidence and additional archiving timestamps on a regular basis. This ensures that the e-signature is sustainable and that its structure as a whole keeps its probative value.
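The reasoning in this answer can be sketched as a simplified decision model. This is an added example, not LuxTrust's service or a standardized validation algorithm; the field names, status labels and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass
class Timestamp:
    applied_at: datetime   # time asserted by the timestamp token
    valid_until: datetime  # end of validity of the timestamping certificate

@dataclass
class SignatureEvidence:
    cert_not_before: datetime
    cert_not_after: datetime
    revoked_at: Optional[datetime]     # taken from preserved CRL/OCSP data
    signature_ts: Optional[Timestamp]  # proves when the signature existed
    archive_ts: List[Timestamp] = field(default_factory=list)

def validate(ev: SignatureEvidence, now: datetime) -> Tuple[str, str]:
    if ev.signature_ts is None:
        # No proof of signing time: the certificate must be usable right now.
        if now > ev.cert_not_after:
            return "INDETERMINATE", "certificate expired, no proof of signing time"
        if ev.revoked_at is not None and ev.revoked_at <= now:
            return "INDETERMINATE", "certificate revoked, no proof of signing time"
        return "VALID", "certificate currently valid"
    signed_at = ev.signature_ts.applied_at
    if not ev.cert_not_before <= signed_at <= ev.cert_not_after:
        return "INVALID", "signed outside certificate validity period"
    if ev.revoked_at is not None and ev.revoked_at <= signed_at:
        return "INVALID", "certificate revoked before signing"
    # Each archive timestamp must be added before the previous protection ends.
    protected_until = ev.signature_ts.valid_until
    for ts in sorted(ev.archive_ts, key=lambda t: t.applied_at):
        if ts.applied_at > protected_until:
            return "INDETERMINATE", "gap in archive timestamp chain"
        protected_until = max(protected_until, ts.valid_until)
    if now > protected_until:
        return "INDETERMINATE", "timestamp protection lapsed"
    return "VALID", "valid at signing time, evidence still protected"

# Constructed sample: certificate valid 2015-2018, document signed mid-2016.
NB, NA, NOW = datetime(2015, 1, 1), datetime(2018, 1, 1), datetime(2024, 1, 1)
SIG_TS = Timestamp(datetime(2016, 6, 1), datetime(2020, 6, 1))
ARCH_TS = Timestamp(datetime(2019, 6, 1), datetime(2031, 6, 1))

if __name__ == "__main__":
    print(validate(SignatureEvidence(NB, NA, None, SIG_TS, [ARCH_TS]), NOW))
    print(validate(SignatureEvidence(NB, NA, None, SIG_TS), NOW))
    print(validate(SignatureEvidence(NB, NA, datetime(2016, 1, 1), SIG_TS, [ARCH_TS]), NOW))
```

The second call shows the maintenance point: the same signature, without a renewed archive timestamp, can no longer be confirmed once the original timestamp's protection has lapsed.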
How can we guarantee the validity of the e-signature for longer periods of time (for example, 12 years)?
To ensure that an e-signature is valid for longer periods of time, the service must be able to apply and work with a special configuration. For example, in our e-signature platform COSI, you may set the e-signatures in an LTA format (parameter). This will include all evidence of the validity of the e-signature at the time of its creation. A timestamp with a 12-year validity will then protect these elements of evidence (OCSP, CRL, certificate and chain of intermediate certificates, etc.). The e-signature will therefore be valid for up to 12 years.
Should you have any other inquiries regarding the validation of e-signatures, do not hesitate to send us your questions here. Our teams will get back to you shortly.
Disclaimer: The above represents LuxTrust’s understanding of the relevant law or regulation and should not be taken, relied on or interpreted as a legal opinion. Customers are encouraged to seek independent legal advice before acting on this information.