- eIDAS requirement for document immutability
- How does Signi provide it?
- Before we mention advanced methods
- Advanced methods - time stamps from certification authorities
- Renewal of time stamps, electronic seals or electronic signatures with certificates
- What happens when...
- How to solve the long-term archiving of documents signed in Signi
eIDAS requirement for document immutability
SIGNI, as an electronic signature service under the EU eIDAS Directive, must ensure the immutability of the document after the moment of signature (see eIDAS, Section IV, Article 26 d), sometimes also referred to as "time anchoring of the document".
How does Signi provide it?
The document to be signed is created and modified exclusively in the controlled Signi environment. The user cannot influence the data about its changes, for example, by changing the time on his computer or mobile phone at the time of signing.
The time data of the changes, i.e. who signed the document, when and where, is available to Signi users in the so-called Document Control Sheet. This control sheet can then be used by a forensic expert or can be provided to a controlling authority such as the Tax Office or the Labour Office as information about the times of creation and changes to the document.
When changes are made to the document, a so-called "hash" is inserted into the document, which is the condensed content of the document. If someone subsequently changes the content of the document, the manipulation is recognised by the fact that the content of the document does not match the hash.
Before we mention advanced methods
Before we mention advanced methods for ensuring document immutability, there is one important thing to note. Even in the paper world, not all documents are created equal:
- we throw away the receipt from the candy store the next day,
- many companies store invoices in the office, where they can be stolen or burned in a fire,
- invoices or delivery notes going back ten years are kept in the basement, where the company pays the same but takes on the extra risk of flooding,
- only some documents are stored in special warehouses with security, flood protection and strict fire precautions.
The reason is simple - long-term high protection of documents costs money and does not always make business sense. The very same is true in the world of electronic documents. We just have to get used to that world.
Advanced methods - time stamps from certification authorities
An advanced way of proving that a document has not changed since it was signed is through qualified time stamps provided by an independent, state-controlled certification authority.
A time stamp proves that a document already existed at a certain time and in a certain form. How is this ensured?
- The time stamp consists of a "document hash", i.e. the content of the document condensed into a long text string, plus a time stamp from the qualified service provider, plus the signature of the qualified service provider.
- The time stamp is created and inserted into the document by the CA.
- If the document is subsequently modified, its content will not match the hash included in the time stamp. This shall be confirmed again by the CA.
- As a matter of principle, it is not possible to obtain a time stamp from the certification authorities from a previous period and thus anti-date a certain document status to an earlier date.
How do I verify that a time stamp from an independent certification authority is embedded in a document? For example, in Adobe Reader, I get "Signature contains an embedded time stamp" in the Signature Panel of an electronic seal.
Renewal of time stamps, electronic seals or electronic signatures with certificates
Electronic time stamps, seals or signatures with certificates have a limited validity, typically one or three years. The main reason for this is the fear that, as the computing power of computers increases, the ciphers used could be broken after, for example, 9 years and thus all the electronic information created with them could be changed retrospectively.
Does this mean that embedded electronic seals or electronic signatures with certificates need to be constantly renewed in electronic documents? That does not make sense. How could a defunct company renew its seal on all electronic original documents if it no longer exists? And how could the signature of a person who has passed away be renewed?
If we need to have a high degree of certainty that no one has altered a document, we need to have a continuous series of then-current time stamps on a document or set of documents.
Ensuring the immutability of a document or set of documents by a sequence of time stamps.
The time-stamping of documents or sets of documents is provided by so-called "trusted archives". Signi will also provide one of these, and companies can also store documents from Signi in their archives, where they also store other documents such as issued invoices that are not signed by anyone. Whether to use the archive and for which documents or sets of documents is then the choice of each company, similar to the way it decides whether to leave documents in a file cabinet in an unsecured office, a safe or a professional archive.
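The structure described above (document hash + time + provider signature) and the renewal by a continuous sequence of time stamps can be modelled as follows. This is an added example, not Signi's or any certification authority's code: the token layout, key names and dates are constructed, and an HMAC stands in for the authority's real asymmetric signature so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the time-stamping authority's signing keys. A real
# authority signs with an asymmetric key; HMAC only keeps this example offline.
TSA_KEYS = {"tsa-2020": b"constructed-key-a", "tsa-2023": b"constructed-key-b"}

def _sign(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TSA_KEYS[body["key_id"]], data, hashlib.sha256).hexdigest()

def imprint(document: bytes, earlier: list) -> str:
    """Hash of the document plus every earlier token, so a renewal covers both."""
    h = hashlib.sha256(document)
    for tok in earlier:
        h.update(json.dumps(tok, sort_keys=True).encode())
    return h.hexdigest()

def issue(key_id: str, document: bytes, chain: list, time: str, valid_until: str) -> dict:
    """Token = document hash + time + authority signature (hypothetical layout)."""
    body = {"key_id": key_id, "imprint": imprint(document, chain),
            "time": time, "valid_until": valid_until}
    return {**body, "sig": _sign(body)}

def verify_chain(document: bytes, chain: list, now: str) -> tuple:
    """Check every token, and that each was renewed while still valid."""
    if not chain:
        return False, "no time stamp"
    for i, tok in enumerate(chain):
        body = {k: v for k, v in tok.items() if k != "sig"}
        if not hmac.compare_digest(_sign(body), tok["sig"]):
            return False, f"token {i}: bad authority signature"
        if tok["imprint"] != imprint(document, chain[:i]):
            return False, f"token {i}: document or earlier token changed"
        # The next token (or 'now' for the newest) must fall inside this validity.
        covered_at = chain[i + 1]["time"] if i + 1 < len(chain) else now
        if not tok["time"] <= covered_at <= tok["valid_until"]:
            return False, f"token {i}: not renewed before expiry"
    return True, f"unchanged since {chain[0]['time']}"

# Constructed sample: one document stamped in 2020 and renewed in 2023.
DOC = b"constructed contract text"
T0 = issue("tsa-2020", DOC, [], "2020-03-01", "2023-03-01")
T1 = issue("tsa-2023", DOC, [T0], "2023-02-01", "2026-02-01")
```

A chain that was renewed in time verifies back to the first stamp; a modified document, an altered token, or a gap between one stamp's expiry and the next stamp's time each fail with a distinct reason.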
What happens when...
...your electronic document from Signi is not time-stamped at the time of signature?
Signi is a controlled environment for electronic signing and guarantees the content of the document at the time of signature.
If necessary, Signi will provide the necessary information to the forensic expert or controlling authority to ensure the immutability of the document.
...your document or set of documents will not be re-stamped with valid time stamps?
The certification authority - trust service provider - is obliged to provide information on whether the document or the certificates for electronic signatures, seals and time stamps provided by it were valid at a certain time.
If necessary, the certification authority shall provide the necessary information on the immutability of the document to the forensic expert or inspection body. The court will take its opinion into account in the event of a dispute even if the electronic document does not bear currently valid electronic signatures, seals or time stamps and is therefore not valid at the time of the dispute.
However, this may have some limitations. PDF readers may report that the document is not current; it will not be possible to convert the document to paper form if the service requires the document to be current, etc.
How to solve the long-term archiving of documents signed in Signi
Each signer will receive their original electronic document with electronic signatures. Each signer is then responsible for the long-term archiving of this document - similar to a paper document.
There are two options when using Signi:
- Use the archiving module in Signi, where the documents are moved from Signi after a set period of time.
- Signi will connect to the corporate archive via the Signi API, where Signi will be one of the sources of archived documents.