Long-term validity

Effectiveness of electronic signatures

In accordance with international standards, a signature can be said to have "long-term validity" provided that the requirements that allow it to keep its validity, and the ability to verify it, over time are met.

The verification process aims to determine:

• The integrity of the signed data, ensuring that they have not been modified;

• The authenticity of the certificates that were used to sign; and

• That the status of the certificate used to sign was valid at the time of signing.

Once the certificate expires or is revoked, verification of a signature that does not include an electronic time stamp will fail, since it is no longer possible to determine whether the certificate was valid at the moment it was used.

To solve this problem, the electronic signature must include information about the date of its creation (a time stamp) and about the validity of the certificate at that moment (an OCSP response). In this way the signature remains verifiable beyond the validity period of the certificate.

All signatures created with ANF AC approved devices are AdES (Advanced Electronic Signature) XL signatures (XL = Long Term Signature).

The ANF AC Re-stamping Service, in terms of electronic signature format, follows AdES-A.

The advanced signature formats CAdES, XAdES and PAdES are defined by ETSI standards. These standards specify a series of extensions (levels) according to the attributes each one includes. Specifically:

• Basic signature
o AdES-BES is the basic format that meets the requirements of an advanced electronic signature. It provides basic authentication and integrity protection; it does not cover non-repudiation or long-term validation.
o AdES-EPES is an AdES-BES that incorporates information about the signature policy, such as information about the certificate used and the CA that issued it.
• AdES-T (T for TimeStamp). An AdES-EPES to which a time stamp is added in order to fix the moment at which the document was signed. This is a second signature, made by ANF TSA CA (Time Stamp Authority).
• AdES-C (C for Chain). An AdES-T to which references to the certificates and to the validation source used to confirm the validity of the signing certificate are added. This level is the basis for long-term verification.
• AdES-X (X for eXtended). An AdES-C to which date and time information covering the references added at the -C level is attached.
• AdES-XL (XL for Long Term). An AdES-X to which the certificates (public key only) and the validation sources that were used are added. Unlike -C, where only a reference (a pointer) was included, in this format a third signature (the OCSP response), made by ANF AC, is added. This ensures validation many years after signing, even if the CA that issued the certificate or the validation source (OCSP responder or CRL) is no longer available; that is, it guarantees long-term offline validation.
• AdES-A (A for Archive). This format includes all of the above information and adds meta-information associated with re-stamping policies. A re-stamping policy establishes an expiry period for the digital signature, after which the signature is re-stamped. The ideal scenario for this signature format is documents whose validity period is very long: 15, 20, 50 years, etc.
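The verification rule stated above (no time stamp means nothing can be proven once the certificate expires or is revoked) and the levels listed here, reduced to a small Python model. This is an added example, not ANF AC's code: it assumes the digest, signature value and TSA signature have already been checked, collapses EPES/C/X into the three levels it can distinguish (BES, T, XL), and the `Certificate`, `Signature` and `utc` names and the `revoked_at` field are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


def utc(y, m, d):
    """UTC date shorthand for the constructed sample values."""
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class Certificate:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None: never revoked (as the responder would report)


@dataclass
class Signature:
    signer_cert: Certificate
    timestamp: Optional[datetime] = None     # AdES-T: signing time attested by the TSA (assumed verified)
    ocsp_good_at: Optional[datetime] = None  # AdES-XL: embedded OCSP "good" response produced at this time


def ades_level(sig):
    """Collapse the page's levels to the three this model can tell apart."""
    if sig.timestamp is not None and sig.ocsp_good_at is not None:
        return "XL"
    return "T" if sig.timestamp is not None else "BES"


def verify_status(sig, now, responder_online=True):
    """Can the signer certificate be shown valid for this signature? Digest,
    signature value and TSA checks are assumed to have passed already."""
    cert = sig.signer_cert
    # Without a time stamp the only provable time is "now": nothing shows that
    # the signature predates expiry or revocation of the certificate.
    ref = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= ref <= cert.not_after):
        return False, f"certificate not within its validity period at {ref.date()}"
    # A "good" response issued at or after the reference time proves the status
    # offline, so an unavailable CA or responder no longer matters.
    if sig.ocsp_good_at is not None and sig.ocsp_good_at >= ref:
        return True, "valid: offline check against embedded OCSP response"
    if not responder_online:
        return False, "no revocation information available for the reference time"
    if cert.revoked_at is not None and cert.revoked_at <= ref:
        return False, f"certificate revoked on {cert.revoked_at.date()}, before the reference time"
    return True, "valid: online revocation check"
```

Calling `verify_status` on a plain signature after the certificate's expiry, and on an XL signature decades later with the responder offline, shows the two outcomes the text describes.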

In addition to ensuring that the status of the certificate can be verified over time, the process must be complemented with proper storage and custody.

Electronically signed documents cannot be damaged by humidity, rodents, fire and the like, but proper storage is still necessary.

We must be aware that the verification of a signature must be repeatable years after its generation. Over time, magnetic and optical media degrade and technology inexorably advances: the keys and algorithms that are secure today may be considered obsolete in the future, or the file format may have changed so that the information can no longer be accessed unless the necessary applications have also been preserved.

ANF AC provides an electronic signature preservation service, as established in Regulation (EU) 910/2014 (Art. 34(1)), and a re-signing service.

"Qualified service for the preservation of qualified electronic signatures
1. Only a qualified service provider of reliable services using procedures and technologies capable of extending the reliability of the data of the qualified electronic signature beyond the period of technological validity may provide a qualified service of preservation of qualified electronic signatures."