Bear in mind that, under European legislation, for electronic documents to be legally acceptable in the event of an administrative audit or litigation, they must be archived under conditions that guarantee their integrity.
Many of an organization's documents (contracts, purchase orders, acceptance or rental inventory reports, etc.) are likely to serve as evidence in litigation, so it must be ensured that they cannot be altered, whether deliberately or accidentally, for the duration of the retention obligation.
The organization must also be able to retrieve them at any time and rely on them until the end of that period.
Electronic signature and its evidence file
In the event of a dispute involving a document that has been electronically signed, in particular a contractual one, it will also be necessary to produce an evidence and traceability file proving:
- The processes put in place;
- The link between the document and the person from whom it originates;
- The consent given by the signatory;
- The integrity checks performed (conditions, periodicity, etc.);
- The algorithm used for this integrity management;
- The validity of the electronic signature (and of the corresponding certificate) at the time it was affixed to the document;
- That the signature algorithm used has not been compromised.
Thus, in the event of a dispute, a court-appointed expert will be able to perform technical checks (verifying the fingerprint of the document, comparing it with the fingerprint in the signature, checking the signature validation report, etc.) and provide the judge with the elements needed to decide whether or not to accept these electronic documents as evidence.
Have you verified the validity of your electronic signature certificates?
Indeed, an electronic signature is associated with the use of a certificate whose validity period is generally 2 or 3 years.
While it is known at signing time that the certificate used is valid (not expired and not revoked by its holder), and while this can easily be verified during the certificate's lifetime, it is no longer possible to do so once those 2 or 3 years have elapsed. This can prove detrimental in the event of litigation.
It is therefore very important that the signature be “certified” as soon as it is affixed to the document.
Verification / validation steps
To respond to the market and reassure users, the European eIDAS regulation, which entered into force on 1 July 2016, introduced several specific trust services. One is dedicated to the validation of qualified electronic signatures and is provided by eIDAS Qualified Trust Service Providers (PSCQs). In providing this service, the PSCQ will:
- verify that the signatures are present and that the submitted document is intact;
- check whether the certificate used was valid at the time of signing;
- identify the signatory;
- query the necessary external services (European Trusted Lists, OCSP responses, certificate revocation lists).
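As an added illustration (not code from the original article or from any trust service provider), the following Go program shows the two checks at the heart of the steps above and of the certificate-validity point raised earlier: the document fingerprint is compared against the signature, and the certificate's validity is assessed at the recorded signing time rather than at the current clock, so a certificate that has since expired does not invalidate a signature made while it was valid. The key, certificate, document and dates are constructed for the example; revocation checking (OCSP/CRL) is omitted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ValidateAtSigningTime checks that the document fingerprint matches the signature
// and that the signer's certificate was within its validity period at the recorded
// signing time (never time.Now()). Revocation checking (OCSP/CRL) is omitted.
func ValidateAtSigningTime(cert *x509.Certificate, doc, sig []byte, signingTime time.Time) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported signer key type")
	}
	digest := sha256.Sum256(doc) // fingerprint of the archived document
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("integrity check failed: fingerprint does not match the signature")
	}
	if signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter) {
		return errors.New("certificate was not valid at the signing time")
	}
	return nil
}

// DemoScenario uses constructed data: a self-signed two-year certificate (2019-2021)
// and a document signed in June 2020, validated at the signing time and at the current clock.
func DemoScenario() (atSigningTime, atNow error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed example signer"},
		NotBefore:    time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	doc := []byte("Purchase order 42 (constructed sample document)")
	digest := sha256.Sum256(doc)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	signedAt := time.Date(2020, 6, 15, 10, 0, 0, 0, time.UTC)
	return ValidateAtSigningTime(cert, doc, sig, signedAt), ValidateAtSigningTime(cert, doc, sig, time.Now())
}
```

The second result fails only because the certificate has expired since signing, which is exactly why the validation report must be produced and archived at signing time.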
Valuable validation report
Once these verifications have been performed, the validation report is generated in XAdES format (signed XML) and added to the archive envelope alongside the archived object (the signed and archived document) and the metadata files. This report is integrated into the sealed archive. It will later provide proof that the signature was valid at the time the document was transmitted for archiving, and it consolidates the evidence file.
Finally, when an organization wants to consult its document, it can also consult the validation report and thus has all the necessary elements at hand.
Qualified and advanced signatures
Although this validation service primarily targets “qualified” electronic signatures, it can also be used to strengthen the quality of the evidence file in the case of “advanced” electronic signatures.
This is because, with this type of signature, the burden of proof in a dispute lies with the party who proposed the electronic signature to the other party, and hence with the provider of the signature service or software.
After validation, preservation
Another sensitive topic concerning the long-term storage of electronically signed documents is that an electronic signature relies on cryptographic algorithms, and these are likely to evolve in step with the risk of hacking or technological obsolescence.
To address this, the eIDAS regulation has therefore introduced a trust service dedicated to the preservation of electronic signatures. Thus, in the event of a warning from the information system security authorities (in France, ANSSI) about a possible compromise of the algorithm used, this preservation service will re-sign the document with a newer, more robust algorithm. This prevents any alteration of the signature and, potentially, any “appropriation” of the signature by a malicious person or organization.
This protection enables organizations that use an electronic archiving service to preserve electronically signed documents, to hold legally acceptable documents in the event of litigation, and also to protect themselves against possible cyber attacks, avoid data theft, and guard against the technological obsolescence or compromise of the algorithms used for the signature.
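As an added, simplified illustration of the re-signing principle described above (not the article's or any provider's code, and not the standardized evidence-record format a real preservation service produces), this Go code shows why each new seal must sign the archived document together with every earlier seal: a weakened older signature can then neither be altered nor swapped out without breaking the newer, stronger one. The Seal type, AddSeal and VerifyChain are hypothetical names; SHA-512 stands in for the "newer, more robust" algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 so crypto.SHA256.New() works
	_ "crypto/sha512" // registers SHA-512 (the "newer, more robust" algorithm here)
)

// Seal is one layer of a simplified preservation chain (hypothetical type).
type Seal struct {
	Hash crypto.Hash    // hash algorithm used for this layer
	Pub  *rsa.PublicKey // key of the service that applied it
	Sig  []byte         // RSA-PSS signature over coveredBytes(doc, earlier seals)
}

// coveredBytes is what a new seal signs: the document plus every earlier
// seal's signature, so re-sealing also protects the older evidence.
func coveredBytes(doc []byte, earlier []Seal) []byte {
	data := append([]byte(nil), doc...)
	for _, s := range earlier {
		data = append(data, s.Sig...)
	}
	return data
}

func hashWith(h crypto.Hash, data []byte) []byte {
	hh := h.New()
	hh.Write(data)
	return hh.Sum(nil)
}
// AddSeal re-signs the archived object with the given (newer) algorithm and key, keeping the existing seals.
func AddSeal(doc []byte, chain []Seal, key *rsa.PrivateKey, h crypto.Hash) ([]Seal, error) {
	sig, err := rsa.SignPSS(rand.Reader, key, h, hashWith(h, coveredBytes(doc, chain)), nil)
	if err != nil {
		return nil, err
	}
	return append(chain, Seal{Hash: h, Pub: &key.PublicKey, Sig: sig}), nil
}
// VerifyChain checks every seal, newest first; each must cover the document and all seals below it.
func VerifyChain(doc []byte, chain []Seal) error {
	for i := len(chain) - 1; i >= 0; i-- {
		s := chain[i]
		if err := rsa.VerifyPSS(s.Pub, s.Hash, hashWith(s.Hash, coveredBytes(doc, chain[:i])), s.Sig, nil); err != nil {
			return err
		}
	}
	return nil
}
```

A real preservation service additionally binds each layer to a trusted timestamp and records the algorithm transition in a standardized evidence record, which this sketch leaves out.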
Finally, we note that these two services can be used throughout the European Union and that their sole purpose is to strengthen organizations’ trust in electronic signatures.