TrustedX: The Custody of Signed Documents

This article sets out strategic guidelines for resolving the problems of custody and management of electronic signatures, so that signatures can be maintained over the long term. Topics covered include issues related to electronic signature maintenance, the standardisation of the functions of the electronic archive service and the need to use advanced document management systems. In this context Safelayer, the manufacturer of the TrustedX platform, provides one of the most advanced and, at the same time, fundamental tools for the deployment of electronic processes in line with the new regulatory framework.

Introduction

Despite the ever-growing spectrum of applications based on the electronic signature, the virtualization of business processes remains unresolved. For example, the recent introduction in Spain of the DNI-e (electronic national identity card) and the Law on Citizens' Electronic Access to Public Services (Ley 11/2007) constitute a huge leap forward in terms of citizens' rights to electronic services. First and foremost, however, such laws are conclusive tools without which it would not be possible to establish a consolidated framework for electronic business processes or for improved competitiveness and efficiency. This is especially true in the case of Public Administration.

Consequently, the challenge now facing the ICT sector is how to successfully emulate the paper-based processes and replace them with proven operating mechanisms which are more efficient and reliable. The premises established for the custody of signed documents guarantee the interchange of information, access to data from different applications, and the integrity, authenticity, confidentiality, quality, protection and maintenance of the stored documents. In other words, the use of standards for interoperability and security is a key factor, while the content management features that the new electronic means provide, and that paper-based processes lack, must not be overlooked.

Long-Term Preservation of Electronic Signatures

Verifying an electronic signature must yield a definite result: valid or non-valid. Signature verification is now routine in electronic transactions. Moreover, even some years after a signature was generated, it should be possible to corroborate it using irrefutable mechanisms, without having to obtain evidence that automatic mechanisms have not kept properly updated. An example of such evidence is proof that the digital certificates were valid at the time of signing.

Usually, the loss of evidence is related to the passing of time (evidence that in its day was valid ceases to be valid as of a particular moment) or to the moving of the signed document (in some implementations evidence is only valid in the context of the archive system). The solution to this problem was set out by the IETF (Internet Engineering Task Force) in RFC 3126 and was later adopted in the ETSI (European Telecommunications Standards Institute) XAdES and CAdES standards, which TrustedX supports.

These recommendations are based on the following: (i) the updating of signatures, by complementing them and systematically maintaining the evidence before it loses its probative value; and (ii) the safeguarding of data from possible cryptographic attacks, especially when the algorithms and keys have lost their strength with the passing of time. These standards therefore minimize the need for organizational measures in terms of electronic signature verification, while allowing signed documents to be extracted from the custody service for verification with third-party tools or simply for archiving in other systems (making it possible to move a file).
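
The maintenance cycle described above can be modelled as a chain of archive timestamps, each covering the document, the signature, the validation data and every earlier timestamp. The following Python is an added example, not TrustedX or Safelayer code and not an XAdES/CAdES implementation: all function and field names are hypothetical, each timestamp is modelled as a plain digest (a real archive timestamp is a signed token from a time-stamping authority), and the weak-algorithm list and 90-day margin are assumed policy values.

```python
import hashlib
from datetime import datetime, timedelta

WEAK_ALGS = {"md5", "sha1"}  # assumed policy: digests no longer trusted

def _covered_bytes(rec, upto):
    """Everything an archive timestamp protects: the document, the signature,
    the validation data, and every earlier archive timestamp."""
    parts = [rec["document"], rec["signature"], rec["validation_data"]]
    parts += [f'{t["alg"]}:{t["digest"]}:{t["time"].isoformat()}'.encode()
              for t in rec["timestamps"][:upto]]
    # Length-prefix each part so field boundaries cannot be shifted.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def add_archive_timestamp(rec, alg, now, tsa_cert_expiry):
    """Append a timestamp entry (modelled here as an unsigned digest)."""
    data = _covered_bytes(rec, len(rec["timestamps"]))
    rec["timestamps"].append({"alg": alg, "time": now,
                              "digest": hashlib.new(alg, data).hexdigest(),
                              "tsa_cert_expiry": tsa_cert_expiry})

def verify_chain(rec):
    """Recompute every digest; a change to any earlier material breaks it."""
    return all(
        hashlib.new(t["alg"], _covered_bytes(rec, i)).hexdigest() == t["digest"]
        for i, t in enumerate(rec["timestamps"]))

def needs_renewal(rec, now, margin=timedelta(days=90)):
    """True when the newest evidence is about to lose its probative value."""
    if not rec["timestamps"]:
        return True
    last = rec["timestamps"][-1]
    return last["alg"] in WEAK_ALGS or last["tsa_cert_expiry"] - now <= margin

def make_sample_record():
    # Constructed sample: placeholder bytes, not a real signature or
    # real certificate/revocation data.
    rec = {"document": b"contract v1", "signature": b"<sig bytes>",
           "validation_data": b"<cert chain + revocation status at signing>",
           "timestamps": []}
    add_archive_timestamp(rec, "sha1", datetime(2008, 1, 1), datetime(2012, 1, 1))
    return rec
```

Because the record carries its own evidence, `verify_chain` needs nothing from the archive system, which is what lets a signed document be moved to another system and still be checked.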
