To optimize their processes and improve customer satisfaction, more and more enterprises offer the contracting of their services over the Internet. The drawback is an increase in the associated risks, as shown by the substantial rise in cyber-attacks (phishing, pharming, etc.). For that reason, electronic contracting platforms must guarantee the integrity of e-contracts and, above all, the identity of each party.
Public Key Infrastructure (PKI) technology offers an excellent solution to overcome such risks. By using advanced electronic signatures it is technically possible to establish, before third parties, the integrity of the e-contracts as well as the identity of the contracting parties.
This technical suitability has led the law to specifically require their use for e-contracts to be treated as equivalent to traditional paper-based contracts: Directive 97/7/CE of the European Parliament and of the Council, of May 20th, on distance contracts, or the Spanish Royal Decree 1906/1999, of December 17th, on electronic contracting. The latter states literally in its fifth article: “… advanced electronic signature shall be used to attribute the electronically recorded data the same juridical value as of the handwritten signature…”
The electronic contracting process
The economic and legal implications of a contract breach require the use of technologies that can ascertain the authenticity of the contract's contents throughout its validity period.
The diagram above shows the steps of this process:
- Once the clauses of the contract have been formulated, the contracting parties must commit to them.
- To make an electronic contract effective, it must first be electronically signed by the agreeing parties. “Parallel signatures” can be used since the signing order is not relevant.
- To prove irrefutably that the contract was signed prior to a given date, a trusted third party must add a time stamp (signature format XAdES-T/CAdES-T).
- The contract expiry date can be later than that of the certificates used for the electronic signatures and the time stamp. It is therefore essential to have a system with which, in case of conflict, any of the contracting parties can demonstrate the validity of the signed agreement. That implies “long-term signature validation” (signature format CAdES-A/XAdES-A).
Electronic contracting lacks a standard electronic format, though there are standardization initiatives such as the OASIS LegalXML eContracts Technical Committee. E-contracts are therefore distributed in XML or PDF formats.
TrustedX simplifies the creation of e-contracting management processes. As shown in the illustration above, an e-contracting platform uses a set of Web Services to sign and validate electronic documents in any of the commonly used formats (PKCS#7, CMS/CAdES, S/MIME or XMLDsig/XAdES) and, at the same time, to keep them in custody for the e-contract validity period.
To accomplish these tasks, TrustedX uses the services of certification, validation and time-stamping authorities. Electronic documents under custody are stored in a document management system, and their electronic evidence is refreshed before the certificates used to sign them, and then to time-stamp them, expire.
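The refresh rule described above, as an added example that is not TrustedX code: each evidence layer (parallel signatures, time stamp, later archive time stamps) must be applied while the certificates of the layer beneath it are still valid, and the outermost layer sets the deadline for the next refresh. The layer model, the 90-day margin and all names and dates are assumptions constructed for illustration; only certificate expiry is modelled, not revocation or algorithm ageing.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Evidence:
    label: str
    applied: date        # when this signature or time stamp was created
    cert_expires: date   # notAfter of the certificate that produced it

def protected_until(layer):
    """A layer stops being verifiable when its earliest certificate expires."""
    return min(e.cert_expires for e in layer)

def first_gap(layers):
    """Index of the first layer applied too late to protect the one beneath it,
    or None if every layer was added while the previous one was still valid."""
    for i in range(1, len(layers)):
        limit = protected_until(layers[i - 1])
        if any(e.applied > limit for e in layers[i]):
            return i
    return None

def refresh_deadline(layers, contract_end, margin=timedelta(days=90)):
    """Date by which a new archive time stamp must be added, or None if the
    outermost layer already outlives the contract. The margin is an assumption."""
    outer = protected_until(layers[-1])
    if outer >= contract_end:
        return None
    return outer - margin

# Constructed sample: two parallel signatures, then one time stamp.
CONTRACT_END = date(2035, 1, 1)
LAYERS = [
    [Evidence("signature: party A", date(2024, 3, 1), date(2026, 3, 1)),
     Evidence("signature: party B", date(2024, 3, 2), date(2025, 9, 1))],
    [Evidence("time stamp", date(2024, 3, 2), date(2029, 6, 1))],
]
# An archive time stamp added one month after the time-stamp certificate
# expired: the chain of evidence is broken at this layer.
LATE_ARCHIVE = [Evidence("archive time stamp", date(2029, 7, 1), date(2036, 1, 1))]

if __name__ == "__main__":
    print("gap in chain:", first_gap(LAYERS))
    print("refresh by:", refresh_deadline(LAYERS, CONTRACT_END))
    print("gap with late archive stamp:", first_gap(LAYERS + [LATE_ARCHIVE]))
```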