In order to have a deep understanding of the issue, we would like to describe the process in which the validity of the signature can be verified, and its limitations. By default, the customer signs the document with a qualified e-signature based on a valid qualified certificate. This signing certificate is included in the LDAP registry of issued certificates. Simultaneously with signing the document Evrotrust generates a qualified timestamp and attaches it to the e-signed document. The timestamp is signed by Evrotrust CA with its certificate issued for the specific purpose of signing timestamps.
Accordingly, at this point the document has the following "attachments":
1. the e-signature created;
2. the client's qualified signing certificate;
3. Evrotrust’s qualified timestamp
4. Evrotrust's qualified signatory certificate with which the time stamp was signed.
When this “full package” is available, a secure document viewer application (such as Adobe or others) can automatically verify the validity of the certificates and then use the public key to automatically verify the signature on the document.
If the validity of the certificate with which the timestamp was signed by Evrotrust CA expires, the “full package” will not be available for automatic verification any more (by using a secure document viewer application). In this case, it is necessary to verify the authenticity of the e-signature “manually”.
By manual review we mean reviewing the following in the publicly available registers of the EU and Evrotrust, as a qualified trust service provider registered in the EU:
- It needs to be checked whether the timestamp issuing authority (Evrotrust) was on the EU trust list at the time the timestamp was created;
- It needs to be verified that the certificate used to sign the timestamp was valid at the time indicated in the timestamp token (which can be considered authentic);
- It should be checked whether the authority issuing the qualified certificate for the customer's e-signature (Evrotrust) was on the EU trust list at the time the timestamp was created;
- It should be checked whether the qualified certificate for the client's e-signature has been entered in the public register of the issuing authority (Evrotrust);
- It needs to be verified that the qualified certificate for the customer's e-signature was not included in the CRL at the time of signing.
If the private key was compromised and Evrotrust has not been notified of it, the certificate will not be included in the CRL. Without being notified, there is no way for Evrotrust to revoke the certificate. Evrotrust revokes a certificate when it becomes aware of any event leading to the private key having been compromised.
Evrotrust ensures the storage of signed documents in its systems for 10 years for the convenience of users. This is not a Qualified Preservation Service.
Storage security can be enhanced by using a Qualified Preservation Service. Evrotrust will soon make its Qualified Preservation Service available to its users (within 3 months at the latest). The trust service provider has recently prepared a conformity assessment report for its service and is currently awaiting the inspection report arriving before the service can be included in the EU trust list.