How to prove the validity of the electronic signature?

The electronic signature is most often approached through the prism of the “signing journey” and the “signature levels” (simple, advanced, qualified), but the question of the validity of the electronic signature is only very rarely addressed. And yet it is a major subject. How can one know whether the signature on a contract is legally enforceable, for example?

Recall that an electronic signature is a process that uses a certificate issued in the name of the signatory to produce an imprint of the data (the hash) at the time of signing and to bind this imprint to the document. It is a bit like taking a picture of the content so that one can check, a posteriori, that it has not been modified. But how is this check performed? And which elements are checked?

The technical validity in question

The validity of a signature must be approached from two angles: technical validity and business validity. Both must pass in order to attest to the level of validity of the signature.

The technical validity of the signature

With regard to technical validity, an electronic signature must, above all, rely on a valid certificate: one that complies with the technical standards, has not been revoked, and so on. Certificates are issued by electronic certification service providers and are backed by two frameworks: the RGS (Référentiel Général de Sécurité, the General Security Reference Framework) for France and the eIDAS regulation (electronic IDentification, Authentication and trust Services) for Europe. The “signing” application, i.e. the interface through which the signatory consults and signs the document, must therefore check the usability of the signing certificate.

Identity, ETSI standards and incremental profiles

It is then necessary to check that the identity of the signatory is indeed the one expected. This seems obvious, but it is not always the case. The signature must also comply with the ETSI standards (XAdES, PAdES or CAdES, depending on whether the file is XML, PDF or another format) or, for an advanced signature within the meaning of the eIDAS regulation, with Commission Implementing Decision (EU) 2015/1506 of 8 September 2015. Then, to make it possible to establish that the certificate was valid at the time of signing even after its validity period has ended (a certificate generally has a lifespan of 2 to 3 years), the electronic signature can embed additional information, such as timestamp tokens, which facilitates verification. This is what is called incremental profiles.

Verification: two scenarios

It then remains to verify the technical validity of the signature itself. When the document is a PDF generated with Adobe software, the signature is generally embedded in the document, so it suffices to look at the signature panel in Adobe's software. If a green check mark appears, everything is fine. If, on the other hand, the mark is orange or red, Adobe has detected an anomaly (which may be nothing more than Adobe not recognising the certificate, for example). For other document formats the signature is detached from the data (the data on one side, the hash on the other), so an application is needed that compares the two and provides information on the certificate used (its attributes, the service provider, etc.), information that should of course be checked.
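The two technical checks described above, recomputing the imprint of detached data and establishing that the certificate was usable at the proven signing time rather than merely today, as an added example written for this article (not the author's or Adobe's code). It uses only the Python standard library; the certificate dates, signing time, verification time and document bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Certificate:  # the certificate fields relevant to this check (constructed, not parsed)
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # from CRL/OCSP evidence kept with the signature

@dataclass
class DetachedSignature:
    digest_alg: str
    digest_hex: str                # the imprint (hash) of the data computed when signing
    cert: Certificate
    timestamp: Optional[datetime]  # trusted timestamp token, None for a bare signature

def verify(sig: DetachedSignature, data: bytes, now: datetime) -> str:
    """The data must match its imprint, and the certificate must have been valid and
    unrevoked at the reference instant: the proven signing time when a timestamp token
    is present, otherwise only the present moment can be trusted."""
    if hashlib.new(sig.digest_alg, data).hexdigest() != sig.digest_hex:
        return "data-modified"
    reference = sig.timestamp or now
    if not (sig.cert.not_before <= reference <= sig.cert.not_after):
        return "certificate-not-valid-at-" + ("signing-time" if sig.timestamp else "present")
    if sig.cert.revoked_at is not None and sig.cert.revoked_at <= reference:
        return "certificate-revoked"
    return "valid-at-signing-time" if sig.timestamp else "valid-now-but-signing-time-unproven"

# Constructed scenario: a 2-year certificate, a document signed in its second year,
# and a verification performed after the certificate has expired.
UTC = timezone.utc
SAMPLE_DATA = b"Lease agreement, version 3 (constructed sample content)"
CERT = Certificate(datetime(2021, 3, 1, tzinfo=UTC), datetime(2023, 3, 1, tzinfo=UTC))
SIGNED_AT = datetime(2022, 6, 15, tzinfo=UTC)
CHECKED_AT = datetime(2024, 1, 10, tzinfo=UTC)
DIGEST = hashlib.sha256(SAMPLE_DATA).hexdigest()
SIG_WITH_TIMESTAMP = DetachedSignature("sha256", DIGEST, CERT, SIGNED_AT)
SIG_WITHOUT_TIMESTAMP = DetachedSignature("sha256", DIGEST, CERT, None)

def demo() -> dict:
    """Statuses for the three cases a verifier typically meets."""
    return {
        "timestamped": verify(SIG_WITH_TIMESTAMP, SAMPLE_DATA, CHECKED_AT),
        "bare": verify(SIG_WITHOUT_TIMESTAMP, SAMPLE_DATA, CHECKED_AT),
        "tampered": verify(SIG_WITH_TIMESTAMP, SAMPLE_DATA + b" altered", CHECKED_AT),
    }
```

The same certificate yields "valid-at-signing-time" for the timestamped signature and "certificate-not-valid-at-present" for the bare one, which is exactly the gap the timestamp token closes.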

The business validity of the signature

Once the “technical” validity of the signature has been confirmed comes the question of its business validity: does the level of the signature indeed correspond to the use case concerned and to the regulations in force for the type of document signed? The electronic signature of a notarial deed, for example, cannot be made with a simple signature. Legally, a handwritten signature is required, or its legal equivalent, namely a qualified electronic signature. Thus, according to the legislation and to the risk, one must ensure that the level of signature on a document corresponds to the “business” need.

The 3 pillars of trust

It is therefore necessary to return to the certificates and rely on the triptych of trust:

  • guarantee the identity of the signatory (to counter challenges such as “I did not sign this document”),
  • guarantee the data (and counter “this is not what I signed”),
  • guarantee the time of signing (and counter “I could not have signed this document at that time”) and preservation over time (keep the enforceable document and all the proofs of the signature's conformity for several years).

Depending on the level of the certificate, more or less evidence can be obtained on these elements. Was the identity verification performed to issue the certificate equivalent to a physical face-to-face meeting, or was it based solely on a photocopy of an identity document, for example? Is the security surrounding the certificate (management, hosting, revocation, etc.) weak or strong? Does the signature include a qualified (enforceable) timestamp token? Is it possible to guarantee that the signatory indeed has sole control of the certificate, or has the signing been delegated to the signature provider?

Different verification services

It is therefore necessary to be able to answer these questions and gather all the required elements. Remember that from the attributes of a certificate it is possible to trace back to the policy under which it was issued, to its level and to its intended use. But the operation is not necessarily straightforward. To remedy this, various verification services are offered, ranging from simple certification to complete validation (technical and business) of the act concerned.

To learn everything about electronic signatures, download the 2022 edition of the Archimag Supplement entirely dedicated to this theme.
