There’s been a lot of discussion about the long-term validity of electronic signatures. For example, will a document you sign today still be valid in 10 or even 50 years’ time? Here, we explore what makes an electronic signature legally binding, how long electronic signatures can be validated and how technology plays a crucial role in achieving this.
How long does your electronic signature need to be valid for?
One of the very first questions you’ll need to ask yourself, is how long do you actually need your electronic signature to be valid for? After all, it makes little sense trying to preserve its validity if it only needs to be validated for a few years.
With that in mind, it’s important to think about the type of document you’re signing as retention periods will vary accordingly. You’ll also need to be mindful of (inter)national, regional and local laws on document retention. So, whether it’s an employment contract, terms of service, bank or medical records, check what the regulatory rules are. In addition, consider any specific policies within your organisation with regards to litigation, statutes of limitation, tax or financial reporting.
What makes an electronic signature legally binding?
Electronic signatures are recognized as legally binding in most parts of the world, although different countries will work to their own specific regulations. For example, in the US, electronic signatures are governed by the ESIGN Act and UETA, while the UK works to the Electronic Communications Act 2000 and the Electronic Signatures Regulations 2002. For Europe, the legal status of electronic signatures is enshrined under eIDAS regulations.
However, while electronic signatures are considered legally binding, their validity is limited by the accompanying certificate of electronic signature. These certificates go by different names (such as signing certificate and digital certificate), but they are all issued by a Certificate Authority (CA) which acts as a gatekeeper – guaranteeing authenticity and integrity. In other words, a certificate issued by a trusted CA means the person signing the document is who they say they are.
What happens if the certificate expires or the CA ceases to exist?
Digital certificates issued by a CA are only valid for a certain amount of time, usually between one and three years. What happens then, if you need to keep a document valid for five years and the certificate expires part way through this time? Similarly, what happens if the issuing Certificate Authority suddenly becomes inactive?
To make sure your electronic signature remains valid regardless of when certificates expires or CAs decides to cease their services, it will need two components embedded within it. These are, an official timestamp issued by a trusted timestamp authority, and the original signing certificate verification – here’s why they’re important.
Time stamping your electronic signature
Long term electronic signatures include a timestamp which proves when the signature was created. If the timestamp shows the document was signed while the digital certificate from the CA was still valid, then so too is the electronic signature. Even if the CA is no longer operating, so long as the document was signed when it was, it remains valid.
The timestamp itself is provided and allocated by an independent trusted party called a timestamp authority (also known as a TSA). This offers further integrity to electronic signatures and ensures they cannot be easily manipulated or antedated.
Signing certificate verification
In addition to a timestamp, long-term electronic signatures also contain data that verifies the validity of the digital certificates at the time of signing. This is typically done via a CRL (certificate revocation list) or OCSP (online certificate status protocol) check. When available, OCSP is the preferred method to do the verification. The main reason for this is that this method requires less data and reduces the overall impact on storage.
Fundamentally, as long as the certificate was valid at the time of signing (and is also verified by the timestamp as such), the electronic signature will remain valid.
What document format is best for long-term electronic signature validity?
Document formats that embed data are recommended, such as PDF/A formats. Not only do PDF/A documents embed data, they provide a standardised format and fulfil ISO 19005. In addition to this, they work under an open document format which can be downloaded and accessed by numerous software.
In short, PDF/A documents are self-contained, self-documenting and are independent from any specific types of hardware and software, making them ideal for long-term accessibility.
What happens if the software gets hacked?
The benefit of electronic signature software is that it uses secure algorithms to encrypt data, which in theory make them hard to hack in the first place. However, electronic signatures are a technology-based solution which means that at some point, the software and algorithms will succumb to technological obsolescence.
To mitigate that risk, newer encryption standards should being used in order to keep the technology one step ahead. One example of this, is periodic timestamping with and up to date algorithm before they become technologically weak and vulnerable to hacking.
So, are electronic signatures legally valid forever?
Ultimately, whether your electronic signature will be valid forever will depend on how that signature is set up. To stay valid indefinitely, it will need to have been timestamped and show an active digital certificate of verification. It will also need to be protected by periodic timestamps that maintain levels of algorithmic complexity and prevent obsolescence.
At Connective, enabling long-term security is a fundamental part of what we do. Our digital signature solution means you can be confident about keeping vital documents safe, secure and valid for as long as you need.
For more information about how we can help, why not send us a message using our contact form.