2020-09-13

Indeterminate status of the electronic signature in the validation report

When can an electronic signature be considered valid and meet the requirements for a qualified status? What if we get an “indeterminate” result in the protocol and the business situation requires a quick decision? In the circulation of electronic documents, as in the case of traditional documents, an expert approach is important when assessing the risk of their acceptance.

Qualified validation service
In the previous article I pointed out the fundamental differences between validation and verification (checking) of the validity of a qualified electronic signature (QES). The validation service issues a confirmation of the result of the check. In the case of a qualified validation service, such a confirmation (certified report) constitutes evidence which is difficult to challenge also in court proceedings as it enjoys a legal presumption of its veracity under the eIDAS rules (EU Regulation 910/2014).

It is certainly worth using the qualified validation service, but is this always necessary? One of the comments on the previous article rightly points out that this depends on the assessment of the risks involved in the legal action. Risks should always be considered in the context of both the possibility of undermining the validity or status of the signature and the consequences of that fact, as well as the cost of the service itself and its availability at a time when, for example, a business decision has to be made quickly and there is no possibility of, or knowledge about, using a qualified validation service. I would like to elaborate on this topic at the end of this cycle of considerations on the various aspects of recognising qualified electronic signatures and the possible risks of accepting them. What is particularly interesting is what happens after receiving a report issued by the QVS (qualified validation service) stating the status of the signature as “indeterminate”. This is one of the three basic validation statuses defined in the ETSI TS 119 102-1 standard. The other two are TOTAL-PASSED (full compliance with QES requirements) and TOTAL-FAILED (at least one discrepancy found which precludes the signature from being considered a valid QES).

On the face of it, signature verification seems simple, because eIDAS clearly states which premises, circumstances and facts must exist for a signature to be a valid qualified electronic signature. However, the legislation does not require the creation and collection of explicit evidence of all the determinants of the validity and status of the signature, leaving some discretion and room for the presumption of certain facts. A little confusing? I hope I can explain this later.
First of all, it is worth discussing some of these determinants. eIDAS refers to them in Article 32. An electronic signature may be considered valid and eligible for qualified status if, inter alia, the following conditions are met simultaneously:

  1. The integrity of the signed data (content) is not affected;
  2. The certificate indicated in the signature at the time of placement of this signature was a valid qualified certificate;
  3. The signature was made using a qualified signature creation device (QSCD);
  4. The signature has been created as structured information using appropriate cryptographic means, methods and algorithms that guarantee the integrity of the signed content and its unambiguous binding to the indicated certificate, so that the signature can be verified and the signer identified only by means of that certificate.

A validation service operating online must be able to confirm all these requirements automatically according to an established process. When executing it, the service checks the validity and status of the certificate. It then relies on programmed “knowledge” of the possible signature structures, the attributes they contain and the cryptographic algorithms used, and analyses whether the signature is guaranteed to be unambiguously bound to the given content. In most cases the process runs smoothly and the validation service provides a report with a clear answer.

A problem with the proper course of the process occurs when it is not possible to automatically confirm or deny the conformity of the examined signature with at least one necessary requirement. There may be several reasons for this. The regulations (eIDAS and the implementing decisions) and the standards indicated therein recommend certain methods whose use meets the technical and formal requirements for a qualified signature. However, these recommendations do not constitute a closed list that would exclude other solutions for creating a qualified signature (the so-called principle of technological neutrality of law). Therefore, the result of the validation may be indeterminate. This happens when the cryptographic algorithms used are not supported by the validation service because they are not widespread, which does not necessarily mean that they are not strong enough for the signature to meet all the requirements set out in eIDAS Article 32. Other factors preventing unambiguous verification of the signature may be the lack (sometimes only temporary) of online access to the information provided by the issuer on the validity of the certificate (CRL, OCSP service) or the lack of access to the trusted list (TSL, published by the national supervisory bodies) confirming the qualified status of the entity issuing the certificate.
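To make the distinction between a definite negative finding and a check that could not be carried out concrete, here is an added, simplified model of that decision logic (my illustration, not the code of any validation service). The main indications are those of ETSI TS 119 102-1; the sub-indication strings follow its vocabulary where I am confident of it and are marked as constructed labels otherwise, and the mapping of causes to results is a deliberately reduced assumption rather than the standard's full process.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Indication(Enum):
    TOTAL_PASSED = "TOTAL-PASSED"
    TOTAL_FAILED = "TOTAL-FAILED"
    INDETERMINATE = "INDETERMINATE"

class CertStatus(Enum):
    GOOD = "good"        # CRL/OCSP answered: certificate valid at signing time
    REVOKED = "revoked"  # CRL/OCSP answered: certificate revoked
    UNKNOWN = "unknown"  # CRL/OCSP could not be reached (constructed case)

@dataclass
class SignatureChecks:
    digest_matches: bool            # integrity of the signed content (Art. 32)
    signature_value_verifies: bool  # cryptographic check of the signature value
    algorithm_supported: bool       # the validator knows the algorithm at all
    cert_status: CertStatus         # result of the CRL/OCSP lookup
    tsl_available: bool             # trusted list of the issuer was reachable
    issuer_qualified: Optional[bool]  # None when the TSL could not be consulted

def validate(c: SignatureChecks) -> Tuple[Indication, str]:
    """A finding the validator can prove negative -> TOTAL-FAILED;
    a check it could not perform -> INDETERMINATE with the reason."""
    if not c.digest_matches:
        return Indication.TOTAL_FAILED, "HASH_FAILURE"
    if c.algorithm_supported and not c.signature_value_verifies:
        return Indication.TOTAL_FAILED, "SIG_CRYPTO_FAILURE"
    if c.cert_status is CertStatus.REVOKED:
        return Indication.TOTAL_FAILED, "REVOKED"
    if c.issuer_qualified is False:
        return Indication.TOTAL_FAILED, "ISSUER_NOT_QUALIFIED"  # constructed label
    if not c.algorithm_supported:
        return Indication.INDETERMINATE, "ALGORITHM_NOT_SUPPORTED"  # constructed label
    if c.cert_status is CertStatus.UNKNOWN:
        return Indication.INDETERMINATE, "TRY_LATER"
    if not c.tsl_available or c.issuer_qualified is None:
        return Indication.INDETERMINATE, "NO_CERTIFICATE_CHAIN_FOUND"
    return Indication.TOTAL_PASSED, ""

# Reasons that usually disappear once access to CRL/OCSP or the TSL is restored.
RETRYABLE = {"TRY_LATER", "NO_CERTIFICATE_CHAIN_FOUND"}

def next_step(result: Tuple[Indication, str]) -> str:
    """What the relying party should do with the report."""
    indication, sub = result
    if indication is Indication.INDETERMINATE:
        return "retry later" if sub in RETRYABLE else "expert assessment"
    return "accept" if indication is Indication.TOTAL_PASSED else "reject"
```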

“Indeterminate” status and expert risk assessment
Where a validation service can neither confirm nor deny the validity of a qualified electronic signature, an “indeterminate” result appears in the protocol, possibly with a comment indicating the reason. Sometimes it is enough to carry out the check again once access to the necessary information has been restored. However, it does happen that an expert assessment is necessary and that, weighing the business risk, a decision must be made whether or not to accept the signed document.

In such situations, additional questions arise: can one of the parties to a legal transaction refuse to recognise a “non-standard” qualified signature? Can a court question the legal effectiveness of an agreement for which the written form (electronic form) was reserved under pain of nullity? In the latter case, if compliance with the eIDAS requirements for a qualified signature is confirmed (by a validation service or by an expert or expert witness), the court will have no grounds to deny that the required legal form has been met. The answer to the first question, however, is not so obvious. Acceptance of a document signed with such a “non-standard” signature depends on the situation and the legal circumstances or interest of the party accepting the document. Public administration, according to Article 27 of eIDAS, should recognise “qualified electronic signatures at least on format level or using methods specified in implementing acts”. This means that a public entity cannot selectively and freely choose which standards it recognises and accepts, but must accept all those resulting from the implementing acts related to eIDAS. On the other hand, it may, but does not have to, refuse to accept a document if the electronic signature was created using methods not described in the above-mentioned standards.

The use of a validation service that supports all the standards for qualified electronic signatures required by the eIDAS Regulation could solve the problem of formal assessment of documents received, often from abroad, by public bodies.

Electronic or paper document?
Very often I encounter specific situations where one of the parties to an exchange of electronic documents has doubts when assessing whether the signature meets the requirements for qualified status. Many uncertainties arise simply because there are no well-established interpretations in legal doctrine based on a body of case-law as rich as that concerning the documentation of legal transactions in paper form. However, in the case of electronic documents, as in the paper world, common sense is needed to assess the risk of their acceptance, which is de facto much lower than in the case of traditional circulation. All the legal and technical considerations, including those presented by me, because of their complicated and, for many, incomprehensible subject matter, increase the degree of distrust in electronic documents instead of encouraging their use. I assure you that if I were to describe how poorly a paper document is secured against a change in its integrity, what the possibilities are of challenging the originality of a handwritten signature or of falsifying it, and so on, you could conclude that we should not accept any documents without notarial or graphological confirmation of their authenticity. And yet we do not do that. Often, without hesitation, we consider a paper document signed by a counterparty “on the other side of the world” and sent by courier to be correct, and sometimes we take action solely on the basis of a received scan of a contract signed on paper. Risk assessment is usually based on business experience and intuition. Such experience is still lacking in the world of electronic commerce, where we do not fully know the possible threats or the ways to stop them.

I am not claiming that a qualified validation service acts as an electronic notary, but without a doubt it gives a high degree of certainty in assessing the effectiveness of a declaration of intent validated by an electronic signature. With some exceptions, it frees a participant in the electronic services market from many legal and technical dilemmas. These exceptions are the cases in which the verification status of the electronic signature in the validation report is recorded as “indeterminate”. This is what I would like to discuss in the following articles, paying particular attention to the validity of “historical” signatures, i.e. signatures that were created in the past and are verified today, after the certificate has expired or the recommendation for the cryptographic algorithms used to create the signature has been withdrawn.

Andrzej Ruciński, Advisor to the President of the Board, Asseco Data Systems