2020-08-11

Qualified validation service

Why use the Qualified Validation Service (QVS) for Qualified Electronic Signatures (QES) and Qualified Electronic Seals (QESeal)?

What is validation? How does it differ from checking or verifying the validity of an electronic signature?

Without analyzing the dictionary meaning of the term, let us explain it on the basis of the applicable regulations on legal transactions documented in electronic form.

The answer can be found in the EU Regulation 910/2014 called eIDAS, which is a legal act directly and uniformly applicable in all EU Member States. Article 3 item 41 reads:

“Validation” means the process of verifying and confirming the validity of an electronic signature or seal.

In practice, this means that when we use a validation service to check the validity of an electronic signature on a document, we receive not only information about the validity (or invalidity) of that signature, but also confirmation of that fact in the form of an electronic attestation (document) issued by the validation service.

In legal transactions, it is important to ensure that we are dealing with a valid qualified electronic signature (QES), especially if the signed document, for its validity or evidential value, must meet the requirements of the Civil Code for an electronic form equivalent to a written form. Moreover, it is not sufficient to have this certainty only when accepting a document (e.g. when concluding a remote agreement by electronic means); it is also necessary to have a guarantee that this certainty will be shared, e.g. after a few years, by the court which will decide on the right of one of the parties on the basis of a document signed electronically in the past.

We cannot have the same certainty when verification is performed with the many different programs or services available on the market for verifying electronic signatures and seals. There are two main reasons.

  • We do not have complete assurance that all the conditions for a signature to be considered a valid QES are taken into account and checked during the verification process. Software or service providers are unlikely to declare that they are financially and legally liable for damages resulting from faulty verification. And even if such a declaration were made, the lack of direct proof of the verification and of the result obtained would make it difficult to demonstrate that an erroneous result had been returned.
  • Even if the verification result presented was credible and positive, it may not be possible to confirm this result effectively in the future, or to obtain the same result if the validity of the same QES is checked again after a longer period. This is because verification can give the correct result in particular when the signatory's certificate used to check the signature is within its validity period. After this period, the signature, if it was valid, of course remains valid, but proving this clearly becomes a problem.

The validation service, on the other hand, issues a certificate on the outcome of the verification, which may provide evidence of the long-term validity of the QES. The credibility of the service itself is a condition for the recognition of this proof. Here we arrive at the answer to the title question: the certificate confirming the validity of a QES issued by a Qualified Validation Service (QVS) benefits from a legal presumption of validity (based on the eIDAS rules) and also provides credible evidence of the validity of the QES regardless of whether, for example, the signatory's certificate has lost its validity in the meantime.

The qualified status of a validation service, like that of other qualified trust services, is granted by a supervisory body by entering the service in the register of qualified trust services. In Poland, the role of the supervisory body is played by the Ministry of Digitization, which issues a decision on entry in the register after receiving evidence that the service operates in accordance with the legal, organizational and technical requirements set out in the eIDAS regulation and the decisions issued on its basis, as well as the standards and norms indicated in these decisions. The compliance of the qualified service provider with these requirements must be confirmed periodically by an independent audit body. The service provider must also carry a high level of insurance in case a mistake is made and damage is caused to the party relying on the service. The register of Polish qualified trust service providers, including the qualified validation service, is available at www.nccert.pl

It is worth stressing that the EU legislator had two intentions in introducing qualified trust services, including qualified validation, into the legal order. The first was to guarantee the security of electronic legal transactions by placing particular responsibility (including financial responsibility) on the providers of these services, so that the other participants in these transactions who use qualified services can be sure of the correctness of legal transactions without going into the complexity of the legislation and the related technical issues, in particular in the field of cryptography. The second was to make electronic legal instruments universal across the EU, so that a qualified electronic signature (like a seal) must be recognizable and accepted regardless of the country of the trust service provider whose service was used to create it.

A qualified validation service guarantees the correct assessment of the validity of qualified electronic signatures in cross-border trade and provides the means to prove that validity in the long term.

However, please note that the validity or invalidity of a qualified electronic signature is determined by a number of factors, including the means used and the manner and timing of its creation, and validation is only meant to check and confirm this validity. In practice, there are cases and situations where the validation service is not able to explicitly declare a qualified signature valid or invalid. Thus, the validation report may contain one of three results: valid qualified signature, invalid qualified signature, or indeterminate verification result. While the first two cases do not raise questions of interpretation, the indeterminate status causes a lot of misunderstanding and is worth explaining a little more in order to minimize the risk of misjudging the validity of an electronic document. Understanding why an electronic signature sometimes cannot be verified unambiguously can help, in particular, in choosing correctly configured software and the way a qualified electronic signature is applied, so that there are no problems with its recognition by the other party involved in a given legal action and, in the long run, with recognizing the validity of signatures if, for example, the legal action has already taken place.

The most controversial cases in practice concern the recognition or non-recognition of signatures based on various cryptographic algorithms (including the “famous” SHA-1) and signatures verified after the certificate expires, especially when the signature was not accompanied by a qualified time stamp.

Sometimes, when a validation service cannot automatically verify the validity of an electronic signature, the service provider may, through expert analysis, make a proper evaluation and issue an appropriate report.

The following articles will deal with various problems of interpretation in assessing the validity of QES, often very important for the parties to a given legal action.

Andrzej Ruciński, Advisor to the President of the Board, Asseco Data Systems