Validation of “old” documents

A historical document is a document signed with a certificate whose validity period has already expired.

Cencert’s GetValid service allows validation of historical documents, but its effectiveness depends heavily on access to information about revoked certificates that Certificate Issuers publish.

If a certificate issuer provides an OCSP service that returns the validity status of its issued certificates regardless of expiration (Cencert is an example of such an issuer), then validation of historical documents signed with certificates from such an issuer is as simple as validation of current documents. Otherwise, the validation service must rely on periodically published CRLs.

For signature validation based on a CRL, the list must meet two conditions:

  1. The list must be issued within the validity period of the certificate, because after the expiration of the certificate, information about the revocation of this certificate is no longer published on the CRL.
  2. The list must be newer than the date for which you have proof of the signature's existence, unless the certificate is already revoked on the older list you have, in which case that list is sufficient (revoked certificates cannot become valid again).

From these two conditions, it follows that in order to validate historical signatures, the Cencert GetValid validation service must have access to historical CRLs. Having the most recent list is insufficient, as it does not satisfy condition one.

Cencert’s GetValid validation service has a database of historical CRLs, and is constantly collecting new CRLs produced by well-known Certificate Issuers.

However, there is no guarantee that the collection held is complete and sufficiently extensive in time for each validation. If the required CRL is not available, then automatic validation of such a signature will not produce a conclusive result. This is indicated by an undefined validation status and the occurrence of one of the reasons (Validation Status Detail field) in the validation report:

  • Lack of appropriate revocation information for the certificate used for the signature
  • No corresponding revocation information for CCK certificate

For the validation of historical documents, the date of proof of the document's existence is an equally important premise. Unfortunately, even if the signatures are time-stamped, this may not be sufficient. A timestamp also has a specific validity period (in Poland, usually 8-11 years), so when an old enough document is validated, the timestamp may no longer be valid. In this case, the user must manually enter a date of existence of the signed document, one that they can defend in case of any disputes.

If the document is time-stamped, it is sufficient to enter a date that is within the validity interval of the timestamp, which may even lie beyond the expiration date of the certificate used for the signature. Such a date may be easier to prove, since for such a long-stored document, one can find various evidence of its existence in a given time interval (e.g., its presence in historical backups).

When a document is entered for validation, the Cencert GetValid qualified validation service software checks whether the signatures are time-stamped and whether the timestamps are still valid. If not, it prompts the user to enter such a date, indicating the time interval in which it should lie in order to obtain an unambiguous validation result.
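The following is an added worked example (not Cencert's code) that puts the two CRL conditions from the list above and the proof-of-existence (PoE) handling for expired timestamps into one decision procedure. The data model, the function names, the sample certificates, CRLs and dates are all constructed for illustration; the interval proposed to the user (from the timestamp time to the end of the TSA certificate's validity, or the signing certificate's own validity period when there is no timestamp) is this example's reading of the page, not a documented GetValid rule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: date
    not_after: date


@dataclass(frozen=True)
class CRL:
    this_update: date            # issue date of the list
    revoked: Dict[int, date]     # serial number -> revocation date


@dataclass(frozen=True)
class Timestamp:
    time: date                   # time asserted by the timestamp token
    tsa_cert: Certificate        # the timestamp is usable while this certificate is valid


# Reason text as it appears in the validation report described on the page
NO_REVOCATION_INFO = ("Lack of appropriate revocation information for the "
                      "certificate used for the signature")


def poe_interval(signer: Certificate, ts: Optional[Timestamp]) -> Tuple[date, date]:
    """Interval in which a user-entered PoE date must lie (assumed rule, see lead-in)."""
    if ts is None:
        return signer.not_before, signer.not_after
    return ts.time, ts.tsa_cert.not_after


def resolve_poe(signer: Certificate, ts: Optional[Timestamp], today: date,
                user_date: Optional[date] = None) -> Tuple[date, str]:
    """Return (PoE date of the signature, its source); raise if the user must supply one."""
    if ts is not None and today <= ts.tsa_cert.not_after:
        return ts.time, "timestamp"                 # timestamp still valid today
    lo, hi = poe_interval(signer, ts)
    if user_date is None:
        raise ValueError(f"no valid timestamp; enter a proof-of-existence date in [{lo}, {hi}]")
    if not lo <= user_date <= hi:
        raise ValueError(f"date {user_date} lies outside [{lo}, {hi}]")
    # A user date inside the timestamp's validity re-establishes the timestamp, so the
    # signature's PoE is the timestamp time; without a timestamp the user date is the PoE.
    return (ts.time if ts is not None else user_date), "user"


def check_revocation(signer: Certificate, poe: date,
                     crls: List[CRL]) -> Tuple[str, Optional[CRL]]:
    """Apply the two CRL conditions; return (status, CRL used)."""
    # Condition 1: only lists issued within the certificate's validity period still
    # carry its revocation entry, so later lists are useless for this certificate.
    usable = sorted((c for c in crls
                     if signer.not_before <= c.this_update <= signer.not_after),
                    key=lambda c: c.this_update)
    # Exception to condition 2: any usable list showing the certificate as revoked is
    # sufficient, because a revoked certificate cannot become valid again. Whether the
    # signature predates the revocation decides between "revoked" and "good".
    for c in usable:
        if signer.serial in c.revoked:
            return ("revoked" if c.revoked[signer.serial] <= poe else "good"), c
    # Condition 2: otherwise the list must be newer than the proof-of-existence date.
    for c in usable:
        if c.this_update > poe:
            return "good", c
    return "indeterminate", None


def validate(signer: Certificate, crls: List[CRL], ts: Optional[Timestamp], today: date,
             user_date: Optional[date] = None) -> Tuple[str, str]:
    """Overall result: (validation status, detail text)."""
    try:
        poe, _source = resolve_poe(signer, ts, today, user_date)
    except ValueError as err:
        return "indeterminate", str(err)
    status, crl = check_revocation(signer, poe, crls)
    if crl is None:
        return "indeterminate", NO_REVOCATION_INFO
    return status, f"CRL of {crl.this_update}, proof of existence {poe}"


# Constructed sample data: a signing certificate expired in 2014, a timestamp whose
# TSA certificate expired in 2022, and three CRLs from the issuer's archive.
SIGNER = Certificate(serial=0x1001, not_before=date(2012, 1, 1), not_after=date(2014, 1, 1))
TSA = Certificate(serial=0x2001, not_before=date(2013, 1, 1), not_after=date(2022, 1, 1))
TS = Timestamp(time=date(2013, 6, 1), tsa_cert=TSA)
CRLS = [CRL(date(2013, 3, 1), {}), CRL(date(2013, 9, 1), {}), CRL(date(2014, 6, 1), {})]
TODAY = date(2025, 3, 1)

if __name__ == "__main__":
    print(validate(SIGNER, CRLS, TS, TODAY))                       # asks for a PoE date
    print(validate(SIGNER, CRLS, TS, TODAY, date(2020, 1, 1)))     # good, CRL of 2013-09-01
    print(validate(SIGNER, CRLS[:1], TS, TODAY, date(2020, 1, 1))) # no CRL newer than PoE
```

Note that the 2014-06-01 list is discarded by condition 1 even though it is the newest: after the certificate expired, its revocation entry would no longer appear there, so holding only the latest CRL gives an indeterminate result exactly as the page describes.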

Updated on October 30, 2024