Combating electronic signature forgery with QTSP
How do you ensure documents are genuine when there is no notary in the digital world? There is a way to combat digital signature forgery: timestamps. But should you choose a trust service provider, or a QTSP to issue them?
Knowing what the time is now, is simple. Trusting a time in the past however is difficult. Time stamping an electronic document by a qualified third party gives you the confidence in trusting the time a document was signed, which is critical need for many legally binding documents.
# Accuracy of time - different solutions for different times
What time is it? This is an easy question with an easy answer which people have been asking for centuries. The first sun dials date back to 1500 BE. And it answers the question with pretty good accuracy, at least down to a fraction of an hour.
The first wall clocks came around 1300, and showed the time down to the minute. I still have this old wall clock from my childhood, with its soothing ticks and tocks, which used to hang in my grandfather’s cabin.
However, these old clocks were not completely accurate, and needed constant adjustment to be correct. The clocks were not synchronized between different locations, and this synchronization was not really needed until demanded by national train schedules. The first railway time was introduced in 1840, and the time was then synchronized (over the telegraph) with the Greenwich Royal Observatory, and we are still using the abbreviation GMT (Greenwich Mean Time).
# Accuracy isn't automatic
Up until 2010 the Norwegian broadcasting corporation (NRK), sent the time signal on radio to its listeners for the purpose of setting your clock. This was a series of beeps with a one-second delay, and then a break for 5 seconds before the full hour – it sounded like this.
With this, you could set your clock within about a second of accuracy, which is good enough for most purposes.
If you happen to have an old long-wave radio around, you can pick up the time signal from the DFC77 in Germany (a radio station). Today, this signal also includes encoding of date and other information.
Today we do not think about this as most clocks are adjusted automatically, typically from an Network Time Protocol (NTP) server. Your computer, phone and tablet will by default all synchronize time automatically and by geographic location, so they are correct down to fractions of a second.
The Time-Based One-Time-Password (TOTP) which is used for two-factor authentication, which (typically) changes the code every 30 seconds, depends on that the clock from your local device and the server being synchronized.
# Electronic signature forgery is easier than you think
If I receive a piece of paper with a date written or printed on it, or I receive a PDF where the date is part of the text, how can I trust that this date is correct? In the above cases I cannot. The author of the document could have added any date in the document. Even an electronically signed document, if the signature is added on a user’s PC it cannot be trusted, as it is easy to tamper with the clock on the PC before adding the signature.
As described above, electronic signature forgery is actually quite easy. Too easy even. There is therefore a need for a trusted party, which can confirm the correct time of documents.
# Qualified trust service provider is like a notary in the digital world
You can bring a physical document to a notary service. You will identify yourself, and the notary service will stamp and sign the document, confirming that you are who you say you are. They will possibly also add other security measures, like a seal. An important part of this notarization is that the notary, when signing, also adds the date. Oddly enough, you will rarely find mention of this when looking what the notary service provides. Nevertheless, this is an important part of their service.
# What is the difference between trust service provider and QTSP?
One of the trust services defined in eIDAS is Time Stamping Authority (TSA). By using a TSA, or even better a QTSA (a Qualified TSA), a trusted time stamp is added to the document. A QTSA can only be operated by a Qualified Trust Service Provider (QTSP).
The QTSP isn't a title not just any organization can carry: it is subject to strict control and is being regularly audited by an externally accredited organization, to ensure that all procedures are followed in adding the time stamp. And the time must be fetched from a trusted time source, which makes tampering with the time close to impossible. The QTSP will also be liable in case of wrong time stamps.
How does the QTSA ensure that it has the correct time?
A QTSA must always have the correct time, and several mechanisms can be used to achieve this. For one, a trusted NTP server is required, providing the UTC(k) time. Signicat uses the NTP server from the Norwegian Metrology Service. In addition to the automatic update of the clock by the operating system, there is a separate process, which also gets the time from the UTC(k) source and compares the two. And on top of this, there is an external server, which monitors that the time on the QTSA server increased by one second every second. If any of these mechanisms indicates a problem, the service is halted, and an alarm goes off.
When adding an electronic signature, the trust service provider validates the identity of the signer, while adding a time stamp, the trust service provider validates the time. From a technical perspective, these are not very different, and both are tamper evident. This means that if any changes are done to the signed or time-stamped data, this will be flagged when validating.
To ensure that it is possible to validate the time also in the future, long term validation (LTV) data is added, and the signed or time-stamped data needs to be preserved periodically. Doing this, it will always be possible to validate the identity or the time.
When receiving a document containing a time stamp added by a QTSP, you can have very high confidence that the time is correct, and that the data has not been changed since the time stamp was added.
It is also important to recognize that time stamping is mostly about trust, responsibility, and liability, and less about technology. Different technologies may be used to add a time stamp, (including PKI and blockchain) but regardless of which technology is used, a trust service provider is needed.
# When does digital signature with timestamp matter?
Why is it important to know when a document was signed? In some cases, this may not be important, while in others it is essential.
- Consider a will. The author of the will may change their mind and create a new one. And this may happen several times. When the author is deceased, it is important to know which will is the latest one, and some beneficiaries may have strong reasons to challenge this.
- Ownership of a deed can be transferred between people, and in this case, it is important to know who the rightful owner of the deed is. There may also be cases where the ownership at a given point in time was, in case of an incident.
- In the case of intellectual property, it may be important to be able to prove that I was in possession of certain information at a given point in time. I may need to prove that I had an idea before it was stolen by somebody else, claiming it was their idea.
- A contract may specify certain conditions happening relative to the time of signing, i.e. that the contract is only valid a year from the time of signing.
- A contract may also have dependencies to price volatile parameters, for example supply of petroleum, securities, interests etc., in which case the time is important to determine the correct dependency.
- Betting and auctions are other examples where time is important, for example knowing that a bet was received *before* a race ended, as well as knowing when bids in an auction was received.