Qualified Trust Service Provider – So what?

Signicat has recently (2018-11) been approved as a QTSP – Qualified Trust Service Provider, and the qualified service is the QTSA – Qualified Time Stamp Authority.

So what is the big deal, and who needs time stamps anyway?
A trusted time stamp is needed to ensure that the signature can be validated after the certificate expires. To check the validity of a signed or sealed document, you must be able to trust the time when the document was signed or sealed, as all validity checks on certificates are based on the time. The time stamp must be added in a way which makes it extremely hard to forge.

So what does the QTSA do?
It is obvious that if this time is taken from a local clock on your machine, it cannot be trusted, as it is very simple to set a different time. What if the service provider supplies the time instead? That would be OK, right? It really depends on the service. Can you be confident that the clocks on the servers are running correctly? And that it is not possible for somebody working there to tamper with the time, to make a forgery? And if you check the document in a few years, are you confident that you can still trust the time it was signed?

How do you synchronize the clock?
You cannot just pick up the time from any NTP (Network Time Protocol) server, which gives no guarantee and accepts no liability for the time it returns. This means that the clock must be synchronized with an authorized time source. Signicat’s QTSA service uses the Norwegian Metrology Service (https://www.justervesenet.no/en/), which provides a legally certified time. In addition, a separate server continuously monitors the derived time from the main server, and if any deviation is found, an alarm is set off, and the service is stopped.

Having a trusted time on the signed and sealed documents is one important aspect of long-term validation (LTV). If you have requirements to validate the document in the future, after the signing certificate has expired, or even long into the future (for example for contracts regarding properties which can be for 50 years or more), there must be some way of validating that the process of signing followed certain standards. One way of doing this is to use LTV information, which has the advantage that everything is embedded in the document. The LTV information contains all the certificates in the certificate path, all the certificate statuses, and the very important trusted time stamp. Every 3 to 5 years, the document is re-validated using this information, and a new time stamp is added. Without the trusted time stamps, you will not be able to have confidence in *when* the document was signed, nor when it was validated, and you may lose trust in the signed document.
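The time logic of long-term validation described above can be sketched as follows. This is an added example, not Signicat's code: it is a simplified model in which certificates are reduced to their validity window and each time stamp to a time plus a SHA-256 imprint. Verification of the signature and time stamp tokens themselves and certificate status checks are assumed to happen elsewhere, and all names and dates are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(year, month=1, day=1):
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:                      # only the validity window is modelled
    not_before: datetime
    not_after: datetime
    def valid_at(self, t):
        return self.not_before <= t <= self.not_after

@dataclass(frozen=True)
class TimeStamp:
    gen_time: datetime           # time asserted by the time stamp authority
    imprint: bytes               # SHA-256 over everything this stamp covers
    tsa_cert: Cert

def imprint_for(signature, earlier):
    h = hashlib.sha256(signature)
    for ts in earlier:           # a renewal stamp also covers the older stamps
        h.update(ts.gen_time.isoformat().encode() + ts.imprint)
    return h.digest()

def validate_ltv(signature, signing_cert, stamps, now):
    if not stamps:               # no trusted time: only "now" can be used
        return signing_cert.valid_at(now), "signing certificate judged at current time"
    for i, ts in enumerate(stamps):
        if ts.imprint != imprint_for(signature, stamps[:i]):
            return False, f"time stamp {i} does not match the data it should cover"
        # A stamp is judged at the time of the next stamp; the newest one at "now".
        judged_at = stamps[i + 1].gen_time if i + 1 < len(stamps) else now
        if not ts.tsa_cert.valid_at(judged_at):
            return False, f"time stamp {i} was not renewed while its TSA certificate was valid"
    ok = signing_cert.valid_at(stamps[0].gen_time)
    return ok, "signing certificate judged at first time stamp"

# Constructed sample data: signed in 2019, re-stamped in 2022, checked in 2025.
SIGNATURE = b"constructed signature bytes"
SIGNING_CERT = Cert(utc(2018), utc(2021))
TS1 = TimeStamp(utc(2019, 6), imprint_for(SIGNATURE, []), Cert(utc(2018), utc(2023)))
TS2 = TimeStamp(utc(2022, 6), imprint_for(SIGNATURE, [TS1]), Cert(utc(2021), utc(2027)))

if __name__ == "__main__":
    for stamps in ([], [TS1], [TS1, TS2]):
        print(len(stamps), validate_ltv(SIGNATURE, SIGNING_CERT, stamps, utc(2025)))
```

Only the document that was both time-stamped at signing and re-stamped before the first time stamp authority certificate expired still validates in 2025.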

Finally, there is the need for a QTSP – Qualified Trust Service Provider – which is the organization which binds this together. To become a QTSP, there are a lot of standards to follow, a lot of controls to implement, and any important configuration changes are done using dual-control, meaning that at least two people must be involved in the changes. The setup has dedicated hardware with strict physical and logical access control, including auditing of everything which is done. All of this would make it, if not impossible, at least extremely difficult to tamper with the system.

Each year, independent auditors scrutinize the service and the organization, delivering their report to the national notification authorities. The system is anchored in the legislation in all EU/EEA countries, and is the same as we know from the EU qualification of certificate authorities.

I have already mentioned that the service is operated under dual-control. This is just one of many controls which are required to get QTSP status. Others are procedures for reporting incidents, insurance for handling closure of the service (for any reason), and periodic internal and external audits. All this is done according to ETSI standards, which dictate how it should be done, and it is audited by an accredited external auditor (we were audited by BSI group https://www.bsigroup.com/en-GB/), and approved by the national accreditation body (in our case NKOM (https://www.nkom.no/), as we are based in Norway), which then added us to the EU trust list (https://webgate.ec.europa.eu/tl-browser/#/), where you can see all the QTSPs in Europe.

Read press release: Signicat named as Qualified Trust Service Provider

Blog post by John Erik Setsaas, VP of Identity & Innovation, Signicat
