How do you ensure documents are genuine when there is no notary in the digital world? There is a way to combat digital signature forgery: timestamps. But should you choose a trust service provider, or a QTSP to issue them?
Knowing what the time is now, is simple. Trusting a time in the past however is difficult. Time stamping an electronic document by a qualified third party gives you the confidence in trusting the time a document was signed, which is critical need for many legally binding documents.
What time is it? This is an easy question with an easy answer which people have been asking for centuries. The first sun dials date back to 1500 BE. And it answers the question with pretty good accuracy, at least down to a fraction of an hour.
The first wall clocks came around 1300, and showed the time down to the minute. I still have this old wall clock from my childhood, with its soothing ticks and tocks, which used to hang in my grandfather’s cabin.
However, these old clocks were not completely accurate, and needed constant adjustment to be correct. The clocks were not synchronized between different locations, and this synchronization was not really needed until demanded by national train schedules. The first railway time was introduced in 1840, and the time was then synchronized (over the telegraph) with the Greenwich Royal Observatory, and we are still using the abbreviation GMT (Greenwich Mean Time).
“There was even railway time observed in clocks, as if the sun itself had given in” – Charles Dickens in Dombey and Son
Up until 2010 the Norwegian broadcasting corporation (NRK), sent the time signal on radio to its listeners for the purpose of setting your clock. This was a series of beeps with a one-second delay, and then a break for 5 seconds before the full hour – it sounded like this.
With this, you could set your clock within about a second of accuracy, which is good enough for most purposes.
If you happen to have an old long-wave radio around, you can pick up the time signal from the DFC77 in Germany (a radio station). Today, this signal also includes encoding of date and other information.
Today we do not think about this as most clocks are adjusted automatically, typically from an Network Time Protocol (NTP) server. Your computer, phone and tablet will by default all synchronize time automatically and by geographic location, so they are correct down to fractions of a second.
The Time-Based One-Time-Password (TOTP) which is used for two-factor authentication, which (typically) changes the code every 30 seconds, depends on that the clock from your local device and the server being synchronized.
If I receive a piece of paper with a date written or printed on it, or I receive a PDF where the date is part of the text, how can I trust that this date is correct? In the above cases I cannot. The author of the document could have added any date in the document. Even an electronically signed document, if the signature is added on a user’s PC it cannot be trusted, as it is easy to tamper with the clock on the PC before adding the signature.
As described above, electronic signature forgery is actually quite easy. Too easy even. There is therefore a need for a trusted party, which can confirm the correct time of documents.
You can bring a physical document to a notary service. You will identify yourself, and the notary service will stamp and sign the document, confirming that you are who you say you are. They will possibly also add other security measures, like a seal. An important part of this notarization is that the notary, when signing, also adds the date. Oddly enough, you will rarely find mention of this when looking what the notary service provides. Nevertheless, this is an important part of their service.
One of the trust services defined in eIDAS is Time Stamping Authority (TSA). By using a TSA, or even better a QTSA (a Qualified TSA), a trusted time stamp is added to the document. A QTSA can only be operated by a Qualified Trust Service Provider (QTSP).
The QTSP isn't a title not just any organization can carry: it is subject to strict control and is being regularly audited by an externally accredited organization, to ensure that all procedures are followed in adding the time stamp. And the time must be fetched from a trusted time source, which makes tampering with the time close to impossible. The QTSP will also be liable in case of wrong time stamps.
How does the QTSA ensure that it has the correct time?
A QTSA must always have the correct time, and several mechanisms can be used to achieve this. For one, a trusted NTP server is required, providing the UTC(k) time. Signicat uses the NTP server from the Norwegian Metrology Service. In addition to the automatic update of the clock by the operating system, there is a separate process, which also gets the time from the UTC(k) source and compares the two. And on top of this, there is an external server, which monitors that the time on the QTSA server increased by one second every second. If any of these mechanisms indicates a problem, the service is halted, and an alarm goes off.
When adding an electronic signature, the trust service provider validates the identity of the signer, while adding a time stamp, the trust service provider validates the time. From a technical perspective, these are not very different, and both are tamper evident. This means that if any changes are done to the signed or time-stamped data, this will be flagged when validating.
To ensure that it is possible to validate the time also in the future, long term validation (LTV) data is added, and the signed or time-stamped data needs to be preserved periodically. Doing this, it will always be possible to validate the identity or the time.
“A time stamp is to time, what an electronic signature is to identity”
When receiving a document containing a time stamp added by a QTSP, you can have very high confidence that the time is correct, and that the data has not been changed since the time stamp was added.
FUN FACT: The time received from the GPS satellites is 18 seconds ahead of UTC. Now and then, UTC is adjusted with a leap second, to ensure that UTC is as close to solar time as possible, while this is not done for GPS.
It is also important to recognize that time stamping is mostly about trust, responsibility, and liability, and less about technology. Different technologies may be used to add a time stamp, (including PKI and blockchain) but regardless of which technology is used, a trust service provider is needed.
Time stamping is more about trust than about technology.
Why is it important to know when a document was signed? In some cases, this may not be important, while in others it is essential.
Learn more about Signicat's electronic signing offering, which also includes additional levels of security, such as long-term validation (LV) and preservation.
John Erik Setsaas
VP of Identity and Innovation at Signicat
August 19 2020