Time is a critical component in establishing the sequence of activities in real life. It is an equally important part of the value proposition of digital signatures, which establish the authenticity and integrity of a document or transaction. Certificates have a significantly shorter life span than records management requirements demand of a document. So how does one create long-term records of compliance for digitally signed documents? Will the digital signature become invalid when the signing certificate expires? The key to unraveling this problem is first to establish the point in time at which validation takes place.
Let us start with an example of a home loan document that I digitally signed in 2005 when the interest rates were so low. Next, let us say that the certificate I used to sign had a validity period of three years, 1 Jan 2004 to 31 Dec 2006. So, technically, any attempt to validate the signatures after 31 Dec 2006 would be somewhat troublesome. Surely it would be easy if we mimicked the paper-based workflows. The financial institution that honored my wet ink signature for the life of the document should have a similar experience with a digital signature. After all, the undeniable (non-repudiable) fact is that the signature was valid at a previous point in time, and there should be a way to present this fact. The rest of the article describes the mechanism for accomplishing this using Adobe Acrobat or Adobe Reader.
Adobe Acrobat 8.0 provides the ability to validate the signature at three relevant points in time, with the choice determined by the relying party. The default is validation at “Secure” time. Secure time is the timestamp signature time that is part of the digital signature. A signer can use a timestamp server of choice by configuring the Time Stamp Authority security setting in Adobe Acrobat. This is a user preference tucked into the security preferences section. It can also be tuned within an organization. Alternatively, if the signing certificate itself carries this information, it is used to automatically include the timestamp signature at the time of signing.
Including a timestamp signature is a good first step, but it does not give a relying party enough information to validate the signature in the future. Including the revocation information for the signer’s certificate along with the timestamp signature provides the relying party with enough information to validate the signature at a future point in time.
With these two pieces of information (secure signing time and revocation information for the signer’s cert), the relying party gets the “default” experience: the signature is always verified at the secure signing time, with immediate access to the revocation details that were evaluated at that secure time. If required, the relying party can also verify the signature at “Current” time. Current time is the time on the relying party’s computer clock when the signature is validated.
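The difference between validating at secure time and at current time can be modeled in a few lines. The sketch below is an added example, not Adobe's code or API: `SignedDoc`, `validate`, the exact 2005 signing date and the 2010 relying-party clock are all assumptions, and the certificate chain, timestamp token and revocation data are reduced to plain fields.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass
class SignedDoc:
    # Simplified model (assumption): a real signature carries an X.509 chain,
    # a timestamp token and CRL/OCSP responses instead of these plain fields.
    cert_not_before: datetime
    cert_not_after: datetime
    secure_time: Optional[datetime]  # time from the embedded timestamp signature
    has_revocation_info: bool        # signer's revocation info embedded at signing
    revoked_at: Optional[datetime]   # revocation time per that info, None if good

def validate(doc: SignedDoc, mode: str, now: datetime) -> Tuple[bool, str]:
    """Evaluate the signer's certificate at 'secure' or 'current' time."""
    if mode == "secure":
        if doc.secure_time is None:
            return False, "no timestamp signature, secure time unavailable"
        if not doc.has_revocation_info:
            return False, "no embedded revocation information"
        at = doc.secure_time
    elif mode == "current":
        at = now  # the relying party's computer clock
    else:
        raise ValueError(f"unknown mode: {mode}")
    if not (doc.cert_not_before <= at <= doc.cert_not_after):
        return False, f"certificate outside validity period on {at:%d %b %Y}"
    if doc.revoked_at is not None and doc.revoked_at <= at:
        return False, f"certificate revoked before {at:%d %b %Y}"
    return True, f"certificate valid and not revoked on {at:%d %b %Y}"

# Constructed sample: the home loan from the article. The exact signing date
# in 2005 and the relying party's clock are assumptions.
LOAN = SignedDoc(datetime(2004, 1, 1), datetime(2006, 12, 31, 23, 59, 59),
                 secure_time=datetime(2005, 6, 15), has_revocation_info=True,
                 revoked_at=None)
NOW = datetime(2010, 1, 1)

if __name__ == "__main__":
    for mode in ("secure", "current"):
        print(mode, validate(LOAN, mode, NOW))
```

Only the two validation times named above are modeled, and in current-time mode a real relying party would consult live revocation data rather than the embedded copy.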