Language switcher

You are here

University of Tartu research: Europe needs to specify how digital signatures are given

Researchers at the University of Tartu – Tõnu Mets, guest lecturer of IT law at the School of Law and sworn advocate, and Arnis Paršovs, head of the information security working group at the Institute of Computer Science – published the article ‘Time of signing in the Estonian digital signature scheme’.

The article estimates that the signing time given to the signed file may not reflect the actual signing time, as it can be maliciously modified. Margus Arm, Head of the Electronic Identity Department of the Information System Authority, is thankful that this issue is being addressed. ‘We became thoroughly acquainted with the research article analysing digital signing regulations in Estonia and Europe. The paper points out that the timing of digital signatures in Europe is not clearly defined, can be interpreted in many ways, and can give rise to legal disputes. We agree that the definition of the time of the signature should be more accurately defined across Europe,’ Arm said.

‘A digital signature is valid even if its date is changed. The most important thing about a signature is the person’s declaration of intention, and the article does not call that into question. It is also not a weakness or problem of the ID-card. The contents of the signed document cannot be changed in any way,’ Margus Arm emphasised. Digital signatures in Estonia comply with international requirements and are recognised throughout the European Union.

Asking for a new time stamp is similar to making a physical copy of a document, with the only difference being the more recent signing date. ‘By comparing the two documents, you can find out which document is the original. As said, copying does not call the contents of the original into question,’ Arm said. He added that changing the time of the signing is not in itself an offence – for that, there would have to be a consequence.

He added that a digital signature is valid even if the time stamp has been changed. ‘Changing the time of signing a document does not seem to be of practical value, as the time is changed on a document that is already digitally signed. By comparing the original signed document with a document with a new time stamp, it is possible to identify which document is the original document. It is also not possible to mark a date from the past or the future as the date of the signing.’

However, Arm was of the opinion that changing the date of the signed document for later is not an acceptable activity. ‘Concerning the definition of the time of signing, there are disputes in various international working groups with the participation of Estonian representatives. Research will certainly help us defend our positions in these working groups,’ Arm noted.

It is not agreed in the European Union whether the time of the signing is the time of entering the PIN, the time of checking the validity of the certificate, the time confirmed by the time stamp, or when the whole container, i.e. the new document with the signature, is completed. ‘This can be compared to signing a paper: whether the time of the signing is the moment the pen is grabbed, the pen cap is removed, the pen touches the paper, or the person signs and adds the date. In Estonia, in practice, the time of the digital signature is the moment when all three components (time stamp, certificate validity check time, and PIN) are in place. The research draws attention to the fact that changes are needed in the regulations of the European Union, but this does not affect the digital signatures given in Estonia,’ Margus Arm concluded.

A comprehensive discussion of the topic can be found on the ERR’s science portal Novaator.

Seiko Kuik
Press Officer of the Information System Authority
+372 5851 7028
seiko.kuik@ria.ee

More news on the same subject

18.09.2019

Director General of RIA: the courage to experiment and make mistakes ensures a brighter future for the e-state

17.08.2019 – Experts from more than 30 countries will meet at the conference about the future of electronic identity starting today to seek and present new challenges of the digital society.

04.07.2019

Estonia is participating in the large-scale cyber exercise Blue OLEx in Paris

3.07.2019 – Today, on 3 July, a high-level exercise is taking place in Paris, led by the National Cybersecurity Agency of France (ANSSI), in which representatives of Estonia and other Member States of the European Union must resolve a developing cyber crisis.