Frequently asked questions about validation of e-signatures and e-seals
Here’s everything you need to know about the validation of e-signatures and e-seals: what it is, when it’s needed, how it works in the Dokobit portal, and so much more.
1. What is a validation?
According to the eIDAS regulation, validation is a supplementary service for electronic signatures and seals. It shows whether a signature or seal was valid from the time of its creation up until the moment of validation. Validation is needed to evaluate the integrity of e-signed or e-sealed documents, as well as to check the validity of e-signatures and e-seals.
2. Why can a signature or seal be invalid?
Electronic signatures and seals can be invalid, or lose their validity over time, for a number of reasons, e.g., the qualified certificate had been revoked or had expired at the time of signing or sealing; the signature or seal has been issued with a non-qualified certificate; a non-qualified timestamp was added; inappropriate or weak cryptography was used; the document has been changed after it was signed or sealed; the signature or seal has not been prepared for long-term validity and the qualified certificate had been revoked, etc.
3. In what cases do I need to validate e-signatures and e-seals on my documents?
Documents that you receive from other parties already e-signed or e-sealed need to be validated to make sure the signatures or seals in them are valid. Validation ensures the integrity of e-signed or e-sealed documents, as well as the validity of e-signatures and e-seals.
4. What is the difference between a qualified and non-qualified validation service?
A qualified validation service meets the requirements of the eIDAS regulation. The authorities ensure this: qualified trust service providers are regularly audited by accredited auditors and are listed in the European Commission’s Trusted Service List. A qualified validation service provider is bound to ensure that cryptographic signature or seal validations are successful, that there are no limits applied to signatures and seals, as well as the signer’s authentication, and that validation is carried out based on the eIDAS regulation and ETSI standards.
Meanwhile, a non-qualified validation service provider has not undergone the official process needed to ensure compliance with eIDAS requirements, meaning that the validations are carried out without any validation policy, and no liability is applied to the results provided.
In other words, a validation report provided by a qualified service provider can be submitted as evidence in court as it has legal power, whereas the results of a non-qualified service should not be blindly trusted.
5. What makes validation service a qualified service?
A qualified validation service provider undergoes the official process needed to comply with the eIDAS regulation requirements, including being audited by accredited auditors. Once the auditors confirm that the provider meets all the requirements, the provider is recognised as a certified service provider and is listed in the European Commission’s Trusted Service List for Qualified validation service for qualified electronic signature and Qualified validation service for qualified electronic seals.
6. Why should I use a qualified validation service?
In short, validation of e-signatures and e-seals is a regulated area, which binds eIDAS-certified qualified trust service providers to hold actual responsibility for the results provided in the validation report. Therefore, choosing a qualified service provider offers you more assurance and certainty that the signatures and seals are validated correctly, and that the results stated by the service provider are legitimate.
In more detail, a qualified validation service provider is bound to be able to validate the certificates issued by all the qualified service providers for the certificates of qualified e-signatures, e-seals and timestamps operating in the EU and listed in the European Commission’s Trusted Service List (currently, over 450 qualified service providers in total). Meanwhile, a non-qualified validation service provider is not bound to do that and may therefore validate signatures and seals incorrectly, without necessarily informing the users.
7. What can happen if I use a non-qualified service for validating e-signatures and e-seals on my signed documents?
When using a non-qualified validation service you may not be 100% sure that signatures and seals on signed documents are valid, as a non-qualified validation service provider is not bound to take any responsibility for the results provided when validating your documents.
Unlike a qualified validation service provider, a non-qualified one has no obligation to ensure compliance with eIDAS requirements and to validate all the qualified providers of electronic signatures, seals, and timestamps operating in the EU and listed in the European Commission’s Trusted Service List (currently, over 450 qualified service providers in total). Therefore, the validations by a non-qualified service provider are carried out without any validation policy, possibly incorrectly, and no liability is applied to the results provided.
As a result, if there is a dispute in court and you provide a validation report by a non-qualified service provider as evidence to prove that the signatures or seals were valid at a certain time, it would be questioned. The final decision on the validity would be in the hands of a judge, and in case of loss, the non-qualified validation service provider would hold no responsibility for the outcome and your misfortune.
8. How do I make sure I am using a qualified service provider for validating e-signatures and e-seals?
Qualified trust service providers are listed in the European Commission’s Trusted Service List under the services of Qualified validation service for qualified electronic signature and Qualified validation service for qualified electronic seals. The list can be accessed here. Also, only Qualified Trust Service Providers are allowed to use the EU trust mark on their websites and other materials. Learn more here.
9. Why can validation results differ when validating documents in different systems?
This can happen because non-qualified validation service providers might be carrying out validations without any validation policy; they do not necessarily comply with the eIDAS regulation and are not bound to validate all the qualified providers of electronic signatures, seals, and timestamps operating in the EU and listed in the European Commission’s Trusted Service List (currently, over 450 qualified service providers in total). Only qualified validation service providers can be fully trusted to provide correct results as they are certified service providers and hold actual responsibility and liability for their services.
10. What do validation policies mean?
A validation policy allows you to choose what kind of signatures and seals should be considered valid on your signed documents, i.e., only Qualified Electronic Signatures or, in addition to them, also Advanced Electronic Signatures.
Advanced Electronic Signatures and Seals with Qualified Certificates are considered strong evidence in legal proceedings, whereas Qualified Electronic Signatures and Seals comply with the highest eIDAS regulation requirements and therefore have indisputable legal force. As a result, some institutions or businesses accept only Qualified Electronic Signatures. In such cases you will want to choose the policy of “Only Qualified Electronic Signatures and Seals”.
11. What do validation liability levels mean?
Liability level defines the assurance of responsibility taken up by Dokobit as a Qualified Validation Service Provider.
Basic liability validations are recommended for the documents that are valued at less than EUR 100, as Dokobit will be liable for up to EUR 100 per validation report. In other words, basic liability is right for you if minimum assurance is enough, usually in cases when the validity of signatures is not likely to raise disputes.
Advanced liability validations are recommended for documents that are valued at up to EUR 10 000; Dokobit will be liable for up to EUR 10 000 per validation report. Advanced liability is more suitable if you want more assurance for the validity of signatures, usually in cases when the documents are of higher value.
12. What is a validation report?
A validation report is a document showing the results of a performed validation, which can be used as evidence necessary to prove that the signatures and seals were valid from the time of their creation up until the moment of validation.
Dokobit provides two types of validation reports. The simple validation report provides the necessary information about the signer’s identity and the status indication per validated signature or seal. The detailed validation report contains detailed information on each of the validation constraints, meaning that you can see which parts – from signature, seal or timestamp certificate to cryptography, etc. – are, e.g., indeterminate.
All Dokobit validation reports are prepared in accordance with the Dokobit Signature Validation Service Practice Statement and Policy.
13. Why is qualified validation service not available for ADoc format documents?
The validation of signatures and seals on ADoc format documents is currently carried out using a non-qualified validation service, due to technical reasons and because ADoc is a local document format relevant only to users in a limited geography, i.e., Lithuanians. Do not worry: non-qualified service validation will still provide the needed information about the validity of signatures and seals; it is simply not substantiated with liability coverage. If you want your documents to be validated using a qualified validation service, please use internationally recognised document standards, PDF or ASiC-E.
14. If I sign documents using Dokobit, do I need to validate them separately?
In the Dokobit portal, you can sign documents only using Qualified Electronic Signatures and Advanced Electronic Signatures with Qualified Certificates, and all signing and sealing transactions include qualified timestamps, so there is no need to worry about the validity. All the documents signed and stored in the Dokobit portal by default show the signature or seal and certificate information – signer’s name, signing time, certificate issuer, type and validity period. Nevertheless, in case you need to prove the validity of signatures or seals outside the Dokobit portal, the validation service will come in handy, as each validation provides you with a validation report that can be used as evidence necessary to prove that the signatures and seals were valid up until the validation moment. Usually, validation is necessary when you need to validate an already signed or sealed document received from other parties.