SHARE 

The management of digital signatures: a headache for document and records management
PDF Print E-mail
Monday, 18 July 2011 11:31

The early and advanced development of digital signature certificates and certification authorities in Spain has a lot of positive for the security of digital transactions, but for document and records management and recordkeeping professionals is an ongoing headache.

Specifically, the problems when implementing recordkeeping overtime come from the interpretation of invalidity of an electronic record that has not been signed with a digital certificate. But also they part from a specific understanding of the meaning of signing a document/record. And once these premises are accepted, they imply that not only records need to be managed over time but also their signatures.

DNI This approach is reflected in our Standards for interoperability in public administration, whose drafts have been published in the Portal e-Government in both English and Spanish. On an initial design these standards have also included "other kinds of signatures" much easier as the CSV (secure code verification) of the Tax Agency (Agencia Tributaria), but added that takes on more complexity to the model.

So in this way, the recordkeeping professionals are involved in solving new problems of management and conservation of signatures. When in the paper world if someone consult a record/archive has the archivist to rush to the signatures file (which incidentally does not exist) to verify that the signature is still valid, or was in the long-lived signature file (which incidentally also does not exist)? Or, When a necessary action for the preservation of a paper record for example from the effect of a ferruginous ink (certainly in Spain it is also a well developed field), could be raised as the invalidation of the signature and consequently of the authenticity of the record?
But ... this is what we have. So some hints about the issues to be addressed:

  • The first is how to parameterize the document management application. The EDRMS (Enterprise Document and Records Management Systems) on the market have not include digital signatures management facilities. The optional MoReq2 module is not met (at least to my knowledge) by any application sold in the market. Its requirements are vague (is said in his introduction that the subject is in its infancy) and in some cases a little difficult to reconcile with others who are not optional. In MoReq2010 are not mentioned and the reference in ISO-16175 is limited to the warning of the effects of digital signatures on the records useability and the recommendation of include all digital signatures information in metadata. In practice, means opening the wallet to pay for the customization of initially very expensive applications. My advice is trying to simplify complexity and apply a single model for the variety of different digital signatures.
  • Second, acMoReqcepting the counsel of the ISO-16175, digital signature information shall be capture as metadata, raising the lack of standardization and criteria of textual information from the digital certificates. Our role is to emphasize and explain that since we got into this mess unless we should obtain quality information. Just one example, unless you sign the documents as a individual, in a signature is very important your position at the time of signing (CEO of a company or Manager of a government unit). Endeavor to collect this information as metadata is something that will ultimately be as valuable as to know if the certificate is / was in effect.
  • The third is that the digital signed documents need to seem signed for any user. The development of viewers that interpret this information is basic for the use of records overtime. What a feeling of uneasiness take place, after spending a few thousand in the implementation of electronic records and document management and signatures, when you open a signed PDF and the first you see is an interrogation with a message "The signature could not be validated"!

 

Last Updated on Monday, 18 July 2011 16:31