University of Tartu scientists found a weakness in digital signing and offered their solutions
Two University of Tartu scientists, Tõnu Mets, visiting lecturer of IT Law at the Faculty of Law, and Arnis Paršovs, Head of the Working Group on Information Security of the Institute of Computer Science, found a problem related to the giving, validation and effectiveness of digital signatures.
They found that third parties can update the time stamp of a digital signature, i.e. the exact date and time at which the validity of the certificate is verified. Thus, a document may actually have been signed considerably earlier than it officially appears. This creates a legal problem because it is not possible to determine whether the certificates of the person who signed the document were valid at the moment of signing.
Since the trustworthiness of digital signatures is critical for the digital society, it’s important to raise this issue and approach it in depth. Finding a quick solution to the time stamp error is necessary to strengthen the fundamentals of our digital society and ensure that the firm trust in the digital signature will not disappear.
Therefore, Tõnu Mets and Arnis Paršovs informed the Information System Authority and the Ministry of Economic Affairs and Communications of the problem. The scientists submitted proposals to the state for solving the problem of the time stamp and validity of the digital signature.
For example, Tõnu Mets and Arnis Paršovs find that it would be reasonable to waive the requirement to identify the time of signing and to change the lifetime of certificates so that a certificate is issued to the owner after the ID card is issued and remains valid until its expiry or cancellation. A situation where an invalid certificate becomes valid again must be ruled out, i.e. the possibility of suspending the validity of a certificate should also be abolished. First of all, it is necessary to update the DigiDoc software, which should be showing the time of signing on the time stamp but currently shows the time when the validity of the certificate was verified.
Mets and Paršovs described the results of their research in the article “Time of signing in the Estonian digital signature scheme”, which was published in the international peer-reviewed scientific journal Digital Evidence and Electronic Signature Law Review.
Head of the Institute of Computer Science Jaak Vilo said that one of the most important roles of the University of Tartu as a research institution is to support the good progress of Estonian society with its research. “This covers the task of finding complicated social problems and offering solutions for perfecting the legal area and the existing technologies,” explained Vilo. “Discovering and discussing the problem related to the digital signature is a good example of the cooperation of jurists, computer scientists and the state.”
For further information, please contact:
Jaak Vilo, Head of UT Institute of Computer Science, 737 5483, jaak.vilo [ät] ut.ee
Tõnu Mets, visiting lecturer of IT Law of the Faculty of Law at UT and lawyer, tonu.mets [ät] ut.ee
Arnis Paršovs, Head of the Working Group on Information Security of the Institute of Computer Science, arnis.parsovs [ät] ut.ee