Long-term electronic signature: How to configure it



With a basic electronic signature, the signature is automatically reported as invalid once the certificate has expired. When the reliability of electronic signatures cannot be guaranteed by technical means, the documents are validated by attaching a new signature from the hierarchical head of the entity that produces the document or from the person in charge of the public faith. This guarantees the authenticity and integrity of the validated documents, but does not certify the legal or jurisdictional validity of the acts that derive from them.

For this reason, long-lived signatures and time stamps are used. Long-lived signatures add to the signature additional information and evidence from third parties (certification authorities), together with time certifications that guarantee its long-term validity, since they "certify" what the state of the certificate was at the time of the operation, regardless of the certificate's validity period.

Given that tools for signing electronic documents, such as Adobe Acrobat, generate "BY DEFAULT" documents signed with a basic electronic signature, it is highly inadvisable to use them for signing documents whose usefulness is not short-term (notifications or official letters with the scope of an academic year). This is the FUNDAMENTAL REASON why all the documentation generated by the UV Electronic Office includes a long-term electronic signature, either with the organ's seal in the procedures or with the signature of our staff in the SIGNATURE HOLDER.

In any case, Adobe Acrobat can be configured, in a very simple way, so that electronically signed documents are generated in long-term PDF format (technically called 'PAdES-LTV'). A configuration guide prepared by the Technology and Electronic Certification Agency (ACCV) of the Generalitat Valenciana is available at:

https://links.uv.es/gestio/adobeLTV

Once configured, the only thing left to do, after signing electronically in Adobe Acrobat with the usual procedure, is to press the "Time Stamp" button to apply the time stamp (it will ask us to save the previously signed document).


If we want to lock the document after signing, we should first apply the time stamp and then the signature, ticking the check box that locks the document after signing so that it is permanently locked.

It is highly recommended that, once the documents are signed (in particular, the first ones made after changes in the configuration of the signing tool, Adobe Acrobat), you verify that the resulting signature is in LTV format. For this, the VALIDe tool of the Ministry of Finance and Public Administration (MINHAP) must be used, accessible from the address:

https://valide.redsara.es/valide

With this simple tool, you can check whether an electronically signed document includes a long-term signature, an attribute identified as "PAdES-LTV" in this web application.


The time server signs a hash of the document together with the time, so that, in addition to certifying who signed (with the signature), the result certifies when (using a TSA).
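To make the point above concrete, the following added example (not part of the original page, and not ACCV or UV code) builds the RFC 3161 time-stamp request a client sends to a TSA and reads back what the TSA actually receives: only a SHA-256 digest, never the document. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import secrets

# DER AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALGID = bytes.fromhex("300d06096086480165030402010500")

def der(tag, body):
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_uint(value):
    """Encode a non-negative INTEGER (extra leading zero byte keeps it positive)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def document_digest(document):
    return hashlib.sha256(document).digest()

def build_timestamp_request(document, nonce=None):
    """Build an RFC 3161 TimeStampReq: version 1, SHA-256 imprint, nonce, certReq."""
    imprint = der(0x30, SHA256_ALGID + der(0x04, document_digest(document)))
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the client match the reply to this request
    return der(0x30, der_uint(1) + imprint + der_uint(nonce) + der(0x01, b"\xff"))

def read_tlv(buf, pos):
    """Return (tag, value, next_position) for the element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def imprint_from_request(request):
    """Extract the hashedMessage octets a TSA would see in the request."""
    _, body, _ = read_tlv(request, 0)
    _, _, pos = read_tlv(body, 0)          # skip version
    _, imprint, _ = read_tlv(body, pos)    # MessageImprint SEQUENCE
    _, _, pos = read_tlv(imprint, 0)       # skip AlgorithmIdentifier
    _, digest, _ = read_tlv(imprint, pos)  # hashedMessage OCTET STRING
    return digest

if __name__ == "__main__":
    # Constructed sample bytes, not a real signed PDF
    sample = b"%PDF-1.7 constructed sample bytes\n" * 2000
    req = build_timestamp_request(sample)
    print(len(sample), "document bytes ->", len(req), "request bytes")
    print("imprint:", imprint_from_request(req).hex())
```

The TSA returns a signed token binding this digest to its clock time, which is why the time stamp remains verifiable evidence of "when" without the TSA ever seeing the content.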

How to do it with Linux?


The TSA (Time Stamp Authority) of the ACCV is very well explained at: https://www.accv.es/servicios/sellado-de-tiempo/

Acrobat is not supported on Linux.

There are solutions for those who use free software: https://www.freetsa.org/guide/

The latest versions of LibreOffice support signing and verifying documents with digital certificates, and can also add a TSA certificate to the signature. (NOTE: this has not been tested by SIUV.)

LibreOffice can sign and check not only PDFs generated by itself when "exporting as PDF", but also PDFs generated by other tools, although it does not add the drawing/stamp with the 'aesthetic' of Acrobat.