How can documents and their eIDAS signature be verified?
Content
Digital signatures can be validated both offline and online, with each method having its own specific advantages and disadvantages. This article highlights the characteristics and advantages and disadvantages of the two validation types and provides information on how to verify signatures in documents.
1. Types of validation
1.1. Offline validation
Tools: Use of PDF readers such as Adobe Acrobat in various versions.
Process: The signature is verified on your computer by comparing it with a trusted certificate database of the tool manufacturer.
Advantage: The document does not leave your sphere of influence, which increases data security.
Disadvantage: Not all valid certificates are listed in the tool manufacturers' databases. This can lead to an otherwise valid signature being incorrectly displayed as invalid because the certificate chain has not or not yet been published with the respective manufacturer.
1.2. Online validation
Tools: Use of online systems such as those of the European Commission or RTR in Austria.
Process: The signature is validated over the internet, which requires the transfer of the document outside of your organisation.
Advantage: Broader coverage of valid certificates and thus a higher probability of correct validation.
Disadvantage: The document must be transmitted to external providers. This requires a careful examination of the data protection and security policies of these providers.
XiTip
Please carefully consider which method is best suited for the validation of your documents, in particular with regard to the sensitivity of the content and the requirements for data protection and security.
There are several ways to verify the signatures in documents. The following articles provide an overview of the most common methods.
1.2.1. Validation options online in detail
1.2.1.1. EU/EEA Trusted List Browser of the European Union
The eIDAS Dashboard provides a listing of qualified trust service providers in accordance with the eIDAS Regulation (see figure 1).
Figure 1: eIDAS Dashboard
You can search for trust service providers as follows:
by type of trust service provider
by name of trust service provider
via a signed document
If you upload a document with signatures, the signature certificates (see figure 2) or seal certificates (see figure 3) of the trust service providers are displayed.
Figure 2: eIDAS dashboard result
Figure 3: Seal certificate eIDAS dashboard result
1.2.1.2 DSS Demonstration WebApp of the European Union
You can also validate a signature using the WebApp of the European Union (see figure 4).
XiTip
Please note the information on data protection. By using the DSS demonstration features below, your files will be transferred to the European Commission's infrastructure. By doing so, you consent to this data transfer. We strongly encourage you to use documents that do not contain sensitive material. The transferred data will not be stored.
Figure 4: DSS Demonstration WebApp - Signature Validation
If you decide to use this service, you need only three steps to success (see figure 5):
First, select the desired options.
Then upload the file.
Now confirm by clicking on the [Submit]-button.
Figure 5: Selecting signature validation options
After uploading, the results are displayed immediately (see Figure 6). You can choose between the following options with regard to the details:
Simple Report
Detailed Report Diagnostic Tree
ETSI Validation Report
XiTip
Depending on the report, these can also be downloaded and/or printed (see figure 6).
Figure 6: Example of a simple report (including download and print options)
1.2.1.3 RTR verification report (Austrian signature verification service)
The Austrian Rundfunk und Telekom Regulierungs-GmbH provides an encrypted signature verification service as a web application. This means that electronic signatures can be verified without the installation of specific software.
Select the document to be verified using the [Select file]-button (see figure 7 [1]) and click the [Verify]-button (see figure 7 [2]).
Figure 7: RTR signature verification process
You will receive a test report immediately, which you can also download as a PDF file by clicking on the [Download signed test report as PDF]-button (see figure 8 [1]).
Figure 8: RTR audit report available for download
1.3.1 Validation options offline in detail
1.3.1.1. Verification in the PDF reader
The validity of signatures can be read by almost all PDF readers (e.g. Adobe Acrobat Reader). Figure 9, for example, shows a signature that was created using the A-Trust signature type.
Figure 9: Verifying a signature using the Acrobate Reader
Clicking on the signature opens a pop-up with information about the validity of the signature. When you click the [Signature Properties...]-button (see figure 10), the detailed signature properties are displayed. Details about a certificate and its entire issuance chain can be accessed by clicking the [View signer's certificate...]-button (see figure 11). It is also possible to export the data there by clicking the [Export]-button (see figure 12).
Figure 10: Signature validation status
Figure 11: Validity summary and signing information
Figure 12: Certificate display and export
The bar shows a preview of whether the document has been signed and whether the signatures are valid (see figure 13). Clicking on Signature Panel opens the signature area, where all the signatures present are listed and can be verified. The reference to the EU Regulation means that the qualified electronic signature or the qualified electronic seal is legally binding and is equivalent to a wet ink signature.
Figure 13: Valid qualified electronic signature based on EU Regulation 910/2014