Qualified trust service provider under eIDAS

Qualified long-term electronic archiving

Long-term archiving requires a special, dedicated environment for both paper-based and electronically signed documents. A cryptographic algorithm that can be used for creating secure signatures today might become breakable in the future due to sudden advances in cryptanalysis or in computational capabilities. Thus, there is a possibility that today's secure signatures become forgeable in the future. The Hungarian law on electronic signatures defines a service for the trusted (qualified) long-term archiving of electronically signed documents. If a document with an electronic signature is archived by a qualified long-term electronic archiving service provider, it is to be presumed that the electronic signature on the document was valid at the time of creation. Qualified electronic archiving service providers are supervised by the Hungarian National Communications Authority.

Our qualified electronic archiving service works according to the principles of RFC 4810 of the Long-Term Archive and Notary Services (LTANS) working group.

When submitting a signed document into the archive, one needs to establish an SSL channel with the archive based on a client-side SSL certificate. The signed document can be sent through this SSL channel, via SMTP or HTTP.

Our archive supports signatures in the XAdES format (defined in ETSI TS 101 903). We accept signatures from XAdES-BES to XAdES-A. We have developed a so-called 'e-Dossier' format, which is an XML file containing base64-encoded documents and XAdES signatures. In an e-Dossier, multiple signatories can sign a single document, or a signatory can sign many documents at once. An e-Dossier also supports the inclusion and signing of metadata according to the Dublin Core specification. We also develop an application - e-Szignó - for creating such e-Dossiers.

When the archiving service receives an e-Dossier, it extends the signatures inside to the XAdES-A format, computes and stores a hash of the resulting e-Dossier, and encrypts the e-Dossier so that it can be decrypted either with the private key of the encryption certificate of one or more clients, or with the private key of our archiving service. Generally, we store the e-Dossiers in encrypted form, and the decryption key of the archiving service is generally not present in the system. It is rarely needed, and it can be reconstructed only through a special procedure involving multiple security officers.

The archiving service regularly places timestamps (and qualified signatures) on the list of the hashes of e-Dossiers. (Individual archive timestamps are not added to each XAdES-A signature, as that would be rather inefficient.) These hash values are computed and stored when the e-Dossier is submitted to the archive. If the applied hash algorithm becomes weak, we need to decrypt the e-Dossiers, compute their hash values using a new, secure algorithm, and use these new hashes in the future.
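The hash-list scheme described above, as an added sketch that is not the archive's own code: one imprint over the list protects every listed e-Dossier, and renewal re-checks each dossier against the old list before re-hashing. The function names, the algorithm pair (SHA-256, then SHA3-256) and the list canonicalisation are assumptions, and the timestamp is represented only by the imprint it would cover.

```python
import hashlib

def dossier_hash(data: bytes, alg: str) -> str:
    """Hash of one e-Dossier, computed when it is submitted to the archive."""
    return hashlib.new(alg, data).hexdigest()

def list_imprint(hashes: list[str], alg: str) -> str:
    """Digest over the whole hash list: the value a timestamp would cover.
    Canonical form (sorted, newline-joined hex) is an assumption."""
    return hashlib.new(alg, "\n".join(sorted(hashes)).encode()).hexdigest()

def is_covered(data: bytes, hashes: list[str], imprint: str, alg: str) -> bool:
    """True if the dossier is in the list and the list matches the
    timestamped imprint, so one timestamp protects every listed dossier."""
    return dossier_hash(data, alg) in hashes and list_imprint(hashes, alg) == imprint

def renew(dossiers, old_hashes, old_imprint, old_alg, new_alg):
    """Hash renewal: verify each decrypted dossier against the old list
    (while the old algorithm is still trusted), then re-hash with the new one."""
    for data in dossiers:
        if not is_covered(data, old_hashes, old_imprint, old_alg):
            raise ValueError("dossier does not match the old timestamped list")
    new_hashes = [dossier_hash(d, new_alg) for d in dossiers]
    return new_hashes, list_imprint(new_hashes, new_alg)

# Constructed sample data standing in for decrypted e-Dossiers.
DOSSIERS = [b"<dossier id='1'/>", b"<dossier id='2'/>", b"<dossier id='3'/>"]
OLD_ALG, NEW_ALG = "sha256", "sha3_256"  # assumed algorithm choice

if __name__ == "__main__":
    hashes = [dossier_hash(d, OLD_ALG) for d in DOSSIERS]
    imprint = list_imprint(hashes, OLD_ALG)  # value that would be timestamped
    print("covered:", is_covered(DOSSIERS[0], hashes, imprint, OLD_ALG))
    print("tampered:", is_covered(b"<dossier id='9'/>", hashes, imprint, OLD_ALG))
    new_hashes, new_imprint = renew(DOSSIERS, hashes, imprint, OLD_ALG, NEW_ALG)
    print("after renewal:", is_covered(DOSSIERS[0], new_hashes, new_imprint, NEW_ALG))
```

Renewal has to happen while the old algorithm is still trusted, because the check inside `renew` is what ties the new hash list back to the previously timestamped one.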

A client can download e-Dossiers from the archive via HTTPS. The client also needs the client-side SSL certificate for this operation. The client can search among documents based on the Dublin Core metadata associated with them. The client can download the encrypted e-Dossier only, and can decrypt it with the private key corresponding to his or her decryption certificate.