Basic information and terms

The Qualified storage module provides documents with long-term validity and long-term archiving. Its configuration controls – the Archive button on the ADMINISTRATION tab and additional options directly in the form settings – are only displayed if the module is enabled.

Long-term validability (of an electronic signature, seal or time stamp) means that at any time in the future it will be possible to verify with certainty that the document has not been changed, that the electronic signature attached to it was valid at the time of signing, and who owned the signature. If more than one electronic signature is attached to the document, each of them must be secured in this way. This status is called LTV (Long Term Validity).

For LTV purposes, FormFlow recognizes the following formats:

  • PAdES (PDF Advanced Electronic Signatures) are specific technical requirements on electronic signatures attached to PDF documents. They include the type of encryption algorithm, attributes used in hash calculation, etc.

    Signatures in PDF files are long-term preserved in compliance with the standard ETSI TS 102 778-4 V1.1.2 (2009-12), Part 4: PAdES Long Term – PAdES-LTV Profile. Information used to validate certificates (CRL, OCSP and the certificate chain) is stored in compliance with Annex A.1: Document Security Store, time stamps are attached to the PDF in compliance with Annex A.2: Document Time-stamp.
  • XAdES (XML Advanced Electronic Signatures) is a set of extensions to XML-DSig, the XML syntax for electronic signatures; it defines specific technical requirements for electronic signatures attached to XML documents (e.g. xml, isdoc, zfo, fo).

  • CAdES (Cryptographic Message Syntax Advanced Electronic Signatures) defines the requirements for an electronic signature to sign any data (for example documents in common office formats). In this format, signatures, seals and stamps are usually stored in a separate file.
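The PAdES-LTV profile described above adds two recognizable structures to a signed PDF: a Document Security Store (DSS, carrying certificates, CRLs and OCSP responses) and one or more document time stamps. The following added example (not FormFlow code, and not a validator) is a triage check a practitioner can run over an archived file to see whether those structures are present at all; the function names and the PDF fragments are constructed for the example.

```python
# Added example (not FormFlow code): triage check for the PAdES-LTV building
# blocks (DSS and document time stamp) in a PDF's raw bytes.
import re
from typing import Dict

# Dictionaries that PAdES-LTV adds to a PDF. Whitespace between a key and its
# value is optional in PDF syntax, hence \s*.
_SIG = re.compile(rb"/Type\s*/Sig\b")
_DOC_TS = re.compile(rb"/Type\s*/DocTimeStamp\b")
_DSS = re.compile(rb"/DSS\b")
# The DSS keys that hold the validation material (Annex A.1 of the profile).
_DSS_PARTS = {name: re.compile(rb"/" + name + rb"\b")
              for name in (b"Certs", b"CRLs", b"OCSPs")}


def ltv_markers(pdf_bytes: bytes) -> Dict[str, object]:
    """Count LTV-related dictionaries visible in the file.

    Limitation: this scans the clear-text byte stream only. Dictionaries stored
    inside object streams (/ObjStm) or in an encrypted file are invisible to it,
    so a negative result means "not found in clear text", not "absent"; the
    object_streams count tells you whether that caveat applies.
    """
    return {
        "signatures": len(_SIG.findall(pdf_bytes)),
        "doc_timestamps": len(_DOC_TS.findall(pdf_bytes)),
        "dss": _DSS.search(pdf_bytes) is not None,
        "dss_parts": sorted(name.decode() for name, pattern in _DSS_PARTS.items()
                            if pattern.search(pdf_bytes)),
        "object_streams": len(re.findall(rb"/Type\s*/ObjStm\b", pdf_bytes)),
    }


def looks_ltv_preserved(markers: Dict[str, object]) -> bool:
    """Heuristic: a signed document with a DSS and at least one document time stamp."""
    return (markers["signatures"] > 0 and bool(markers["dss"])
            and markers["doc_timestamps"] > 0)


# Constructed fragments, not real PDFs: only the dictionary syntax matters here.
SIGNED_ONLY = b"""%PDF-1.7
1 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached >> endobj
trailer << /Root 2 0 R >>
%%EOF"""

# The same file after an LTV update appended as an incremental update.
SIGNED_WITH_LTV = SIGNED_ONLY + b"""
3 0 obj << /Type /DSS /Certs [4 0 R] /CRLs [5 0 R] /OCSPs [6 0 R] >> endobj
7 0 obj << /Type /DocTimeStamp /Filter /Adobe.PPKLite /SubFilter /ETSI.RFC3161 >> endobj
trailer << /Root 2 0 R /Prev 123 >>
%%EOF"""

if __name__ == "__main__":
    for label, data in (("signed only", SIGNED_ONLY), ("signed + LTV", SIGNED_WITH_LTV)):
        markers = ltv_markers(data)
        print(f"{label}: {markers} -> preserved? {looks_ltv_preserved(markers)}")
```

A file that reports a DSS and a document time stamp still has to pass real validation (signature, chain and time-stamp checks); this check only tells you whether the preservation step left its expected traces, which is useful when auditing what the Qualified storage module has actually written.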

In the FormFlow context, including this manual, a document means a form attachment.

Digital continuity of an authorized document

Validity and validability of an electronic signature must not be interrupted even for the shortest time. This means that the first time stamp must be attached before the certificate used for signing expires or is invalidated, and that another time stamp must be attached before the current time stamp expires. As a result, archiving must be understood as a process: a document needs continuous care, and simply saving it is not enough.
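The continuity rule above can be checked mechanically: the first time stamp must precede the signing certificate's expiry (or revocation), and each later time stamp must precede the expiry of the one before it. The following is an added example, not FormFlow's own code; the data types, the sample dates and the 90-day scheduling lead time are assumptions chosen for the illustration.

```python
# Added example (not FormFlow code): checks the digital-continuity rule on
# constructed sample data and decides when the next time stamp is due.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TimeStamp:
    applied_at: datetime   # when the time stamp was attached to the document
    valid_until: datetime  # expiry of the time-stamp authority certificate


@dataclass(frozen=True)
class ContinuityReport:
    unbroken: bool
    reason: str
    next_deadline: Optional[datetime]  # latest moment the next time stamp must be attached


def check_continuity(signing_cert_expiry: datetime,
                     signing_cert_revoked_at: Optional[datetime],
                     timestamps: List[TimeStamp]) -> ContinuityReport:
    """Return whether the signature has been continuously covered.

    First time stamp before the signing certificate expires or is revoked,
    every later time stamp before the previous one expires.
    """
    stamps = sorted(timestamps, key=lambda t: t.applied_at)
    if not stamps:
        return ContinuityReport(False, "no time stamp attached", None)

    # The signature itself is covered only until its certificate expires or,
    # if that happened earlier, until it was revoked.
    covered_until = signing_cert_expiry
    if signing_cert_revoked_at is not None:
        covered_until = min(covered_until, signing_cert_revoked_at)

    for index, stamp in enumerate(stamps, start=1):
        if stamp.applied_at >= covered_until:
            return ContinuityReport(
                False,
                f"gap before time stamp #{index}: coverage ended "
                f"{covered_until:%Y-%m-%d}, stamp applied {stamp.applied_at:%Y-%m-%d}",
                None,
            )
        covered_until = stamp.valid_until
    return ContinuityReport(True, "chain unbroken", covered_until)


def needs_update(report: ContinuityReport, now: datetime,
                 lead_time: timedelta = timedelta(days=90)) -> bool:
    """True when a further time stamp should be scheduled now (assumed lead time)."""
    if not report.unbroken or report.next_deadline is None:
        return True
    return now + lead_time >= report.next_deadline


# Constructed sample: a certificate expiring mid-2023 and two renewals.
SIGNING_CERT_EXPIRY = datetime(2023, 6, 30)
GOOD_CHAIN = [
    TimeStamp(datetime(2023, 5, 10), datetime(2028, 5, 10)),
    TimeStamp(datetime(2028, 3, 1), datetime(2033, 3, 1)),
]
# Same first stamp, but the second one was attached after the first expired.
BROKEN_CHAIN = [
    TimeStamp(datetime(2023, 5, 10), datetime(2028, 5, 10)),
    TimeStamp(datetime(2028, 7, 1), datetime(2033, 7, 1)),
]
NOW_EARLY = datetime(2030, 1, 1)
NOW_LATE = datetime(2032, 12, 15)


def demo_reports() -> Dict[str, ContinuityReport]:
    """Run the check on the constructed samples."""
    return {
        "good": check_continuity(SIGNING_CERT_EXPIRY, None, GOOD_CHAIN),
        "broken": check_continuity(SIGNING_CERT_EXPIRY, None, BROKEN_CHAIN),
        "revoked": check_continuity(SIGNING_CERT_EXPIRY, datetime(2023, 5, 1), GOOD_CHAIN),
        "empty": check_continuity(SIGNING_CERT_EXPIRY, None, []),
    }


if __name__ == "__main__":
    for label, report in demo_reports().items():
        print(f"{label}: unbroken={report.unbroken} ({report.reason})")
        print(f"  update due at {NOW_LATE:%Y-%m-%d}? {needs_update(report, NOW_LATE)}")
```

The "revoked" sample shows why revocation must be treated like expiry: a time stamp attached after the certificate was revoked does not restore coverage, which is exactly the kind of gap the Changed after signature and Waiting for an exception statuses later surface to an administrator.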

List of Qualified storage module components

Common settings

The common settings of the Qualified storage module are available from the Archive button menu on the ADMINISTRATION tab. They are available to users with the corresponding permission.

  • Select Settings to view and set up general configuration for Qualified storage.

Individual form settings

You can also configure the document type settings individually for each form template – these settings are available in form template management.

Managed files

Files managed by the Qualified storage module are available on the Archive tab using the following buttons:

  • Qualified storage – a list of files included in long-term validity preservation.

  • Conversion to PDF/A – a list of files included in long-term archiving.

  • Statistics – statistical overview of files and their properties.

Preserved files

Qualified storage can only preserve files that meet the following conditions:

  • they are attachments of finished forms,

  • they are registered in the database,

  • the Information/Archive parameters section of the form template has a default archive folder set up,

  • attachment extraction has been started (udat).

The decision to include a specific file in preservation also depends on the following conditions:

  • a global setting to preserve the file type,

  • a setting at the form template to preserve the file type,

  • any time boundaries at the form template (the setting Enable long-term validability starting from),

  • information from the finished form (ltv_accept, read via Doc_xpath_ltv_accept) on whether to preserve the file.

There are three system operations in FormFlow related to the management of long-term preserved documents. To grant these operation permissions to users or revoke them, go to ADMINISTRATION, Operation Permissions (see the chapter Operation permissions).

  • LTD_ADMINISTRATOR – can access system settings for the Qualified storage module. The user can see all long-term preserved documents under the Documents option and can manage them, that is, decide whether they will be included in long-term signature preservation (LTV) or long-term archiving (LTA), and grant exceptions.

  • LTD_AUDITOR – can view all preserved documents under the Documents option.

  • LTD_EDITOR – can view all preserved documents under the Documents section for entities the editor is a member of. The user also manages the visible documents, that is, decides whether they will be included in long-term signature preservation (LTV) or long-term archiving (LTA), and grants exceptions.

Document LTV statuses

A document placed in long-term preservation passes through various statuses during its lifecycle. The statuses are the following:

  • Waiting for an exception – at least one of the document signatures has been found invalid. An administrator can grant an exception. Usually, only documents with all signatures valid are preserved.

  • Changed after signature – this status is applied to a document that was changed in some way after it was signed. After analysis, the document receives the state Waiting for an exception and waits for an LTV-authorized user to act. If an exception is granted, the document is signed and stamped and its status changes to Registered.

  • Prepared for update – the document is due for maintenance, that is, another time stamp is about to be added.

  • Prepared for registration – the document has at least one signature and a time stamp that is not new, and it is ready for registration in Qualified storage.

  • Registered – the document is registered in Qualified storage.

  • Prepared for unregistration – the document has been preserved for some time. Now the administrator has decided not to preserve the document anymore. The document will be unregistered from Qualified storage.

  • Unregistered – the document has completed the unregistration process.

  • Queued for processing – a new document.

  • Temporarily deferred – the operation cannot be run right now, but a new attempt is planned. This status can occur e.g. when an external service is out of order temporarily, or it is too early to attach a time stamp, because the system is waiting for a new CRL from a certification authority.

The following statuses are error statuses and require a user to step in – an administrator or an editor (LTD_ADMINISTRATOR, LTD_EDITOR). Documents with these statuses are displayed on the LTA errors screen. The following error statuses are the most common:

  • Analysis failed – an error occurred during the analysis. This may be caused e.g. by a damaged PDF document.

  • Timestamping failed – failed to attach a time stamp to the document.

  • Sealing with a time stamp failed – failed to sign the document electronically and attach a time stamp to it, for example because the Qualified storage service is not available.

  • Registration failed – an error occurred during the document registration process, and it cannot be recovered.

  • Unregistration failed – an error occurred during the document unregistration process, and it cannot be recovered.

  • Update failed – an error occurred during the document update process, and it cannot be recovered.

Alphabetical list of all statuses for preserved LTV documents

Status                                  Meaning                                                          LTV_STATE_UDAT value
accept-yes                              accepted                                                         30
accept-no                               not accepted                                                     31
analyze-prepared                        prepared for analysis                                            1
analyzed                                analyzed                                                         33
analyze-failed                          analysis failed                                                  2
analyze-failed-temp                     analysis failed temporarily                                      1002
dm-reauth-prepared                      prepared for data message reauthorization                        40
dm-reauthed                             data message reauthorized                                        41
dm-reauth-failed                        data message reauthorization failed                              42
dm-reauth-failed-temp                   data message reauthorization failed temporarily                  1042
dm-not-reauth-type                      the data message does not need to be reauthorized                43
invalid-signatures                      there are only invalid signatures                                50
ltv_accept_udat_was_set_null            the Preserve option was set to the default value from template   80
ltv_accept_udat_was_set_true            the Preserve option was set to yes                               81
ltv_accept_udat_was_set_false           the Preserve option was set to no                                82
manually-disabled                       manually disabled                                                51
manually-enabled                        enabled manually                                                 52
no-signature                            no signatures                                                    4
no-sigts                                no document time stamp                                           5
preprocessing-prepared                  prepared for preprocessing                                       70
preprocessed                            preprocessed                                                     71
preprocessing-failed                    preprocessing failed                                             72
preprocessing-failed-temp               preprocessing failed temporarily                                 1072
preprocessing_waits_for_rule_exception  preprocessing waiting for a confirmation                         73
queued-for-processing                   queued for processing                                            NULL
rule-exception-yes                      an exception has been set                                        32
rule-not-met                            waiting for an exception                                         3
register-prepared                       prepared for registration                                        7
registered                              registered                                                       8
register-failed                         registration failed                                              9
register-failed-temp                    registration failed temporarily                                  1009
sig-with-ts-prepared                    prepared for sealing with a time stamp                           10
sig-with-ts-failed                      sealing with a time stamp failed                                 11
sig-with-ts-failed-temp                 sealing with a time stamp failed temporarily                     1011
sig-with-tsed                           sealed with a time stamp                                         12
too-early                               temporarily deferred                                             6
transfer-preservation-prepared          prepared for registration transfer                               75
transfer-preservation-finished          finished registration transfer                                   76
transfer-preservation-failed            registration transfer has failed                                 77
transfer-preservation-failed-temp       registration transfer has temporarily failed                     1077
ts-prepared                             prepared for timestamping                                        13
ts-failed                               timestamping failed                                              14
ts-failed-temp                          time stamping has temporarily failed                             1011
tsed                                    timestamped                                                      15
unregister-prepared                     prepared for unregistration                                      16
unregister-failed                       unregistration failed                                            17
unregister-failed-temp                  unregistration failed temporarily                                1017
unregistered                            unregistered                                                     18
update-prepared                         prepared for update                                              19
updated                                 updated                                                          20
update-failed                           update failed                                                    21
update-failed-temp                      update failed temporarily                                        1021
unregister-prepared-rollback-register   prepared for registration repair by re-registering               60
unregister-prepared-rollback-update     preservation repair by re-registering                            61
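When monitoring the module from the database side, the practical question is which LTV_STATE_UDAT values need a person (the error statuses handled by LTD_ADMINISTRATOR or LTD_EDITOR), which FormFlow retries on its own (the "-failed-temp" statuses and Temporarily deferred), and which are simply in progress. The following added example, not FormFlow code, sorts a batch of constructed (document id, LTV_STATE_UDAT) rows into those groups using a subset of the table above; the function names and sample rows are assumptions.

```python
# Added example (not FormFlow code): triage of LTV_STATE_UDAT values from the
# status table. The dictionary is a subset of that table; sample rows are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

LTV_STATES: Dict[Optional[int], str] = {
    None: "queued-for-processing",
    1: "analyze-prepared", 2: "analyze-failed", 1002: "analyze-failed-temp",
    3: "rule-not-met", 6: "too-early",
    7: "register-prepared", 8: "registered",
    9: "register-failed", 1009: "register-failed-temp",
    10: "sig-with-ts-prepared", 11: "sig-with-ts-failed",
    1011: "sig-with-ts-failed-temp", 12: "sig-with-tsed",
    13: "ts-prepared", 14: "ts-failed", 15: "tsed",
    16: "unregister-prepared", 17: "unregister-failed",
    1017: "unregister-failed-temp", 18: "unregistered",
    19: "update-prepared", 20: "updated",
    21: "update-failed", 1021: "update-failed-temp",
}


def classify(value: Optional[int]) -> str:
    """Map one LTV_STATE_UDAT value to an operational group."""
    name = LTV_STATES.get(value)
    if name is None:
        return "unknown"                      # not in the subset above: look it up
    if name.endswith("-failed-temp") or name == "too-early":
        return "retry-scheduled"              # FormFlow plans a new attempt itself
    if name.endswith("-failed"):
        return "needs-intervention"           # shown on the LTA errors screen
    if name == "rule-not-met":
        return "needs-exception-decision"     # waiting for an exception
    if name in ("registered", "unregistered"):
        return name
    return "in-progress"


def triage(rows: Iterable[Tuple[str, Optional[int]]]) -> Dict[str, List[str]]:
    """Group document ids by the classification of their status value."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for doc_id, value in rows:
        groups[classify(value)].append(doc_id)
    return dict(groups)


# Constructed rows as they might come from a query on the document table.
SAMPLE_ROWS: List[Tuple[str, Optional[int]]] = [
    ("doc-1", 8),      # registered
    ("doc-2", 14),     # ts-failed: a person must act
    ("doc-3", 1009),   # register-failed-temp: retry planned
    ("doc-4", None),   # queued-for-processing (NULL in the database)
    ("doc-5", 3),      # rule-not-met: waiting for an exception
    ("doc-6", 999),    # not a known value
    ("doc-7", 6),      # too-early: temporarily deferred
]

if __name__ == "__main__":
    for group, ids in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{group}: {', '.join(ids)}")
```

The split matters for alerting: only the needs-intervention and needs-exception-decision groups should page anyone, while a growing retry-scheduled group over several runs points at an unavailable external service or a stale CRL rather than at a document problem.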

List of codes that express validity

Code                                            Meaning
COMMERCIAL                                      commercial
GENERAL_ERROR                                   general error
INVALID_NOT_YET_VALID                           the validity period has not started yet
INVALID_EXPIRED                                 expired
INVALID_REVOKED                                 revoked
INVALID_HASH_FAILURE                            the hash does not match
INVALID_SIG_CRYPTO_FAILURE                      signature error
INVALID_FORMAT_FAILURE                          format error
INVALID_SIG_CONSTRAINTS_FAILURE                 invalid signature use
INVALID_CHAIN_CONSTRAINTS_FAILURE               certificate chain error
INDETERMINATE_TRY_LATER                         try later
INDETERMINATE_TRY_LATER_TSL_CONNECTION_ERROR    TLS connection error, try later
INDETERMINATE_NO_POE                            validation information not available
INDETERMINATE_UNKNOWN_SIGNING_TIME              unknown signing time
INDETERMINATE_NO_SIGNER_CERTIFICATE_FOUND       no signature certificate found
INDETERMINATE_NO_CERTIFICATE_CHAIN_FOUND        no certificate chain found
INDETERMINATE_SIGNED_DATA_NOT_FOUND             signed data not found
OST                                             recognized
QUALIFIED                                       qualified
UNKNOWN                                         unknown error
VALID                                           valid