Qualified electronic signature (QES) in Switzerland, according to Swiss Signature Act ZertES:
Swisscom's CP/CPS provides that you can use the identification and the stored ID documentation for a maximum of 5 years for electronic signing, shorter if the validity period of the presented ID card/passport ends before the five years or if the identification method for the auditor does not allow five years.
The retention period by Article 11.1 ZertES (activity journal) applies: "The recognized providers shall keep the registrations relating to their activities and the supporting documents relating to them for eleven years." Swisscom also understands this period as a retention period for the documents submitted in the identification process, particularly a copy of the ID.
The 1-year reserve was added as a "safety buffer" to avoid RA agencies being able to calculate the 11 years differently. This would mean that Swisscom would no longer have documentation in specific cases, especially in applying Article 17 ZertES (Unlimited Liability).
- In summary, the archival time is 17 years, also disclosed in terms of use.
Qualified electronic signature (QES) in Europe, according to EU regulation eIDAS:
This is the same justification and derivation as in the case of QES in Switzerland, with the difference that in Austria, the legal retention period is 30 years. Article 10.1 of the SVG (Signature and Trust Services Act) provides:
Access rights and retention period
10. (1) At the request of courts or other authorities, a qualified TSP shall grant access to the documentation by Article 24(2) lit. h eIDAS-VO and its certificate database.
(2) […].
(3) The documentation is provided by the qualified TSP for 30 years, calculated from the date the qualified certificate entered at the end of the validity or, in the absence of such, 30 years from the date on which relevant information on the data issued and received by the qualified VDA in the course of its activities is incurred.
- In summary, the archival time is 36 years, also disclosed in the eIDAS terms of use.
Advanced electronic signatures (AES) in Switzerland and Europe, according to ZertES and eIDAS
Swisscom's CP/CPS provides that you can use the identification and the archived ID documentation for a maximum of 5 years, shorter if the validity period of the submitted card ends before the five years or if the identification procedure does not allow five years.
There are no legal retention periods in AES, as the retention periods are not regulated by law.
However, the ETSI standards provide for a period of 7 years. This information is derived from ETSI Directive EN 319 411-01:
6.4.6 Records archival
The following particular requirements apply:
NOTE: ETSI TS 101 533-1 [i.13] suggests provisions on how to preserve digital data objects.
a) The TSP shall retain the following for at least seven years after any certificate based on these records ceases to be valid:
i) log of all events relating to the life cycle of keys managed by the CA, including any subject key pairs
generated by the CA (see clause 6.4.5, item g));
ii) documentation as identified in clause 6.3.4.
The 1-year reserve was added as a "safety buffer" to avoid the possibility that Swisscom RA agencies could calculate the 11 years differently.
- In summary, the archival time is 13 years, also disclosed in the eIDAS terms of use.