BSI TR-03125 Preservation of Evidence of Cryptographically Signed Document

With the Technical Guideline BSI-TR 03125 "Preservation of Evidence of Cryptographically Signed Documents", BSI is providing a guide that describes how electronically signed data and documents can be stored in a trustworthy manner in the sense of legally valid preservation of evidence over long periods of time - until the end of the retention periods.

To the new version 1.2.2 of TR-03125

Description of the Technical Guideline BSI 03125 TR-ESOR (outdated Version 1.2)

The increasingly quicker “virtualisation” of business processes and documents in electronic form results in new challenges that did not exist in the “old world” of paper documents - or were at least significantly milder:

Electronic document in and of themselves can be neither perceived nor read. Furthermore, they do not in and of themselves offer any evidence for their integrity and authenticity and for protecting and keeping the legal claims of the issuer or third parties and proof of their correctness in electronic legal and business transactions. Rather, additional technical and organisational measures must be taken in order to generate and maintain these characteristics over the long term for the purposes of the long-term preservation of electronic documents.
Despite the ever-shorter information technology innovation cycles, the readability and availability of storage media and data formats must be guaranteed for the duration of the required long retention periods - without dependency on individual products and manufacturers.
Also and especially in the electronic world, the access to the data and documents must comply with the requirements for data protection and data security, even over long periods of time and when systems are changed.

Thus, both the administration and companies face the challenge of having to guarantee the readability, availability, integrity, and authenticity for increasing numbers of data and documents created, processed, and stored electronically, even in the distant future.
With the Technical Guideline BSI-TR 03125 “Preservation of Evidence of Cryptographically Signed Documents", BSI is providing a guide that describes how electronically signed data and documents can be stored in a trustworthy manner in the sense of legally valid preservation of evidence over long periods of time - until the end of the retention periods.
In doing so, TR 03125 is not intended to replace known and established requirements and definitions. Rather, the requirements for proper preservation must be complied with for electronically signed documents, too. They are a pre-requisite for TR 03125. The Reference Architecture of TR 03125 is thus not to be understood as a replacement for an archive system, but rather as a middleware that describes a possible execution of the requirements for the legally valid preservation of evidence of cryptographically signed documents during the legally required retention period.
The Technical Guideline is intended primarily for federal agencies. Furthermore, the Technical Guideline is a recommendation, because the need for the legally compliant preservation of evidence of cryptographically signed documents is increasingly gaining importance in nearly all public and private sectors. Electronic documents in the health care sector or medication approvals, electronic invoices and receipts in day-to-day business transactions, civil registers, digital technical documents for the type certificates of aeroplanes, and many other areas require adequate solutions in the scope of the advancing digitalisation of business processes. Even these few examples show the great relevance of the preservation of evidence of electronic documents.

In doing so, BSI used the following design criteria:

Consideration of the relevant national and international standards
Consistent and complete platform and manufacturer neutrality
Description of a multi-client capable reference architecture that is suitable for developing cross-application and cross-product archive infrastructure services
Orientation on execution by means of the inclusion of concrete help for developing components and interfaces (in particular in the realm of cryptographic security measures with the eCard-API-Framework)

Concretely, this Technical Guideline describes a differentiated catalogue of obligatory (shall), recommended (should), and optional (can) requirements with regard to all elements and areas in which there is a need to design in order for agencies and institutions to develop effective, sustainable, and economical technical scenarios for the storage of electronically signed documents and data with the preservation of evidence.
These are primarily

Recommended data and document formats
A recommended storage format for archival information packages
Recommendations for a reference architecture or alternative architectures
Requirements for components (upstream application systems) and modules (Cryptographic module) as well as their dependencies.

Now, providers and product manufacturers can develop solutions the comply with this Guideline on the basis of the specifications at hand.