It is well known to use public key cryptography to validate digital documents as originating from a particular user who has access to a related pair of public and private keys. The same system can be used to allow only that user to access a document encrypted with the public key. Public key cryptography is typically implemented by means of digital certificates. A digital certificate may be issued by a certification authority (CA), which checks the user's credentials, personal information or financial information (whichever information is particularly relevant) before issuing a certificate to that user. The certificate may then be provided to reliers or third parties to authenticate that the user is who they say they are. The relier takes it on trust that the CA has conducted whatever checks are necessary to issue the user with the certificate. Chains of certificates may be produced, whereby a root CA issues a certificate to a second CA to certify that the second CA is trusted by the root CA. The second CA may then issue a certificate to a third CA on the basis that the third CA is trusted by the second CA. The third CA may then issue a certificate to a user, who may use the certificate with an independent party. That party trusts the validity of the certificate on the basis that the root authority is trusted and that the relationships which the root authority maintains are also trusted.
Documents such as emails can be digitally signed by use of public key cryptography: a user encrypts a signature for an email using his private key, and a third party can authenticate that signature by decrypting it with the corresponding public key.
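The chain of certificates and the document signature described above can be walked through in code. The following is an added example, not part of the original text: it uses textbook RSA over fixed toy primes in place of a real certificate format, and all names (`issue`, `validate`, `CHAIN`, the sample document) are assumptions made for illustration.

```python
import hashlib
from math import gcd

def keypair(p, q):
    # Textbook RSA over fixed primes: toy keys for illustration, not secure.
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))   # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def tbs(cert):
    # The fields the issuer signs: who issued, to whom, and the subject's public key.
    return f"{cert['issuer']}|{cert['subject']}|{cert['pub']}".encode()

def issue(issuer, issuer_priv, subject, subject_pub):
    cert = {"issuer": issuer, "subject": subject, "pub": subject_pub}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def validate(chain, root_name, root_pub, doc, doc_sig):
    # The relier holds only the root's public key; each certificate supplies the next key.
    name, pub = root_name, root_pub
    for cert in chain:
        if cert["issuer"] != name or not verify(pub, tbs(cert), cert["sig"]):
            return f"broken at certificate for {cert['subject']}"
        name, pub = cert["subject"], cert["pub"]
    return "valid" if verify(pub, doc, doc_sig) else "bad document signature"

M = lambda k: 2**k - 1   # Mersenne primes for k = 61, 89, 107, 127
root_pub, root_priv = keypair(M(61), M(89))
ca2_pub, ca2_priv = keypair(M(89), M(107))
ca3_pub, ca3_priv = keypair(M(107), M(127))
user_pub, user_priv = keypair(M(61), M(127))

# Constructed sample chain and document: root -> second CA -> third CA -> user.
CHAIN = [issue("Root CA", root_priv, "Second CA", ca2_pub),
         issue("Second CA", ca2_priv, "Third CA", ca3_pub),
         issue("Third CA", ca3_priv, "User", user_pub)]
DOC = b"constructed sample email body"
DOC_SIG = sign(user_priv, DOC)
```

Dropping any one certificate from `CHAIN` makes `validate` fail even though the document signature itself is intact, which is the dependency on retained certification information that a later verifier inherits.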
A problem exists of how to package and maintain a digitally signed document as evidence which can be interpreted at a later date, for example in a court of law. Typically, a document retention period may be seven years, although at present a CA will not necessarily retain certification information for that period of time. An existing CA called VeriSign keeps different levels of certificates. VeriSign's level 2 and level 3 certificates are retained for five years. A CA such as VeriSign will only keep certification details, rather than any document which has been signed with a certificate issued by the CA. Furthermore, relying on the CA in the way described above is disadvantageous, because reliance is placed on an outside party to prove the validity and meaning of signatures at later dates.