Under the eIDAS Regulation, the specifications for formatting advanced electronic signatures in PDF documents are set under PAdES. PAdES, short for PDF Advanced Electronic Signatures, is the electronic signature format for PDF documents.
Because PDF documents can be stored for long periods of time, there is a need for tools to ensure that electronically signed documents can also be stored for long periods of time. The validity of the signature should be maintained even if the signing key/certificate has expired or been revoked, the issuing CA no longer exists, or the cryptographic algorithms used to create the electronic signature are no longer trustworthy.
ETSI TS 103 172
To counter such problems, several standards, such as the ETSI Technical Specification ETSI TS 103 172 – Electronic Signatures and Infrastructures (ESI); PAdES Baseline Profile, were put in place to define how to archive PDFs under the PAdES standard.
PAdES Baseline Profile
TS 103 172 defines PAdES Baseline Profiles that describe different PAdES signatures.
The following relevant profiles are defined in the technical specification:
1. B-Level - Defines a profile for short-term electronic signatures. Must include an electronic signature and the signing certificate.
2. T-Level - Like B-Level, but adds a time-stamp or a time-mark that proves that the signature existed at a certain date and time.
3. LT-Level - Like T-Level, but adds VRI (Verification Related Information) data to the DSS (Document Security Store), such as OCSP responses or CRLs, and all certificates of the certificate chain, from the user certificate to the Root CA certificate. In short, this profile allows a document signature to be validated even after a long period of time, when the signing environment (e.g. the signing CA) is no longer available. The LT level is recommended for Advanced Electronic Signatures; however, national laws have to be checked on a case-by-case basis.
4. LTA-Level - Like LT-Level, but adds a document time-stamp and VRI data for the TSA (Time Stamping Authority) to the DSS. An LTA form may help to validate the signature beyond any event that may limit its validity. This is what we recommend for Qualified Electronic Signatures. This profile conforms to the eIDAS regulations and supports the requirements from upcoming laws.
ETSI is currently very active on this topic, and further development in upcoming standards should be followed. Also, in some cases the newer standard ETSI EN 319 142-1 should be taken into account. This European norm defines profiles very similar to those mentioned above, but in more detail. The names of the profiles in this norm are:
- B-B
- B-T
- B-LT
- B-LTA
Long-Term with Archive Time-Stamps (LTA)
The LTA level, which is very similar to a former profile named LTV (long term validation), addresses digitally signed PDF documents that are stored for long periods. With the LTA level, time stamp tokens are incorporated into the PAdES signature that will allow for the long-term integrity and availability of the signed document.
To conform to the LTA level, the B, T and LT level requirements must be met in addition to the LTA requirements. Signatures that conform to the LTA level must have at least one document time-stamp applied to their profile. Before the document time-stamp is generated and incorporated into the signature profile, all validation material that is required for signature verification must be included. This material includes all certificates and the OCSP or CRL status information that pertains to those certificates. This information is required to validate:
- The signing certificate
- Any attribute certificate used in the signature
- Any time-stamp token’s signing certificate that is already included in the signature
Using the PAdES Baseline LTA standard ensures the validity and integrity of signed PDF documents that might need to be accessed far in the future.
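An added example (not from the original article or from ETSI): a heuristic structural check, in Python, of which baseline level a PDF's raw bytes are consistent with, including the ordering rule above that the validation material must be in the DSS before the document time-stamp is applied. It assumes uncompressed PDF objects and performs no cryptographic validation; the function names and the sample PDF fragments are constructed for illustration.

```python
import re

# DER bytes of OID 1.2.840.113549.1.9.16.2.14 (id-aa-signatureTimeStampToken)
SIG_TS_OID = bytes.fromhex("060b2a864886f70d010910020e")

def _unhex(h: bytes) -> bytes:
    """Decode a PDF hex string; an odd final digit is padded with 0."""
    s = b"".join(h.split()).decode("ascii")
    return bytes.fromhex(s + "0" * (len(s) % 2))

def classify_pades(pdf: bytes) -> str:
    """Structural guess only: says what is present, not that it verifies."""
    if not re.search(rb"/SubFilter\s*/ETSI\.CAdES\.detached", pdf):
        return "no PAdES signature"
    # T-level evidence: signature time-stamp attribute inside a CMS /Contents
    has_sig_ts = any(SIG_TS_OID in _unhex(m.group(1)) for m in
                     re.finditer(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", pdf))
    # Byte offsets of document time-stamps (RFC 3161 tokens)
    doc_ts = [m.start() for m in
              re.finditer(rb"/SubFilter\s*/ETSI\.RFC3161", pdf)]
    if not (has_sig_ts or doc_ts):
        return "B"
    # LT-level evidence: a DSS holding certificates plus OCSP or CRL data
    dss = re.search(rb"/DSS\b", pdf)
    tail = pdf[dss.start():] if dss else b""
    if not (b"/Certs" in tail and (b"/OCSPs" in tail or b"/CRLs" in tail)):
        return "T"
    # LTA: a document time-stamp added after the validation material
    if any(off > dss.start() for off in doc_ts):
        return "LTA"
    return "LT"

# Constructed fragments standing in for incremental PDF revisions
DSS_OBJ = b"2 0 obj << /DSS << /Certs [5 0 R] /OCSPs [6 0 R] /VRI << >> >> >> endobj\n"
DOC_TS_OBJ = (b"3 0 obj << /Type /DocTimeStamp /SubFilter /ETSI.RFC3161 "
              b"/Contents <3080> >> endobj\n")

def sample(sig_ts=False, dss=False, doc_ts=False) -> bytes:
    cms = b"3080" + (SIG_TS_OID.hex().encode() if sig_ts else b"") + b"0000"
    out = (b"%PDF-1.7\n1 0 obj << /Type /Sig /SubFilter /ETSI.CAdES.detached "
           b"/Contents <" + cms + b"> >> endobj\n")
    return out + (DSS_OBJ if dss else b"") + (DOC_TS_OBJ if doc_ts else b"")

if __name__ == "__main__":
    for flags in [(0, 0, 0), (1, 0, 0), (1, 1, 0), (1, 1, 1)]:
        print(flags, classify_pades(sample(*map(bool, flags))))
```

A document time-stamp that precedes the DSS is reported as LT rather than LTA, because that time-stamp does not cover the validation material.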
References and Further Reading
- Selected articles on Authentication (2014-17), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-17), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- Selected articles on eIDAS (2014-17), by Heather Walker, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- ETSI TS 103 172 – Electronic Signatures and Infrastructures (ESI); PAdES Baseline Profile (2013), by the European Telecommunications Standards Institute
- Trust Services and eID (retrieved 11.01.2016), by the European Commission
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission
- Electronic Signatures and Infrastructures (ESI) - PDF Advanced Electronic Signature Profiles, Part 1: PAdES Overview - A Framework for PAdES (2009), by the European Telecommunications Standards Institute