In order for advanced & qualified electronic signatures and seals to be valid and recognized throughout Europe, they must be based on one of the three ETSI standards according to the EU Commission’s Implementing Decision 2015/1506 — i.e., PAdES, XAdES, CAdES.
PAdES, XAdES, and CAdES are all equally reliable and valid from a compliance standpoint, but they differ for use cases, and each of them presents specific benefits and drawbacks, which we will analyze in this article.
Background information: Why are signature standards needed?
The EU eIDAS Regulation — which provides the legal framework for the cross-border enforceability of electronic signatures and other trust services — defines the legal requirements that electronic signatures and seals must meet to be considered advanced or qualified.
However, it does not specify the technical standards on which electronic signatures and electronic seals need to be built to meet those requirements.
The Regulation delegated to the EU Commission the adoption of implementing acts to define such technical standards. Moreover, eIDAS established that Member States must recognize and presume the validity of advanced electronic signatures and seals based on those standards.
To ensure a high level of security and interoperability of electronic identification and trust services throughout the EU, the Commission has taken into account the technical specifications drawn up by the European Telecommunications Standards Institute (ETSI) — an independent organization supporting the development of globally applicable standards in the IT field.
The EU Commission fulfilled its mandate with the Implementing Decision 2015/1506, which establishes that Advanced Electronic Signatures and Advanced Electronic Seals must comply with one of the three ETSI baseline profiles:
- PDF advanced electronic signature (PAdES), based on PDF signatures;
- XML advanced electronic signature (XAdES), based on XML signatures;
- CMS advanced electronic signature (CAdES), based on Cryptographic Message Syntax (CMS).
PAdES
PAdES stands for PDF Advanced Electronic Signature and can only be used to sign PDF documents.
When implementing PAdES to sign a PDF, the resulting signature will be in PDF format. More specifically, the signature will be directly applied to the PDF — i.e., encoded into it.
Consequently, it won’t be possible to update the content of the PDF after it has been signed; it will only be possible to apply an additional PAdES signature, which will create a new version of the PDF containing all the signatures.
Let’s suppose that multiple people need to sign a document:
- Signer 1 signs the original Document, thereby creating a new Document (Document V2). Document V2 contains Document V1’s content and Signer 1’s PDF signature embedded in it.
- Signer 2 then signs Document V2; by doing so, Document V3 is created. Document V3 contains the content of Document V2 with Signer 1 and Signer 2’s PDF signatures embedded in it.
- Signer 3 then signs Document V3, and Document V4 is created — and so on.
As a result, it’s not possible for multiple people to sign simultaneously. If multiple people try to sign at the same time, or within quick succession of each other, then all but one will need to wait.
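To make the versioning above concrete, here is a small model of how a PAdES signature chain behaves. This is an added example, not Penneo's code and not a real PDF or PAdES implementation: a real PAdES signature is a CMS object covering the file's /ByteRange, whereas here each "signature" is an HMAC over every byte that precedes it (an assumed stand-in for the asymmetric signature), and the `%%PAdES-sig:` marker, the signer keys and the document bytes are all constructed. What it shows is the structural point of the text: every new signature covers the whole previous version, so content edits invalidate all signatures, and two signers starting from the same version produce two incompatible files rather than one file with both signatures.

```python
"""Model of PAdES-style sequential signing via incremental updates (added example)."""
import hashlib
import hmac

# Constructed per-signer keys. In PAdES these would be private keys backed by
# X.509 certificates, not shared secrets; HMAC is only a stand-in here.
SIGNER_KEYS = {"Signer 1": b"key-1", "Signer 2": b"key-2", "Signer 3": b"key-3"}

SEP = b"\n%%PAdES-sig:"  # constructed update marker, not real PDF syntax


def sign_version(document: bytes, signer: str) -> bytes:
    """Append an incremental update: a signature covering every byte of the
    document as it existed before this update (the analogue of /ByteRange).
    The returned bytes are the next document version (V1 -> V2 -> V3 ...)."""
    covered = hashlib.sha256(document).digest()
    mac = hmac.new(SIGNER_KEYS[signer], covered, "sha256").hexdigest()
    return document + SEP + signer.encode() + b":" + mac.encode()


def verify_chain(document: bytes) -> list:
    """Walk the incremental updates in order and check each signature against
    the exact bytes it covered. Returns [(signer, ok), ...] in signing order.
    Any change to bytes before a signature makes that signature (and every
    later one, since they cover it too) fail."""
    parts = document.split(SEP)
    results = []
    covered_prefix = parts[0]
    for block in parts[1:]:
        signer, mac = block.decode().split(":", 1)
        expected = hmac.new(SIGNER_KEYS[signer],
                            hashlib.sha256(covered_prefix).digest(),
                            "sha256").hexdigest()
        results.append((signer, hmac.compare_digest(mac, expected)))
        covered_prefix = covered_prefix + SEP + block
    return results


def concurrent_signing_forks(version: bytes) -> bool:
    """Two signers both start from the same version. Each produces a valid
    next version, but the results are different files and neither contains
    the other's signature, which is why the second signer has to wait and
    sign the first signer's output instead. Returns True if a fork occurred."""
    next_a = sign_version(version, "Signer 2")
    next_b = sign_version(version, "Signer 3")
    both_valid = all(ok for _, ok in verify_chain(next_a) + verify_chain(next_b))
    return both_valid and next_a != next_b and not next_b.startswith(next_a)


if __name__ == "__main__":
    v1 = b"%PDF-1.7 constructed contract text"
    v2 = sign_version(v1, "Signer 1")
    v3 = sign_version(v2, "Signer 2")
    v4 = sign_version(v3, "Signer 3")
    print(verify_chain(v4))                       # all three signatures valid
    print(verify_chain(v4.replace(b"contract", b"CONTRACT")))  # all invalid
    print(concurrent_signing_forks(v2))           # True: parallel signing forks
```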
There are many benefits of using PAdES:
PAdES signatures are directly applied to the PDF — i.e., encoded into it. Therefore, the signatures cannot be misplaced, as they remain part of the self-contained PDF files, which can be copied, stored, and distributed as simple electronic files.
PAdES allows for the addition of a visible graphic signature to the document (besides the cryptographic signature).
The resulting file, which contains the signature, is a PDF file that, as such, can be opened and viewed using any widely available PDF reader.
The PDF signatures can be validated using publicly available tools like Adobe Reader, which is beneficial when signing documents with a general audience, such as in a B2C or C2C context. Below is an example of PAdES signature validation with Adobe Reader.
The PDF signatures can also be validated using custom-built validation tools, like Penneo’s Validator, as well as official tools, such as the EU Commission’s Digital Signature Services (DSS) validation tool.
XAdES
XAdES stands for XML Advanced Electronic Signatures.
When using the XAdES standard, the resulting signature is in XML format.
XAdES standard can be used to sign XML-based electronic document formats, which is suitable for a large variety of business use cases. For example, a company’s board and auditor can use the XAdES standard to sign documents in iXBRL format and comply with ESEF reporting requirements when submitting their financial statements to the authorities.
XML files are both human-readable and machine-readable, which is optimal for storing data in a structured way and extracting information into other systems.
However, users need specific software to validate XAdES signatures, which makes them less appropriate when signing documents with a general audience (i.e., in a business-to-consumer or consumer-to-consumer context), as a person receiving an XAdES signature file might not know how to validate it.
Additionally, it’s not as easy to validate a document signed with XAdES signatures — but it is possible to use the EU DSS Validator to verify the validity of the individual XAdES signatures.
CAdES
CAdES stands for CMS Advanced Electronic Signature.
Just like XAdES, the CAdES standard can be used to sign most types of files. While being very versatile, CAdES signatures present a series of disadvantages:
- When using the CAdES standard, the resulting signature is in .p7m format; therefore, users need specific software to view the signature and validate it.
- Just like PAdES, and unlike XAdES, it is not possible for multiple people to sign at the same time, as each signature creates a new .p7m envelope.
- Unlike PAdES, the CAdES standard does not allow for the addition of a visible graphic signature on the document.
Below is a more detailed overview of the three signature standards and their features:
| | PAdES | XAdES | CAdES |
|---|---|---|---|
| Stands for | PDF Advanced Electronic Signature | XML Advanced Electronic Signature | CMS Advanced Electronic Signature |
| ETSI standard | PAdES Baseline Profile ETSI TS 103 172 v2.2.2 | XAdES Baseline Profile ETSI TS 103 171 v2.1.1 | CAdES Baseline Profile ETSI TS 103 173 v2.2.1 |
| E-signature file format | PDF | XML | .p7m |
| Signing by multiple people at the same time | NO | YES | NO |
| Human-readable | NO | YES | NO |
| Machine-readable | YES | YES | YES |
| Visual representation of the signature on the document | YES | NO | NO |
| Signature validation | PAdES signatures can be validated using Adobe Reader, Penneo's Validator, and the EU DSS Validator. Read more about the validation of documents signed via Penneo here. | Specific software is needed to open XML files. XAdES signatures can be validated using the EU DSS Validator and Penneo's Validator. Read more about the validation of documents signed via Penneo here. | Specific software is needed to open the .p7m file and validate CAdES signatures. |
Benefits of using ETSI standards
Legal validity: eIDAS established that Member States must recognize and presume the validity of advanced electronic signatures and seals based on those standards.
Cross-border validation: PAdES, XAdES, and CAdES are all ETSI standards and are therefore recognized and used internationally — which means that it is possible to create an advanced electronic signature based on any of them in any Member state, and anybody across countries will be able to perform the signature validation.
Assessment and record of the Certificate status: Whenever a certificate is used as a part of the signing process, the ETSI standards provide for the verification of the status of the certificate at the time of signing. The digital signing software checks whether the certificate is valid, expired, or revoked, and the result of this check is added to the resulting XAdES/PAdES/CAdES signature.
Long-term validation (LTV): The main benefit of all three standards is that they support Long Term Validation (LTV), which is a signed document’s ability to stay valid for years or even decades after signing — even after the platform that created the document has become inaccessible. Documents signed using one of the above ETSI standards contain records of the certificates used for signing and their validity at the time of signature. At any time in the future, despite technological and other advances, it will be possible to verify that the signature was valid at the time it was made.
Content integrity: If the document is edited after the signing process is completed, then the signature is invalidated. Thus, a valid signature serves as proof of both who signed and what they signed.
Which signature standard should you use?
PAdES, XAdES, and CAdES are all equally valid internationally, but their individual characteristics make them most suitable for specific use cases.
If you need to sign PDF documents, PAdES is the best option. Anybody can view the final signed PDF with a PDF reader and validate the signatures with Adobe Reader, whereas someone receiving an XML or .p7m file might not know how to open it.
If you need to sign non-PDF files and want to be able to easily export the signatures’ data into other systems, XAdES and CAdES are to be preferred.
Considering the pros and cons provided by each of these signature standards, some trust service providers offering electronic signature services employ both XAdES and PAdES standards in their signing processes to benefit from the advantages each of them brings. And that’s, for example, what Penneo does when creating electronic signatures.
Which standards does Penneo follow when creating advanced electronic signatures?
Penneo’s advanced electronic signatures and electronic seals are based on XAdES and PAdES standards.
Here is how the process works:
- PDF documents are sent for signature via Penneo to the signers
- Each signer can view the documents as PDFs and proceed to sign them
- When the signer proceeds to sign the documents, Penneo generates an XML structure of the document details, including hashes of the PDFs. This XML file is then signed. Whenever multiple documents are sent for signature together, this is done for all documents together, so that the signers only need to sign once.
- The resulting signature is an XAdES signature, and there will be as many XAdES signature files as there are signatures/signers
- Penneo embeds these XAdES signatures into the original PDF document/s as attachments
- Penneo also adds a visual representation of the signatures on a dedicated page, which becomes an integral part of the PDF itself as its last page. The signature page is readable with any PDF reader and printable, along with the rest of the document. Besides the graphic representation of the signatures, this final page also contains additional identifying information on each signer, such as
- their name, their role, the entity on whose behalf they sign if applicable, their IP address (in partially anonymized form), and
- a timestamp for each signature, i.e., a digital record of the time when each signature was applied, which is also cryptographically bound to the document as it is included in the XML signature.
Below is an example of what the final page with the visual representation of the signatures would look like.
- Penneo uses the attachment capability to embed an audit log in the final document/s — a complete record of activities up until the conclusion of the signature process. It can be used as evidence (even in court), and by including it in the document, it’s by default available to all parties. Thereby, disputes can be handled without further input from Penneo. You can see the audit log as a .txt file by opening the document in Adobe Reader and clicking on the paperclip icon in the left tab.
- When all signers have signed the documents, Penneo seals the signed documents with the embedded XAdES signatures and audit trail according to the PAdES standard. This is done by applying qualified electronic seals — i.e., Penneo’s author signature — and it achieves the benefits of the PAdES standard. You can see the seal by opening the documents in Adobe Reader; it will appear as a blue bar at the top.
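The step above in which an XML structure of document details, including hashes of the PDFs, is signed once for all documents, and the content-integrity property described earlier, can be illustrated with the following model. This is an added example, not Penneo's code: Penneo's actual XML structure and the XAdES signature format are not reproduced, the `SignedDocuments`/`Document` element names, the signing key and the PDF bytes are all constructed, and an HMAC stands in for the asymmetric XAdES signature (an assumption). It shows the principle that one signature over a manifest of digests binds several documents and a signing time at once, and that verification reports separately whether the manifest signature holds and which individual document, if any, no longer matches its signed digest.

```python
"""Model of a signed manifest of document digests, XAdES-style (added example)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SIGNING_KEY = b"constructed-signer-key"  # stand-in for the signer's private key


def build_manifest(documents: dict, signer: str, signing_time: str) -> bytes:
    """Build the XML manifest: one <Document> per PDF carrying its SHA-256
    digest, plus the signer name and signing time. All of it is covered by
    the signature, so the time is cryptographically bound to the documents."""
    root = ET.Element("SignedDocuments",
                      {"signer": signer, "signingTime": signing_time})
    for name in sorted(documents):  # sorted for deterministic byte output
        ET.SubElement(root, "Document", {
            "name": name,
            "digestAlgorithm": "sha256",
            "digest": hashlib.sha256(documents[name]).hexdigest(),
        })
    return ET.tostring(root, encoding="utf-8")


def sign_manifest(manifest: bytes) -> str:
    """One signature over the whole manifest: the signer signs once even
    when several documents are sent for signature together."""
    return hmac.new(SIGNING_KEY, manifest, "sha256").hexdigest()


def verify(manifest: bytes, signature: str, documents: dict) -> dict:
    """Check the manifest signature, then recompute each document's digest
    and compare it with the signed value. A document edited after signing
    shows up as False under 'documents' while the manifest signature itself
    still verifies; an edited manifest makes 'signature_ok' False."""
    sig_ok = hmac.compare_digest(sign_manifest(manifest), signature)
    root = ET.fromstring(manifest)
    per_doc = {}
    for el in root.findall("Document"):
        name = el.get("name")
        data = documents.get(name)
        per_doc[name] = (data is not None and
                         hashlib.sha256(data).hexdigest() == el.get("digest"))
    return {
        "signature_ok": sig_ok,
        "signer": root.get("signer"),
        "signing_time": root.get("signingTime"),
        "documents": per_doc,
    }


if __name__ == "__main__":
    # Constructed stand-ins for two PDFs sent for signature together.
    pdfs = {"contract.pdf": b"%PDF-1.7 contract body",
            "annex.pdf": b"%PDF-1.7 annex body"}
    manifest = build_manifest(pdfs, "Signer 1", "2024-01-01T10:00:00Z")
    sig = sign_manifest(manifest)
    print(verify(manifest, sig, pdfs))
    edited = dict(pdfs, **{"annex.pdf": b"%PDF-1.7 annex body (edited)"})
    print(verify(manifest, sig, edited))  # annex.pdf reported as False
```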
Penneo’s Seal
By applying the final seal to the documents following PAdES standards, it is as if Penneo acted as the last and final signer of the documents. The seal is incorporated directly within the signed PDFs, just as an ink signature becomes an integral part of a paper document.
This ensures that the documents never lose their legal reliability, as the complete self-contained PDF files contain everything you need to verify the signatures’ validity and remain valid for long periods. At the same time, PDFs can be copied, stored, and distributed as simple electronic files.
How to check the validity of signatures and seals based on XAdES and PAdES standards
As explained above, documents signed via Penneo are PDFs with attached XML signatures (based on XAdES standard) and sealed with a qualified electronic seal (based on PAdES standard).
The validity of documents signed via Penneo can be verified through Adobe Reader and Penneo’s Validator as a PAdES-compliant validation platform. Additionally, users can upload their documents on the EU DSS Validator to get information on the signature’s status, scope, and time, as well as on the certificate chain, timestamps, and LTV (Long Term Validation).
You can follow the steps described in this article to check the validity of your signatures created via Penneo.