Digital signatures are practically impossible to forge since they authenticate the signers and are embedded in the final document via PKI technology.

In this article, you will learn about the three methods for verifying digital signatures and checking whether a document is legally binding or not.

 

How to check the legal validity of a digital signature

When using Penneo to sign a PDF document, Penneo creates legally valid digital signatures in XML format (based on the XAdES standard) with digital certificates. These signatures are attached to the PDF document, which is then sealed with a qualified electronic seal (based on the PAdES standard).

As a result, the final PDF holds evidence that the digital certificates were valid at the time of signing and that the digital signatures are legally binding.

In case of a dispute, the signed documents themselves contain all the evidence required to prove the authenticity of both the document and each individual signature.

Below are three methods you can use to validate digitally signed documents (including the XAdES-based signatures and PAdES-based seals).

1. Verifying digital signatures via a PDF reader

When you open the document with a PDF reader, you can see several elements attesting that it is untampered and authentic (if that’s the case).

The first thing you see is the seal of the document. In Adobe Reader, the seal appears as a blue bar at the top.

Seal of the document

For documents signed via Penneo, the seal is a qualified electronic seal issued by Intesi Group, an EU Qualified Trust Service Provider certified under eIDAS standards.

The seal guarantees the probative value of the document. If the document is not legally valid, the bar will show the following text: Certification by Penneo A/S is invalid.

The qualified electronic seal is applied by Penneo at the end of the signing process. After the signers have signed the document, Penneo seals the signed document with the embedded XML signatures according to the PAdES standard. By applying the final seal to the document, it’s as if Penneo acted as the last and final signer of the document. The seal is incorporated directly within the signed PDF, much as an ink signature becomes an integral part of a paper document.

This ensures that the document never loses its legal reliability, as the complete self-contained PDF file contains everything you need to verify the signatures’ validity and remains valid for long periods. At the same time, the PDF file can be copied, stored, and distributed as a simple electronic file.

You can click on the signature icon in the left tab or on the Signature Panel button to get additional details on the legal validity of the document seal.

Signature panel

You can read more about what Certified by Penneo A/S means – i.e., the document can’t be edited, the certificate has been issued by a QTSP, and so on.

You can also click on Certificate Details to read information about the digital certificate included in the document.

Certificate details

You can also click on the paperclip icon in the left tab if you want to view the digital signatures in XML format and the timestamps for each signature.

Signatures in XML format and timestamps

Here, you can also access the audit trail, where all the steps of the signing process are recorded. The audit trail is in a human-readable format so that it can be used as evidence in court. It shows the time and IP associated with each activity, from opening and viewing the document to signing it.

Audit trail

Although all these cryptographic elements are embedded within the PDF, they can look different in other PDF readers.

2. Verifying digital signatures via Penneo’s Validator

You can also use the Penneo Validator to check the validity of digital signatures created via Penneo. Just access the validation platform and upload the signed document by clicking on Choose document to check. The Penneo Validator validates both the individual signers’ XAdES signatures and the PAdES signature (Penneo’s seal) on the PDF document.

The Penneo Validator also validates that each XAdES signature belongs to that specific PDF document.

In the case that somebody tries to tamper with the document (for example, by removing the seal, replacing the attached XAdES signatures with new ones, and adding a new valid seal), the Penneo Validator would detect that the document has been compromised, and declare it invalid.

Similarly, it’s not possible to create a fake signed document by copying a XAdES signature from a legitimate signed document to another PDF, as the Penneo Validator would detect the manipulation and declare the document invalid.

Choose document to check

You will then see the validation results. Review the results and compare them with your document.

Validation results

If Social Security Number validation was enabled for a signer by the sender of the document, then you can also validate the signer’s identity by entering their social security number in the Check signer identity field and clicking Check. If the SSN you typed matches the SSN of the signer, the box will turn green; if it doesn’t, it will turn pink. Note that it will also turn pink if the Social Security Number validation feature wasn’t enabled for the signer.

3. Verifying digital signatures via the EU Commission’s Validation Platform

You can use the EU DSS Validator to verify the validity of PAdES and XAdES signatures. To validate a document signed via Penneo, upload the PDF to the EU DSS Validator and click Submit.

EU Validator

Below is an example of a Simple report, but you can click on the button Detailed Report to read more information about the document’s legal validity.

Validation result

When validating a document signed via Penneo through the EU DSS Validator, the validation result will show, under Signatures status, that there is 1 valid signature on the document – regardless of the actual number of signatures that have been applied to it.

That is because a standard PDF validator, such as the EU DSS Validator, is only able to run a PAdES validation on a PDF document. So, if we submit signed PDFs produced by Penneo to the EU DSS Validator, all the XAdES signatures that are embedded into the PDFs will be ignored, and only the author signature produced by Penneo will be validated. In other words, the only element validated will be Penneo’s final (PAdES-based) seal.

If you want to verify the validity of the individual XAdES signatures included in the PDF, you can follow the process explained below:

  1. Download the XML signatures — you can do so by opening the signed PDF in Adobe Reader, clicking on the paperclip icon, selecting all the files whose description contains Signature for (Name) and Signed data for (Name), and downloading them.

    Download the XML signatures

  2. Validate each signature separately by uploading the files into the EU DSS validator:
    • Use the Signature for (Name) file in the Signed file field
    • Use the Signed data for (Name) file in the Original file(s) field, whenever this file is available for the signer (this file won’t be present when using certain signing methods, including but not limited to QES via itsme®).

    Validate each signature separately

  3. Inspect the resulting report, which will tell you whether such signatures are valid.

    Inspect the resulting report

    • 3.1. Limitations

      The EU DSS Validator validates that each signature is valid, but does not validate that they belong to the specific PDF document.

      Suppose the seal is removed from a signed document, the signatures (attached XML files) are replaced with new ones, and a new valid seal is added. The result will still look valid in the EU DSS Validator (and in Adobe Reader, for that matter). That’s because both the new seal and the new signatures are valid.

      Penneo’s own Validator, however, will detect that the document has been compromised as it also validates the unique relationship between each XAdES signature (attached XML file) and the content of the PAdES-based PDF document.

    • 3.2. Why do the EU DSS Validator and Penneo’s validator not behave the same way?

      As mentioned above, the EU DSS Validator only runs PAdES validations. So when uploading a signed PDF with attached XML signatures and sealed with a PAdES seal, the EU DSS Validator will only reveal the validity of the PAdES seal. The only way to verify the validity of the XML signatures is by following the more complex process described above, which still doesn’t ensure that the signatures belong to the document.

      The Penneo Validator, instead, is custom-built to validate both the PAdES signature(s) in the PDFs produced by Penneo and all the XAdES signatures that are embedded into the PDFs.

      Although standards exist for both XAdES and PAdES signatures, and Penneo fully adheres to both standards, a standard isn’t defined for how to embed XAdES signatures (XML format) in a PAdES document (PDF format) for visual presentation. Many signature providers do this, albeit in slightly different ways, which standard PDF validators don’t consider.
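To see what supplying the Original file(s) in step 2 adds, and why a signature that is valid on its own says nothing about other data (section 3.1), here is an added example that is not Penneo's or the EU DSS Validator's code: it checks whether any ds:Reference in a detached XML signature carries the digest of a given file. It assumes the digest is taken over the file's raw bytes with no transforms, does not verify the signature value or certificate chain, and uses constructed sample data; how Penneo ties each signature to the PDF content is not described on this page and is not modelled here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Digest algorithm URIs from the XML-DSig / XML-Enc specs, mapped to hashlib names.
DIGESTS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def references_matching(signature_xml: bytes, original: bytes) -> list:
    """Return the URIs of ds:Reference elements whose digest equals that of `original`."""
    root = ET.fromstring(signature_xml)
    matched = []
    for ref in root.iter(DS + "Reference"):
        method = ref.find(DS + "DigestMethod")
        value = ref.find(DS + "DigestValue")
        if method is None or value is None or not value.text:
            continue  # malformed reference: cannot cover anything
        algo = DIGESTS.get(method.get("Algorithm", ""))
        if algo is None:
            continue  # unknown algorithm: treat as no match rather than guess
        expected = base64.b64decode(value.text.strip())
        if hashlib.new(algo, original).digest() == expected:
            matched.append(ref.get("URI", ""))
    return matched


def build_sample(data: bytes, uri: str) -> bytes:
    """Constructed, unsigned ds:Signature skeleton for the demo (no SignatureValue)."""
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        f'<ds:Reference URI="{uri}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<ds:DigestValue>{digest}</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo></ds:Signature>"
    ).encode()


SIGNED_DATA = b"constructed signed data for Alice"
OTHER_DATA = b"constructed data from a different document"
SAMPLE_SIG = build_sample(SIGNED_DATA, "signed-data-alice")

if __name__ == "__main__":
    print(references_matching(SAMPLE_SIG, SIGNED_DATA))  # the reference covers this file
    print(references_matching(SAMPLE_SIG, OTHER_DATA))   # no reference covers this file
```

An empty result means the signature, however valid, was made over different data than the file you supplied.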
