PAdES - PDF Advanced Electronic Signature
What is PAdES? What does it have to do with PDF? What can PAdES do? For all these questions, there are detailed answers on the web. This article is meant to give a brief overview as a small guide in the jungle of terms.
The concept of digital signatures was introduced in PDF 1.3 and refined in later versions. The PDF Advanced Electronic Signature (PAdES) standard was published by ETSI (European Telecommunication Standards Institute) and is referred to in ISO-32'000-2. It is based on the digital signature concept of PDF and describes a set of profiles making these signatures compliant to the European eIDAS regulations, which are legally binding in all EU member states since July 2014.
Here is a brief overview of eIDAS and PAdES
ETSI TS 102 778: "Old" Technical Standard (TS) for PDF signatures. Also called "Legacy PAdES".
ETSI TS 103 172: "Newer" Technical Standard (TS) for PDF Signatures. This standard is referred to by the eIDAS Regulation.
ETSI EN 319 122-1: Standard for CAdES signatures, which are essentially CMS (PKCS #7) signatures with a few extensions. This standard is not used for PDF.
ETSI EN 319 142-1: Part 1 is the new European Norm (EN) for PDF signatures. It's based on CAdES, but very limited, so that the standards do not have much in common. Defines the baseline signature levels B-B, B-T, B-LT and B-LTA (see below).
ETSI EN 319 142-2: Part 2 defines additional signature profiles, especially PAdES-CMS, which also includes Legacy PAdES and other formats from ISO 32000-1.
ETSI TR 119 100: Describes how to use the signature standards (for CAdES, XAdES and PAdES). Also, how the validity of old signatures can be extended.
ISO 14533-3: Long term signature profiles for PDF Advanced Electronic Signatures (PAdES). This standard is referred to by PDF/A-4.
The Decision 2015/1506/EU of the eIDAS Regulation (Regulation (EU) N° 910/2014) still refers to the previous legacy PAdES baseline signature standard ETSI TS 103 172.
The baseline signature levels:
B-B: Defines a level for short-term electronic signatures. Must include an electronic signature and the signing certificate.
B-T: Like B-B, but includes a time-stamp, respectively a time-mark that proves that the signature existed at a certain date and time.
B-LT: Like B-T, but adds VRI data to the DSS, like OCSP responses or CRLs and all certificates of the trust chain, from the user certificate to the Root CA certificate. This level allows that a document signature can be validated, even after a long period of time, when the signing environment (e.g. signing CA) is not available anymore. The B-LT level is recommended for Advanced Electronic Signatures.
B-LTA: Like B- LT, but includes a document time stamp and VRI data for the TSA to the DSS. A B-LTA level may help to validate the signature beyond any event that may limit its validity This level is recommended for Qualified Electronic Signatures.
Types of electronic signatures:
Basic Level Electronic Signature: Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
Advanced Electronic Signature: The signatory can be uniquely identified and linked to the signature. The signatory must have sole control of the signature creation data (typically a private key) that was used to create the electronic signature. The signature must be capable of identifying if its accompanying data has been tampered with after the message was signed. In the event that the accompanying data has been changed, the signature must be invalidated.
Qualified Electronic Signature (QES): The service provider must provide a valid time and date for created certificates. Signatures that have expired certificates must be revoked immediately. Personnel employed by the qualified trust service provider must be appropriately trained. Software and hardware used by the service provider must be trustworthy and capable of preventing certificate forgery
And finally, a few abbreviations:
CA: Certification Authority
CMS: Cryptographic Message Syntax
CRL: Certificate Revocation List
OCSP: Online Certificate Status Protocol
PKCS: Public Key Cryptography Standards (e.g. PKCS #7)
TSA: Time-stamp Authority
VRI:Verification Related Information (e.g. OCSP, CRL)
DSS: Document Security Store (PDF)
XAdES: XML Advanced Electronic Signature
We have implemented the new PAdES standard in our software such that digital signatures in PDF can be easily created, updated and verified in applications that need to conform to the European eIDAS regulations. This implementation produces signatures which conform to all the mentioned PAdES standards without the need for a specific configuration. This makes it easy to use the tool because it does not require detailed knowledge about which standard to use.