What is PAdES?

In order for a signature to be considered secure and durable, it needs to be able to stand on its own, outside of the service provider where the signing was performed. An independent third party (eg adobe reader) must be able to verify the correctness of a signature, without the help of special tools and even after the service provider that created the signed document has disappeared from the market. The security and quality of the format must also be so good that it can be used for a longer period of time.

PAdES (PDF Advanced Electronic Signature) is one such format. It is based on a standard PDF technology and can thus be read by all PDF readers. The signature is automatically verified using Adobe Reader. The document is protected against alteration, meets the requirements of eIDAS and is an internationally accepted standard for electronically signed documents.

Signed and locked with certificate from TSP

In order for Adobe Reader to verify the PAdES file, it must be locked and signed by a qualified certificate issued by a Trust Service Provider (TSP) from The European Union Trust List (EUTL).
The EUTL is a public list of over 200 active and former Trust Service Providers (TSPs) accredited to deliver the highest level of eIDAS compliance. Among other things, these providers offer digital seals for businesses and timestamp services that can be used to create qualified electronic signatures based on digital signature technology.

TellusTalk has such a certificate that is used to lock and sign our PAdES files. You can get your own qualified certificate for you or your company, you can read more about it here.

Durable signature – well into the future with LTA (Long Term Archival)

In order for the signed document to be considered durable for a longer period of time, ETSI has defined a standard (ESTI TS 103 172) with several levels of techniques to ensure that the PAdES document can be verified over time. Each level is based on the next level meeting the level below and additional requirements.
– B level: The lowest level, used for signatures that do not need to be archived for a long time. Must include an electronic signature and a certificate.
– T-level: Like the B-level and that a time stamp is added to prove that the signature existed at a certain time. If you want to know if the certificate was valid, you can search for it online in lists that handle certificates.
– LT-level: Like the T-level and that VRI (Verification Related Information) is also added directly to the document that verifies the entire certificate chain at the time of signing. This level is the lowest recommended for “Advanced signatures” such as eID (BankID)-signatures.
– LTA level: As the LT level and also adding an additional time stamp to the document. This level is the one recommended for “Qualified Signatures”. This is also the only level that fully complies with the eIDAS regulations and has support for future legislation in electronic signatures.

LTA is very similar to an older profile that was called LTV (Long Term Validation)

TellusTalk uses the highest level, LTA (Long Term Archival), which includes, among other things, a time stamp that proves the certificate was valid at the time of signing. This means that the signature is considered valid even when the certificate has expired in the future.