What do the B, T, LT and LTA levels in PAdES mean for digital signatures?

While reading about digital signatures, you may have come across the term “PAdES” (PDF Advanced Electronic Signatures). It’s a set of restrictions and extensions to PDF to make it suitable for electronic signatures within eIDAS.

PAdES and its four levels of baseline signatures are defined in technical detail in ETSI EN 319 142-1 and ETSI EN 319 142-2.

Below, we break them down into simpler terms.

PAdES-B-B level

This is a basic signature. It remains valid as long as the certificate used to sign it is also valid (i.e. not expired or revoked).

PAdES-B-T level

This signature is an extension of the basic signature. It includes a cryptographic timestamp token to prove that the signed document existed at a given point in time.

PAdES-B-LT level

This signature builds on the previous one by incorporating all materials required to validate the signed document. This typically includes signing certificates, timestamp certificates, and revocation data (like CRL and OCSP responses). This makes it possible to validate the signed document using the contents of the file itself.

PAdES-B-LTA level

This signature provides long-term availability and integrity of validation material. It builds on the previous level by adding a cryptographic timestamp token to the document itself and the validation material (also called a “document timestamp”).

This establishes evidence that the validation material existed at that point in time, letting a signature validator determine that no certificates were revoked or expired at the time the signature was created.

In theory, it’s possible to periodically add further document timestamp tokens. This lets a document signature remain valid long after the initial certificates, and even the signing algorithms, have expired or been deemed insecure.
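To see where each level shows up inside a file, here is an added Python sketch (not code from this article or from the ETSI standards) that guesses the baseline level of a PDF from the structures each level leaves behind. The markers it looks for are not named in the article and are assumptions drawn from the PAdES baseline profile: the ETSI.CAdES.detached and ETSI.RFC3161 SubFilter values, the /DSS (document security store) entry, and the signature-time-stamp OID. It is a heuristic: it only works when the relevant objects are not stored in compressed object streams, and it does not verify any signature, certificate or timestamp.

```python
import re

# Hex of the DER-encoded OID 1.2.840.113549.1.9.16.2.14 (signature-time-stamp attribute).
SIG_TS_OID = b"060b2a864886f70d010910020e"
OBJ = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
CONTENTS = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")
BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def pades_level(pdf: bytes) -> str:
    """Heuristic baseline level of an uncompressed PDF, or 'none' if unsigned."""
    signed = sig_ts = False
    covered_end = 0  # end of the bytes protected by the widest document timestamp
    for match in OBJ.finditer(pdf):
        body = match.group(1)
        if re.search(rb"/SubFilter\s*/ETSI\.CAdES\.detached", body):
            signed = True
            contents = CONTENTS.search(body)
            cms_hex = re.sub(rb"\s", b"", contents.group(1)).lower() if contents else b""
            sig_ts = sig_ts or SIG_TS_OID in cms_hex
        elif re.search(rb"/SubFilter\s*/ETSI\.RFC3161", body):
            byte_range = BYTERANGE.search(body)
            if byte_range:
                start2, len2 = int(byte_range.group(3)), int(byte_range.group(4))
                covered_end = max(covered_end, start2 + len2)
    if not signed:
        return "none"
    # Assumption of this sketch: either kind of timestamp counts as proof of time.
    if not (sig_ts or covered_end):
        return "PAdES-B-B"
    dss_at = pdf.rfind(b"/DSS")  # catalog reference to the embedded validation material
    if dss_at < 0:
        return "PAdES-B-T"
    # Validation material is only protected if it lies inside the timestamped bytes.
    return "PAdES-B-LTA" if dss_at < covered_end else "PAdES-B-LT"


if __name__ == "__main__":
    # Constructed sample, not a real signed PDF.
    sample = (b"1 0 obj\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached "
              b"/Contents <3082060B2A864886F70D010910020E> >>\nendobj\n"
              b"2 0 obj\n<< /Type /Catalog /DSS 3 0 R >>\nendobj\n")
    print(pades_level(sample))  # PAdES-B-LT
```

A document timestamp that was added before the validation material does not cover it, which is why the sketch reports such a file as PAdES-B-LT rather than PAdES-B-LTA.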

The four PAdES levels: Compared

Here’s how the four levels of baseline signatures compare:

| Level | Description | Validation |
| --- | --- | --- |
| PAdES-B-B | Basic signature | Signing certificate |
| PAdES-B-T | Signature with a timestamp | Everything in PAdES-B-B, plus: cryptographic timestamp token |
| PAdES-B-LT | Signature with validation for all materials | Everything in PAdES-B-T, plus: signing certificates, timestamp certificates, revocation data |
| PAdES-B-LTA | Signature with long-term integrity | Everything in PAdES-B-LT, plus: document timestamp token |


What PAdES level should you choose for document signatures?

Now that you know the difference, the natural question is: “What PAdES level should I be applying to my document signatures?” 

In short, this depends on two main factors:

  1. How long do you need the signature to remain valid?
  2. How business-critical is the validity of the signature?

For simple documents like invoices–where validity can be proven by the subsequent payment of the invoice itself–a basic signature (B) or signature with time (T) should be sufficient.

For signatures that might need to be validated in the distant future, like investment agreements, you would need at least a PAdES-B-LT level. We recommend implementing PAdES-B-LTA for such cases, because the technical implementation differences between the last two levels are minor.
