What do the B, T, LT and LTA levels in PAdES mean for digital signatures?

While reading about digital signatures, you may have come across the term “PAdES” (PDF Advanced Electronic Signatures). It’s a set of restrictions and extensions to PDF to make it suitable for electronic signatures within eIDAS.

PAdES and its four levels of baseline signatures are defined in technical detail in ETSI EN 319 142-1 and ETSI EN 319 142-2.

Below, we break them down into simpler terms.

PAdES-B-B level

This is a basic signature. It remains valid as long as the certificate used to sign it is also valid (i.e. not expired or revoked).

PAdES-B-T level

This signature is an extension of the basic signature. It includes a cryptographic timestamp token to prove that the signed document existed at a given point in time.

PAdES-B-LT level

This signature builds on the previous one by incorporating all materials required to validate the signed document. This typically includes signing certificates, timestamp certificates, and revocation data (like CRL and OCSP responses). This makes it possible to validate the signed document using the contents of the file itself.

PAdES-B-LTA level

This signature provides long-term availability and integrity of validation material. It builds on the previous level by adding a cryptographic timestamp token to the document itself and the validation material (also called a “document timestamp”).

This establishes evidence that the validation material existed at that point in time, letting a signature validator determine that no certificates were revoked or expired at the time the signature was created.

In theory, it’s possible to periodically add further document timestamp tokens. This lets a document signature remain valid long after initial certificates–and even signing algorithms–have expired or were deemed insecure.

The four PAdES levels: Compared

Here’s how the four levels of baseline signatures compare:





Basic signature

Signing certificate


Signature with a timestamp

Everything in PAdES-B-B, plus:

Cryptographic timestamp token


Signature with validation for all materials

Everything in PAdES-B-T, plus:
Signing certificates, Timestamp certificates
Revocation data


Signature with long-term integrity

Everything in PAdES-LT, plus:

Document timestamp token

What PAdES level should you choose for document signatures?

Now that you know the difference, the natural question is: “What PAdES level should I be applying to my document signatures?” 

In short, this depends on two main factors:

  1. How long do you need the signature to remain valid?
  2. How business-critical is the validity of the signature?

For simple documents like invoices–where validity can be proven by the subsequent payment of the invoice itself–a basic signature (B) or signature with time (T) should be sufficient.

For signatures that might need to be validated in the distant future, like investment agreements, you would need at least a PAdES-B-LT level. We recommend implementing PAdES-B-LTA for such cases, because the technical implementation differences between the last two levels are minor.

Our blog

Latest blog posts

The latest industry news, interviews, technologies, and resources.

Kindred: Fast and Compliant MitID Integration

Kindred is one of the largest online gambling groups in the world, with a portfolio of well-known brands such as Unibet and Maria Casino.


How to Authenticate Callers with Twilio, CIBA, and...

In this tutorial, we’ll create a minimal implementation of Twilio’s Voice API along with Swedish BankID in telephone calls to demonstrate simple and...

View all posts

Sign up for our blog

Stay up to date on industry news and insights