While reading about digital signatures, you may have come across the term “PAdES” (PDF Advanced Electronic Signatures). It’s a set of restrictions and extensions to PDF to make it suitable for electronic signatures within eIDAS.
PAdES and its four levels of baseline signatures are defined in technical detail in ETSI EN 319 142-1 and ETSI EN 319 142-2.
Below, we break them down into simpler terms.
PAdES-B-B level
This is a basic signature. It remains valid as long as the certificate used to sign it is also valid (i.e. not expired or revoked).
PAdES-B-T level
This signature is an extension of the basic signature. It includes a cryptographic timestamp token to prove that the signed document existed at a given point in time.
PAdES-B-LT level
This signature builds on the previous one by incorporating all materials required to validate the signed document. This typically includes signing certificates, timestamp certificates, and revocation data (like CRL and OCSP responses). This makes it possible to validate the signed document using the contents of the file itself.
PAdES-B-LTA level
This signature provides long-term availability and integrity of validation material. It builds on the previous level by adding a cryptographic timestamp token to the document itself and the validation material (also called a “document timestamp”).
This establishes evidence that the validation material existed at that point in time, letting a signature validator determine that no certificates were revoked or expired at the time the signature was created.
In theory, it’s possible to periodically add further document timestamp tokens. This lets a document signature remain valid long after initial certificates–and even signing algorithms–have expired or were deemed insecure.
The four PAdES levels: Compared
Here’s how the four levels of baseline signatures compare:
|
Level |
Description |
Validation |
|
PAdES-B-B |
Basic signature |
Signing certificate |
|
PAdES-B-T |
Signature with a timestamp |
Everything in PAdES-B-B, plus: Cryptographic timestamp token |
|
PAdES-B-LT |
Signature with validation for all materials |
Everything in PAdES-B-T, plus: |
|
PAdES-B-LTA |
Signature with long-term integrity |
Everything in PAdES-LT, plus: Document timestamp token |
What PAdES level should you choose for document signatures?
Now that you know the difference, the natural question is: “What PAdES level should I be applying to my document signatures?”
In short, this depends on two main factors:
- How long do you need the signature to remain valid?
- How business-critical is the validity of the signature?
For simple documents like invoices–where validity can be proven by the subsequent payment of the invoice itself–a basic signature (B) or signature with time (T) should be sufficient.
For signatures that might need to be validated in the distant future, like investment agreements, you would need at least a PAdES-B-LT level. We recommend implementing PAdES-B-LTA for such cases, because the technical implementation differences between the last two levels are minor.
