ETSI PAdES - explored and explained

Posted by Liaquat Khan on Apr 10, 2013 12:59:00 PM

Within Europe a new digital signature format, “PAdES”, is gaining traction. PAdES stands for “PDF Advanced Electronic Signatures” and is a set of standards published by ETSI (TS 102 778 parts 1 to 5) to support European requirements for electronic signatures. Its specific purpose is the creation of long-term signatures that remain verifiable for years or even decades.

Current PDF signature challenges

You may ask why the current PDF signatures (as specified in ISO 32000 and ISO 19005 and implemented in most PDF software products) are not good enough. This is a good question, and indeed they are good enough to the extent that the PAdES specifications use them: the signatures defined in PAdES Part 2 (see below) are exactly the same as the current ones. The other parts of PAdES go a step further and incorporate all the features of the XAdES (ETSI TS 101 903) and CAdES (ETSI TS 101 733) specifications as applicable to PDFs.

The reason for the new standard is that existing PDF signatures cannot be extended for the purpose of very long-term verification. When current PDF signatures are created, the signer’s certificate status is embedded before signing and then the whole signature is timestamped. It is not possible to add further information afterwards, in particular fresh archive timestamps. Thus existing PDF signatures can only be verified up to the lifetime of the embedded timestamp. With PAdES Parts 4 and 5, the initial timestamp can later be refreshed with additional timestamps, creating a chain of timestamps that enables document signatures to be verified for decades into the future.
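The following sketch is an added example, not Ascertia or ETSI code. It models the timestamp chain described above with constructed dates and hypothetical names (Timestamp, verifiable_until), showing why a single embedded timestamp caps the verification period and why each refresh must be applied before the previous timestamp expires.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Timestamp:
    issued: datetime           # time asserted by the timestamp authority (TSA)
    tsa_cert_expiry: datetime  # end of life of the TSA certificate that signed it


def verifiable_until(signer_cert_expiry: datetime,
                     timestamps: List[Timestamp]) -> Tuple[datetime, Optional[str]]:
    """Return (deadline, problem) for a signature and its timestamp chain.

    Simplified model: a timestamp only extends verifiability if it was applied
    while the proof before it (signer certificate, then each earlier
    timestamp) was still valid. Revocation and algorithm ageing are ignored.
    """
    deadline = signer_cert_expiry
    for n, ts in enumerate(sorted(timestamps, key=lambda t: t.issued), start=1):
        if ts.issued > deadline:
            return deadline, (f"timestamp {n} ({ts.issued:%Y-%m-%d}) was added "
                              f"after the previous proof expired")
        deadline = ts.tsa_cert_expiry
    return deadline, None


# Constructed sample dates, not taken from any real document.
SIGNER_EXPIRY = datetime(2014, 4, 1)
SINGLE = [Timestamp(datetime(2013, 4, 10), datetime(2018, 4, 10))]
REFRESHED = SINGLE + [
    Timestamp(datetime(2017, 12, 1), datetime(2023, 1, 1)),
    Timestamp(datetime(2022, 10, 1), datetime(2028, 1, 1)),
]
LATE_REFRESH = SINGLE + [Timestamp(datetime(2019, 6, 1), datetime(2024, 6, 1))]

if __name__ == "__main__":
    for name, chain in [("single", SINGLE), ("refreshed", REFRESHED),
                        ("late refresh", LATE_REFRESH)]:
        print(name, verifiable_until(SIGNER_EXPIRY, chain))
```

In the late-refresh case the second timestamp adds nothing, because it was applied after the first one had already expired.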

PAdES specifies the use of CAdES signature formats for signing the PDF content. PAdES also specifies the use of XAdES signature formats for signing the XML content within a PDF (see PAdES Part 5 link below). So the use of CAdES and XAdES within PDF signatures will now allow these signatures to be extended by either the signer or Relying Parties to ensure that signatures can be verified for as long as is necessary.

Will PAdES become an ISO standard?

The new PDF features defined in PAdES Parts 3 to 5 need extensions to the existing PDF standard and will be submitted to the ISO 32000 committee for consideration for inclusion in the next release of PDF, ISO 32000-2, expected to be published in late 2011 or early 2012. As such, updates to existing PDF software will be needed to support the new profiles spelled out in Parts 3 through 5.

How does PAdES relate to PDF/A?

ISO 19005 (PDF/A) is the subset of the PDF specifications intended for long-term archiving. These specifications help to ensure PDF documents are self-contained and can be rendered well into the future. PAdES helps to ensure that PDF signatures remain verifiable over this period. So PDF/A is independent of PAdES; however, the two specifications are complementary for long-term archive purposes.

Ascertia’s products fully support PDF/A-compliant digital signatures, and Ascertia recommends that PDF documents are first converted to PDF/A and then a PAdES signature is applied.

What are Ascertia’s plans for supporting PAdES?

ADSS Signing Server and PDF Sign&Seal desktop products already support PAdES Part 2 signatures. The following sections explain how to configure these options.

Ascertia R&D is working on the other parts of PAdES and plans to release these later in 2010. Ascertia plans to participate in ETSI interoperability 'Plug tests' later in 2010 to test interoperability between implementations.

Note that the general use of Parts 3 to 5 of PAdES will be limited until these are also supported in the freely available Adobe® Reader. It’s currently uncertain when Adobe Inc will do this, possibly not until 2011 when ISO 32000-2 is released.

Configuring PAdES part 2 signatures in PDF Sign&Seal

[Image: Configuring PAdES Part 2 Signatures in PDF Sign&Seal]

Step 1: Configuring PAdES part 2 signatures in ADSS Server

[Image: Configuring PAdES Part 2 Signatures in ADSS Server (Step 1)]

Step 2: Configuring PAdES part 2 signatures in ADSS Server

[Image: Configuring PAdES Part 2 Signatures in ADSS Server (Step 2)]

Summary

PAdES is fast becoming a recognised acronym within the European signature industry. It will be an important future standard, and various legislation may mandate it. PAdES consists of 5 different parts; current PDF software supports PAdES Part 2, which is based on ISO 32000.

Later parts of PAdES allow the signature to be extended for long-term verification by making it possible to embed a chain of timestamps. These later parts of PAdES will eventually become a part of ISO 32000-2 (possibly in 2011/12).

Ascertia products currently support PAdES Part 2 and enhancements are due later in 2010.

References to PAdES Specifications

PAdES specifications consist of five parts: