
e-Signatures Demystified: Understanding PAdES for Secure PDF Signatures

Shunfang
2025-09-17

1、What is PAdES?

1.1 One-sentence Definition

PAdES (PDF Advanced Electronic Signature) is an international standard designed for advanced electronic signatures on PDF documents. It is more than just placing a signature stamp on a PDF; it ensures that the signed PDF file can still be verified and trusted many years later, through a complex but standardized data structure and mechanism.


2、Core Functions of PAdES

Ordinary electronic signatures face three major risks over time:

- Certificate Expiry: Digital certificates used for signing are usually valid for 1-3 years. After expiration, how can we validate the original signature?
- Algorithm Cracking: Cryptographic algorithms that are secure today may be broken by more powerful computers in the future.
- Material Loss: Materials needed to verify signatures, such as Certificate Revocation Lists (CRL), may become unavailable if their servers close.

PAdES solves these issues by defining different levels of signatures:

- PAdES-B-B (Basic Level): Proves the signer’s identity and document integrity.
- PAdES-B-T (With Timestamp): Adds a trusted timestamp to prove that the signature existed at a certain point in time, preventing post-signature denial.
- PAdES-B-LT (Long-Term Validation): Embeds all the materials required for validation (certificates, revocation lists, etc.) directly into the PDF, ensuring validation even if external servers are shut down.
- PAdES-B-LTA (Long-Term Validation with Archiving): Regularly generates new timestamps with more secure algorithms, covering the entire signature package to combat risks of outdated algorithms, ensuring permanent validity.

Generally, PAdES-B-T (with timestamp) is sufficient for basic electronic signature requirements (since the likelihood of a CA closing down is small, certificate status verification is generally supported).


3、Components of PAdES

A PAdES signature includes a complete “trust package” embedded in the PDF file:

- Signature Value: The core cryptographic signature value.
- Signer’s Certificate: The electronic ID proving the signer’s identity.
- Trusted Timestamp: Issued by an authoritative institution, proving the signature time.
- Verification Data (DSS - Document Security Store):
  - Certificate Chain: The certificate of the signer’s issuing CA.
  - Revocation Information: A list proving that the certificate was not revoked at the time of signing.
- Archive Timestamp: At the LTA level, a new timestamp is periodically applied to “reinforce” the entire signature package.
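As an added illustration (not code from this article's author or from the ETSI standard), the Python sketch below scans a PDF's raw bytes for the components listed above and reports the highest signature level they are consistent with. It assumes the standard PDF names for those components (`/SubFilter /ETSI.CAdES.detached`, `/SubFilter /ETSI.RFC3161`, the catalog's `/DSS` entry) and checks presence only: it verifies no signature and will miss a `/DSS` entry stored in a compressed object stream. The function names and sample fragments are constructed for this example.

```python
import re

# DER bytes of OID 1.2.840.113549.1.9.16.2.14 (id-aa-signatureTimeStampToken),
# the CMS unsigned attribute that carries a signature timestamp.
SIG_TS_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIG_DICT = re.compile(rb"/SubFilter\s*/(ETSI\.CAdES\.detached|ETSI\.RFC3161)")
CONTENTS = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")
DSS_REF = re.compile(rb"/DSS\s*(<<|\d+\s+\d+\s+R)")


def pades_profile(pdf: bytes) -> dict:
    """Report which PAdES building blocks appear in the raw bytes of a PDF."""
    subfilters = [m.group(1) for m in SIG_DICT.finditer(pdf)]
    blobs = []
    for m in CONTENTS.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # PDF hex strings treat a missing last digit as 0
            hexstr += b"0"
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return {
        "signature": b"ETSI.CAdES.detached" in subfilters,
        "signature_timestamp": any(SIG_TS_OID in b for b in blobs),
        "dss": DSS_REF.search(pdf) is not None,
        "doc_timestamp": b"ETSI.RFC3161" in subfilters,
    }


def apparent_level(pdf: bytes) -> str:
    """Map the components found to the highest level they are consistent with."""
    p = pades_profile(pdf)
    if not p["signature"]:
        return "no PAdES signature"
    timestamped = p["signature_timestamp"] or p["doc_timestamp"]
    if timestamped and p["dss"] and p["doc_timestamp"]:
        return "B-LTA"
    if timestamped and p["dss"]:
        return "B-LT"
    if timestamped:
        return "B-T"
    return "B-B"


# Constructed fragments (not real signatures): just enough PDF syntax for the scan.
_CMS = "3082" + SIG_TS_OID.hex() + "0000"
SAMPLE_BB = b"<< /Type /Sig /SubFilter /ETSI.CAdES.detached /Contents <30820000> >>"
SAMPLE_BT = b"<< /Type /Sig /SubFilter /ETSI.CAdES.detached /Contents <" + _CMS.encode() + b"> >>"
SAMPLE_LT = SAMPLE_BT + b"\n<< /Type /Catalog /DSS 12 0 R >>"
SAMPLE_LTA = SAMPLE_LT + b"\n<< /Type /DocTimeStamp /SubFilter /ETSI.RFC3161 /Contents <3082> >>"
```

A result from this scan is a triage hint for archiving decisions; a conformant validator still has to check the signature, the certificate chain and the timestamps themselves.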

4、The Relationship Between PAdES, CAdES, and XAdES

PAdES is not an isolated standard; it, along with CAdES and XAdES, forms the “three pillars” of ETSI’s (European Telecommunications Standards Institute) Advanced Electronic Signature standards. These three standards share the same core philosophy: ensuring long-term validity and trust for electronic signatures. However, they target different file formats and application scenarios, each with its own unique features.

CAdES (CMS Advanced Electronic Signature) is a versatile standard that applies to any file format and is particularly effective when files require detached signatures. XAdES (XML Advanced Electronic Signature) specializes in signing XML data, enabling granular, element-level signatures for structured data. In contrast, PAdES (PDF Advanced Electronic Signature) focuses on PDF files, emphasizing the seamless integration of signatures into documents. This integration not only ensures document integrity but also provides a visually appealing user experience that makes the presence of the signature easily noticeable.

All three standards support the same signature levels (B-B, B-T, B-LT, and B-LTA) aimed at ensuring long-term validity, and they rely on the same infrastructure, including PKI (Public Key Infrastructure) and timestamping services (TSA). They also adhere to similar legal frameworks, such as the EU’s eIDAS regulation for Advanced Electronic Signatures.

In short, if you need to sign a file, you can select the appropriate standard based on the file format: use CAdES for any file, XAdES for XML data, and PAdES for PDF documents.

5、PAdES vs Chinese Standard GB/T 31308.3-2023

China’s GB/T 31308.3-2023 standard is a recently introduced national standard that is technically identical to the international PAdES standard (ETSI EN 319 142). Both standards share the same core mechanisms, signature levels, and goals: ensuring the long-term validity and legal enforceability of PDF electronic signatures. While the technical specifications are the same, some differences emerge when it comes to cryptographic algorithms and trust root requirements.

The international PAdES standard typically uses widely adopted cryptographic algorithms such as RSA, ECDSA, and SHA-2, while GB/T 31308.3 strongly recommends and prioritizes the use of domestic cryptographic algorithms (e.g., SM2, SM3, SM9). Furthermore, while PAdES relies on internationally recognized Certificate Authorities (CAs) and Time-Stamping Authorities (TSAs), GB/T 31308.3 requires the use of domestic service providers that are certified in China for commercial encryption products and CA licensing.

In terms of application, PAdES is commonly used for cross-border electronic contracts and international trade documents, meeting global market demands and supporting international mutual recognition. On the other hand, GB/T 31308.3 is primarily applied within China for government documents, financial contracts, and judicial evidence, aligning with national policies, industry standards, and legal compliance, such as the Electronic Signature Law and Cryptography Law.

To summarize, while international PAdES can be considered an “international passport,” the GB/T 31308.3 standard is the “Chinese special edition” of this passport. Both have identical technical specifications, but when “entering China” (i.e., applying in China), they must comply with Chinese laws (Cryptography Law) and use designated “anti-counterfeiting technologies” (domestic cryptographic algorithms).

6、Conclusion

PAdES is one of the foundational technologies for building long-term trust in the digital age. Through its integration with CAdES and XAdES, it provides a comprehensive solution for different application scenarios, ensuring that electronic signatures from data to documents can withstand the test of time.

For businesses, understanding and adopting PAdES (or the domestic GB/T 31308.3) means:

- Legal Protection: Signed electronic contracts have stronger judicial evidence power.
- Cost Efficiency: Achieving a fully paperless process, making contract management, archiving, and verification more convenient.
- Long-Term Compliance: Meeting long-term archiving requirements for electronic signatures under both domestic and international regulations.

Shunfang
Head of Product Management at eSignGlobal, a seasoned leader with extensive international experience in the e-signature industry.