Overview
Digital signature technology relies on internationally recognized standards to ensure signatures are secure, verifiable, and legally valid over time. This page covers the key technical standards implemented or planned for Documenso.Documenso implements PDF digital signatures using ISO 32000, X.509 certificates, and RFC 3161
timestamps. Support for PAdES and other advanced standards is planned.
PDF/A for Archival
PDF/A is an ISO-standardized version of PDF designed for long-term archival of electronic documents. Unlike standard PDFs, PDF/A files are self-contained and do not rely on external resources.Key Characteristics
- All fonts embedded - Ensures consistent rendering across systems
- No external content - All resources contained within the file
- No encryption barriers - Content remains accessible long-term
- Embedded metadata - Uses XMP format for standardized metadata
- Device-independent color - Includes ICC profiles for accurate color reproduction
Conformance Levels
| Level | Description | Use Case |
|---|---|---|
| PDF/A-1 | Based on PDF 1.4; most restrictive | Maximum compatibility |
| PDF/A-2 | Based on PDF 1.7; adds features like transparency | Modern documents |
| PDF/A-3 | Allows embedding arbitrary file formats as attachments | Documents with source files |
| PDF/A-4 | Based on PDF 2.0; latest version | Future-proof archival |
Why PDF/A Matters for Signing
For signed documents intended for long-term storage, PDF/A ensures the document remains readable and verifiable years or decades after signing. This is especially important for:- Legal contracts with long validity periods
- Government records
- Financial documents requiring multi-year retention
- Medical records
Documenso supports PDF/A output for long-term archival needs. Self-hosted deployments can
configure PDF/A compliance requirements.
PAdES (PDF Advanced Electronic Signatures)
PAdES is a set of standards (ETSI EN 319 142) that defines profiles for electronic signatures in PDF documents. It builds on the PDF signature capabilities defined in ISO 32000 and adds requirements for long-term validity.PAdES Signature Profiles
| Profile | Description | Validity Period |
|---|---|---|
| PAdES-B | Basic signature with signing certificate | While certificate valid |
| PAdES-T | Adds a trusted timestamp | Extended beyond cert |
| PAdES-LT | Adds validation data (certificates, revocation info) | Long-term |
| PAdES-LTA | Adds long-term archival timestamps | Indefinite |
How PAdES Works
Implementation Status
Status: Planned - Full PAdES support is under development.
- ✓ Basic PDF signatures (ISO 32000)
- ✓ X.509 certificates
- ✓ RFC 3161 timestamps
- ⏳ PAdES-B baseline profile (planned)
- ⏳ PAdES-T with trusted timestamps (planned)
- ⏳ PAdES-LT with validation data (planned)
- ⏳ PAdES-LTA archival timestamps (planned)
XAdES (XML Advanced Electronic Signatures)
XAdES (ETSI TS 101 903) is the XML equivalent of PAdES, defining advanced electronic signatures for XML documents.XAdES Profiles
| Profile | Description | Equivalent to |
|---|---|---|
| XAdES-BES | Basic Electronic Signature | PAdES-B |
| XAdES-T | With timestamp | PAdES-T |
| XAdES-C | With complete validation data | PAdES-LT |
| XAdES-X | Extended with additional timestamps | Enhanced LT |
| XAdES-X-L | Extended long-term | Enhanced LT |
| XAdES-A | Archival with periodic re-timestamping | PAdES-LTA |
Use Cases
XAdES is used for:- XML-based business documents (invoices, purchase orders)
- Government submissions requiring XML format
- Healthcare documents in XML format
- Cross-border e-commerce within the EU
Status: Not currently planned - Documenso focuses on PDF signatures. XAdES may be considered for
future releases based on demand.
ISO 32000 (PDF Standard)
ISO 32000 is the international standard that defines the PDF format. It specifies the technical foundation for digital signatures in PDF documents.Signature Capabilities
ISO 32000 defines:- Signature field dictionaries - Structure for signature placement
- Appearance streams - Visual representation of signatures
- Cryptographic handlers - Supported signature algorithms
- Certificate embedding - Including signer certificates in PDFs
- Timestamp embedding - RFC 3161 timestamp support
- Incremental updates - Preserving original document with signature
- Modification detection - Detecting changes after signing
Signature Algorithms
ISO 32000-2 (PDF 2.0) supports:- RSA with SHA-256, SHA-384, SHA-512
- ECDSA (Elliptic Curve Digital Signature Algorithm)
- DSA (Digital Signature Algorithm)
Document Modification Detection Permissions
| Permission | Changes Allowed After Signing |
|---|---|
| Level 1 | No changes allowed |
| Level 2 | Form filling and signing allowed |
| Level 3 | Form filling, signing, and annotations |
Documenso uses ISO 32000 Level 1 (no changes allowed) to ensure signed documents remain tamper-proof.
X.509 Certificates
X.509 is the standard format for public key certificates used in digital signatures. These certificates bind a public key to an identity and are issued by Certificate Authorities (CAs).Certificate Structure
A typical X.509 certificate contains:| Field | Description |
|---|---|
| Subject | Identity information (name, organization, etc.) |
| Issuer | The CA that issued the certificate |
| Public Key | The signer’s public key |
| Validity Period | Not before / not after dates |
| Serial Number | Unique identifier for the certificate |
| Signature Algorithm | Algorithm used by CA to sign the certificate |
| Extensions | Additional attributes (key usage, policies, etc.) |
Key Usage Extensions
For document signing, certificates typically include:- Digital Signature - Certificate can be used for signing
- Non-Repudiation - Signer cannot deny having signed
- Key Encipherment - (optional) For encryption use cases
Certificate Validation
Validating a certificate involves:- Chain validation - Verify chain up to trusted root CA
- Expiration check - Certificate is within validity period
- Revocation check - Certificate not revoked (via CRL or OCSP)
- Purpose check - Certificate authorized for document signing
Qualified Certificates
Under eIDAS regulations, qualified certificates have additional requirements:- Issued by a Qualified Trust Service Provider (QTSP)
- Stricter identity verification
- Specific certificate policies
- Government oversight and audit
Self-hosted Documenso deployments can configure custom X.509 certificates for signing. See
Signing Certificates for setup instructions.
RFC 3161 (Timestamping)
RFC 3161 defines the Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP). Timestamps prove that a document existed in a specific state at a particular point in time.Timestamp Token Contents
A timestamp token contains:- Hash of the signed data - Cryptographic fingerprint
- Time of issuance - From trusted time source (typically atomic clock)
- TSA identifier - Identity of Time Stamping Authority
- TSA signature - Digital signature from the TSA
- TSA certificate - Certificate used by TSA
Why Timestamps Matter
Timestamp Authorities
A Time Stamping Authority (TSA) is a trusted third party that issues timestamps. TSAs:- Maintain highly accurate time sources (atomic clocks)
- Operate audit-logged timestamp services
- Issue timestamped responses with their own digital signature
- May be regulated (qualified TSAs under eIDAS)
Implementation in Documenso
Documenso supports RFC 3161 timestamps. Self-hosted deployments can configure custom TSA
endpoints.
- Free public TSAs (e.g., FreeTSA.org)
- Commercial TSA services
- Private/internal TSA for air-gapped deployments
What Documenso Implements
Documenso implements digital signatures with the following characteristics:Currently Supported
- ✓ PDF signatures - Using ISO 32000 standard
- ✓ X.509 certificates - For signer identification
- ✓ RFC 3161 timestamps - Trusted timestamping
- ✓ Tamper detection - Any modification invalidates signature
- ✓ Signature visualization - Visual signature representations
- ✓ Multiple signatures - Sequential and parallel signing
Planned Features
- ⏳ PAdES compliance - Full PAdES-B/T/LT/LTA support
- ⏳ PDF/A output - Archival-grade document format
- ⏳ Long-term validation - Embedded validation data
- ⏳ Certificate chain embedding - Self-contained validation
Configuration for Self-Hosted
Self-hosted deployments can configure:- Custom signing certificates (.p12 format)
- Certificate passwords and key storage
- Timestamp authority endpoints
- Hardware Security Module (HSM) integration
- Signature appearance and placement
Regulatory Frameworks
These technical standards support compliance with various regulatory frameworks:eIDAS (EU)
- PAdES for Advanced and Qualified Electronic Signatures
- X.509 certificates from Qualified Trust Service Providers
- RFC 3161 timestamps from qualified TSAs
ESIGN / UETA (US)
- Technology-neutral; standards not mandated
- PDF signatures widely accepted
- Timestamps enhance legal validity
21 CFR Part 11 (FDA)
- Requires secure digital signatures
- Audit trails and timestamps essential
- Certificate-based authentication
Best Practices
Related
- Signature Levels - SES, AES, and QES explained
- E-Sign Compliance - ESIGN, UETA, eIDAS regulations
- Signing Certificates - Certificate configuration and setup
- Security - Security practices and measures