The PAdES standard (ETSI TS 102 778) profiles the digital signature support of the PDF 1.7 format (ISO 32000-1) so that advanced digital signatures can be included in PDF documents. It also extends this support by defining additional data structures for maintaining signature validity over time. The ISO 32000-1 extensions defined by PAdES are planned for inclusion in ISO 32000-2.
Specifically, PAdES (ETSI TS 102 778) defines the following profiles:
- PAdES-CMS: This profile defines a CMS/PKCS#7 digital signature based on ISO 32000-1. It requires that the /ByteRange key of the digital signature dictionary covers the entire file and that the /SubFilter key takes only the value adbe.pkcs7.detached or adbe.pkcs7.sha1. In addition, this profile recommends including a time-stamp as an unsigned attribute of the CMS/PKCS#7. The TrustedX digital signature services currently support signing PDF documents using this PAdES profile.
- PAdES-BES and PAdES-EPES: These profiles define CAdES-BES (ETSI TS 101 733) and CAdES-EPES (ETSI TS 101 733) digital signatures. They require that the /ByteRange key of the digital signature dictionary covers the entire document and that the /SubFilter key contains the value ETSI.CAdES.detached. Use of the /Cert key is prohibited. Both digital signature types allow including a time-stamp, which in fact makes them CAdES-T (ETSI TS 101 733) digital signatures. So, the PAdES-BES and PAdES-EPES digital signatures have the same characteristics as the CAdES-BES, CAdES-EPES and CAdES-T digital signatures. The TrustedX digital signature generation service currently supports signing PDF documents using this PAdES profile.
- PAdES-LTV: This profile is an extension of ISO 32000-1, as it defines two structures that support extending digital signature validity for any length of time. The first is the DSS (Document Security Store) dictionary, which stores all the validation data (CA certificates, CRLs and OCSP responses) required to validate the document's digital signatures. The second is the Document Time-stamp dictionary, which is an ISO 32000-1 digital signature dictionary whose /SubFilter key has the value ETSI.RFC3161 and which contains a time-stamp for the entire PDF document, including the DSS dictionary containing all the validation data for the signatures. While it is valid, this time-stamp maintains the proof value of the validation data of the digital signatures. That is, it maintains their strength beyond their expiry date. Furthermore, before the first time-stamp expires, the DSS and Document Time-stamp structures can be reused to maintain the proof value of this stamp and so maintain the digital signature's validity. In this case, the DSS dictionary contains the validation data of the first time-stamp, and the Document Time-stamp dictionary contains a second time-stamp that, again, covers the entire document. Thus, by repeatedly adding a DSS dictionary that contains the validation data of the last time-stamp and then adding a Document Time-stamp dictionary, the validity of digital signatures in PDF documents can be maintained for any length of time. Applying the PAdES-LTV profile to PDF documents that contain digital signatures generated as per the PAdES-BES and PAdES-EPES profiles yields digital signatures with the same long-term characteristics as CAdES-XL and CAdES-A (ETSI TS 101 733). The TrustedX digital signature generation service currently supports updating PDF documents using this PAdES-LTV profile.
- PAdES-XML: This profile comprises a set of profiles that describe how to use XAdES (ETSI TS 101 903) digital signatures in PDF documents. Specifically, a distinction is made between arbitrary XML documents signed as per XAdES and XFA forms signed as per XAdES.
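
The /SubFilter and /ByteRange requirements in the profiles above can be checked directly on a file's bytes. The following Python sketch is an added example, not TrustedX code or part of the PAdES specification: it classifies each signature dictionary by its /SubFilter value and reports whether the /ByteRange starts at offset 0, leaves only the /Contents hex string unsigned, and reaches the end of the file. The names `inspect_signatures` and `build_sample` are hypothetical, the sample input is constructed, and the scan assumes signature dictionaries are stored as uncompressed indirect objects.

```python
import re

# /SubFilter values named in the profile list above -> profile they indicate
PROFILES = {
    b"adbe.pkcs7.detached": "PAdES-CMS",
    b"adbe.pkcs7.sha1": "PAdES-CMS",
    b"ETSI.CAdES.detached": "PAdES-BES/EPES",
    b"ETSI.RFC3161": "PAdES-LTV document time-stamp",
}
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SUB_FILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.]+)")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]*>")


def inspect_signatures(pdf: bytes) -> list:
    """Classify each signature dictionary and report what its /ByteRange covers."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = map(int, m.groups())
        # Assumption: the dictionary is an uncompressed indirect object.
        start = max(pdf.rfind(b"obj", 0, m.start()), 0)
        end = pdf.find(b"endobj", m.end())
        obj = pdf[start:end if end != -1 else len(pdf)]
        sf = SUB_FILTER.search(obj)
        reports.append({
            "profile": PROFILES.get(sf.group(1), "unknown") if sf else "unknown",
            "starts_at_zero": o1 == 0,
            # The only bytes left unsigned must be the <hex> /Contents string.
            "gap_is_contents": HEX_STRING.fullmatch(pdf[o1 + l1:o2]) is not None,
            # False once a later incremental update (e.g. a DSS) follows.
            "covers_to_eof": o2 + l2 == len(pdf),
        })
    return reports


def build_sample(subfilter: bytes, appended: bytes = b"") -> bytes:
    """Constructed signature-dictionary skeleton; not a complete, openable PDF."""
    tmpl = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /%s "
            b"/ByteRange [0 %010d %010d %010d] /Contents ")
    contents, tail = b"<" + b"00" * 16 + b">", b" >>\nendobj\n%%EOF\n"
    l1 = len(tmpl % (subfilter, 0, 0, 0))
    head = tmpl % (subfilter, l1, l1 + len(contents), len(tail))
    return head + contents + tail + appended


if __name__ == "__main__":
    print(inspect_signatures(build_sample(b"ETSI.CAdES.detached")))
    print(inspect_signatures(build_sample(b"ETSI.RFC3161", b"2 0 obj\n<<>>\nendobj\n")))
```

In a document updated as per PAdES-LTV, only the most recent Document Time-stamp is expected to report `covers_to_eof` as true; earlier signatures cover the file as it was when they were applied, so bytes appended after the last signature or time-stamp are the ones to examine.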