by lrosenth

Created

January 19, 2009

According to the European Union definitions, PDF (ISO 32000-1) supports Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES). There has been some confusion on this point and I will explain this more in this blog.

Background

The European Union (EU) is going through a very interesting and exciting time of trying to bring together many hitherto independent countries into, well, a European Union. There is particular interest in government-to-constituent electronic communications and in conducting business transactions across the EU electronically. So the EU is pushing the electronic envelope in many ways that by the nature of their activity is very “standards” oriented. This is in contrast to, say the US where various government agencies and various business are approaching these things less from a standards view and more from a view of what works and what is available. At least these are my observations, for what they are worth. This is not to say that the US is not interested in standards but just that the EU seems to be nearly consumed by a standards consciousness.

Electronic signatures (e-signatures) play an important role in assuring trustworthy and legally sound communication between governments and those governed and for businesses conducting electronically assisted transactions with other businesses and with customers also on a sound and legal basis.

The Directive 1999/93/EC of the European Parliament and of the Council, dated December 13, 1999, about a Community Framework for Electronic Signatures, is commonly referenced as the test(s) that electronic signature technology has to pass to be used in various legally binding manners within the EU. In fact, all EU countries have agreed to accept “Qualified Electronic Signatures” (QES) on a par with plain old ink-on-paper signatures and other electronic signatures including “Advanced Electronic Signatures” (AES) “cannot be denied legal effectiveness or admissibility as evidence”.

PDF digital signatures can be AES and QES

One reason I bring all this up is that PDF digital signatures can be QES according to the EU definitions, provided that the certificates used are “Qualified Certificates” (QC). PDF digital signatures can also be AES.

A lot of this has to do with establishing a hierarchy of trusted “Certification Service Providers” (CSPs). In practice these are Internet servers that deliver certificates that establish an association between people and their public keys.  I want to make the most important point that since PDF digital signatures are based upon the same PKI (Public Key Infrastructure) standards that these CSPs use then PDF can provide AES and QES. PDF is very suitable for conducting business in the EU and now with PDF an international standard (ISO 32000-1) the EU owns PDF just as much as anyone else. Certainly, Adobe no longer owns PDF.

Meeting requirements

Here is a key quote from the 1999/93/EC Directive (Article 2.2):

“advanced electronic signature” means an electronic signature
which meets the following requirements:

(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain
under his sole control; and
(d) it is linked to the data to which it relates in such a
manner that any subsequent change of the data is
detectable;

All of these properties can be satisfied by a PDF digital signature. The standardized PKI Certificates can satisfy the (a) through (c) and (d) is satisfied by typical PKI signing technology using message digests. More background about PKI and PDF signatures is provided in my previous blogs. The QES add to these requirements additional ones about the quality of the certificates used and the CSPs and is spelled out in Annex I and II of the Directives. PDF can use these qualified certificates and hence can support QES also.

Watch the wording

PDF digital signatures have many optional choices and exactly which ones are used for any given signature depends upon the software used and in some cases on the signers choices. For example, which signer certificate and who issued it are the signers choice. I have tried to word my claims carefully by saying “PDF digital signatures can be” QES and AES since it is possible to chose options that will not satisfy the EU requirements.

ETSI/ESI and Electronic Signatures

European Telecommunications Standards Institute (ETSI) is recognized by the European Commission as a European Standards Organization. Its Electronic Signatures and Infrastructure Technical Committee (ESI) has established standards as its title suggests, in particular CAdES (CMS Advanced Electronic Signatures:TS 101 733 ) and XAdES (XML Advanced Electronic Signatures:TS 101 903 ). These standards were carefully crafted to follow the European Commission Directives and have become relatively synonymous with those directives.

PDF digital signatures and CAdES share the same infrastructure. They both use the Cryptographic Message Syntax (CMS) including particularly PKCS#7. PDF also allows the use of PKCS#1 and other schemes so this is a point where we must say that PDF supports PKCS#7 but not exclusively. We note that the European Directive is not so specific that it spells out the use of these technologies but CAdES and PDF have made these implementation choices.

There are some very particular differences in the exact way that PDF uses PKCS#7 and the way that CAdES uses it. Since some people associate CAdES synonymously with the European Directive they conclude that these differences make PDF not comply with the directives. The fact is that CAdES and the European Directive are not the same thing and although CAdES is an outstanding standard that follows the directives it is not, nor will it be, the only technology that follows the directives. The difference between PDF digital signature and those of CAdES are very minor and the European Directives does not give enough technical detail to distinguish between them.

ETSI/ESI and ISO 32000-1

ETSI has recently established a Task Force (TF) within ESI to establish standards common between CAdES, XAdES and PDF digital signatures as specified in ISO 32000-1. This TF is in the process of making sure that these technologies come together to everyone’s satisfaction and they will make special efforts to make sure there is no doubt that they follow the European Directives as they evolve. In particular, they will spell out and standardize which choices for PDF (ISO 32000-1), assure that the signatures are AES or QES. They also plan to work with the ISO working group on any changes for the future digital signature technology in PDF (anticipated as ISO 32000-2).

This is good news for both ETSI/ESI and the ISO PDF working group.  It is especially good for users who want to use standard digital signatures.

I think I have one more blog article in me about digital signatures, so stay tuned for a few more details about PDF digital signatures and how they work.

Jim King (contact: jking@adobe.com)