A standard digital signature says "this person signed this." But what if their certificate expires in 5 years? What if the certificate authority shuts down in 10? PAdES solves the time problem: it packages the signer's certificate, a trusted time-stamp from a government-approved authority, and certificate revocation status inside the PDF itself. In 2050, when a lawyer opens the contract, the PDF contains every piece of proof needed to verify the signature — without any internet connection, without any third-party service that may have long since disappeared.
What Is PAdES?
PAdES (PDF Advanced Electronic Signatures) is a family of signature profiles defined in ETSI EN 319 132, the European standard for advanced electronic signatures in PDF format. It was created to satisfy the EU's eIDAS regulation — the legal framework that defines when a digital signature has the same legal standing as a handwritten one.
The fundamental problem PAdES solves is long-term verifiability. A standard PKCS#7 signature embedded in a PDF proves that the document was signed with a particular cryptographic key. But it does not prove:
- Exactly when the document was signed (the signer could backdate)
- Whether the signer's certificate was still valid at the moment of signing
- Whether the signature will remain verifiable after the certificate expires or the CA shuts down
- Whether the signature remains secure if future computing power breaks current encryption algorithms
PAdES addresses all four problems through a series of escalating signature levels.
PAdES vs. standard PDF signature: Adobe Acrobat's default "Sign" feature produces a basic PKCS#7 digital signature — not PAdES. For EU legal compliance and long-term verifiability, a PAdES-capable signing solution is required (e.g., DocuSign, SignServer, dedicated QES providers).
PAdES Signature Levels
| Level | What It Adds | Use Case |
|---|---|---|
| PAdES-B-B (Basic) | Cryptographic hash of document + signer's certificate | Basic identity proof — short-lived purposes |
| PAdES-B-T (Time) | Trusted time-stamp from a TSA (Time-Stamp Authority) | Proves exact signing time — contracts, invoices |
| PAdES-B-LT (Long-Term) | CRL/OCSP revocation data + full certificate chain embedded | Long-lived contracts — offline verification |
| PAdES-B-LTA (Archival) | Periodic re-sealing time-stamps (reseal every 5–10 yrs) | 50+ year legal documents — property deeds, wills |
Real-World Examples
30-Year Warehouse Lease in Germany
A construction company signs a 30-year warehouse lease using PAdES-B-LTA. In 2050, when the lease is ending a decade early and the tenant contests the original terms, the opposing lawyer opens the PDF. Even though the original company's signing server was decommissioned in 2035, the PDF contains the archival time-stamp chain that proves the signature was made validly at the exact second in 2025 — fully verifiable without any external service.
Doctor's Prescription Verified by Pharmacy
A doctor in Spain issues a digital prescription using PAdES-B-LT. The pharmacy instantly verifies that the doctor's medical registration certificate was active at the exact second the prescription was signed — even though the doctor's annual certificate was due for renewal the following week. The embedded OCSP response proves validity at the moment of signing, without any call to an external validation service during the pharmacy's verification.
EU Cross-Border Contract Dispute
A French company and a Polish supplier sign a multi-year supply agreement. A dispute arises three years later in a Warsaw court. The judge uses the PAdES-B-LT embedded data to verify: the French director's qualified certificate was valid, the time-stamp proves the contract was signed two months before the disputed shipment occurred, and the signature has not been tampered with — all proven without any external systems. The case resolves in two weeks instead of two years.
Why PAdES Is the Gold Standard
Legal Non-Repudiation
Time-stamp and revocation data embedded in the PDF makes it impossible for a signer to claim the certificate had expired or the signing date was different. Legally defensible in court.
eIDAS Compliance
PAdES Qualified Electronic Signatures (QES) have the same legal standing as a handwritten signature across all 27 EU member states under eIDAS regulation.
Self-Contained
A PAdES-B-LT PDF is a closed package. Every piece of proof needed to verify the signature is inside the file — no third-party server, no internet, no expiring validation service. Verifiable forever.
Future-Proof Archival
PAdES-B-LTA re-sealing time-stamps renew the signature's cryptographic protection against future quantum computing threats before existing algorithms are broken.
Visual Identity
PAdES supports visible signature appearances — showing a digital representation of a handwritten signature while the cryptographic proof operates invisibly behind it.
International Use
Non-EU jurisdictions including the UK (post-Brexit), Switzerland, Turkey, and many others align their electronic signature laws with eIDAS — making PAdES widely accepted globally for cross-border contracts.
PAdES vs. Standard PDF Signature
| Aspect | Standard PDF Signature | PAdES |
|---|---|---|
| Legal status (EU) | Simple / Advanced e-sig only | ✓ Qualified Electronic Signature (QES) |
| Trusted time-stamp | ✗ Not embedded | ✓ From accredited TSA |
| Certificate revocation proof | ✗ Not included | ✓ CRL/OCSP embedded (LT level) |
| Offline verification | ✗ Requires live CA access | ✓ Fully offline (LT/LTA level) |
| 50-year verifiability | ✗ Certificate expires | ✓ With LTA re-sealing |
| Non-repudiation strength | Weak — signer can dispute time | ✓ Strong — exact time embedded |
Common Mistakes to Avoid
- Using a basic PDF signature and calling it PAdES compliant. Acrobat's default "Sign" feature produces PKCS#7 — not PAdES. For EU eIDAS QES compliance you need a dedicated PAdES-capable solution or a Qualified Trust Service Provider (QTSP).
- Signing at PAdES-B-B level for long-term contracts. B-B provides only basic cryptographic proof — no time-stamp, no revocation data. For anything that needs to be verifiable beyond the certificate validity period, use PAdES-B-LT or higher.
- Not upgrading to LTA before archiving. PAdES-B-LT signatures should be upgraded to B-LTA before archival if the document lifetime exceeds the trust level of the original hash algorithm (typically before 10 years for SHA-256). Many organisations store LT-signed PDFs for decades without re-sealing and then discover verification failures.
- Signing documents that will receive further edits. Once a document is PAdES signed, modifications break the signature unless they are performed in a PAdES-compliant "document authentication" mode (approval signature). Always finalise document content completely before applying the PAdES signature.
- Confusing PAdES with DocuSign or similar service-based e-signatures. Many popular e-signature platforms produce simple electronic signatures (click-to-sign) — not PAdES with embedded cryptographic proof. Always verify the signature type when legal compliance is required.
Frequently Asked Questions
PAdES (PDF Advanced Electronic Signatures, ETSI EN 319 132) is the EU-standard for signing PDFs. It embeds a trusted time-stamp, signer certificate, and revocation proof inside the PDF — signatures are legally binding under eIDAS and verifiable offline for decades.
B-B: Basic signature. B-T: + Trusted time-stamp. B-LT: + Embedded CRL/OCSP revocation data (offline-verifiable). B-LTA: + Periodic re-sealing archival time-stamps (50+ year verifiability).
A standard PDF signature proves identity. PAdES additionally proves signing time (immune to backdating), certificate validity at time of signing, and provides all verification data offline in the file — no external server or internet required to verify.
PAdES QES (Qualified Electronic Signature) is required for the highest-tier eIDAS signature that equals a handwritten signature in all EU member states. For lower-tier Advanced Electronic Signatures, PAdES-B-T or B-LT is strongly recommended for legal defensibility.
Yes — PAdES-B-LT and B-LTA embed all validation data (certificate chain, CRL/OCSP, time-stamps) directly in the PDF. Complete offline verification is possible with no external services. This self-contained nature is one of PAdES's key advantages.
PAdES-B-LTA (Archival) adds periodic re-sealing time-stamps every 5–10 years. This protects the signature if future computing advances render the original hash algorithm insecure — the re-timestamp proves integrity was intact before that point. Essential for 25+ year archival of legal contracts.
Sign PDFs Securely — Free
PDFlyst's Sign PDF tool lets you add digital signatures to your PDFs in seconds.
Sign PDF — Free