The Stack Archive

Why PDF/A is critical for secure, trusted digital signatures

Tue 5 Jul 2016


liaquat-khan1Liaquat Khan, Technical Director, Ascertia and SigningHub, details what organisations should be looking out for when considering e-signature solutions…

Our world is becoming more digital by the day. And even if the digitisation of business processes is not an easy undertaking, a recent global study released by the Association for Information and Image Management (AIIM) revealed that 57% of companies are committed to digital transformation, and ‘paper-free’ is an essential starting point. At the same time, 79% of organisations agreed that all businesses should have a mechanism for e-signatures.

Projects implementing e-signatures (including digital signatures) usually focus on the business benefits of cost-cutting, efficiency and improved user experience. Often, however, the initial driver for e-signing projects can be compliance and regulations.

Nowadays, a lot of information only exists digitally, but will documents still be legible in the years to come and furthermore, under court scrutiny?

Until now, one of the the strongest solutions that guarantees data consistency for digitally signed documents is PDF/A. The PDF/A standard aims to enable the creation of PDF documents with a visual appearance that will remain the same over any period of time. These files are software-independent and unrestricted by the systems used to create, store and reproduce them. Additionally, PDF/A ensures that the documents can be retrieved and rendered with a consistent, predictable result each time they are viewed. In addition, the standard prevents many processing problems that can occur with password-protected PDF documents or when printing files.

What does this mean for a business?

In some circumstances, the fact that there is a cryptographic signature on a document which indicates that a person signed it is not enough if it can be proven that when the user viewed the document the content was different, i.e. when the user viewed the document they saw something else and what was cryptographically signed was something different.

But due to PDF/A’s strong security standards, the signer cannot claim they signed a different document to the one being queried because the fonts are embedded inside the document and not dynamically linked specifically to prevent misrepresentation later.

Businesses should address the potential threat scenarios by ensuring they have put countermeasures in place

There are also safeguards to counter Man-In-The-Middle (MITM) or Man-In-The-Browser (MITB) threats – industry best practice recommends that the document is signed initially by the e-signature service provider before it is presented to the user. This locks the document’s integrity and the user can verify the service provider has sent the document without it being changed by anyone in the middle. This gives assurance to users that the document is authentic and is ready to be signed by them.

While PDF/A ensures that the digitally signed document is tamper resistant, there are other significant threats that organisations should take into consideration when selecting a digital signature solution. To implement legally-binding signatures, businesses should address the potential threat scenarios by ensuring they have put countermeasures in place that mitigate the risks.

Some of the most important questions organisations should consider when deciding if an e-signature solution can be trusted and whether signed documents are valid under court scrutiny are:

  • Does the signature identify the signer?
  • Can the user make their signature mark on the document?
  • Can the signer’s intention to sign be proven?
  • Can the signature be verified many years into the future?
  • Is there a complete audit trail?

If the user can answer ‘Yes’ to all of these questions, then the organisation can rest assured that an independent adjudicator can have no reasonable doubt on who signed and whether they knew the implications of their actions at the time.

At the same time, it is important to note that legally-binding e-signatures are not just about the technology, organisations need to take a holistic approach and look at the complete process of viewing and signing documents, ensuring that they have put in place countermeasures that mitigate risks and enhance growth opportunities.


business feature
Send us a correction about this article Send us a news tip