Companies that do business electronically need security controls and mechanisms that are fully compliant with EU regulations to protect all their transactions. They therefore need a signature file format that carries evidence of the signature's validity even if the signer later attempts to repudiate it, and that ensures the signature cannot be changed without the owner knowing about it.
This is where XAdES (XML Advanced Electronic Signature) comes in.
# What is XAdES?
XAdES is the technical implementation of one output file format for electronic signatures. Simply put, it is a way of storing the result of an electronic signature.
It is a structured file format based on XML. XML formats have defined rules for how information about the signature is stored. A XAdES file needs to contain information about the signer, the original document and its contents, the electronic signature applied to the document, timestamps, and other important data, all of which are stored and embedded in the file.
It is just one type of file format for storing electronic signatures. Other examples include CAdES (CMS Advanced Electronic Signatures) and PAdES (PDF Advanced Electronic Signatures). These are all used for advanced and qualified digital signatures.
XAdES is a European standard from ETSI (the European Telecommunications Standards Institute). It is therefore used internationally, and anybody is able to perform the signature validation. This is a significant benefit over many proprietary formats, as it is a common format across countries and can be used by anyone.
# What are the benefits of XAdES?
Electronic signatures in XML formats remain valid over long periods of time and are legally binding if they comply with the eIDAS regulation (Electronic Identification, Authentication, and Trust Services) under EU law. The file can also include evidence that the signature is completely verified.
The advantages of using the XML format are:
1. It supports long-term validation - XAdES may have a timestamp attached to the signature, which allows for long-term validity of the signature. Long-term validation also involves storing additional validation information within the XAdES file.
2. It contains the status of the certificate - As a certificate may be revoked for a number of reasons (for example compromised keys, or misconduct), the issuer (Certificate Authority) is required to maintain a list of revoked certificates. Whenever a certificate is used as part of a signature process, the status of this certificate is checked, and the result of this check is added to the XAdES, proving that the certificate was valid at the time of signing.
3. It contains all events related to the signature process - all the signature information available for the signature is included. This means:
- It is uniquely linked to the signatory as the signer’s identity is fully verified.
- Only the signatory has control of the data used to create the signature.
- If any data attached to the signature has been changed after signing, it can be traced.
4. It doesn’t depend on the trust service provider (TSP) you use - You can use any TSP to validate this type of file format as it is based on open standards.
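To make items 1 and 2 concrete, the following Python example (added here, not code from the original article or from any trust service provider) inspects a XAdES signature and reports which pieces of validation evidence are embedded. The element names come from the ETSI XAdES v1.3.2 namespace; the sample XML and the function name `inspect_xades` are constructed for illustration, and the check is structural only, with no cryptographic verification.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"

# Constructed sample: placeholder values, not a real signature.
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}" Id="sig-1">
  <ds:SignedInfo>
    <ds:Reference URI="#doc"/>
    <ds:Reference URI="#sp-1" Type="http://uri.etsi.org/01903#SignedProperties"/>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:Object><xades:QualifyingProperties Target="#sig-1">
    <xades:SignedProperties Id="sp-1"><xades:SignedSignatureProperties>
      <xades:SigningTime>2024-01-15T10:00:00Z</xades:SigningTime>
      <xades:SigningCertificateV2/>
    </xades:SignedSignatureProperties></xades:SignedProperties>
    <xades:UnsignedProperties><xades:UnsignedSignatureProperties>
      <xades:SignatureTimeStamp/>
    </xades:UnsignedSignatureProperties></xades:UnsignedProperties>
  </xades:QualifyingProperties></ds:Object>
</ds:Signature>"""

def inspect_xades(xml_text):
    """Report embedded validation evidence (structure only, no crypto check)."""
    root = ET.fromstring(xml_text)
    def has(name):
        return root.find(f".//{{{XADES}}}{name}") is not None
    sp = root.find(f".//{{{XADES}}}SignedProperties")
    sp_id = sp.get("Id") if sp is not None else None
    refs = [r.get("URI") for r in root.iter(f"{{{DS}}}Reference")]
    report = {
        "signing_time": root.findtext(f".//{{{XADES}}}SigningTime"),
        "signer_cert_ref": has("SigningCertificate") or has("SigningCertificateV2"),
        # Signing time and certificate reference are only protected if
        # SignedProperties is itself referenced from ds:SignedInfo.
        "signed_props_covered": bool(sp_id) and f"#{sp_id}" in refs,
        "signature_timestamp": has("SignatureTimeStamp"),  # item 1: timestamp
        "cert_values": has("CertificateValues"),           # embedded cert chain
        "revocation_values": has("RevocationValues"),      # item 2: CRL/OCSP result
    }
    # Anything falsy is evidence the file does not carry.
    report["gaps"] = [k for k, v in report.items() if not v]
    return report

if __name__ == "__main__":
    print(inspect_xades(SAMPLE))
```

A file that shows gaps can still hold a valid signature; the gaps are the embedded evidence that a validator would otherwise have to obtain from the certificate issuer at validation time.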
# What are the differences between XAdES and PAdES?
PAdES is another file format like XAdES, except that it also has a visual representation and is encoded as a PDF, for example, a PDF containing an advanced electronic signature and qualified electronic signature.
The advantage of PAdES is that it can be viewed by anyone with a basic PDF viewer, although only specific viewers (such as Adobe Reader) can validate and view the signature. By contrast, someone who receives an XML document may not know how to open and view it.
However, if you want to pull out information and embed it into your business system, an XML format is much better suited to this. A XAdES file, or even multiple XAdES files, can also be assembled into a PAdES. Some trust service providers (TSPs), for example Signicat, take the XAdES, the legal document itself, and turn it into a PAdES so that the user can view it easily.
All of the factors encoded in XAdES allow it to be used as a qualified electronic signature. With all of these features, qualified electronic signatures have the highest level of security in a courtroom. This is due to the verification of identities and the tracing of all events and any changes made to the signature. This is why XAdES and PAdES are used in trust service providers’ solutions, including Signicat's, and are the most commonly used formats for implementing electronic signatures.