eIDAS standard can have multiple digital signature profiles. These mean how much proof is embedded into the signature metadata for later validation.

Following table contains summary of supported eIDAS digital signature profiles

XAdESCAdESPAdES
STANDARDBASELINESTANDARDBASELINESTANDARDBASELINE
XAdES-BESXAdES-BCAdES-BESCAdES-BPAdES-BESPAdES-B
XAdES-EPESCAdES-EPESPAdES-EPES
XAdES-TXAdES-TCAdES-TCAdES-TPAdES-TPAdES-T
XAdES-XLXAdES-LTCAdES-XLCAdES-LTPAdES-XLPAdES-LT
XAdES-AXAdES-LTACAdES-ACAdES-LTAPAdES-LTVPAdES-LTA

STANDARD profiles are “old” and we are not looking into these.

  1. XAdES-BASELINE-B and CAdES-BASELINE-B and PAdES-BASELINE-B – In this case we have most importantly digest and signature value in the metadata. This assures that the document contents is not modified but we cannot be entirely sure when the file was signed as usually local computer time is used which can be set to anything we want. For same reason we do not know if the certificate was valid when signing. However we can be sure that the file was not modified if we believe that the signer private key is stored securely.
  2. XAdES-BASELINE-T and CAdES-BASELINE-T and PAdES-BASELINE-T- Extension of the previous and now there must be timestamp included in the digital signature metadata. If we use Qualified time stamp then we know when the signature was created. One of the best Qualified time stamp trust service providers in whole Europe is SK ID Solutions AS
  3. XAdES-BASELINE-LT and CAdES-BASELINE-LT and PAdES-BASELINE-LT – All of the above with certificate and its validation information included. This also means that OCSP request is done after timestamping is completed. If you have root CA-s downloaded then you can fully verify the signature even offline.
  4. XAdES-BASELINE-LTA and CAdES-BASELINE-LTA and PAdES-BASELINE-LTA – This signature profile supports multiple timestamps in later dates to make sure that signature is valid even later when previous crypto algorithms might have become too weak.
Categories: