PDF Certification with Long-Term Validation (LTV)
Why Does Certified PDF with Long-Term Validation Matter for Electronic Signatures and Contracts?
This article explains what Certified PDF with Long-Term Validation (LTV) is, how it works, and why it helps our customers meet one of the four key pillars of eIDAS advanced electronic signature, quoted below, and why it bears on the formation of effective contracts in general.
"[Electronic signature] is linked to the data signed therewith in such a way that any subsequent change in the data is detectable."
- Article 26 (d), Regulation (EU) 910/2014 (also known as ‘eIDAS’)
What is a 'Certified PDF'?
When you Certify a PDF, you freeze your PDF document in time and identify yourself as the person responsible.
A Certified PDF presents as a blue horizontal bar along the top of the document in PDF Reader.
First, some background on the underlying technology. The mechanism behind Certification is a freely available and widely used encryption technology called public-key encryption.
Public-key encryption underpins much of how the electronic world does secrecy. Anyone can use this technology to send information securely across a network while guaranteeing the source of the information and that it was not altered during the transfer: the building blocks of verifying data.
Public-key encryption can be organised into a structure called 'Public Key Infrastructure' (PKI), a structure of keys and certificates to better identify people, and verify their data.
An important element of PKI is how it verifies the person who transfers data. This is done by creating a hierarchy, whereby one certificate can be produced from another. You can test a certificate and know the parent certificate it came from, thereby producing a chain of certificates (each verifiable and tied to someone's 'key'), connected together from a trusted root source.
What Does it Do for a PDF?
Those elements in cryptography enable us to prove what has happened to a PDF in a way that helps us to form legally binding contracts.
The certificate-chain element of PKI is where identity can be proved. Anyone can create a PKI key and certificate file and claim to be anyone. Adobe incorporated handling for PKI certificate chains, but also built Reader to check whether an applied certificate was the offspring of only one very well protected 'parent'. This means that when you apply a certain type of certificate, derived from Adobe's 'parent certificate', Reader can confirm it, and mark that particular PDF as 'Certified'.
The certificate 'chain' is viewable in PDF Reader.
When Legalesign 'Certifies' a PDF this is exactly what happens. We could apply any key/certificate and Adobe Reader would recognise it and add it to the PDF. But since Legalesign went through a process to prove who we are to a third party issuer, who themselves had approval from Adobe, we gained access to a special certificate issued from one of the original sources. Adobe Reader checks whether our certificate falls into this special category and, since it now knows the sender has had their identity proven to get that certificate, it can then apply the special "Certified" mark.
All of that means that when you see a document that is Certified you can be confident the issuer is who it says it is. If not, the issuer could be anyone.
To make the most of this technology, we need to do more for contract formation. PDFs can be edited like any other document. A Certification means little without knowing what time it happened, and what was in the document itself.
The solution is that the Certificate incorporates a guarantee of time that, together with the document content, is bound up with the encryption effort that creates the valid Certification.
Whenever you open a Certified PDF document it takes a little longer than you might expect, and this is because Adobe Reader is checking the Certificate is valid.
The validating effort goes back to the core purpose of public-key cryptography to securely transfer data that was described earlier, but rather than transmitting the data over a network, with Certification, you are effectively transmitting that data through time. The data element is the PDF content and the certificate is bound up in the PDF. Adobe Reader opens and validates the data and certificate in a similar (probably precisely similar) way as if you used public-key encrypted data just sent to you over a network.
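The binding of document content into the Certification can be illustrated with a short added example; it is not Legalesign's or Adobe's code. A PDF signature records a /ByteRange naming the bytes it covers, and a validator recomputes the digest over exactly those bytes. The sample is a constructed byte string rather than a real PDF, and a bare SHA-256 digest in /Contents stands in for the signed CMS blob a real document carries.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# Constructed layout: fixed-width offsets so the prefix length is known up front.
PREFIX = b"%%PDF-1.7\n%s\n1 0 obj << /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
SUFFIX = b" >> endobj\n%%EOF\n"

def build_sample(body: bytes) -> bytes:
    """Build a constructed 'signed' file; the gap between ranges holds the digest."""
    first_len = len(PREFIX % (body, 0, 0, 0))
    second_off = first_len + 66            # '<' + 64 hex characters + '>'
    prefix = PREFIX % (body, first_len, second_off, len(SUFFIX))
    digest = hashlib.sha256(prefix + SUFFIX).hexdigest().encode()
    return prefix + b"<" + digest + b">" + SUFFIX

def check(pdf: bytes) -> str:
    """Classify a file as unsigned, malformed, modified, appended or intact."""
    m = BYTE_RANGE.search(pdf)
    if not m:
        return "unsigned"
    o1, l1, o2, l2 = map(int, m.groups())
    if o1 != 0 or o2 < l1 or o2 + l2 > len(pdf):
        return "malformed"
    recorded = pdf[l1 + 1:o2 - 1]          # hex text between '<' and '>'
    actual = hashlib.sha256(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).hexdigest().encode()
    if actual != recorded:
        return "modified"                  # a covered byte changed after signing
    if o2 + l2 != len(pdf):
        return "appended"                  # bytes exist beyond what was signed
    return "intact"

if __name__ == "__main__":
    signed = build_sample(b"Fee: 100 GBP")
    print(check(signed))
    print(check(signed.replace(b"100 GBP", b"900 GBP")))
    print(check(signed + b"\n2 0 obj << /Extra true >> endobj\n%%EOF\n"))
```

A real validator additionally verifies the CMS signature over that digest and the certificate chain behind it; the digest comparison above is only the content-binding step.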
Why Does it Matter?
If you are seeking to form a contract, all of this makes you feel a lot better about what you are doing. With a Certified PDF, you can now confidently say its content is authentic, and since you can be sure it is from Legalesign you can also be sure it went through a strong eSignature process.
That process within Legalesign incorporates many other important measures, such as an audit log (a record of every action in connection with that document) before finally, with the Certification event, giving you a cast-iron guarantee of the time of the final signing and everything therein.
A central benefit of using an eSignature service is your guarantee, to everyone, that you cannot have tampered with document content. When you use Legalesign or any eSignature service, one upshot is that you can confidently affirm you could not have changed the document. Once sent, it is beyond your control. But there is a caveat: you could fall into a dependence on the service you used. If you need to justify a document then you will need that service to explain what happened on your behalf. Not so with Certification. Using eSignature with Certification means you can both assert your non-interference and have zero reliance on the service itself. Certification means your signed document is its own verification.
Long-Term Validation (LTV)
LTV gives your Certified PDF longevity. Not all eSignature software is made equal when it comes to LTV. Lacking LTV puts a countdown on your document's verification; when the certificate behind the Certification event becomes invalid (all certificates are time limited), your PDF will stop being marked as Certified. Yes, this means that if your PDF lacks LTV you will need to go back to your eSignature service, and perhaps pay them a fee, again, to get your PDF re-certified.
LTV gives a guarantee of time in the Certification in a way that can be confirmed later, whatever the status of Legalesign's own certificate. LTV is gained when the timestamp element is provided not by us (the machine doing the Certification) but by an external trusted source; in doing so, it gives the procedure a completeness that removes later dependence on our certificate. When Adobe Reader recognises that within the Certification, it marks the document with Long-Term Validation.
But when you have a Legalesign Certified PDF with LTV, the LTV gives you a long-term stamp of confirmation that affirms the integrity of your document, exactly when the signing occurred, and a verification of all events in the audit log appended within your document, and all this irrespective of Legalesign itself and any time that has passed.
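The effect of the external timestamp can be shown with a simplified validation model, added here as an illustration and not taken from Legalesign or Adobe Reader. It assumes the rule described above: with a trusted external timestamp the certificate chain is judged at signing time, otherwise at the validator's current time. The chain, names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

def utc(year: int, month: int = 1, day: int = 1) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass
class Certification:
    chain: List[Cert]                      # leaf first, trusted root last
    trusted_timestamp: Optional[datetime]  # time asserted by an external source, or None

def validate(sig: Certification, now: datetime) -> Tuple[bool, str]:
    """Check every certificate in the chain at the applicable reference time."""
    # Revocation checks and the timestamp's own signature are out of scope here.
    if sig.trusted_timestamp is not None:
        ref, basis = sig.trusted_timestamp, "signing time"
    else:
        ref, basis = now, "validation time"
    for cert in sig.chain:
        if not cert.not_before <= ref <= cert.not_after:
            return False, f"{cert.subject} not valid at {basis} ({ref.date()})"
    return True, f"chain valid at {basis} ({ref.date()})"

# Constructed sample chain: a short-lived signing certificate under long-lived parents.
CHAIN = [
    Cert("Signing certificate", utc(2024), utc(2027)),
    Cert("Issuing CA", utc(2020), utc(2035)),
    Cert("Trusted root", utc(2015), utc(2045)),
]
WITHOUT_LTV = Certification(CHAIN, trusted_timestamp=None)
WITH_LTV = Certification(CHAIN, trusted_timestamp=utc(2025, 6, 1))

if __name__ == "__main__":
    for label, sig in (("no external timestamp", WITHOUT_LTV),
                       ("external timestamp", WITH_LTV)):
        for now in (utc(2026), utc(2030)):
            print(label, now.date(), validate(sig, now))
```

An external timestamp that falls outside the signing certificate's validity window still fails, since the chain is then judged at a moment when the certificate was not valid.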
Certified PDF and Contracts
How is all this helpful with the law for formation of contract? It goes back to the fundamental rationale for all written contracts, anywhere, which is to be able to confirm what was agreed. This is what Certified PDF with Long-Term Validation through Legalesign enables you to do in one of the strongest ways currently available.
This note started by quoting one of the four elements that set the standard for advanced electronic signature:
"it [the advanced electronic signature] is linked to the data signed therewith in such a way that any subsequent change in the data is detectable."
Fulfilling that important element of advanced electronic signature is what PDF Certification with LTV is all about. If you made it to the end of this article I hope you will re-read that short but critical element of the eIDAS Regulation with a fresh depth of perspective and understanding; how it connects to the core purpose of written contracts and contract formation, and how that links to electronic signature, Certification technology, contracts and what we offer for your contract process here at Legalesign.