PDF Certification with Long-Term Validation (LTV)

Why does Certified PDF with Long-Term Validation (LTV) matter
for electronic signatures and contracts?

This article explains what Certified PDF with Long-Term Validation (LTV) is, how it works, and why it helps our customers meet one of the four key pillars of eIDAS advanced electronic signature, quoted above, and goes to the formation of effective contracts in general.

"it [the electronic signature] is linked to the data signed therewith in such a way that any subsequent
change in the data is detectable."

- Article 26 (d), Regulation (EU) 910/2014 (also known as ‘eIDAS’)

What is 'Certified PDF'

When you Certify a PDF you freeze your PDF document in time, and identify yourself as the person responsible.

image of certified pdf blue blanner

A Certified PDF presents as a blue horizontal bar along the top of the document in PDF Reader

First some background on the background technology. The mechanism behind Certification is a freely available and widely used encryption technology called public-key encryption.

Public-key controls much of how the electronic world does secrecy. Anyone can use this technology to send information securely across a network while guaranteeing the source of the information and that it was not altered during the transfer; the building blocks to verifying data.

Public-key encryption can be organised into a structure called 'Public Key Infrastructure' (PKI), a structure of keys and certificates to better identify people, and verify their data.

An important element of PKI is how it verifies the person who transfers data. This is a done by creating a hierarchy, whereby one certificate can be produced from another. You can test a certificate and know the parent certificate it came from, thereby producing a chain of certificates (each verifiable and tied to someone's 'key'), connected together from a trusted root source.

What does it do for a PDF?

Those elements in cryptography enable us to prove what has happened to a PDF in a way that helps us to form legally binding contracts.

The certificate-chain element of PKI is where identity can be proved. Anyone can create a PKI key and certificate file and claim to be anyone. Adobe incorporated handling for PKI certificate chains, but also built Reader to check whether an applied certificate was the offspring of only one very well protected 'parent'. This means that when you apply a certain type of certificate, derived from Adobe's 'parent certificate', Reader can confirm it, and mark that particular PDF as 'Certified'.

PDF Reader detail on a certified pdf

The certificate 'chain' viewable in PDF Reader

When Legalesign 'Certifies' a PDF this is exactly what happens. We could apply any key/certificate and Adobe Reader would recognise it and add it to the PDF. But since Legalesign went through a process to prove who we are to a third party issuer, who themselves had approval from Adobe, we gained access to a special certificate issued from one of the original sources. Adobe Reader checks whether our certificate falls into this special category and, since it now knows the sender has had their identity proven to get that certificate, it can then apply the special "Certified" mark.

All of that means that when you see a document that is Certified you can be confident the issuer is who it says it is. If not, the issuer could be anyone.

To make the most of this technology, we need to do more for contract formation. PDFs can be edited like any other document. A Certification means little without knowing what time it happened, and what was in the document itself.

The solution is that Certificate incorporates a guarantee of time that, together with the document content, is bound up with the encryption effort that creates the valid Certification.

Whenever you open a Certified PDF document it takes a little longer than you might expect, and this is because Adobe Reader is checking the Certificate is valid.

The validating effort goes back to the core purpose of public-key cryptography to securely transfer data that was described earlier, but rather than transmitting the data over a network, with Certification, you are effectively transmitting that data through time. The data element is the PDF content and the certificate is bound up in the PDF. Adobe Reader opens and validates the data and certificate in a similar (probably precisely similar) way as if you used public-key encrypted data just sent to you over a network.

Why does it matter?

If you are seeking to form a contract all of this makes you feel a lot better about what you are doing. With a Certified PDF you can now confidently say its content is authentic, and since you can be sure it is from Legalesign you can also be sure it went through a strong eSignature process.

That process within Legalesign incorporates many other important measures, such as an audit log (a record of every action in connection with that document) before finally, with the Certification event, giving you a cast iron guarantee of the time of the final signing and everything therein.

A central benefit of using an eSignature service is your guarantee, to everyone, that you cannot have tampered with document content. When you use Legalesign, or any eSignature service, one upshot is that you can confidently affirm you could not have changed the document. Once sent it is beyond your control. But there is a caveat, you could fall into a dependence on the service you used. If you need to justify a document then you will need that service to explain what happened on your behalf. Not so with Certification. Using eSignature with Certification means you can both assert your non-interference, but also have zero reliance on the service itself. Certification means your signed document is its own verification.

Long-Term Validation (LTV)

LTV gives your Certified PDF longevity. Not all eSignature software is made equal when it comes to LTV. Lacking LTV puts a countdown on your document's verification; when the certificate behind the Certification event becomes invalid (all certificates are time limited), your PDF will stop being marked as Certified. Yes, this means that if your PDF lacks LTV you will need to go back to your eSignature service, perhaps pay them a due, again, to get your PDF re-certified.

LTV gives a guarantee of time in the Certification in a way that can be confirmed later, whatever the status of Legalesign's own certificate. LTV is is gained when the timestamp element is not provided by us (the machine doing the Certification) but from an external trusted source, in doing so it gives the procedure a completeness that removes later dependence on our certificate. When Adobe Reader recognises that within the Certification it marks the documents with Long-Term Validation.

But when you have a Legalesign Certified PDF with LTV, the LTV gives you a long-term stamp of confirmation that affirms the integrity of your document, exactly when the signing occurred and a verification of all events in the audit log appended within your document, and all this irrespective of Legalesign itself and any time that has passed.

PDF Reader detail on a certified pdf

The LTV mark in Adobe Reader

Certified PDF and Contracts

How is all this helpful with the law for formation of contract? It goes back to the fundamental rationale for all written contracts, anywhere, which is to be able to confirm what was agreed. This is what Certified PDF with Long Term Validation through Legalesign enables you to do in one of the strongest ways currently available.

This note started by quoting one of the four elements that set the standard for advanced electronic signature:

"it [the advanced electronic signature] is linked to the data signed therewith in such a way that any subsequent change in the data is detectable."

Fulfilling that important element of advanced electronic signature is what PDF Certification with LTV is all about. If you made it to the end of this article I hope you will re-read that short but critical element of the eIDAS Regulation with a fresh depth of perspective and understanding; how it connects to the core purpose of written contracts and contract formation, and how that links to electronic signature, Certification technology, contracts and what we offer for your contract process here at Legalesign.

ISO 27001 Certified Crown Commercial Supplier Advanced Electronic Signature
High performing software G2 Capterra Legalesign user reviews Read Legalesign reviews on G2 Crowd

I would recommend that anyone looking for an document signing solution to have a good look at Legalesign. The system is very reliable and has great functionality + via their API you can achieve excellent levels of integration with existing software. However, the best part is without doubt their customer service. A lot of online providers shout about their support, these people actually exceed what you expect. I hope this review does not sound too over the top, but try them, you will see what I mean.

P. Savine, Judson Savine

I needed an esign product that would be easy and simple to use, only a few documents but going out regularly, individually and in batches. Legalesign is absolutely great. The tracking is ideal as I can instantly spot all those people who haven't actioned )(or those that say they have and they really haven't). Sending documents takes seconds, and the batch process is really fabulous, today sending 60 contracts out took me less than 30 seconds - it makes a big difference. Support is great too, and always on hand. Would thoroughly recommend.

S. Patterson, Kids Bee Happy

Legalesign has an easy to use interface. You can customize a lot of the features, email design, copy, etc. It looks really professional when you take advantage of all they have to offer. The customer service is fantastic. Any question I have, the team is on instantly. We switched over from Docusign after having our account executive change multiple times and to try and save money. We have been very happy we made the jump!

A. Patzius. Influence & Co.