PDF Certification with Long-Term Validation (LTV)

Why does Certified PDF with Long-Term Validation (LTV) matter for electronic signatures and contracts?

"it [the electronic signature] is linked to the data signed therewith in such a way that any subsequent change in the data is detectable." Article 26 (d), Regulation (EU) 910/2014 (also known as ‘eIDAS’)

This article explains what Certified PDF with Long-Term Validation (LTV) is, and why it matters for electronic signature and formation of contract.

What is 'Certified PDF'

When you Certify a PDF you freeze your PDF document and identify yourself as the person responsible. You can look back and know the contents of the PDF at the moment in time it was Certified.

image of certified pdf blue blanner

A Certified PDF presents as a blue horizontal bar along the top of the document in PDF Reader

The mechanism behind this process is the freely available and widely used encryption technology called public-key encryption. Public-key controls much of how the electronic world does secrecy. A full explanation is beyond this note, but for our purposes it uses files called 'keys' and 'certificates' to pass information securely across a network; guaranteeing the source of the information, that it was encrypted en route, and that it was not altered during the transfer.

Public-key encryption can be organised into a structure called 'Public Key Infrastructure' (PKI), an arrangement of those files to better identify individuals. Public-key technology is based around 'key' and 'certificate' files that contain informations about who the sender says they are, as well as the data itself. PKI provides a procedure to verify the sender using a facility whereby one certificate can be produced from another, creating a hierarchy. You can test a certificate and know the parent certificate it came from: a chain of certificates, each tied to someone's 'key', from a trusted source.

What does it do for a PDF?

Those elements in cryptography enable us to prove a lot about what has happened to a PDF in a way that helps us to form legally binding contracts.

First, this technology meant Adobe could make a feature within Adobe Reader that allows PKI technology to be applied so the PDF could tell us that a person did something. Unspectacular perhaps, but with PKI now in play, we can move a long way forward with only a couple more steps.

The certificate-chain element of PKI is where identity can be proved. Anyone can create a PKI key and certificate file and claim to be anyone. By using a certificate chain Adobe built Reader to check whether an applied certificate was the offspring of only one very well protected 'parent'. That being the case, when you apply that certificate Adobe Reader marks it 'Certified'.

PDF Reader detail on a certified pdf

The certificate 'chain' viewable in PDF Reader

When Legalesign 'Certifies' a PDF this is exactly what happens. We could apply any key/certificate and Adobe Reader would recognise it and add it to the PDF. But since Legalesign went through a process to prove who we are to a third party issuer, who themselves had approval from Adobe, we gained access to a special certificate issued from one of the original sources. Adobe Reader checks whether our certificate falls into this special category and, since it now knows the sender has had their identity proven to get that certificate, it can then apply the special "Certified" mark.

All of that means that when you see a document that is Certified you can be confident the issuer is who it says it is. If not, the issuer could be anyone.

To make the most of this technology, we need to do more for contract formation. PDFs can be edited like any other document. A certification means little without knowing what time it happened, and what was in the document itself.

Fortunately, Adobe put some thought into it and incorporated a guarantee of time and of the exact document content at the same moment as Certification and bound it all up with the encryption effort that creates the valid Certification.

Whenever you open a Certified PDF document it takes a little longer than you might expect, and this is because Adobe Reader is checking the Certificate is valid.

The validating effort goes back to the core purpose of public-key crytography, but rather than transmitting the data over a network, it's transmitted through time. The data element is the PDF content and the certificate is bound up in the PDF. Adobe Reader opens and validates the data and certificate in a similar (probably precisely similar) way as if you used public-key encrypted data just sent to you over a network.

Why does it matter?

If you're seeking to form a contract all of this makes you feel a lot better about what you are doing. With a Certified PDF you can now confidently say its content is authentic, and since you can be sure it is from Legalesign you can also be sure it went through a strong e-signature process.

That process is the incorporation of many other helpful measures, such as an audit log (a record of every action in connection with that document) before finally, with the Certification event, giving you a cast iron guarantee of the time of the final signing and everything therein.

An important benefit is the independence you retain. When you use Legalesign, or any e-signature service, one upshot is that you can confidently affirm you could not have changed the document: once sent, it is beyond your control. But that creates a dependence on the service you used. If you need to justify a document then you will need that service to explain what happened on your behalf. Not so with Certification. Using e-signature with Certification means you can both assert your non-interference, but also have zero reliance on the service itself. Certification means your signed document is its own verification.

Long-Term Validation (LTV)

LTV gives your Certified PDF longevity. Not all e-signature software is made equal when it comes to LTV. Lacking LTV puts a countdown on your document's verification; when the certificate behind the Certification event becomes invalid (all certificates are time limited), your PDF will stop being marked as Certified. Yes, this means that if your PDF lacks LTV you will need to go back to your e-signature service, and pay them a due, again, to get your PDF re-certified.

PDF Reader detail on a certified pdf

The LTV mark in Adobe Reader

LTV gives a guarantee of time in the Certification in a way that can be confirmed later, whatever the status of Legalesign's own certificate. LTV is is gained when the timestamp element is not provided by us (the machine doing the certification) but from an external trusted source, in doing so it gives the procedure a completeness that removes later dependence on our certificate. When Adobe Reader recognises that within the Certification it marks the documents with Long-Term Validation.

But when you have a Legalesign Certified PDF with LTV, the LTV gives you a long-term stamp of confirmation that affirms the integrity of your document, exactly when the signing occurred and a verification of all events in the audit log appended within your document, and all this irrespective of Legalesign itself and any time that has passed.

Certified PDF and Contracts

How is all this helpful with the law for formation of contract? One could say the fundamental rationale for all written contracts, anywhere, is to be able to confirm what has been agreed. This is what Certified PDF with Long Term Validation through Legalesign enables you to do in one of the strongest ways currently available.

Although a mere 20 words in a document of some 20,000, one of the most powerful expressions of this concept, and one that expresses this rationale as a core principle in law, is part d of Article 26 of EU Regulation 910/2014 (also known as eIDAS, the key European legal text on e-signature); one of four requirements for an "advanced electronic signature".

"it [the advanced electronic signature] is linked to the data signed therewith in such a way that any subsequent change in the data is detectable."

If you made it to the end of this article I hope you will re-read that element of eIDAS with a fresh depth of perspective and understanding about how it connects with electronic signature, contracts and what we offer for your contract process here at Legalesign.

ISO 27001 Certified Crown Commercial Supplier Advanced Electronic Signature
high performing software G2 Capterra Legalesign reviews Read Legalesign reviews on G2 Crowd

I would recommend that anyone looking for an document signing solution to have a good look at Legalesign. The system is very reliable and has great functionality + via their API you can achieve excellent levels of integration with existing software. However, the best part is without doubt their customer service. A lot of online providers shout about their support, these people actually exceed what you expect. I hope this review does not sound too over the top, but try them, you will see what I mean.

P. Savine, Judson Savine

I needed an esign product that would be easy and simple to use, only a few documents but going out regularly, individually and in batches. Legalesign is absolutely great. The tracking is ideal as I can instantly spot all those people who haven't actioned )(or those that say they have and they really haven't). Sending documents takes seconds, and the batch process is really fabulous, today sending 60 contracts out took me less than 30 seconds - it makes a big difference. Support is great too, and always on hand. Would thoroughly recommend.

S. Patterson, Kids Bee Happy

Legalesign has an easy to use interface. You can customize a lot of the features, email design, copy, etc. It looks really professional when you take advantage of all they have to offer. The customer service is fantastic. Any question I have, the team is on instantly. We switched over from Docusign after having our account executive change multiple times and to try and save money. We have been very happy we made the jump!

A. Patzius. Influence & Co.