Long Term Validation (LTV) – Standards & Security

When signing paper documents you implicitly trust the fact that the signature will be verifiable for several years into the future. Similarly in the electronic world, digitally signed documents must be verifiable at a later date. For example, in many jurisdictions and regulated industries, business documents need their authenticity to be verifiable for at least 7 to 10 years, whilst specialist applications may require verification for 15 or 20+ years. Not all signing solutions are capable of offering a long-term validation capability. This is an area we have invested in heavily by following the latest advanced, long-term digital signature standards as explained below:

Standard Description SigningHub
PAdES Part 2 Original PDF standard, ISO 32000-1. Supports embedded signature evidence information for Long-Term Validation (LTV).
PAdES Part 4 Corresponds with the latest EU Qualified Signature Standards (CAdES-X-Long and CAdES-A). Unique ability to extend the lifetime of signed documents by embedding additional protective timestamps at a later date.
XAdES-X-Long The XML long-term signature format used for Microsoft Office documents. SigningHub supports this when signing Word documents via the SigningHub Word app.
PDF/A ISO standard (ISO 19005) specifically designed for long-term accessibility and rendering of document with no dependency on external references.
IETF LTANS Evidence Record Syntax (ERS) Long-Term Archive & Notary Service (LTANS) is a set of specifications from the IETF for secure long-term archiving . Ascertia provides both LTANS Server and client functionality and this can be tightly coupled with SigningHub for a complete, long-term secure solution.

An effective signing solution should also meet these business requirements:

A separate trusted timestamp should be embedded to provide independent evidence of when each user’s signature was created

Trusted independent evidence that the signer’s unique signing key was valid at the time of signing (using OCSP and/or CRL standards) should be embedded

Documents should be able to be downloaded, stored locally and verified offline