Signed document formats

​The E-Signing service supports SDO and PAdES signature formats to maintain non-repudiation and integrity control of the signed data.

The SDO (Signed Data Object) and PAdES (PDF Advanced Electronic Signatures) document format is described on this page. 

SDO

A digitally signed document is often represented in formats that are challenging to visualize for the customer. Digitally signed documents also require a compilation of data to be able to prove in a future conflict that a specific person actually signed this specific document at a proven time in the past.

The SEID SDO is a XML based data package designed to act as a self-contained validation of one or more digital signatures on one or more documents. The reason for this format is to be able to confirm non-repudiation and integrity of the signed document independent of time. Thus the result of a digital signing process can be packaged into a SEID SDO format to simplify validation, traceability and visualization of the signed document.

The SEID SDO is based upon ETSI TS 101 733 (CAdES) and ETSI 101 903 (XAdES). The SEID SDO format is described here: Kva er SEID-prosjektet​ (in Norwegian only)

A comparable format is PAdES which uses Acrobat reader to visualize the digital signature embedded in a .pdf document. The Nets E-Signing service produces both a SDO and a PAdES file (if requested) as the result of a digital signing process.

The format is structured as an SDOlist with one or more SDOs. Each SDO consist of:

  • One document
  • One or more signatures 
  • One seal 
  • Signing time or validation time

 

A seal is an automatic signature over the document and the signatures to maintain package integrity. The sealing is performed by use of a signing certificate that is customer specified. Example of supported certificate types are Norwegian BankID organisation certificate, Danish NemID VOCES and Nets AS Intermediate CA (issued by Nets AS Root CA). For details on supported sealing certificates, use the Contact us form to contact support. Default will be the primary organisation certificate issued to the customer. There is no dedicated fee for use of alternative sealing certificate, but most certificates have a cost for signing and thus the use of sealing certificate may influence the total cost. Note that some SDO receivers may have restrictions on which certificate issuer to use for SDO sealing.

The E-Signing service can also make partial SDOs available. A Partial SDO is a SDO including only one document and one signer. A partial SDO is generated after each sign process in a sign order. The partial SDO is available using the GetDocuments message.
Nets offers a SDO validator to view and validate SDOs. Read more about the E-Signing validator.  

PAdES​

PAdES is a standard for signed documents, and the standard is maintained by ETSI (ETSI TS 319 142). Information about electronic signature standards can be found here: PAdES (PDF Advanced Electronic Signature) Baseline Profile

As a customer of the E-Signing service you may choose to get the signed documents in the PAdES format. E-Signing supports two different PAdES versions:

To retrieve the signed documents in accordance with PAdES standard there are two ways to do so in E-Signing. Firstly, you may request the document using the GetPAdES XML message, or secondly request the generation of a signed document based on a SDO using the GeneratePAdES XML message. The retrieval of the document from E-Signing with the GetPAdES message is available for 90 days after the sign order has been completed.

PAdES - generated based on SDO

E-Signing uses the PAdES B-T signature level. PAdES signatures contain a signature timestamp from a timestamp authority (TSA).

A PDF signed document from E-Signing may only be generated from a PDF file (and not from a text or XML document signed through E-Signing). When generating the PDF signed document, the E-Signing service is appending the following to the original document:

  • A document reference on each side of the document
  • A last page with the document reference and information about the signer(s) of this particular document.
  • An extract of the signature from each signer (as an “attachment” in the document)

The document is certified using a certificate issued to Nets Branch Norway from Buypass and timestamped using the TSA service from Firmapro (https://www.firmapro.com/).

The last page added by Nets may look like this:

PAdES_3.PNG

The last page is available in several languages. See language element description in GetPAdES request for an overview. English is default language if nothing is specified.

The default format for signed documents through E-Signing is still SDO, and this document should always be used in case of conflicts. The signed PDF document (PAdES) only includes extracts of the original signatures and not the entire signature.

Note: The use of this function may have an extra cost. If it is not already priced in your agreement, please contact sales.esecurity@nets.eu to retrieve the price list and an offer.  

Norwegian BankID PAdES

BankID offers PAdES as an output format when signing PDF documents and this is supported in the E-Signing service. The document may be signed by several signers. Each signature will be applied directly to the PDF document and it is visualised with a BankID seal including the signers name and the signature date.

BankID PAdES - 2 signers - full page.PNG

As each signer's signature time is collected from the signer's computer time, Nets applies a timestamp to the document after all signers have signed the document.

Note: It will not be possible to get a SDO when BankID PAdES is used. In addition, the last page that is added when generating a PAdES from a SDO will not be added to the signed document.

Read more on about the Norwegian BankID PAdES and how to use the functionality.