What is Long Term Validation (LTV)?
PAdES (PDF Advanced Electronic Signatures) is a set of restrictions and extensions to PDF and ISO 32000-1 making it suitable for Advanced Electronic Signature. PAdES recognizes that digitally-signed documents may be used or archived for many years – even many decades. At any time in the future, in spite of technological and other advances, it must be possible to validate the document to confirm that the signature was valid at the time it was signed – a concept known as Long-Term Validation (LTV).
When LTV is enabled, the certificate's sign-time status is captured and stored inside the PDF document. The signature details indicate whether the signature is LTV enabled. This verification record remains in the file itself so that the certificate's validity can be determined even at some later date, regardless of whether the certificate has expired or been revoked, or the issuing authority no longer exists. Because the record is stored inside the signed document, it is also authenticated by the document's signature, further reducing the chances for error or fraud.
LTV helps reduce dependencies on external systems and reduces the potential for future ambiguity around expired or revoked certificates.
Does DocuSign use LTV?
DocuSign eSignatures are not LTV enabled, but we understand that certain industries require the ability to verify the validity of a signature at the time of signing due to standards like PAdES (PDF Advanced Electronic Signatures). DocuSign digitally seals PDF documents with a certificate issued by Entrust. When Adobe Reader opens our PDF documents, it validates the certificate used for the digital seal. Since we haven’t enabled LTV, Adobe Reader makes a call to Entrust to make sure our certificate is still valid. If it’s valid, Adobe Reader calls Entrust to check the current status of our certificate via the Online Certificate Status Protocol (OCSP) or a certificate revocation list (CRL). Because the sign time is not captured inside the PDF document, Adobe Reader cannot base its verification on that time and uses the current time instead. If the time of verification is later than the expiration of the Entrust certificate, it cannot be validated. The yellow warning sign does not mean that the underlying document and electronic signatures affixed to the document are invalid. Re-downloading the document will affix a new Digital Signature.
How do I ensure my DocuSign documents are valid?
Upon opening a DocuSign PDF, Adobe Reader will try to validate the certificate attached to the signature. If the certificate has expired, Entrust will not be able to provide a response that the signature is valid. Adobe Reader will then display a yellow warning sign to users stating "At least one signature has problems."
The alert means that Adobe Acrobat is not capable of determining if a signature's certificate was valid at the time of signing. DocuSign maintains this validity as long as the documents are retained in DocuSign and is not reliant on Adobe's ability to verify the signature certificate. When you download PDF documents from DocuSign's platform, we digitally sign the PDF documents with our certificate issued by Entrust to create tamper-evident digital seals. If someone tries to change anything in a digitally sealed PDF document, PDF readers (e.g. Adobe Reader, Nitro PDF, etc.) recognize that the digital seal has been broken and display a separate warning message to the user.
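A simplified model of the behaviour described above, as an added example (not DocuSign or Adobe code): it shows why a seal that validates while the certificate is current degrades to the "unknown" warning after expiry unless sign-time evidence is embedded, and why tampering is reported separately. The `Seal` fields, the `validate` function and the sample dates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Seal:
    digest_ok: bool                         # signed bytes still match the signed digest
    not_before: datetime                    # signing certificate validity window
    not_after: datetime
    signed_at: Optional[datetime] = None    # trusted sign time stored in the PDF (LTV only)
    embedded_status: Optional[str] = None   # "good"/"revoked" captured at sign time (LTV only)

def validate(seal: Seal, now: datetime, live_status: Optional[str]) -> str:
    """Return 'broken', 'valid', 'invalid' or 'unknown' (the yellow warning case)."""
    if not seal.digest_ok:
        return "broken"                     # content changed after sealing
    ltv = seal.signed_at is not None and seal.embedded_status is not None
    # With LTV the certificate is judged at sign time from embedded evidence;
    # without it, only the current time and a live OCSP/CRL answer exist.
    when, status = (seal.signed_at, seal.embedded_status) if ltv else (now, live_status)
    if not (seal.not_before <= when <= seal.not_after):
        return "invalid" if ltv else "unknown"
    if status is None:
        return "unknown"                    # no revocation answer available
    return "valid" if status == "good" else "invalid"

# Constructed sample data (not taken from any real certificate).
UTC = timezone.utc
ISSUED, EXPIRES = datetime(2020, 1, 1, tzinfo=UTC), datetime(2021, 1, 1, tzinfo=UTC)
SIGNED, LATER = datetime(2020, 6, 1, tzinfo=UTC), datetime(2023, 1, 1, tzinfo=UTC)
PLAIN = Seal(True, ISSUED, EXPIRES)
WITH_LTV = Seal(True, ISSUED, EXPIRES, signed_at=SIGNED, embedded_status="good")
TAMPERED = Seal(False, ISSUED, EXPIRES, signed_at=SIGNED, embedded_status="good")

if __name__ == "__main__":
    print("no LTV, cert current :", validate(PLAIN, SIGNED, "good"))
    print("no LTV, cert expired :", validate(PLAIN, LATER, None))
    print("LTV, cert expired    :", validate(WITH_LTV, LATER, None))
    print("content modified     :", validate(TAMPERED, LATER, None))
```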
If the certificate applied at the time of signing of the document has already expired, the only way to reacquire the Adobe signature validity is to re-download the document from DocuSign. Optionally, once downloaded and saved, the steps from the aforementioned article can be taken to make the document LTV enabled. Please note that documents that have been purged cannot be re-downloaded.
DocuSign is currently investigating the possibility of having LTV-enabled eSignatures for a future release.