The technology behind digital signatures
Understand the cryptographic foundations, standards, and trust frameworks that make digital signatures legally binding and tamper-proof.
The three pillars of digital signing
Every legally valid digital signature rests on three fundamental pillars: Integrity, Identity, and Intent. Together, they ensure that a signed document is authentic, attributable, and binding.
Integrity of the document
Integrity guarantees that the document has not been altered after signing. ValidSign uses cryptographic hash functions (SHA-256) to create a unique digital fingerprint of the document. Any modification, even a single character, invalidates the signature. The hash is embedded in the signature container, making tampering mathematically detectable.
Identity of the signer
Identity ensures that the signer is who they claim to be. ValidSign supports multiple levels of identity verification, from email and SMS authentication to government-issued digital identities like DigiD, eHerkenning, and BankID. For qualified signatures, identity is verified through accredited Trust Service Providers using face-to-face or video identification.
Intent to sign
Intent proves that the signer deliberately agreed to the content of the document. ValidSign captures explicit consent through interactive signing ceremonies. The signer must actively click to sign, acknowledge the document, and confirm their action. Every step is logged in a tamper-proof audit trail with timestamps, IP addresses, and authentication evidence.
How digital signatures work
A step-by-step look at the cryptographic process that ensures authenticity, integrity, and non-repudiation for every signed document.
Document Preparation
The document is uploaded and a SHA-256 hash is calculated, a unique 256-bit fingerprint that represents the exact content of the document.
Key Generation
A public/private key pair is created using RSA-2048 or ECDSA P-256. The private key remains exclusively under the signer's control; the public key is embedded in a digital certificate.
Signing
The signer's private key is applied to the document hash (often described as "encrypting" the hash) to produce the digital signature. Only the corresponding public key can verify that signature, so a valid signature proves possession of the private key.
Certificate Binding
The signature is bound to a digital certificate (X.509) that links the public key to the signer's verified identity, issued by a Certificate Authority in a trusted chain.
Packaging
The signature, certificate, and an RFC 3161 timestamp are embedded in the document using PAdES (PDF Advanced Electronic Signatures) format, creating a self-contained signed document.
Verification
Anyone can verify the signature using the signer's public key from the certificate. The verifier checks the hash, certificate validity, timestamp, and trust chain, all in one operation.
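The steps above, reduced to the three that are pure cryptography (hash, sign, verify), as an added Go example that is not ValidSign's code: it uses Go's standard-library ECDSA P-256 and SHA-256, an in-memory key in place of an HSM, and a constructed sample document to show that changing a single character makes verification fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a P-256 key pair; the private half would live in an HSM in production, here it is in memory.
type Signer struct{ priv *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey } // the key that goes into the certificate

// DocumentHash is the document-preparation step: a SHA-256 fingerprint of the exact bytes.
func DocumentHash(doc []byte) [32]byte { return sha256.Sum256(doc) }

// Sign is the signing step: the private key signs the hash, producing a DER-encoded ECDSA signature.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	h := DocumentHash(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, h[:])
}

// Verify is the verification step: recompute the hash from the document actually
// received and check the signature against it, so any altered byte fails.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	h := DocumentHash(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	doc := []byte("Lease agreement: rent EUR 1200 per month") // constructed sample document
	sig, _ := s.Sign(doc)
	fmt.Println("original verifies:", Verify(s.Public(), doc, sig)) // true
	tampered := []byte("Lease agreement: rent EUR 1000 per month") // one character changed
	fmt.Println("tampered verifies:", Verify(s.Public(), tampered, sig)) // false
}
```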
Standards & signature formats
ValidSign supports all major signature formats defined by ETSI, ensuring interoperability and long-term validity across systems and borders.
| Format | ETSI Standard | Primary Use Cases | Description |
|---|---|---|---|
| PAdES (PDF Advanced Electronic Signatures) | ETSI EN 319 142 | PDF documents, contracts, invoices, HR forms | PAdES is the standard for embedding electronic signatures in PDF documents, defined by ETSI (European Telecommunications Standards Institute). ValidSign uses PAdES-BES (Basic Electronic Signature) for standard signatures and PAdES-LTV (Long-Term Validation) for signatures that remain verifiable decades after creation. |
| XAdES (XML Advanced Electronic Signatures) | ETSI EN 319 132 | XML workflows, e-invoicing, government filings, UBL documents | XAdES is designed for XML-based documents and workflows. It supports detached, enveloping, and enveloped signature types, making it ideal for structured data exchanges between enterprise systems. |
| CAdES (CMS Advanced Electronic Signatures) | ETSI EN 319 122 | Binary data, detached signatures, email (S/MIME), large files | CAdES extends Cryptographic Message Syntax (CMS) for advanced signatures. It supports detached signatures that exist separately from the signed data, making it suitable for binary files and large datasets. |
| ASiC (Associated Signature Containers) | ETSI EN 319 162 | Document bundles, archival, multi-document packages | ASiC is a container format (based on ZIP) that bundles one or more documents with their associated signatures and timestamps. It provides a portable, self-contained package for signed content. |
ETSI standards framework
The European Telecommunications Standards Institute (ETSI) defines the technical standards that govern electronic signatures across Europe. These standards ensure interoperability, security, and legal compliance.
| Standard | Scope |
|---|---|
| ETSI EN 319 102 | Procedures for Creation and Validation of AdES Digital Signatures |
| ETSI EN 319 122 | CAdES Digital Signatures |
| ETSI EN 319 132 | XAdES Digital Signatures |
| ETSI EN 319 142 | PAdES Digital Signatures |
| ETSI EN 319 162 | Associated Signature Containers (ASiC) |
| ETSI EN 319 401 | General Policy Requirements for Trust Service Providers |
| ETSI EN 319 411 | Policy and Security Requirements for Trust Service Providers Issuing Certificates |
| ETSI EN 319 421 | Policy and Security Requirements for Trust Service Providers Issuing Time-Stamps |
eIDAS regulation & trust services
The eIDAS Regulation (EU No 910/2014) establishes a comprehensive legal framework for electronic identification and trust services across the European Union.
What eIDAS means for digital signatures
The eIDAS Regulation creates a single legal framework for electronic signatures, seals, timestamps, and other trust services across all 27 EU member states. It ensures that an electronic signature created in one member state is legally recognized in all others, eliminating barriers to cross-border digital transactions.
Trust Service Providers (TSPs)
TSPs are organizations authorized to create and manage digital certificates, timestamps, and other trust services. Qualified TSPs are supervised by national authorities and undergo regular conformity assessments. ValidSign partners with accredited EU-based Qualified Trust Service Providers.
Qualified Trust Lists (QTL)
Each EU member state publishes a Qualified Trust List that identifies its approved Qualified Trust Service Providers. These lists are the authoritative source for verifying the qualification status of TSPs and their services, ensuring transparency and accountability.
Mutual recognition across the EU
A qualified electronic signature created in any EU member state has the legal equivalent of a handwritten signature in all 27 member states. This mutual recognition is fundamental to the functioning of the EU digital single market.
Three signature levels under eIDAS
Simple Electronic Signature (SES)
Any electronic data attached to or logically associated with other data used to sign. Admissible as evidence but carries the lowest presumption of authenticity.
Advanced Electronic Signature (AES)
Uniquely linked to the signatory, capable of identifying them, under sole control, and linked to data so changes are detectable. Meets Article 26 requirements.
Qualified Electronic Signature (QES)
An AES created by a QSCD and based on a qualified certificate from a Qualified TSP. Has the legal equivalent of a handwritten signature in all EU member states.
Cryptographic foundations
The security of digital signatures rests on well-established cryptographic primitives. Here are the key technologies that make it all work.
Hash functions (SHA-256)
A one-way mathematical function that converts any input, regardless of size, into a fixed 256-bit output. Even the smallest change in input produces a completely different hash. It is computationally infeasible to reverse the hash or find two different inputs that produce the same output (collision resistance).
Public Key Infrastructure (PKI)
The system of digital certificates, Certificate Authorities (CAs), and registration authorities that verify and authenticate the identity of parties in a digital transaction. PKI creates a hierarchical trust model: Root CA issues to Intermediate CAs, which issue end-entity certificates to individuals and organizations.
Asymmetric encryption (RSA, ECDSA)
Public/private key pairs where the private key signs data and the public key verifies the signature. ValidSign supports RSA-2048 (widely deployed, proven security) and ECDSA P-256 (equivalent security with shorter keys, better performance). The private key never leaves the secure signing environment.
Timestamping (RFC 3161)
A cryptographic proof from a trusted Time Stamping Authority (TSA) that a signature existed at a specific point in time. This is critical for long-term validation. Even if a certificate expires or is revoked after signing, the timestamp proves the signature was valid at the time of creation.
Certificate chains
A hierarchy of trust: Root CA (self-signed, embedded in operating systems and browsers) issues Intermediate CA certificates, which issue end-entity certificates to signers. Each certificate in the chain is signed by its parent, creating a verifiable path from the end-entity back to the trusted root.
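The Root CA → Intermediate CA → End-entity hierarchy described here and under Public Key Infrastructure above, as an added Go example that is not ValidSign's or any CA's code: it issues a three-certificate chain with Go's standard crypto/x509 package (names, validity periods and keys are constructed) and verifies the end-entity certificate the way a relying party does, trusting only the root and taking the intermediate from the signed document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for it signed by parentKey; a nil parent makes it self-signed (a root CA).
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the OS random source is unavailable
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain models Root CA -> Intermediate CA -> End-entity certificate (all names are constructed).
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue("Example Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := issue("Example Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	leaf, _ = issue("Jane Signer", x509.KeyUsageDigitalSignature, inter, interKey)
	return root, inter, leaf
}

// VerifyChain acts as a relying party: trust only the root, take the intermediate
// from the signed document, and check that each certificate is signed by its parent.
func VerifyChain(leaf, inter, trustedRoot *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

A chain against an unrelated root, or with the intermediate missing, fails with an unknown-authority error, which is exactly the check a verifier performs before trusting a signature.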
Root CA → Intermediate CA → End-entity Certificate
ValidSign's implementation
How ValidSign turns these standards and technologies into a production-grade digital signing platform trusted by thousands of organizations.
EU-hosted PKI infrastructure
All cryptographic operations are performed within EU data centers. Private keys are generated and stored in FIPS 140-2 Level 3 certified Hardware Security Modules (HSMs), ensuring keys never exist in plain text outside the secure boundary.
PKIoverheid integration
ValidSign integrates with PKIoverheid, the Dutch government's PKI framework, through both KPN and Cleverbase. This enables qualified signatures that are recognized by Dutch government organizations. Cleverbase offers cloud-based qualified certificates that require no physical token, which suits remote and hybrid work environments.
Qualified timestamping
Every signature includes an RFC 3161 timestamp from an accredited Time Stamping Authority (TSA). These qualified timestamps provide irrefutable proof of when a document was signed, independent of the signer's certificate validity period.
Long-Term Validation (LTV)
ValidSign embeds all validation data (certificates, CRLs, OCSP responses, and timestamps) directly in the signed document (PAdES-B-LTA). This means signatures can be verified decades after creation, even if the original Certificate Authority no longer exists.
SCAL2 for remote qualified signatures
ValidSign implements Sole Control Assurance Level 2 (SCAL2) as defined in CEN EN 419 241-2. This ensures that only the authorized signer can activate their private key for remote qualified signatures, providing the same security guarantees as a physical smart card.
See ValidSign in action
Experience the complete signing workflow, from document upload to legally binding signature.