Sovos Docs

Signatures

Technical information and additional considerations on the signature formats that you can use.

CAdES-A

CMS Advanced Electronic Signatures (CAdES) is a format specified in the ETSI TS 101 733 standard. It is intended for electronic signatures applied on business documents, such as e-invoices.

Sovos can create and validate the CAdES-EPES, CAdES-T, and CAdES-A formats. Among them, CAdES-A is particularly advantageous to use because:

  • It is the only format that carries along all the information needed to prove that a signature was valid at the time of signing.

  • It securely timestamps the information to protect the invoice from any future events such as certificate expiry, Certificate Authority (CA) key compromise, cessation of CA operations, and unavailability of historical services.

  • When a signing operation is performed to create a CAdES-A, a validation operation is also performed on behalf of the supplier. This ensures that they have long-term, verifiable information to archive. However, if you use a signing operation to create a CAdES-T, the signature validation is not performed and no audit details element is returned.

  • It lets you use the Sovos Audit page for long-term validation of a supplier’s e-invoices.

S/MIME

S/MIME defines how to send and receive secure MIME data. The standard defines a MIME body part that is cryptographically enhanced according to Cryptographic Message Syntax (CMS) or PKCS #7. A number of email clients and Enterprise Resource Planning (ERP) or Enterprise Application Integration (EAI) systems support S/MIME out of the box, making it a convenient format for enveloping signed e-invoices.

When signing an S/MIME message, the input data must first be MIME-encoded. The SBDH for the signing request must reflect this encoding by including the Signing.InitialContentEncoding scope information, setting Signing.DocumentFormat to the actual document format (e.g., XML), and setting Signing.SignatureFormat to "SMIME".

XAdES-A, XMLcon, and cXML

XML Advanced Electronic Signatures (XAdES) is a format specified in the ETSI TS 101 903 standard and is intended for electronic signatures applied to business documents such as e-invoices.

Sovos can create and validate both XAdES-T and XAdES-A formats. Opting for the XAdES-A profile over the XAdES-T profile offers advantages, following the same principles outlined above for CAdES-A.

Important:

The XMLcon and cXML signature formats let you use double signatures, unlike the basic XAdES-T/A format, which only supports a single signature. So, for cross-border transactions, we recommend using XMLcon/XAdES-A or cXML signatures.

Sovos defaults to using the canonical XML version 1.0 canonicalization algorithm when creating XAdES signatures. However, following the recommendations of the Italian administrative body DigitPA, you must use canonical XML version 1.1 when applying a Qualified Electronic Signature (QES) to an Italian e-invoice.
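The following added example (not Sovos code) reads the canonicalization algorithm out of each signature's SignedInfo, so you can confirm that a document destined for an Italian QES uses canonical XML 1.1 and not the 1.0 default. The Algorithm URIs are the W3C identifiers and the sample document is constructed. Applying the same rule to canonicalization transforms inside references is an assumption of this example.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# W3C algorithm identifiers, with and without comments.
C14N = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": "1.0",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments": "1.0",
    "http://www.w3.org/2006/12/xml-c14n11": "1.1",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments": "1.1",
    "http://www.w3.org/2001/10/xml-exc-c14n#": "exclusive",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments": "exclusive",
}

def c14n_usage(xml_text: str) -> list:
    """List (signature Id, element, c14n version) for each SignedInfo c14n step."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not expected in a signed invoice")
    rows = []
    for sig in ET.fromstring(xml_text).iter(DS + "Signature"):
        signed_info = sig.find(DS + "SignedInfo")  # direct child only
        for el in signed_info.iter() if signed_info is not None else ():
            if el.tag not in (DS + "CanonicalizationMethod", DS + "Transform"):
                continue
            version = C14N.get(el.get("Algorithm", ""))
            # Non-c14n transforms (e.g. enveloped-signature) are skipped.
            if version or el.tag == DS + "CanonicalizationMethod":
                rows.append((sig.get("Id"), el.tag[len(DS):], version or "unknown"))
    return rows

def uses_only_c14n11(xml_text: str) -> bool:
    rows = c14n_usage(xml_text)
    return bool(rows) and all(version == "1.1" for _, _, version in rows)

# Constructed sample: skeleton of a signed document (no digests or key material).
SAMPLE = """<Invoice xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature Id="sig-1"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <ds:Reference URI=""><ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </ds:Transforms></ds:Reference>
 </ds:SignedInfo></ds:Signature>
</Invoice>"""

if __name__ == "__main__":
    for row in c14n_usage(SAMPLE):
        print(row)
    print("C14N 1.1 only:", uses_only_c14n11(SAMPLE))
```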

UBL-enveloped digital signature

Universal Business Language (UBL) is a family of formats for expressing various business documents in XML. The UBL signature profile defines an enveloped signature as an extension to any of the available business documents. The signature is appended to the root element, regardless of the document type. The UBL format also supports all the standard XAdES types and a basic non-XAdES signature.

Signing and validating PDFs

There are two signature formats available for signing PDF documents:

  • PDF signature: A standard based on basic CMS signatures.

  • PAdES (PDF Advanced Electronic Signatures): A standard that defines a more advanced signature profile than the PDF signature format.

Sovos supports both formats and also supports PDF signatures that appear in the Adobe Reader signature panel and on-page signatures. We recommend using the visible signature box feature only for Indian e-documents, as it is a common practice there. For the other countries, use only signatures that appear in the Adobe Reader signature panel.

Considerations to make when using the PDF signature or the PAdES format:

PDF signature

Sovos can create and validate PDF signatures. When the signature size is allocated, it cannot be changed. This means that it is not possible to first sign a PDF with an embedded CAdES-T signature and then validate it to include a CAdES-A signature. This is because the size allocated for CAdES-T is too small to fit the substantially larger CAdES-A signature.

Note: The PAdES signature format resolves this limitation.
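The fixed allocation described above can be measured directly in a signed PDF. This added example (not Sovos code) uses the signature's /ByteRange to locate the reserved /Contents slot, reports how many bytes are reserved and how many the embedded CMS object uses, and checks whether a larger signature would fit. The sample file, the 4096-byte slot and the 260-byte DER stand-in are constructed for illustration.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def der_total_length(blob: bytes) -> int:
    """Size of the DER SEQUENCE at the start of blob, header included."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    if blob[1] < 0x80:                      # short form
        return 2 + blob[1]
    n = blob[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def signature_slot(pdf: bytes) -> dict:
    """Inspect the first signature's /Contents slot via its /ByteRange."""
    m = BYTE_RANGE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    a, b, c, d = map(int, m.groups())
    gap = pdf[a + b:c]                      # bytes excluded from the digest
    if gap[:1] != b"<" or gap[-1:] != b">":
        raise ValueError("gap is not a hex string")
    raw = bytes.fromhex(gap[1:-1].decode("ascii"))
    return {"reserved": len(raw), "used": der_total_length(raw),
            "covers_whole_file": a == 0 and c + d == len(pdf)}

def fits(pdf: bytes, new_size: int) -> bool:
    """Would a replacement signature of new_size bytes fit the fixed slot?"""
    return new_size <= signature_slot(pdf)["reserved"]

def make_sample(reserved: int, cms: bytes) -> bytes:
    """Constructed input: one signature dictionary with a zero-padded slot."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
    slot = b"<" + (cms + bytes(reserved - len(cms))).hex().encode() + b">"
    fmt = " /ByteRange [0 {} {} {:010d}] >>\nendobj\n%%EOF\n"
    end = len(head) + len(slot)
    d = len(fmt.format(len(head), end, 0))
    return head + slot + fmt.format(len(head), end, d).encode()

if __name__ == "__main__":
    cms = b"\x30\x82\x01\x00" + b"\xAA" * 256   # constructed 260-byte DER stand-in
    pdf = make_sample(4096, cms)
    print(signature_slot(pdf), fits(pdf, 20000))
```

A `covers_whole_file` value of False means bytes exist outside the signed ranges. That is expected after a later incremental update, such as an added document timestamp, and worth reviewing otherwise.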

You can create and validate PDF signatures in the following ways:

  • Sign the PDF using a signing operation with the scope information Signing.AuditCategory set to "CADESA", and then validate the signed PDF with a SignatureValidation operation with SignatureValidation.NewAuditData set to "CADESA". So both the signed and the validated PDF will include CAdES-A signatures.

  • Sign the PDF with a CAdES-T signature, which you need when the CAdES-A signature size is considered too large. Although smaller, CAdES-T does not provide any of the benefits of CAdES-A. To validate the PDF or CAdES-T, you should execute a SignatureValidation operation with the scope information SignatureValidation.AuditCategory set to "EVIDENCE", with the SignatureValidation.CreateAuditDetails element included, or both.

In addition, consider these scenarios:

  • If you set SignatureValidation.AuditCategory to "EVIDENCE" in the SignatureValidation operation, detached evidence data is returned. This data should be archived along with the PDF or CAdES-T and uploaded along with the PDF or CAdES-T to the Sovos Audit Page for future audits.

  • If the SignatureValidation.CreateAuditDetails scope information is used in the SBDH, the operation returns the AuditDetails XML element as a response. This element can be processed through an XSLT stylesheet to generate a validation report, which can be archived along with the PDF/CAdES-T.
    Note:

    In this scenario, you cannot have a future audit of the PDF or CAdES-T using the Audit Page.

To check the validity of the PDF Signatures, you can use Adobe Reader or Acrobat v6 or higher — as long as the CA is pre-configured in Adobe Reader, which is often not the case.

PAdES

Sovos has the capability to create and validate PAdES signatures. We support three profiles of the PAdES format:

  • PAdES-LTV: This profile is created for PDF signatures when AuditCategory is set to "PADESLTV".

  • PAdES-EPES with signature timestamp: This profile is created for PDF signatures when AuditCategory is set to "PADESEPES". We recommend the PAdES-EPES signature format instead of PDF or CAdES-T.

  • PAdES-EPES without signature timestamp: This profile is created for PDF signatures when the parameter AuditCategory is set to "CADESEPES".

You can extend a PAdES-EPES into the PAdES-LTV format if you add validation information. This eliminates the need for detached evidence data. In this case, a signature timestamp is added to both the PDF or CMS signature and the LTV object. When signing a PAdES-EPES for the supplier, and then validating it to PAdES-LTV for the buyer, two timestamps are applied in the PAdES signature: one signature timestamp and one document timestamp.

You can check the validity of the PAdES signatures with Adobe Reader or Acrobat v10 (or higher) — as long as the CA is pre-configured in Adobe Reader, which is often not the case.

The PAdES-LTV signature includes timestamped validation data, such as OCSP responses, CRLs, or both. This means you can do an offline validation using Adobe Reader v10 or higher.

Important:

Because PAdES is a relatively new standard, support for this format is not yet widely implemented in other applications. This may cause interoperability issues when using third-party applications for validation.

On-page signature box

Sovos supports the creation of on-page signatures. Each signature appears in a signature box that also has a logo and signature information, and the image with that box is integrated into the PDF document at a resolution of 72 dpi. This signature box has a fixed size and, by default, is located on the first page of the PDF document. However, you can change its position by setting coordinates in the provided SBDH scope information.

To activate the on-page signature box feature, you must include the following scope information in the SBDH.

<Scope>
 <Type>Signing.PDFSignatureOrigin</Type>
 <sbd:InstanceIdentifier/>
 <Identifier>100,100</Identifier>
</Scope>

The two numbers separated by a comma (",") are the X and Y coordinates, which determine the location of the signature box on the PDF. For instance, the coordinates "0,0" place the signature box in the lower-left corner of the PDF, while the coordinates "595,842" place it in the upper-right corner of an A4 page.

Example PDF with an on-page signature box resulting from this request:

[Figure: On-page signature box example]

Clicking the signature box shows the signature panel in Adobe Reader and activates its standard signature and certificate validation features.

Note:

Sovos recommends using the on-page signature box feature only for Indian e-documents, as it is a common practice there. However, this is considered controversial in many other countries and may lead to audit challenges.

Detached signatures

Sovos supports creating and validating detached CMS signatures.

You should archive the detached signature along with the original document and upload it to the Sovos Audit Page at the same time as the original document.