Internal versus external signatures - CAdES, XAdES or PAdES? A comparison of internal and external signatures. (Part 2)

Data in XML format, ZIP archives or huge files - it is not always possible to conveniently sign them with a standard PAdES signature. In such situations, it is worth reaching for an external signature (e.g. XAdES or CAdES) - find out what it consists of and when it is the best solution.

In an earlier section we described PAdES and XAdES. Now it's time for CAdES - we look at how internal and external signatures work in this format and what applications it has in business.

A qualified electronic signature can be placed inside a document (internal signature) or as a separate file (external signature). Both forms provide the same level of security, but differ in terms of technology and practicality in use.

In the first part of this article, we described in detail the differences between internal and external signatures using the PAdES and XAdES formats as examples. Now we will look at another format - CAdES - and give practical advice on when an external signature works better and when an internal one does.

CAdES format - CMS/PKCS#7 signature (internal or external)

CAdES (CMS Advanced Electronic Signature) is another qualified signature format, based on the Cryptographic Message Syntax (PKCS#7) standard.

In practice, CAdES most often takes the form of a cryptographic envelope with the extension .p7m, .p7s or .sig, which contains the signed data or references to it. This format is versatile in terms of file types - it allows signing any binary data: text documents (DOC/XLS), images, PDF files, ZIP archives, and even large data sets or executable files. Thanks to this versatility, CAdES is sometimes used in communication between IT systems and in business solutions requiring the signing of unusual files.

With CAdES, the signature can be internal (enveloping) - a single .p7m file is created, which contains the original document together with the signature. Such a file is self-contained and easy to upload as a single item, but it requires special software to open (the average user will not open a .p7m without a dedicated application). Alternatively, CAdES can act as an external signature - the original file remains unchanged, and a signature file (e.g., with a .p7s or .sig extension) is generated separately, similar to XAdES. Both methods are eIDAS-compliant; the choice depends on your needs. Many signature programs (e.g. Certum) allow you to choose either "external signature" or "internal signature" in CAdES format.

Advantages of the CAdES format

  • Any file type - CAdES can be used to sign virtually any type of electronic data. It is the best choice if we need to sign a file that cannot be easily covered by another format (e.g. a non-standard binary format).

  • One extension for different data - a .p7m signature file can contain a document of any format, making it easy to standardize. Whether signing a PDF or AVI, the result is .p7m.

  • Compact signature - CAdES generates a relatively small data overhead. A signature (regardless of the size of the original) typically has a volume of a few kilobytes. It is memory-efficient and quick to verify, thanks to a defined, binary signature structure.

  • Popularity in systems - although end users are less likely to consciously choose CAdES, the format is widely used inside applications and services (e.g. for signing data packets, electronic invoices, server-to-server communications). Its advantages are appreciated by automated solutions - e.g., signing and verifying a large number of table files can be implemented precisely in CAdES for efficiency.

Limitations of the CAdES format

  • Requires dedicated reading software - the person receiving the .p7m file will not preview its contents without using a special signature verification application. For an untrained recipient, this can be confusing - the signature file will not open like a regular document, raising questions of "how to sign/read it?". It is necessary to use a verification tool (such as the signature provider's program).

  • No visible seal in the document - the CAdES signature is completely separate from the content of the document and offers no graphical representation of the signature in the content itself (you cannot see the "signature" on the printout or file preview). If you care about the visual effect of the signature on the document, CAdES will not provide this.

  • Difficulties with multiple signatures - in a scenario where several people are to sign the same document, the internal variant of CAdES produces a "matrix" (nesting) effect. Each successive signature creates a new .p7m file containing the previously signed file inside - nested envelopes of signatures. As a result, handling multiple signatures on a single document becomes cumbersome (successive layers of signatures). In XAdES or PAdES format there is no such problem - there you can add signatures without wrapping the file in successive layers.

  • Less popular among users - most people associate signing with PDF files (PAdES) or possibly with .xml files (XAdES). CAdES as .p7s/.p7m is less intuitive for the average user. As a result, if you send a counterparty a signed document in CAdES format, he or she may not know how to open or verify it - instruction is sometimes necessary. That's why CAdES is more often used in established business relationships or inside systems, where parties know how to handle such a signature.
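The internal/external distinction and the nested envelopes described above are both visible in the file structure: in CMS SignedData (RFC 5652) an internal signature carries the document in the optional eContent field, while an external one omits it. The Python code below is an added example, not taken from the article or from any vendor's software; it assumes definite-length DER input, uses constructed, unsigned sample structures built by the hypothetical helpers `tlv` and `sample_signed_data`, and inspects structure only without verifying any signature.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def encapsulated_content(der):
    """Signed document bytes (internal signature) or None (external signature)."""
    tag, content_info, _ = read_tlv(der)
    ctag, oid, pos = read_tlv(content_info)
    if tag != 0x30 or ctag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not CMS SignedData")
    _, wrapper, _ = read_tlv(content_info, pos)   # [0] EXPLICIT
    _, signed_data, _ = read_tlv(wrapper)         # SignedData SEQUENCE
    _, _, pos = read_tlv(signed_data)             # version
    _, _, pos = read_tlv(signed_data, pos)        # digestAlgorithms
    _, encap, _ = read_tlv(signed_data, pos)      # encapContentInfo
    _, _, pos = read_tlv(encap)                   # eContentType
    if pos == len(encap):
        return None                               # eContent absent: external signature
    return read_tlv(read_tlv(encap, pos)[1])[1]   # [0] EXPLICIT -> OCTET STRING

def unwrap(der):
    """Peel nested envelopes: (signature layers, innermost document or None)."""
    layers, payload = 0, der
    while payload is not None:
        try:
            inner = encapsulated_content(payload)
        except (ValueError, IndexError):
            break                                 # payload is not SignedData: the document
        layers, payload = layers + 1, inner
    return layers, payload

def tlv(tag, body=b""):  # DER encoder, used only to build the constructed samples
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_signed_data(content=None):
    """Constructed SignedData skeleton with empty signerInfos (not a valid signature)."""
    econtent = b"" if content is None else tlv(0xA0, tlv(0x04, content))
    body = tlv(0x02, b"\x01") + tlv(0x31) + tlv(0x30, tlv(0x06, OID_DATA) + econtent) + tlv(0x31)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, body)))
```

A layer count above 1 from `unwrap` corresponds to the nested multi-signature case; a verifier has to validate the signature at every layer, not only the outermost one.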

When to use an internal signature and when to use an external one?

The choice between internal and external signatures depends on the context of use of the document and the requirements of the recipient. Here are some practical tips:

  • Documents for people (e.g., contracts, letters in PDF) - when sending a signed document to a person who simply needs to read it and be sure of its authenticity, an internal signature in PAdES format works best. The recipient receives a single PDF file, which he or she can easily open, and the program (such as Acrobat Reader) will immediately show information about the validity of the signature. This is the easiest way to sign a document in business and government. An external signature in this case could only complicate the situation (you would have to attach two files and explain how to verify them).

  • Documents in formats other than PDF - if we need to sign a non-PDF file, we have a choice of XAdES or CAdES. Here the choice between internal and external depends on the circumstances. If the document is to go to an office or system that requires a specific format (e.g., many e-government platforms only accept XAdES signatures as a separate file when XML is used), then we use an external XAdES signature as required. On the other hand, when we sign, for example, a Word file for internal company use, internal CAdES can be considered - the result is a .p7m file containing the document, which colleagues will verify in their software. However, if the recipient of such a file may have difficulty opening the .p7m, an alternative is to sign externally (a separate .sig) and leave the original DOCX - but then you need to make sure that the two parts are not separated.

  • Large files - for large documents (tens of MB) it is often recommended to use an external signature. Why? Because with an internal signature, a new file is created containing the entire original plus the signature, which doubles the amount of data to be transferred and stored. An external signature, on the other hand, is tiny (on the order of a few to tens of kB) and can be transferred separately. In practice, vendors indicate that the external signature will better handle files larger than ~25 MB. For files of that size, an internal signature could be troublesome (e.g., it won't fit into the email attachment limit or the platform will refuse to accept a file that is too large). Using an external signature, we transfer the large original file without modification, and the signature as a separate small file - which is sometimes a practical solution.

  • Formal and system requirements - It's always a good idea to check what formats and types of signatures are accepted by the recipient or the system to which you are submitting the document. Some institutions explicitly specify that, for example, PDF documents should be signed with PAdES, and XML forms - with an external XAdES signature (a separate file), or require a specific standard (e.g. ASiC). In such situations, the decision is imposed by requirements in advance. Fortunately, most e-signature software allows you to easily switch the format and type of signature according to your needs - just select the appropriate options before signing.

In summary, an internal signature works well where you value single-file convenience and readability (mainly PDF/PAdES for typical documents), while an external signature is indispensable in scenarios that require flexibility - with different file formats, automated data processing or very large attachments. However, regardless of the method chosen, both types of signatures guarantee the same level of security and legal validity derived from a qualified certificate.

It's crucial that the recipient can verify the signature - so always provide all necessary files and instructions when using less obvious forms (such as .xades or .p7m). With this knowledge, we can consciously choose the format and signature type best suited to the situation, ensuring both convenience and compliance.

 
