In an earlier post we discussed the two basic electronic signature formats, XAdES and PAdES, most commonly used for qualified e-signatures. Continuing this topic, we address another important issue: internal and external signatures.
Whether an electronic signature is embedded in a file or saved as a separate file is of great practical importance - especially when signing large files or working with complex ICT systems.
In this article, we explain what qualified internal and external signatures are and what they mean in the context of different formats (PAdES, XAdES, CAdES). We outline their main pros and cons, and suggest when it's a good idea to use each of these solutions.
What is an internal signature and what is an external signature?
An internal signature is one that is incorporated directly into the document being signed. To put it simply: when you sign a file with an internal signature, you get a single file containing both the content of the document and the signature information (certificate, timestamp, etc.). Internal signatures are available in the PAdES and XAdES standards, among others: both allow the e-signature to be placed inside the signed file. For example, a PAdES signature is always stored together with the PDF in one file, while XAdES can embed the signature as an element in the XML structure of the original document.
An external signature, on the other hand, is a separate file: once the document is signed, you get two (or more) files, the original document and a separate file with the digital signature. This external file (e.g., with a .xades or .sig extension) contains the cryptographic data confirming the signature, but does not contain the contents of the original document. Qualified external signatures can be created in the XAdES or CAdES formats. In practice, this means that to verify the signature and the content, the recipient must have both parts, the document and the signature file. The absence of either makes it impossible to verify the authenticity of the signature and the contents of the document.
The difference between internal and external signatures boils down to the way the signature is placed - either inside the signed file or as a separate companion file.
However, it is important to emphasize that legally the two types are equivalent. Both qualified internal and external signatures meet the requirements of the eIDAS regulation and are considered legally binding. Thus, the choice of signature type mainly affects technical and usability issues - e.g., ease of storage, verification or transmission of documents - rather than the legal force of the e-signature itself.
Both types of signature support add-ons such as timestamps and signature policies, which enhance long-term security.
PAdES format - signature in PDF file (internal signature)
PAdES (PDF Advanced Electronic Signature) is a qualified signature format designed exclusively for PDF files. In this standard, the electronic signature (and the signer's certificate) is embedded in the structure of the PDF - it becomes an integral part of the document. As a result, everything needed for verification is contained in a single file that can be opened in popular programs like Adobe Reader. What's more, PAdES makes it possible to add a visual representation of the signature on the document page (e.g., a graphic seal or signature information), which increases readability and makes the e-signature more similar to a handwritten signature on paper.
Advantages of the PAdES format
- One self-contained PDF file - the signed content and the digital signature are integrated into the document. There is no need to include separate signature files.
- A visible graphic annotation appears in the document indicating the signature, making it easier for the recipient to identify the signed file.
- Integrity - The PAdES signature protects the document from modification after signing. Any change to the content of the PDF will invalidate the signature, so the recipient is assured that the document has not been altered.
- Ability to make multiple signatures in a single PDF - several people can sign the same file consecutively, and previous signatures will remain valid (subsequent signatures do not invalidate previous ones).
- Ease of use and verification - A PDF with a PAdES signature can be opened in a standard PDF viewer, and information about the validity of the signature is usually automatically shown. This makes PAdES the easiest solution for typical business and administrative situations.
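The "previous signatures remain valid" property comes from the way PAdES signatures are applied as incremental updates: each signature covers the bytes of the file as it existed when that signature was made, and later signers only append. The following Go program is an added illustration, not code from this article, from Adobe or from any PDF library: it replaces PDF syntax with a byte slice plus a list of appended records, and uses Ed25519 keys (`keyFor`, a constructed test key) instead of qualified certificates, but the verification logic, each record checked against its own byte range, is the point.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Signature is one record appended to the file. In a real PDF this is a
// signature dictionary whose ByteRange covers everything written before it.
type Signature struct {
	Signer    string
	PublicKey ed25519.PublicKey // a real record carries the signer's certificate
	Value     []byte
}

// SignedFile models a PDF signed incrementally: Content is the original
// revision, and every later signature is appended, never rewritten.
type SignedFile struct {
	Content    []byte
	Signatures []Signature
}

// covered returns the bytes that signature number n is computed over:
// the content plus every record that preceded it.
func (f *SignedFile) covered(n int) []byte {
	out := append([]byte{}, f.Content...)
	for _, s := range f.Signatures[:n] {
		out = append(out, s.Signer...)
		out = append(out, s.PublicKey...)
		out = append(out, s.Value...)
	}
	return out
}

// AddSignature appends a new record covering the whole current file.
func (f *SignedFile) AddSignature(signer string, priv ed25519.PrivateKey) {
	msg := f.covered(len(f.Signatures))
	f.Signatures = append(f.Signatures, Signature{
		Signer:    signer,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Value:     ed25519.Sign(priv, msg),
	})
}

// Verify checks every record against the byte range it covers and returns
// one result per signature, in signing order.
func (f *SignedFile) Verify() []bool {
	res := make([]bool, len(f.Signatures))
	for i, s := range f.Signatures {
		res[i] = len(s.PublicKey) == ed25519.PublicKeySize &&
			ed25519.Verify(s.PublicKey, f.covered(i), s.Value)
	}
	return res
}

// keyFor derives a fixed, constructed test key from a seed byte.
func keyFor(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}

func main() {
	f := &SignedFile{Content: []byte("Contract text (constructed sample)")}
	f.AddSignature("Alice", keyFor(1))
	f.AddSignature("Bob", keyFor(2))
	fmt.Println("after two signatures:", f.Verify()) // [true true]
	f.AddSignature("Carol", keyFor(3))
	fmt.Println("after a third one:", f.Verify()) // [true true true]
	f.Content = append(f.Content, " + unauthorised clause"...)
	fmt.Println("after editing content:", f.Verify()) // [false false false]
}
```

The last step in `main` is the caveat a validator has to cover: a later signer may append, but if any byte in an earlier covered range is rewritten, every signature over that range fails, which is the integrity guarantee the list above describes.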
Limitations of the PAdES format
- For PDF only - the PAdES format works only with PDF documents. If we need to sign a file of another type (e.g. DOCX, XML, JPG), it will be necessary to convert it to PDF or use another signature format.
- File size - although the digital signature itself takes up little space, with very large PDF files, embedding the signature increases the file size (the entire signed file, which can be tens or hundreds of MB, must be transmitted). In some situations, such as with the limitations of email systems or ePUAP, this can make transmission difficult. (In such cases, an external signature is sometimes the solution, as discussed further below).
- Lack of versatility - PAdES is great for PDF documents, but will not work where PDF is not accepted or where a different data structure is needed. In that case, you should reach for XAdES or CAdES.
XAdES format - XML signature (internal or external)
XAdES (XML Advanced Electronic Signature) is a universal electronic signature format based on the XML standard. Its advantage is flexibility: virtually any type of file can be signed using XAdES, from text documents (DOCX, ODT) and PDFs, through images (JPEG, PNG), spreadsheets and ZIP archives, to binary or XML data. In the case of structured data (XML), XAdES is even preferred, because it allows computer systems both to verify the signature and to parse the contents of the document automatically. For this reason, XAdES is sometimes required for electronic submission of forms and applications to institutions (e.g., PIT tax returns, Social Security applications), where data from the document is to be loaded into the computer system.
XAdES offers both internal and external signature modes. If you are signing an XML file, the XAdES signature can be embedded as an element inside that file (an internal signature, called an enveloped signature in XMLDSig terminology). For other file types (e.g., PDF, DOCX, JPG), an external XAdES signature is usually used: signing produces the original file plus a separate .xades file containing the signature. This separation causes some inconveniences: when signing, for example, a PDF in XAdES format, you always have to provide the recipient with two files and make sure that they verify the signature together with the document. Omitting the signature file or associating it with the wrong document will result in the signature not being considered valid. It is true that it is possible to create a single .xades file containing both the signature and the encoded content (e.g., a PDF in binary form), known as a surrounding (enveloping) signature, but such a file is not directly readable by the user (the original document has to be extracted from it first), so it is not very convenient in practice.
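To make the three placements concrete, here is an added Go example that is not part of the original article and is not code from any XAdES library or signature provider. Ed25519 keys and JSON records stand in for the certificate-based signatures and XML structures of a real qualified signature; `SampleDocument`, `DemoKey` and the record layouts are constructed for the illustration. It covers both the internal/external distinction from the opening section and the three XAdES modes described above: a detached (external) signature that verifies only when both the document and the signature file are present and unaltered, an enveloping ("surrounding") file from which the original must be extracted before it can be read, and an enveloped (internal) signature whose signed bytes are the document with the signature element removed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed sample document; stands in for the XML/PDF/DOCX being signed.
var SampleDocument = []byte(`<invoice><no>FV/2024/0001</no><amount>100.00</amount></invoice>`)

// DemoKey is a fixed, constructed test key; a real signer's key is bound to
// a qualified certificate held on a card or in an HSM.
func DemoKey() ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
}

// SignatureBlock stands in for the cryptographic part of a .xades file: the
// signer's public key (a real file carries the certificate) and the value.
type SignatureBlock struct {
	PublicKey string `json:"public_key"`
	Signature string `json:"signature"`
}

func newBlock(priv ed25519.PrivateKey, signed []byte) SignatureBlock {
	enc := base64.StdEncoding.EncodeToString
	return SignatureBlock{enc(priv.Public().(ed25519.PublicKey)), enc(ed25519.Sign(priv, signed))}
}

// check verifies blk over signed without panicking on malformed input.
func check(blk SignatureBlock, signed []byte) bool {
	pub, err1 := base64.StdEncoding.DecodeString(blk.PublicKey)
	sig, err2 := base64.StdEncoding.DecodeString(blk.Signature)
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), signed, sig)
}

// Detached (external): the signature file holds no content, so verification
// needs both artefacts; a missing file or a different document fails.
func SignDetached(priv ed25519.PrivateKey, doc []byte) []byte {
	out, _ := json.Marshal(newBlock(priv, doc))
	return out
}
func VerifyDetached(sigFile, doc []byte) bool {
	var blk SignatureBlock
	return json.Unmarshal(sigFile, &blk) == nil && check(blk, doc)
}

// Enveloping ("surrounding"): one file wrapping the encoded content, which
// the reader must extract before it can be read.
type Envelope struct {
	Content string `json:"content"` // base64 of the original document
	SignatureBlock
}

func SignEnveloping(priv ed25519.PrivateKey, doc []byte) []byte {
	out, _ := json.Marshal(Envelope{base64.StdEncoding.EncodeToString(doc), newBlock(priv, doc)})
	return out
}
func OpenEnveloping(container []byte) ([]byte, bool) {
	var env Envelope
	if json.Unmarshal(container, &env) != nil {
		return nil, false
	}
	doc, err := base64.StdEncoding.DecodeString(env.Content)
	return doc, err == nil && check(env.SignatureBlock, doc)
}

// Enveloped (internal): the signature element sits inside the document, so
// the signed bytes are the document with that element removed, as the
// enveloped-signature transform does for XML.
type SignedDoc struct {
	Body      string          `json:"body"`
	Signature *SignatureBlock `json:"signature,omitempty"`
}

func canonical(d SignedDoc) []byte {
	d.Signature = nil
	out, _ := json.Marshal(d)
	return out
}
func SignEnveloped(priv ed25519.PrivateKey, doc []byte) []byte {
	d := SignedDoc{Body: string(doc)}
	blk := newBlock(priv, canonical(d))
	d.Signature = &blk
	out, _ := json.Marshal(d)
	return out
}
func VerifyEnveloped(signed []byte) bool {
	var d SignedDoc
	return json.Unmarshal(signed, &d) == nil && d.Signature != nil && check(*d.Signature, canonical(d))
}

func main() {
	priv := DemoKey()
	altered := bytes.Replace(SampleDocument, []byte("100.00"), []byte("900.00"), 1)
	sigFile := SignDetached(priv, SampleDocument)
	fmt.Println("detached ok / file lost / doc altered:", VerifyDetached(sigFile, SampleDocument),
		VerifyDetached(nil, SampleDocument), VerifyDetached(sigFile, altered))
	doc, ok := OpenEnveloping(SignEnveloping(priv, SampleDocument))
	fmt.Println("enveloping verified, original recovered:", ok, bytes.Equal(doc, SampleDocument))
	fmt.Println("enveloped:", VerifyEnveloped(SignEnveloped(priv, SampleDocument)))
}
```

The verifiers return booleans rather than printing, so the same checks can be driven from a test. The two false results in the detached case, signature file lost and document altered, are exactly the failure modes the paragraph above warns about when a .xades file is separated from or mismatched with its document.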
Advantages of the XAdES format
- Versatility - allows signing documents in formats other than PDF, including non-text files and complex archives. If we need to sign a file that cannot be opened as PDF - XAdES will be the right choice.
- Handling structured data - ideal for XML and similar documents where data content is important in addition to the signature itself. Systems can automatically interpret the data of a signed XML document using XAdES.
- Multiple signatures - XAdES allows you to attach multiple signatures to a single document (e.g., multiple XML signatures in a single file) or to sign multiple files simultaneously with a single external signature. This allows several people to sign the same dataset without creating separate copies of the document.
- Integrity and security - like other formats, the XAdES signature makes it impossible to change data after signing (changing the document will result in inconsistency with the signature).
Limitations of the XAdES format
- Less convenient for regular documents - when signing files that the recipient simply wants to read (e.g., a PDF for a client), using XAdES instead of PAdES is less friendly. The recipient receives a PDF without a visible signature plus a separate .xades file, which they must verify themselves in an appropriate application or service, an extra step that not everyone knows about.
- Risk of separation of the signature from the document - with an external signature, there is a possibility that the signature file is lost or separated from the original document. Then verification of the signature becomes impossible. So you need to be careful when transferring or archiving - always keep the signature with the actual document.
- Verification application required - .xades files cannot be verified without special software or a verification service. Unlike PAdES (a PDF opened in Acrobat Reader with its built-in signature checking), here you need, for example, a dedicated qualified signature program or an online validation platform.
- Less human readability - an XAdES signature (especially an external one) gives no visual indication in the document itself that it has been signed (unless, for example, an informative page is placed inside the PDF). The lack of a graphical representation of the signature may be less intuitive for people accustomed to document signatures.
Continued - in the second part of the article we will discuss the CAdES format and practical tips for choosing the type of signature.
SimplySign and Certum Mini qualified signatures
If you have any concerns or questions, please contact us.
We will answer your questions and arrange a date that suits you with an advisor in Gdansk, Gdynia, Krakow, Warsaw or Wroclaw.
You can also email us at [email protected].