
Let’s put an end to the confusion around digital signatures and electronic signatures once and for all.
You see, when you scribble your signature, or upload a picture of your signature into a PDF contract, and email it to a client, you haven’t “signed” anything. You’ve just decorated a document. You might as well have pasted a JPEG of a cartoon dog.
90% of the corporate world fundamentally misunderstands what makes a document legally binding, tamper-proof, and secure. Most executives use the terms ‘electronic signature’ and ‘digital signature’ interchangeably, as if they were the exact same thing. They aren’t. An electronic signature on a PDF is like a digital decoration or a sticky note. A digital signature is a cryptographic part of the document itself.
In this Geekswipe edition, let’s explore how this actually works.
So, electronic and digital signatures aren’t the same thing?
No, they aren’t. And the difference is the reason why one holds up in an international court of law while the other will get you laughed out of the room during a dispute.
Electronic signature
An Electronic Signature (commonly known as e-signature) is a legal concept. It is broadly defined as any electronic sound, symbol, or process attached to a document to indicate the intent to sign. Clicking “I Agree” on a Terms of Service? E-signature. Typing your name at the bottom of an email? E-signature. Pasting that photograph of your handwritten signature? That’s an electronic signature too!
An e-signature on its own provides zero proof that the document hasn’t been altered since you signed it. If I take your electronically signed PDF and casually change the invoice amount from $10,000 to $100,000, your signature is still sitting there, looking perfectly happy.
Digital Signature
A Digital Signature, on the other hand, is a mathematical guarantee.
It relies on Public Key Infrastructure (PKI). When you digitally sign a PDF, a cryptographic algorithm takes the entire file, every single character, space, and hidden metadata bit, and hashes it into a unique digital fingerprint. It then signs that hash with your personal private key (an operation often loosely described as encrypting the hash), backed by a verified digital certificate.
Well, that’s a lot to unpack, I know. PDF is a complicated beast.
In layperson terms: once the electronically signed PDF is also digitally signed, if I try to change that $10,000 to $100,000, the underlying byte structure changes. The hash breaks. Any standard PDF reader opening the file detects this and flashes a massive red warning that the document has been tampered with, and the signature is instantly invalidated.
So in summary, an electronic signature proves intent. A digital signature proves identity and integrity.
So, what is a digital seal?
If a digital signature is for a meat-bag like us (a natural, breathing human), a digital seal is for a faceless corporation (a legal entity).
Think about it. You don’t want your poor accounting intern, Dave, personally signing a batch of 50,000 automated invoices. When Dave quits next month, do those invoices lose their chain of trust?
No. You use a digital seal.
Under frameworks like the EU’s eIDAS regulation, a digital seal operates on the exact same cryptographic principles as a digital signature, but the digital certificate is issued to the organisation itself (or commonly to the software companies that orchestrate the electronic signature process and keep tabs on the records). A digital seal guarantees the origin and the integrity of the data. It tells the recipient, “Yes, Omnicorp Inc. actually issued this document, and no, nobody intercepted it and altered the routing numbers.”
PAdES Profiles (aka how paranoid you want to be)
You digitally sign a contract today. It’s rock solid. But what happens in ten years when the certificate authority (a syndicate of companies that the world trusts) that issued your identity goes bankrupt? Or when the specific cryptographic algorithm you used is cracked?
Does your contract suddenly become void?
This is where the PDF Advanced Electronic Signatures (PAdES) standard comes in. PAdES is a set of profiles defined by the European Telecommunications Standards Institute (ETSI) that dictate exactly how cryptographic data is embedded into a PDF to ensure it survives the test of time.
It operates in levels of escalating paranoia!
PAdES-B-B (Basic)
This is the ground floor. It simply embeds the signature and the certificate into the PDF. It proves that the certificate was mathematically valid at the exact moment of signing. But if that certificate expires a year later, verifying it becomes a nightmare.
PAdES-B-T (Time)
Basic + a cryptographic Timestamp. Instead of relying on your computer’s local clock (which anyone can change), this level hits a trusted Time Stamping Authority (TSA) server (usually provided by the Certifying Authority for free). It permanently injects a cryptographic proof of the exact millisecond the document existed in that state.
PAdES-B-LT (Long Term)
Now we are getting serious. What if the server that holds the certificate revocation list (a list that says whether your ID was stolen) goes offline in five years? PAdES-B-LT fixes this by downloading all the validation material (certificates, Online Certificate Status Protocol (OCSP) responses, Certificate Revocation Lists (CRL)) and embedding them directly into the PDF file itself.
The PDF becomes a self-sufficient time capsule. It never needs to phone home to the internet to prove its validity.
PAdES-B-LTA (Long Term Archival)
This is the doomsday prep tier for long-term archival. It takes the LT profile and slaps a brand new “document timestamp” over the entire package, including the validation material.
Why? Because cryptography decays.
Over decades, algorithms become weak. PAdES-B-LTA allows you to periodically re-timestamp the document with newer, stronger algorithms before the old ones are compromised. A contract signed in 2026 can be systematically refreshed to remain mathematically airtight in 2075.
But note that these profiles will not magically protect the PDF from data decay like bit rot. A PDF is just a file container. You need a filesystem like ZFS to protect a PDF from bit flips.
Are PDF signatures evolving?
The PDF format is practically ancient in internet years, but the cryptography behind it is in a state of constant evolution. There are two major shifts happening right now that most people are completely blind to.
Incremental saving
Right now, the biggest threat to a digitally signed PDF is human error and ignorance. If you open a signed PDF, add a comment, and click ‘Save As’, your computer rewrites the entire byte structure of the file from scratch. The original cryptographic hash is thrown out the window. The digital signature dies.
The future of PDF software development is forcing strict adherence to ‘Incremental Saves’.
Incremental saving appends new data (like a second person’s signature) to the end of the file without touching the original byte sequence. A standard PDF viewer would then show: “The original contract is untouched, but this new layer contains a valid annotation”.
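The byte-level behaviour described above (a rewritten file breaks the hash, an incremental save leaves the signed bytes alone), as an added example that is not from the original article. It goes one step beyond the text by using the /ByteRange entry of a PDF signature, which covers the signed revision except the slot holding the signature value itself. The sample bytes are constructed, the function names are hypothetical, and the public-key verification of the signature is assumed to have been done already.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_digest(pdf: bytes):
    """SHA-256 over the two byte ranges the first signature covers, plus
    the offset where that signed revision ends."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange: nothing in this file is digitally signed")
    a, la, b, lb = map(int, m.groups())
    if a != 0 or b < la or b + lb > len(pdf):
        raise ValueError("ByteRange does not fit the file")
    return hashlib.sha256(pdf[:la] + pdf[b:b + lb]).digest(), b + lb

def check(pdf: bytes, digest_at_signing: bytes) -> str:
    """digest_at_signing stands in for the digest a real validator recovers
    from the signature in /Contents after verifying it with the signer's
    certificate (that public-key step is out of scope here)."""
    try:
        digest, end = signed_digest(pdf)
    except ValueError:
        return "INVALID"
    if digest != digest_at_signing:
        return "TAMPERED"
    # Bytes after the signed revision are not covered by this signature;
    # a validator has to judge them separately.
    return "VALID" if end == len(pdf) else "VALID, LATER INCREMENTAL UPDATE"

def build_sample() -> bytes:
    """Constructed, PDF-like sample (not a complete PDF): one signature
    dictionary whose /Contents placeholder is the only unsigned gap."""
    pre = (b"%PDF-1.7\n1 0 obj << /Invoice (Amount due: $10,000) >> endobj\n"
           b"2 0 obj << /Type /Sig /ByteRange [")
    hole = b"<" + b"0" * 64 + b">"          # where the signature value goes
    tail = b" >> endobj\n%%EOF\n"
    head = lambda la, b, lb: pre + b"0 %010d %010d %010d] /Contents " % (la, b, lb)
    la = len(head(0, 0, 0))                  # fixed-width numbers keep offsets stable
    return head(la, la + len(hole), len(tail)) + hole + tail

SIGNED = build_sample()
DIGEST = signed_digest(SIGNED)[0]
EDITED = SIGNED.replace(b"$10,000", b"$100,000")                  # amount rewritten
APPENDED = SIGNED + b"3 0 obj << /Annot (ok) >> endobj\n%%EOF\n"  # incremental save

if __name__ == "__main__":
    for name, pdf in [("signed", SIGNED), ("edited", EDITED), ("appended", APPENDED)]:
        print(name, "->", check(pdf, DIGEST))
```
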
Post-quantum cryptography
Every digital signature today relies on asymmetric cryptography, mostly algorithms like RSA or Elliptic Curve (ECDSA).
Here is the inconvenient truth! A sufficiently powerful quantum computer will break these algorithms in seconds. For example, a quantum algorithm like Shor’s algorithm will derive your private key from your public key, allowing anyone to forge a perfectly valid digital signature in your name.
The digital signature industry knows this.
The most critical future development happening in PAdES right now is the migration toward Post-quantum cryptography (PQC). We are looking at a near-future where standards will mandate quantum-resistant algorithms (like lattice-based cryptography) for any document requiring Long Term Archival (LTA) status.
At work, I am currently dealing with digital seals and PAdES LTA profiling for an e-signature company. And note that I say this as a product manager in the industry. If your digital document infrastructure isn’t preparing to support quantum-resistant embedded signatures within the next few years, you are essentially building a bank vault out of wet cardboard.
Good article! Thank you for this write up. I just printed this to discuss digital seals for my team.
You should check about chameleon signatures. It’s a new type of cryptography that is quantum safe. Surprised how you did not pick that up.
Hi Robert. Thanks for bringing this up. I did come across it during my research; I figured I’d write a separate article on it someday, along with other post-quantum cryptographic algos.
So digital signatures and digital seals are the same? Aren’t they called electronic seals?
@Neve Yes they are the same. Read the article fully. They have mentioned it clearly that seal is for organisations while digital sign is for person.
Seals are for organizations and departments.
Well explained! My professor keeps confusing electronic and digital signatures. Shared this to help him understand the difference. Thanks.
Happens at my university too. The terminologies ‘digital’ and ‘electronic’ are truly interchangeable except not in this sense.