Zefort Sign e-signature technical information

This article describes on a technical level how Zefort implements electronic signatures and how the implementation corresponds to industry standards. For more information on our security practices, see www.zefort.com/security or contact security@zefort.com.

PDF signature page

While the person creating the signing request in Zefort may upload a document in various formats, Zefort always automatically converts the document to PDF format.

After the signatures have been completed by all parties, Zefort adds a new signature summary page to the end of the document. Each signature is visible on the page, showing the name of each signer, date and time of the signature and the authentication level used to verify the signer’s identity.

In basic email authentication, the name shown on the signature page is the name defined in Zefort when creating the signature request.

In strong authentication, the name shown on the signature is fetched from the authentication service being used.

PDF cryptographic seal

In addition to the visible signatures, the signed PDF is cryptographically sealed and protected against tampering and modifications.

Zefort embeds digital signatures, one for each signer. The signatures are standard PDF digital signatures. The PDF format defines two types of digital signatures: approval and certification. To allow for multiple signatures, Zefort always uses PDF approval signatures. After the final signature, no more signatures can be added and the document is locked to prevent further modifications.

The resulting PDF also conforms to the “PDF Advanced Electronic Signature” (PAdES) specification.

A signed document can be viewed in any regular PDF reader. Some readers, such as Adobe Reader, show that the document is signed, check the cryptographic integrity of the signatures, and verify that the certificates are valid.

Each digital signature is a PAdES Baseline-LT (B-LT) level electronic seal, backed by a qualified certificate. This means the signature provides Long-Term Validation (LTV). The signatures incorporate all the material or references to material required for validating the signature.

Signatures also include an embedded qualified timestamp, to reliably indicate the date and time when the signature was created.

Verifying signatures made with Zefort Sign

In practice, the standards-based approach Zefort has taken means that anyone in possession of a document signed with Zefort will be able to verify the signatures without any co-operation from Zefort, using standard methods and tools.

You can validate a signature in your PDF reader application, such as Adobe Reader, or online at DSS Demonstration WebApp (europa.eu).

Use of third party data processing

Zefort may use third party vendors to host hardware and software to generate the digital signatures. However, under no circumstances does Zefort send entire documents to such third parties, only SHA256 digests of the material being signed.

Zefort uses third parties for timestamping; either a qualified trust service provider or other trusted timestamp service provider.

For strong user authentication, Zefort uses identification brokering services from Telia Finland Oyj.

For more information about Zefort security practices, including third party data processors, see Zefort practices on Security & Compliance.