Skip to content

E-Signatures: Aadhaar e-Sign, eIDAS and ESIGN / UETA

The legal and technical landscape of electronic signatures across the major jurisdictions: India's Aadhaar e-Sign and the IT Act 2000 s.3A digital-signature provisions, the EU eIDAS regulation's three signature tiers (simple electronic, advanced electronic, qualified electronic) and the Trust Service Provider model, the US ESIGN Act 2000 and UETA, the UK Electronic Communications Act 2000, the PKI infrastructure (certificate authorities, OCSP and CRL revocation checking, hash algorithms) the digital signatures rest on, and the verification workflow a forensic examiner runs on a contested signed document.

Last updated:

Share

Electronic signatures are legally and forensically distinguished by jurisdiction and technical tier. India's Aadhaar e-Sign binds each signing event to a biometric or OTP authentication through UIDAI and issues a short-validity certificate that expires within 30 minutes, making Long-Term Validation (LTV) data essential for later verification. The EU's eIDAS Regulation 910/2014 creates three tiers (Simple, Advanced, and Qualified), with the Qualified Electronic Signature requiring a hardware-backed QSCD and a certificate from a Trusted List TSP. The US ESIGN Act 2000 and UETA are technology-neutral: no cryptographic method is mandated, and the platform audit trail is the primary forensic resource for contested signatures.

Electronic signature forensics is jurisdiction-sensitive: the legal weight of a signature depends on which statutory framework applies, which tier the document claims, and whether the technical implementation matches that tier. A typed name under US UETA carries no cryptographic assurance. A qualified electronic signature under EU eIDAS Regulation 910/2014 requires a hardware-backed QSCD and a qualified certificate from the EU Trusted List. Both are called "electronic signatures" in commerce, but they are technically distinct categories with different evidentiary implications.

Key takeaways

  • EU eIDAS Regulation 910/2014 defines three tiers: Simple Electronic Signature (SES), Advanced Electronic Signature (AdES), and Qualified Electronic Signature (QES), each with distinct technical requirements and legal effects.
  • India's Aadhaar e-Sign generates a short-validity (30-minute) certificate per signing event, tied to biometric or OTP authentication via UIDAI; Long-Term Validation (LTV) data embedded at signing time is essential for offline historical verification.
  • The US ESIGN Act 2000 and UETA are technology-neutral: no cryptographic method is mandated, and platform audit trails are the primary forensic resource for contested signatures.
  • A PDF ByteRange signature covers only the bytes specified at signing; an incremental update appended afterward is not covered, but does not invalidate the mathematical signature over the originally signed content.
  • Post-Brexit, EU Trusted List mutual recognition no longer applies automatically in UK proceedings; a claimed QES from an EU TSP requires expert evidence of technical validity rather than statutory equivalence.

The examiner's role in contested-signature cases is to determine: what tier of electronic signature is present (or absent) on the document; whether the technical implementation is consistent with the claimed tier and jurisdiction; whether the cryptographic chain remains intact; and whether the timing of the signature is corroborated or contradicted by other evidence in the document and the surrounding metadata. The structural analysis of the PDF that contains these signatures, incremental update detection, ByteRange coverage, XMP versus information-dictionary discrepancies, is covered under PDF metadata forensics and document image authentication. This requires fluency across PKI (Public Key Infrastructure) architecture, the specific statutory framework of the relevant jurisdiction, and the examination workflow for each signature type encountered in casework.

Three signature families dominate international contested-document casework: the Aadhaar e-Sign framework used in India (with its distinctive Aadhaar authentication step and the role of the Controller of Certifying Authorities); the eIDAS three-tier system governing EU member states; and the ESIGN Act plus UETA framework governing US electronic commerce, alongside the UK's Electronic Communications Act 2000 which survived Brexit and continues to govern UK electronic signature validity. Understanding all four is essential for any examiner who works in a jurisdiction that receives commercial documents, contracts, or official records from international counterparties. The same PKI certificate chains also secure the chip data in ICAO 9303 travel documents, making this framework directly relevant to passports, visas, and driving licences: ICAO 9303 and security printing casework.

By the end of this topic you will be able to:

  • Distinguish the three eIDAS signature tiers (SES, AdES, QES) by their technical requirements and legal effects across EU member states.
  • Describe the Aadhaar e-Sign workflow, explain why short-validity certificates always appear expired at verification time, and explain the role of LTV data in historical verification.
  • Explain why a US ESIGN Act-based signature may carry no cryptographic hash on the document and identify what the examiner must assess instead.
  • Trace the four-layer examiner workflow for a contested electronically signed document: document integrity, certificate chain, revocation status, and TSA timestamp.
  • Apply post-Brexit implications to cross-border EU/UK documents where EU Trusted List mutual recognition no longer operates automatically.

PKI Foundations: Certificates, CAs, Hash Algorithms, and Revocation

Public Key Infrastructure (PKI) is the cryptographic architecture that makes digitally verifiable electronic signatures possible. The core concept is asymmetric cryptography: each participant in the system holds a key pair consisting of a private key (kept secret, used to sign) and a public key (distributed widely, used to verify). A signature is created by computing a cryptographic hash of the document being signed (SHA-256 or SHA-384 in current best practice; SHA-1 is deprecated for new signatures across all major frameworks) and encrypting that hash with the signer's private key. The resulting ciphertext is the signature. Any recipient who holds the signer's public key can decrypt the ciphertext, compare the decrypted hash with a freshly computed hash of the received document, and verify that the document has not been altered since signing.

The problem PKI solves is not the cryptographic operation but the identity binding: how does the verifier know that the public key they hold actually belongs to the claimed signer, rather than to an attacker who has substituted their own key? The answer is the X.509 digital certificate: a data structure that binds a public key to a named identity (the subject) and is itself signed by a Certificate Authority (CA). The CA's own certificate is either self-signed (a root CA) or signed by a higher CA (an intermediate CA). The resulting chain from the signer's certificate up through intermediate CAs to a root CA is the certificate chain. A verifier who trusts the root CA (because it is pre-installed in their operating system's trust store, or is on a government-mandated trusted list) can verify every link in the chain.

Hash algorithm choice matters forensically. SHA-1 collision attacks were practically demonstrated in 2017 (the SHAttered attack, CWI Amsterdam and Google Research). Documents signed with SHA-1 certificates before 2016 were issued in a context where SHA-1 was still widely considered acceptable, but signatures on documents claimed to be from before 2010 that use SHA-256 may be anachronistic if the claimed authoring application did not support SHA-256 at that date. NIST deprecated SHA-1 for generating new digital signatures in SP 800-131A (2011), disallowing it after 2013; FIPS 186-4 (2013) continued to list SHA-1 as a permitted hash function. The CA/Browser Forum required all publicly trusted CAs to stop issuing SHA-1 certificates after January 2016. The examiner should verify that the hash algorithm used in each certificate in the chain is consistent with the claimed issuance date.

Revocation is the mechanism by which a CA declares that a certificate is no longer valid before its scheduled expiry date (typically because the private key was compromised, or the certificate was issued incorrectly). Two revocation mechanisms exist. The Certificate Revocation List (CRL) is a signed list of revoked certificate serial numbers published by the CA at a URL embedded in the certificate's CRL Distribution Points extension; verifiers download the CRL and check whether the certificate's serial number appears. The Online Certificate Status Protocol (OCSP) is a real-time query protocol in which the verifier sends the certificate's serial number to the CA's OCSP responder and receives a signed "good", "revoked", or "unknown" response. In PDF signature contexts, OCSP stapling embeds the OCSP response alongside the signature at signing time, preserving the revocation status as of the signing date even if the OCSP responder is later taken offline.

India: IT Act 2000 Section 3A and the Aadhaar e-Sign Framework

India's foundational electronic signature legislation is the Information Technology Act 2000, which established the concept of the digital signature (section 3, using asymmetric cryptography and a hash function) and the electronic signature (section 3A, introduced by the IT Amendment Act 2008, which broadened the definition to include any technique that is reliable and appropriate for the purpose). The Controller of Certifying Authorities (CCA), operating under the Ministry of Electronics and Information Technology (MeitY), is the root trust anchor for India's PKI hierarchy and maintains the National Repository of Digital Certificates (NRDC).

Aadhaar e-Sign is a specific electronic signature service authorised under the UIDAI (Unique Identification Authority of India) framework and the Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015. The workflow is as follows: the user is authenticated by their Aadhaar number and either a biometric (fingerprint or iris scan) or an OTP (one-time password sent to the Aadhaar-registered mobile number); upon successful authentication, UIDAI's Aadhaar Signing Service (ASP and ESP, Application Service Provider and e-Sign Service Provider) generates a temporary signing key pair on behalf of the user, obtains a short-validity certificate (typically valid for 30 minutes) from a licensed Certifying Authority, signs the document with the temporary private key, and immediately discards the private key. The resulting signature is backed by a CA certificate whose subject identity is drawn directly from the UIDAI's Aadhaar database.

The forensic significance of this architecture is substantial. First, the signature certificate's subject name and Aadhaar identity are bound at the time of each signature event, not at a one-time certificate issuance; the signer cannot deny awareness of the specific signing event. Second, the UIDAI logs each signing transaction (date, time, document hash, Aadhaar number) with a retention period sufficient for evidentiary access under court order. Third, the short certificate validity means that an Aadhaar e-Sign certificate presented for verification will always show as expired when verified without a trust anchor configured to accept historical OCSP staples or long-term validation (LTV) data embedded at signing time. The examiner must understand LTV validation and the role of archived OCSP responses to correctly verify older Aadhaar e-Sign documents.

In the Bharatiya Sakshya Adhiniyam (BSA) 2023 (which replaced the Indian Evidence Act 1872), electronic records and electronic signatures are addressed in sections 57 to 59. Section 63 of the BSA provides for the admissibility of electronic records in evidence subject to an electronic record certificate (the former section 65B certificate under the Indian Evidence Act). Courts have interpreted the Supreme Court's ruling in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) as requiring the person producing the certificate to be able to speak to the electronic record's integrity, which the Aadhaar e-Sign log and the LTV-embedded OCSP response together support.

Aadhaar e-Sign workflow: user authenticates via biometric or OTP; UIDAI ASP generates a temporary key pair; a Certifying Auth
Aadhaar e-Sign workflow: user authenticates via biometric or OTP; UIDAI ASP generates a temporary key pair; a Certifying Authority issues a short-validity certificate; the document is signed and the private key discarded. The UIDAI transaction log is the primary evidence record.

EU eIDAS: Three Tiers, the Trusted List, and the QSCDs

EU Regulation 910/2014 (eIDAS) establishes three tiers of electronic signature, each with distinct technical requirements and legal effects. The Simple Electronic Signature (SES) is any data in electronic form that is attached to or logically associated with other data, and that the signatory uses to sign. A scanned handwritten signature, a typed name, a click-wrap agreement checkbox: all qualify as SES. SES carries no cryptographic assurance; its legal weight depends entirely on context and the broader evidentiary record.

The Advanced Electronic Signature (AdES) must meet four requirements under eIDAS Article 26: it is uniquely linked to the signatory; it is capable of identifying the signatory; it is created using electronic signature creation data (the private key) that the signatory can use with a high level of confidence under their sole control; and it is linked to the signed data in such a way that any subsequent change in the data is detectable. In practice, an AdES is implemented via a PKI signature with an appropriate certificate, but the certificate does not need to be a qualified certificate from the Trusted List. Most commercial electronic signature platforms (DocuSign, Adobe Sign, Skribble, SignNow) issue signatures at the AdES level in EU deployments.

The Qualified Electronic Signature (QES) carries the highest technical bar and the most significant legal effect. Under eIDAS Article 25(2), a QES has the equivalent legal effect of a handwritten signature across all EU member states. A QES must: be created by a Qualified Signature Creation Device (QSCD); be backed by a qualified certificate issued by a Trust Service Provider (TSP) on the EU Trusted List; and include a timestamp from a qualified timestamping authority on the Trusted List. A QSCD is a hardware or software device (most commonly a hardware security module, a USB token such as SafeNet eToken, or a remote HSM operated by the TSP) that stores the private key such that it cannot be extracted, ensuring that the key is under the sole control of the signatory.

The EU Trusted List (the EUTL, maintained by the European Commission at the esignature.europa.eu portal) lists all TSPs per member state that are permitted to issue qualified certificates or provide qualified timestamping. An examiner verifying a claimed QES must confirm that the issuing CA appears on the EUTL as a qualified TSP for the relevant service type at the claimed signing date: TSPs can be added to or removed from the list, and a certificate issued by a TSP after its removal from the list does not carry QES status.

TierTechnical basisCertificate requiredLegal effect (EU)Typical use
Simple Electronic Signature (SES)Any data linked to signature act (typed name, click, image)None requiredNot equivalent to handwritten; admissible but weight depends on contextConsumer click-wrap, email sign-off, informal commercial agreements
Advanced Electronic Signature (AdES)Asymmetric cryptography; detectable alteration post-signing; key under signatory's sole controlAny PKI certificate; not required to be qualifiedAdmissible; weight depends on certificate quality and contextCommercial contracts, regulated documents in many member states
Qualified Electronic Signature (QES)AdES requirements plus QSCD for key storage plus qualified certificate from EUTL TSPQualified certificate from Trusted List TSP mandatoryLegally equivalent to handwritten signature in all EU member statesNotarial acts, real estate transactions, regulated financial contracts

United States: ESIGN Act 2000 and UETA

The Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001 et seq.) was enacted in 2000 and established a federal baseline: no electronic signature may be denied legal effect solely because it is in electronic form. The Uniform Electronic Transactions Act (UETA), adopted in its model form by 49 US states and the District of Columbia (New York uses its own Electronic Signatures and Records Act, ESRA), provides the state-level parallel: an electronic record or electronic signature satisfies a requirement for a signature under applicable state law.

Neither ESIGN nor UETA mandates any specific technology. A handwritten signature on a tablet, a biometric voice signature, an asymmetric-key digital signature, a shared-secret OTP confirmation: all can constitute valid electronic signatures under ESIGN/UETA, provided the parties have agreed to transact electronically and the signer has demonstrated intent to sign. This technology-neutral approach differs substantially from eIDAS, which creates distinct legal tiers by technology type. The forensic consequence is that a US examiner investigating a contested electronic signature must evaluate: the evidence of the signatory's intent (click-to-agree logs, audit trails, email chains); the integrity of the document from the time of signing (hash logs, audit trail hashes); and the reliability of the electronic signature system's own record-keeping.

Commercial electronic signature platforms operating in the US market (DocuSign, Adobe Acrobat Sign, HelloSign, PandaDoc) maintain detailed audit trails including: the signatory's IP address, geolocation, device fingerprint (user-agent string), email address used for notification, timestamp of each signing event, and a hash of the signed document at the time of signing. These audit trails are themselves electronic records subject to the same evidence admissibility rules and are a primary forensic resource in contested-signature litigation. In federal court, ESIGN audit trail evidence is typically introduced under Federal Rule of Evidence 803(6) (records of a regularly conducted activity) through a qualified witness from the platform provider.

Courts have generally accepted electronic signature audit trails as reliable. In Nortek Controls Corp. v. Acuity Brands Inc. (US District Court, N.D. Cal., 2019), the court accepted a DocuSign audit trail as establishing that the signatory had electronically signed the document at the claimed time. In Phison Electronics Corp. v. Kingston Technology Co. (C.D. Cal., 2017), the court examined the authenticity of an electronically signed NDA. In the UK, the Law Commission's 2019 report "Electronic Execution of Documents" confirmed that ESIGN-equivalent simple electronic signatures satisfy UK law requirements in most commercial contexts under the Electronic Communications Act 2000, provided the parties intended to be bound.

UK Electronic Communications Act 2000 and Post-Brexit Status

The Electronic Communications Act 2000 (ECA 2000) is the primary UK legislation governing electronic signatures. Section 7 provides that electronic signatures are admissible in evidence in relation to any question as to the authenticity or integrity of a communication or data, and section 7(2) defines an electronic signature as anything in electronic form that is incorporated or logically associated with the electronic communication and purports to be used to authenticate the communication. This definition is functionally equivalent to eIDAS SES and ESIGN Act definitions: broad, technology-neutral, and focused on intent to authenticate rather than technical method.

Following the UK's departure from the EU, the eIDAS Regulation was retained in UK domestic law as "UK eIDAS" by the European Union (Withdrawal) Act 2018, but mutual recognition of EU qualified signatures and EU Trusted List TSPs no longer operates automatically. A qualified electronic signature issued by an EU TSP on the EU Trusted List is not automatically recognised as a QES for UK legal purposes post-Brexit; the UK's own Conformity Assessment Bodies and TSP framework (operated under the DCMS and the National Cyber Security Centre, NCSC) apply independently. The Law Commission's 2019 report and subsequent consultations have confirmed that the UK does not intend to legislate a tiered QES regime equivalent to eIDAS; the broad ECA 2000 approach continues to apply.

For forensic examiners handling documents that have crossed between EU and UK jurisdictions, the key practical implication is that a QES under EU eIDAS may need to be presented to a UK court via expert evidence establishing its technical validity, rather than relying on automatic statutory equivalence. Similarly, a UK electronic signature does not automatically carry QES status in an EU member state court. In practice, most high-value cross-border contracts use platforms certified under both the EU Trusted List and the UK CAB framework, or fall back to wet-ink signatures for documents where QES equivalence is legally material.

Examiner Workflow: Verifying a Contested Signed Document

The examiner workflow for a contested electronically signed document proceeds through four layers that must be addressed in sequence, because failures at a lower layer affect the interpretation of findings at higher layers.

The first layer is document integrity: has the document been altered since it was signed? For cryptographically signed documents (PDF with PKCS#7 signature, XML with XMLDSig, CMS-signed email), the hash verification at this layer is deterministic: re-compute the hash over the ByteRange or the canonicalised XML, compare with the decrypted signature value. For non-cryptographically signed documents (ESIGN audit trail-based signatures), this layer requires obtaining the platform's tamper-evident audit log and the hash of the document as recorded at signing time.

The second layer is certificate chain verification: is the signer's certificate validly issued by a CA that the applicable jurisdiction trusts? This requires traversing the full certificate chain (end-entity, intermediates, root) and verifying that each certificate was signed by its issuer, that no certificate was expired at the time of signing, and that the root CA is on the appropriate trust list (Windows root store, Mozilla NSS, Apple Trust Store, the EU Trusted List, India's NTR operated by the CCA, or a jurisdiction-specific equivalent).

The third layer is revocation status at signing time: was the certificate revoked before the document was signed? For OCSP, this requires either a stapled OCSP response embedded in the signature (verifiable without network access) or access to archived OCSP responses from the CA or a trusted OCSP archiver. For CRL-based systems, the relevant CRL as of the signing date must be retrieved. In long-term archival contexts (documents signed years before the examination), the examiner must rely on LTV (Long-Term Validation) data embedded at signing time under the PAdES-LTV profile (ETSI EN 319 102-1) or equivalent.

The fourth layer is timestamp authenticity: does the embedded timestamp from the TSA accurately record the signing time? The TSA timestamp is itself a cryptographic structure: the TSA signs a hash of the signature value and a time value using its own certificate, which must also be verified against a trusted root. The TSA timestamp is the primary evidence for the signing time and takes precedence over the document's EXIF creation date, the PDF information dictionary's ModDate field, and any other metadata that is not cryptographically protected.

  1. Establish jurisdiction and claimed tier
    Identify from context (contract terms, issuing institution, document type) which signature framework governs the document and what tier the signature claims (SES, AdES, QES under eIDAS; digital signature under IT Act 2000; ESIGN audit-trail signature in the US; ECA 2000 signature in the UK). This determines what the examiner must verify to assess whether the claimed tier is achieved.
  2. Extract the signature structure
    For PDF: use a PDF forensic tool to locate the signature dictionary, extract the ByteRange, the PKCS#7 container, and any embedded LTV data or OCSP staples. For XML: locate the xmldsig:Signature element and the Reference elements with their digest values. For email: extract the S/MIME signature from the MIME envelope.
  3. Verify document integrity hash
    Recompute the hash over the signed byte range or canonicalised content using the algorithm specified in the signature (SHA-256, SHA-384, etc.). Compare with the decrypted hash value from the signature. A mismatch proves post-signing modification. A match proves the signed content has not been altered.
  4. Verify the certificate chain
    Extract all certificates from the signature container. Build the chain from end-entity to root. Verify each certificate's signature using its issuer's public key. Check that no certificate was expired at the time of signing. Confirm the root CA against the appropriate trust list for the claimed jurisdiction and signature tier.
  5. Verify revocation status at signing time
    If LTV data or an OCSP staple is embedded, verify the OCSP response's signature and confirm the certificate's status was 'good' at the time of signing. If not embedded, retrieve the archived OCSP response or the relevant CRL from the CA's archive or a trusted OCSP archiver service.
  6. Verify the TSA timestamp
    Verify the TSA's own certificate chain and confirm the timestamp token's cryptographic integrity. Record the timestamp value as the authoritative signing time. Compare against the document's other date indicators (PDF ModDate, EXIF, audit log) and note any discrepancies.
  7. Document and report
    For each layer, record the result (pass, fail, or unable to determine with reason). If any layer fails, specify the failure mode and its forensic significance for the contested claim. Do not conflate a certificate expiry (a layer-2 finding) with a document tampering event (a layer-1 finding).
Four-layer verification sequence for a contested electronically signed document: each layer must pass before the next is inte
Four-layer verification sequence for a contested electronically signed document: each layer must pass before the next is interpreted. Layer 1 failure (hash mismatch) proves post-signing modification.
Layer 1: Document Integrity. Recomputehash over ByteRange or canonicalised XML.Match = content unaltered since signing.FAIL: Hash mismatch proves post-signingmodification. Stop and report. Do notproceed to Layer 2 without qualifying thefinding.mismatchpassLayer 2: Certificate Chain. Traverseend-entity through intermediates to rootCA. Confirm each cert valid at signingtime; root on trust list.FAIL: Broken chain or untrusted root meanssigner identity is unverified. Recordissuer and jurisdiction gap.chain breakpassLayer 3: Revocation Status at SigningTime. Check OCSP staple or archived CRL asof signing date. LTV data required forhistorical documents.FAIL: Certificate revoked before signingevent. Signature was created with aninvalid credential. Note revocation datevs. claimed signing date.revokedpassLayer 4: TSA Timestamp Authenticity.Verify TSA certificate chain and tokenintegrity. TSA time = authoritativesigning time, overrides PDF ModDate.FAIL: Invalid or absent timestamp. Signingtime unestablished; rely on audit trail orcontextual corroboration. Note discrepancywith PDF ModDate.invalid or absentAll layers pass: signature iscryptographically valid for the claimedtier and jurisdiction.Verification layer (action + criterion)Failure mode + forensic significanceAll-pass outcome
Four-layer verification sequence for a contested electronically signed document: each layer must pass before the next is interpreted. Layer 1 failure (hash mismatch) proves post-signing modification. Layer 2 failure (broken certificate chain) means the signer identity is unverified. Layer 3 failure (certificate revoked before signing) voids the signature. Layer 4 failure (invalid TSA timestamp) leaves signing time unestablished.
Key terms
Public Key Infrastructure (PKI)
The system of hardware, software, policies, and standards that manage digital certificates and public-key encryption. Provides the trust architecture underpinning all cryptographic electronic signatures: key pairs, Certificate Authorities, X.509 certificates, and revocation mechanisms.
X.509 certificate
A digitally signed data structure that binds a public key to a named identity (subject) and is issued by a Certificate Authority. Contains the subject's name and public key, validity period, issuing CA's name and signature, and extension fields for usage constraints and revocation endpoints.
Qualified Electronic Signature (QES)
The highest tier of electronic signature under EU eIDAS Regulation 910/2014. Created by a Qualified Signature Creation Device (QSCD), backed by a qualified certificate from a Trusted List TSP, and carrying the legal equivalent of a handwritten signature in all EU member states.
QSCD (Qualified Signature Creation Device)
A hardware or remote HSM-based device that stores the signer's private key such that it cannot be extracted, ensuring sole control under eIDAS Article 26(c). USB hardware tokens and remote HSMs operated by Trust Service Providers are common implementations.
OCSP (Online Certificate Status Protocol)
A real-time certificate revocation protocol in which the verifier queries the CA's OCSP responder with the certificate's serial number and receives a signed response indicating whether the certificate is currently good, revoked, or unknown.
Long-Term Validation (LTV)
A PDF signature profile (PAdES-LTV, ETSI EN 319 102-1) in which the OCSP responses, CRL data, and TSA certificate chain information are embedded alongside the signature at signing time, enabling full offline verification of revocation status years after the signing event.
Aadhaar e-Sign
India's authentication-linked electronic signature service in which the user's Aadhaar biometric or OTP authentication triggers the generation of a short-validity signing certificate by a licensed Certifying Authority, which is used to sign the document and then immediately discarded. Authorised under the Electronic Signature Rules 2015.
EU Trusted List (EUTL)
The authoritative list maintained by the European Commission listing all Trust Service Providers per EU member state that are supervised to issue qualified certificates, qualified timestamps, or other qualified trust services. Used to establish whether a claimed QES certificate was issued by an authorised TSP.
ESIGN Act (Electronic Signatures in Global and National Commerce Act)
US federal legislation (2000) providing that no electronic signature may be denied legal effect solely because it is in electronic form. Technology-neutral: does not mandate any specific cryptographic method. State-level parallel is the Uniform Electronic Transactions Act (UETA).
TSA timestamp (Timestamp Authority)
A cryptographically protected record of the time at which a signature was created, issued by a Timestamp Authority (TSA) whose own certificate is on a trusted list. The TSA signs a hash of the signature value together with the current time, providing non-repudiable evidence of the signing time.
Practice
Question 1 of 5· 0 answered

Under EU eIDAS Regulation 910/2014, which of the following is the minimum technical requirement that distinguishes an Advanced Electronic Signature (AdES) from a Simple Electronic Signature (SES)?

Can the same document carry both an Aadhaar e-Sign and an eIDAS qualified signature?
Yes. A PDF supports multiple independent signature dictionaries, each covering its own ByteRange. An Indian party can sign first with Aadhaar e-Sign, then an EU party can add a QES as a second incremental update with a ByteRange covering the entire file including the first signature. Each signature must be verified independently against its own trust chain and jurisdiction framework. The examiner should confirm that the second signature's ByteRange covers the first signature's bytes, so that any tampering with the first signature would also break the second.
Why is a PDF signature with an embedded TSA timestamp more reliable than one without?
Without a TSA timestamp, the signing time can only be established from the PDF ModDate field or the verifier's local clock, both of which are manipulable. A TSA timestamp is a cryptographic structure issued by a Timestamp Authority trusted by the applicable framework (EU Trusted List, India CCA, RFC 3161-compliant TSA). The TSA signs a hash of the signature value together with its clock reading; any discrepancy between the claimed time and the TSA-recorded time would require compromising an audited HSM. In European PAdES-B-LT and PAdES-B-LTA profiles the TSA timestamp is mandatory. This timestamping discipline is particularly important for [Aadhaar e-Sign verification](/topics/questioned-document/e-signatures-aadhaar-esign-eidas-and-esign-ueta) where the signing certificate expires within 30 minutes of issuance.
What is the examiner's role when a US ESIGN-based signature carries no cryptographic hash on the document file itself?
Because the ESIGN Act is technology-neutral, a document signed via a commercial platform audit trail may have no cryptographic signature on the PDF at all. The examiner's analysis shifts to the platform's tamper-evident audit log: does it record the signatory's IP address, device fingerprint, timestamp, and a hash of the document at signing? Is the log's hash-chain internally consistent? The audit trail is introduced in federal court under FRE 803(6) through a qualified witness from the platform provider. The broader framework for how such evidence is weighed and communicated is covered under [conclusion scales: SWGDOC, ENFSI, and courtroom language](/topics/questioned-document/conclusion-scales-swgdoc-enfsi-and-courtroom-language).

Test yourself on Questioned Document with free, timed mocks.

Practice Questioned Document questions

Found this useful? Pass it along.

Share

Spotted an error in this page? Report a correction or read our editorial standards.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.