Building the Documenso Part 3: Read Part 1 and Part 2

AES, QES, and the Future of Signing Infrastructure

Digital signatures look like a solved problem.

Tools like DocuSign have existed for decades, and most organizations today are comfortable signing documents online.

But the infrastructure underneath digital signing is surprisingly rigid.

Most platforms bundle three layers into a single system:

• the document workflow
• the trust provider infrastructure
• the pricing model

If you want stronger signature types like AES or QES, you usually have to rely on the trust providers integrated by the platform itself.

This architecture works well for simple SaaS use cases, but it creates several problems in more advanced environments:

• strong vendor lock in
• transaction based pricing models
• limited infrastructure flexibility
• difficulty integrating local trust providers

We started working on AES and QES support in Documenso. That work made something clear to us.

The real opportunity is not just supporting these signature types.

It is separating the signing platform from the trust infrastructure.

This article explains where Documenso stands today, how AES and QES support fits into our roadmap, and why we believe the digital signature ecosystem is about to change.

A Quick Recap of eIDAS Signature Levels

For readers not deeply familiar with the European regulatory framework, it is worth briefly reviewing the different signature levels defined under eIDAS.

The regulation defines three main types of electronic signatures with increasing levels of assurance.

Level 1: Simple Electronic Signatures (SES)

Simple electronic signatures are the most basic form of digital signing.

This can be as simple as typing your name into a document or placing an image of a signature on a PDF.

Technically, SES does not even require a cryptographic signature on the document itself.

Level "1.5": Cryptographically Sealed SES

This is not an official eIDAS level, but it represents what most of the market implements today.

Platforms like DocuSign and Documenso seal the final document with a cryptographic signature after signatures are inserted.

This ensures that the document cannot be modified afterward.

The cryptographic signature typically contains the name of the signing service that sealed the document.

For example:

“This document was sealed by Documenso after the signatures were inserted.”

This approach provides strong tamper protection while keeping the signing process simple.

Level 2: Advanced Electronic Signatures (AES)

AES adds stronger identity guarantees.

The cryptographic signature includes verified information about the signer.

For example:

“This document was sealed after Timur Ercan <timur@documenso.com> signed it.”

The signing platform must ensure that the identity associated with the signature is correct.

Level 3: Qualified Electronic Signatures (QES)

QES is the highest assurance level defined by eIDAS.

The identity of the signer must be verified by a regulated Qualified Trust Service Provider (QTSP). The cryptographic signature itself must also be generated on certified hardware operated by that provider.

Legally, QES signatures are considered equivalent to handwritten signatures in the EU.

Documenso Today

Today Documenso supports what we internally call level 1.5.

Documents are cryptographically sealed after signatures are inserted, ensuring strong tamper protection while maintaining a simple signing experience.

This model represents the vast majority of digital signatures used globally today.

However, enterprise deployments increasingly require stronger identity guarantees and regulatory compliance.

As eIDAS continues to become an international reference regulation, even providers outside the EU are beginning to move up the trust hierarchy.

This is where AES and QES support becomes important.

Our Roadmap

Our roadmap for 2026 introduces three different approaches to supporting higher assurance signatures.

The reason for this is simple.

AES and QES are used in very different operational environments, and the infrastructure requirements vary significantly depending on the use case.

Local AES Signatures

The first approach is enabling AES signatures directly inside Documenso environments.

AES and QES are often discussed together because both involve stronger identity guarantees. However, the infrastructure requirements are very different.

With the introduction of LibPDF in Documenso, we now support arbitrary PDF signature formats. This gives us the technical foundation required to generate AES compliant signatures directly within the platform.

The missing piece is identity verification.

We are currently exploring several mechanisms to support this, including:

• SSO based identity verification
• second factor authentication
• enterprise identity providers tied to employee records

If implemented successfully, organizations will be able to generate AES signatures directly inside their own infrastructure.

This means AES signatures can be created locally without routing every signature through a third party signing provider.

In advanced enterprise environments, especially in self hosted setups, this can be a powerful capability.

Because the signing operation happens inside the organization’s own infrastructure, AES signatures no longer need to be priced per transaction through a third party trust provider.

Partner Powered AES and QES

For fully regulated signing environments we will integrate with external trust providers.

In this model the cryptographic signature itself is generated on certified hardware operated by a partner provider.

The resulting signature is then returned to Documenso and embedded in the document.

This allows us to support compliant AES and QES signatures in both cloud deployments and self hosted installations.

To keep this architecture flexible, our goal is to support the CSC 2.0 standard.

CSC is a standardized protocol that allows signing platforms to interact with multiple trust service providers.

Supporting this standard allows us to integrate multiple QTSPs over time instead of locking the platform into a single vendor.

Enabling Local QTSP Ecosystems

Another interesting development is that several certificate providers have reached out to us.

These organizations already operate compliant certificate infrastructures in their local markets but lack a modern document signing platform.

In these scenarios Documenso can act as the signing layer powered by their certificate infrastructure.

Instead of only issuing certificates, these providers can offer full signing platforms on top of Documenso.

In other words, Documenso becomes infrastructure for local QTSP ecosystems.

Rather than competing with trust providers, we enable them to build signing solutions on top of their existing certificate infrastructure.

The Long Term Vision: Let’s Sign

There is one final piece of the roadmap that goes beyond 2026.

Our mission has always been to build an open ecosystem where anyone can run their own signing infrastructure. That includes both end users and service providers.

Ultimately we want to take this one step further.

Our long term goal is to join the list of QTSPs ourselves and issue QES compliant certificates.

In other words, to build something similar to Let’s Encrypt but for document signing certificates.

We call this vision Let’s Sign.

Today becoming a QTSP requires significant regulatory overhead, time, and capital. Once companies enter that circle, the market structure tends to reinforce per signature pricing even though technically the signing operation is little more than a secure API request to dedicated hardware.

The other major barrier is identity verification.

However, the landscape is changing quickly.

Automated identity verification using facial recognition and AI based passport validation is already reducing the need for manual human verification in many cases.

European eID initiatives could streamline this even further.

If these trends continue, a new generation of QTSPs could operate with dramatically lower costs and potentially shift digital signing away from per signature pricing toward infrastructure style pricing.

In other words, the document signature world may finally get its “SMS → WhatsApp” moment.

What Comes Next

AES and QES support will roll out across the Documenso platform in 2026.

But more importantly, these capabilities move us closer to a broader goal.

An open signing ecosystem where organizations can run their own signing infrastructure, integrate local trust providers, and build signing platforms on top of Documenso.

Step by step, we are building the infrastructure to make that possible.

Stay tuned.

In the meantime, you can check out LibPDF, the open source PDF signing engine that powers Documenso.