5

Context

My overall goal is to make a set of PDFs available, in such a way that users can be assured of the provenance of the documents (i.e., they came from the origin that they are expected to come from). I'm thinking about doing this by digitally signing the PDFs on the server. These signatures won't be in risk of expiring, because the server can just reissue new signed PDFs when the certificate is updated. Using SSL to serve the documents wouldn't be enough, because the files can be passed on to third parties, who don't want/need to access the server.

Problem

The expiration issue arises because some of these PDFs will already have one or more digital signatures (e.g., created for legal purposes). My question is, if the server signs the PDFs, will it also be ensuring the continued validity of the previous signatures, even after they expire, as long as the latest signature is valid?

I'm asking more on the theoretical side, although I plan to implement what I describe using iText, so any pointers on how to use it for my purpose are also welcome.

Filipe Correia
  • 5,415
  • 6
  • 32
  • 47

1 Answers1

3

No, in a PDF all signatures should be validated independently. If you open a PDF with multiple signatures In Adbobe Reader all signatures are validated and you are going to get a warning message if one of the signature validations fails.

If you want to prevent against signature validation issues (for instance a validation failure due to signing certificate expiration) you should look at the PAdES standard (PDF Advanced Electronic Signature) Part #4 (PAdES-LTV Profile - PAdES Long Term Validation). This section of the standard deals with maintaining a proof of the validation across time in order to be able to revalidate the signatures in the future.

I don't know iText very much but it seems that PAdES-LTV is supported since I found this code sample : How to apply verification according to PAdES-LTV

Jcs
  • 13,279
  • 5
  • 53
  • 70
  • I had to put this project on hold for some days, but I'm eager to try this out. Will report back shortly after. It does make me raise a couple of issues that I hope to understand better after some experimentation. – Filipe Correia Jan 02 '12 at 12:18
  • I've found [another sample](http://bouncy-castle.1462172.n4.nabble.com/How-sign-a-Pdf-with-Pades-standard-td3717892.html), which might also come in handy. – Filipe Correia Jan 10 '12 at 15:04
  • Thanks for clearing this up, it definitely seems to be the right direction to go. Unfortunately, only the latest version of iText supports PAdES, and it's license is AGPL, which i won't be able to use in this project. – Filipe Correia Jan 12 '12 at 15:17