Contact
Secardeo GmbH
Hohenadlstraße 4
D-85737 Ismaning

Tel: 089/ 18 93 58 9-0
E-Mail info@secardeo.com

FAQ - PDF-Signatures

General Information
   » What is a PDF-Signature?
   » Which other signature formats exist?
Applications
   » What are the main features of a PDF signature?
   » Which versions and standards of PDF exist?
   » How can I sign forms with Adobe® Reader®?
   » How do the PDF revisions correlate with the signatures?
   » Which keys and certificates can be used?
   » What is required to verify a PDF-Signature?
   » Which options does Adobe® Reader® offer?
   » What are self-signed signatures?
   » What are certification signatures?
Signature Law
   » Are digital signatures recognised legally?
   » Which types of signatures are possible with PDF?
   » How can PDF-documents be created, signed and verified?
   » Are there known weaknesses of PDF signatures?
Signature Format
   » Which standards are supported by PDF signatures?
Miscellaneous
   » Where can I find more information?


General Information

F: What is a PDF-Signature?

A: The Portable Document Format (PDF) allows a document to be digitally signed by embedding a cryptographic signature value in the file. When the document is viewed, such a signature is usually represented by a signature field showing the name and further attributes of the signer. It may also contain a graphic, such as a scanned handwritten signature. Invisible signatures can also be created for a PDF document. With a digital signature, later modifications to a document can be proven conclusively. Under certain conditions, a digital signature is legally equivalent to a handwritten signature.

F: Which other signature formats exist?

A: The most common signature format is PKCS#7. It is used in PDF, in S/MIME and in so-called detached signatures. Another popular format is PGP, which may be used for files and e-mails. XML-DSig offers an XML-based format for digital signatures; it is used in Microsoft Office 2007 and OpenOffice 3. These are the most popular formats. There are a large number of other formats, many of them proprietary and unpublished.

Applications

F: What are the main features of a PDF signature?

A: PDF is a widespread document format with an open specification (currently PDF Reference 1.6). Since the layout of a document is fixed exactly, it is guaranteed that the signer sees the document exactly as the receiver sees it ("What you sign is what you see"). The signing process is also understandable to users without technical expertise, because the digital signature is shown as a graphic element within the original file.

F: Which versions and standards of PDF exist?

A: Besides the ordinary PDF format (ISO 32000-1) there are further versions defined in PDF/X (ISO 15929 and 15930), PDF/E (ISO 24517-1) and PDF/A (ISO 19005-1). Because of its purpose as an archive format, combined with its support for PDF signatures, PDF/A is an interesting alternative to other archiving formats.

F: How is it possible to sign forms with Adobe® Reader®?

A: An important application of PDF signatures is forms. The author of a form designs form fields that later have to be filled in by a user. Filling in and signing a form originally requires a licensed Acrobat version. Only after Reader Extension rights have been applied to the PDF with Acrobat Professional or Adobe® LiveCycle Reader Extensions can the free Adobe® Reader® also be used.

F: How do the PDF revisions correlate with the signatures?

A: A major characteristic of the PDF format is the concept of document revisions. If a signed document is changed later, the signature does not become invalid, as it does in other formats. Instead, a new revision is created, and the signature remains valid with the notice "document was changed". This behaviour can easily confuse users, because it is not obvious what has been changed. Older versions of Acrobat even display the signatures in changed documents as valid, without the notice.
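The two points above (the signature value is embedded in the file, and a later change creates a new revision rather than breaking the signature) follow from how a PDF signature declares what it covers: a /ByteRange with two ranges that together span the signed revision except for the /Contents string holding the signature value. The script below models this. It is an added example and not code from Secardeo, Adobe or the PDF specification; the PDF it builds is a hand-constructed skeleton (no xref tables, a placeholder hex string instead of a DER-encoded PKCS#7 object), the choice of SHA-256 for the range digest is an assumption, and the appended "revision" models an incremental update only as far as needed to show that the signed bytes are never rewritten.

```python
"""Model of what a PDF signature covers and why a later change does not
invalidate it but creates a new revision.

Added example, not code from Secardeo, Adobe or the PDF specification. The
PDF below is a hand-constructed skeleton (no xref tables, placeholder
signature value instead of a DER-encoded PKCS#7 object); only the /ByteRange
mechanics are real.
"""
import hashlib
import re

# Constructed placeholder for the PKCS#7 signature value. In a real file the
# DER blob sits here, zero-padded to the space reserved before signing.
PLACEHOLDER_SIG = b"<" + b"DEADBEEF" * 8 + b">"

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
BR_FIELD_WIDTH = 32  # reserved width so filling in the numbers moves no offsets


def build_signed_pdf():
    """Return a skeletal PDF whose /ByteRange covers every byte except /Contents."""
    head = (b"%PDF-1.6\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Type /Sig /Filter /Adobe.PPKLite"
            b" /SubFilter /adbe.pkcs7.detached /ByteRange [")
    pre = b"] /Contents "
    post = b" >> endobj\n"
    tail = b"trailer << /Root 1 0 R >>\n%%EOF\n"
    contents_start = len(head) + BR_FIELD_WIDTH + len(pre)   # offset of '<'
    contents_end = contents_start + len(PLACEHOLDER_SIG)
    total = contents_end + len(post) + len(tail)
    # [offset1 length1 offset2 length2]: two ranges that together cover the
    # whole signed revision minus the /Contents string.
    byte_range = [0, contents_start, contents_end, total - contents_end]
    br_text = b" ".join(str(n).encode() for n in byte_range).ljust(BR_FIELD_WIDTH)
    return head + br_text + pre + PLACEHOLDER_SIG + post + tail


def parse_byte_range(pdf):
    """Read the four /ByteRange numbers of the first signature dictionary."""
    m = BYTE_RANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    return [int(x) for x in m.groups()]


def byte_range_is_sane(pdf, byte_range):
    """Checks a verifier must make before trusting a ByteRange: the first range
    starts at offset 0, the gap between the two ranges is exactly the hex-string
    /Contents, and the second range does not run past the end of the file."""
    a, b, c, d = byte_range
    gap = pdf[a + b:c]
    return a == 0 and gap.startswith(b"<") and gap.endswith(b">") and c + d <= len(pdf)


def signed_digest(pdf, byte_range):
    """Hash exactly the bytes the signature protects (SHA-256 here; the real
    algorithm is named inside the PKCS#7 object)."""
    a, b, c, d = byte_range
    h = hashlib.sha256()
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.hexdigest()


def unsigned_tail_length(pdf, byte_range):
    """Bytes after the end of the signed revision. 0 means the signature covers
    the whole file; anything else is a later revision that a viewer must report
    as 'document was changed', even though the signature itself still verifies."""
    a, b, c, d = byte_range
    return len(pdf) - (c + d)


def append_revision(pdf, note):
    """Model an incremental update: PDF never rewrites the signed bytes, it
    appends new objects and a new trailer (a real one carries /Prev pointing
    at the previous xref table, omitted in this skeleton)."""
    update = (b"4 0 obj << /Type /Annot /Subtype /FreeText /Contents ("
              + note + b") >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return pdf + update


def flip_byte(pdf, offset):
    """Model an in-place edit inside the signed range."""
    return pdf[:offset] + bytes([pdf[offset] ^ 0x01]) + pdf[offset + 1:]


def demo():
    original = build_signed_pdf()
    br = parse_byte_range(original)
    digest = signed_digest(original, br)
    revised = append_revision(original, b"filled in after signing")
    edited = flip_byte(original, 12)   # inside the first signed range
    return {
        "byte_range": br,
        "range_sane": byte_range_is_sane(original, br),
        "original_unsigned_bytes": unsigned_tail_length(original, br),
        "revision_keeps_signature": signed_digest(revised, br) == digest,
        "revision_unsigned_bytes": unsigned_tail_length(revised, br),
        "in_place_edit_breaks_signature": signed_digest(edited, br) != digest,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the behaviour the answer describes: the appended revision leaves the digest over the signed ranges unchanged, so the signature still verifies, while the file now has unsigned bytes after the signed revision, which is exactly what a viewer has to report as "document was changed". An in-place edit inside the ranges, by contrast, changes the digest and breaks the signature outright. A verifier that only checks the digest and never looks at `unsigned_tail_length` is the kind of implementation that shows a changed document as simply valid.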

F: Which keys and certificates can be used?

A: PDF signatures are based on PKCS#7 and make use of X.509 certificates. The private keys may be imported from a PKCS#12 file, or a smartcard may be accessed using PKCS#11. On Windows, the Windows certificate store may also be used; there, a CSP (Crypto Service Provider) provides access to a smartcard or crypto device.

F: What is required to verify a PDF-Signature?

A: To verify a signature, the receiver needs Adobe Reader 6 or higher and a trusted certificate of the Certification Authority (CA) that issued the signature certificate.

F: Which options does Adobe® Reader® offer?

A: The free Adobe® Reader® is able to verify all standard-conforming PDF signatures. For revocation checking, OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) are supported; CRLs can be retrieved via HTTP or LDAP. Certificate validation is done according to PKIX. In addition to the cryptographic verification of the signature, the user can view additional signature details and track changes made to the document. This feature differs considerably between Acrobat versions. For example, some Acrobat versions show the signature status as part of the graphical representation. The verification behaviour also changes when certification signatures are used.

F: What are self-signed signatures?

A: Apart from PKI-based certificates, PDF also supports so-called self-signed certificates. These certificates are not issued by a CA and have to be transmitted to the receiver in a secure manner. The receiver has to trust each self-signed certificate explicitly.

F: What are certification signatures?

A: Adobe® uses the term "certifying" to indicate that the author of a document confirms with his signature that he has created it. He can assign certain rights; for example, he can permit or forbid changes to the document. If somebody makes a forbidden change to the document, the certification signature becomes invalid.

Signature Law

F: Are digital signatures recognised legally?

A: The signature law distinguishes basic, advanced and qualified signatures. With some exceptions, the qualified signature is equal to a handwritten signature. Due to the high security requirements and the associated high costs, qualified signatures have so far been used rarely. In processes where formal requirements do not demand them, advanced signatures are sufficient.

F: Which types of signatures are possible with PDF?

A: Adobe® Acrobat® creates advanced signatures. It is possible to use qualified signatures with PDF. These signatures are created by special signature applications which adhere to the German signature law and document this by publishing a manufacturer's declaration.

F: How can PDF-documents be created, signed and verified?

A: The most widely used software for PDF documents is Adobe® Acrobat®. The conversion of various document types into PDF can be done with Acrobat® Distiller and other products, as well as with open-source software like Ghostscript. In addition, the direct conversion integrated into MS Office 2007 and OpenOffice can be used without any additional software. PDF documents can be signed and verified with Adobe® Acrobat®. Other PDF viewers sometimes show signature fields as simple graphics without verifying the signature itself. In addition to the Adobe® products there are a variety of signature-centered applications from many different manufacturers. The pdfGate products from Secardeo allow the automatic creation and verification of PDF signatures and make it possible to realize PDF-based signature workflows.

F: Are there known weaknesses of PDF signatures?

A: Some Acrobat versions have shown weaknesses or errors in the implementation of the signature functionality. For example, the German version of Acrobat 7 has a translation error in the signatures dialog which incorrectly describes a valid signature as invalid by stating that the document has been altered.

Signature Format

F: Which standards are supported by PDF signatures?

A: PDF signatures are specified in the PDF standard (ISO 32000-1). The signatures are in the PKCS#7 format (RFC 3852). Alternatively, a "raw signature format" can be used by creating a PKCS#1 object. The certificates used follow ITU-T X.509v3. In addition, the PDF standard allows time stamps (RFC 3161) and revocation information (CRLs according to RFC 3280 and OCSP according to RFC 2560) to be embedded into the PDF, as well as the use of different hash algorithms and RSA key lengths.

Miscellaneous

F: Where can I find more information?

A: The PDF standard and Adobe® specific extensions:
http://www.adobe.com/devnet/pdf/pdf_reference.html

PDF/A Competence Center:
http://www.pdfa.org