is it possible to use ECDSA signature with SHA256 in PDF 1.4?

First of all, PDF versions before 1.7 are not properly standardized, the very first standardized generic PDF version is 1.7 as ISO 32000-1:2008.

Ok, there are the Adobe PDF References for the PDF variations approximately 1.7; but Adobe individual described on the iText subscriber list that PDF Referrals aren’t “normative” in nature – they don’t (typically) make final, conclusive declarations – simply sort of basic ones. Hence, you might not individually determine whether a given statement holds true for a given PDF version, Adobe might later decree that the opposite was the case.

The PDF Reference 1.4 serves as a basis for the specification of PDF/A -1 as ISO 19005-1:2005 which to a particular degree elevates this PDF Recommendation to a semi-normative level. Hence, let us work under the assumption that PDF 1.4 is certainly “specified” by the PDF Referral 1.4.

I am actually presently coping with an online application (type of SaaS) which enables users to send out kinds to their very own buyers.

Of all, a bit of history – the genuine concerns are at the bottom.

Consumer’s customer opens up web-form (the party being asked to authorize is the only person in deep room to recognize the direct web link).
Ticks a handful of boxes and also enters text message.
Clicks “Indication” which opens an HTML5 signature pad (mobile phone) or a simple input (Personal Computer) to kind their title.

The form of factor that is actually being actually “authorized” performs not require a totally certified electronic trademark and an electronic signature will certainly suffice.

You may obviously establish your very own security device, generate a PDF viewer or even a lowest of plugins for the generally made use of PDF viewers to assist your body, and roll these programs out to your consumers.

Precisely what I performed is actually successfully authorize the PDF inning agreement with the specifications (utilizing tcpdf): that involved to begin with making the PDF and at that point including the signature to the/ Sig dictionary, at that point producing an absorb around all byte-ranges, the document is actually authorized along with the lovely perk of the signature finishing up being void if also a single byte is altered.

If you desire existing Adobe Audience as-is to verify the signature, you have actually come to go the X509 PKI procedure.

A PDF is generated for download and also kept the web server (in addition to timestamp, IP, and a married couple of other littles information).

These kinds are simple, tiny arrangements for little bit of tasks where their clients state “Yeah sure, I’ll do this and listed below’s my verification”.

When using your own certificate for signing, always remember to properly fill the reason field so it indicates that your signature is applied as a counter signature to ensure validatability in c# http://www.iditect.com/tutorial/sign-pdf/

With that in location I don’t see your signature doing any damage.

The question is how much excellent it does.

Because he did, obviously the user still can claim that he signed something different …! He signed the web form, not the PDF. Thus, you might have to provide evidence that the PDF reflects exactly what the web form showed anyways, that the user signed something equivalent.

You need to make him sign personally in a manner that is commonly accepted to not allow tampering if you desire real non-repudiation by the user. To puts it simply, your user has to use proper digital signatures himself. Everything else is open to claims of forgery.

I see that suppliers such as RightSignature et al. also do not really (digitally) indication documents, however rather base it around an electronic signature along with an audit path. That said, they do some hashing/digesting of sorts which I don’t rather understand how it’s possible without following the PDF specifications. for signatures.

While the PDF is a near pixel-perfect representation of the online type (it’s an A4 file home builder), you’re ideal that they didn’t in fact sign the PDF. I believe, due to all this, I will go the traditional electronic signature route together with a sort of audit log of the user’s actions that caused acceptance. Possibly, that (potentially even the original HTML representation) might be embedded in the PDF as XML.

Leave a Reply

Your email address will not be published. Required fields are marked *