First of all, PDF versions before 1.7 are not properly standardized, the very first standardized generic PDF version is 1.7 as ISO 32000-1:2008.
Ok, there are the Adobe PDF References for the PDF variations approximately 1.7; but Adobe individual described on the iText subscriber list that PDF Referrals aren’t “normative” in nature – they don’t (typically) make final, conclusive declarations – simply sort of basic ones. Hence, you might not individually determine whether a given statement holds true for a given PDF version, Adobe might later decree that the opposite was the case.
The PDF Reference 1.4 serves as a basis for the specification of PDF/A -1 as ISO 19005-1:2005 which to a particular degree elevates this PDF Recommendation to a semi-normative level. Hence, let us work under the assumption that PDF 1.4 is certainly “specified” by the PDF Referral 1.4.
Of all, a bit of background – the actual concerns are at the bottom.
I’m presently dealing with a web-based app (sort of SaaS) which enables users to send out kinds to their own consumers.
These kinds are easy, small agreements for little tasks where their customers state “Yeah sure, I’ll do this and here’s my confirmation”.
The sort of thing that is being “signed” does not need a totally certified digital signature and an electronic signature will be sufficient.
User’s client opens web-form (the celebration being asked to sign is the only person in deep space to understand the direct link).
Ticks a few boxes and enters text.
Clicks “Indication” which opens an HTML5 signature pad (mobile) or an easy input (PC) to type their name.
A PDF is produced for download and kept on the server (together with timestamp, IP, and a couple of other bits of details).
So exactly what I did is effectively sign the PDF inning accordance with the specs (using tcpdf): that entailed first creating the PDF and then adding the signature to the/ Sig dictionary, then producing a digest across all byte-ranges, the document is signed with the charming benefit of the signature ending up being invalid if even a single byte is changed.
You can obviously develop your own security system, create a PDF viewer or a minimum of plugins for the typically utilized PDF viewers to support your system, and roll these programs out to your users.
If you desire existing Adobe Reader as-is to verify the signature, you’ve got to go the X509 PKI method.
When using your own certificate for signing, always remember to properly fill the reason field so it indicates that your signature is applied as a counter signature to ensure validatability in c# http://www.iditect.com/tutorial/sign-pdf/
With that in location I don’t see your signature doing any damage.
The question is how much excellent it does.
Because he did, obviously the user still can claim that he signed something different …! He signed the web form, not the PDF. Thus, you might have to provide evidence that the PDF reflects exactly what the web form showed anyways, that the user signed something equivalent.
You need to make him sign personally in a manner that is commonly accepted to not allow tampering if you desire real non-repudiation by the user. To puts it simply, your user has to use proper digital signatures himself. Everything else is open to claims of forgery.
I see that suppliers such as RightSignature et al. also do not really (digitally) indication documents, however rather base it around an electronic signature along with an audit path. That said, they do some hashing/digesting of sorts which I don’t rather understand how it’s possible without following the PDF specifications. for signatures.
While the PDF is a near pixel-perfect representation of the online type (it’s an A4 file home builder), you’re ideal that they didn’t in fact sign the PDF. I believe, due to all this, I will go the traditional electronic signature route together with a sort of audit log of the user’s actions that caused acceptance. Possibly, that (potentially even the original HTML representation) might be embedded in the PDF as XML.