Digital signatures in PDF/A

Digital signatures are still not very widely used and the the knowledge about them is often fuzzy. This article tries to give an overview about this huge and complex topic.

The term digital signature refers to implementations of the more generic concept of an electronic signature on digital computers. The electronic signature is more used in conjunction with the legal aspect of such signatures. The functions of an electronic signature is to
  1. Replace the handwritten signature
  2. Ensure the integrity of a document (electronic seal)
  3. Convey the authenticity of the signer (electronic identity)
In the most countries electronic signatures are subject to the national legislature, e.g. in ZERTES Switzerland.

A digital signature is a cryptographic method to implement the above functions. In most cases the the signer owns a digital certificate and a private key. The private key is stored on a secure token or on a hardware security module (HSM). It is used to create the digital signature. The signer's certificate contains the corresponding public key and can be used to verify the signature.

PDF defines three types of signatures:
  1. Document signature: Any user of the document can apply such a signature and a document can be signed multiple times. Each user can add annotations to the document before it is signed. Each signature creates a specific revision of the document at the moment it is applied. This revision can later be reliably restored.
  2. Modification Detection and Prevention (MDP) signature: The author of the document can add a signature connected with specific action rights such as filling out forms which do not invalidate the integrity of a document. Only one such signature can be added to a document.
  3. Usage Rights (UR) signature: Any software can add these types of signature to enable specific reader functions such as the known Acrobat Reader Extensions.
The signatures themselves are a mixture of PDF objects and strings in a cryptographic message syntax. In order to provide maximum interoperability the embedding of a digital signature must follow specific rules which are listed here:
  •  PDF/A-1 is based on PDF 1.4 and does not specifically define any rules. The PDF/A Competence Center created therefore a document called Tech. Note. #6. I happen to be the editor of this document. You can get it from the PDF Association website.
  • PDF/A-2 and PDF/A-3 is based on PDF 1.7 which refers to the PAdES standard.
As it is always the case with blog posts this article is far from being in depth or even complete. The main goal is to invite you to post questions and start discussions. So, please post a comment and share your thoughts with others.