PDF Advanced Electronic Signatures (PAdES)

Leonard Rosenthol
PDF Standards Architect
Adobe Systems

® Copyright 2009 Adobe Systems Incorporated. All rights reserved. Adobe confidential.

ETSI TS 102778

ETSI TS 102778 – PAdES (PDF Advanced Electronic Signatures)
- Part 1: PAdES Overview – A framework document for PAdES
  - General features of PDF Signatures
  - Introduction to profiles
- Part 2: PAdES Basic - CMS Profile based on ISO 32000-1
  - Technically as in Phase 1 deliverable (Originally TS 102778-1)
- Part 3: PAdES Enhanced
  - PAdES-BES and PAdES-EPES Profiles
- Part 4: PAdES Long Term
  - PAdES-LTV Profile
- Part 5: PAdES for XML Content
  - Profiles for XAdES signatures of XML content in PDF files

PAdES Profiles: Part 2 - Basic
- Compatible with ISO 32000-1
- PKCS #7 Signature
- Codifies Acrobat implementation details
- Recommendations
  - Signature Time-stamp
  - CRL and/or OCSP Response
- Under consideration as normative for PDF/A-2

PAdES Profiles: Part 3 - Enhanced
- CAdES Signature
  - Protects against certificate substitution
  - New signature handler: ETSI.CAdES.detached
- Signature time-stamp (-T) (Recommended)
- Optional Signature Profile (-EPES)
  - Explicit Policy ESignatures
- To be submitted as proposal for 32000-2

PAdES Profiles: Part 4 - Long Term (for documents stored beyond certificate lifetime)
- PKCS#7 or CAdES Signature as per Part 2 or Part 3
- Appended to PDF
  - Validation Data
    - CA Certificates
    - OCSP Responses
  - Document Time-stamp
    - Protects data integrity beyond expiration of user signing certificate
- Equivalent to CAdES-A
- To be submitted as proposal for 32000-2
[Diagram labels: Validation Data, Time-stamp]

PAdES Profiles: Part 4 – VERY Long Term (for documents stored beyond time-stamp lifetime)
- If document is to be stored beyond time-stamp lifetime
  - Can be repeatedly applied
  - New TSA certificate & keys
  - Improved algorithms & key length
- Anytime a validation is done, any updates can be added.
- Equivalent to CAdES-X-Long
- To be submitted as proposal for 32000-2
[Diagram labels: Validation Data (Sig), Time-stamp TS1 (2009), Validation Data (TS1), Time-stamp TS2 (2015)]

Part 4 – Technical Details
- Validation Data – LTV
  - Based on Acrobat 9.1's implementation of "DSS" (Document Security Store)
  - New dictionary off the Catalog
  - Contains all objects used at time of validation
    - Certs
    - CRLs
    - OCSPs
- Document TimeStamp
  - Variant of existing Signature dictionary
    - /Type/DocTimeStamp
    - /SubFilter/ETSI.RFC3161
  - Contents are the return from the timestamp server

PAdES Profiles: Part 5 - XFA Signatures
- XFA (part of ISO 32000-1) already supports signatures based on the W3C XML DigSig standard.
- TS 102778-5 extends this to support the full capabilities of XAdES signatures in BES, EPES and T forms.
- Signed XML Content
  - XML data signed with XAdES Signature
  - Mapped to PDF Forms using XFA
- To be submitted as proposal for 32000-2

    <xfa:datasets>
      <itema>coffee</itema>
      <itemb>….</itemb>
      …….
      <ds:Signature>
        …….
      </ds:Signature>
      …..
    </xfa:datasets>

PAdES Profiles: Part 5 - XFA Long Term
- TS 102778-5 also adds support for the long term forms of XAdES (A & XL) through the use of the same validation data & time-stamp features in profile 4.
  - XML data signed with XAdES Signature
  - Mapped to PDF Forms using XFA
  - Long term validity of both XML & PDF Signature can be preserved using LTV extensions to file
- To be submitted as proposal for 32000-2
[Diagram labels: Validation Data, Signed XML Content, Time-stamp (2009)]

    <xfa:datasets>
      <itema>coffee</itema>
      <itemb>….</itemb>
      …….
      <ds:Signature>
        …….
      </ds:Signature>
      …..
    </xfa:datasets>
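
The Part 4 technical details above (DSS dictionary off the Catalog, document time-stamp with SubFilter ETSI.RFC3161) can be checked structurally in a file. The following is an added example, not code from the slides or from Adobe; the function name, the report keys and the sample bytes are assumptions made for illustration.

```python
import re

# SubFilter names and the PAdES part each one indicates. The two ETSI.* values
# are named on the slides; adbe.pkcs7.detached is an ISO 32000-1 PKCS #7 value.
PROFILE_BY_SUBFILTER = {
    b"adbe.pkcs7.detached": "Part 2 Basic (PKCS #7)",
    b"ETSI.CAdES.detached": "Part 3 Enhanced (CAdES)",
    b"ETSI.RFC3161": "Part 4 document time-stamp",
}
# PDF names are case-sensitive; ISO 32000-1 spells the key /SubFilter.
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([^\s/<>\[\]()]+)")
# /DSS in the Catalog, as an indirect reference or an inline dictionary.
DSS_RE = re.compile(rb"/DSS\s*(?:\d+\s+\d+\s+R|<<)")


def pades_report(pdf: bytes) -> dict:
    """Structural triage only: no signature or time-stamp is verified here.

    Assumes uncompressed objects (a Catalog inside an object stream is not
    seen) and that byte order follows the order of incremental updates.
    """
    found = [m.group(1) for m in SUBFILTER_RE.finditer(pdf)]
    has_dss = DSS_RE.search(pdf) is not None
    return {
        "signatures": [PROFILE_BY_SUBFILTER.get(s, "unrecognised") for s in found],
        "has_dss": has_dss,
        # Part 4 layout: validation data plus a final document time-stamp over it.
        "ltv_layout": has_dss and bool(found) and found[-1] == b"ETSI.RFC3161",
    }


# Constructed fragment for illustration; not a complete or valid PDF.
SAMPLE = (
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /DSS 9 0 R >> endobj\n"
    b"7 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached"
    b" /ByteRange [0 100 200 300] /Contents <00> >> endobj\n"
    b"9 0 obj << /Certs [10 0 R] /OCSPs [11 0 R] /CRLs [] >> endobj\n"
    b"12 0 obj << /Type /DocTimeStamp /SubFilter /ETSI.RFC3161"
    b" /ByteRange [0 400 500 600] /Contents <00> >> endobj\n"
)

if __name__ == "__main__":
    print(pades_report(SAMPLE))
```

A report with has_dss set but ltv_layout unset means validation data was appended without a closing document time-stamp, so nothing protects that data once the signing certificate expires.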