[
https://issues.apache.org/jira/browse/PDFBOX-1847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13935714#comment-13935714
]
John Hewson edited comment on PDFBOX-1847 at 3/14/14 10:02 PM:
---------------------------------------------------------------
1. Ok, will use Java's SHA-256
2. Ok, will use the a 32-bit range instead.
3. :)
4. Ok, will remove the header
5. Yes, please do. The IOExceptions are fine, it's just the fact that
ClassCastException should not be thrown by bouncy castle (but it could be
possible).
6. I would advise against using your own sources of entropy, SecureRandom is
already able to provide cryptographically secure random numbers and the
document hash is almost certainly less random than the randomness produced by
SecureRandom, e.g. the hash is always the same when the document contents are
the same. In fact, if multiplying by the hash causes the value to overflow you
will actually loose entropy resulting in lower security.
was (Author: jahewson):
1. Ok, will use Java's SHA-256
2. Ok, will use the a 32-bit range instead.
3. :)
4. Ok, will remove the header
5. Yes, please do. The IOExceptions are fine, it's just the fact that
ClassCastException should not be thrown by bouncy castle (but it could be
possible).
6. I would advise against using your own sources of entropy, SecureRandom is
already able to provide cryptographically secure random numbers and the
document hash is almost certainly less random than the randomness produced by
SecureRandom, e.g. the hash is always the same when the document contents are
the same. In fact, if multiplying by the hash causes the value to overflow you
will actually loose entropy, decreasing security.
> TSA Time Signature
> ------------------
>
> Key: PDFBOX-1847
> URL: https://issues.apache.org/jira/browse/PDFBOX-1847
> Project: PDFBox
> Issue Type: Improvement
> Components: Signing
> Affects Versions: 2.0.0
> Reporter: vakhtang koroghlishvili
> Assignee: John Hewson
> Fix For: 2.0.0
>
> Attachments: CreateSignature-updated.java.patch,
> TSATimeSignature.patch, resultOfSigning.jpg
>
>
> When we was signing document, we was using time from our time. For more
> security we can use Time Stamp server.
> "Trusted timestamping is the process of securely keeping track of the
> creation and modification time of a document. Security here means that no one
> — not even the owner of the document — should be able to change it once it
> has been recorded provided that the timestamper's integrity is never
> compromised."(wiki)
--
This message was sent by Atlassian JIRA
(v6.2#6252)
