First, Adobe Acrobat and Reader will IMMEDIATELY invalidate a ByteRange that is more than 2 pairs. So anything with multiple ranges won't validate.
Second, ETSI/ESI STF364 is going to be working on the "parallel signatures problem" during Phase 3 of their work. The current thoughts to address the problem revolve around the use of multiple signerInfos inside of a single PKCS#7 block, just as it is done in CAdES.

Leonard

On 5/22/09 6:38 PM, "Aldo Buratti" <[email protected]> wrote:

Many thanks for your quick replies. I was not able to find all those detailed references without your help ..

I understand that the free/wild use of ByteRange could create signatures hard to validate, or even hard to visualise (.. what the hell the user has signed? ..). However, these recommendations are just practical constraints imposed for an easy/robust validation procedure. My hope is that the validation procedure could be extended for handling these cases.

My experiment is a hacking work aimed to demonstrate a practical solution to the parallel-signatures problem. Of course this solution works only if the (Acrobat) validator acknowledges this uncommon use of ByteRange.

Try to imagine a certified document with 2 or more empty signature fields (like the one attached in my original email). Suppose each signature could be appended as a revision-block of exactly N bytes. Let's say there're 3 signers S1, S2, S3 working independently. Then, the 2nd signer could sign the original certified document by simply appending 1 dummy-block of N bytes (for the unknown S1's signature), and then its own signature. (This signature's byterange should of course exclude the dummy-block.) In a similar manner, the 3rd signer should sign the original document by appending 2 dummy-blocks (for S1 and S2) before its signature ...

At the end we could collect the 3 pdfs signed by S1, S2 and S3, cut the signature blocks and paste them together in a new definitive pdf (like the one I attached in my original email).

Resuming:

* All the signers have a copy of the same certified document and they work in parallel, independently. It's not important the time-order of the signatures; it is important only the spatial-order of the signatures, that is, signer Sn should append n-1 dummy-blocks before its signature.
* The signed copies are collected and merged in a single pdf containing the original certified document and all the signatures.

What do you think? Should we consider valid such document or can you highlight some vulnerabilities?

Thanks in advance for your precious help.

Aldo

------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp as they present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://www.creativitycat.com
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions

Buy the iText book: http://www.1t3xt.com/docs/book.php
Check the site with examples before you ask questions: http://www.1t3xt.info/examples/
You can also search the keywords list: http://1t3xt.info/tutorials/keywords/

--
Leonard Rosenthol
PDF Standards Architect
Adobe Systems Incorporated
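An added example, not part of the original thread and not iText or Adobe code: a small Python check that lists every /ByteRange array in a file and flags the two things the messages above turn on, namely an array that is not exactly 2 pairs and bytes left outside the signed ranges. The helper names, the sample bytes built by build_sample, and the rule that an excluded span should be a single hex string (the usual /Contents placeholder) are assumptions of this example.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[([\d\s]*)\]")

def check_byte_ranges(pdf: bytes) -> list:
    """Return one finding per /ByteRange array: its pairs and any problems."""
    findings = []
    for m in BYTE_RANGE.finditer(pdf):
        nums = [int(n) for n in m.group(1).split()]
        pairs = list(zip(nums[0::2], nums[1::2]))
        problems = []
        if len(nums) % 2 or len(pairs) != 2:
            # Condition from the thread: more than 2 pairs fails validation.
            problems.append("not exactly 2 offset/length pairs")
        end = 0
        for off, length in pairs:
            if off < end:
                problems.append("ranges overlap or are out of order")
            elif off > end:
                hole = pdf[end:off]  # bytes the signature does not cover
                if not (hole.startswith(b"<") and hole.endswith(b">")):
                    problems.append(f"unsigned bytes {end}-{off} are not a hex string")
            end = max(end, off + length)
        if end > len(pdf):
            problems.append("range runs past end of file")
        findings.append({"pairs": pairs, "problems": problems})
    return findings

def build_sample(dummy_block: bool) -> bytes:
    """Constructed input (not a real PDF): one signature dictionary whose
    ByteRange skips /Contents and, optionally, a dummy block as in the thread."""
    head = b"%PDF-1.7\n1 0 obj<</Type/Sig/ByteRange [" + b"@" * 40 + b"]/Contents "
    sig = b"<" + b"00" * 16 + b">"
    mid = b">>endobj\n"
    dummy = b"DUMMY-BLOCK-FOR-S1\n" if dummy_block else b""
    tail = b"%%EOF\n"
    a, b = len(head), len(head) + len(sig)
    if dummy_block:
        nums = [0, a, b, len(mid), b + len(mid) + len(dummy), len(tail)]
    else:
        nums = [0, a, b, len(mid) + len(tail)]
    text = " ".join(map(str, nums)).encode().ljust(40)  # keep offsets stable
    return head.replace(b"@" * 40, text) + sig + mid + dummy + tail

if __name__ == "__main__":
    for flag in (False, True):
        for f in check_byte_ranges(build_sample(flag)):
            print(f["pairs"], f["problems"] or "ok")
```

The regular expression only finds ByteRange arrays stored as plain text, so a dictionary inside a compressed object stream is not seen by this check.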
