OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [dss-comment] DSS for PDF

Hello Pim,

We have developed a DSS profile for signing PDF documents in the native
format including optional parameters which allow you to create the
signature field itself and to specify the page #, coordinates and size
of the field as well as specifying its appearance settings including
graphical signature image, signer name, date/time format, etc.

We have also added protocol elements to handle the related tasks of:
- enumerating and verifying all existing signature fields in a PDF
document including retrieving all the above attributes (signature field
name, location, etc).
- clearing and/or removing a signature field
- inserting an empty signature field
- signing an existing empty signature field

All the above work is going to be contributed to the new DSS-X so it can
be standardized as part of the future "Visual Signatures" DSS profile or
another profile as the TC will see fit.

Specifically to the issues you raised:
- We propose that the document type will be indicated using the MimeType
attribute of the Base64Data element:

<InputDocuments>
  <Document>
    <Base64Data MimeType="application/pdf"> ... </Base64Data> 
  </Document>
</InputDocuments>

Our implementation can handle other file types (DOC/TIFF and ODF/OOXML
in the future) so the profile is not PDF specific.

- Selecting an existing signature field to sign is done using a new
Optional Input called SignatureFieldName (string type).

- The type of the returned file is again indicated using the MimeType
attribute:

<OptionalOutputs>
  <DocumentWithSignature>
    <Document>
      <Base64Data MimeType="application/pdf"> ... </Base64Data>
    </Document>
  </DocumentWithSignature>
</OptionalOutputs>

But notice that in the case of PDF, the PDF spec specifies a method of
adding content to PDF files by appending data only. In fact this is
mandatory in case the file is already signed in order not to break
existing signatures. This allows for improved performance by returning
only the new "tail" bytes that needs to be concatenated to the original
file by the client. To support this we propose to add a new Optional
Input called ReturnPDFTailOnly of type boolean which if set would change
the behavior such that instead of returning the above
DocumentWithSignature element, the server would return the "tail" in the
SignatureObject element inside a Base64Signature subelement.

Thanks,

- Uri

Uri Resnitzky
Chief Scientist
ARX
http://www.arx.com


> -----Original Message-----
> From: Pope, Nick [mailto:Nick.Pope@thales-esecurity.com] 
> Sent: Wednesday, 04 July, 2007 14:06
> To: 'Pim van der Eijk'; dss-comment@lists.oasis-open.org; 
> dss-dev@lists.oasis-open.org
> Subject: RE: [dss-comment] DSS for PDF
> 
> Pim,
> 
> I believe the existing DSS protocol can support PDF signing, 
> although there is no specific DSS profile for this use case.  
> As you are probably aware there is a new follow on TC 
> concerned with DSS (called DSS-X) which will be working on a 
> number of new DSS profiles.  I know that PDF signing is of 
> interest to a number of founding members of the DSS-X so this 
> could be a potential activity for this new group.  If you 
> have specific proposals in this area you would like to submit 
> to the new DSS-X TC they would probably be received with 
> great interest.
> 
> Nick
> 
> > -----Original Message-----
> > From: Pim van der Eijk [mailto:lists@sonnenglanz.net]
> > Sent: 04 July 2007 11:55
> > To: dss-comment@lists.oasis-open.org; dss-dev@lists.oasis-open.org
> > Subject: [dss-comment] DSS for PDF
> > 
> > 
> > Hello,
> > 
> > In a project we are looking at applying DSS to sealing (and in the 
> > future,
> > signing) of PDF documents.
> > DSS can sign arbitrary binary documents using an XML 
> digital signature.
> > However, we are looking at having the service return PDF documents 
> > with the electronic signature added inside a modified document, 
> > conform the PDF standard, rather than as a separate XML digital 
> > signature of the BLOB.
> > There does not seem to be a DSS profile to support this PDF 
> specific 
> > type of processing.
> > Is that correct?
> > 
> > Some products seem to support PDF signing.  Is there any 
> information 
> > on how they support this in DSS?
> > 
> > Here's how we are thinking of using it:
> > The PDF document to be signed could be passed in the request as:
> > 
> >     <dss:InputDocuments>
> >         <dss:Document ID="doc2">
> >             <dss:Base64Data> .. </dss:Base64Data>
> >         </dss:Document>
> >     </dss:InputDocuments>
> > 
> > The profile name could then indicate a request to do PDF 
> specific signing.
> > Or, we could extend the DSS schema using something like the 
> following:
> > 
> >     <dss:InputDocuments>
> >         <dss:Document ID="doc2">
> >             <dss:Base64PDF> .. </dss:Base64PDF>
> >         </dss:Document>
> >     </dss:InputDocuments>
> > 
> > What would be the best approach?
> > 
> > An embedded signature could be requested using something like:
> > 
> > <dss:OptionalInputs>
> >     <dss:SignaturePlacement>
> >         ...
> >     </dss:SignaturePlacement>
> > </dss:OptionalInputs>
> > 
> > The dss:SignaturePlacement element from DSS 1.0 now allows a 
> > dss:XpathAfter or a dss:XpathFirstChildOf element content.
> > It looks as if for PDF signing this should be extended with 
> elements 
> > to specify the requested type of PDF signature.
> > For instance, the signature field in which the document (ordinary) 
> > signature is to be placed could be encoded using something like:
> > 
> > <dss:OptionalInputs>
> >     <dss:SignaturePlacement>
> > 
> > 
> <dss:PDFSignatureFieldName>SecondReviewer</dss:PDFSignatureFieldName>
> >     </dss:SignaturePlacement>
> > </dss:OptionalInputs>
> > 
> > This hypothetical example would request a signature to be placed in 
> > the PDF signature field name for a "second reviewer".
> > 
> > The signed PDF could be returned using the following structure:
> > 
> >     <dss:OptionalOutputs>
> >         <dss:DocumentWithSignature>
> >             <dss:Document><dss:Base64Data> ...
> > </dss:Base64Data></dss:Document>
> >         </dss:DocumentWithSignature>
> >     </dss:OptionalOutputs>
> > 
> > Or again explicitly encode the fact that the dss:Document is a PDF
> > document:
> > 
> >     <dss:OptionalOutputs>
> >         <dss:DocumentWithSignature>
> >             <dss:Document><dss:Base64PDF> ...
> > </dss:Base64PDF></dss:Document>
> >         </dss:DocumentWithSignature>
> >     </dss:OptionalOutputs>
> > 
> > 
> > To encode that we would be using an extension for PDF, one approach 
> > would be to have a distinct profile ID, like 
> > "urn:ourproprietaryextensions:dss:1.0:profiles:pdfeseal".
> > But it looks as if the PDF versus other document types 
> distinction is 
> > orthogonal to profiles.
> > PDF documents can also be signed, sealed, signed using Xades, be 
> > signed subject to German signature law etc.
> > So some way to use another mechanism than profile name seem 
> appropriate.
> > Comments welcome.
> > 
> > Pim

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]