1

Can I map the specialized specifications of PDF's certificate-based signatures into the [XML DSIG Core] standard?

I'm imagining PDF as an "XML file analog", to be mapped into the W3C's ecosystem.

... Expressing in another words, is Adobe's PDF signature thingy in any way compatible with general-purpose file-signing tools specified at [XML DSIG Core]?

Notes:

As @SteffenUllrich suggested, a "real-world use case" will be fine... But this question is about simplifications and abstractions, so the better is to (only) imagine a use case.

Use case: a published article of a government gazette. The article is a digital document with legislation content. The publsisher house must to publish in two formats, PDF and EPUB (or other XML-based format), both with the same signers, and they using the same tools and same certificates.

The technical staff of the publisher house must to answer the present question, to ensure to auditors (as well as citizens, lawyers, etc.) that both signatures (XML and PDF) will use the same tools and will have the same level of reliabilty.

The "analogy map" is also to move from the "strange Adobe-centric universe" to the W3C's ecosystem view.

Of couurce, each format have different fingerprints (different checksums)... Imagine the PDF and EPUB as products of the same matrix (the content must be the same), they are like "twin sons" that will use same infrastructure whenever possible, reducing production costs and audit costs.

... In the real-world the "twin sons" like XHTML and PDF are producs from a XML matrix, by XSLT and Prince convertions, and, after convertion adding a commom workflow to use digital certification (signatures).

Peter Krauss
  • 129
  • 5
  • *"GPG can be used to check PDF's certificates, .."* - what you claim here is not what the link actually shows. It is not showing how gpg can be used to verify a PDF signature based on the PDF standard. Instead only a detached file signature is validated which has nothing to do with the PDF standard but can be used for any kind of data, i.e. no matter if PDF or not. – Steffen Ullrich Jun 04 '18 at 13:16
  • Hi @SteffenUllrich, I edited deleting the PS, that was only a PS, perhaps with wrong hypothesis... Now, also with a correct link to Adobe's specs, the text of the question is better? (please remove downvote if positive or comment to be detele the question if it is problematic) – Peter Krauss Jun 04 '18 at 13:35
  • The wrong reference is fortunately gone. But I'm not sure what you are actually asking. PDF signatures are quite clearly not XML and I don't know what kind of mapping you envision. It might make sense to add the actual real-world use case of what you are trying to achieve so that one can understand the problem you are trying to solve. – Steffen Ullrich Jun 04 '18 at 13:39
  • Thanks @SteffenUllrich, I edited with a kind of use case. We can enhance it, with more edits and comments, if necessary. – Peter Krauss Jun 04 '18 at 13:57
  • These questions appear to come from a strange Adobe-centric universe. Why must we describe things that are not PDF in terms of their relationship to PDF? –  Jun 04 '18 at 14:03
  • Hi @WumpusQ.Wumbley, the answer must to use W3C's view, not "strange Adobe-centric universe" view... See my last edit reinforcing it. – Peter Krauss Jun 04 '18 at 14:22

1 Answers1

1

The publsisher house must to publish in two formats, PDF and EPUB (or other XML-based format), both with the same signatures, and authors using the same tools and same certificates.

Given that the PDF and EPUB content is different (i.e. different bytes) it is impossible for both to have the same signature. But since they are probably generated from the same source document one could create a signature for this common source document. If the instructions on how to create the PDF and EPUB from this source are relevant one could also sign these instructions together with the source document.

If it is relevant that both the PDF and the EPUB have signatures which can be verified in the reader applications then one must generate signatures which match the different standards used in PDF and EPUB. It is probably possible that the same certificates can be used for this. But it might be that there is no single tool yet which can handle both PDF and EPUB and create signatures in the appropriate formats - in which case it should not be too hard to use two different tools with the same certificate.

But this question is about simplifications and abstractions, so the better is to (only) imagine a use case.

Abstracting this use case again the OP is essentially asking if it is possible to have the same signature for essentially the same content but provided in different formats, i.e. different bytes. In this case the answer is no, i.e. since the bytes are different the signature will be different too. It is also not possible to derive one signature from the other.

It is possible though to use the same X509 certificate to add a format-specific signature to the various formats which then can be verified in readers supporting such signatures (not all do). This is at least true if the signature is based on X509 certificates (it commonly is) and the common X509 certificate fits the requirements for signing in both formats (which have usually the same requirements).

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Sorry my English, I changed use case text to "the same signers", so same persons and similar process for both documents. – Peter Krauss Jun 04 '18 at 14:28
  • The answer for this updated question is already contained in my answer: the same certificate can be used and the signing process is probably very similar, i.e. it involves the document which should be signed and one needs to provide the certificate and the matching public key and maybe also the password for the key (or a PIN in case the key is on a smart card). – Steffen Ullrich Jun 04 '18 at 14:40
  • Thanks Steffen, I edited again adding "twin sons" ;-) ...But your answer is good, I'll read it later, carefully. Perhaps there are no link/reference or good answer with all mappings and details to W3C's view, expanding your answer about "signing process is probably very similar". – Peter Krauss Jun 04 '18 at 14:51
  • @PeterKrauss: very similar means it might differ from the user interface and maybe workflow since different tools might be needed. But how it works in general and what it requires the user to provide is the same. – Steffen Ullrich Jun 04 '18 at 15:50