Subject: RE: Fw: [dss-x] Visual Signatures profile
Hello,

The PDF signing scenario I have seen most interest in is:

- Create a PDF document with predefined signature fields, each with their associated label ("Employer", "Employee" etc.), in an automated process or using the user interface of a PDF tool
- Use a DSS-PDF service to certify the PDF document (applying a Modification Detection and Prevention signature), to allow it to be signed and annotated, but not substantially changed
- Then, use a DSS-PDF to sign an indicated signature field.

This could be handled without major extensions to DSS:

- Applying the MDP signature could be the default operation, in the absence of other optional inputs ("Seal this document"), triggered by the MIME type of the document to be signed
- To sign a named signature field, the name of the field could be added as an optional input ("Put my signature in field <Name>")

I.e. the action of adding, deleting signature fields would not have to be part of the core PDF related functionality.

Issues/comments:

- A DSS client may not have any understanding of PDF. It should be able to issue a request like "Seal this document, unless it already has a valid seal"
- A client should be able to send a PDF document and receive a list of all signatures, signature fields and their status. The request would be something like "Tell me who, if anyone, signed this document and validate their signatures". The response would be something like: "Document is sealed by <DSSserver>, the <Employer> field is signed by <Signatory> and that signature is valid, the <Employee> field is not yet signed"
- PDF has limits on the number of signatures of certain types that can be in a particular document (at most one MDP signature, at most two usage rights signatures). It should not be possible to put a signature in a field that already has a signature in it, or to add a signature if the document already contains a maximum number of signatures of that type
- It would be great if the operation of signing a named field would not require the PDF document to be checked out from a document management system, so that various signature fields can be signed in a parallel workflow. Perhaps this is more a tool design issue than a protocol issue.
- A server could link the name of a signature field to a role or to an individual. When signing, the server could communicate with an access control product, e.g. using XACML ("A requester claiming to be <Person>, identity authenticated by <IdP> using a SAML assertion in the DSS request, wants to sign this document as an <Employer>. Please check if <Person> is a member of the <Employer> group").

Pim

-----Original Message-----
From: Andreas Kuehne [mailto:kuehne@trustable.de]
Sent: 01 April 2008 13:45
To: lrosenth@adobe.com
Cc: dss-x@lists.oasis-open.org
Subject: RE: Fw: [dss-x] Visual Signatures profile

> The first three items in your simple approach are fine - nothing
> "problematic" there.

Hey, good start ;-)

> The fourth, however, is the one that starts to introduce some
> complexity. In order to "lock down" a PDF after signing, you need to
> use what is called a "certifying signature" along with "MDP"
> (modification, detection and prevention) rules.
> Doing so, of course, will prevent any future signing - which would
> be problematic if the form really requires parallel or sequential
> sigs. However, MDP rights allow you to prevent all changes EXCEPT
> other signing - so perhaps that's the route to consider...

Hmm, I'm not quite sure what you are talking about. I just meant that this profile doesn't do anything more than filling out the signature field, nothing fancy. No update of visible fields with e.g. signing time nor inserting a gold shimmering 'seal' icon.
I don't intend to apply any rights management functions regarding future changes of the document. For me the signature is sufficient!

Greetings

Andreas

> -----Original Message-----
> From: Andreas Kuehne [mailto:kuehne@trustable.de]
> Sent: Tuesday, April 01, 2008 5:28 AM
> To: Leonard Rosenthol
> Cc: dss@lists.oasis-open.org
> Subject: Re: Fw: [dss-x] Visual Signatures profile
>
> Hi Leonard!
>
> Konrad said something very important yesterday:
>
> 'Think of requirements, not of existing solutions!'
>
> I hope I remember it correctly ... but it's true anyway. 2D barcodes
> are funny stuff to impress my kids and colleagues, but our real use
> case is: Mass signing of PDF invoice documents. That's not a tricky
> requirement at all, but I just can't do it using DSS right now!
>
> So I would like to go for a signing profile for PDF documents starting
> with the core's successful keep-it-simple approach in mind:
>
> - One signature at a time
> - Pre-configured signature field included in the document
> - DSS's signature placement enhanced to be a pointer into a PDF doc
> - No update of the PDF beyond the signature field
>
> Same for Verification. I have no experience with timestamps in PDFs,
> maybe the simple signature approach will fit ??
>
> This would introduce a new profile with focus on PDF as a signature
> container format, independent from the visual signature efforts. Does
> this make sense to you?
>
> More sophisticated profiles may aggregate this functionality, but
> that's not my use case.
>
>
> Opinions welcome
>
> Andreas
>
>

___________________________________________________
Andreas Kühne
phone: +49 177 293 24 97
mailto: kuehne@trustable.de

Trustable Ltd. Niederlassung Deutschland
Ströverstr. 18 - 59427 Unna
Amtsgericht Hamm HRB 5868

Directors
Andreas Kühne
Heiko Veit

Company
UK Company No: 5218868
Registered in England and Wales
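
The server-side checks listed under "Issues/comments" in the top message (per-type signature limits, no signing of an already signed field, and a per-field status report), sketched as an added example that is not part of the original thread or of any DSS profile. PdfState, SigField, the type labels and the sample document are assumptions; a real service would fill this structure from a PDF parser and a signature validator.

```python
from dataclasses import dataclass, field
from typing import Optional

# Limits quoted in the message: at most one MDP signature and at most two
# usage rights signatures per document. The type labels are hypothetical.
MAX_PER_TYPE = {"mdp": 1, "usage_rights": 2}

@dataclass
class SigField:
    name: str                     # field label, e.g. "Employer"
    signer: Optional[str] = None  # None: field not yet signed
    valid: bool = False           # outcome of signature validation

@dataclass
class PdfState:
    """Hypothetical summary a server builds after parsing the PDF."""
    fields: dict = field(default_factory=dict)   # name -> SigField
    counts: dict = field(default_factory=dict)   # signature type -> count

def check_request(doc, sig_type, field_name=None):
    """Return (allowed, reason) for a request to add one signature."""
    limit = MAX_PER_TYPE.get(sig_type)
    if limit is not None and doc.counts.get(sig_type, 0) >= limit:
        return False, f"document already holds {limit} {sig_type} signature(s)"
    if field_name is not None:
        target = doc.fields.get(field_name)
        if target is None:
            return False, "no such signature field"
        if target.signer is not None:
            return False, "field already signed"
    return True, "ok"

def status_report(doc):
    """Per-field status for a client that does not understand PDF."""
    report = []
    for f in doc.fields.values():
        if f.signer is None:
            report.append((f.name, "not yet signed"))
        else:
            verdict = "valid" if f.valid else "INVALID"
            report.append((f.name, f"signed by {f.signer}, {verdict}"))
    return report

# Constructed sample: sealed document, Employer signed, Employee still open.
DOC = PdfState(
    fields={"Employer": SigField("Employer", "Signatory A", True),
            "Employee": SigField("Employee")},
    counts={"mdp": 1, "approval": 1},
)
```

Running the checks on the server keeps a PDF-unaware client from producing a document with a second MDP signature or an overwritten field.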