Re: [opensuse] Signing PDFs
On Thu, Aug 6, 2015 at 12:39 PM, Carlos E. R.
<robin.listas@xxxxxxxxxxxxxx> wrote:

>> And you as the creator of this document shouldn't send one that isn't
>> editable, and is digitally signed in such a way that at least it's
>> provable that the document has been altered since it was signed. So if
>> some company asks for a PDF with a handwritten signature, you should
>> still digitally sign it with at least your own self-signed cert, to
>> encrypt it, prevent it from being edited, and thus able to prove
>> whether it's been modified since signing.
>
> Ah. Didn't think of that.
>
> How would you create such a signature in Linux? :-?

I've been too lazy to try to figure it out.

I've used self-signed certificates generated in Acrobat to do this.
The document is not encrypted, but it is hashed, the hash is signed,
and the signed hash and public key go into the PDF. So at the other
end they can confirm/deny if it's been tampered with since signing. It
doesn't conclusively prove I signed it though, since it's self-signed.

Of course, there's some chance it's intercepted. Modified. And then
re-signed with a faked self-signed key in my name. And sent from an
account with a spoofed email address. So, it's like - next to b.s.

I think the recipient would need a policy that requires DMARC/DKIM
emails from source to accept such PDFs, and then archive the entire
email original source. But really we need a better way to do this with
verifiable keys rather than self-signed.



>> You can also disallow
>> printing and copying of such a PDF (within the limits of software
>> honoring this policy, obviously the fact it's being displayed at all
>> means anyone could do an end run around the no printing policy).
>
> Why? They may have need to print in order to file in paper. :-?

Just to hassle them for having asked for a digital document only to
(try and) print it out at their end. You know, mind game.

"Oh you were planning on printing a paper copy on your end? Huh,
that's weird. OK fine I'll send another PDF you can print." And then
at least I know I'm dealing with a crackpot, with email record of the
clueless. The thing is, I've never been asked. So these PDFs just seem
to vanish into the digital equivalent of paper filing cabinets where
documents are buried. Until there's a lawsuit no one cares I think.

But honestly if they're that antiquated they want to print a PDF on
paper, why not just ask for a fax in the first place? (I haven't been
asked for a fax in ~2 years in my business, and it was probably 1-2
years before that for the time before. I always get a chuckle when it
happens though. "Yes, here is the fig leaf...")

--
Chris Murphy
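
Added example, not part of the original message: the hash-then-sign check and the self-signed caveat discussed above, shown with a detached CMS signature over a plain file rather than a signature embedded in a PDF. It assumes the openssl command-line tool is installed; the name "Alice Example", the file names and the document text are constructed.

```shell
#!/bin/sh
# Added example (constructed names and files); assumes the openssl CLI is installed.
WORK=$(mktemp -d)

# make_signer DIR: self-signed cert and key under DIR, always named "Alice Example".
make_signer() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Alice Example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# sign_doc DIR FILE: hash FILE, sign the hash, write FILE.p7s with the cert embedded.
sign_doc() {
    openssl cms -sign -binary -md sha256 -in "$2" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -outform PEM -out "$2.p7s" 2>/dev/null
}

# fingerprint CERT: print the SHA-256 fingerprint of a certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# verify_doc FILE [PINNED_FP]: check FILE against FILE.p7s. -noverify skips chain
# validation because a self-signed cert has no CA. With PINNED_FP, also require
# that the embedded signer cert is the one whose fingerprint was obtained out of band.
verify_doc() {
    openssl cms -verify -binary -noverify -inform PEM -in "$1.p7s" -content "$1" \
        -signer "$WORK/embedded.pem" -out /dev/null 2>/dev/null || return 1
    [ -z "$2" ] || [ "$(fingerprint "$WORK/embedded.pem")" = "$2" ]
}

make_signer "$WORK/alice"      # the real sender
make_signer "$WORK/other"      # unrelated key pair carrying the same name
printf 'Invoice 42: total 100 EUR\n' > "$WORK/doc.txt"
PIN=$(fingerprint "$WORK/alice/cert.pem")   # shared with the recipient out of band

sign_doc "$WORK/alice" "$WORK/doc.txt"
verify_doc "$WORK/doc.txt" "$PIN" && echo "original: accepted"

printf 'Invoice 42: total 900 EUR\n' > "$WORK/doc.txt"    # altered after signing
verify_doc "$WORK/doc.txt" "$PIN" || echo "altered, old signature: rejected"

sign_doc "$WORK/other" "$WORK/doc.txt"                     # altered and re-signed
verify_doc "$WORK/doc.txt" && echo "re-signed, no pin: accepted"
verify_doc "$WORK/doc.txt" "$PIN" || echo "re-signed, pinned: rejected"
```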