pdf-issues icon indicating copy to clipboard operation
pdf-issues copied to clipboard
verified publisher icon pdf-association

Add explicit file format requirements for incremental updates on signed files?

Open MatthiasValvekens opened this issue 4 years ago • 2 comments

To @petervwyatt's point on #131: it's true that the DocMDP permission levels for updates to signed files are only defined in very vague terms. I also appreciate that the validation of such incremental updates is not within the scope of ISO 32000, and that there's an ongoing ETSI project to standardise some of that.

However, would it be in scope for ISO 32000 to make the requirements more explicit on the file format side of things? For example, ISO 32000 could say things like:

  • "Incremental updates to a PDF document containing a DocMDP level 1 signature shall (should?) only override dictionaries X, Y and Z."

  • "Incremental updates to a PDF with any certifying signature shall not redefine any object IDs that reference stream objects."

This is not a proposal to add specific text, but rather an example of what such requirements might look like. What validators do with this information is of course up to them, but it would make this area of the specification amenable to formalisation in something like the Arlington PDF model, for example.

Thoughts?

MatthiasValvekens avatar Dec 02 '21 17:12 MatthiasValvekens

Conceptually, sure, we could do this...

However, I don't believe that there are "raw" file format requirements here.

I think we need to complete (well, start) the work at ETSI to get a full understanding of all the requirements here.

lrosenthol avatar Dec 02 '21 17:12 lrosenthol

However, I don't believe that there are "raw" file format requirements here.

I also don't think it's possible to precisely state every allowed operation in terms of precise file format requirements (that just wouldn't be practical to write down), but I don't think it's too much of a stretch to believe that we could make some universal statements in ISO 32000.

Whether those would still add value to the standard is another question, which we probably can't answer yet.

I think we need to complete (well, start) the work at ETSI to get a full understanding of all the requirements here.

That's certainly a fair point. Perhaps the outcome of that project will obviate the need for any file format clarifications in ISO 32000.

In the interest of avoiding any misunderstandings: my question was more about whether requirements of this type would be appropriate to add to ISO 32000, I wasn't trying to suggest that we start working on text right now. :)

MatthiasValvekens avatar Dec 02 '21 18:12 MatthiasValvekens