Discourage the use of SHA1 for all PDF versions
The hash algorithm SHA1 has been considered insecure for a number of years now, and in particular for PDF signatures this can easily be exploited; see shattered.io, for example.
In ISO 32000-2 "SHA1 has been deprecated with PDF 2.0" (see footnote d in table 260). But for PDF 1.7 and lower there is no restriction in respect to SHA1 usage yet.
While discussing #601 in the Cryptography & Provenance TWG, the question came up whether one could and should similarly deprecate or at least discourage SHA1 usage in PDF 1.7 (or even all 1.x versions), too. This issue shall serve to allow discussion of this question by itself.
According to the ISO 32000-2 Terms and definitions, a part of ISO 32000 is called "deprecated" if it "should not be written into a PDF 2.0 document, and should be ignored by a PDF processor" (ISO 32000-2 section 3.1.5).
Thus, in this context we probably should not try to "deprecate SHA1 with PDF 1.7" because the term "deprecate" in ISO 32000-2 is defined to refer to PDF 2.0.
My personal opinion on this:
I think the list of algorithms in ISO 32000-2 (table 260) should be considered an indication of which algorithms a validating PDF processor should at least be able to process, not a list of which algorithms - and parameters - it should consider secure and applicable for secure signatures. For assessing algorithm strengths, a validating PDF processor should rely on the latest agreed information on algorithm security, e.g. SOG-IS, ECCG, ETSI, or NIST publications.
Also there may be very good reasons for a validator to accept SHA1 based PDF signatures; if a PDF with such a signature is known to have existed in its current form since e.g. 2007 (when SHA1 still was generally accepted), there is no reason not to validate the signature positively if it's cryptographically sound.
Similarly, a signing PDF processor should make use of the latest agreed information on algorithm security, too, when selecting an algorithm to use for signing.
Furthermore, if we discourage the use of SHA1 in ISO 32000-2 and so create the impression that we want to maintain a list of secure algorithms here, we should take a look at other algorithms (with parameters) in that table, too. For example, the "RSA - Up to 1024-bit (PDF 1.3)" entry might then be perceived to imply that RSA with a key size of up to 1024 bits is a secure choice for signatures.
Thus, deprecation or discouragement of SHA1 for security reasons for me is not really necessary in ISO 32000-2. Instead I'd favor adding a note to indicate that assessment of the algorithm strengths is not the focus of this document.
Maybe even generically wording such a note, since the essence of the statement is timeless and will likely apply to today's best crypto at some point in the future! I.e., the PDF specification needs to continue to define how to process any extant PDF with "old" crypto in perpetuity and does not make any statements about appropriateness of algorithms.
The C&P TWG observes that ISO 32000-2 is focused on PDF 2.0 and, therefore, cannot be changed in respect to earlier PDF versions.
One proposed option around this would be a PDF Association publication recommending against the use of SHA-1 (and other weak algorithms) also in PDF-1.x. This option is to be discussed.
The C&P TWG observes that ISO 32000-2 is focused on PDF 2.0 ...
Not 100% true as it covers clarifications for 100s of legacy features. If the intention is merely some generic informative text about any crypto becoming weak over time, then 32K is the best place. If you want to describe specific aspects or update as crypto evolves then, yes, a separate dedicated PDF Association publication would be better.
C&P TWG agrees that some generic guidance here would be useful. Wordsmithing needed.
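The split argued for in the "personal opinion" comment above (what a processor can parse versus what it treats as secure, with old signatures judged by when the document provably existed) could look like this on the validator and signer side. This is an added example, not code from the thread or from any PDF library. The function names, the verdict strings, the `PROCESSABLE` set and the SHA1 sunset date are constructed assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# What the processor can parse (capability). Constructed set for this example.
PROCESSABLE = {"SHA1", "SHA256", "SHA384", "SHA512", "RIPEMD160"}

# What the processor trusts (policy): instant after which evidence made with
# the digest no longer counts. None = no sunset set. The SHA1 date is a
# constructed placeholder; load real values from the authority you follow.
SUNSET = {
    "SHA1": datetime(2011, 1, 1, tzinfo=UTC),
    "SHA256": None,
    "SHA384": None,
    "SHA512": None,
}
SIGNING_PREFERENCE = ("SHA256", "SHA384", "SHA512", "SHA1")


def assess(digest, proof_of_existence=None, now=None):
    """Return (verdict, reason) for a signature's digest algorithm.

    proof_of_existence: tz-aware time at which trusted evidence shows the
    signed document already existed unchanged. The signer's own claimed
    signing time is not such evidence, and the evidence must itself verify
    under algorithms that are strong today (not checked here).
    """
    now = now or datetime.now(UTC)
    digest = digest.upper().replace("-", "")  # treat "SHA-1" and "sha1" alike
    if digest not in PROCESSABLE:
        return "UNSUPPORTED", "cannot process " + digest
    if digest not in SUNSET:
        return "INDETERMINATE", "no policy entry for " + digest
    reference = proof_of_existence or now  # no evidence: judge as of today
    sunset = SUNSET[digest]
    if sunset is None or reference < sunset:
        return "ACCEPT", digest + " acceptable at " + reference.date().isoformat()
    return "REJECT", digest + " past sunset at " + reference.date().isoformat()


def choose_signing_digest(now=None):
    """Pick the first preferred digest that policy still allows for new signatures."""
    now = now or datetime.now(UTC)
    for name in SIGNING_PREFERENCE:
        if name in SUNSET and (SUNSET[name] is None or now < SUNSET[name]):
            return name
    raise RuntimeError("policy allows no digest for signing")
```

An algorithm that is processable but has no policy entry yields `INDETERMINATE` rather than a pass, so being listed as supported never implies being trusted.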