1
votes

Background:

  • I have written a Java program using the iText library to sign PDFs with an ikey.

  • I have two ikeys, one with a Common Name certificate, and the other has a Pseudonym certificate.

Description:

When I open the pdf signed by the Common Name cert in Acrobat Reader, it displays the blue ribbon meaning it's a valid signature, and in the Signature Panel it shows "Certified by Jane Doe". Everything is perfect.

However, if the certificate is a Pseudonym certificate, it displays "Certified by %s", even though the blue ribbon and the validation info all display correctly. (Not allowed to attach an image, so I put the screenshot here: http://imgur.com/lpvOKLz)

Questions:

  1. Is this an issue with the Acrobat Reader, that it cannot display correct "Certified by" info if the pdf is signed by a Pseudonym certificate?
  2. Any suggestion is appreciated.
1
Can you share the PDF in question? - mkl
@mkl Many thanks for looking at this issue. I've sent it to your email. - Gnaix
I took a look at your file and could not find anything wrong in its signature; neither could I find a hint in ISO 32000-1 indicating that pseudonym certificates might be forbidden here. I assume, therefore, that Adobe Reader signature status display code simply forgot to consider the possibility of pseudonym signatures (most likely because Adobe generally has use cases targeted at specific persons, not roles or functions, in mind). Probably Leonard (the person Bruno most likely asked) knows more. You might want to try using the Name entry of the signature dictionary. I haven't checked this - mkl

1 Answer

0
votes

I have seen "Certified by %s" before. See my book about digital signatures, figure 2.23. I quote:

As expected, Alice’s certification signature is invalid after Carol tried to sign the document using a second certification signature, but the output is kind of strange. In the signature panel, we see ‘Certified by %s’ instead of ‘Certified by Carol’, and there’s a looking glass instead of a red cross. These situations are rather exotic and should be avoided. Let’s focus on real life examples, and combine signing with form filling.

This quote is about the results of some experiments that conflict with the ISO specification / PAdES. You may have found another conflict.

In my book, I describe a situation where there are two certification signatures. This doesn't make sense as it is explicitly forbidden to add two certification signatures. It is also implied in the specs that the certification signature is always the first signature, although Adobe Reader doesn't complain (yet) if it isn't.

I can easily imagine that using a pseudonym certificate is also one of those exotic cases where Adobe Reader doesn't really know what to do. What is the sense of signing a document anonymously? Who should Adobe Reader pick as the authorized signer?

The fact that I've seen %s before tells me (without even looking at your PDF) that %s is an artifact from Adobe Reader. I wrote some of the signing functionality in iText and I'm sure that we don't put the %s there.