Signing PDFs using iTextSharp with certificate, reliable for at least 7 years
Question
I'm receiving files and I convert them to PDF/ A . Then I want to sign them using an reliable signing method. What I try to achieve is the following.
The certificate...:
- will be applied on a self-made document (ie I have full control over the content)
- verifies the origin of the document (in this case, me)
- verifies there has nothing been changed (since the certificate/sign was applied)
- is reliable for at least 7 years (eg high quality algorithm)
This results in the following workflow.
I generate a document. I put the sign/certificate on it. A user downloads the pdf from our website. Then he downloads the certificate I provide to verify the sign on the document. The result is that the sign is valid/invalid.
The question is: How to Sign using iTextSharp and What do I need to get a certificate that is reliable for 7 years ?
Edit: I've seen this document, but it gets me a little dizzy. There are so many options: http://itextpdf.com/book/digitalsignatures/
1 answers
solution1
1 2013-04-15 12:13:28
The first thing you need is a certificate that is valid for more than 7 years. You'll need a certificate that is stored on hardware (USB, HSM, smart card) and that is either CDS or AATL approved.
Even if you find a certificate that is valid for more than 7 years, you're not 100% sure it will remain valid during that period. Certificates can be revoked if they are compromised. For instance: when the person who signed the document loses his USB token. Signing using a Hardware Security Module should be more reliable.
As for algorithms: you should at least use SHA-2 and an encryption key of at least 2048 bits, but nobody will guarantee you that these algorithms will be safe for the next 7 years. In that sense, your question probably should be downvoted because it doesn't really make sense: you're expecting us to have a crystal ball.
However: if you read the final chapter of my book (the one that makes you dizzy), you'll see that it's always possible to extend the life of a signed document, by adding a Document Security Store (DSS) and a Document-Level Timestamp. That final signature (the Document-Level Timestamp) will typically use the most trusted algorithms of the moment. For instance: in a couple of years, you'll probably be able to use SHA-3.
Note that the type of signatures and the encryption algorithms also have an impact on the PDF/A version. Currently, you need at least PDF/A-2 for future-proof signatures.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.