PDF/PGP Verification originated and is prototyped in the SavaPage Community. It has no formal status outside, but could become a more widely accepted Open Standard. This Feature Preview is offered to provoke feedback on the verification method and reference implementation. Please share your experiences and requirements.
Many organizations who are bound to legal and regulatory requirements use PKI based services to verify authenticity and integrity of PDF documents. X.509 is the “de facto” standard for this security measure.
While some have a self-imposed X.509 policy, most organizations are not aware of security issues or are deterred by PKI requirements, that include third-party Certificate Authorities (CAs), Time Stamping Authorities (TSAs), and PDF signature-compliant PDF readers.
For those organizations PDF/PGP Verification is a simple OpenPGP based PKI alternative. It works as follows:
The PDF document is signed by including its detached OpenPGP signature as PDF comment.
The PDF is verified by stripping the comment OpenPGP signature, and using it to verify the remainder PDF.
Organizations can easily use their own Web Site to implement a PDF/PGP Verification Service. This is the use-case:
Published PDF documents are PDF/PGP signed and have a visible URL link to the Verification Service at the top of the first page.
A User, who received the PDF through whatever channel, wants to verify its authenticity and integrity, and clicks the link.
The Web App opens in the browser and invites the user to upload the PDF for verification.
The User trusts the Secure Connection and Website Identity (SSL certificate) and uploads the PDF.
The Web App uses the Public OpenPGP Key of the trusted signer to verify the uploaded PDF and communicates the verdict to the User.
SavaPage implements a reference PDF/PGP Verification Service where PDF documents are signed and verified with the server's OpenPGP Key Pair.
PDF/PGP Verification will surely not hold against stringent certificate-based legal and regulatory requirements. On the other hand, for many organizations it will lower the threshold to adopt a simple and pretty-good security policy.