Kind of security for signature removal

Report · Feb 24, 2023

I realize that Acrobat only allows the person who added a digital signature to remove it. Is this is implemented in a way that no software by any vendor could remove it, similar to a document open password? Or is it implemented in a way that Adobe products will not remove it, but some other vendor could create software that would delete it, similar to a permissions password?

My use case is a notary public. The person who created a document signs it. The notary signs to witness the signature of the creator, and gives the file back to the creator. Later, some unknown person removes the creator signature, making it appear the notary didn't do his/her job properly.

Report · Feb 24, 2023

"Or is it implemented in a way that Adobe products will not remove it, but some other vendor could create software that would delete it, similar to a permissions password?"

This is correct.

Report · Feb 26, 2023

My use case is a notary public. The person who created a document signs it. The notary signs to witness the signature of the creator, and gives the file back to the creator. Later, some unknown person removes the creator signature, making it appear the notary didn't do his/her job properly.

If the notary signed using a digital signature, the removal of the previous signature will invalidate the notary signature. In your use case it will be clear that the document has been manipulated afterwards, so the notary won't be blamed.

(Of course assuming the notary uses trustworthy software to sign. Furthermore, exploits of bugs in the signature validator used - e.g. Adobe Acrobat - may in the short term seem to indicate differently; eventually, though, an analysis of the PDF will show what happened.)

Report · Feb 26, 2023

In my experiment, I found that I could clear the first signature using Adobe Reader and the second signature remained valid.

Report · Feb 26, 2023

In my experiment, I found that I could clear the first signature using Adobe Reader and the second signature remained valid.

Then there is an issue with the way the second signature is applied. Can you share example documents illustrating the issue for analysis? (with first signature, with first and second signature, with second signature but first removed)

Report · Feb 26, 2023

Later, some unknown person removes the creator signature, making it appear the notary didn't do his/her job properly.

By @Geber

The notary uses a raised seal that will only be in the original document, not in a copy. They have also entered it in a book that has been signed by the notary and the person who is getting the document notarized.

Report · Feb 26, 2023

I intended to discuss pdf documents which are electronically signed, and provided to the signer and the ultimate recipients in electronic form. Of course a raised seal cannot be applied to an electronic document. (Well, I suppose you could apply it to a DVD but then the DVD would be destroyed.)

Report · Feb 26, 2023

Or is it implemented in a way that Adobe products will not remove it, but some other vendor could create software that would delete it
By @Geber

We cannot predict into the future as to what software other vendors could or might create. Of course it is possible.

Jane

Forum volunteer

Report · Feb 26, 2023

In the case of the basic, running text of the document, we know it is protected by the PKI signature such as RSA in combination with a symmetric key cipher such as AES. No vendor would be able to create software that would alter the running text without making the signature invalid, unless the vendor was able to defeat one of those two crypto algorithms. We all rely on those algorithms to be secure. In the case of a permissions password, it isn't a matter of cryptographic protection, it's just an instruction to Adobe software to not permit certain operations on the PDF. Other vendors have written software that ignores that instruction.

Report · Feb 26, 2023

If proper digital signatures are used by the parties (and not simple electronic ones as in normal Adobe Acrobat Sign or DocuSign workflows), then the second signature in particular cryptographically signs the whole source document including the first signature. Actually removing the first signature from the file, therefore, will invalidate the second one which every validator should show.

Alternatively the first signature may be "removed" by adding an incremental update in which the first signature field is cleared. This keeps the second signature (which covers the revision before that addition) cryptographically valid, so validators may show green in that regard. But every validator should show that changes have been applied to the document after the second signature, making clear that the notary's version of the document has been manipulated.

In regard to that second option I'd propose the notary locks the existing fields in the document when signing. That should make validators checking MDP display the second signatures as invalid even in that case.

Report · Feb 27, 2023

@MikelKlinkthanks for the explanation. For the strategy of "the notary locs the existing fields", I suppose that would be done in Adobe Acrobat Reader by checking the "lock document after signing" box while signing. This strategy is fine if there is only one signing session. But if the document must be sent to a different place for additional signatures by signers and an additional notary, it wouldn't work. In my experience, an need for multiple signing sessions only occurs for roughly 1% of documents that need notarization.

Report · Feb 27, 2023

For the strategy of "the notary locs the existing fields", I suppose that would be done in Adobe Acrobat Reader by checking the "lock document after signing" box while signing.

PDF-wise there also is the option to only lock certain fields, not the whole document. Unfortunately I do not see how to make use of that option in your use case with Adobe Acrobat.

Adobe Community

Kind of security for signature removal

1 Correct answer