An example of a certified document with allowed changes is shown here by highlighting the text All partners after certification. The figure is divided into the structure (left side) and actual view (right side). Original PDF depicts the PDF document before it is certified. Inc. Update 1 presents the PDF document after applying a certification. Inc. Update 2 shows changes on the document made after its signing and appended at the end of the file.
Certifications have two main differences to signatures. First, each PDF can have only one certification and must be the first in the document. Second, certifications define permissions that allow certain changes to the certified document. As depicted in the table below, certifications define a more flexible way to handle Incremental Updates, and allowed Incremental Update do not lead to a warning. The certifier chooses between three different permission levels (P) to allow different modifications.
- P1: No modifications on the document are allowed.
- P2: Filling out forms, and digitally signing the document are allowed.
- P3: In addition to P2, annotations are also allowed.
| Incremental Update | Signature | Certification: P1 | Certification: P2 | Certification: P3 |
|---|---|---|---|---|
| Add/change visible content | ❌ | ❌ | ❌ | ❌ |
| Fill out form inputs | ❗ | ❌ | ✅ | ✅ |
| Multiple signatures | ✅ | ❌ | ✅ | ✅ |
| Add/change annotations | ‼️ | ❌ | ❌ | ✅ |
✅ – Modification allowed
❌ – Modification not allowed
❗ Only allowed when adding a signature at the same time
‼️ Leads to warnings in most PDF applications
Allowed and Prohibited Changes
At the beginning of our analysis, we investigated which modifications can be included or removed within certified documents with respect to the defined modification permissions (i.e., P1, P2, and P3). Without any surprises, annotations are allowed only in certified documents with P3 and form modifications – in P2 and P3. We determined three different categories with respect to possible changes on the document.
Changing Static Content: Independent of the defined permissions (P1, P2, P3), the static text content cannot be changed. This restriction includes changes such as adding/removing/switching pages, replacing fonts, and replacing the text or images within a page.
Changing Forms: We wondered which changes on forms are allowed if the permission is set to P2 or P3. According to the specification, it is only allowed to modify the value of the form field. The modification of its appearance, for example, its position, color, and font, must not be allowed. Forms can also be used to insert digital signatures.
Adding/Removing/Modifying Annotations: Annotations can be added if the permission is set to P3. According to the specification, there is no restriction on the type of annotation. In contrast to the specification, our analysis reveals that not all annotations are allowed.
Danger Level
We estimated the danger level for each modification and define four levels: High, Medium, Low, and None.
- High: The highest level results from the fact that the modification allows the insertion of text indistinguishable from the original one. Thus, a user opening a document cannot detect the inserted annotation and interprets the newly added content as part of the certified document.
- Medium: The level Medium covers modifications capable of hiding content. The user is then unable to detect that the modifications overlay some part of the document, for example, an important point of a contract.
- Low: Annotations with the level Low are potentially able to hide content of the original PDF, but the modification is visible for the user. For such modifications we abuse features like annotation icons shown in the PDF. Since the icon can be exchanged, one can define an icon overlaying content. Nevertheless, we could not find a way to change the icon without invalidating the certification. A residual risk remains, but we consider this to be low.
- None: All modifications which are not allowed to be used in certified documents have the level None.