Locking a signed PDF using iTextSharp after Long Term Validation(LTV) has been added using LtvTimestamp

Question

Is it possible to stop any annotations and / or signatures being added after a PDF has had LTV added using LtvTimestamp?

I've tried adding PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED on the initial signing but adding LTV invalidates that signature.

Any help would be greatly appreciated.

Answer 1

In general

First of all, no, it is not possible to stop any annotations and / or signatures being added after a PDF has had LTV added in general because one can easily program a utility adding annotations or signature fields ignoring permissions.

So let's assume we are talking about tools respecting permissions. But even in that case the question is according to which specification the permissions are interpreted.

Permissions as in ISO 32000-1

What changes are or are not allowed in ISO 32000-1, has been described in this answer.

ISO 32000-1 does not know about PAdES-4 LTV information or document time stamps. it sees the latter as normal signatures using a non-interoperable format and has no interpretation for the former.

Thus, if the initial signature is a certification signature "with form fill-in and digital signatures allowed" and there already is exactly one empty signature field, you may add a document time stamp in that empty field and no later signatures or annotations are allowed.

Unfortunately, though, adding the validation related information (which is one major reason for LTV'ing after all) strictly speaking is not allowed in any certified document.

Thus, a tool interpreting permissions strictly according to ISO 32000-1 can be persuaded not to allow signature or annotation additions after the document time stamp. But such a tool likely is not your target tool as it neither allows LTV VRI nor is it likely to be able to handle document time stamps let alone interpret the whole as a "signed document with LTV".

Permissions as in ISO 32000-1 modified as per PAdES part 4

PAdES part 4 changes the situation by properly specifying document time stamps and LTV VRI, and by ruling

DocMDP restrictions (see ISO 32000-1 [1] clause 12.8.2.2) shall not apply to incremental updates to a PDF document containing a DSS dictionary and associated VRI, Certs, CRLs and OCSPs. [...]

When evaluating the DocMDP restrictions (see ISO 32000-1 [1], clause 12.8.2.2) the presence of a Document Timestamp dictionary item shall be ignored.

(ETSI TS 102 778-4 V1.1.2 "Annex A (normative): ISO 32000-1 LTV Extensions")

Thus, if a document which is

• either "Certified with no changes allowed" with LTV validation related information and a document time stamp added
• or "Certified with form fill-in and digital signatures allowed" with LTV validation related information and a document time stamp added without any remaining empty signature fields (probably enforced by field locking)

is processed by a tool interpreting permissions according to ISO 32000-1 modified as per PAdES part 4, this tool will:

• accept the VRI addition and properly handle them and the document time stamp, and
• not accept or create further signatures or annotations.

But it will accept further VRI and document time stamp additions!

Permissions as in ISO 32000-2 (draft)

The latest draft I have available here essentially integrates the PAdES part 4 additions. Thus, the situation is essentially the same as in case of ISO 32000-1 modified as per PAdES part 4.

The new option to change the MDP permissions as part of field locking may be used to have a more lax situation before adding the document time stamp.

Adobe Acrobat Reader DC V 2015.007.20033

How this software interprets permissions, has yet to be analyzed...