Chapter 14, Security, Control, and Digital Signatures
XFA Specification
Signed Forms
Authenticity
Achieving this purpose results in a "trusted document" or a "document of record".
Authenticity provides confidence that a document does not take on a different appearance after being
signed. The XFA grammar and the PDF language provide a number of capabilities that can make the
rendered appearance of a form or PDF document vary. These capabilities could potentially be used to
construct a document that misleads the recipient of a document, intentionally or unintentionally. These
situations are relevant when considering the legal implications of a signed XFA form or PDF document.
Therefore, it is necessary to have a mechanism by which a document recipient can determine whether the
document can be trusted.
Using XML digital signatures for authenticity
XML digital signatures can establish the authenticity of a form, by incorporating in the signature relevant
parts of the form and certificates that identify the sender, and by using private-key encryption.
XFA does not provide a native facility for authenticating a document; however, it does build on the PDF
certification facility. Thus, it is possible to verify the authenticity of an XFA form enclosed in a PDF
document.
When used to establish a document of record, the XML digital signature does not of itself ensure that the
user was given the chance to see and agree to the form. However, since the template is included in the
signature, and all scripts are located in the template, it is possible to confirm by analysis that the user did
give consent. As with document-of-record signatures, such analysis depends upon the client software
being trustworthy.
Using PDF digital signatures for authenticity
Authenticity includes ensuring the integrity of the form and verifying the identity of the sender. With
forms intended for fill-in, authenticity may be required in a form that is then filled in and signed. For example,
an accounting firm might send a financial report to another agency for comments and signatures. The
accounting firm would want to assure the recipient of its identity (authenticity) and prevent the financial
report from being modified (integrity), with the exception of fields set aside for text comments and the
signature of the recipient. After adding comments to the designated fields, the recipient would sign the
document. The signature would be associated with the current state of the document. Although further
modifications to the comment fields would be allowed, they would not be associated with the signature
field.
PDF MDP signatures support the kind of form fill-in and signature described in the above paragraph.
Starting with XFA 2.4 it is possible for a template to invoke prototypes from external documents. These
external prototypes can in turn invoke prototypes from other documents and so on. To ensure the
authenticity of the document the PDF processor resolves all prototype references before generating the
signature. The resulting PDF has vestigial prototype references (it still contains the URLs of the external
prototypes) but it no longer has any dependence upon the external documents.
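The following added example (not part of the XFA specification) inventories the external prototype references in a template, so a reviewer can see which outside documents a form depends on, or depended on before it was signed. It assumes external references are carried in the `usehref` attribute of the XFA template grammar, which this page does not name; the sample template, URLs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

# Constructed sample template, not taken from the specification.
SAMPLE_TEMPLATE = """<template xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
  <subform name="form1">
    <field name="amount" usehref="https://protos.example/lib.xdp#f1">
      <ui><numericEdit/></ui>
    </field>
    <field name="notes" usehref="https://other.example/more.xdp#f2"/>
    <field name="local" use="#f3"/>
  </subform>
</template>"""

def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def audit_prototype_refs(template_xml):
    """Return one record per element that invokes an external prototype."""
    # For untrusted files, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(template_xml)
    findings = []

    def walk(el, path):
        name = el.get("name")
        here = f"{path}/{_local(el.tag)}" + (f"[{name}]" if name else "")
        href = el.get("usehref")  # external reference; `use` is document-local
        if href:
            document, fragment = urldefrag(href)
            findings.append({
                "element": here,
                "document": document,
                "fragment": fragment,
                # Heuristic (assumption): an element with no children of its
                # own still relies on the external document for its content.
                "has_local_content": len(el) > 0,
            })
        for child in el:
            walk(child, here)

    walk(root, "")
    return findings

def external_documents(findings):
    """Distinct external documents the template depends on or once did."""
    return sorted({f["document"] for f in findings})

if __name__ == "__main__":
    for f in audit_prototype_refs(SAMPLE_TEMPLATE):
        print(f)
```

In a signed PDF, every entry is expected to be vestigial; an entry with `has_local_content` set to false is worth a closer look because nothing was copied into that element.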
Non-Repudiability
Non-repudiation is a document security service that prevents the signer of the document from denying
that they signed the document. Such a service is often driven by authentication and time-stamping from a
trusted third party.
Non-repudiable security is the same as document of record, with the additional verification that the
person signing the form cannot deny signing the form. Using PDF signatures to establish non-