SIGNATURES AND PERMISSIONS At the PDF language level, a signature may be hooked up to one or more permission handlers.

Permissions may be specified by TransformMethod (FieldMDP, DocMDP, or UR3) which use a TransformParams array to specify signature characteristics and document permissions or by /Lock in the field dictionary. Permissions can be: * Set by the author via seed values or with field properties that restrict user actions after signing. * Set by the signer when certifying to allow no changes; form fill-in & signing; or form fill-in, signing, & annotations. * Set by the signer using an approval signature under certain conditions. * Document or field-level. * A grantor of rights such as signing with an approval signature to Adobe Reader users via UR3. * A cause of invalid signatures if permissions are violated.
TransformMethod N/A (none) FieldMDP FieldMDP DocMDP UR3 Sig Type Approval Approval Both Certification Approval obj<<Permissions dictionary /Perms</DocMDP (obj ID)> /Perms</UR3> Notes Any number allowed. Can lock document during signing under certain conditions. Adobe Reader users can only sign when usage rights are enabled via UR3. Signer can lock document when signing if the field is last unsigned field and it contains no no seed values which prohibit locking or other locking rules. Authors set permissions via the form fields Digital Signature Properties dialog. Set during certification. First signature only. By default, FieldMDP present. MDP seed value set on field will force use of certification signature. Acrobat authors grant rigths (e.g. signing with approval signatures) to Reader users. obj<<Field dictionary /FT (field type e.g. /Sig) /Lock /SV (optional: seed value)
obj<< Seed value dictionary /Type (SV) /Ff (Specify required entries) /Filter (Signature handler) /SubFilter (Signature encoding) /DigestMethod (Algorithm) /V (SV parser capability) /Reasons (Signing reasons list) /MDP (Force certification sig) /TimeStamp (TS dictionary) /LegalAttestation (Attestations) /AddRevInfo (Embed rev status) /Cert (Certificate SV dictionary) obj<< Certificate SV dictionary /Type (SVCert) /Ff (Specify required entries) / Subject (Identify certificates) . . . Other stuff . . . obj<< Signature reference dict. /Type /SigRef /TransformMethod FieldMDP DocMDP UR3 /TransformParams

obj<<Field lock dictionary /Type /SigFieldLock /Action /All /P 1 Doc locked on approval sig. FieldMDP TransformParams /Actions/(All | Inc. | Exc.) TransformMethod sets what TransformParams are used.

/SigFlags (optional: 1 or 2) /V (if signed, a sig dict. obj ID)

obj<< Signature dictionary /Filter (signature handler) /SubFilter (signature format) /ByteRange (document range) /Contents (PKCS sig value) /Type Sig . . . Other stuff . . . /Reference (1-n sig ref dicts)

/Fields/(Field names) /P (1) Field level permissions DocMDP TransformParams Allow sign, annots, etc. /P (1 | 2 | 3 ) Certification signature UR3 TransformParams /V /2.2
1 2 3 4

/Document/[FullSave] /Form/[form field rights] /Signature/[Modify] /Annots/[annot rights] /EF/[embedded file rights] /FormEX/[form field rights]

5 6

1-6 define usage rights