[ https://issues.apache.org/jira/browse/PDFBOX-1847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13935714#comment-13935714 ]
John Hewson edited comment on PDFBOX-1847 at 3/14/14 10:02 PM: --------------------------------------------------------------- 1. Ok, will use Java's SHA-256 2. Ok, will use the a 32-bit range instead. 3. :) 4. Ok, will remove the header 5. Yes, please do. The IOExceptions are fine, it's just the fact that ClassCastException should not be thrown by bouncy castle (but it could be possible). 6. I would advise against using your own sources of entropy, SecureRandom is already able to provide cryptographically secure random numbers and the document hash is almost certainly less random than the randomness produced by SecureRandom, e.g. the hash is always the same when the document contents are the same. In fact, if multiplying by the hash causes the value to overflow you will actually loose entropy, decreasing security. was (Author: jahewson): 1. Ok, will use Java's SHA-256 2. Ok, will use the a 32-bit range instead. 3. :) 4. Ok, will remove the header 5. Yes, please do. The IOExceptions are fine, it's just the fact that ClassCastException should not be thrown by bouncy castle (but it could be possible). 6. I would advise against using your own sources of entropy, SecureRandom is already able to provide cryptographically secure random numbers and the document hash is almost certainly less random than the randomness produced by SecureRandom, e.g. the hash is always the same when the document contents are the same. In fact, if multiplying by the hash causes the value to overflow you will actually loose entropy and decrease security. > TSA Time Signature > ------------------ > > Key: PDFBOX-1847 > URL: https://issues.apache.org/jira/browse/PDFBOX-1847 > Project: PDFBox > Issue Type: Improvement > Components: Signing > Affects Versions: 2.0.0 > Reporter: vakhtang koroghlishvili > Assignee: John Hewson > Fix For: 2.0.0 > > Attachments: CreateSignature-updated.java.patch, > TSATimeSignature.patch, resultOfSigning.jpg > > > When we was signing document, we was using time from our time. For more > security we can use Time Stamp server. > "Trusted timestamping is the process of securely keeping track of the > creation and modification time of a document. Security here means that no one > — not even the owner of the document — should be able to change it once it > has been recorded provided that the timestamper's integrity is never > compromised."(wiki) -- This message was sent by Atlassian JIRA (v6.2#6252)