Handling document catalog dictionary in an encrypted doc not specified

[lrosenthol]

The current spec does not state anything about whether the document catalog dictionary can be in a ObjStm in an encrypted document. Allowing it to be so would prevent the use of cleartext metadata (since you need to be able to read the catalog w/o decryption), so most implementations do NOT put it in one in that case, nor can they read such a file.

Recommend we put a specific SHALL in the spec to address this case.

[mkl-public]

Wouldn't a catalog in a non-encrypted object stream (with an Identity Crypt filter) also allow cleartext metadata?

[petervwyatt]

Can you please be more precise? Are you proposing that the DocCatalog "shall not" be in an ObjStm under all conditions, only if there is an Encrypt dict, or some other condition(s)? Or do you mean that in order to have clear-text Metadata, the DocCatalog "shall not" be in an ObjStm?

[MatthiasValvekens]

PDF DigSig TWG is on board with a blanket prohibition on putting the catalog inside an encrypted ObjStm (i.e. cleartext object streams in otherwise encrypted documents are fair game), predicated on the assumption that such documents don't really circulate today because most mainstream PDF viewers wouldn't be able to read them.

[petervwyatt]

Proposed solution wording in 2 places:

1. new bullet in the bulleted list of what is not allowed in object streams in 7.5.7 Object streams

   • The document catalog (see 7.7.2 Document catalog dictionary) in an encrypted document

2. to be added as a new 2nd paragraph (after the only paragraph) in section 7.7.2 Document catalog dictionary:

   For encrypted documents, the catalog dictionary shall not be in an object stream (see 7.5.7 Object streams).

[mkl-public]

@petervwyatt

The catalog only needs to be forbidden in encrypted object streams. There is no need to disallow it in not encrypted ones.

[petervwyatt]

PDF TWG agree