We would like to thanks the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams which reacted to our report and fixed the vulnerable implementations.
We would like to acknowledge Florian Zumbiehl who found an interesting attack related to pdf signatures in PDF viewer back in 2010.
We want to acknowledge the research of John Heasman and his team @ DocuSign for finding one variant of the Signature Wrapping attack independently of our research. They tested and reported their attack against the following products:
We also want to acknowledge the great contribution of Detlef Hühnlein (ecsec GmbH) and Herbert Leitold (A-SIT) for giving us a lot of information regarding the usage of PDF signatures in the wild and explaining us the legal aspects of digitally signed documents.