Security – Enforcing a single-use policy with .PDF files

Tags: apache-2.2, password-protected, pdf, security, web-server

My organization has some Confidential (as in statutory requirements confidential) documents that go out to certain people and committee groups prior to their release into the public domain. These documents need to be accounted for during this timeframe to prevent their "early" release. This has been done historically by all the interested parties holding a meeting in a closed room: the documents are passed out, the meeting is held, and then they are collected as everyone leaves the room. I have been tasked with duplicating the same kind of policy mechanism using our publicly facing web server (Debian 5.0.6 on Xen HVM running Apache2).

I immediately dislike the idea of keeping confidential material on a web server that is accessible by the entire world just on principle alone but we will put that concern aside for a minute. These documents need to be 1) accessible to only the interested parties, 2) the content of the documents protected somehow, 3) not able to be printed by the people that view it, 4) not able to be saved for re-distribution later.

I think using .PDFs is the best solution for this. I can constrain the ability to print and edit the documents. Judicious use of .htaccess and SSL can prevent the whole world from downloading them. It's the single-use, non-distribution part that I cannot think of a decent way to implement. Once they're downloaded, they're downloaded. And nothing I can think of can prevent someone from passing the document to someone who shouldn't have it along with the password to read it. What I need is a single-use policy mechanism, like a one-time password for .PDFs. Use the password once and then we just rely on Adobe's encryption (for better or for worse).

Anyway, I'm kind of at an end on how to accomplish this, and I was hoping some of the good folks here could help me generate some ideas so I can present the pros and cons of this project to the boss.

Thank you kindly.

EDIT: It's been noted numerous times that any technical system to do this is easily circumnavigated by things like dictating the information out of the document to someone, taking a picture or screenshot or something like that. This threat already exists in the "closed room" model, although it's certainly much smaller. We can more or less trust the people on the other end, just not their computers.
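As an added example (not code from the question or the answer), one way to build the "one-time password for .PDFs" idea behind the Apache front end: a gate that issues a per-recipient single-use token, stores only the token's hash, releases the document exactly once and writes an audit record of every attempt. The class name `OneTimeDocumentGate` and the sample document bytes are assumptions for this illustration; what the gate provides is accountability for who fetched which copy and when, not control over the copy after it has been released.

```python
import hashlib
import secrets
import time

SAMPLE_DOCUMENT = b"%PDF-1.4 constructed sample"  # constructed stand-in, not a real PDF


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class OneTimeDocumentGate:
    """Single-use download tokens for one document; only token hashes are stored."""

    def __init__(self, document: bytes, ttl_seconds: int = 3600, clock=time.time):
        self._document = document
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry is testable offline
        self._tokens = {}   # sha256(token) -> {"recipient", "expires", "used_at"}
        self.audit_log = []  # (timestamp, recipient, event), one entry per attempt

    def issue(self, recipient: str) -> str:
        """Create a fresh token for `recipient`; the raw token is returned only here."""
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = {
            "recipient": recipient,
            "expires": self._clock() + self._ttl,
            "used_at": None,
        }
        self._log(recipient, "token issued")
        return token

    def redeem(self, token: str):
        """Return the document on the first valid use, None on every other attempt."""
        now = self._clock()
        record = self._tokens.get(_digest(token))
        if record is None:
            self._log("<unknown>", "rejected: unknown token")
            return None
        if record["used_at"] is not None:
            self._log(record["recipient"], "rejected: token already used")
            return None
        if now > record["expires"]:
            self._log(record["recipient"], "rejected: token expired")
            return None
        record["used_at"] = now
        self._log(record["recipient"], "document released")
        return self._document

    def _log(self, recipient: str, event: str) -> None:
        self.audit_log.append((self._clock(), recipient, event))
```

In a real deployment the token table and audit log would live in persistent storage behind the SSL/.htaccess-protected Apache vhost, and the token would be delivered to each recipient over a separate channel from the download link.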

Best Answer

Relying on any kind of "DRM" protections in PDF files (or any other kind of file) assumes that the reader software and computers where the reading is occurring are "trusted". This is a bad idea.

You can use authentication and encryption to limit "use" to authorized parties, but that only works when the authorized parties keep their passwords and keys secure. If you're not disseminating hardware tokens then, odds are, passwords or keys can be fairly easily compromised.

Setting all that technical stuff aside, if the confidential data is so important that it's traditionally disseminated in closed-door meetings with copies being collected after the meeting is over, then it's not appropriate to protect it with "DRM". You cannot (and never will be able to) replicate that kind of functionality, with respect to confidentiality, with "DRM".

I'd make it clear to your supervisors that any "solution" that involves sending the data out of your control is going to result in breaches of confidentiality, period. It doesn't matter how many DRM controls you put on the documents in an electronic form, that won't stop somebody from taking pictures of their screen with a camera, dictating the content out loud, etc.

If the closed-door meetings are just an old formality and the level of confidentiality isn't really that critical, then you might get by with an encryption solution. I'd think hard about using hardware tokens to keep the private keys secure in such a situation. The PCs of your end-user consumers should be considered untrusted and not a safe place to store key material.