Glossary
At a glance
This glossary defines the NextPDF terms you see across the documentation, including signature profiles, encryption modes, HyperText Markup Language (HTML) pipeline layers, accessibility structures, the event model, and privacy operations in the commercial editions. Each term has its own anchor, so other pages can link directly to the definition. Definitions paraphrase the canonical signed glossary and the standards NextPDF implements; consult the cited standard when you need exact normative wording.
AES-GCM
Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) is an authenticated encryption mode that combines AES in counter mode with a Galois-field message authentication code, providing confidentiality and integrity in one pass. ISO 32000-2 introduces it through ISO/TS 32002 as the preferred authenticated encryption scheme, replacing Advanced Encryption Standard Cipher Block Chaining (AES-CBC).
authenticated decryption
Authenticated decryption verifies an integrity tag before returning plaintext. NextPDF keeps a structural decryption failure, such as a configuration or transport problem, separate from a failed integrity check, where content did not verify. It branches on the exception class instead of collapsing the two conditions into one.
CAdES
CMS Advanced Electronic Signatures (CAdES) is the European Telecommunications Standards Institute (ETSI) signature profile family for arbitrary binary content, defined by ETSI EN 319 122. It builds on the Request for Comments (RFC) 5652 Cryptographic Message Syntax (CMS) structure with attributes for timestamping and long-term validation. PDF Advanced Electronic Signatures (PAdES) uses the CAdES attribute model and embeds it inside the Portable Document Format (PDF) signature dictionary.
CJK coverage
Chinese, Japanese, and Korean (CJK) coverage is the proportion of Unicode blocks a CJK script needs that a font’s Unicode map covers. NextPDF estimates coverage by sampling code points and flags blocks below a 50 percent threshold as missing ranges. The figure supports font selection; it is not a byte-exact audit.
CMS
Cryptographic Message Syntax (CMS) is the RFC 5652 signature container that wraps the signed-data structure used by CAdES and PAdES. NextPDF emits CMS SignedData blobs and embeds them as the Contents of the PDF signature dictionary.
context-aware exception
A context-aware exception is a NextPDF exception that implements ContextAwareExceptionInterface and exposes a getContext() method. The method returns a snake_case map of primitive diagnostic fields you can serialize into a log or application performance monitoring (APM) payload without parsing the message string.
Cross-reference table
A cross-reference table, stored at the end of a PDF file, maps each indirect object number to its byte offset. NextPDF prefers cross-reference streams, the PDF 2.0 form, because they compress better and integrate cleanly with object streams.
CSS module
A Cascading Style Sheets (CSS) module is a World Wide Web Consortium (W3C) work product that defines one slice of CSS, such as Selectors, Values, Fonts, or Flexbox. The NextPDF HTML pipeline implements a curated subset of CSS modules pinned to fixed Editor’s Draft versions, documented in the CSS coverage audit.
De-identification
De-identification is the general process of removing or reducing the link between data and the person it concerns. NextPDF Enterprise performs pattern-scoped de-identification through redaction, line suppression, or reversible pseudonymization. It is not anonymization: attributes that remain can still carry residual re-identification risk.
degradation policy
A degradation policy decides what NextPDF does when a capability runs in degraded mode. A strict policy throws on a compliance, semantic, or blocking impact. A balanced policy throws only on a blocking impact. A permissive policy records a warning and never throws.
DEK
A data encryption key (DEK) is a collection-scoped key whose metadata the key management system (KMS) provider factory returns. The Enterprise local provider derives it with HKDF-SHA256 and returns metadata only, never the raw key bytes.
DSS
The Document Security Store (DSS) is a PDF 2.0 catalog entry that aggregates the certificates, certificate revocation lists (CRLs), Online Certificate Status Protocol (OCSP) responses, and timestamp tokens needed to validate every signature in the document. PAdES B-LT and B-LTA populate it, and validators consult it before reaching out to the network.
FIPS mode
Federal Information Processing Standards (FIPS) mode is a configured state in which NextPDF Core runs against a host OpenSSL build that has loaded a FIPS-validated provider. NextPDF itself is not FIPS-certified; the mode constrains which primitives Core invokes so the validated provider handles the cryptographic work. A best-effort three-state probe reports the host posture as active, absent, or indeterminate, and treats indeterminate as not proven.
font subsetting
Font subsetting builds a reduced font program that contains only the glyphs a document references. It rebuilds the required font tables and preserves the original glyph numbering so an Identity CIDToGIDMap stays valid. Subsetting names the operation; font subset names the resulting program.
HKDF
Hash-based Message Authentication Code (HMAC)-based Key Derivation Function (HKDF) is the key-derivation function the Enterprise local KMS provider uses, in its HKDF-SHA256 form, to derive a collection-specific data encryption key from a configured root key.
HSM
A hardware security module (HSM) is a tamper-resistant device that stores private keys and performs signing without ever exposing the key to host memory. NextPDF Enterprise integrates with hardware security modules through the Public-Key Cryptography Standards #11 (PKCS#11) abstraction and a controller/worker driver model.
html pipeline
The html pipeline is the four-layer rendering pipeline under src/Html/ that converts HTML and CSS into PDF content streams. Its layers are CSS parsing, style state, layout, and paint (ADR-010). It is the engine’s largest and highest-risk subsystem.
Incremental update
An incremental update is a PDF revision appended after the original bytes, leaving the earlier content unchanged so existing signatures stay valid.
KMS
A key management system (KMS) is a cloud-hosted key vault, such as AWS KMS, Google Cloud KMS, or Azure Key Vault, that signs on behalf of a tenant using keys it never releases. NextPDF Enterprise treats a key management system as an alternative deferred-signer backend alongside hardware security modules.
layout
Layout is the third layer of the ADR-010 four-layer HTML pipeline. It computes box positions and sizes from resolved styles, produces a paint plan, and never emits PDF operators directly. It lives under the flex, float, context, and table layout helpers in src/Html/.
listener provider
The NextPDF\Event\ListenerProvider component maps an event class to a priority-ordered list of listener callables. It walks the event’s class hierarchy and interfaces so a listener registered on a parent type observes every subtype. Its state is instance-scoped with no static state, so workers stay isolated.
LTV
Long-term validation (LTV) is the property of a signed PDF that lets the signature stay verifiable indefinitely, even after signer credentials expire or revocation services disappear. NextPDF achieves it by capturing revocation material in the Document Security Store and renewing archival timestamps before each prior timestamp’s algorithm weakens.
OCR
Optical character recognition (OCR) turns page images into machine-readable text. This is a separate problem category from PDF generation. NextPDF generates and structurally inspects documents instead of interpreting pixels into meaning, so OCR work belongs to a dedicated pipeline.
output intent
An output intent is a PDF catalog entry that declares the intended output condition for the document, typically an International Color Consortium (ICC) profile that characterizes the target printing device or display color space. PDF/A-4 requires it for documents that use device-dependent color, and PDF/X profiles require it to declare the printing condition.
PAdES
PDF Advanced Electronic Signatures (PAdES) is the ETSI signature profile family for PDF documents, defined by ETSI EN 319 142. It builds on CMS and CAdES with PDF-specific encoding rules. It comprises four baseline levels (B-B, B-T, B-LT, B-LTA) that progressively add timestamps and long-term validation material to the embedded signature.
PAdES B-T
PAdES B-T is the PAdES baseline that adds an RFC 3161 timestamp token over the signature value, proving the signature existed at the timestamped instant. It builds directly on PAdES B-B.
pades level
A PAdES level is a signature conformance tier, for example B-B, B-T, B-LT, or B-LTA, that determines which material a signature carries. NextPDF fails closed when a requested level is unreachable, raising SignatureLevelUnreachableException rather than silently producing a lower level while advertising the higher one.
paint
Paint is the fourth layer of the ADR-010 four-layer HTML pipeline. It consumes the paint plan from layout and emits PDF operators through the writer. It is the only layer permitted to call into the drawing primitives.
permission flags
Permission flags are a bit field in the PDF encryption dictionary that controls which operations an authenticated reader may perform: low- or high-resolution printing, content copying, annotation modification, form filling, and assembly. The document author sets the field when encrypting with a user password or certificate. NextPDF exposes a typed PermissionFlags value object.
PII
Personally identifiable information (PII) is any data that can identify a natural person on its own or combined with other information, including name, address, tax identifier, biometric data, and email address. NextPDF Pro’s redaction feature irrecoverably removes PII regions from a PDF so that no downstream tool can recover the data.
PKCS11
Public-Key Cryptography Standards #11 (PKCS#11) is the OASIS cryptographic-token interface, currently at version 3.1, that gives applications a stable application programming interface (API) for talking to hardware security modules and smart cards. The NextPDF Enterprise signer-driver subsystem uses PKCS#11 as the lowest-common-denominator path to hardware keys.
Pseudonymization
Pseudonymization replaces an identifying value with an alias. It is reversible by definition and uses a separately held mapping. NextPDF Enterprise derives deterministic, format-aware pseudonyms from an HMAC over the original value and a per-session seed. It seals the original-to-pseudonym map at rest with AES-256-GCM under a versioned key. It is not anonymization and must not be presented as irreversible.
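The pseudonymization entry above and the authenticated decryption entry earlier describe the same pair of behaviours: an HMAC-derived, format-aware alias whose map is sealed with AES-256-GCM, and an unseal step that keeps a structural failure apart from a failed tag check. The following is an added illustration in plain PHP with OpenSSL, not NextPDF’s own code; the exception classes, function names and the hyphen-preserving alias shape are assumptions.

```php
<?php
// Added example, not NextPDF's own code. Pseudonym = HMAC(value, session seed),
// reshaped to the original's digit/letter layout; the original->alias map is
// sealed with AES-256-GCM under a versioned key. All names are assumptions.
final class IntegrityException extends RuntimeException {}  // GCM tag did not verify
final class StructuralException extends RuntimeException {} // config/transport problem

function pseudonymize(string $value, string $seed): string
{
    $mac = hash_hmac('sha256', $value, $seed, true); // same value + seed => same alias
    $out = '';
    foreach (str_split($value) as $i => $ch) {
        $b = ord($mac[$i % 32]);
        if (ctype_digit($ch))     { $out .= chr(ord('0') + $b % 10); }
        elseif (ctype_upper($ch)) { $out .= chr(ord('A') + $b % 26); }
        elseif (ctype_lower($ch)) { $out .= chr(ord('a') + $b % 26); }
        else                      { $out .= $ch; } // keep separators: format-aware
    }
    return $out;
}

function sealMap(array $map, string $key, int $version): string
{
    $iv = random_bytes(12); $tag = '';
    // The key version is bound as associated data, so it cannot be swapped unnoticed.
    $ct = openssl_encrypt(json_encode($map), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, "v$version", 16);
    if ($ct === false) { throw new StructuralException('AES-256-GCM unavailable'); }
    return "v$version:" . base64_encode($iv . $tag . $ct);
}

function unsealMap(string $sealed, array $keysByVersion): array
{
    if (!preg_match('/^v(\d+):(.+)$/', $sealed, $m) || !isset($keysByVersion[(int) $m[1]])) {
        throw new StructuralException('malformed blob or unknown key version');
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) < 28) { throw new StructuralException('truncated blob'); }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $keysByVersion[(int) $m[1]], OPENSSL_RAW_DATA, $iv, $tag, "v{$m[1]}");
    if ($pt === false) { throw new IntegrityException('GCM tag did not verify'); } // content tampered
    return json_decode($pt, true, 512, JSON_THROW_ON_ERROR);
}

$seed = random_bytes(32);        // constructed per-session seed
$keys = [3 => random_bytes(32)]; // constructed versioned root key
$map = ['123-45-6789' => pseudonymize('123-45-6789', $seed)]; // digits stay digits, hyphens stay
$sealed = sealMap($map, $keys[3], 3);
if (unsealMap($sealed, $keys) !== $map) { throw new LogicException('round trip failed'); }
// A flipped ciphertext byte raises IntegrityException; an unknown key version raises StructuralException.
```

Callers catch the two classes separately: a StructuralException points at deployment or transport, while an IntegrityException means the sealed map itself no longer verifies and must not be trusted.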
PSR-14
PHP Standard Recommendation 14 (PSR-14) is the PHP Framework Interop Group (PHP-FIG) standard that defines an event dispatcher, a listener provider, and stoppable events. The NextPDF Event module follows this model and declares duck-type-compatible interfaces, so the engine carries no psr/event-dispatcher runtime dependency.
PSR-20
PHP Standard Recommendation 20 (PSR-20) is the PHP-FIG standard that defines a clock interface whose single read operation returns the current time as an immutable date-time value. The NextPDF SystemClock implements it; injecting a fixed clock removes wall-clock nondeterminism from reproducible output.
retained vs streaming
Retained vs streaming describes whether a renderer builds an in-memory representation of the whole document before emitting output (retained) or processes tokens as they arrive (streaming). NextPDF is streaming end-to-end, whereas competing engines such as dompdf are retained.
revocation assertion
A revocation assertion is the certificate-status statement an OCSP responder or CRL provides, embedded for long-term-validation signature levels. NextPDF refuses to treat a non-successful OCSP response as a positive trust assertion; an unknown or error status is never promoted to good.
RFC 3161 timestamp
An RFC 3161 timestamp is a TimeStampToken that a Time-Stamping Authority issues over a hash of the data being timestamped. PAdES B-T uses it to bind a signature to a verifiable instant. NextPDF embeds it as a CMS SignedData blob inside an unsigned attribute on the signer info.
Searchable PDF
A searchable PDF carries an invisible text layer over the page images of a scanned document, so the page becomes text-selectable and searchable. NextPDF Enterprise orchestrates this by driving an injected OCR backend, with rasterization and text injection delegated to a separate sidecar. The result is a derived document: existing signatures are invalidated and compliance must be re-validated. The feature asserts no OCR accuracy or extraction recall.
single-pass streaming
Single-pass streaming is the HTML pipeline rendering model (ADR-001) in which the tokenizer produces a token list in one pass and the parser consumes it left to right, emitting content-stream operators without building a retained Document Object Model (DOM) tree. Input-side memory is bounded by nesting depth rather than element count, with a hard cap on the element total. Lookahead uses bounded pre-scan index arrays, not a retained DOM.
stoppable event
A stoppable event is a lifecycle event a listener can halt: calling stopPropagation() makes the dispatcher skip the remaining listeners for that dispatch cycle. Every NextPDF lifecycle event is stoppable because AbstractEvent implements StoppableEventInterface, mirroring the PSR-14 stoppable-event semantics.
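The listener provider entry earlier and the stoppable event entry above describe one mechanism: hierarchy-aware listener lookup in priority order, and a dispatch loop that stops as soon as a listener halts propagation. The block below is an added illustration in the PSR-14 shape, not the NextPDF\Event code itself; the event class names, the Dispatcher class and the method names other than stopPropagation() and isPropagationStopped() are assumptions.

```php
<?php
// Added example, not NextPDF's own code: a PSR-14-style listener provider that
// walks the event's class hierarchy and interfaces, plus a stoppable event and
// a dispatcher that honours stopPropagation(). Class names are assumptions.
interface StoppableEventInterface { public function isPropagationStopped(): bool; }
abstract class AbstractEvent implements StoppableEventInterface
{
    private bool $stopped = false;
    public function stopPropagation(): void { $this->stopped = true; }
    public function isPropagationStopped(): bool { return $this->stopped; }
}
class DocumentEvent extends AbstractEvent {}   // parent type
class BeforeSaveEvent extends DocumentEvent {} // subtype: parent listeners observe it too
final class ListenerProvider
{
    /** @var array<class-string, array<int, list<callable>>> type => priority => listeners */
    private array $listeners = []; // instance-scoped, no static state: workers stay isolated
    public function listen(string $type, callable $listener, int $priority = 0): void
    {
        $this->listeners[$type][$priority][] = $listener;
    }
    // Listeners for the event's own class, every parent class and every interface.
    public function getListenersForEvent(object $event): iterable
    {
        $types = array_merge([$event::class], class_parents($event), class_implements($event));
        $byPriority = [];
        foreach ($types as $type) {
            foreach ($this->listeners[$type] ?? [] as $priority => $callables) {
                $byPriority[$priority] = array_merge($byPriority[$priority] ?? [], $callables);
            }
        }
        krsort($byPriority); // highest priority first
        foreach ($byPriority as $callables) { yield from $callables; }
    }
}
final class Dispatcher
{
    public function __construct(private ListenerProvider $provider) {}
    public function dispatch(object $event): object
    {
        foreach ($this->provider->getListenersForEvent($event) as $listener) {
            if ($event instanceof StoppableEventInterface && $event->isPropagationStopped()) { break; }
            $listener($event); // remaining listeners are skipped once propagation is stopped
        }
        return $event;
    }
}
$provider = new ListenerProvider();
$provider->listen(DocumentEvent::class, fn (DocumentEvent $e) => $e->stopPropagation(), 10);
$provider->listen(BeforeSaveEvent::class, fn () => throw new LogicException('unreachable'), 0);
(new Dispatcher($provider))->dispatch(new BeforeSaveEvent()); // the priority-10 parent listener halts the cycle
```

Because lookup includes parent classes and interfaces, a listener registered on DocumentEvent (or even on StoppableEventInterface) runs for BeforeSaveEvent, and once it calls stopPropagation() the lower-priority subtype listener never executes.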
structure tree
A structure tree is the tree of semantic elements that gives a tagged PDF its logical reading order and accessible structure. It is rooted at the document catalog under /StructTreeRoot. NextPDF builds the structure tree on the fly while tokens flow through the HTML pipeline.
Tagged PDF
A tagged PDF carries a parallel logical structure tree alongside the visual content stream, so assistive technology reads the structure rather than the visual layout, per ISO 32000-2 section 14.7.
typed wither
A typed wither is a dedicated, type-safe copy method on an immutable object, for example Config::withPageSize(), that reconstructs the object with named arguments and returns a new instance. NextPDF uses typed withers instead of a generic with(string, mixed) setter so that static analysis and integrated development environments (IDEs) stay accurate.
value object
A value object is an immutable, equality-by-value domain primitive with no identity and no input/output (I/O). NextPDF models geometry such as PageSize, Dimension, Position, and Margin as final readonly value objects, so instances are safe to share. Every transformation returns a new instance.
VRI
The Validation-Related Information (VRI) dictionary under the Document Security Store maps a specific signature’s hash to the certificates, CRLs, and OCSP responses used to validate it at the time of long-term augmentation. It is optional but recommended for archival verifiers.