Ralf Hauser created PDFBOX-3047:
-----------------------------------
Summary: LTV-fix offline signature
Key: PDFBOX-3047
URL: https://issues.apache.org/jira/browse/PDFBOX-3047
Project: PDFBox
Issue Type: Improvement
Components: Signing
Reporter: Ralf Hauser
This is a complement to PDFBOX-2776.
<<A PDF signature may not be successfully verified unless its collateral
validation components are preserved, e.g., certificates, CRLs, time stamp
tokens, revocation lists, and OCSP responses. To facilitate long term signature
validation (LTV), PDF supports the ability to collect validation information to
verify a signature at a later time if it has been verified once as being valid.
Some of this information, i.e. certificates, CRLs and OCSP responses, when not
already present in the signature, shall be stored in a document security store
(DSS), see 12.8.4.3, "Document Security Store (DSS)". When storing this type of
information and, when not already present in the signature, it shall be stored
in a document time-stamp dictionary, see 12.8.5, "Document time-stamp (DTS)
dictionary (PDF 2.0)". This will provide the information needed to verify a
signature as this was done when that signature was first verified. >>
If someone signs a PDF offline, there should be a PDFBox routine that can
possibly even be run on the command line to amend a document with OCSP/CRL info
for the signing certificate chain plus a verification time-stamp. The latter
might even be interesting for an online signature that already has a timestamp
but might be lacking other info.
There should be a clear interface to obtain
a) ocsp responses
b) crls
c) timestamps
such that other (pre-existing) solutions can be tied to this routine.
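As an added illustration (not code from this issue or from PDFBox itself), the shape such a routine could take against the PDFBox 2.0 API, assuming the caller has already obtained the DER-encoded certificates, CRLs and OCSP responses through the interface asked for above; the class and method names are hypothetical, and the DSS layout follows ISO 32000-2 section 12.8.4.3 as quoted.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.List;

import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.common.PDStream;

public class AddDss {
    // Hypothetical helper: writes the DSS as an incremental update appended after
    // the existing signature's byte range, so the signature itself stays valid.
    public static void addValidationInfo(File signedPdf, File out,
            List<byte[]> certsDer, List<byte[]> crlsDer, List<byte[]> ocspsDer)
            throws IOException {
        try (PDDocument doc = PDDocument.load(signedPdf);
             FileOutputStream fos = new FileOutputStream(out)) {
            COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
            COSName dssName = COSName.getPDFName("DSS");
            COSDictionary dss = (COSDictionary) catalog.getDictionaryObject(dssName);
            if (dss == null) {
                dss = new COSDictionary();
                catalog.setItem(dssName, dss);
            }
            appendStreams(doc, dss, "Certs", certsDer);
            appendStreams(doc, dss, "CRLs", crlsDer);
            appendStreams(doc, dss, "OCSPs", ocspsDer);
            // Only objects flagged here are written by saveIncremental.
            dss.setNeedToBeUpdated(true);
            catalog.setNeedToBeUpdated(true);
            doc.saveIncremental(fos);
        }
    }

    // Each DER blob becomes its own stream object inside the named DSS array.
    private static void appendStreams(PDDocument doc, COSDictionary dss,
            String key, List<byte[]> ders) throws IOException {
        if (ders == null || ders.isEmpty()) return;
        COSName name = COSName.getPDFName(key);
        COSArray arr = (COSArray) dss.getDictionaryObject(name);
        if (arr == null) { arr = new COSArray(); dss.setItem(name, arr); }
        for (byte[] der : ders) {
            PDStream s = new PDStream(doc, new ByteArrayInputStream(der));
            arr.add(s.getCOSObject());
        }
        arr.setNeedToBeUpdated(true);
    }
}
```

Applying a document time-stamp over the result, so that the added revocation data is itself covered by a trusted time, is a separate signing step not shown here.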