[jira] [Commented] (PDFBOX-2776) support "Long Term Validation" signature extensions (LTV)

Tue, 27 Oct 2020 03:35:03 -0700 


    [ 
https://issues.apache.org/jira/browse/PDFBOX-2776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221299#comment-17221299
 ] 

Michael Klink commented on PDFBOX-2776:
---------------------------------------

{quote}[[email protected]]>Seems that provider shortLivedCrlAsLTV-sig.pdf solve 
it with a small, long-lasting CRL ...{quote}

Yes, CAs _can_ help, the SwissCom operates a signing service that returned full 
CMS containers with a matching Adobe's Revocation Information signed attribute. 
By the way, the long lasting CRL is not the special thing here (it is for the 
CA certificate which you may trust explicitly anyways) but the embedded OCSP 
response (for the user certificate) is.

But that only helps if you have a nice enough CA. In general you cannot count 
on that.



> support "Long Term Validation" signature extensions (LTV)
> ---------------------------------------------------------
>
>                 Key: PDFBOX-2776
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-2776
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: Signing
>    Affects Versions: 2.0.0
>            Reporter: Ralf Hauser
>            Priority: Major
>             Fix For: 3.0.0 PDFBox
>
>         Attachments: certified_368835_Sig_de_201026171017_LTV.pdf, 
> nonSigPdf-sig1.pdf, notCertified_368835_Sig_en_201026090509.pdf, 
> notCertified_368835_Sig_en_201026090509_report.png, shortLivedCrlAsLTV-sig.pdf
>
>
> in recent acrobat readers, every signature is commented w.r.t. "LTV"
> ETSI TS 102 778-4 V1.1.2 (2009-12) Technical Specification
> referenced as part 4 in
> http://en.wikipedia.org/wiki/PAdES 
> It would be great if pdf signatures created with PDFBox would assist in 
> creatign those.
> Target test setup: 
> 1) input of an unsigned PDF-1.5 document
> 2) signature with
> a) local key pair
> b) hsm
> c) remote signature service (e.g. via soap)
> 3) add ocsp response for LTV (crls typically are larger)
> ==> Result: signed pdf where acrobat reader claims it to be "LTV enabled"
> see also PDFBOX-1848
> more in 
> http://stackoverflow.com/questions/26090558/ltv-enabled-signature-in-pdf



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to