[
https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258760#comment-17258760
]
Michael Klink commented on PDFBOX-5070:
---------------------------------------
{quote}Then, the OCSP responses lifetime does not start after signature
time.{quote}
In plain ISO 32000-1 style signatures you indeed have to gather OCSP responses
before signing; not because of some lifetime considerations but because in such
signatures they are to be stored in a signed attribute.
But in true PAdES signatures there is nothing bad about an OCSP response
lifetime starting after signing time as long as it is not after signing
certificate lifetime. On the contrary, by retrieving OCSP information early the
response lifetime might even end before signing time which would be really bad.
----
There may be one exception in the eIDAS region: according to
[DSS-2043|https://ec.europa.eu/cefdigital/tracker/browse/DSS-2043], Estonia
makes use of the "suspended" certificate status and, therefore, requires OCSP
responses to be from a time near the signature time according to a signature
time stamp. To support this scenario, though, one should first ask Estonian
authorities for best practices before starting to implement something without
guidance.
> LTV: allow to gather OCSP responses before signing
> ---------------------------------------------------
>
> Key: PDFBOX-5070
> URL: https://issues.apache.org/jira/browse/PDFBOX-5070
> Project: PDFBox
> Issue Type: Improvement
> Components: Signing
> Affects Versions: 2.0.23
> Reporter: Ralf Hauser
> Priority: Minor
>
> Then, the OCSP responses lifetime does not start after signature time.
> This obviously only can work if the signing cert serial# is known prior to
> signing (see PDFBOX-2776 comment-17220875 )
>
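The timing rules from the comment above, written out as an added example (not code from PDFBox or from the commenter). The class, enum and method names are hypothetical, all timestamps are constructed, and the response lifetime is assumed to be the thisUpdate/nextUpdate pair of the OCSP response.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

public class OcspWindowCheck {
    // Hypothetical names for the two signature styles the comment distinguishes.
    enum Profile { ISO_32000_1, PADES }

    // Assumed model of a response lifetime; nextUpdate may be null (not set by the responder).
    record OcspWindow(Instant thisUpdate, Instant nextUpdate) {}

    static List<String> problems(Profile profile, OcspWindow r,
                                 Instant signingTime, Instant certNotAfter) {
        List<String> out = new ArrayList<>();
        // Fetched too early: the lifetime is already over when the signature is made.
        if (r.nextUpdate() != null && r.nextUpdate().isBefore(signingTime)) {
            out.add("response lifetime ended before signing time");
        }
        // ISO 32000-1 style: the response sits in a signed attribute, so it must exist before signing.
        if (profile == Profile.ISO_32000_1 && r.thisUpdate().isAfter(signingTime)) {
            out.add("response starts after signing time; cannot be in a signed attribute");
        }
        // PAdES: a later response is fine unless it starts after the signing certificate's lifetime.
        if (profile == Profile.PADES && r.thisUpdate().isAfter(certNotAfter)) {
            out.add("response lifetime starts after signing certificate lifetime");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Instant signing = Instant.parse("2021-01-05T10:00:00Z");
        Instant certNotAfter = Instant.parse("2023-01-01T00:00:00Z");
        OcspWindow early = new OcspWindow(Instant.parse("2021-01-01T00:00:00Z"),
                                          Instant.parse("2021-01-04T00:00:00Z"));
        OcspWindow afterSigning = new OcspWindow(Instant.parse("2021-01-06T00:00:00Z"),
                                                 Instant.parse("2021-01-13T00:00:00Z"));
        OcspWindow afterCertEnd = new OcspWindow(Instant.parse("2023-02-01T00:00:00Z"), null);

        for (Profile p : Profile.values()) {
            System.out.println(p + " early:        " + problems(p, early, signing, certNotAfter));
            System.out.println(p + " afterSigning: " + problems(p, afterSigning, signing, certNotAfter));
            System.out.println(p + " afterCertEnd: " + problems(p, afterCertEnd, signing, certNotAfter));
        }
    }
}
```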