[ 
https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258760#comment-17258760
 ] 

Michael Klink commented on PDFBOX-5070:
---------------------------------------

{quote}Then, the OCSP responses lifetime does not start after signature 
time.{quote}

In plain ISO 32000-1 style signatures you indeed have to gather OCSP responses 
before signing; not because of some lifetime considerations but because in such 
signatures they are to be stored in a signed attribute.

But in true PAdES signatures there is nothing bad about an OCSP response 
lifetime starting after signing time as long as it is not after the signing 
certificate lifetime. On the contrary, by retrieving OCSP information early, the 
response lifetime might even end before signing time, which would be really bad.

----

There may be one exception in the eIDAS region: according to 
[DSS-2043|https://ec.europa.eu/cefdigital/tracker/browse/DSS-2043], Estonia 
makes use of the "suspended" certificate status and, therefore, requires OCSP 
responses to be from a time near the signature time according to a signature 
time stamp. To support this scenario, though, one should first ask Estonian 
authorities for best practices before starting to implement something without 
guidance.

> LTV: allow to gather OCSP responses before signing 
> ---------------------------------------------------
>
>                 Key: PDFBOX-5070
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5070
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: Signing
>    Affects Versions: 2.0.23
>            Reporter: Ralf Hauser
>            Priority: Minor
>
> Then, the OCSP responses lifetime does not start after signature time.
> This obviously only can work if the signing cert serial# is known prior to 
> signing (see PDFBOX-2776 comment-17220875)
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
