[https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17273531#comment-17273531]
Michael Klink commented on PDFBOX-5070:
---------------------------------------
Another remark concerning the proposal to _gather OCSP responses before
signing_...
A comment to [DSS-2361|https://ec.europa.eu/cefdigital/tracker/browse/DSS-2361]
reminded me of TS 119 102-1, in particular of
{panel:title=5.2.5.4 Processing (5.2.5 Revocation freshness checker)}
When there is information about the signing time, the *validation time*
parameter corresponds to a time when it is known the signature already existed
(this can also be the time when a signed document has been received for
example). If the maximum accepted freshness is then set to zero (0), the
algorithm ensures that *revocation information is only accepted if it has been
issued after that point in time*.
{panel}
I.e. when validating according to eIDAS (which this ETSI TS is about), OCSP
responses to embed must be collected *after signing*, even *after first
timestamping* the signature, so _the OCSP responses lifetime does -not- start
after signature time._
> LTV: allow to gather OCSP responses before signing
> ---------------------------------------------------
>
> Key: PDFBOX-5070
> URL: https://issues.apache.org/jira/browse/PDFBOX-5070
> Project: PDFBox
> Issue Type: Improvement
> Components: Signing
> Affects Versions: 2.0.23
> Reporter: Ralf Hauser
> Priority: Minor
>
> Then, the OCSP responses lifetime does not start after signature time.
> This obviously only can work if the signing cert serial# is known prior to
> signing (see PDFBOX-2776 comment-17220875 )
>
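The freshness rule quoted above, as an added worked example (not code from the comment author or from PDFBox): a simplified implementation of the TS 119 102-1 5.2.5.4 revocation freshness check, run against constructed OCSP issuance times gathered before signing, between signing and the first timestamp, and after the timestamp. The class and function names are the example's own, and the instants are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RevocationInfo:
    """One piece of revocation information (e.g. an OCSP response)."""
    label: str
    issued_at: datetime  # OCSP producedAt / thisUpdate, timezone-aware


def is_fresh(info: RevocationInfo, validation_time: datetime,
             max_freshness: timedelta = timedelta(0)) -> bool:
    """Simplified 5.2.5.4 freshness checker.

    Accept the revocation information only if it was issued after
    (validation_time - max_freshness). With max_freshness == 0 this is
    exactly the rule quoted in the comment: it must have been issued
    after the time at which the signature is known to have existed.
    """
    return info.issued_at > validation_time - max_freshness


def select_fresh(infos, validation_time: datetime,
                 max_freshness: timedelta = timedelta(0)):
    """Return the subset of infos that passes the freshness check."""
    return [i for i in infos if is_fresh(i, validation_time, max_freshness)]


# Constructed scenario: all instants below are made up for illustration.
SIGNING_TIME = datetime(2021, 1, 28, 10, 0, tzinfo=timezone.utc)
# First signature timestamp: the earliest time the signature is *proven*
# to have existed, so the validation time an eIDAS validator would use.
TIMESTAMP_TIME = SIGNING_TIME + timedelta(minutes=2)

OCSP_BEFORE = RevocationInfo("gathered before signing",
                             SIGNING_TIME - timedelta(minutes=5))
OCSP_BETWEEN = RevocationInfo("gathered after signing, before timestamp",
                              SIGNING_TIME + timedelta(minutes=1))
OCSP_AFTER = RevocationInfo("gathered after the timestamp",
                            TIMESTAMP_TIME + timedelta(minutes=1))
CANDIDATES = [OCSP_BEFORE, OCSP_BETWEEN, OCSP_AFTER]


if __name__ == "__main__":
    for when, vt in (("timestamp", TIMESTAMP_TIME), ("signing", SIGNING_TIME)):
        kept = [i.label for i in select_fresh(CANDIDATES, vt)]
        print(f"validation time = {when}, freshness 0 -> accepted: {kept}")
```

With the timestamp time as validation time and zero freshness, only the response gathered after timestamping survives, which is the point of the comment; a non-zero maximum freshness (a validation policy choice) is what would let an earlier response through.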
--
This message was sent by Atlassian Jira
(v8.3.4#803005)