Hello Martin, On 2018-11-30 12:11 p.m., Martin Bartosch wrote: > From the previous communication I am trying to put things together. Actually > it is really not easy to help people on this mailing list if they don’t > provide context to their questions. No worries... I appreciate that you take the time to help! > I understand you want to sign PDF documents in a way that the signature can > be verified correctly by the relying party (e. g. a person using Acrobat > Reader to read the document). > > You also wish to embed a timestamp in the PDF signature, so that the relying > party performs the certificate validity check not based on the current > (reading) time but at signature generation. This is common practice with > document signing but requires a trusted timestamping service as you found out.
I was looking for an opensource TSA project... OpenTSA.org seems dead. So I guess most people are using a commercial/free solution for TSA. I'm going to try this one: https://sourceforge.net/projects/phptsa/ I searched the source for OpenXPKI for such a functionality and found none before sending the previous mail. I was wondering if it was possible to embed the timestamp server URL in the certificate created by OpenXPKI... In a similar way that you can do with the CRL's. That way, I could automatically have the timestamp check done. > > From a previous mail on this list I also deduce you want to achieve that the > relying party will be able to verify the document signature without having to > perform local modifications, such as importing your Root CA certificate as > trusted. I quickly gave up on that idea... Like you pointed out in a previous mail, getting a certificate signing token from a public CA would be too expensive. We'll find a way to push the installation of our CA's certificate on workstations (either manually, or with automation). > You will need the following: > - a Digital Certificate which is capable of document signing (i. e. correct > key usage/certificate profile) > - the document signing certificate must be trusted by the relying party > - this means that the document signing certificate is issued by a public CA > or by a subordinate CA which is trusted as per the commonly accepted trusted > Root Certificates in people’s operatings systems > - a RFC 3161 time stamping server trusted by the relying party > - a software component which can compose a PDF signature based on the above > components, using the document signer certificate and the timestamping > service to generate a PDF signature > > OpenXPKI is none of those. > OpenXPKI is a trustcenter software which creates and manages Digital > Certificates, it does not do document signing. > OpenXPKI could act as a subordinate CA to a publicly trusted CA, or it could > act as a proxy to the public API of a public CA, allowing you to request > certifiates from this public CA. Got it! Thanks again for your help ;-) Best regards, Luc. -- Luc Lalonde, analyste ----------------------------- Département de génie informatique: École polytechnique de MTL (514) 340-4711 x5049 [email protected] ----------------------------- _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
