This is a complement to PDFBOX-2776
<<A PDF signature may not be successfully verified unless its collateral validation components are preserved, e.g., certificates, CRLs, time stamp tokens, revocation lists, and OCSP responses. To facilitate long term signature validation (LTV), PDF supports the ability to collect validation information to verify a signature at a later time if it has been verified once as being valid. Some of this information, i.e. certificates, CRLs and OCSP responses, when not already present in the signature, shall be stored in a document security store (DSS), see 126.96.36.199, "Document Security Store (DSS)". When storing this type of information and, when not already present in the signature, it shall be stored in a document time-stamp dictionary, see 12.8.5, "Document time-stamp (DTS) dictionary (PDF 2.0)". This will provide the information needed to verify a signature as this was done when that signature was first verified. >>
If someone signs a pdf off-line, there should be a pdf-box routine that can possibly even be run on the command-line to amend a document with OCSP/CRL info for the signing certificate chain plus a verification time-stamp. The latter might even be interesting for an online signature that already has a timestamp but might be lacking other info.
There should be a clear interface to obtain
a) ocsp responses
such that other (pre-existing) solutions can be tied to this routine