PDFBox / PDFBOX-3047

LTV-fix offline signature



    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Signing


      This is a complement to PDFBOX-2776

      <<A PDF signature may not be successfully verified unless its collateral validation components are preserved, e.g., certificates, CRLs, time stamp tokens, revocation lists, and OCSP responses. To facilitate long term signature validation (LTV), PDF supports the ability to collect validation information to verify a signature at a later time if it has been verified once as being valid. Some of this information, i.e. certificates, CRLs and OCSP responses, when not already present in the signature, shall be stored in a document security store (DSS), see, "Document Security Store (DSS)". When storing this type of information and, when not already present in the signature, it shall be stored in a document time-stamp dictionary, see 12.8.5, "Document time-stamp (DTS) dictionary (PDF 2.0)". This will provide the information needed to verify a signature as this was done when that signature was first verified. >>

      If someone signs a PDF off-line, there should be a PDFBox routine that can possibly even be run on the command line to amend a document with OCSP/CRL info for the signing certificate chain plus a verification time-stamp. The latter might even be interesting for an online signature that already has a timestamp but might be lacking other info.

      There should be a clear interface to obtain
      a) OCSP responses
      b) CRLs
      c) timestamps
      such that other (pre-existing) solutions can be tied to this routine.
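
      The request above, sketched as an added example (not code from the issue or from the PDFBox project): a pluggable source for OCSP responses and CRLs, and a routine that appends them to the document security store of an already signed PDF. It assumes the PDFBox 2.0.x API; `ValidationDataSource` and `DssAmender` are hypothetical names, the caller supplies the signing chain, and the document time-stamp is not covered.

```java
import java.io.*;
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.pdfbox.cos.*;
import org.apache.pdfbox.pdmodel.PDDocument;

/** Hypothetical plug-in point (not a PDFBox type): existing OCSP/CRL clients implement it. */
interface ValidationDataSource {
    List<byte[]> ocspResponses(List<X509Certificate> chain) throws IOException; // DER-encoded
    List<byte[]> crls(List<X509Certificate> chain) throws IOException;          // DER-encoded
}

public class DssAmender {
    /** Adds /DSS entries for the given chain and writes a new revision to 'out'. */
    public static void amend(File in, File out, List<X509Certificate> chain,
                             ValidationDataSource src) throws Exception {
        try (PDDocument doc = PDDocument.load(in);
             OutputStream os = new FileOutputStream(out)) {
            COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
            COSName dssKey = COSName.getPDFName("DSS");
            COSBase old = catalog.getDictionaryObject(dssKey);
            // Reuse an existing DSS so earlier validation data is not dropped.
            COSDictionary dss = old instanceof COSDictionary ? (COSDictionary) old : new COSDictionary();
            for (X509Certificate c : chain) {
                append(doc, dss, "Certs", c.getEncoded());
            }
            for (byte[] r : src.ocspResponses(chain)) append(doc, dss, "OCSPs", r);
            for (byte[] l : src.crls(chain)) append(doc, dss, "CRLs", l);
            catalog.setItem(dssKey, dss);
            dss.setNeedToBeUpdated(true);
            catalog.setNeedToBeUpdated(true);
            // Incremental save appends after the signed bytes, so existing signatures stay intact.
            doc.saveIncremental(os);
        }
    }

    /** Stores one DER blob as a stream in the named DSS array (/Certs, /OCSPs or /CRLs). */
    private static void append(PDDocument doc, COSDictionary dss, String key, byte[] der)
            throws IOException {
        COSName name = COSName.getPDFName(key);
        COSBase cur = dss.getDictionaryObject(name);
        COSArray arr = cur instanceof COSArray ? (COSArray) cur : new COSArray();
        COSStream s = doc.getDocument().createCOSStream();
        try (OutputStream o = s.createOutputStream(COSName.FLATE_DECODE)) {
            o.write(der);
        }
        s.setNeedToBeUpdated(true);
        arr.add(s);
        arr.setNeedToBeUpdated(true);
        dss.setItem(name, arr);
    }
}
```

      The sketch does not de-duplicate entries already present in an existing DSS, and `out` must be a different file from `in` because the incremental save copies the original bytes first.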





            Assignee: Unassigned
            Reporter: Ralf Hauser (hauser@acm.org)



