[ https://issues.apache.org/jira/browse/PDFBOX-2776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221299#comment-17221299 ]

Michael Klink edited comment on PDFBOX-2776 at 10/27/20, 10:43 AM:
-------------------------------------------------------------------

{quote}[~hau...@acm.org]>Seems that provider shortLivedCrlAsLTV-sig.pdf solve 
it with a small, long-lasting CRL ...{quote}

Yes, CAs _can_ help, the SwissCom has been operating a signing service that 
returns full CMS containers with a matching Adobe's Revocation Information 
signed attribute for a number of years now. By the way, the long lasting CRL is 
not the special thing here (it is for the CA certificate which you may trust 
explicitly anyways) but the embedded OCSP response (for the user certificate) 
is.

But that only helps if you have a nice enough CA. In general you cannot count 
on that.

One can hope that [~lrosenthol] (see his recent comment in PDF-3017) returns 
either with a hint on how to persuade Adobe Acrobat that the DSS additions to the 
no-changes-allowed document are ok or with a confirmation that a soon to come 
Adobe Acrobat update will allow DSS additions to no-changes-allowed documents 
without further ado.




was (Author: mkl):
{quote}[~hau...@acm.org]>Seems that provider shortLivedCrlAsLTV-sig.pdf solve 
it with a small, long-lasting CRL ...{quote}

Yes, CAs _can_ help, the SwissCom has been operating a signing service that 
returns full CMS containers with a matching Adobe's Revocation Information 
signed attribute for a number of years now. By the way, the long lasting CRL is 
not the special thing here (it is for the CA certificate which you may trust 
explicitly anyways) but the embedded OCSP response (for the user certificate) 
is.

But that only helps if you have a nice enough CA. In general you cannot count 
on that.



> support "Long Term Validation" signature extensions (LTV)
> ---------------------------------------------------------
>
>                 Key: PDFBOX-2776
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-2776
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: Signing
>    Affects Versions: 2.0.0
>            Reporter: Ralf Hauser
>            Priority: Major
>             Fix For: 3.0.0 PDFBox
>
>         Attachments: certified_368835_Sig_de_201026171017_LTV.pdf, 
> nonSigPdf-sig1.pdf, notCertified_368835_Sig_en_201026090509.pdf, 
> notCertified_368835_Sig_en_201026090509_report.png, shortLivedCrlAsLTV-sig.pdf
>
>
> in recent acrobat readers, every signature is commented w.r.t. "LTV"
> ETSI TS 102 778-4 V1.1.2 (2009-12) Technical Specification
> referenced as part 4 in
> http://en.wikipedia.org/wiki/PAdES 
> It would be great if pdf signatures created with PDFBox would assist in 
> creating those.
> Target test setup: 
> 1) input of an unsigned PDF-1.5 document
> 2) signature with
> a) local key pair
> b) hsm
> c) remote signature service (e.g. via soap)
> 3) add ocsp response for LTV (crls typically are larger)
> ==> Result: signed pdf where acrobat reader claims it to be "LTV enabled"
> see also PDFBOX-1848
> more in 
> http://stackoverflow.com/questions/26090558/ltv-enabled-signature-in-pdf


