> Anyway, I would expect an OCSP response to be an _un_signed property of the 
> signature.


http://www.adobe.com/devnet/acrobat/pdfs/PDF32000_2008.pdf section
#12.8.3.3.1 states that:

The PKCS#7 object should contain the following:
• Time stamp information as an unsigned attribute (PDF 1.6): The
timestamp token shall conform to RFC 3161 and shall be computed and
embedded into the PKCS#7 object as described in Appendix A of RFC
3161. The specific treatment of timestamps and their processing is
left to the particular signature handlers to define.

• Revocation information as a signed attribute (PDF 1.6): This
attribute may include all the revocation information that is necessary
to carry out revocation checks for the signer's certificate and its
issuer certificates.
***Since revocation information is a signed attribute***,
it must be obtained before the computation of the digital signature.
This means that the software used by the signer must be able to
construct the certification path and the associated revocation
information. If one of the elements cannot be obtained (e.g. no
connection is possible), a signature with this attribute will not be
possible.


> In some paranoid environments the OCSP response has to be some hours younger 
> than the signature. Moreover the signer doesn't know anything about the OCSP 
> response, so why should the signer do any signed statement about it? Same 
> for the TSP, could be added as an unsigned property later on. You just need to 
> take care about reserving enough space in the PDF's signature field.

I agree it's possible to embed the timestamp info this way, but from
what I understand you can't do that with the OCSP response?

regards,
Andrius
>
> Greetings
>
> Andreas
>
>
>
> ----- Original Message ----
> From: Andrius Juozapaitis <andri...@gmail.com>
> To: Post all your questions about iText here 
> <itext-questions@lists.sourceforge.net>
> Sent: Monday, August 10, 2009 10:27:19 AM
> Subject: [iText-questions] Multiple digital signatures
>
> Hey,
>
> One of our clients needs digital signing of pdf documents, he has all
> the ocsp/tsp services in-house. I've already implemented this
> using iText 2.1.7 - works like a charm, thanks Paulo!
>
> Now, they want something else: instead of applying
> signature-ocsp-timestamp in one transaction, they want a possibility
> to split it into two: 1) sign the pdf with a digital signature 2)
> apply the ocsp and timestamp information *for the certificate that was
> used in the first signature*  in a second signature, without requiring
> the digital smartcard used in the first step. Now, I am pretty sure
> that's impossible, as OCSP information is a signed attribute [1] - so
> you can't modify the first signature without invalidating it, and you
> can't create a second signature without an original digital smartcard,
> as revocation information is stored for the certificate, that the
> document is being signed with.
>
> Am I on the right track here?
>
> Best regards,
> Andrius Juozapaitis
>
> [1] http://www.adobe.com/devnet/acrobat/pdfs/PDF32000_2008.pdf section #12.8.1
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> iText-questions mailing list
> iText-questions@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> Buy the iText book: http://www.1t3xt.com/docs/book.php
> Check the site with examples before you ask questions: 
> http://www.1t3xt.info/examples/
> You can also search the keywords list: http://1t3xt.info/tutorials/keywords/
>
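The signed-versus-unsigned distinction debated in this thread, as an added example that is not from the original posts or from iText: Python that DER-encodes a CMS attribute set and shows that the bytes covered by the signer's key change when a revocation attribute joins the signed attributes, but not when a timestamp token joins the unsigned ones. The SHA-256 choice, the dict layout and all payload bytes are constructed placeholders.

```python
import hashlib

# OIDs: contentType, id-data, messageDigest (PKCS#9), Adobe revocation archival, RFC 3161 token
CONTENT_TYPE, ID_DATA = "1.2.840.113549.1.9.3", "1.2.840.113549.1.7.1"
MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
ADBE_REVOCATION = "1.2.840.113583.1.1.8"
TIMESTAMP_TOKEN = "1.2.840.113549.1.9.16.2.14"

def tlv(tag, content):
    """DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, out)

def attribute(type_oid, value_der):
    # Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF ANY }
    return tlv(0x30, oid(type_oid) + tlv(0x31, value_der))

def to_be_signed(signer_info):
    # RFC 5652 section 5.4: the signature is computed over the DER encoding of
    # signedAttrs as a SET OF (tag 0x31); unsignedAttrs are not part of the input.
    return hashlib.sha256(tlv(0x31, b"".join(sorted(signer_info["signed"])))).hexdigest()

def demo():
    digest = hashlib.sha256(b"constructed stand-in for the PDF byte ranges").digest()
    si = {"signed": [attribute(CONTENT_TYPE, oid(ID_DATA)),
                     attribute(MESSAGE_DIGEST, tlv(0x04, digest))],
          "unsigned": []}
    at_signing = to_be_signed(si)  # the value the smartcard key signed in step 1
    # Later: timestamp token attached as an unsigned attribute (placeholder bytes).
    si["unsigned"].append(attribute(TIMESTAMP_TOKEN, tlv(0x04, b"constructed TST")))
    timestamp_ok = to_be_signed(si) == at_signing
    # Later: revocation info attached as a signed attribute (ocsp [1] EXPLICIT, placeholder).
    ocsp = tlv(0x30, tlv(0xA1, tlv(0x30, tlv(0x04, b"constructed OCSP response"))))
    si["signed"].append(attribute(ADBE_REVOCATION, ocsp))
    return timestamp_ok, to_be_signed(si) == at_signing
```

`demo()` returns `(True, False)`: the stored signature still matches after the timestamp is attached, and no longer matches once the signed attribute set has grown.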