Michael is correct that ISO 32000 only supports inclusion of the OCSP at the time of signing - it can't be added after the fact.

However, the multi-part PAdES standard now offers a solution. While Part 2 (which is based on ISO 32000-1) has the same issue that pure 32000 does, the new Part 4 defines a standard for incorporating additional validation information (CRL, OCSP and even certs) at any future time. Called LTV (long term validation), it is fully supported by Acrobat/Reader 9.1.

Leonard

-----Original Message-----
From: mkl [mailto:m...@wir-sind-cool.org]
Sent: Monday, August 10, 2009 5:31 AM
To: itext-questions@lists.sourceforge.net
Subject: Re: [iText-questions] Multiple digital signatures

Hi Andreas & Andrius,

Andreas Kuehne-2 wrote:
>
> Anyway, I would expect an OCSP response to be an _un_signed property of
> the signature. In some paranoid environments the OCSP response has to be
> some hours younger than the signature. Moreover the signer doesn't know
> anything about the OCSP response, so why should the signer do any signed
> statement about it ?
>

That indeed is what one would expect, especially as many standards on advanced signatures recommend a grace period to permit certificate revocation information to propagate through the revocation processes (e.g. XAdES and CAdES), which implies inclusion as unsigned attributes (e.g. in XAdES as UnsignedSignatureProperties/CompleteRevocationRefs). But there also is the school that recommends retrieving OCSP responses right before signing and including them as signed attributes. The standards on PDF signatures (ISO 32000, PAdES) unfortunately adhere to this procedure, at least when talking about signature interoperability. Thus, Andrius to me seems to be right on track, at least as long as interoperability with other applications handling PDF signatures is a target.

Andreas Kuehne-2 wrote:
>
> Same for the TSP, could be added as an unsigned property later on. You
> just need to take care about reserving enough space in the PDFs signature
> field.
>

In general, there are two types of included timestamps, those hashing the document and those hashing the signature. The former ones are included as signed attributes, the latter ones (obviously) as unsigned ones. ISO 32000 and PAdES only encompass the latter type.

Andrius Juozapaitis wrote:
>
> 1) sign the pdf with a digital signature
> 2) apply the ocsp and timestamp information *for the certificate that was
> used in the first signature* in a second signature, without requiring the
> digital smartcard used in the first step.
>

That sounds like something quite individualistic; as you mentioned yourself, the OCSP information cannot be included in the original signature after creation in a way that adheres to the applicable standards (ISO 32000 and PAdES). Therefore it is highly unlikely the Adobe Reader or Acrobat will ever support revocation information included like that by default. Of course you can do this differently and include the data as unsigned attributes. You must be aware, though, that you probably can use that information only in your own applications, including plugins for Adobe Reader and Acrobat.

Regards,
Michael.

--
View this message in context: http://www.nabble.com/Multiple-digital-signatures-tp24896084p24896793.html
Sent from the iText - General mailing list archive at Nabble.com.
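The mechanism Leonard refers to (PAdES Part 4 LTV) works because PDF allows incremental updates: the revocation material is appended after the signed bytes in a Document Security Store (/DSS) that a new copy of the catalog points to, so the signature's /ByteRange is never touched. The following is an added example written for this page, not code from the thread, from iText or from Adobe. It uses only the Python standard library and makes simplifying assumptions that are labelled in the code: the document uses a classic xref table (no xref or object streams), the catalog is a flat dictionary, no stream payload contains the literal "endobj", and the OCSP response, CRL and certificate are placeholder byte strings rather than real DER. The helper names (build_minimal_pdf, append_dss, read_dss) are this example's own.

```python
"""Append a PAdES-LTV style Document Security Store (/DSS) to a PDF as an
incremental update, then read it back.  Everything before the update stays
byte-for-byte intact, which is why a signature's /ByteRange survives.
Constructed example: the "signed" document is an unsigned one-page PDF and
the OCSP/CRL/certificate blobs are placeholder bytes, not real DER."""
import re

_DSS_KEYS = (b"OCSPs", b"CRLs", b"Certs")
_TRAILER = re.compile(rb"trailer\s*<<(.*?)>>\s*startxref\s*(\d+)", re.S)


def build_minimal_pdf() -> bytes:
    """Constructed stand-in for an already signed PDF (classic xref table, no object streams)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] >>",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def _last_trailer(pdf: bytes):
    """(/Size, /Root object number, startxref) of the newest trailer in the file."""
    m = list(_TRAILER.finditer(pdf))[-1]
    size = int(re.search(rb"/Size\s+(\d+)", m.group(1)).group(1))
    root = int(re.search(rb"/Root\s+(\d+)\s+0\s+R", m.group(1)).group(1))
    return size, root, int(m.group(2))


def _object_body(pdf: bytes, num: int) -> bytes:
    """Newest definition of object `num`; later incremental updates shadow earlier ones.
    Assumption: no stream payload contains the literal 'endobj'."""
    pat = re.compile(rb"(?<![0-9])%d 0 obj\s*(.*?)\s*endobj" % num, re.S)
    return list(pat.finditer(pdf))[-1].group(1)


def _dss_refs(pdf: bytes) -> dict:
    """Object numbers listed in the current /DSS arrays (all empty if the file has no DSS yet)."""
    _, root, _ = _last_trailer(pdf)
    m = re.search(rb"/DSS\s+(\d+)\s+0\s+R", _object_body(pdf, root))
    dss = _object_body(pdf, int(m.group(1))) if m else b""
    refs = {}
    for key in _DSS_KEYS:
        arr = re.search(rb"/" + key + rb"\s*\[(.*?)\]", dss, re.S)
        refs[key] = [int(n) for n in re.findall(rb"(\d+)\s+0\s+R", arr.group(1))] if arr else []
    return refs


def append_dss(pdf: bytes, ocsps=(), crls=(), certs=()) -> bytes:
    """Return `pdf` plus one incremental update that adds (or extends) the /DSS."""
    size, root, prev = _last_trailer(pdf)
    existing = _dss_refs(pdf)
    out = bytearray(pdf if pdf.endswith(b"\n") else pdf + b"\n")
    offsets, nxt = {}, size            # new object numbers continue from the old /Size

    def emit(num: int, body: bytes) -> None:
        offsets[num] = len(out)
        out.extend(b"%d 0 obj\n%s\nendobj\n" % (num, body))

    arrays = {}
    for key, blobs in zip(_DSS_KEYS, (ocsps, crls, certs)):
        refs = [b"%d 0 R" % n for n in existing[key]]      # keep what earlier updates stored
        for blob in blobs:                                  # one stream object per DER blob
            emit(nxt, b"<< /Length %d >>\nstream\n%s\nendstream" % (len(blob), blob))
            refs.append(b"%d 0 R" % nxt)
            nxt += 1
        arrays[key] = b" ".join(refs)
    dss_num, nxt = nxt, nxt + 1
    emit(dss_num, b"<< /Type /DSS /OCSPs [%s] /CRLs [%s] /Certs [%s] >>"
         % (arrays[b"OCSPs"], arrays[b"CRLs"], arrays[b"Certs"]))
    # Re-emit the catalog pointing at the new DSS; the old catalog bytes are left in place.
    catalog = re.sub(rb"\s*/DSS\s+\d+\s+0\s+R", b"", _object_body(pdf, root))
    assert catalog.startswith(b"<<") and catalog.endswith(b">>")  # assumption: flat catalog dict
    emit(root, catalog[:-2].rstrip() + b" /DSS %d 0 R >>" % dss_num)
    # Classic xref section: one subsection for the catalog, one for the new object range.
    xref_at = len(out)
    out += b"xref\n"
    for start, count in ((root, 1), (size, nxt - size)):
        out += b"%d %d\n" % (start, count)
        out += b"".join(b"%010d 00000 n \n" % offsets[n] for n in range(start, start + count))
    out += b"trailer\n<< /Size %d /Root %d 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (nxt, root, prev, xref_at)
    return bytes(out)


def _stream_data(pdf: bytes, num: int) -> bytes:
    body = _object_body(pdf, num)
    length = int(re.search(rb"/Length\s+(\d+)", body).group(1))
    start = body.index(b"stream\n") + len(b"stream\n")
    return body[start:start + length]


def read_dss(pdf: bytes) -> dict:
    """Resolve the DSS to the raw bytes a validator would hand to its OCSP/CRL/cert parsers."""
    return {k.decode(): [_stream_data(pdf, n) for n in nums] for k, nums in _dss_refs(pdf).items()}


if __name__ == "__main__":
    signed = build_minimal_pdf()
    ltv = append_dss(signed, ocsps=[b"constructed OCSP response"], certs=[b"constructed CA certificate"])
    later = append_dss(ltv, crls=[b"constructed CRL"])     # a further update, e.g. months later
    assert later.startswith(signed)                          # the signed bytes are untouched
    print(read_dss(later))
```

The property worth checking after any LTV step is the `startswith` assertion: an incremental update only ever appends, so whatever the signature's /ByteRange covered is still there and the CMS signature still verifies. The second `append_dss` call shows why Part 4 can say "at any future time": a later update simply shadows the catalog and DSS again while carrying the earlier references forward. A real implementation would walk the xref chain instead of regex-scanning, would store genuine DER-encoded responses and certificates, and would usually follow the DSS with a document timestamp so the added material is itself covered by a trusted time.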
_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions

Buy the iText book: http://www.1t3xt.com/docs/book.php
Check the site with examples before you ask questions: http://www.1t3xt.info/examples/
You can also search the keywords list: http://1t3xt.info/tutorials/keywords/