[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-28 Thread Michael Klink (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17273531#comment-17273531 ]

Michael Klink commented on PDFBOX-5070:
---

Another remark concerning the proposal to _gather OCSP responses before 
signing_...

A comment to [DSS-2361|https://ec.europa.eu/cefdigital/tracker/browse/DSS-2361] 
reminded me of TS 119 102-1, in particular of
{panel:title=5.2.5.4 Processing (5.2.5 Revocation freshness checker)}
When there is information about the signing time, the *validation time* 
parameter corresponds to a time when it is known the signature already existed 
(this can also be the time when a signed document has been received for 
example). If the maximum accepted freshness is then set to zero (0), the 
algorithm ensures that *revocation information is only accepted if it has been 
issued after that point in time*.
{panel}
I.e. when validating according to eIDAS (which this ETSI TS is about), OCSP 
responses to embed must be collected *after signing*, even *after first 
timestamping* the signature, so _the OCSP responses lifetime does -not- start 
after signature time._

> LTV: allow to gather OCSP responses before signing 
> ---
>
> Key: PDFBOX-5070
> URL: https://issues.apache.org/jira/browse/PDFBOX-5070
> Project: PDFBox
>  Issue Type: Improvement
>  Components: Signing
>Affects Versions: 2.0.23
>Reporter: Ralf Hauser
>Priority: Minor
>
> Then, the OCSP responses lifetime does not start after signature time.
> This obviously only can work if the signing cert serial# is known prior to 
> signing (see PDFBOX-2776 comment-17220875 )
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org



[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-24 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17270841#comment-17270841 ]

ASF subversion and git services commented on PDFBOX-5070:
-

Commit 1885873 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1885873 ]

PDFBOX-5070: sign as a stream so that huge files can be processed




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-24 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17270837#comment-17270837 ]

ASF subversion and git services commented on PDFBOX-5070:
-

Commit 1885872 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1885872 ]

PDFBOX-5070: use new method




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-24 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17270836#comment-17270836 ]

ASF subversion and git services commented on PDFBOX-5070:
-

Commit 1885871 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1885871 ]

PDFBOX-5070: add method that returns TSA certificate




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-20 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17268774#comment-17268774 ]

ASF subversion and git services commented on PDFBOX-5070:
-

Commit 1885723 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1885723 ]

PDFBOX-5070: refactor to keep TimeStampToken a bit longer




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-20 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17268773#comment-17268773 ]

ASF subversion and git services commented on PDFBOX-5070:
-

Commit 1885722 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1885722 ]

PDFBOX-5070: refactor to keep TimeStampToken a bit longer




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-20 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17268750#comment-17268750 ]

ASF subversion and git services commented on PDFBOX-5070:
-

Commit 1885721 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1885721 ]

PDFBOX-5070: improve javadoc




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-20 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17268749#comment-17268749 ]

ASF subversion and git services commented on PDFBOX-5070:
-

Commit 1885720 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1885720 ]

PDFBOX-5070: improve javadoc




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-19 Thread Tilman Hausherr (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17268129#comment-17268129 ]

Tilman Hausherr commented on PDFBOX-5070:
-

Let's try the smallest thing first, which is getting a dummy timestamp signature.

- TSAClient.getTimeStampToken() has a wrong javadoc / parameter name (it's not 
an "imprint")
- it would be better that it returns a TimeStampToken 
(CreateSignedTimeStamp.sign() will have to be changed)
- ShowSignature has (non-reusable) code to extract the certificates from the 
TimeStampToken
- The nonce isn't really good in TSAClient (SecureRandom is not static), the 
code in OCSPHelper is better





[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-19 Thread Ralf Hauser (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17267756#comment-17267756 ]

Ralf Hauser commented on PDFBOX-5070:
-

Initial thoughts how to implement this:

1) the LTV info (preferably ocspResp from 
AddValidationInformation.addOscpData() or super-short CRLs) should be retrieved 
before setting the M Date in the SIG dictionary (see PDFBOX-5076 whether this 
should be set at all in the case an rfc3161 timestamp is added) in 
PDSignature.setSignDate() in Create*Signature*.java examples

2) possibly already at this time, also a fake ValidationSignedTimeStamp should 
be requested to learn what the tsa's Certificate is (unless we have a solid 
guess ahead of this)

3) in which data structure should that be held until it is handed over to 
AddValidationInformation.java? Would CertInformationCollector be a viable 
candidate?




[jira] [Commented] (PDFBOX-5070) LTV: allow to gather OCSP responses before signing

2021-01-05 Thread Michael Klink (Jira)


[ https://issues.apache.org/jira/browse/PDFBOX-5070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17258760#comment-17258760 ]

Michael Klink commented on PDFBOX-5070:
---

{quote}Then, the OCSP responses lifetime does not start after signature 
time.{quote}

In plain ISO 32000-1 style signatures you indeed have to gather OCSP responses 
before signing; not because of some lifetime considerations but because in such 
signatures they are to be stored in a signed attribute.

But in true PAdES signatures there is nothing bad about an OCSP response 
lifetime starting after signing time as long as it is not after signing 
certificate lifetime. On the contrary, by retrieving OCSP information early the 
response lifetime might even end before signing time which would be really bad.



There may be one exception in the eIDAS region, according to 
[DSS-2043|https://ec.europa.eu/cefdigital/tracker/browse/DSS-2043] Estonia 
makes use of the "suspended" certificate status and, therefore, requires OCSP 
responses to be from a time near the signature time according to a signature 
time stamp. To support this scenario, though, one should first ask Estonian 
authorities for best practices before starting to implement something without 
guidance.

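Both of Michael Klink's objections in this thread reduce to comparisons of the OCSP response's time window against the signing time: the PAdES/LTV point in the comment just above (a response gathered too early may have a window that ends before the signature exists, while a window that starts after signing is harmless as long as the signing certificate is still valid), and the TS 119 102-1 revocation freshness rule in his 2021-01-28 comment at the top of the thread (with maximum accepted freshness zero, only revocation information issued after the time the signature is known to have existed, e.g. its signature time stamp, is accepted). The following is an added example written for this page, not PDFBox code and not from any participant; the `OcspTiming` field names, the sample times and the use of `thisUpdate` as the "issuance time" are assumptions made for the illustration, and `evaluate`, `is_fresh` and `run_scenarios` are hypothetical helper names.

```python
"""Timing checks for OCSP responses that are to be embedded for LTV.

Added example for the PDFBOX-5070 discussion; this is not PDFBox code.  The
field names, sample times and the choice of thisUpdate as "issuance time" are
assumptions made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HOUR = timedelta(hours=1)
ZERO_FRESHNESS = timedelta(0)            # the eIDAS reading quoted in the thread
ONE_DAY_FRESHNESS = timedelta(hours=24)  # a tolerant policy, for comparison


@dataclass(frozen=True)
class OcspTiming:
    """Constructed stand-in for the time fields of an OCSP response
    (RFC 6960: producedAt on the response, thisUpdate/nextUpdate per SingleResponse)."""
    produced_at: datetime
    this_update: datetime
    next_update: datetime


def covers_signing_time(resp: OcspTiming, signing_time: datetime,
                        cert_not_after: datetime) -> tuple[bool, str]:
    """PAdES/LTV position from the thread: a response whose window starts after
    the signing time is fine as long as it was issued while the signing
    certificate was still valid, but a window that ends before the signing time
    (a response gathered too early) is useless."""
    if resp.next_update < signing_time:
        return False, "nextUpdate precedes signing time: response gathered too early"
    if resp.this_update > cert_not_after:
        return False, "thisUpdate after signing certificate expiry"
    return True, "ok"


def is_fresh(resp: OcspTiming, validation_time: datetime,
             max_freshness: timedelta) -> bool:
    """Revocation freshness checker as quoted from TS 119 102-1 clause 5.2.5:
    revocation information is accepted only if issued no earlier than
    validation_time - max_freshness.  With max_freshness == 0 the response must
    therefore be issued at or after the validation time (the time the signature
    is known to have existed, e.g. its signature time stamp).
    ASSUMPTION: thisUpdate is taken as the issuance time."""
    return resp.this_update >= validation_time - max_freshness


def earliest_acceptable_issue_time(validation_time: datetime,
                                   max_freshness: timedelta) -> datetime:
    """Earliest thisUpdate a validator with the given policy still accepts; for a
    zero-freshness policy this is the signature time stamp time itself, which is
    why the thread concludes OCSP must be fetched after timestamping."""
    return validation_time - max_freshness


def evaluate(resp: OcspTiming, signing_time: datetime, validation_time: datetime,
             cert_not_after: datetime, max_freshness: timedelta) -> dict:
    """Apply both checks to one response and report the verdicts."""
    usable, reason = covers_signing_time(resp, signing_time, cert_not_after)
    return {
        "usable_for_ltv": usable,
        "reason": reason,
        "fresh": is_fresh(resp, validation_time, max_freshness),
    }


# Constructed scenario: document signed at noon, time-stamped five minutes later.
SIGNING_TIME = datetime(2021, 1, 28, 12, 0, tzinfo=UTC)
TIMESTAMP_TIME = SIGNING_TIME + timedelta(minutes=5)
CERT_NOT_AFTER = datetime(2022, 1, 1, tzinfo=UTC)

SCENARIOS = {
    # fetched two days early; its window already ended before signing
    "days_before": OcspTiming(SIGNING_TIME - 48 * HOUR, SIGNING_TIME - 48 * HOUR,
                              SIGNING_TIME - 24 * HOUR),
    # fetched an hour before signing, as the issue proposes
    "just_before": OcspTiming(SIGNING_TIME - HOUR, SIGNING_TIME - HOUR,
                              SIGNING_TIME + 23 * HOUR),
    # fetched after the signature time stamp, as the TS 119 102-1 reading requires
    "after_timestamp": OcspTiming(TIMESTAMP_TIME + HOUR, TIMESTAMP_TIME + HOUR,
                                  TIMESTAMP_TIME + 25 * HOUR),
}


def run_scenarios(max_freshness: timedelta = ZERO_FRESHNESS) -> dict[str, dict]:
    """Evaluate every constructed scenario under one freshness policy."""
    return {name: evaluate(resp, SIGNING_TIME, TIMESTAMP_TIME, CERT_NOT_AFTER, max_freshness)
            for name, resp in SCENARIOS.items()}


if __name__ == "__main__":
    for label, policy in (("max freshness 0", ZERO_FRESHNESS),
                          ("max freshness 24h", ONE_DAY_FRESHNESS)):
        print(label)
        for name, verdict in run_scenarios(policy).items():
            print(f"  {name:16} usable={verdict['usable_for_ltv']!s:5} "
                  f"fresh={verdict['fresh']!s:5} {verdict['reason']}")
```

Run as a script, the table shows the split the thread describes: the "just_before" response is usable for plain PAdES LTV but fails a zero-freshness validator, and only the response fetched after the signature time stamp passes both; under a 24-hour freshness policy the "just_before" response is accepted as well. The "validation time" passed in is the time stamp time rather than the claimed signing time, since that is the point at which the signature is known to have existed.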