Posted to dev@pdfbox.apache.org by "Ralf Hauser (JIRA)" <ji...@apache.org> on 2015/11/05 11:11:27 UTC

[jira] [Commented] (PDFBOX-3047) LTV-fix offline signature

    [ https://issues.apache.org/jira/browse/PDFBOX-3047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14991449#comment-14991449 ] 

Ralf Hauser commented on PDFBOX-3047:
-------------------------------------

For somebody who would like to face this challenge, we would offer EUR 1000.-
If interested, pls contact fixLTV-PDFBOX3047@p4u.ch

> LTV-fix offline signature
> -------------------------
>
>                 Key: PDFBOX-3047
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-3047
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: Signing
>            Reporter: Ralf Hauser
>
> This is a complement to PDFBOX-2776
> <<A PDF signature may not be successfully verified unless its collateral validation components are preserved, e.g., certificates, CRLs, time stamp tokens, revocation lists, and OCSP responses. To facilitate long term signature validation (LTV), PDF supports the ability to collect validation information to verify a signature at a later time if it has been verified once as being valid. Some of this information, i.e. certificates, CRLs and OCSP responses, when not already present in the signature, shall be stored in a document security store (DSS), see 12.8.4.3, "Document Security Store (DSS)". When storing this type of information and, when not already present in the signature, it shall be stored in a document time-stamp dictionary, see 12.8.5, "Document time-stamp (DTS) dictionary (PDF 2.0)". This will provide the information needed to verify a signature as this was done when that signature was first verified. >>
> If someone signs a pdf off-line, there should be a pdf-box routine that can possibly even be run on the command-line to amend a document with OCSP/CRL info for the signing certificate chain plus a verification time-stamp. The latter might even be interesting for an online signature that already has a timestamp but might be lacking other info.
> There should be a clear interface to obtain 
> a) ocsp responses
> b) crls
> c) timestamps 
> such that other (pre-existing) solutions can be tied to this routine


