QESeal LTV validation

42
June 18, 2022, at 02:20 AM

I had issues some months ago with signed PDFs and LTV. Acrobat Reader showed that the signature is LTV enabled and after some months it started to say otherwise, the signature is not LTV enabled and will expire in around 1 year after the signing.

Now I'm working on a new implementation and just want to make sure that the LTV won't disappear this time. I got some tips about using the DSS library also to validate my signatures. Adobe says this time also that the signature is LTV enabled. The DSS validator is complaining about one thing: The signed attribute: 'signing-certificate' is absent! I have checked and it's right because there is no signing-certificate attribute in the ASN1 structure but there is signing certificate V2. I tried to also add the signing-certificate attribute but then I got some other issues. I may have done this the wrong way though. Is there a need for having both? Should/can I ignore this warning? How can one be sure about the LTV? Is there some other way for validation?

Answer 1

First off, the term "LTV enabled" is not as well defined as one might wish for. As has been mentioned a number of times here on Stack Overflow (e.g. here, here, or here), Adobe Acrobat displays that a given signature is "LTV enabled" if during validation it observed that it did not need to access remote sources to retrieve information it required for validation.

Thus, whether or not Adobe Acrobat considers your signature LTV enabled depends on the (closed!) algorithms of the Adobe signature validation code and the configuration of the signature validation in Adobe Acrobat.

Both these factors are subject to change!

In essence, therefore, you cannot be "sure about the LTV"!

Nonetheless, you can try your best to provide as much relevant validation related information and fix it in time. This improves your chances that your signatures are and will continue to be considered LTV enabled by Adobe Acrobat.

Now concerning your questions:

signing-certificate ... signing-certificate V2 ... Is there a need for having both?

To begin with, these attributes are not required by Adobe Acrobat validation routines. (Not yet, that is.) So this is not (yet?) relevant for your objective.

If you are interested nonetheless - no. If your signature algorithm relies on SHA-1 for hashing (which it of course should not!), you should use the plain signing-certificate attribute (in CMS called ESSCertID). If it relies on a different, more advanced algorithm, you should use the newer signing-certificate-V2 attribute (in CMS called ESSCertIDv2) and use the same hash algorithm as in your signature algorithm.

Only if your signatures will also be verified by older (well, ancient) software that supports ESSCertID but not yet ESSCertIDv2, you might consider adding both attributes.

In the context at hand, by the way, eSig DSS does support both ESSCertID and ESSCertIDv2. Thus, if it says that the signing attribute is missing, that means that there is something fishy about the signing-attribute V2 you saw in your signature...

Should/can I ignore this warning?

In respect to Adobe's "LTV enabled" profile, you currently can ignore the warning for now. And whether or not Adobe will start requiring that attribute by default in the future and (if yes) how exactly, is hard to tell.

How can one be sure about the LTV? Is there some other way for validation?

As mentioned above, you cannot be sure about the "LTV enabled" status of your signatures.

Considering the screenshot you shared, though, it mentions that your PDF signature reached only a BASELINE-T equivalent level. In particular, you did not reach a BASELINE-LT equivalent, let alone a BASELINE-LTA equivalent here. Thus, as far as ETSI conform validation goes, the required revocation information was not all found in your PDF.

Adobe's validation rules (currently) are very lax in comparison with the ETSI rules, so it might display "LTV enabled" nonetheless. Unless you want to improve your signatures to BASELINE-LT at least, though, using eSignature DSS won't help you as a validation tool...
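The rule in the answer (SHA-1 signatures carry signing-certificate / ESSCertID, anything else carries signing-certificate-v2 / ESSCertIDv2 with the same digest as the signature) can be checked mechanically. The following is an added example, not code from the question, the answer, or the DSS project: it builds the CMS signed attribute for a given digest with a small hand-rolled DER encoder from the Python standard library only, then parses it back and reports which variant is present, which digest it declares, whether the certificate hash verifies, and whether the declared digest is consistent with the signature digest. The certificate bytes are a constructed placeholder, not a real X.509 certificate, and the optional issuerSerial field is left out for brevity.

```python
import hashlib

# Attribute OIDs: signing-certificate (RFC 2634) and signing-certificate-v2 (RFC 5035)
OID_SIGNING_CERTIFICATE = "1.2.840.113549.1.9.16.2.12"
OID_SIGNING_CERTIFICATE_V2 = "1.2.840.113549.1.9.16.2.47"
# Digest algorithm OIDs (RFC 3370 / RFC 5754)
DIGEST_OID = {
    "sha1": "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}
OID_DIGEST = {v: k for k, v in DIGEST_OID.items()}

# Constructed stand-in for a DER-encoded certificate (NOT a real certificate).
SAMPLE_CERT_DER = b"\x30\x03\x02\x01\x01"


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der(0x06, bytes(out))


def _der_read(buf, pos=0):
    """Return (tag, content, end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_oid_decode(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signing_certificate_attribute(cert_der, signature_digest):
    """Build the signed attribute that binds the signer certificate to the signature.
    SHA-1 -> ESSCertID under signing-certificate; otherwise ESSCertIDv2 under
    signing-certificate-v2, hashed with the same digest the signature uses."""
    if signature_digest not in DIGEST_OID:
        raise ValueError("unsupported digest: %s" % signature_digest)
    cert_hash = hashlib.new(signature_digest, cert_der).digest()
    if signature_digest == "sha1":
        ess_cert_id = _der(0x30, _der(0x04, cert_hash))           # ESSCertID { certHash }
        attr_oid = OID_SIGNING_CERTIFICATE
    else:
        # ESSCertIDv2.hashAlgorithm DEFAULT sha256: DER requires omitting the default value
        alg = b"" if signature_digest == "sha256" else _der(0x30, _der_oid(DIGEST_OID[signature_digest]))
        ess_cert_id = _der(0x30, alg + _der(0x04, cert_hash))     # ESSCertIDv2 { [hashAlgorithm], certHash }
        attr_oid = OID_SIGNING_CERTIFICATE_V2
    signing_certificate = _der(0x30, _der(0x30, ess_cert_id))      # SigningCertificate(V2) { certs SEQUENCE OF }
    return _der(0x30, _der_oid(attr_oid) + _der(0x31, signing_certificate))  # Attribute { type, SET OF value }


def check_signing_certificate(attr_der, cert_der, signature_digest):
    """Parse the attribute and report variant, declared digest, hash match and
    whether the declared digest is consistent with the signature digest."""
    _, attr, _ = _der_read(attr_der)
    _, oid_bytes, pos = _der_read(attr)
    attr_oid = _der_oid_decode(oid_bytes)
    _, values, _ = _der_read(attr, pos)            # SET OF AttributeValue
    _, signing_cert, _ = _der_read(values)         # SigningCertificate(V2)
    _, certs, _ = _der_read(signing_cert)          # certs SEQUENCE OF
    _, ess_cert_id, _ = _der_read(certs)           # first ESSCertID(v2)
    if attr_oid == OID_SIGNING_CERTIFICATE:
        variant, digest = "signing-certificate", "sha1"
        _, cert_hash, _ = _der_read(ess_cert_id)
    elif attr_oid == OID_SIGNING_CERTIFICATE_V2:
        variant = "signing-certificate-v2"
        tag, first, pos = _der_read(ess_cert_id)
        if tag == 0x30:                             # explicit AlgorithmIdentifier present
            _, alg_oid, _ = _der_read(first)
            digest = OID_DIGEST[_der_oid_decode(alg_oid)]
            _, cert_hash, _ = _der_read(ess_cert_id, pos)
        else:                                       # absent -> DEFAULT sha256
            digest, cert_hash = "sha256", first
    else:
        return {"variant": None, "digest": None, "hash_ok": False, "digest_consistent": False}
    expected = hashlib.new(digest, cert_der).digest()
    return {"variant": variant, "digest": digest,
            "hash_ok": cert_hash == expected,
            "digest_consistent": digest == signature_digest}


if __name__ == "__main__":
    for sig_digest in ("sha1", "sha256", "sha384"):
        attr = signing_certificate_attribute(SAMPLE_CERT_DER, sig_digest)
        print(sig_digest, check_signing_certificate(attr, SAMPLE_CERT_DER, sig_digest))
    # A v2 attribute hashed with sha256 inside a sha384 signature verifies but is inconsistent.
    print("mismatch", check_signing_certificate(
        signing_certificate_attribute(SAMPLE_CERT_DER, "sha256"), SAMPLE_CERT_DER, "sha384"))
```

The `digest_consistent` flag is the check worth keeping in a validation pipeline: a validator that only recomputes the certificate hash will accept an ESSCertIDv2 built with a different digest than the signature, which is exactly the kind of "something fishy" the answer alludes to when a tool reports the attribute as missing or unusable.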
