LTV


LTV

jvr968

I'm testing the example part3.chapter12.TimestampOCSP

I have used the pkcs12 keystore to sign the document; the signature is valid, the timestamp is added and LTV is activated.

1.- When the document is signed with pkcs12, is it possible to deactivate LTV?

I have changed the keystore. The key and certificates used to sign the document are from a smartcard (pkcs11). Then the document is signed and validated and the timestamp is added, but LTV is not activated.

2.- What is the reason?

In the signature details it is written that the signature is not activated for LTV and will expire after (smartcard certificate expiration date), not after (timestamp certificate expiration date).

3.- Will the document show a green check mark on the signature after the (smartcard certificate expiration date), won't it? The timestamp works on this issue.

Regards.


------------------------------------------------------------------------------
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
_______________________________________________
iText-questions mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/itext-questions

iText(R) is a registered trademark of 1T3XT BVBA.
Many questions posted to this list can (and will) be answered with a reference to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: http://itextpdf.com/themes/keywords.php
Re: LTV

iText mailing list
Op 9/01/2013 23:00, jv r schreef:
>
> I'm testing the example part3.chapter12.TimestampOCSP
>
> I have used the pkcs12 keystore to sign the document signature is
> valid and timestamp is added and LTV is activated.
>

OK...

> 1.- When the document is signed with pkcs12, is it possible to deactivate LTV?
>

???
You may want to rephrase that question; currently it sounds as if you
want to remove LTV. That doesn't make sense, does it?

> I have changed the keystore. Key and certificates used to sign the
> document are from a smartcard(pkcs11). Then document is signed and
> validated, timestamp is added but LTV is not activated.
>

Any signed document of which all signatures are valid can be LTV-enabled
by adding a DSS.
Since Adobe Acrobat / Reader XI, the signature panel shows a (IMHO
misleading) message saying whether the signature is LTV-enabled or not. After some
experiments, I found out that Reader says the document is LTV-enabled if
you sign the document adding ALL the verification information for ALL
the certificates involved. If for instance, you don't add a CRL for an
intermediary certificate, you'll get a message that the document isn't
LTV-enabled.

> 2.- Which is the reason?
>
> At signature details has been written the signature is not activated
> for LTV and will expire after(smartcardcertificate expirationdate),
> not after(timestamp certificate expiration date).
>

I'm sorry, I have no idea what you're saying here.

> 3.- Will the document show a green check mark on the signature after
> the (smartcard certificate expiration date), won't it? The timestamp works
> on this issue.
>

Again, I don't have a clue what you mean.

If you sign with a CDS or AATL certificate, you will get a green check
mark without any extra manual intervention by the end user as long as:
- the certificate isn't expired
- there's a valid timestamp that signs the VRI
Once the certificate of the timestamp expires, you need to add a DSS and
a document-level timestamp.

Re: LTV

mkl
In reply to this post by jvr968
jvr968,
jvr968 wrote
I'm testing the example part3.chapter12.TimestampOCSP

I have used the pkcs12 keystore to sign the document signature is valid and timestamp is added and LTV is activated.

1.- When the document is signed with pkcs12 is possible to deactive LTV?
What exactly do you mean by "LTV is activated"? That sample does not use mechanisms defined in the PAdES-LTV profile or the section "Long term validation of signatures" in the ISO 32000-2 draft.

Or do you mean LTV more in general, like "adding a time stamp is an initial step to guarantee long term validatability"? In that case simply set the "withTS" parameter of the signPdf call of that sample to false if you don't want LTV.

jvr968 wrote
I have changed the keystore. Key and certificates used to sign the document are from a smartcard(pkcs11). Then document is signed and validated, timestamp is added but LTV is not activated.
Please supply sample PDFs. And explain what you mean by "LTV is activated" or "LTV is not activated".

I don't understand your following items, either.

If you want support for LTV in PDF (LTV as described in PAdES-LTV), have a look at http://itextpdf.com/book/digitalsignatures, especially section 5.4 "PAdES-4: Long-Term Validation (LTV)".

Regards,   Michael
Re: [SPAM] Re: LTV

iText mailing list
Op 10/01/2013 9:51, mkl schreef:
> Please supply sample PDFs. And explain what you mean by "LTV is activated"
> or "LTV is not activated".
Hi Michael,
I still need to update the white paper so that the screen shots match
Adobe Reader XI. It seems that Adobe introduced a line in the
signature panel indicating whether the PDF is "LTV-enabled" or not.
I'm not 100% sure what is meant by "LTV-enabled", but after doing some
experiments, I think a PDF is LTV-enabled according to Adobe when all
the VRI is present. Either all the Certificates, CRLs and a timestamp
need to be present in the detached signature, or a DSS with the complete
set needs to be present in an appended update of the PDF.

I could be wrong, though.

Re: LTV

mkl
Bruno,
1T3XT BVBA wrote
I still need to update the white paper so that the screen shots match with Adobe Reader XI.
A never-ending task, I presume... ;)

But if the original poster wanted to refer to messages of a specific version of a specific pdf reader, he would have had better chances to be helped if he mentioned these details... *sigh*
1T3XT BVBA wrote
It seems that Adobe introduced a line to the signature panel indicating if the PDF is "LTV-enabled" or not. [...]
Sounds like Adobe marketing made up that word. After all, any signed PDF can be introduced in an LTV workflow as long as the signature can be positively validated (unless encryption implicitly prohibits LTV processing) and, therefore, can be called "LTV-enabled".

Regards,   Michael
Re: [SPAM] Re: LTV

iText mailing list
Op 10/01/2013 10:41, mkl schreef:
>> the PDF is "LTV-enabled" or not. [...]
> Sounds like Adobe marketing made up that word.
I find it very confusing. I'm happy to hear I'm not the only one.

Re: [SPAM] Re: LTV

Leonard Rosenthol-3
Our customers asked that we clearly identify a PDF that contained LTV (vs.
one that did not).   That was the term that we determined was simple and
clear in conveying that message.

Leonard

On 1/10/13 4:44 AM, "iText Info" <[hidden email]> wrote:

>Op 10/01/2013 10:41, mkl schreef:
>>> the PDF is "LTV-enabled" or not. [...]
>> Sounds like Adobe marketing made up that word.
>I find it very confusing. I'm happy to hear I'm not the only one.
>


Re: [SPAM] Re: LTV

iText mailing list
Op 10/01/2013 13:22, Leonard Rosenthol schreef:
> Our customers asked that we clearly identify a PDF that contained LTV (vs.
> one that did not).   That was that term that we determined was simple and
> clear in conveying that message.
So the following assumption is correct:
- not LTV-enabled: the PDF is signed correctly, but doesn't contain all
the VRI necessary to validate offline.
- LTV-enabled: the PDF is signed correctly and contains all necessary
certificates, a valid CRL or OCSP response for every certificate, and a
timestamp.

LTV-enabled doesn't refer to the presence of a DSS and/or a
Document-Level Timestamp (which was what I assumed).

Re: [SPAM] Re: LTV

mkl
In reply to this post by Leonard Rosenthol-3
Leonard,
Leonard Rosenthol wrote
Our customers asked that we clearly identify a PDF that contained LTV (vs. one that did not).   That was that term that we determined was simple and
clear in conveying that message.
IMHO it conveys the wrong message. Being XXX-enabled generally is an on/off matter, an item remains XXX-enabled until someone explicitly XXX-disables it. A PDF stops being LTV-enabled (at least it should stop, otherwise that would be even more misleading) as soon as the validity of the outermost timestamp ends.

On the other hand an indication "LTV information sufficient until <DATE>" / "LTV information not sufficient" in my opinion would be very useful.

Regards,   Michael
Re: LTV

Leonard Rosenthol-3
In reply to this post by iText mailing list
Here is my understanding (I'll double check with the engineer when he gets
in).

LTV enabled means that all information necessary to validate the file
(minus root certs) is contained within.  So this statement of yours would
be true.

        the PDF is signed correctly and contains all necessary certificates,
        a valid CRL or OCSP response for every certificate


But since the only way for that statement to be true is for the presence
of DSS, you must have DSS for LTV-enabled to appear.  No timestamp
(regular or document level) is required.
 

Leonard


On 1/10/13 7:46 AM, "iText Info" <[hidden email]> wrote:

>Op 10/01/2013 13:22, Leonard Rosenthol schreef:
>> Our customers asked that we clearly identify a PDF that contained LTV
>>(vs.
>> one that did not).   That was that term that we determined was simple
>>and
>> clear in conveying that message.
>So the following assumption is correct:
>- not LTV-enabled: the PDF is signed correctly, but doesn't contain all
>the VRI necessary to validate offline.
>- LTV-enabled: the PDF is signed correctly and contains all necessary
>certificates, a valid CRL or OCSP response for every certificate, and a
>timestamp.
>
>LTV-enabled doesn't refer to the presence of a DSS and/or a
>Document-Level Timestamp (which was what I assumed).
>


Re: LTV

Leonard Rosenthol-3
In reply to this post by mkl
Enabled for LTV has nothing to do with validity.

You may have set up everything for LTV BUT then someone else invalidated
the signature.  

Leonard

On 1/10/13 7:52 AM, "mkl" <[hidden email]> wrote:

>Leonard,
>
>Leonard Rosenthol wrote
>> Our customers asked that we clearly identify a PDF that contained LTV
>>(vs.
>> one that did not).   That was that term that we determined was simple
>>and
>> clear in conveying that message.
>
>IMHO it conveys the wrong message. Being XXX-enabled generally is an
>on/off
>matter, an item remains XXX-enabled until someone explicitly XXX-disables
>it. A PDF stops being LTV-enabled (at least it should stop, otherwise that
>would be even more misleading) as soon as the validity of the outermost
>timestamp ends.
>
>On the other hand an indication "LTV information sufficient until <DATE>"
>/
>"LTV information not sufficient" in my opinion would be very useful.
>
>Regards,   Michael


Re: LTV

iText mailing list
In reply to this post by Leonard Rosenthol-3
Op 10/01/2013 15:18, Leonard Rosenthol schreef:
> But since the only way for that statement to be true is for the presence
> of DSS, you must have DSS for LTV-enabled to appear.
I'm able to create signed PDFs without a DSS for which Adobe Reader
tells me it's LTV-enabled.
See attachment. No DSS, but the signature has a timestamp and there's a
CRL for all certificates except for the root certificate (that's a good
correction of my earlier statement; I should be more clear when
documenting this).


Attachment: hello_token.pdf (55K)
Re: [SPAM] Re: LTV

Leonard Rosenthol-3
In reply to this post by iText mailing list
Here is the info from my engineer:

1. "a valid CRL or OCSP response for every certificate" also includes
signatures over CRLs and OCSPs, not just the signature certificate.

2. LTV may be enabled when all collaterals are embedded in the
signatures and not DSS (I just fixed a bug that did not handle this case
correctly). In this case there may be no DSS. However, this is very
unusual, because signatures over CRLs and OCSPs do not contain embedded
rev info, which is an Adobe extension. Yet, this is a distant possibility.



On 1/10/13 7:46 AM, "iText Info" <[hidden email]> wrote:

>Op 10/01/2013 13:22, Leonard Rosenthol schreef:
>> Our customers asked that we clearly identify a PDF that contained LTV
>>(vs.
>> one that did not).   That was that term that we determined was simple
>>and
>> clear in conveying that message.
>So the following assumption is correct:
>- not LTV-enabled: the PDF is signed correctly, but doesn't contain all
>the VRI necessary to validate offline.
>- LTV-enabled: the PDF is signed correctly and contains all necessary
>certificates, a valid CRL or OCSP response for every certificate, and a
>timestamp.
>
>LTV-enabled doesn't refer to the presence of a DSS and/or a
>Document-Level Timestamp (which was what I assumed).
>


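The rules this thread converges on, gathered into an added worked example (my code, not iText's, Adobe's or anyone's from the thread): Bruno's observation that the green check mark needs revocation material for every certificate plus a timestamp, mkl's suggested "LTV information sufficient until <DATE>" indication, and the two points from Leonard's engineer (revocation info is also required for the certificates that signed the CRLs and OCSP responses; no DSS or timestamp is needed for the flag itself). Certificates, CRLs and OCSP responses are modelled as plain records rather than parsed from a PDF, the chain and responder names are constructed placeholders, and the "applied while the previous cover was still valid" condition in `ltv_sufficient_until` is the general PAdES timestamp-chaining rule, which the thread only implies:

```python
"""Model of the "LTV-enabled" rule discussed in this thread (added example,
not iText or Adobe code). Certificates, CRLs and OCSP responses are plain
records; all sample data at the bottom is constructed and names such as
"ocsp-responder" are placeholders."""
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str               # name of the issuing cert; a root issues itself
    not_after: datetime

@dataclass(frozen=True)
class RevocationInfo:
    kind: str                 # "CRL" or "OCSP"
    subject: str              # certificate the CRL/OCSP response covers
    signer: str               # certificate that signed the CRL/OCSP response

@dataclass(frozen=True)
class Timestamp:
    applied_at: datetime
    tsa_not_after: datetime   # expiry of the TSA certificate

@dataclass
class ValidationInfo:
    """What is embedded for one signature, in the CMS itself or in a DSS."""
    certs: dict = field(default_factory=dict)       # name -> Cert
    revocation: list = field(default_factory=list)  # RevocationInfo records

def missing_revocation(info, signer_cert_name):
    """Certificates that still lack usable revocation information. Every
    certificate except the root needs a CRL or OCSP response, and so do the
    certificates that signed those responses (the engineer's point 1), so the
    worklist recurses into each responder's chain."""
    missing, seen, todo = set(), set(), [signer_cert_name]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        cert = info.certs.get(name)
        if cert is None:
            missing.add(name + " (certificate not embedded)")
            continue
        if cert.issuer == cert.name:
            continue                         # trust anchor: nothing to check
        covering = [r for r in info.revocation if r.subject == name]
        if not covering:
            missing.add(name)
        todo.extend(r.signer for r in covering)  # responder chains need cover
        todo.append(cert.issuer)                 # then walk up the chain itself
    return sorted(missing)

def ltv_enabled(info, signer_cert_name):
    """All revocation material is present; neither a DSS nor a timestamp is
    required for the flag itself (the engineer's point 2)."""
    return not missing_revocation(info, signer_cert_name)

def ltv_sufficient_until(signer_not_after, timestamps):
    """mkl's "LTV information sufficient until <DATE>": without a timestamp
    the cover ends with the signer certificate; each timestamp extends it to
    its TSA certificate's expiry, provided it was applied while the previous
    cover was still in force (the PAdES chaining rule, assumed here)."""
    until = signer_not_after
    for ts in sorted(timestamps, key=lambda t: t.applied_at):
        if ts.applied_at > until:
            break                            # too late: the cover already lapsed
        until = max(until, ts.tsa_not_after)
    return until

# Constructed sample data: a smartcard signer chain, an OCSP responder issued
# by the same intermediate CA, and three timestamps.
D = datetime
CHAIN = {
    "root-ca": Cert("root-ca", "root-ca", D(2030, 1, 1)),
    "intermediate-ca": Cert("intermediate-ca", "root-ca", D(2020, 1, 1)),
    "smartcard-signer": Cert("smartcard-signer", "intermediate-ca", D(2015, 1, 1)),
    "ocsp-responder": Cert("ocsp-responder", "intermediate-ca", D(2014, 1, 1)),
}
PARTIAL = ValidationInfo(dict(CHAIN), [
    RevocationInfo("OCSP", "smartcard-signer", "ocsp-responder"),
    RevocationInfo("CRL", "intermediate-ca", "root-ca"),
])
COMPLETE = ValidationInfo(dict(CHAIN), PARTIAL.revocation + [
    RevocationInfo("CRL", "ocsp-responder", "intermediate-ca"),  # closes the gap
])
TIMESTAMPS = [
    Timestamp(D(2013, 1, 10), D(2018, 6, 1)),  # signature timestamp
    Timestamp(D(2018, 5, 1), D(2023, 1, 1)),   # document timestamp, applied in time
    Timestamp(D(2024, 1, 1), D(2029, 1, 1)),   # applied after the cover lapsed
]

if __name__ == "__main__":
    print("missing in PARTIAL  :", missing_revocation(PARTIAL, "smartcard-signer"))
    print("COMPLETE LTV-enabled:", ltv_enabled(COMPLETE, "smartcard-signer"))
    print("sufficient until    :", ltv_sufficient_until(D(2015, 1, 1), TIMESTAMPS).date())
```

Running the file reports that PARTIAL lacks cover for `ocsp-responder`: the signer's own chain is fully covered, yet a reader applying the engineer's first point would still flag the file as not LTV-enabled, which is exactly the kind of gap Bruno suspected he had not accounted for. COMPLETE adds the one missing CRL and passes. The third timestamp in TIMESTAMPS was applied after the 2023 cover had lapsed and so does not move the "sufficient until" date, which is why a DSS and document-level timestamp have to be added while the previous timestamp certificate is still valid.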
Re: [SPAM] Re: LTV

iText mailing list
Op 10/01/2013 19:07, Leonard Rosenthol schreef:
> 1. "a valid CRL or OCSP response for every certificate" also includes
> signatures over CRLs and OCSPs, not just the signature certificate.
>
> 2. LTV may be enabled when all collaterals are embedded in the
> signatures and not DSS (I just fixed a bug that did not handle this case
> correctly). In this case there may be no DSS. However, this is very
> unusual, because signatures over CRLs and OCSPs do not contain embedded
> rev info, which is an Adobe extension. Yet, this is a distant possibility.
Thank you very much for this clarification!

In hindsight it's obvious that valid revocation info should be available
for the certificates involved in signing the CRLs and OCSP responses,
but I'm not sure if we took those into account. I think we did, but I'll
definitely have to check.
