If the signature prior to LTV has a timestamp, that is, it was a PAdES-T, then the validation date that Adobe shows when validating the ES-T timestamp certificate is the current date instead of the LTV timestamp date.
So, according to the paragraph of PAdES LTV standard (ETSI TS 102 778-4 V1.1.2) that I mentioned in the previous post, I think Adobe's LTV validation is mixing dates:
* it is validating the LTV timestamp certificate at the LTV timestamp date instead of validating it at the current date.
* it is validating the ES-T timestamp certificate at the current date instead of validating it at the LTV timestamp date.
Please, Steven.Madwin (I'm sorry, but you're the only person I know at Adobe related to cryptographic issues), could you make any comments about it? Is this mix of dates real? Or am I missing something?
Thanks a lot in advance,
Do you have access to the file and if so, is it allowable to send it to me (that is, it doesn't contain any proprietary information)?
With regard to your private message, I got the file you posted. Three things:
- The signatures don't look like they were created with Acrobat or Reader. When it comes to third-party signature creation apps there is not much I can help you with as far as how the signature gets created.
- In order for Acrobat to recognize the signature as being PAdES compliant the /subFilter must be set to /ETSI.CAdES.detached, whereas the /subFilter value in the file you posted is /adbe.pkcs7.detached. That just gets Acrobat to check the PAdES compliance level of the signature. Then, in order for the signature to meet the Basic compliance level the CMS object must conform to RFC 5035. Additionally, if the signature is going to be -L compliant (Long Term Validation) the revocation information must be embedded in the DSS (this part you've got). Finally, if the signature is going to be -T compliant it must be timestamped (and again, this you've got).
- A timestamp is always validated in real time; it can't rely upon itself to provide the revocation time-slice. I noticed that you added a document timestamp about 35 minutes after the document signature was created. My guess is you were trying to see if Acrobat would pick that time to do the revocation checking on the signature timestamp, but as you found out it did not. Acrobat does not have the concept of timestamp chaining, and thus each timestamp signature is independent of all other signatures.
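As an added example (not code from this thread, from Adobe, or from any PAdES library), the script below scans a PDF's raw bytes for the PDF-level indicators mentioned in the reply above: the /SubFilter of each signature dictionary (the key is spelled /SubFilter in ISO 32000), whether a /DSS dictionary is present in the catalog, and whether a /DocTimeStamp dictionary exists. The sample PDF bytes are constructed and the /Contents hex is a placeholder. The script deliberately does not parse the CMS object, so RFC 5035 conformance (the -B level) and the presence of a signature timestamp inside the CMS (the -T level) are outside what it reports; it is a text scan, not a full PDF parser, so files using object streams or incremental updates would need a real parser.

```python
import re

# Constructed sample: a legacy signature, a PAdES signature, a document
# timestamp, and a catalog carrying a DSS. Hex contents are placeholders.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached
   /ByteRange [0 100 200 300] /Contents <3082> >>
endobj
2 0 obj
<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached
   /ByteRange [0 100 200 300] /Contents <3082> >>
endobj
3 0 obj
<< /Type /DocTimeStamp /Filter /Adobe.PPKLite /SubFilter /ETSI.RFC3161
   /ByteRange [0 100 200 300] /Contents <3082> >>
endobj
4 0 obj
<< /Type /Catalog /Pages 5 0 R
   /DSS << /Certs [10 0 R] /OCSPs [11 0 R] /CRLs [12 0 R] >> >>
endobj
"""

# One indirect object: "N G obj ... endobj" (non-greedy body).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
TYPE_RE = re.compile(rb"/Type\s*/(\w+)")
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([\w.]+)")
# /DSS either as a direct dictionary or as an indirect reference.
DSS_RE = re.compile(rb"/DSS\s*(<<|\d+\s+\d+\s+R)")

PADES_SUBFILTER = "ETSI.CAdES.detached"   # PAdES (ETSI TS 102 778-3)
LEGACY_SUBFILTER = "adbe.pkcs7.detached"  # ISO 32000-1 legacy CMS signature


def signature_dicts(pdf: bytes) -> list:
    """Return every /Sig or /DocTimeStamp dictionary with its /SubFilter."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        t = TYPE_RE.search(body)
        if not t or t.group(1) not in (b"Sig", b"DocTimeStamp"):
            continue
        sf = SUBFILTER_RE.search(body)
        found.append({
            "obj": int(m.group(1)),
            "type": t.group(1).decode(),
            "subfilter": sf.group(1).decode() if sf else None,
        })
    return found


def has_dss(pdf: bytes) -> bool:
    """True if a Document Security Store (/DSS) is referenced anywhere."""
    return DSS_RE.search(pdf) is not None


def assess(pdf: bytes) -> list:
    """Per signature, report the PDF-level PAdES indicators only.

    CMS-level checks (RFC 5035 structure, embedded signature timestamp)
    are not attempted here; they need an ASN.1 parser.
    """
    sigs = signature_dicts(pdf)
    dss = has_dss(pdf)
    doc_ts = any(s["type"] == "DocTimeStamp" for s in sigs)
    report = []
    for s in sigs:
        if s["type"] != "Sig":
            continue
        entry = dict(s)
        if s["subfilter"] == PADES_SUBFILTER:
            entry["pades_check"] = "yes: viewer will evaluate the PAdES level"
        elif s["subfilter"] == LEGACY_SUBFILTER:
            entry["pades_check"] = "no: legacy subfilter, PAdES level not checked"
        else:
            entry["pades_check"] = "unknown subfilter"
        entry["dss_present"] = dss          # needed for -L (LTV)
        entry["document_timestamp_present"] = doc_ts  # independent of the signature
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in assess(SAMPLE_PDF):
        print(entry)
```

Running it against the constructed bytes lists object 1 as a legacy signature that a viewer would not even assess for PAdES, and object 2 as a PAdES candidate with a DSS and a document timestamp present; as the reply notes, that document timestamp does not supply a validation date for the signature's own timestamp, so the script reports it only as present.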