I'm using AdobeSign with electronic signatures and in the end, after all the electronic signatures are done, we get a PDF document certified by AdobeSign that roots to AATL and the Adobe Root CA with an electronic signature page on the end. The problem is that Adobe certifies this document without a trusted timestamp - the Adobe-applied certification digital signature has "Signing time is from the clock on the signer's computer." (which I know is the time of the Adobe server not the time electronic signatures were applied).
If I have Preferences->Verification->Verify signatures using "Time at which the signature was created", then the certification signature displays as "LTV enabled".
If I have Preferences->Verification->Verify Signatures Using "Secure time (timestamp) embedded in the signature.", then I get this message "Signature is not LTV enabled and will expire after 2023/02/23..."
Is this AdobeSign certificate LTV-enabled or not? If not, then why doesn't Adobe put a trusted timestamp on their certification so that it's LTV enabled?
I believe the AdobeSign signature contains a trusted timestamp, but the LTV information (certificate chains, revocation information) is not included in the PDF.
Is this happening even if you have manually configured the default time stamp server?
I think LTV (or the lack of it) is independent of time stamp server configuration.
Yes, you're right.
And Adobe will put a trusted timestamp because that is the default security verification mechanism in the absence of a timestamp server. Since LTV verification is not enabled, that is what is happening. You still need to manually add a secured timestamp server and make it the default timestamp server.
The user also must ensure that certificate revocation is enabled in the preference settings.
The key thing is how to enable LTV if the user is employing a PKCS# token method, or just how to add this verification information.
This tutorial has everything broken down in very easy to follow slides: https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/
Just remember, if you have an Adobe Sign Individual Plan, you'll not have access to this feature of configuring more than one timestamp server.
I am working for a company that has AdobeSign for Business and I am *electronically* not digitally signing via the AdobeSign web interface. When all of the electronic signatures are done, AdobeSign attaches a signature page to the PDF and then emails me a certified PDF with that electronic signature page. I open that certified PDF in Acrobat. The problem is that this certified PDF, signed by Adobe, does not have a trusted timestamp. Thus, the organization that needs to enable LTV and/or configure a trusted timestamp is Adobe - not me. Right? As the recipient of a certified PDF, opening it in Acrobat, I can't change whether or not LTV is enabled in that PDF, right?
The last time I looked, the Certifying signature did have a trusted timestamp, but did not have LTV. Some countries use a different (non-Adobe) timestamp service, and I can't give an opinion about those. You can't add LTV because the document is certified "No Changes Allowed". You could ask Adobe to include LTV when certifying the document. If there is truly not a trusted timestamp, file a bug report.
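
The two properties this thread keeps separating, an embedded trusted timestamp in the signature and LTV material (revocation data or a DSS dictionary) in the PDF, can be told apart by looking at the file bytes. The Python below is an added example, not part of the original thread and not Adobe's code; `inspect_signatures` and the sample document are constructed for illustration. It assumes uncompressed signature dictionaries, is a heuristic byte scan only, and validates nothing.

```python
import re

# DER encodings (tag 06, length, value) of two CMS attribute OIDs.
# RFC 3161 timestamp token attribute: 1.2.840.113549.1.9.16.2.14
OID_TIMESTAMP_TOKEN = bytes.fromhex("060b2a864886f70d010910020e")
# Adobe revocation info archival attribute: 1.2.840.113583.1.1.8
OID_ADBE_REVOCATION = bytes.fromhex("06092a864886f72f010108")

# Signature dictionaries store the CMS blob as a hex string: /Contents <3080...>
CONTENTS_HEX = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]+)>")


def inspect_signatures(pdf: bytes) -> dict:
    """Report, per hex /Contents blob, whether timestamp or revocation OIDs appear."""
    sigs = []
    for m in CONTENTS_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:  # PDF treats a missing final hex digit as 0
            digits += b"0"
        cms = bytes.fromhex(digits.decode("ascii"))
        sigs.append({
            "embedded_timestamp": OID_TIMESTAMP_TOKEN in cms,
            "embedded_revocation": OID_ADBE_REVOCATION in cms,
        })
    return {
        "signatures": sigs,
        # Validation data added after signing lives in a /DSS dictionary.
        # It may sit inside a compressed object stream, which this scan misses.
        "dss_present": re.search(rb"/DSS\b", pdf) is not None,
    }


# Constructed sample: filler bytes around the timestamp OID, not a real signature.
_fake_cms = b"\x30\x80" + OID_TIMESTAMP_TOKEN + b"\x00" * 8
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /adbe.pkcs7.detached "
    b"/Contents <" + _fake_cms.hex().encode("ascii") + b"> >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    # Timestamp present, no revocation attribute, no DSS.
    print(inspect_signatures(SAMPLE))
```

A result with `embedded_timestamp` true but neither `embedded_revocation` nor `dss_present` corresponds to the case described in the last reply: a timestamped certifying signature without LTV data.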