LTV-enabled signature became non-LTV signature in 2 hours (same machine)

Explorer, Mar 30, 2020

I have a problem with LTV signatures. Last Thursday we signed a document (7 signatures, 5 on my computer, 2 on different computers, all certificates from one CA). After each signature I checked the document (on my computer) and everything was OK (every signature was LTV-enabled). A few hours later, all the signatures (on my computer) are non-LTV. What is more, we checked the document on 5 different machines: 2 non-LTV, 3 LTV (Acrobat Reader DC everywhere).
I checked the \AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache directory on two computers (one with LTV and one with non-LTV) - no CRL for this CA.
This is a very important document - please help.

TOPICS
Security digital signatures and esignatures
1 ACCEPTED SOLUTION
Engaged, Apr 16, 2020

(I'm guessing) that's related to the fact that Acrobat caches a lot of CRL and OCSP responses while it is launched, without regard for which signature they apply to. The cache gets cleared when you exit Acrobat (and maybe at other times).

Adobe Employee, Mar 30, 2020

Hi barthmaul,

We are sorry for the trouble. As described, the LTV signatures become non-LTV.

Please refer to a similar discussion (https://community.adobe.com/t5/acrobat-reader/ltv-enabled-signatures-not-longer-ltv-enabled-after-up...) and see if that helps.

Explorer, Apr 07, 2020

Hi Amal,
to be honest, that answer did not help me at all.
My file did not become "non-LTV" after an upgrade. We signed the document in Adobe Acrobat Reader DC 2019.010.20069 and everything was OK (LTV enabled). After two hours all the signatures became non-LTV (on the same PC, same version of DC). The same day we checked on 4 different computers:
1) 2019.021.20058 - non-LTV (2 weeks ago), LTV (today)
2) 2019.021.20058 - LTV
3) 2019.010.20069 - LTV
4) 20.006.20042.43423 - LTV (2 weeks ago), non-LTV (today)


If I understand correctly, the Adobe LTV-enabled signature is not a PAdES-E-LTV level signature (ETSI EN 319 142-2). It looks like there is no CRL / OCSP response embedded in the signature.

Sorry, but in my opinion, this problem makes this solution totally useless - I don't know what the validation status for those signatures will be in the future.
What is more - this problem is 2 years old!!

I will try to prepare some test documents and send them to you.

Engaged, Apr 07, 2020

OCSP has never been embedded in the signature. For LTV, the CRL and OCSP responses are saved in a "security store" dictionary external to the signature. Do you have a Timestamp authority configured? Are you verifying signatures at signature creation time or signature timestamp time? What is the expiration time of the signing certificates?

Explorer, Apr 16, 2020

By "CRL / OCSP Response embedded in the signature" I mean "in the signed document" not "in the signature field".

There is no timestamp. All the certificates are valid (some of them will expire next week).

And I know the reason for the difference - if the option "verifying signatures using time at which the signature was created" is selected, then the signature is "LTV-enabled". If the option "verifying signatures using secure time (timestamp) embedded in the signature" is selected, then the same signature is "non-LTV".

In my opinion this is not exactly OK with the ETSI norm.

But I still don't understand why on my computer (with the "verifying signatures using secure time (timestamp) embedded in the signature" option selected) I had an LTV-enabled signature for the first 2 hours.
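
The posts above turn on whether revocation data is stored in the signed document or only in the viewer's cache. The following is an added example, not part of any post and not Adobe code: a heuristic scan that reports whether a PDF carries a Document Security Store (`/DSS`) with `/CRLs` or `/OCSPs` entries, also looking inside Flate-compressed object streams. The function names and the miniature sample input are constructed for illustration, and the scan matches names only; it does not parse the PDF or validate anything.

```python
import re
import zlib

# DSS entries defined by PAdES / ISO 32000-2 for validation material.
DSS_KEYS = ("Certs", "OCSPs", "CRLs", "VRI")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def searchable_bytes(pdf: bytes) -> bytes:
    """Raw file plus every stream that inflates, so dictionaries kept in
    compressed object streams are visible to the scan as well."""
    parts = [pdf]
    for match in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate data (image, font, ...): nothing to scan
    return b"\n".join(parts)

def dss_report(pdf: bytes) -> dict:
    """Heuristic name scan, not a PDF parser: which DSS entries occur."""
    data = searchable_bytes(pdf)
    report = {"DSS": re.search(rb"/DSS\b", data) is not None}
    for key in DSS_KEYS:
        pattern = rb"/" + key.encode() + rb"\b"
        report[key] = re.search(pattern, data) is not None
    # A document timestamp uses the ETSI.RFC3161 signature SubFilter.
    report["DocTimeStamp"] = re.search(rb"/ETSI\.RFC3161\b", data) is not None
    return report

def revocation_embedded(pdf: bytes) -> bool:
    """True when the file itself carries CRLs or OCSP responses in a DSS."""
    r = dss_report(pdf)
    return r["DSS"] and (r["CRLs"] or r["OCSPs"])

def build_sample(with_dss: bool) -> bytes:
    """Constructed miniature input (not a valid PDF) for demonstration."""
    catalog = b"<< /Type /Catalog /AcroForm 2 0 R"
    if with_dss:
        catalog += b" /DSS << /Certs [9 0 R] /CRLs [8 0 R] >>"
    packed = zlib.compress(catalog + b" >>")
    return (b"%PDF-1.7\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
            b"stream\n" + packed + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # scan a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(dss_report(fh.read()))
    else:
        print(dss_report(build_sample(True)))
```

A file that reports no `/CRLs` and no `/OCSPs` has no revocation material of its own in a DSS, so whatever a viewer shows for it depends on what that viewer can fetch or has cached at validation time.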

Explorer, Dec 14, 2023

A digital signature showing as "LTV enabled" in the signature panel of Adobe Reader becomes "not LTV enabled" if, in the 'Signature Verification Preferences' dialog (in Edit > Preferences, under Categories, select Signatures; from the Verification box in the Digital Signatures panel, select More...), we deselect the "Require certificate revocation checking to succeed..." checkbox.

However, the same signature again becomes LTV enabled if we select the "Require certificate revocation checking to succeed..." checkbox.

Is it a bug in Adobe Reader (latest version)?
