Signature LTV prevention

New Here,
Jun 03, 2021

I would like to prevent a signature from ever becoming LTV enabled. Is this possible?

The use case is a certificate that is only valid for 1 year from date of issue.

In the thread https://community.adobe.com/t5/acrobat/how-to-add-an-ltv-enabled-signature/m-p/10392228 there is a great description on how to get a signature to become LTV enabled, and this is basically what I want to prevent. Ideally it would be a property of the Certificate, however I don't see any options for this.

TOPICS
How to , PDF forms , Security digital signatures and esignatures
Engaged,
Jun 03, 2021

The idea of LTV is to enable validation of a signature at a time after the signing certificate has expired. This answers the question "was the signature valid at time of signing". You are asking that the signature (and the signed document) be invalid after the certificate expiration date. Is this what you really want?

New Here,
Jun 03, 2021
Yes, that's exactly the requirement.
New Here,
Jun 03, 2021
The document I need signed will have 1 digital signature that would need LTV enabled, and another signature that ideally would expire after 1 year.

The document is a type of license that is only valid for 1 year, and I am hoping to "enforce" this with a digital signature, so that the messaging is clear - if Adobe indicates that all is well with the signatures, then the document can be trusted and is current.

Hope this clarifies the requirement?
Advocate,
Jun 04, 2021
Quote:
I would like to prevent a signature from ever becoming LTV enabled. Is this possible?

No, that is not really possible as long as the signature can be successfully verified at least once.

Being LTV-enabled essentially means that all information required for validation of the signature in question (X.509 certificates, revocation information, ...) is embedded in the PDF itself and need not be retrieved from elsewhere.

Thus, when users validate the signature successfully once, they can embed the information retrieved for validation into the PDF and so LTV-enable the signature.

You might object and argue that you can apply a certification signature with no-changes-allowed and so forbid embedding that information. But no, if you read the specification (ISO 32000-2) accurately, you'll find that even a certification with no-changes-allowed still allows LTV information to be added. Admittedly, Adobe Acrobat had (has?) the bug of not accepting such LTV additions in spite of the spec, but they promised to fix it.

Ok, two not too serious options exist:

If you are the person responsible for communicating the trust anchor of your CA to Adobe (AATL) or to the European trust lists (EUTL), you can after a year try to communicate to them that you have determined that your CA has been hacked a year ago and no certificate or revocation information by it can be trusted since then; you may cause all the signatures of your CA not to validate successfully anymore as the former trust anchor may not be trusted anymore. But that's nothing you can do very often... 😉

Alternatively you can exploit some weird properties of Adobe Acrobat: Generally Adobe Acrobat is quite lax when confronted with certain errors in the PDF file; except in one situation, that is: when validating a signed PDF with additions applied after signing, it sees these errors as something invalidating the signature.

Thus, if you create your signed PDF with such errors, your original PDF (without changes after signing) validates ok for the lifetime of the used certificates, but as soon as someone adds LTV information, Acrobat suddenly starts rejecting the signature because it sees your errors. (This obviously is no serious recommendation: Acrobat's - and other validators' - behavior to such errors is a moving target and can swing to either side...)

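To make the answer's point concrete (that LTV-enabling means embedding certificates and revocation data in the PDF itself, typically as an incremental update appended after the signed bytes), here is an added example, not code from the thread's participants: a heuristic scan that reports whether a PDF carries a /DSS (Document Security Store), which revision introduced it, and how much validation material it references. The sample PDF skeleton, its object numbers and the /DSS layout are constructed for illustration.

```python
import re

# Constructed sample (not a real signed file): a skeleton PDF whose first
# revision holds a signature object, followed by an incremental update that
# appends a /DSS with certificates, OCSP responses and a CRL (LTV material).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [3 0 R] /SigFlags 3 >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /FT /Sig /T (Signature1) /V 4 0 R >> endobj
4 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached /ByteRange [0 0 0 0] /Contents <00> >> endobj
trailer << /Root 1 0 R >>
%%EOF
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [3 0 R] /SigFlags 3 >> /DSS 5 0 R >> endobj
5 0 obj << /Certs [6 0 R 7 0 R] /OCSPs [8 0 R] /CRLs [9 0 R] >> endobj
trailer << /Root 1 0 R /Prev 10 >>
%%EOF
"""

DSS_REF = re.compile(rb"/DSS\s+(\d+)\s+\d+\s+R")

def _count_refs(body: bytes, key: bytes) -> int:
    """Count indirect references inside the array stored under /<key>."""
    m = re.search(rb"/" + key + rb"\s*\[([^\]]*)\]", body)
    return len(re.findall(rb"\d+\s+\d+\s+R", m.group(1))) if m else 0

def ltv_material(pdf: bytes) -> dict:
    """Heuristic scan (not a full PDF parser; use a PDF library on real files):
    DSS presence, the revision that introduced it (0 = original, 1+ = update)."""
    report = {"signatures": len(re.findall(rb"/Type\s*/Sig\b", pdf)),
              "dss_present": False, "dss_revision": None,
              "certs": 0, "ocsps": 0, "crls": 0}
    # Every incremental update is appended after the previous %%EOF, so the
    # revision index shows whether the LTV data arrived after signing.
    for idx, revision in enumerate(pdf.split(b"%%EOF")):
        ref = DSS_REF.search(revision)
        if not ref:
            continue
        obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj", pdf, re.S)
        if obj:
            body = obj.group(1)
            report.update(dss_present=True, dss_revision=idx,
                          certs=_count_refs(body, b"Certs"),
                          ocsps=_count_refs(body, b"OCSPs"),
                          crls=_count_refs(body, b"CRLs"))
            break
    return report

def is_ltv_enabled(pdf: bytes) -> bool:
    # True when a populated DSS embeds validation material in the file.
    r = ltv_material(pdf)
    return r["dss_present"] and (r["certs"] + r["ocsps"] + r["crls"]) > 0
```

Running the scan on only the bytes up to the first %%EOF (the state right after signing) reports no DSS, while the full file reports the DSS added in revision 1, which is exactly the post-signing addition the answer says a no-changes-allowed certification cannot forbid.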
New Here,
Jun 11, 2021

Thanks for the great answer! Appreciate it
