Dear support team,
I have a PDF document with a digital signature, which can be validated on the website of the Austrian regulatory agency (https://www.rtr.at/TKP/was_wir_tun/vertrauensdienste/Signatur/signaturpruefung/Pruefung.en.html). But it can't be validated in Adobe Acrobat Reader. The message is:
"The signer's identity was valid when it was issued, but no revocation checks could be made to validate the identity at this time."
The signer certificate is expired, but the revocation information can be retrieved either with OCSP (http://ocsp.a-trust.at/ocsp) or with the corresponding CRL (http://crl.a-trust.at/crl/a-sign-premium-mobile-05).
The issuer is available (http://www.a-trust.at/certs/a-sign-premium-mobile-05.crt) and it is listed on the EU trusted list (https://esignature.ec.europa.eu/efda/tl-browser/#/screen/tl/AT/1/14). The corresponding CRL (http://crl.a-trust.at/crl/A-Trust-Root-05) is available, too.
The document does not contain confidential information, so I attached it. Do you have any hint why this signature could not be validated?
Best regards,
Joel
"The signer certificate is expired, but the revocation information can be retrieved either with OCSP (http://ocsp.a-trust.at/ocsp) or with the corresponding CRL (http://crl.a-trust.at/crl/a-sign-premium-mobile-05)."
In general certificate authorities are not required to keep revocation information for a certificate after its regular validity interval. A generic signature validator like Adobe Acrobat, therefore, may choose to not even request revocation information thereafter.
Yes, there are mechanisms by which CAs in their CRLs and OCSP responses can signal that they keep the revocation information for a longer time (and your CA does so), but as Acrobat doesn't even request them, it doesn't get those signals.
But Adobe Acrobat does look at revocation information embedded in the document or cached locally. If Acrobat finds such information and determines that it's from the validation time of the certificate in question, Acrobat accepts and uses it.
If you need signatures to be verifiable by Acrobat (or other generic validators), therefore, you should embed revocation information in time. This is what the "Add Verification Information" option in Acrobat is good for.
Alternatively you can try to use PAdES-aware software and extend the signature to the PAdES baseline LT or LTA profiles. Beware, though: Your example signature is not a PAdES baseline signature to start with, so the PAdES-aware software may reject it.
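A simplified model of the validator behaviour described in the answer above, as an added example (not Adobe's code and not part of the original posts). The class and function names, the dates, and the rule that stored revocation information only counts if it was produced inside the certificate's validity interval are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime

@dataclass
class RevocationInfo:
    """One CRL or OCSP response, reduced to the fields this model needs."""
    this_update: datetime                  # when the CA produced it
    revoked_at: Optional[datetime] = None  # None: certificate reported as good

def check_signer(cert: Cert, now: datetime, embedded: List[RevocationInfo],
                 online_fetch: Optional[Callable[[], RevocationInfo]] = None
                 ) -> Tuple[str, str]:
    """Return (status, reason) for the signer certificate at time `now`."""
    # Assumption: stored info counts only if produced while the cert was valid.
    usable = [r for r in embedded
              if cert.not_before <= r.this_update <= cert.not_after]
    expired = now > cert.not_after
    # The CA is queried only while the certificate is still inside its
    # validity interval; after expiry the request is not even sent.
    if not usable and not expired and online_fetch is not None:
        usable = [online_fetch()]
    if not usable:
        why = "certificate expired, nothing usable embedded" if expired \
              else "no revocation source available"
        return "UNKNOWN", why
    newest = max(usable, key=lambda r: r.this_update)
    if newest.revoked_at is not None:
        return "REVOKED", f"revoked at {newest.revoked_at:%Y-%m-%d}"
    return "VALID", f"good as of {newest.this_update:%Y-%m-%d}"

if __name__ == "__main__":
    # Constructed dates, not taken from the attached document.
    cert = Cert(datetime(2018, 1, 1), datetime(2023, 1, 1))
    today = datetime(2024, 6, 1)
    ltv = [RevocationInfo(this_update=datetime(2022, 5, 1))]
    print(check_signer(cert, today, []))    # nothing embedded
    print(check_signer(cert, today, ltv))   # embedded in time
```

The first call models the situation in the question: the CA still publishes the data, but the validator never asks for it once the certificate has expired.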