Verification information of digital signature not saved in PDF as expected due to configuration?

New Here, Feb 24, 2021

I'm using Acrobat Reader DC for digital signature. The signature format is CAdES equivalent. I have also activated the option for automatically adding verification information when the PDF is saved. I am also using external timestamps.

When I create a digital signature with my certificate, it is displayed as verified. Now I save the document and open it again. The advanced properties dialog of the signatures says that it is a PAdES B-T signature. Shouldn't it be a PAdES B-LT signature if the verification information is saved with the PDF?

Now I can manually add the verification information via the context menu of the signatures in the bar to the left of the document. Now the signature is PAdES B-LT.

Why isn't the signature immediately and without manual interaction PAdES B-LT if the corresponding option to add verification information when saving is activated?

Participant, Feb 26, 2021

You are aware that there are different profiles for embedded digital signatures in PDFs, the good ol' ISO 32000-1 interoperable signatures and the ETSI EN 319 142 / ISO 32000-2 PAdES signatures.

Both profiles allow validation related information (VRI) to be stored in the signed PDF for validators to use during signature validation. But the profiles differ in details, in particular where and when such information is to be stored:

  • In case of ISO 32000-1 interoperable signatures that information is stored in a signed attribute in the embedded CMS signature container. As it's a signed attribute, the information must already be present before signing to be embedded.
  • In case of PAdES, in particular PAdES BASELINE signatures, such information must be embedded in an incremental update of the signed document, i.e. after signing.

Most likely "the option for automatically adding verification information when the PDF is saved" refers to the former profile and the adding of VRI in a signed attribute. For a signature to be considered PAdES B(ASELINE)-LT, though, the VRI must be present as specified for the latter profile.

Adobe Acrobat as a validator accepts VRI according to either profile, even a mixture thereof, but (if I remember correctly) it only declares a signature PAdES B-LT if the VRI are present according to the latter profile.

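The two storage locations described in the answer above can be told apart on a saved file. The following is an added example, not code from the thread or from Adobe: a heuristic byte-level scan that reports, per signature, whether the CMS container carries the Adobe revocation-info signed attribute (OID 1.2.840.113583.1.1.8) and whether a `/DSS` entry appears in bytes appended after the signed revision. It assumes uncompressed PDF objects; `vri_locations` and `build_sample` are names made up for this illustration, and the sample input is constructed.

```python
import re

# DER encoding of OID 1.2.840.113583.1.1.8 (adbe-revocationInfoArchival), the
# signed attribute that carries revocation data in ISO 32000-1 style signatures.
ADBE_REV_INFO_OID = bytes.fromhex("06092a864886f72f010108")
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def vri_locations(pdf: bytes) -> list[dict]:
    """For each signature, report where validation data appears to be stored."""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        # The gap between the two signed ranges holds /Contents <hex CMS>.
        hex_digits = re.sub(rb"[^0-9A-Fa-f]", b"", pdf[a + b:c])
        hex_digits = hex_digits[: len(hex_digits) // 2 * 2]
        cms = bytes.fromhex(hex_digits.decode("ascii"))
        # Everything after offset c + d was appended after this signature.
        appended = pdf[c + d:]
        results.append({
            "signed_revision_end": c + d,
            "in_signed_attribute": ADBE_REV_INFO_OID in cms,
            # Heuristic: a DSS exists in a later revision; it does not prove
            # that the DSS covers this particular signer's certificate chain.
            "dss_after_signing": re.search(rb"/DSS\b", appended) is not None,
        })
    return results


def build_sample(with_attribute: bool, with_dss: bool) -> bytes:
    """Constructed, PDF-shaped test input (not a valid PDF or CMS)."""
    cms = b"\x30\x80" + (ADBE_REV_INFO_OID if with_attribute else b"") + bytes(8)
    tmpl = b"%%PDF-1.7\n1 0 obj << /Type /Sig /ByteRange [0 %04d %04d %04d] /Contents "
    head_len = len(tmpl % (0, 0, 0))
    contents = b"<" + cms.hex().encode() + b">"
    tail = b" >> endobj\n%%EOF\n"
    start2 = head_len + len(contents)
    signed = (tmpl % (head_len, start2, len(tail))) + contents + tail
    update = b"2 0 obj << /Type /Catalog /DSS 3 0 R >> endobj\n%%EOF\n"
    return signed + (update if with_dss else b"")
```

A result with `in_signed_attribute` true and `dss_after_signing` false matches the situation in the question: revocation data is present, but not in the place the PAdES profile requires.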
New Here, Mar 19, 2021

The option "Automatically add verification information when saving signed PDF document" works only for previous signatures, i.e. if you're the second or third person signing the same document, this option will add VRI data for all previous signatures, but not for the last signature (yours). Thus it's better to turn it off, since it doesn't help for documents signed by a single person and produces mixed results for documents signed by multiple persons.

To be PAdES compliant, it's also necessary to turn off the option "Include signature's revocation status" as this adds Adobe-proprietary revocation data not compliant with PAdES - see

https://acrobat.uservoice.com/forums/590923-acrobat-for-windows-and-mac/suggestions/42170878-digital...
