PAdES B-LTA-Level signature

Report · Jun 25, 2019

Hey, everyone.

I am using Adobe Acrobat Reader DC 2019.012.20035 on W10 (64-bit).

I was wondering if I can sign digitally at PAdES B-LTA-level. So far I've only been able to get B-T. I've been digging around and apparently, in addition to what I already have for the T-level, I need to add

VRI (Verification Related Information) to the DSS (Document Security Store) with stuff like OCSP responses and all certificates of the certificate chain from the user certificate all the way up to the Root CA certificate to get the B-LT-level signature, and then
a document timestamp and VRI details for the TimeStamp Authority to the DSS for the B-LTA-level.

How would I go about creating a DSS and add all this VRI to it? I've been exploring the options in Preferences > Signatures, but I can't find anything relevant.

Thanks.

Report · Jan 09, 2022

If you've reached B-T level, it means you already have a working signature certificate and a Timestamp authority (TSA) set up properly. Good job!

Next steps to reach B-LTA:

1. Save and close the document. Then open it again in a new Reader/Acrobat instance, right-click the existing digital signature and select Add Verification Information. (Note: To my understanding, this exact functionality is achieved if you have enabled the option to Automatically add verification information when saving signed PDF, however in my experience this rarely works, if at all.) You have now reached B-LT level.

2. Add a timestamp to the document by selecting the option to Apply a Document time stamp. Save the document. You have now reached B-LTA level.

I've noticed that this only works on documents that are not certified with a digital signature. For some reason it is impossible to add a Document time stamp to such documents. So in case of certified PDFs, the highest level I was able to get through regular Adobe Reader/Acrobat and other PDF reading/editing software is B-LT.

Report · Nov 10, 2022

Hello. Thanks for the great advice. I wanted to add my experience using PKCS#11 security keys and trying to obtain multiple PAdES B-LTA signatures, using Acrobat Pro DC 2022.001.20112:

1. In my experience, the "Add Verification Information" option sometimes appears, and sometimes not. I wasn't sure what caused this, but even when it does not appear (probably because somehow the verification information is already included by default), the workflow succeeds. My "Automatically add verification information when saving signed PDF" is on, but has been so since the beginning.

2. I found time-stamping the document before the chain of signatures to be as a better workflow, as adding post-signature data elements to a document sometimes upsets the signature validity judgements of other compatible software (such as PDF Studio Pro).

2. My recommended workflow for a chain of signatures, all PAdES B-LTA certified, is as follows:

3. Edit the pdf on Acrobat Pro in Prepare Form mode and add all empty signature fields for expected signers.

4. Add a time stamp (Apple's server works just fine) - this will save the document with the time stamp signature.

5. For every signer, using a new acrobat session, have them sign their field and save the document.

6. All signatures should now be valid and B-LTA conformant. Third party tools such as PDF Studio Pro should also agree.

7. I agree that at this point B-LTA appears impossible to obtain whenever a certification step is introduced in the chain of production. I wasn't able to go beyond B-T with certified documents. But any signature can bear certification purposes, and document editing / printing restrictions can be added using Adobe password security.