Adobe Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Exit
About Peter Goodey
since
‎Jun 25, 2018
‎May 06, 2021
Peter Goodey
Community Beginner
10
Posts
1
Upvotes
0
Solutions
‎May 05, 2021
06:09 AM
Hi Tomer Basically the signing certificate has to have the AATL policy specified. Most annoyingly it also makes PAdES LTA documents signed 4+ years ago using non-AATL certificates invalid which is definitely incorrect and goes against core the intention of the standard. It was reported 18 months ago as a bug but there has been no response from Adobe. As a developer you have no option but to obtain an unnecessarily over-priced AATL certificate. Or alternatively ignore the inavlid-policy constraint error and perhaps use a different reader. Regards Peter
... View more
‎Nov 22, 2019
05:05 AM
Anyone tracking this topic I have discovered that this behaviour only occurs when the signature has long-term validation information in a a VRI dictionary that has a timestamp (/TS) entry. Adobe are currently looking into it
... View more
‎Nov 22, 2019
03:05 AM
One final note on this: We have previously signed documents that had long term validation information which had then been document timestamped - making the document PAdEs Baseline Long Term Archival which are now showing as invalid. This runs counter to the logic of PADES LTA reasonaing which should show if a signature was valid at signing time, and information to support this is included the document, then the signature should be still valid for as long as the timestamp's certificate chain is valid. I would therefore suggest that this behaviour change breaks with PADES LTA.
... View more
‎Nov 22, 2019
03:01 AM
@rolandor81994411 I have submitted a bug report to Adobe to suggest that Signature's validity is changed to unknown rather than invalid when this policy requirement has not been met. It is valid in the sense that it is proven that the signing certificate's private key signed the document; the signing certificate chains up to a trusted AATL root; and that the certificate has not been revoked.
... View more
‎Nov 21, 2019
06:08 AM
I know it's been a while but just to complete this response for anyone else, here is the Certificate Policies extension for the signing certificate. As you can see it does not have the policy with Oid 1.3.6.1.4.1.6449.1.2.1.6.6 that appears in the root certificate. I do agree that it should not mark the signature as invalid - that is entirely misleading. The certificate has been used to created a valid signature. It is only the validity of the certificate that is in question!
... View more
‎Sep 29, 2019
12:04 AM
It does. Otherwise it wouldn't validate at all. My question is really what needs to be in the CMS/PKCS#7 for this box to get populated
... View more
‎Sep 19, 2019
02:08 AM
Hopefully the ever helpful Steven Madwin can assist. I've developed the PAdES signature logic for our PDF manipulation library. When we create a signature conforming to B-LTA by adding an ETSI.RFC3161 DocTimeStamp we get a "Timestamp embedded in the document" panel displaying in the Advanced Signature Properties dialog in DC 2019 (see below). We are wondering why it appears, when we have seen other B-LTA signatures that do not have this panel (see further below). Also why does the Timestamp Authority show as "Not available". The actual signature is at Rev. 1 with the DocTimeStamp is at Rev. 2. The DocTimeStamp's CMS contains the certificate. My hunch that this is an embryonic step towards fully displaying the conforming attributes of B-LTA in one properties window? In which case does the second panel relate to the DocTimeStamp in Rev. 2? For comparison here is a B-LTA signature from another file: I have painstakingly followed the PAdES specifications during development. Is there something more we need to add to populate this certificate field? Perhaps DSS entries for the document timestamp certificate? Incidently, this does not affect the validity of the signature as shown by Acrobat. Many thanks Peter P.S. This new Community forums design is a tad annoying. I used to be able to find things easily 😞
... View more
‎Aug 15, 2019
09:22 AM
Hi Steven Madwin​ Thanks for getting back to me so quickly. Here's the policy details from the UserTrust/Sectigo CA Cert. Look reasonable? I could delve into the cert to dump lower level details?
... View more
‎Aug 14, 2019
08:08 AM
We have previously been able to sign documents with certificates with the following intended usages: Digital Signature, Encrypt Keys, Email Protection, 1.3.6.1.4.1.6449.1.3.5.2 As per Steven.Madwin​'s response to Document signing requires code signing certificate this should be fine. However as of Acrobat Reader DC 2019 the signature is marked as invalid. The certificate path shows "Invalid policy constraint" for the issuing certificate paths and the signing certificate. The certificate we are using is issued by Sectigo and is AATL approved. Has Acrobat become fussier about the types of certificates it will accept. If so what needs to be present in the certificate?
... View more
‎Oct 01, 2018
02:22 AM
1 Upvote
Steven.Madwin​ Thanks this helped me a lot too!
... View more
Copyright © 2024 Adobe. All rights reserved.
AdChoices