Hello fellow Adobe users. I was hoping to get help on a problem I am experiencing with regards to long term validation of a digital signature:
From what I understand, if a digital signature is valid at the time of signing (i.e. using a valid PKI cert, successfully passing the revocation check, and using secure time with a valid time-stamp server), then the signature should be able to be validated for the long term if the revocation information is embedded in the certificate (an option that can be checked in advanced security preferences).
In my scenario, I have PDF that was signed, validated, and I can see the CRL information was correctly embedded in the certificate. Now, I have this same certificate revoked and open the same PDF document unmodified. What happens is the signature is validated live, rather than offline, despite my CRL information having been embedded. Since the certificate has been revoked, the validation fails, despite the fact that it was valid AT THE TIME of signing.
This means long term validation is failing. I don't care if the person is now on the CRL list. I only care that at the time of signing, the signature was valid.
In the Adobe Security Administration Guide, Section "5.4.2.4 Embedding Revocation Data in Signatures" states the following:
"By default, revocation checking information is not stored in a signature and the application will either check online or a local cache for revocation information. However, revocation data can be stored in a signature, thereby enabling offline revocation checking as well as a determination as to whether a signer's certificate was valid at the time of signing".
So my question is - why isn't the embedding of the certificate making my certificate valid since it was valid at the time of signing regardless of the current status of the user's cert? I even checked the registry to make sure the blsEnabled flag is set to 1 so that revocation status is included when signing.
I would really appreciate help on this as I am completely stumped on why this isn't working. Thanks in advance.
ps: I am using GlobalSign certificates to sign.
If Adobe Acrobat/Reader is validating the signature based on the current time, it will always check the current CRL if it is available. You MAY select the option to validate the signature based on the signing time, but let me war you that this is NOT safe in my opinion:
Signatures should always be validated based on the current time, except IF there is a timestamp. Remember that if there is no timestamp, the signing time is informed by the signer. If the certificate is revoked, maybe is because the private key is compromised, therefore, you SHOULDN'T trust anything the signer says... including the signing time.
IF there is a timestamp, and you trust the Time Stamping Authority, then you can validate the signature and check the CRL from the time the timestamp was emitted.
Resuming: There is no *trustful* long term validation without timestamp. Adobe allows you to do it, just check the option I've explained here, but I really don't think you should ;)
[color=darkblue][b]Cristian Thiago Moecke[/b]
LabSEC - UFSC - Brazil[/color]