What is the connection between LTV and document timestamps?


Problem description

I am confused about LTV in iText. I have read the paper, discussions but there is one thing still unclear. What is the connection between LTV and document timestamps? Or more precisely, how do I make PDF LTV enabled without using timestamps? One thing I know for sure, to make an LTV enabled document, I do not need timestamps. I tried signing a document with a digital certificate in Acrobat and when opened it says the document is LTV enabled, I did not use any timestamp.

Solution

LTV enabled in Adobe Reader

The last time I looked Adobe had not publicly defined what they mean by "LTV enabled" technically.

Adobe's PDF evangelist Leonard Rosenthol gave this definition on the iText mailing list this January:

LTV enabled means that all information necessary to validate the file (minus root certs) is contained within.

which has been clarified as

the PDF is signed correctly and contains all necessary certificates, a valid CRL or OCSP response for every certificate [except for the root certificate]

but as

"a valid CRL or OCSP response for every certificate" also includes signatures over CRLs and OCSPs, not just the signature certificate.

he pointed out quoting one of the Adobe engineers

LTV may be enabled when all collaterals are embedded in the signatures and not DSS (I just fixed a bug that did not handle this case correctly). In this case there may be no DSS. However, this is very unusual, because signatures over CRLs and OCSPs do not contain embedded rev info which is Adobe extension. Yet, this is a distant possibility.

Adding LTV information in iText

Using iText to add LTV information, on the other hand, is an attempt to add such information to a signed document which misses the required information.

Missing a concrete technical definition by Adobe to go by, though, this essentially is a best effort attempt, not something one can definitively claim to have done. It especially turned out that the interpretation of the specification of the DSS sections to add this information was inconsistent.

Maybe Bruno can report the current state of the endeavor.

Your questions

What is the connection between LTV and document timestamps?

Document time stamps and LTV information have initially been defined in the same PAdES specification part ETSI TS 102 778-4 and some ping-pong between them has been defined there:

Thus, it had been assumed sometimes that each time you add DSS you also have to add a document time stamp. This in turn may give rise to some hen-egg issue because the time stamp also relates to some certificate for which additional DSS information might be required.

As Leonard also wrote back in January on the topic of "DSS for LTV-enabled"

No timestamp (regular or document level) is required.

Thus, getting back to your questions,

Or more precisely, how do I make PDF LTV enabled without using timestamps?

Add validation information for all involved certificates except root certificates, also including certificates used in the validation information. And whenever you time stamp, add validation information for the time stamp, too.
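
The rule in the last paragraph of the answer can be modelled as a small completeness check. This is an added example, not part of the original answer and not iText or Adobe code: the certificate names and the `missing_validation_info` helper are hypothetical, and the model only tracks which certificates need embedded CRL/OCSP data, without parsing a PDF or verifying any signature.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str            # name of the issuing certificate
    is_root: bool = False  # roots are trusted out of band, no revocation data needed

def missing_validation_info(certs, rev_info, start):
    """Return sorted names of certificates that still lack validation information.

    certs:    name -> Cert, for every certificate available to the validator
    rev_info: name -> name of the certificate that signed the embedded
              CRL or OCSP response covering that certificate
    start:    signer certificates, plus time stamp certificates if any are used
    """
    missing, seen, todo = set(), set(), list(start)
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        cert = certs.get(name)
        if cert is None:           # certificate itself is not available
            missing.add(name)
            continue
        if cert.is_root:           # "minus root certs"
            continue
        todo.append(cert.issuer)   # every certificate up the chain is involved
        if name not in rev_info:
            missing.add(name)
        else:
            # The certificate that signed the CRL/OCSP response is involved too.
            todo.append(rev_info[name])
    return sorted(missing)

# Constructed sample data (hypothetical names, no real PKI).
CERTS = {c.name: c for c in [
    Cert("Root", "Root", is_root=True),
    Cert("CA", "Root"),
    Cert("Signer", "CA"),
    Cert("OCSPResponder", "CA"),
    Cert("TSARoot", "TSARoot", is_root=True),
    Cert("TSA", "TSARoot"),
]}
REV_INFO = {"Signer": "OCSPResponder", "CA": "Root"}

if __name__ == "__main__":
    print(missing_validation_info(CERTS, REV_INFO, ["Signer"]))
    full = {**REV_INFO, "OCSPResponder": "CA"}
    print(missing_validation_info(CERTS, full, ["Signer"]))
    print(missing_validation_info(CERTS, full, ["Signer", "TSA"]))
```

In the sample data the signer's OCSP response is present but the responder's own certificate has no revocation data, which is the "certificates used in the validation information" case; adding a time stamp brings the TSA certificate into the set as well.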
