
I am trying to figure out the revocation checking algorithm in Adobe Reader or Acrobat. When I have a time stamp embedded into a signature, then the time stamp certificate's revocation is checked according to the current time. However, when I have a document time stamp, then revocation is checked according to the secure (time stamp) time. A signature-embedded time stamp is validated according to the current time even if it's a PAdES B-LTA signature (the PDF has an additional document-level time stamp).

Why is there a difference in 'checking time' between the two time stamp types?

EDIT: I use Adobe Reader DC 2015.017.20053

Amedee Van Gasse
Daniel
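The two behaviours the question contrasts can be made concrete with a small model. The following Python is an added illustration, not code from the question, from Adobe Reader, or from any of the commenters: it compares checking both TSA certificates at the current time (what the question reports for the signature-embedded time stamp) with checking the inner time stamp at the time of the outer document time stamp, the order mkl's comment says he expected. The TSA names, validity windows, time stamp times and revocation dates are all constructed; the model also ignores chain building and the trust-anchor shortcut discussed in the comments, so it shows only the effect of the chosen validation time on a revocation decision.

```python
"""Validation-time model for nested PAdES time stamps (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class TsaCert:
    name: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime]  # None: no revocation entry in the CRL/OCSP data held


@dataclass(frozen=True)
class TimeStamp:
    kind: str        # "signature" (inner, inside the CMS) or "document" (outer DocTimeStamp)
    time: datetime   # genTime of the time stamp token
    cert: TsaCert


def cert_status_at(cert: TsaCert, when: datetime) -> str:
    """Status of the TSA certificate when judged at validation time `when`."""
    if not (cert.not_before <= when <= cert.not_after):
        return "expired"
    if cert.revoked_at is not None and cert.revoked_at <= when:
        return "revoked"
    return "good"


def validation_times(outer: TimeStamp, now: datetime, scheme: str) -> Dict[str, datetime]:
    """Which point in time each time stamp's certificate is checked at.

    current_time: both checked now (the behaviour reported for the inner stamp).
    poe: outer checked now, inner checked at the outer stamp's time, i.e. the
         proof of existence the document time stamp provides for the inner one.
    """
    if scheme == "current_time":
        return {"document": now, "signature": now}
    if scheme == "poe":
        return {"document": now, "signature": outer.time}
    raise ValueError(f"unknown scheme {scheme!r}")


def validate(inner: TimeStamp, outer: TimeStamp, now: datetime, scheme: str) -> Dict[str, str]:
    times = validation_times(outer, now, scheme)
    return {
        "document": cert_status_at(outer.cert, times["document"]),
        "signature": cert_status_at(inner.cert, times["signature"]),
    }


# Constructed dates: signature stamp in January, document stamp in February,
# verification in August 2016. Two revocation dates for the inner TSA cert:
# one after the document time stamp was applied, one before it.
NOW = datetime(2016, 8, 22, tzinfo=UTC)
REVOKED_AFTER_OUTER = datetime(2016, 6, 1, tzinfo=UTC)
REVOKED_BEFORE_OUTER = datetime(2016, 1, 20, tzinfo=UTC)


def scenario(inner_revoked_at: Optional[datetime]) -> Dict[str, Dict[str, str]]:
    """Run both schemes for an inner TSA cert with the given revocation date."""
    tsa1 = TsaCert("TSA-1 (constructed)", datetime(2015, 1, 1, tzinfo=UTC),
                   datetime(2020, 1, 1, tzinfo=UTC), inner_revoked_at)
    tsa2 = TsaCert("TSA-2 (constructed)", datetime(2015, 1, 1, tzinfo=UTC),
                   datetime(2020, 1, 1, tzinfo=UTC), None)
    inner = TimeStamp("signature", datetime(2016, 1, 15, tzinfo=UTC), tsa1)
    outer = TimeStamp("document", datetime(2016, 2, 1, tzinfo=UTC), tsa2)
    return {s: validate(inner, outer, NOW, s) for s in ("current_time", "poe")}


if __name__ == "__main__":
    for label, when in (("revoked after outer stamp", REVOKED_AFTER_OUTER),
                        ("revoked before outer stamp", REVOKED_BEFORE_OUTER),
                        ("never revoked", None)):
        print(label, scenario(when))
```

The interesting row is the first one: a TSA certificate revoked months after the document time stamp was applied makes the inner time stamp fail under the current-time scheme but pass under the proof-of-existence scheme, while a certificate revoked before the outer stamp fails under both. That is exactly the difference in outcome that the choice of "checking time" produces.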
  • Can you share sample files to reproduce the observed behavior with? – mkl Aug 22 '16 at 12:14
  • Thanks for the help. Here it is: https://www.dropbox.com/s/ef5rnsf09c187np/bitcoin-LTA.pdf?dl=0 – Daniel Aug 22 '16 at 12:41
  • Well, you are right, that is weird. I also would have expected it the other way around, the outer timestamp being verified at the current time and the inner at the time of the outer one. But concerning the time stamps we are in a borderline situation anyway: The time stamping certificate already is a trust anchor by itself, so validations are very limited anyway... I'll look into it some more... – mkl Aug 22 '16 at 14:48
  • Yes, my thoughts exactly. I have removed the time stamp's certificate from the trusted certificates list, as we need to see how the embedded revocation is handled by Adobe Reader. There's something strange with revocation checking as well, but I'll open another question once I have this time stamping issue sorted. – Daniel Aug 22 '16 at 14:50
  • For further tests I would advise working with different TSAs for the different time stamps; if the same is used, trust might prematurely be established. Furthermore the TSAs should not use trust anchors for time stamping; if trust anchors are used, hardly any tests are executed at all. – mkl Aug 22 '16 at 15:56
  • I just spotted one thing, probably not important for verification but in general: All revisions of your document have the identical trailer **ID** entry. This is wrong: The first part indeed shall remain but the second is expected to differ between revisions. In some respects, e.g. indexing, Adobe Reader is known not to function properly if different files have the identical ID, see for example [this answer](http://stackoverflow.com/a/28697329/1729265). Similar problems might arise if different revisions of the same base document have the identical ID. – mkl Aug 22 '16 at 16:13
  • *we need to see how the embedded revocation is handled by Adobe Reader* - Unfortunately this might change from version to version. And ETSI / EN specifications allow a certain freedom for verification procedures as long as the result is correct (in the context at hand). – mkl Aug 22 '16 at 16:39
  • https://www.dropbox.com/s/nsgxv4paaspefp5/bitcoin-LTA2.pdf?dl=0 Here's another document with a different TSA. This TSA is a test system so it doesn't show up in any trusted lists (Adobe or EUTL). However, the same phenomenon is displayed. Here's the Root CA for the test TSA that you have to add to your trusted list: http://www.e-szigno.hu/TRootCA2008.crt – Daniel Aug 22 '16 at 16:43
  • _Furthermore the TSAs should not use trust anchors_. Yes, but they are included in the EU Trusted Lists, so Adobe automatically downloads them and adds them to the trusted certificates. I was shocked to see this as a practice and tried to move to a different TSA but it seems that all time stamp providers in our country have the _TSA_ certificates added to the EUTL so I'm out of options. – Daniel Aug 22 '16 at 16:49
  • I cannot thank you enough for your time in this matter. However I have another finding which might be related. I created another post for it: http://stackoverflow.com/questions/39085054/adobe-reader-time-stamp-embeded-into-signature-requires-download-of-revocation – Daniel Aug 22 '16 at 17:06
  • This is not an iText question. I will remove the tag. – Amedee Van Gasse Aug 23 '16 at 11:06
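mkl's side observation about the trailer **ID** entry is easy to check mechanically: every revision of an incrementally updated PDF carries its own trailer (a classic `trailer` dictionary or a cross-reference stream), and the two-element `/ID` array in each should keep the first element and change the second. The script below is an added example, not code from the question or from any of the commenters; it walks all trailer dictionaries of a file in order, collects their `/ID` arrays and reports the two defects named in the comment. The two-revision PDF skeletons it runs on are constructed inline for the test and are not renderable documents, only enough structure for the trailer scan; `/ID` values given as literal `(...)` strings rather than hex are not handled.

```python
"""Check that trailer /ID arrays of a PDF behave across revisions (added example)."""
import re
from typing import List, Optional, Tuple

IdPair = Optional[Tuple[str, str]]

_ID_RE = re.compile(rb"/ID\s*\[\s*<([0-9A-Fa-f\s]*)>\s*<([0-9A-Fa-f\s]*)>\s*\]")
_TRAILER_RE = re.compile(rb"trailer\s*(?=<<)")          # classic trailer keyword
_OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\s*(?=<<)")       # indirect object with a dict


def _dict_span(data: bytes, start: int) -> Tuple[int, int]:
    """Return (begin, end) of the balanced << ... >> dictionary at `start`.
    Nested dictionaries, hex strings and literal strings are skipped so that
    '<<' or '>>' inside them does not confuse the depth count."""
    if not data.startswith(b"<<", start):
        raise ValueError("no dictionary at offset %d" % start)
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth += 1
            i += 2
        elif data.startswith(b">>", i):
            depth -= 1
            i += 2
            if depth == 0:
                return start, i
        elif data[i:i + 1] == b"<":                      # hex string
            j = data.find(b">", i + 1)
            i = len(data) if j < 0 else j + 1
        elif data[i:i + 1] == b"(":                      # literal string
            nest, i = 1, i + 1
            while i < len(data) and nest:
                c = data[i:i + 1]
                if c == b"\\":
                    i += 2
                    continue
                nest += (c == b"(") - (c == b")")
                i += 1
        else:
            i += 1
    raise ValueError("unterminated dictionary at offset %d" % start)


def revision_ids(data: bytes) -> List[IdPair]:
    """/ID of every trailer (classic or XRef stream dict) in file order, one per revision."""
    found = []
    for m in _TRAILER_RE.finditer(data):
        b, e = _dict_span(data, m.end())
        found.append((b, data[b:e]))
    for m in _OBJ_RE.finditer(data):
        try:
            b, e = _dict_span(data, m.end())
        except ValueError:                               # "obj" inside binary stream data
            continue
        if re.search(rb"/Type\s*/XRef\b", data[b:e]):
            found.append((b, data[b:e]))
    ids: List[IdPair] = []
    for _, body in sorted(found):
        idm = _ID_RE.search(body)
        ids.append(tuple(re.sub(rb"\s", b"", g).decode("ascii").upper()
                         for g in idm.groups()) if idm else None)
    return ids


def id_problems(ids: List[IdPair]) -> List[str]:
    """Defects in the /ID sequence: missing arrays, a changing first element,
    or a second element reused across revisions."""
    problems = [f"revision {n}: trailer has no /ID" for n, e in enumerate(ids, 1) if e is None]
    present = [e for e in ids if e is not None]
    if not present:
        return problems or ["no trailer /ID found"]
    if len({e[0] for e in present}) > 1:
        problems.append("permanent identifier (first element) changes between revisions")
    changing = [e[1] for e in present]
    if len(changing) != len(set(changing)):
        problems.append("changing identifier (second element) is repeated across revisions")
    return problems


def build_two_revision_pdf(id0: bytes, id1_rev1: bytes, id1_rev2: bytes) -> bytes:
    """Constructed two-revision PDF skeleton; offsets are not meant to be accurate."""
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
            b"trailer\n<< /Size 3 /Root 1 0 R /ID [<" + id0 + b"> <" + id1_rev1 + b">] >>\n"
            b"startxref\n116\n%%EOF\n"
            b"3 0 obj << /Type /Sig /Filter /Adobe.PPKLite /Contents <00> >> endobj\n"
            b"xref\n3 1\n0000000300 00000 n \n"
            b"trailer\n<< /Size 4 /Root 1 0 R /Prev 116 /ID [<" + id0 + b"> <" + id1_rev2 + b">] >>\n"
            b"startxref\n400\n%%EOF\n")


PERM = b"0123456789ABCDEF0123456789ABCDEF"
SAMPLE_SAME_ID = build_two_revision_pdf(PERM, PERM, PERM)          # the situation in the comment
SAMPLE_DISTINCT_ID = build_two_revision_pdf(PERM, b"AA" * 16, b"BB" * 16)

if __name__ == "__main__":
    for name, pdf in (("same", SAMPLE_SAME_ID), ("distinct", SAMPLE_DISTINCT_ID)):
        print(name, revision_ids(pdf), id_problems(revision_ids(pdf)))
```

Run against a real file with `id_problems(revision_ids(open(path, "rb").read()))`; an empty list means the first element is stable and the second differs in every revision, which is what the comment says signing tools are expected to produce.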

0 Answers