
I am trying to implement Document Timestamps (a separate signature with type DocTimeStamp and SubFilter ETSI.RFC3161) and Signature Timestamps (a timestamp token as an unsigned attribute of the current signature). I am trying to understand what changes to the signature dictionary are required. Below are my findings:

  1. For Document Timestamp, I need to add the certs, CRLs and OCSPs to the DSS dictionary. A separate DTS dictionary will also be created for contents like ByteRange, Contents, SubFilter etc.
  2. If it is a subsequent signature, I need to add the Certs, CRL and OCSPs for previous signature to existing DSS dictionary.
  3. For Signature Timestamps, I just need to add certs, CRLs and OCSPs to DSS dictionary along with existing revocation info.

Please confirm if my understanding is correct or if I am missing anything. Also, please suggest code samples for fetching the certs, CRLs and OCSPs for timestamp signatures and embedding them in the DSS dictionary to make it LTV enabled.

I have read the specs and tried PDFBox samples but those timestamp signatures are not updating the DSS dictionary.

Qazazazaz
  • Which examples did you try? One specifically deals with DSS. – Tilman Hausherr Jul 06 '23 at 08:16
  • In particular, did you try the `AddValidationInformation` example? Also please share a PDF with a timestamp for which the example does not work as expected? – mkl Jul 06 '23 at 08:30
  • Using `AddValidationInformation` I can only add Revocation information after my timestamp signature has been completed. How can I add it while signing the PDF only? I don't want to first sign it, then save it and then update DSS. Instead, I want all that as a single transaction. @mkl – Qazazazaz Jul 06 '23 at 11:54
  • Is there any sample where we can add Revocation Information in DSS while applying the timestamp directly without saving the signature? For example, updating DSS while running the samples `CreateSignedTimeStamp` and `CreateEmbeddedTimeStamp`? – Qazazazaz Jul 06 '23 at 12:04
  • That completely depends on the validation model your PKI and your signature need to support and your ahead-of-time knowledge about the workings of the TSA server. E.g., if you want to create signatures and time stamps that need to be validated according to ETSI validation policies (i.e. in a European interoperable qualified context), you have to provide fresh revocation data produced _after_ the time stamp time. Also some TSAs have many TSUs that process requests round-robin; to add revocation information early you'd need to provide them for all TSU certificates. – mkl Jul 06 '23 at 15:50
  • If your use case allows adding revocation information early (so they strictly are slightly outdated at the time of signing/time stamping) and you know ahead of time which certificates are of interest, you can take the `AddValidationInformation` example and modify it, so it does not collect validation related information for existing signatures but for the signatures you want to apply. Obviously, you cannot create VRI dictionaries; fortunately, though, they meanwhile have become optional, even deprecated. – mkl Jul 06 '23 at 16:01
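
An added example (not code from the question or from the PDFBox project) of the approach mkl describes in the last comment: certificates, CRLs and OCSP responses for the signer/TSA chain are collected ahead of time as DER bytes and written into the catalog's DSS dictionary before the single `saveIncremental()` that applies the signature or document timestamp, so no second save and no VRI dictionary are needed. It assumes the PDFBox 2.0.x API (the one the `AddValidationInformation` example uses); the class name `DssPreloader`, its method names and the caller-supplied byte lists are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.List;

import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.common.PDStream;

/** Hypothetical helper: appends pre-fetched DER-encoded certs, CRLs and OCSP
 *  responses to /DSS so they land in the same incremental update as the
 *  signature or DocTimeStamp created by the following saveIncremental(). */
public final class DssPreloader {

    /** Call before document.saveIncremental(); all inputs must be DER bytes. */
    public static void addToDss(PDDocument doc, List<byte[]> certs,
            List<byte[]> crls, List<byte[]> ocsps) throws IOException {
        COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
        COSDictionary dss = (COSDictionary) catalog.getDictionaryObject(COSName.DSS);
        if (dss == null) {
            dss = new COSDictionary();          // first LTV-enabled signature
            catalog.setItem(COSName.DSS, dss);
        }
        // Entries left by previous signatures are kept; new ones are appended.
        append(doc, dss, COSName.CERTS, certs);
        append(doc, dss, COSName.CRLS, crls);
        append(doc, dss, COSName.OCSPS, ocsps);
        // Every touched object must be flagged or saveIncremental() omits it.
        dss.setNeedToBeUpdated(true);
        catalog.setNeedToBeUpdated(true);
    }

    private static void append(PDDocument doc, COSDictionary dss, COSName key,
            List<byte[]> items) throws IOException {
        if (items == null || items.isEmpty()) {
            return;
        }
        COSArray array = (COSArray) dss.getDictionaryObject(key);
        if (array == null) {
            array = new COSArray();
            dss.setItem(key, array);
        }
        for (byte[] der : items) {
            // Each DER blob becomes its own (flate-compressed) stream object.
            PDStream stream = new PDStream(doc, new ByteArrayInputStream(der), COSName.FLATE_DECODE);
            array.add(stream.getCOSObject());
        }
        array.setNeedToBeUpdated(true);
    }
}
```

The revocation data written this way necessarily predates the timestamp, so, as mkl notes, this only satisfies validation policies that accept such data; for ETSI-style validation the `AddValidationInformation` pass after timestamping remains necessary.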

0 Answers