PAdES Long Term Validation
PAdES (PDF Advanced Electronic Signatures) is a set of restrictions and extensions to PDF making it suitable for Electronic Signatures.
- The signature is included in a data structure in the PDF as a CMS binary encoded object
- Validation Data is the data necessary to validate an electronic signature: CA Certificate(s), OCSP, CRL
- A LTV (Long-Term Validation) signature is valid after the signing certificate has expired, even after the Validation Data is no longer available online
To issue a PAdES-conformant LTV signature with Swisscom's All-In Signing Service:
- the SignatureStandard element must be set to PAdES in order for AIS to correctly process and embed in the signature object the corresponding attributes as defined by the standard
- the AddTimestamp element must be present, in order for the timestamp to be included in the signature
- the AddRevocationInformation element must be present so the validation information is delivered by the service
- for CMS signatures (both static and on-demand) the type of the AddRevocationInformation is not necessary, since it will automatically match the defined signature standard.
```json
"SignRequest": {
  ...
  "OptionalInputs": {
    "AddTimestamp": {
      "@Type": "urn:ietf:rfc:3161"
    },
    "AdditionalProfile": [
      "http://ais.swisscom.ch/1.0/profiles/batchprocessing",
      "urn:oasis:names:tc:dss:1.0:profiles:timestamping",
      "http://ais.swisscom.ch/1.0/profiles/ondemandcertificate",
      "urn:oasis:names:tc:dss:1.0:profiles:asynchronousprocessing",
      "http://ais.swisscom.ch/1.1/profiles/redirect"
    ],
    "ClaimedIdentity": {
      "Name": "ais-90days-trial-withRAService:OnDemand-Advanced"
    },
    "SignatureType": "urn:ietf:rfc:3369",
    "sc.AddRevocationInformation": {
      "@Type": "BOTH"
    },
    "sc.CertificateRequest": {
      "sc.DistinguishedName": "cn=TEST Peter Amrhyn, givenname=Peter, surname=Amrhyn, c=CH, serialnumber=RAS5b4c4cc656c7480009281eff",
      "sc.StepUpAuthorisation": {
        "sc.Phone": {
          "sc.Language": "en",
          "sc.MSISDN": "41799452016",
          "sc.Message": "Please confirm the signing of the tax document"
        }
      }
    }
  }
}
```
To ensure your signed PDF is LTV-enabled:
You must ensure that the Validation Information is included in the document. Considerations:
- For PAdES signatures, the Validation Information is embedded in the signature object as an unauthenticated attribute
- However: the timestamp validation information must also be available in the document
- Since the timestamp is a CAdES signature, its validation information is delivered as a separate object in the OptionalOutputs element
- It is up to the signing application (i.e. the one invoking the service) to embed this validation information in the PDF
```json
"SignResponse": {
  "@RequestID": "2020-08-11T11:25:41.145+0200",
  "@Profile": "http://ais.swisscom.ch/1.1",
  "Result": {"ResultMajor": "urn:oasis:names:tc:dss:1.0:resultmajor:Success"},
  "OptionalOutputs": {"sc.RevocationInformation": {
    "sc.CRLs": {"sc.CRL": "MIIFbT...sgEnCA=="},
    "sc.OCSPs": {"sc.OCSP": "MIIItw...0lUAuO"}
  }},
  "SignatureObject": {"Base64Signature": {
    "@Type": "urn:ietf:rfc:3369",
    "$": "MII8Fg...CNAVmw="
  }}
}
```
The delivered OCSPs and CRLs must be included in the DSS (Document Security Store) dictionary object. See the PDF specification for further information.
To ensure your signed PDF is PAdES-B-T compliant:
You must set the subfilter to the PAdES-defined "ETSI.CAdES.detached" (and NOT "adbe.pkcs7.detached")
In case you need your signed PDF to be PAdES LTA compliant:
The document must include two timestamps:
- The one included in the signature; this is already ensured by AIS if the "AddTimestamp" element is included in the sign request as described above
- An additional one, issued by timestamping the already signed document, i.e. by sending an additional sign request with timestamp as the signature type
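The following is an added example, not code from Swisscom AIS or from this page: a minimal structural lint that checks a produced PDF against the requirements above (PAdES subfilter, a DSS dictionary carrying the delivered OCSPs/CRLs, and a document timestamp for LTA). The sample PDF byte strings are constructed for the example, and the check assumes the relevant dictionaries are not hidden inside compressed object streams; it does not verify any signature cryptographically.

```python
import re

# Regexes over the raw PDF bytes (assumes uncompressed dictionaries).
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.#]+)")
DSS_RE = re.compile(rb"/Type\s*/DSS")
OCSPS_RE = re.compile(rb"/OCSPs\s*\[([^\]]*)\]")
CRLS_RE = re.compile(rb"/CRLs\s*\[([^\]]*)\]")
REF_RE = re.compile(rb"\d+\s+\d+\s+R")  # indirect object references


def check_pades_ltv(pdf: bytes) -> dict:
    """Report which PAdES B-T / LTV / LTA structures a PDF contains."""
    subfilters = [m.group(1).decode() for m in SUBFILTER_RE.finditer(pdf)]
    # PAdES signatures must use ETSI.CAdES.detached; adbe.pkcs7.detached is the legacy PDF filter.
    pades_sigs = subfilters.count("ETSI.CAdES.detached")
    legacy_sigs = subfilters.count("adbe.pkcs7.detached")
    # A PAdES document timestamp (/DocTimeStamp) uses the ETSI.RFC3161 subfilter.
    doc_timestamps = subfilters.count("ETSI.RFC3161")
    dss_present = DSS_RE.search(pdf) is not None
    ocsp_count = sum(len(REF_RE.findall(m.group(1))) for m in OCSPS_RE.finditer(pdf))
    crl_count = sum(len(REF_RE.findall(m.group(1))) for m in CRLS_RE.finditer(pdf))
    ltv_ok = pades_sigs > 0 and dss_present and (ocsp_count + crl_count) > 0
    return {
        "pades_signatures": pades_sigs,
        "legacy_signatures": legacy_sigs,
        "dss_present": dss_present,
        "ocsp_count": ocsp_count,
        "crl_count": crl_count,
        "document_timestamps": doc_timestamps,
        "ltv_ok": ltv_ok,
        "lta_ok": ltv_ok and doc_timestamps >= 1,  # LTA needs the second, document-level timestamp
    }


# Constructed samples (not real PDFs): only the dictionaries the check inspects are present.
PDF_LEGACY_NO_DSS = (
    b"%PDF-1.7\n"
    b"5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached /Contents <3082> >> endobj\n"
    b"%%EOF\n"
)
PDF_PADES_LTA = (
    b"%PDF-1.7\n"
    b"5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached /Contents <3082> >> endobj\n"
    b"20 0 obj << /Type /DSS /OCSPs [21 0 R] /CRLs [22 0 R] >> endobj\n"
    b"30 0 obj << /Type /DocTimeStamp /Filter /Adobe.PPKLite /SubFilter /ETSI.RFC3161 /Contents <3082> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(check_pades_ltv(PDF_LEGACY_NO_DSS))
    print(check_pades_ltv(PDF_PADES_LTA))
```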
https://en.wikipedia.org/wiki/PDF