Discuss this help topic in SecureBlackbox Forum

LTV-enabled signatures

The term LTV (Long-Term Validation) means that all information needed to validate the signature (except the root certificates) is contained within the PDF file itself. At a minimum, the file should contain enough information for the signature to remain verifiable far into the future. Because validation information expires with time and must be refreshed periodically, the length of that 'long' period makes the LTV concept somewhat open-ended.

The PAdES (PDF Advanced Electronic Signatures) standard extends the generic PDF signature mechanism to address the growing demand for native long-term digital signature capabilities. In particular, the standard introduces provisions for signature archival and update operations. To create an LTV-enabled signature in SecureBlackbox, first create a PAdES signature using the TElPDFAdvancedPublicKeySecurityHandler component. This signature should include a timestamp from a trusted TSA that confirms the signing time, and all validation information should be embedded as well. More information about PAdES signatures, along with code examples, can be found in this article.

Note that a document signed in this way must be updated regularly to keep pace with changes in cryptography. On each update, a timestamp certifying both the document's content and the time of the update must be appended to the document (ETSI TS 102-778-4). As a result, the document may accumulate a collection of timestamp signatures, each of which certifies the document and all preceding signatures with a present-day algorithm and key.

To check whether a document contains all necessary validation information, try to validate the signature without consulting any external sources. To do this, set the DeepValidation and ForceCompleteChainValidation properties of TElPDFAdvancedPublicKeySecurityHandler to True; set the OfflineMode property of the TElX509CertificateValidator object in use to True, and set its UseSystemStores property to False. Remember to provide the trusted CA certificates to the validator separately via the AddTrustedCertificates() method to avoid trust problems during validation.
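The offline check described above, written out as an added Delphi example (this is not code from the help topic or from the SecureBlackbox samples). Only DeepValidation, ForceCompleteChainValidation, OfflineMode, UseSystemStores and AddTrustedCertificates come from the text; TElPDFDocument with its Open/SignatureCount/Signatures members, TElMemoryCertStorage, the OnCertificateValidate event, the Validate method signatures and the unit names are assumed from typical SecureBlackbox usage and should be checked against the declarations shipped with your version.

```pascal
uses
  SysUtils, Classes,
  SBTypes, SBX509, SBCustomCertStorage, SBMemoryCertStorage,
  SBCertValidator, SBPDF, SBPDFSecurity;

type
  // Helper that routes the handler's certificate checks through an
  // offline-only TElX509CertificateValidator, so a missing intermediate
  // certificate or missing revocation data surfaces as a validation failure.
  TOfflineLTVChecker = class
  private
    FValidator: TElX509CertificateValidator;
    // Assumed signature of TElPDFAdvancedPublicKeySecurityHandler.OnCertificateValidate;
    // verify it against your installed SecureBlackbox declaration.
    procedure OnCertValidate(Sender: TObject; Certificate: TElX509Certificate;
      AdditionalCertificates: TElCustomCertStorage;
      var Validity: TSBCertificateValidity;
      var Reason: TSBCertificateValidityReason; var DoContinue: TSBBoolean);
  public
    // Returns True only if every signature in PdfPath validates with no
    // network access and with only the supplied CA certificates trusted.
    function Check(const PdfPath: string; TrustedCAs: TElCustomCertStorage): Boolean;
  end;

procedure TOfflineLTVChecker.OnCertValidate(Sender: TObject;
  Certificate: TElX509Certificate; AdditionalCertificates: TElCustomCertStorage;
  var Validity: TSBCertificateValidity; var Reason: TSBCertificateValidityReason;
  var DoContinue: TSBBoolean);
begin
  // Assumed Validate parameter order: certificate, extra certificates
  // taken from the document, complete chain validation, reset cache,
  // validity moment, out validity, out reason.
  FValidator.Validate(Certificate, AdditionalCertificates, True, False, Now,
    Validity, Reason);
  DoContinue := True;
end;

function TOfflineLTVChecker.Check(const PdfPath: string;
  TrustedCAs: TElCustomCertStorage): Boolean;
var
  Doc: TElPDFDocument;
  Handler: TElPDFAdvancedPublicKeySecurityHandler;
  Stream: TFileStream;
  I: Integer;
begin
  Result := False;
  Stream := TFileStream.Create(PdfPath, fmOpenRead or fmShareDenyWrite);
  Doc := TElPDFDocument.Create(nil);
  Handler := TElPDFAdvancedPublicKeySecurityHandler.Create(nil);
  FValidator := TElX509CertificateValidator.Create(nil);
  try
    // Settings named in the help topic: no external lookups, no system
    // trust stores, trusted CA certificates supplied explicitly.
    FValidator.OfflineMode := True;
    FValidator.UseSystemStores := False;
    FValidator.AddTrustedCertificates(TrustedCAs);

    Handler.DeepValidation := True;
    Handler.ForceCompleteChainValidation := True;
    Handler.OnCertificateValidate := OnCertValidate;

    Doc.Open(Stream);                     // assumption: Open(TStream)
    if Doc.SignatureCount = 0 then Exit;  // unsigned document cannot be LTV

    Result := True;
    for I := 0 to Doc.SignatureCount - 1 do
      // Assumption: Validate returns True only for a fully valid signature,
      // including the timestamp signatures appended on each update.
      if not Handler.Validate(Doc.Signatures[I]) then
      begin
        Result := False;
        Break;
      end;
  finally
    FValidator.Free;
    Handler.Free;
    Doc.Free;
    Stream.Free;
  end;
end;
```

Call Check with a TElMemoryCertStorage holding only the root CA certificates you trust. A document that validates with OfflineMode := False but fails this check is relying on external sources and is therefore not LTV-enabled; the usual cause is revocation data or an intermediate certificate that was never embedded.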

How To articles about PDF signing
