EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Same code, different results

Posted: 12/22/2009 15:12:59
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

I run the same code (C# and .NET SBB) to certify PDF documents using certificates on tokens from two different issuers. One token contains the certificate and CA, while the other contains the certificate, CA and Adobe Root CA. Both with timestamping. The documents certified using the first token are fine. However, the documents certified with the second token, when opened in Adobe Standard 9.2.0, show in Signature Panel that the certificate is valid, but "revocation of client's signature could not be checked". Can you please tell me why Adobe fails to check the revocation? Is there something I need to specify in my code?
Thank you
Posted: 12/22/2009 22:21:38
by Ken Ivanov (Team)

Thank you for contacting us.

When validating the signature, Adobe Reader attempts to check that the certificate that has been used to create the signature was not revoked at the moment of signing. Revocation check is performed in the following way:
1) Adobe Reader downloads the CRL (certificate revocation list) or OCSP response from the location specified in the signing certificate and checks that the certificate is not present in the revoked certificates list.
2) The signer can include necessary revocation information himself on the stage of signing. This will allow recipients to check revocation without a need to download revocation objects (in other words, this method does not require recipients to have Internet access).

Regarding your particular case, it is likely that Adobe Reader succeeds to download revocation information for the first certificate, but fails to do it for the second one. Having the certified document we would be able to tell more about why it fails to do it for the second certificate.
Posted: 01/18/2010 17:32:50
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

Sorry for the delay.

After a few more tests I noticed that, when not behind a proxy, Adobe was able to validate both documents, which appears to be the culprit. It sounds like a good idea to save the revocation information at the time of signing.

Thank you,
Posted: 01/19/2010 07:02:41
by Ken Ivanov (Team)

Great, thank you for letting us know.



Topic viewed 1024 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!