EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PDF document timestamp - how to obtain time

#23531
Posted: 02/19/2013 04:19:53
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Hello,

If I verify a PDF document timestamp, I don't know how to get the time obtained from the timestamp server. There is a sample application "PAdES". It shows document signatures (a document timestamp is a document signature in fact) and their times. In the case of a document timestamp, the time is obtained from the TElPDFSignature.SigningTime property, which is just the local machine time. In the case of normal document signatures, the time must be obtained from the signature timestamp, if present. But this is, of course, totally unusable in the case of a document timestamp.
#23532
Posted: 02/19/2013 05:01:28
by Ken Ivanov (EldoS Corp.)

Lukas,

Depending on the time you wish to get, you should obtain it in different ways.

TElPDFSignature.SigningTime returns the time that was embedded into the signature by the signer. As it is no problem for the signer to set it to any value, you generally cannot trust this time.

If a signature is timestamped with an external TSA, there is an additional time indicator, included to the timestamp. You can read it, together with other timestamp details, via the Timestamps[] property of the handler.

Please also note that you must not trust times encapsulated into signature timestamps just "because it's a timestamp". Instead, you should verify that the chain of the used TSA ends up with a trusted CA certificate, and that the TSA certificate itself was valid (and not revoked or expired) at the moment of signing. Only then you will be able to trust the time stated in the timestamp.

Document timestamp is a separate entity, whose goal is extending document validity in time - e.g. if certificate chains used for signing the document become expired or revoked, or if a cryptographic algorithm weakens. Document timestamps have no relation to the time when the document was signed.
#23533
Posted: 02/19/2013 07:38:16
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Quote
Document timestamps have no relation to the time when the document was signed.


There is a rule of archiving: the first archival timestamp must be added before the signature timestamp certificate expires. If an archival timestamp didn't contain a time, how would a validator be able to check that it was added before the signature timestamp certificate expired?

I have no experience with verification of archived signatures. Can you refer me somewhere I can find it or give me a hint?
#23544
Posted: 02/20/2013 01:09:25
by Ken Ivanov (EldoS Corp.)

Lukas,

Archival timestamps *do* contain time, however, this time is in general unrelated to the document signing time. Expiration of TSA certificate is only one of the reasons for placing a document timestamp into the document. Depending on the signature policy, document timestamps may be bound to particular events in local PKI environment's life and be added more or less frequently.

Archival signature validation process is fairly straightforward:

1. Validate the 'main' (document) signature and the signature timestamp at the moment of signing (as reported in the signature timestamp).

2. Validate all the document timestamps, in order, ensuring that each subsequent timestamp was created before the expiration of the certificate the previous timestamp was made with, and in accordance with the details of local signature policy.

All the validations assume that you perform full certificate chain validation at the moment when a particular entity (signature, timestamp, document timestamp) was created.
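The ordering rule from step 2, written out as an added example (this is not SecureBlackbox code): the token structure, its field names and the sample dates are all assumed/constructed, and full chain and revocation validation of each TSA certificate is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class TimestampToken:
    """Hypothetical minimal view of a timestamp token: the TSA's genTime plus
    the validity window of the TSA certificate that signed the token."""
    label: str
    gen_time: datetime          # time asserted by the TSA
    tsa_not_before: datetime    # TSA certificate validity start
    tsa_not_after: datetime     # TSA certificate validity end

def tsa_cert_valid_at(tok: TimestampToken) -> bool:
    # The TSA certificate must have been inside its validity period when the
    # token was produced; revocation checking is assumed to be done elsewhere.
    return tok.tsa_not_before <= tok.gen_time <= tok.tsa_not_after

def validate_archival_chain(signature_ts: TimestampToken,
                            doc_timestamps: list[TimestampToken]) -> tuple[bool, str]:
    """Walk the chain in order: the signature timestamp first, then each
    document timestamp. Every document timestamp must have been created
    while the TSA certificate of the previous token was still valid."""
    if not tsa_cert_valid_at(signature_ts):
        return False, f"{signature_ts.label}: TSA certificate not valid at genTime"
    previous = signature_ts
    for tok in doc_timestamps:
        if not tsa_cert_valid_at(tok):
            return False, f"{tok.label}: TSA certificate not valid at genTime"
        if tok.gen_time < previous.gen_time:
            return False, f"{tok.label}: genTime precedes {previous.label}"
        if tok.gen_time > previous.tsa_not_after:
            return False, (f"{tok.label}: created after {previous.label}'s "
                           f"TSA certificate expired")
        previous = tok
    return True, "archival chain is continuous"

# Constructed sample data, not real tokens.
def _d(y: int, m: int = 1) -> datetime:
    return datetime(y, m, 1)

SIG_TS = TimestampToken("signature-ts", _d(2013, 2), _d(2012), _d(2015))
GOOD_CHAIN = [
    TimestampToken("doc-ts-1", _d(2014, 12), _d(2013), _d(2017)),
    TimestampToken("doc-ts-2", _d(2016, 11), _d(2015), _d(2019)),
]
# doc-ts-1 here was added after the signature timestamp's TSA cert expired
GAPPED_CHAIN = [TimestampToken("doc-ts-1", _d(2015, 6), _d(2013), _d(2017))]

if __name__ == "__main__":
    print(validate_archival_chain(SIG_TS, GOOD_CHAIN))
    print(validate_archival_chain(SIG_TS, GAPPED_CHAIN))
```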
#23563
Posted: 02/20/2013 04:01:39
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Quote
Validate all the document timestamps, in order, ensuring that each subsequent timestamp was created before the expiration of the certificate the previous timestamp was made with


But how can I ensure that each subsequent timestamp was created before the expiration of the certificate the previous timestamp was made with? I need to compare the previous timestamp's certificate expiration time with the following timestamp's creation time. And that returns us to my original question: how can I get a reliable document timestamp time? In other words, how can I get a reliable creation time from a TElPDFSignature instance whose PAdESSignatureType is TSBPAdESSignatureType.pastDocumentTimestamp? Thank you.
#23568
Posted: 02/20/2013 05:43:10
by Ken Ivanov (EldoS Corp.)

You can get the time from the Handler's CMS.Signatures[0].SigningTime property. We will also extend the handler declaration and publish a DocumentTimestamp property of TElClientTSPInfo type in future SecureBlackbox update for easier access to timestamp-specific information.