Embedding revocation checks in signed documents

Hi,

 

I previously asked this in Help:

http://www.pdfforge.org/forum/help/8762-pdf-signatures-and-embedded-ocsp

 

I have now tested v1.4 and can set the timestamp URL. This is, though, not the same as the revocation check. Most commonly the signing certificate contains a URL to the OCSP server where revocation checks can be made. Adobe Reader checks this URL for revocation. The same OCSP response can however be embedded in the PDF document, making it suitable for long-term archiving or off-line reading.

 

Are there any plans to include this feature in PDFCreator?


Cheers,
Tomas

 

Hello,

We will have to speak to the iText team about this. Do you know how this works technically or have access to documentation on this?

kind regards,
Philip

Aha, iText, great. We have code for this in SignServer, using Java iText.

It is in the PDFSigner.java module, see:

http://signserver.svn.sourceforge.net/viewvc/signserver/trunk/signserver/modules/SignServer-Module-PDFSigner/src/java/org/signserver/module/pdfsigner/PDFSigner.java?revision=1982&view=markup

Look for the com.lowagie.text.pdf.OcspClientBouncyCastle.

Basically you need a URL for the OCSP server and the signer certificate chain; then the OCSP response is added to the authenticated attributes in the signature.

Cheers,

Tomas
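
The flow described in the last post, as an added example that is not SignServer's or PDFCreator's own code: it fetches the OCSP response for the signer certificate and places it in the authenticated attributes of a detached PKCS#7 PDF signature. It assumes the iText 2.1.x `com.lowagie` API with Bouncy Castle on the classpath; the class name `OcspEmbeddingSketch`, the `sign` method, the SHA-256 choice and the 15000-byte reservation are assumptions made for illustration.

```java
import com.lowagie.text.pdf.*;
import java.io.*;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.HashMap;

public class OcspEmbeddingSketch { // hypothetical class name
    // chain[0] is the signer certificate, chain[1] its issuer.
    public static void sign(String src, String dest, PrivateKey pk, Certificate[] chain)
            throws Exception {
        PdfStamper stp = PdfStamper.createSignature(new PdfReader(src), new FileOutputStream(dest), '\0');
        PdfSignatureAppearance sap = stp.getSignatureAppearance();
        sap.setCrypto(null, chain, null, PdfSignatureAppearance.SELF_SIGNED);
        PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, new PdfName("adbe.pkcs7.detached"));
        dic.setDate(new PdfDate(sap.getSignDate()));
        sap.setCryptoDictionary(dic);
        int reserved = 15000; // assumed room for signature plus OCSP response
        HashMap exc = new HashMap();
        exc.put(PdfName.CONTENTS, new Integer(reserved * 2 + 2)); // hex string + delimiters
        sap.preClose(exc);
        // Digest the byte ranges of the document that the signature covers.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        InputStream data = sap.getRangeStream();
        byte[] buf = new byte[8192];
        for (int n; (n = data.read(buf)) > 0; ) md.update(buf, 0, n);
        byte[] hash = md.digest();
        // OCSP URL comes from the signer certificate; the issuer is needed for the request.
        byte[] ocsp = null;
        if (chain.length >= 2) {
            X509Certificate signer = (X509Certificate) chain[0];
            String url = PdfPKCS7.getOCSPURL(signer);
            if (url != null && url.length() > 0)
                ocsp = new OcspClientBouncyCastle(signer, (X509Certificate) chain[1], url).getEncoded();
        }
        // Fail closed: do not emit a signature that lacks the revocation evidence.
        if (ocsp == null) throw new IOException("no OCSP response obtained");
        PdfPKCS7 sgn = new PdfPKCS7(pk, chain, null, "SHA-256", null, false);
        Calendar cal = sap.getSignDate();
        byte[] sh = sgn.getAuthenticatedAttributeBytes(hash, cal, ocsp); // OCSP is a signed attribute
        sgn.update(sh, 0, sh.length);
        byte[] sig = sgn.getEncodedPKCS7(hash, cal, null, ocsp); // null: no timestamp client here
        if (sig.length > reserved) throw new IOException("signature larger than reserved space");
        byte[] padded = new byte[reserved];
        System.arraycopy(sig, 0, padded, 0, sig.length);
        PdfDictionary dic2 = new PdfDictionary();
        dic2.put(PdfName.CONTENTS, new PdfString(padded).setHexWriting(true));
        sap.close(dic2);
    }
}
```

Passing a `TSAClient` instead of `null` to `getEncodedPKCS7` would add the timestamp from the URL mentioned in the first post alongside the embedded OCSP response.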