What is the connection between LTV and document timestamps?

Tags: digital signaturesLTVPAdESiText 5

I am confused about LTV in iText. I have read the paper, discussions but there is one thing still unclear. What is the connection between LTV and document timestamps? Or more precisely, how do I make a PDF document LTV enabled without using timestamps? One thing I know for sure, to make an LTV enabled document, I do not need timestamps. I tried signing a document with a digital certificate in acrobat and when opened it says the document is LTV enabled, I did not use any timestamp.

Posted on StackOverflow on Nov 19, 2013 by leosenko

Answer provided by mkl:

The last time I looked Adobe had not publicly defined what they mean by "LTV enabled" technically. Adobe's PDF evangelist Leonard Rosenthol gave this definition on the iText mailing list this January:

LTV enabled means that all information necessary to validate the file (minus root certs) is contained within.

which has been clarified as:

the PDF is signed correctly and contains all necessary certificates, a valid CRL or OSCP response for every certificate [except for the root certificate]

but as:

"a valid CRL or OSCP response for every certificate" also includes signatures over CRLs and OCSPs, not just the signature certificate.

he pointed out quoting one of the Adobe engineers:

LTV may be enabled when all collaterals are embedded in the signatures and not DSS (I just fixed a bug that did not handle this case correctly). In this case there may be no DSS. However, this is very unusual, because signatures over CRLs and OCSPs do not contain embedded rev info which is Adobe extension. Yet, this is a distant possibility.

Regarding your questions:

What is the connection between LTV and document timestamps?

Document time stamps and LTV information have initially been defined in the same PAdES specification part ETSI TS 102 778-4 and some ping-pong between them has been defined there:

Thus, it had been assumed sometimes that each time you add DSS you also have to add a document time stamp. This in turn may give rise to some hen-egg issue because the time stamp also relates to some certificate for which additional DSS information might be required.

As Leonard also wrote back in January on the topic of "DSS for LTV-enabled"

No timestamp (regular or document level) is required.

Thus, getting back to your questions,

Or more precisely, how do I make pdf LTV enabled without using timestamps?

Add validation information for all involved certificates except root certificates, also including certificates used in the validation information. And whenever you time stamp, add validation information for the time stamp, too.

See also: