intoolswetrust / jsignpdf

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features.
https://intoolswetrust.github.io/jsignpdf/

Force OCSP or CRL if OCSP not available on timestamps #95

Open JohnPlanetary opened 2 years ago

JohnPlanetary commented 2 years ago

I already have PDFs signed where the timestamp is no longer valid because the OCSP/CRL response was not included in the PDF.

Is it possible to add an option to force JSignPDF to download and incorporate into the final PDF the OCSP response or CRL (if OCSP is not available) of the timestamp, so that in the future, even after the expiry date, it is possible to verify that the timestamp was valid at the time of the signature?

Currently I can only do that if I choose the option "Not certified" and then open "Adobe Acrobat Reader DC", force "Add verification information" and then "Save as..." to incorporate the answer into the PDF file permanently... otherwise the information is not added.

Of course, if the timestamp certificate is a root, it won't have any OCSP/CRL to check. Say http://tsa.belgium.be/connect is a root certificate and won't use OCSP/CRL. But http://timestamp.digicert.com will use OCSP/CRL because it is not using the root certificate to sign.

Until PAdES B-LTA is integrated in JSignPDF (if ever), this at least does something to help achieve true LTV.

Of course, PAdES B-LTA would need the same level of attention. I've noticed another application (from a government) that applies PAdES B-LTA but doesn't incorporate OCSP/CRL on the signature timestamp... because they use a root certificate for the timestamp, but if a person uses another timestamp authority the information won't be included.

JohnPlanetary commented 2 years ago

I investigated in more detail, and the http://tsa.belgium.be/connect certificate is not a root; it's just that Adobe doesn't show the sub-CA and root CA above it and shows just that one, making it impossible to add the OCSP/CRL after the signature because it thinks it is a root certificate. The DigiCert one is shown properly with the root and sub-CA, and in that one it is possible to add the information.
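The selection rule the request describes (OCSP first, CRL only when no responder is advertised), applied to every certificate of a timestamp authority's chain, as an added example that is not JSignPDF's own code. It uses BouncyCastle's X.509 extension classes; the chain ordering, the class name TsaRevocationPlan and the output format are assumptions. A self-signed certificate yields nothing to embed, which is the root-versus-intermediate distinction both comments turn on: a viewer that hides the intermediates makes an intermediate look like a root and skips exactly the data LTV needs.

```java
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;

public final class TsaRevocationPlan {
    /** One line per chain certificate: "<subject> -> OCSP <url>", "... -> CRL <url>" or "... -> NONE ...". */
    public static List<String> plan(List<X509Certificate> tsaChain) throws CertificateEncodingException {
        List<String> out = new ArrayList<>();
        for (X509Certificate cert : tsaChain) {
            String subject = cert.getSubjectX500Principal().getName();
            if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) { // trust anchor
                out.add(subject + " -> NONE (self-signed root: nothing to download or embed)");
                continue;
            }
            Extensions exts = new JcaX509CertificateHolder(cert).getExtensions();
            String ocsp = exts == null ? null : ocspUrl(exts);                 // preferred source
            String crl = (ocsp != null || exts == null) ? null : crlUrl(exts); // fallback only if no OCSP
            if (ocsp != null) out.add(subject + " -> OCSP " + ocsp);
            else if (crl != null) out.add(subject + " -> CRL " + crl);
            else out.add(subject + " -> NONE (no AIA/CDP: this timestamp cannot be made LTV)");
        }
        return out;
    }
    // First OCSP responder URI in the Authority Information Access extension, or null.
    static String ocspUrl(Extensions exts) {
        AuthorityInformationAccess aia = AuthorityInformationAccess.fromExtensions(exts);
        if (aia == null) return null;
        for (AccessDescription ad : aia.getAccessDescriptions()) {
            GeneralName loc = ad.getAccessLocation();
            if (X509ObjectIdentifiers.id_ad_ocsp.equals(ad.getAccessMethod())
                    && loc.getTagNo() == GeneralName.uniformResourceIdentifier) return loc.getName().toString();
        }
        return null;
    }
    // First URI-form CRL Distribution Point, or null (directory-name points are skipped).
    static String crlUrl(Extensions exts) {
        CRLDistPoint cdp = CRLDistPoint.fromExtensions(exts);
        if (cdp == null) return null;
        for (DistributionPoint dp : cdp.getDistributionPoints()) {
            DistributionPointName dpn = dp.getDistributionPoint();
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) continue;
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) return gn.getName().toString();
            }
        }
        return null;
    }
}
```

Feed it the TSA signing certificate followed by its issuers (taken from the timestamp token's SignedData, not from what a viewer displays) to see which responses a PDF would need to carry in its DSS before the TSA certificate expires.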