Acrobat adds unusable OCSP to documents with long-term validation
Due to OCSP caching, Acrobat most of the time adds stale OCSP to digitally signed documents with long-term validation (LTV).
PAdES-LT and -LTA profiles require the signature to include a qualified timestamp, and the OCSP's thisUpdate time must be AFTER the signature time as certified by the qualified timestamp - otherwise the OCSP can't be used for signature validation.
Thus, when adding LTV data to signed documents, Acrobat should always check:
1) whether the signature contains qualified timestamp
2) whether OCSP's thisUpdate time is AFTER the timestamp time (it's not allowed to consider any clock skew here since qualified timestamp servers and OCSP responders should be synchronized to precise time source)
Please note that caching could occur not just in Acrobat, but also on OCSP servers, which can return responses with thisUpdate being in the past like this:
Produced At: Dec 12 16:40:29 2020 GMT
This Update: Dec 12 16:40:20 2020 GMT
Next Update: Dec 12 16:50:20 2020 GMT
Such OCSP can't be used to validate a signature created at Dec 12 16:40:28 2020 GMT!
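The two checks described above, as an added example that is not part of this bug report or of Acrobat: it parses the `Produced At` / `This Update` / `Next Update` lines in the text form shown, and rejects the response for LTV use if the signature has no qualified timestamp or if thisUpdate is not strictly after the timestamp time (no clock-skew allowance). The timestamp time is assumed to have been extracted from the signature's timestamp token separately.

```python
from datetime import datetime, timezone

# Time format used in the text dump shown above, e.g. "Dec 12 16:40:20 2020 GMT".
OCSP_TEXT_TIME = "%b %d %H:%M:%S %Y GMT"
OCSP_TIME_FIELDS = ("Produced At", "This Update", "Next Update")


def parse_ocsp_time(value):
    """Parse one OCSP time string into a timezone-aware UTC datetime."""
    normalised = " ".join(value.split())  # collapse padding around single-digit days
    return datetime.strptime(normalised, OCSP_TEXT_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text):
    """Extract producedAt/thisUpdate/nextUpdate from a text dump of an OCSP response."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in OCSP_TIME_FIELDS:
            fields[key.strip()] = parse_ocsp_time(value)
    if "This Update" not in fields:
        raise ValueError("OCSP dump has no 'This Update' line")
    return fields


def ocsp_usable_for_ltv(ocsp, timestamp_time):
    """Return (usable, reason). timestamp_time is the time certified by the
    qualified timestamp token, or None when the signature carries no timestamp."""
    if timestamp_time is None:
        return False, "signature has no qualified timestamp"
    this_update = ocsp["This Update"]
    # Strict comparison: TSA and OCSP responder are expected to share a precise
    # time source, so no skew tolerance is granted here.
    if this_update <= timestamp_time:
        return False, (f"thisUpdate {this_update:%Y-%m-%d %H:%M:%S} is not after "
                       f"timestamp time {timestamp_time:%Y-%m-%d %H:%M:%S}")
    next_update = ocsp.get("Next Update")
    if next_update is not None and next_update <= this_update:
        return False, "nextUpdate is not after thisUpdate"
    return True, "ok"


# Constructed sample: the stale response quoted in the report, checked against a
# signature timestamped at Dec 12 16:40:28 2020 GMT.
STALE_OCSP = """Produced At: Dec 12 16:40:29 2020 GMT
This Update: Dec 12 16:40:20 2020 GMT
Next Update: Dec 12 16:50:20 2020 GMT"""
SIGNATURE_TS = parse_ocsp_time("Dec 12 16:40:28 2020 GMT")

if __name__ == "__main__":
    print(ocsp_usable_for_ltv(parse_ocsp_text(STALE_OCSP), SIGNATURE_TS))
```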
-
Marian Ďurkovič commented
Any news on this bug report?