Validation in Adobe Acrobat
Throughout this tutorial, we'll be using the document you can find in the link below. Download it so you can follow and repeat all steps on your own:
As you can see, on opening the document Adobe tells us the signature is valid:
But let's take a closer look. If we click on Signature Panel, we can find more detailed information on the signature itself:
The first thing we notice is that the document has been signed twice, once by me:
and once by a Time Stamping Authority (TSA):
Both signatures have a Source of Trust, defined automatically by the digital certificate used. In our example, since we used a digital certificate from a Belgian Identity Card, the listed Source of Trust is the European Union Trusted Lists (EUTL), a document issued by the EU which contains information about which certificates we can safely trust from each EU Member State.
When we take a closer look at the first signature by clicking on certificate details:
You can see that the certificate used to sign this document is part of a chain of certificates; the personal citizen certificate was signed by the Citizen CA certificate, which in turn was signed by the Belgium Root CA3 certificate.
How do we know we can trust the Belgium Root CA3 certificate, you may ask? If you guessed "Thanks to the EUTL", you'd be right.
The second signature, by the Time Stamping Authority (TSA), is also part of a certificate chain leading back to a certificate trusted by the EUTL, in this case the Belgium Root CA4 certificate.
As you may have noticed, the TSA signature is marked as LTV enabled, while the citizen signature is not. What does this mean?
It means that while the citizen signature is valid, it does not contain the Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) information that was in effect at the moment the signature was created. If we try to validate my signed document in 50 years, this information may no longer be available online. When Adobe tells us that the signature is LTV enabled (short for Long Term Validation), it means that all of the necessary information to verify the signature in the future is included in the signature itself. Isn't that neat?
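To look for that embedded revocation data outside of Acrobat, the following Python sketch (an added example, not part of the original tutorial and not Adobe's validation logic) scans a PDF's uncompressed objects for each signature's SubFilter and for Adobe's revocationInfoArchival attribute inside the signature, plus CRL/OCSP entries in a document-level DSS dictionary. It is a heuristic that assumes the relevant objects are not stored in compressed object streams; the function names and the sample bytes are constructed for illustration.

```python
import re

# DER bytes of OID 1.2.840.113583.1.1.8 (Adobe's revocationInfoArchival attribute).
REVINFO_OID = bytes.fromhex("06092a864886f72f010108")

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([\w.]+)")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")


def _contents_bytes(body: bytes) -> bytes:
    """Decode the hex-encoded /Contents (the CMS blob or timestamp token)."""
    m = CONTENTS_RE.search(body)
    if not m:
        return b""
    hexdigits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
    if len(hexdigits) % 2:          # PDF treats a missing final hex digit as 0
        hexdigits += "0"
    return bytes.fromhex(hexdigits)


def ltv_evidence(pdf: bytes) -> dict:
    """Heuristic scan of uncompressed PDF objects for embedded revocation data."""
    signatures = []
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(1)
        sub = SUBFILTER_RE.search(body)
        if not sub:
            continue                # not a signature dictionary
        signatures.append({
            "subfilter": sub.group(1).decode("ascii"),
            "embedded_revocation": REVINFO_OID in _contents_bytes(body),
        })
    # Document-level store (DSS) that can carry CRLs and OCSP responses.
    keys = set(re.findall(rb"/(CRLs|OCSPs)\b", pdf)) if b"/DSS" in pdf else set()
    return {"signatures": signatures,
            "dss_revocation_keys": sorted(k.decode("ascii") for k in keys)}


# Constructed sample objects (not taken from the tutorial's document).
SAMPLE = (
    b"5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached"
    b" /Contents <3082010006092a864886f70d010702000000> >> endobj\n"
    b"7 0 obj << /Type /DocTimeStamp /SubFilter /ETSI.RFC3161"
    b" /Contents <308006092A864886F72F0101083000> >> endobj\n"
)

if __name__ == "__main__":
    for sig in ltv_evidence(SAMPLE)["signatures"]:
        print(sig)
```

Finding the attribute or DSS entries only shows that revocation data is present; whether it covers every certificate in the chain still has to be checked by a full validator such as Acrobat.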