Frequently Asked Questions - Signing and Validation

Generation of signatures, signature validation, validation protocols etc.

With Sign Live! CC, electronic signatures are created according to the international ETSI standard (PAdES) and can therefore also be verified by other applications that support this standard. This includes Adobe Acrobat Reader.

Nevertheless, signatures created with Sign Live! CC using certificates from German trust service providers are sometimes not displayed as valid by Adobe Acrobat Reader. There are various causes for this, which lie with Adobe and the respective trust service provider:

  • Deutsche Telekom AG (Telesec)
    The older Telesec signature cards use the ECDSA algorithm with Brainpool curves. These are not supported by Adobe Acrobat Reader and therefore cannot be verified. Telesec signature cards issued after February 1, 2021 use a different algorithm, which Adobe Reader recognizes. An update of Adobe Reader may be necessary.

  • DGN Deutsches Gesundheitsnetz Service GmbH
    The OCSP response that DGN generates for verification is signed with a different root certificate than the one used for the end-user certificates. This is permitted under the eIDAS Regulation, but only compatible with the ETSI standards to a limited extent. Adobe Acrobat Reader does not support this method, which is why revocation checks cannot be carried out successfully here.
    An update of Adobe Reader may possibly help.

If you need more detailed information on the verification of signatures in Adobe Acrobat Reader, please contact Adobe Systems GmbH or your trust service provider.


Status: April 2021
Created: October 2017

Created: 12.10.2017 - 13:53
Last updated: 24.06.2021 - 10:11

The product Sign Live! CC DATEV-Edition was developed in collaboration with DATEV. You can find important information under the following links:

How to digitally seal and sign an audit report, plus further links to the DATEV Marketplace:
https://www.datev.de/web/de/top-themen/wirtschaftspruefer/weitere-themen/pruefungsberichte-digital-signieren/

Article in DATEVmagazin, issue 12/2018, on the DATEV wizard for qualified signatures:
https://www.datev-magazin.de/2018-12/produkte-services-2018-12/so-signieren-sie-dokumente-digital/
Practical information from the WPK on the subject of electronic audit opinions and reports:
https://www.wpk.de/mitglieder/praxishinweise/elektronische-pruefungsvermerke-und-berichte/

The service video "Qualified digital signing of reports" describes the complete signature process in detail.
https://www.datev.de/web/de/service/self-service/servicevideo/berichte-qualifiziert-digital-signieren/

In addition to the signature software, you also need a signature card and a card reader. You can obtain the signature card from D-TRUST (Bundesdruckerei) at https://www.bundesdruckerei.de/de/bestellen. As a card reader we recommend the REINER SCT RFID komfort.

To ensure that signing from the DATEV environment works, the Sign Live! CC DATEV-Edition must be installed. Access to this version is set up individually.

The order process for the Sign Live! CC DATEV-Edition can be started at https://www.intarsys.de/DATEV-Edition-purchase.


Created: 17.08.2018
Updated: 05.06.2019

Created: 17.08.2018 - 11:20
Last updated: 05.11.2020 - 09:59

For signing from the DATEV environment, the Sign Live! CC DATEV-Edition must be installed. Otherwise, the proper execution of a signature from the DATEV environment cannot be guaranteed. The Sign Live! CC DATEV-Edition is available for download in a protected area on our homepage. The required access rights are set up individually. You will receive this information together with the license you have purchased.
You will be informed about the setup of your user data by email. If necessary, please also check your spam folder.

If you have not been granted access, please send an appropriate email to support@intarsys.de.


Created: 30.04.2020
Updated: 30.04.2020

Created: 30.04.2020 - 10:39
Last updated: 05.11.2020 - 09:59

PDF documents can be signed invisibly or visibly. For a visible signature, the standard representation is mostly used, in which various data from the signature certificate are displayed in the defined signature field.
When designing the signature display individually, the signature date can be inserted as a variable. The available alternatives are:

  • system.millis:d = full notation (2021_04_14-09_12_52_610)
  • system.millis:ds = short notation (14.04.21 09:12)
  • system.millis:dm = medium notation (14.04.21 09:12:06)
  • system.millis:df = long notation (Wednesday, April 14, 2021 09:12 CEST)
  • system.millis:dd = date only (Wednesday, April 14, 2021)
  • system.millis:dt = time only (11:16)
  • system.millis:dd(YYYY) = Java format (2016)
  • system.millis:dd(dd.MM.yyyy 'um' HH:mm) = Java format (14.04.2021 um 09:12)

In SLCC up to version 7.1.8, a workaround is necessary to display ':':

  • Period instead of colon: system.millis:d(dd.MM.yyyy 'um' HH.mm)
  • Split: ${system.millis:dds} "um" ${system.millis:dts}

Please note that this is the system time at the moment the signature field display is generated. It can deviate from the signature time (e.g. from a time stamp).

The procedure for the individual design of the signature display can be found in the tutorial. The tutorials are available at https://www.intarsys.de/dokumente/tutorials


Updated: 14.04.2021
Created: 18.11.2019

Created: 18.11.2019 - 13:29
Last updated: 14.02.2022 - 11:22

General

Whoever places packaged goods on the market is subject EU-wide to so-called extended producer responsibility. This means that they must take responsibility for ensuring that this packaging has the least possible impact on the environment. This costs money and was previously regulated in the Packaging Ordinance (VerpackV). On January 1, 2019, the VerpackV was replaced by the Packaging Act. To implement the Packaging Act, the Central Agency Packaging Register foundation (ZSVR) was established.

The ZSVR aims to ensure that the costs of the disposal and recycling system for yellow bins / yellow bags ("dual system") are distributed transparently and fairly on the market. Every commercial first-time distributor of filled sales packaging that typically ends up with the end consumer or at so-called comparable waste disposal sites must be registered in the ZSVR packaging register with their master data and the brands they sell. (Source: Wikipedia)

Anyone who places "packaging subject to system participation" on the market in Germany must register with the ZSVR in the LUCID packaging register. Among the technical requirements, the availability of suitable signature software such as Sign Live! CC is listed. Further information can be found on the website of the ZSVR.

Signature with Sign Live! CC

LUCID

For the packaging register, embedded signatures in PAdES format must be generated. In Sign Live! CC, PDF signatures are created by default in the required PAdES format.

How to create an embedded signature in Sign Live! CC:

  • Start Sign Live! CC.
  • Open the PDF file via the menu item File > Open.
  • Start the signature process via the menu Tools > Signature Functions > Sign Document.
  • Select PDF Signature - PDF-internal signature according to the PDF specification and press [Next].
  • In the Signature field position window, select the option Create a new signature field. After pressing [Next] the mouse pointer changes. Now drag a field of the desired size at the desired position on the PDF with the left mouse button pressed.
  • As soon as you release the left mouse button, the Signature field representation window opens. Choose Standard here and press [Continue].
  • As the signature device, select signIT smartcard CC - Sign with a signature card and card reader at the workplace and press [Continue]. If you have not already done so, please insert the signature card into the card reader.
  • In the Identity window, the card reader used and the certificate from the signature card are displayed. Depending on the settings, several certificates may be displayed. Please select the certificate with the purpose "qualified signature" and press [Continue].
  • The Attribute Certificates window can be skipped with [Next].
  • You will now be asked to enter your personal PIN. Enter the PIN on the card reader and confirm your entry on the card reader as well.
  • The successful signature is displayed in the left application window of Sign Live! CC.

Please note that Sign Live! CC must be licensed in order to create a qualified signature. A license for Windows or Mac OS can be purchased in our shop.

Created: 23.05.2019
Updated: 23.05.2019

Created: 23.05.2019 - 11:48
Last updated: 09.06.2020 - 10:15

The signature display can be designed individually. The procedure is described in the tutorial "Design signature field display".
It is essential that the last variable in the Appearance window contains a value. A line break as the last variable leads to an error message (internal cryptographic library error).

Updated: September 2020
Created: March 2020

Created: 19.03.2020 - 11:42
Last updated: 15.04.2021 - 09:03

For a qualified electronic signature you need, in addition to the software, a signature card and a card reader.
You can obtain signature cards from trust service providers (VDA). The signature cards and card readers supported by Sign Live! CC are listed in our description of services and system requirements.

  • In the intarsys shop you can purchase the signature application software Sign Live! CC for various operating systems.

Updated: October 2017
Created: December 2015

Created: 29.07.2015 - 16:57
Last updated: 05.02.2020 - 13:52

Documents are signed in Sign Live! CC in "Trusted Mode". This requires additional memory and, with large files, can lead to the error message "... Java heap space".
To sign large files, "Trusted Mode" can be switched off in Sign Live! CC. When opening the file, "All files (*.*)" is set as the file type.

How to sign large files with Sign Live! CC:

  • Via the menu item "Tools > Settings > Trusted Mode", deactivate the check box "Ensure document integrity".
  • Restart Sign Live! CC.
  • Open the file with Sign Live! CC via the menu item "File > Open". Please set the file type to "All files (*.*)".
     The file is opened (recognizable by the file name being displayed in the tab), but not displayed (message: The content of the document cannot be displayed because the document format is unknown).
  • Start the signature process via the icon or the menu item "Tools > Signature functions > Sign document". During the signature process, the file can be provided with a time stamp, provided a time stamp has been set up. A PKCS#7 signature is generated.

Status: January 2015

Created: 13.08.2015 - 10:10
Last updated: 06.06.2017 - 15:17

Various trust service providers (formerly trust centers) offer qualified time stamps with the highest evidential value for a fee.

Sign Live! CC supports all common time stamps.

To use time stamps, you have to perform two actions in Sign Live! CC:

  • Configure access to the timestamp provider
  • Configure the signature to embed the timestamps.

The time stamp service is offered during the signature process.

Tutorial: time stamp

Status: February 2015

Created: 29.07.2015 - 16:12
Last updated: 28.04.2021 - 10:20

The file extension for the signature file of a PKCS#7 signature was revised in Sign Live! CC version 7.x.

As an example, a file TESTS.PDF is signed here.
Via the menu item Extras > Settings > Signatures > Signature creation > PKCS#7 signature, the following settings are relevant:

  • Check box "Replace file extension instead of appending" active: creates a signature file with the name TESTS.PDF.p7s
  • Check box "Replace file extension instead of appending" not active: creates a signature file with the name TESTS.p7s


Status: November 2016

Created: 16.11.2016 - 14:38
Last updated: 16.11.2016 - 14:41

What is a convenience signature?

A convenience signature is essentially a small "batch process" in which several documents are signed via a so-called service as soon as they are placed in the defined input directory. The signature PIN is entered once, and the number of documents defined by the license is provided with an invisible signature. If this number is exceeded, another PIN entry is required.

Requirement:

  • The license for convenience signature has been imported
  • A multi-signature card is available

Setup in Sign Live! CC:

  • Via the menu item Tools > Settings, under Signatures > Signature device > signITsmartcard, deactivate the check boxes "PIN entry required" and "PIN entry via secure terminal only".
    Activate "Allow PIN caching". Close the settings window with [OK].
  • Via the menu item Tools > Services > Service Container Management, open the service container management.
    - Add a service container there with the green plus sign and select "file system" as the type [OK].
    - Under "General container settings", assign an ID (name of the service container) and press the green plus sign for services.
    - Select the service type "Signature creation" and as type "Signature with smart card session" [OK].
    - Under FSM monitoring you define the directories. By default, the directories are created in the directory /<.SignLiveCC>/.

Start the signature service with the green arrow.

Created: 28.04.2021 - 11:46
Last updated: 28.04.2021 - 11:49

Despite a valid signature, the validation result contains the information that no valid revocation list was found.
This can be remedied as follows.

  • Close Sign Live! CC.
  • Copy the file from /demo/vmoptions/auth tunneling into the directory /am (home = installation directory).
  • Restart Sign Live! CC and validate the document again.


Created: 21.02.2020

Created: 21.02.2020 - 15:36
Last updated: 21.02.2020 - 15:36

You can see the time stamp in the "Signature overview" in the Sign Live! CC sidebar.

  • To do this, open the signed file with Sign Live! CC.
    By default, Sign Live! CC is set so that every document is checked for signatures when it is opened. This check may take a moment.
  • After the verification is complete, the signature overview is displayed in the left part of the window.
    If this is not the case, the signature overview can be switched on via the menu "View -> Sidebars -> Signature overview".
    In the best case, all areas are marked with a green tick.
  • One of the ticks is labeled "The timestamp is qualified and valid.".
    In addition, "Signed on:" has the addition "(source: timestamp)".

Last change: February 2015

Created: 29.07.2015 - 16:01
Last updated: 21.12.2015 - 15:27

For validation, the application should be set so that a revocation list check is carried out and, if this fails, an OCSP check (online status check) is used to check all certificates for revocation. Sign Live! CC is delivered with this setting.

  • If a document is not validated despite having a valid signature, check the settings. To do this, open the settings dialog (menu item "Tools > Settings"), navigate to "Signatures > Signature Validation > Certificate Validation" and set the answer to the question "Which certificates should be checked via OCSP?" to "All certificates".
  • Please make sure that the check boxes "Revocation list check" and "Online status check" are activated.

Checking the signature again should produce a valid result.

Various trust centers have discontinued the revocation list check, most recently Telesec on 30.06.2015. These trust centers now rely on OCSP responders instead.


Status: April 2016

Created: 13.08.2015 - 10:37
Last updated: 28.04.2016 - 14:21

On 01.07.2017 the eIDAS Regulation came into force. The trust centers (Telesec, D-TRUST etc.) have therefore adapted their certificates. In order to continue to successfully validate these certificates, an update of Sign Live! CC to version 7.x is required.

Status: May 2018

Created: 27.06.2017 - 17:22
Last updated: 07.05.2018 - 09:28

What does "Sign Live! CC implements the currently valid algorithm catalog" mean?

An algorithm catalog defines which cryptographic algorithms are considered secure now and for a period in the future. In doing so, it significantly determines the security level of a PKI(1).
The Signature Act and the Signature Ordinance (SigG / SigV) for qualified electronic signatures defined a PKI and required an algorithm catalog that was constantly updated. Since 01.07.2017 this has been regulated in the eIDAS Regulation.

The BSI (Federal Office for Information Security) creates the algorithm catalog based on a 7-year forecast, i.e. the algorithms under consideration are to be regarded as secure today and in all probability for at least the next 7 years. Very often these periods are extended every year. If an algorithm is expected to become insecure, users have a warning period of 7 years. Since the SigG algorithm catalog was introduced, it has never happened that known attacks jeopardized the security level of cryptographic algorithms so suddenly that a validity period had to be shortened.

Sign Live! CC implements the specifications of the algorithm catalog valid at the time of publication of the software.

What happens to the algorithm catalog with the implementation of the eIDAS Regulation?

With the eIDAS Regulation, SigG / SigV in Germany will be replaced by the Trust Services Act and the associated ordinance at the end of 2017. An algorithm catalog is not yet anchored in the eIDAS Regulation. It remains open whether the EU will manage the necessary rules at EU level by then, or whether Germany will continue to adhere to the German catalog as long as no EU catalog exists. We will keep you informed on this subject.

(1) PKI = Public key infrastructure. For details, see https://de.wikipedia.org/wiki/Public-Key-Infrastruktur


Last updated: June 2021
Created: December 2016

Created: 29.12.2016 - 11:44
Last updated: 24.06.2021 - 10:38

A distinction is made between different forms of electronic signature, all of which are legally binding but have different evidential value and are therefore suitable for very different areas of application.

  • The simple signature does not impose any requirements on the identification of the person who signs the data. There is also no requirement as to how the signed data is connected to the signature and therefore no prescribed way to check this. The digitized handwriting of a signature (e.g. using a signature pad) represents a simple signature, just like the use of an email footer. Simple signatures can be upgraded by using a certificate to create them. This can be used to check the integrity of the data. If a qualified seal is used for this purpose, the assessment of evidence according to eIDAS Art. 35 (2) applies accordingly.
  • The advanced signature is created by means that the signatory can keep under his sole control. The requirements for the identification and storage of the key used are publicly documented in the Certification Practice Statement (CPS). The CPS summarizes all important information about the Certificate Authority (CA), its guidelines and its procedures. This results in a clear assignment of the owner. The integrity of the document can also be ensured via the signature with such a certificate.
  • With the qualified electronic signature, the owner of the signature can be clearly and securely assigned, since identification takes place, for example, via PostIdent, VideoIdent or the online ID function (eID). A qualified certificate is used which is issued by an eIDAS-confirmed trust service provider. Only this type of signature satisfies the written form according to BGB §126a and has evidential value according to ZPO §371a.

Created: January 2021

Created: 29.10.2018 - 12:29
Last updated: 28.04.2021 - 10:19

Whether a signature is valid should be verifiable even after many years. In order to be able to check a signature again later, several pieces of information must be available:

  • Was the end-user certificate used valid at the time it was used?
  • Was the CA (Certificate Authority) that issued this certificate trustworthy at the time the end-user certificate was created, and was the root certificate valid?
  • What quality level did the certificate used have? Simple, advanced or qualified?

In order to answer these questions reliably, a validation application such as Sign Live! CC performs several checks. An important aspect of this check is the revocation check using OCSP (Online Certificate Status Protocol), i.e. queries to the trust service provider (VDA) that issued the end-user certificate used. For these OCSP queries to be possible, this service of the VDA must be online (directory service). The responses of the VDA are in turn signed by the VDA, so that their trustworthiness can be checked and thus ensured. This in turn takes place with the inclusion of OCSP queries. How exactly this is to be done is regulated by international standards (ETSI). At the end of these queries, the validation application can then provide a trustworthy status of the end-user certificate used.

But what if the required directory service is temporarily or permanently unavailable? There may be a temporary malfunction in which the required directory service is simply not reachable online. Or what if the VDA has shut it down? The central deletion of information after the retention period has expired is also a cut-off point. In such cases, the end-user certificate used cannot be checked, and thus the complete signature verification does not lead to a clear result.

LTV signatures are different. With this type of signature, all the required information is embedded in the signature, again in accordance with international standards (ETSI). For PDF documents and signatures, for example, this is technically regulated by the PAdES standard (ETSI EN 319 142) within the PAdES-B-LT profile.

The necessary information can be embedded both during signature creation and later during validation. However, this rarely takes place when the signature is created, since the time required for the signature creation would then also be followed by the verification. Therefore, enrichment to an LTV signature is offered during validation, before archiving. From this point on, the signature is always checked offline, without access to the directory service. A check is therefore independent of the availability of this service, regardless of the reason why it is unavailable.

Can the LTV signature do even more?

How the validity of certificates is checked depends on different models (chain, shell or modified shell model). These different models make perfect sense for the different uses of certificates. The validity of an SSL certificate should be checked differently in the browser than a certificate that was used to sign documents that must remain verifiable for decades.

Let's take Adobe Reader as an example. Adobe Reader will no longer classify a signature as trustworthy after the end user certificate used has expired, even if the signature was made during the period of validity.

This behavior can be avoided with an LTV signature, provided the LTV signature is performed before the expiry date. With a timely LTV signature, the Adobe Reader tick remains green and the signature continues to be checked positively, permanently. This is an important step on the way to greater acceptance of the signature by its users.
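The three validity models named above, worked through on a constructed certificate chain. This is an added illustration, not code from Sign Live! CC or Adobe Reader; the certificates, dates and the model definitions used (shell: all certificates valid at verification time; modified shell: all valid at signing time; chain: signer valid at signing time and each issuer valid when it issued the certificate below it) are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only its validity period matters here."""
    name: str
    not_before: date
    not_after: date

    def valid_at(self, when: date) -> bool:
        return self.not_before <= when <= self.not_after


# Constructed chain (not real certificates), ordered leaf first:
# [end-entity signer certificate, issuing CA, self-signed root].
CHAIN = [
    Cert("signer (end-entity)", date(2018, 1, 1), date(2021, 1, 1)),
    Cert("issuing CA",          date(2015, 1, 1), date(2025, 1, 1)),
    Cert("root CA",             date(2010, 1, 1), date(2030, 1, 1)),
]


def shell_model(chain, verify_time: date) -> bool:
    """Shell model: every certificate must be valid when the check is performed.
    An expired signer certificate fails even if the document was signed in time."""
    return all(c.valid_at(verify_time) for c in chain)


def modified_shell_model(chain, signing_time: date) -> bool:
    """Modified shell model: every certificate must be valid at signing time."""
    return all(c.valid_at(signing_time) for c in chain)


def chain_model(chain, signing_time: date) -> bool:
    """Chain model: the signer certificate must be valid at signing time, and each
    issuer must have been valid when it issued the certificate below it
    (taken here as that certificate's not_before)."""
    if not chain[0].valid_at(signing_time):
        return False
    return all(issuer.valid_at(issued.not_before)
               for issued, issuer in zip(chain, chain[1:]))


def evaluate(chain, signing_time: date, verify_time: date) -> dict:
    """Outcome of all three models for one signing time and one verification time."""
    return {
        "shell": shell_model(chain, verify_time),
        "modified_shell": modified_shell_model(chain, signing_time),
        "chain": chain_model(chain, signing_time),
    }


def evaluate_iso(chain, signing_iso: str, verify_iso: str) -> dict:
    """Same as evaluate(), taking ISO dates ('YYYY-MM-DD') as strings."""
    return evaluate(chain, date.fromisoformat(signing_iso), date.fromisoformat(verify_iso))


if __name__ == "__main__":
    # Signed while the signer certificate was valid, verified after it expired:
    # the shell model (the Adobe Reader behaviour described above) now fails,
    # while the signing-time based models still accept the signature.
    for model, ok in evaluate_iso(CHAIN, "2020-06-01", "2022-03-01").items():
        print(f"{model:15s} -> {'valid' if ok else 'NOT valid'}")
```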

How is an LTV signature generated with Sign Live! CC?

  You can find the answer in our tutorial.


Status: February 2020

Created: 10.08.2016 - 13:04
Last updated: 23.01.2021 - 10:55

Signatures generated with intarsys products produce results in some validation tools that contain the terms "PARTIAL / FULL PDF" or "empty revision".

intarsys signature products integrate LTV* information as a new revision in the PDF document.

Most validation tools ignore this technical detail. However, some validation tools alert the user to this fact by describing the subject of the check as a PARTIAL PDF (EU DSS demonstration WebApp) or by indicating that the document includes an empty revision.

The generated signatures conform to the specification and even have to be generated this way, since the LTV information is added after the signature.
These statements have no relevance for the validity of the checked signatures.

* LTV - Long Term Validation
LTV information includes OCSP responses and / or revocation lists for the certificates that are required for a check. This data facilitates the subsequent verification of the signatures and makes it possible for the verification to take place even without a network connection.
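To make the "new revision" visible, here is an added example (not intarsys code) that splits a PDF into its incremental-update revisions at the %%EOF markers and labels each one as a signature revision (adds a /Sig object) or an LTV-only revision (adds a Document Security Store with OCSP responses, CRLs and certificates but no signature, i.e. what the validators above report as an empty revision). The sample PDF is a constructed skeleton with placeholder offsets, not a loadable file, and the object-level pattern matching is a heuristic rather than a full PDF parser.

```python
import re

# Constructed skeleton of a signed PDF with one incremental update that adds only
# a Document Security Store (DSS). Not a loadable PDF: object bodies and xref
# offsets are placeholders; only the revision structure matters for this check.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R >> endobj\n"
    b"4 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n"
    b"   /ByteRange [0 100 200 300] /Contents <00> >> endobj\n"
    b"xref\n0 5\ntrailer << /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    # second revision: DSS holding LTV data, no new /Sig object
    b"5 0 obj << /Type /DSS /OCSPs [6 0 R] /CRLs [7 0 R] /Certs [8 0 R] >> endobj\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R /DSS 5 0 R >> endobj\n"
    b"xref\n0 9\ntrailer << /Size 9 /Root 1 0 R /Prev 0 >>\nstartxref\n500\n%%EOF\n"
)

EOF_RE = re.compile(rb"%%EOF\r?\n?")
SIG_RE = re.compile(rb"/Type\s*/Sig\b")
DSS_RE = re.compile(rb"/Type\s*/DSS\b")


def split_revisions(data: bytes) -> list:
    """Split a PDF into its revisions: every incremental update ends in %%EOF."""
    revisions, start = [], 0
    for m in EOF_RE.finditer(data):
        revisions.append(data[start:m.end()])
        start = m.end()
    if data[start:].strip():  # trailing bytes after the last %%EOF (truncated update)
        revisions.append(data[start:])
    return revisions


def classify_revisions(data: bytes) -> list:
    """Label each revision 'signature' (adds a /Sig object), 'ltv-only' (adds a
    DSS but no signature) or 'other' (e.g. plain content edits)."""
    labels = []
    for rev in split_revisions(data):
        if SIG_RE.search(rev):
            labels.append("signature")
        elif DSS_RE.search(rev):
            labels.append("ltv-only")
        else:
            labels.append("other")
    return labels


def ltv_follows_signature(data: bytes) -> bool:
    """True if every LTV-only revision comes after at least one signature
    revision, which is the order in which the LTV data has to be added."""
    seen_signature = False
    for label in classify_revisions(data):
        if label == "signature":
            seen_signature = True
        elif label == "ltv-only" and not seen_signature:
            return False
    return True


if __name__ == "__main__":
    for i, label in enumerate(classify_revisions(SAMPLE_PDF), 1):
        print(f"revision {i}: {label}")
    print("LTV data added after the signature:", ltv_follows_signature(SAMPLE_PDF))
```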

Created: 08.09.2021 - 11:43
Last updated: 08.09.2021 - 11:44
