Whether a signature is valid, i.e. valid, should be verifiable even after many years. In order to be able to check a signature again, several pieces of information must be available:

  • Was the end user certificate used valid at the time it was used?
  • Was the issuing one CA (Certificate Authority) of this certificate at the time of creation of the end user certificate trustworthy and the root certificate valid?
  • What level of quality was the certificate used? Simple, advanced or qualified?

In order to be able to reliably answer these questions, a validation application such as Sign Live! several exams. An important aspect of this check is blocking checks using OCSP (Online Certificate Status Protocol) i.e. queries from the trust service provider (VDA) who issued the end-user certificate used. So that these OCSPQueries can be made, this service must be dated VDA online (directory service). The answers of the VDA are in turn signed by the latter so that the trustworthiness can be checked and thus ensured. This in turn takes place with the inclusion of OCSP-Interrogate. How this is to be done in full is determined by international standards (ETSI) regulated. At the end of these queries, the validation application can then provide a trustworthy status of the end user certificate used.

But what if the necessary directory service is temporarily or permanently unavailable? There may be a temporary malfunction if the required directory service is simply not available online. Or what if this is done by setting the VDA was switched off? The central deletion of information after the retention period has expired is also an incision. The end user certificate used cannot be checked in such cases and thus the complete signature verification does not lead to a clear result.

Different with LTV-Signatures. With this type of signature, all the required information is provided, again in accordance with international standards (ETSI), embedded in the signature. In case of PDFDocuments and signatures, for example, through the PAdES standard (ETSI EN 319 142) in the context of PAdES-B-LT-Profiles technically regulated.

The necessary information can be embedded both during the signature creation and later during validation. However, it is seldom that this takes place when the signature is created, since the time required for the signature creation is also followed by the verification. This is how enrichment is offered to LTV-Signature during validation before archiving. From this point on, the signature is always checked offline and takes place without access to the directory service. A check is therefore independent of the availability of this service, regardless of the reason why it is not available.

Perform the LTV-Signature even more?

How the validity of certificates is checked depends on different models (chain, shell or modified shell model). These different models also make perfect sense for the different uses of certificates. The validity of a SSL-Certificates should be checked differently in the browser than a certificate that was used to sign documents that must be verifiable for decades.

Let's take Adobe Reader as an example. Adobe Reader will no longer classify a signature as trustworthy after the end user certificate used has expired, even if the signature was made during the period of validity.

This behavior can be caused by the LTVSignature should be avoided if the LTV-Signature done before the expiration date. With the timely LTV-Signature, the Adobe Reader tick remains green and the signature continues to be positively checked - permanently. This is an important step on the way to greater acceptance of the signature by its users.

How does a LTV-Signature with Sign Live! CC generated?

  You can find the answer in our tutorial


Status: February 2020

Created: 10.08.2016 - 13: 04
Stand: 23.01.2021 - 10: 55

FAQ search