PDF/PAdES Hash Signing Attributes
If PDF Hash signatures were selected the following screen is shown. The options are discussed in the table that follows.
The configuration items are as follows:
Items |
Description |
||
Signature Settings |
Select the signature format to be produced. For more details see the section Supported Signature types. Note: The ISO 32000-1 based PDF signatures are verifiable in Adobe Reader 7+ and PAdES signatures based on ETSI Standard are verifiable in Adobe Reader 10+. |
||
Timestamp (TSA) Settings |
When a timestamp is to be added to the signature select the required timestamp authority (or authorities) from the list of registered TSAs. The configuration of TSA address(es) is described in this section: configuring Time Stamp Authorities.
|
||
Signature Conversion |
When the signing service receives data or a hash to sign, this option is ignored. This is a special option to be used only when the business application send data with a basic signature to the service in order to have it extended to a long-term format. The recommended approach is to use the Verification Service for this so that the signature can be checked first and then extended.
Note: For conversion to PAdES Part4-LTV signatures the full signed document must be provided. This is because as part of creating a PAdES Part4-LTV signature the certificate revocation information must be written to a special "DSS" signature dictionary in the PDF. When using this type of signature just the hash is provided so this is not possible. Note: It is recommended that the ADSS Verification Service is used for enhancing signatures since this verifies existing signatures prior to enhancement - see the Verification Server > verification profile > Advance Settings page. |
||
Revocation Status Information Unavailable Error |
If the signature formats PDF Signature with embedded timestamp and revocation information is selected then an extra check box is offered to decide if ADSS Server should return an error if it cannot embed the revocation information when creating the Long-Term signature Such signatures require embedded status/ revocation information for the signer's certificate chain. This is useful to stop basic signatures being created when a communication failure prevents revocation information being obtained from external resources. If this check box is not selected then the signature will be produced but it may not contain the embedded revocation if this was unavailable at the time of signing, e.g. if the relevant OCSP is not responding or if the dynamic CRL is unavailable. ADSS Server is generally configured to cache CA CRLs locally and it also has a short-life cache for dynamic CRLs and OCSP responses. Note: It is recommended you always tick this box. |
||
Hashing Algorithm |
The hash algorithm selected is used within the signature creation process. The following algorithms are available:
SHA256 is recommended. |
||
Signature/Document Relationship |
This defines how the signature and the document exist i.e. is one inside the other or do they exist separately. Following options are available:
Enveloping only supports older SHA-1 signatures. SHA2 based signatures must always use the Detached option |
||
EPES signature |
Explicit Policy Based Electronic (EPES) signature settings are only available for the PAdES Part 3 signature type. By enabling the check box Add Signature Policy Identifier, the signing profile can be used to produce (EPES) signatures where a signature policy OID, URI and user notice are added in the digital signature as specified below. 1. Signature Policy Object ID A mandatory field. Provide the Signature Policy OID to be added for EPES signatures. 2. Signature Policy URI An optional field. Provide the Signature Policy URI to be added for EPES signatures. If there is no Policy URI defined inside the signing profile then EPES configurations should be made in policy.properties file located at: [ADSS Installation Directory]/service/ Open this file in any text editor and enter policy OID and path to the policy document e.g. 1.2.3.4.5 = "F:/Policy_File".
3. Signature Policy User Notice An optional field. You must provide a user notice to be added to the EPES signatures produced. |
See also
PDF/PAdES Signing Attributes
Microsoft Office Signing Attributes
PKCS7 Signing Attributes
CMS/CAdES Signing Attributes
XML/XAdES Signing Attributes
S/MIME Signing Attributes