Archive CAdES signature
In the CAdES context, archiving means making a signature verifiable offline. A CAdES-A (archival) signature carries all of its validation material inside the signature blob and needs no external sources to be checked. Archiving consists of a thorough validation of the signature, during which every relevant validation element (the signer's certificate chain and the chains of subordinate signers such as the TSA, revocation data for each of them, timestamps, etc.) is collected and embedded into the signature. A signature built this way stays verifiable independently of any external service for as long as the certificates involved in its creation, including those of the timestamp authorities, remain valid and the algorithms used are still considered secure.
An archival signature therefore has to be refreshed periodically, before the certificates used to create it expire. Refreshing is done by obtaining an extra timestamp (an 'archival timestamp') from a trusted third party, which attests that the whole signature, with all the material already embedded in it, existed at the moment of refreshing. All validation elements needed to validate this new TSA response are added to the signature at the same time.
When the TSA certificate behind the most recent archival timestamp is itself about to expire, another archival timestamp is added over everything that came before, and so on.
An archived signature consequently grows over time as more timestamps and validation elements are appended. Verifying it takes three steps. First, the original signature is verified using the embedded material. Second, the verifier checks that each archival timestamp covers the signature and all preceding timestamps, and that it was issued while the previous element's certificate was still valid, so that there is no gap in the chain. Finally, the most recent timestamp is validated 'at the current moment', which is the one step that may require contacting online revocation sources.
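The three verification steps described above, as an added illustrative model written for this page; it is not SecureBlackbox code and does not parse real CAdES structures. Each archival timestamp is reduced to its issue time, the validity window of the TSA certificate that signed it, and a SHA-256 imprint over everything it covers (the original signature plus all earlier timestamps). The signature bytes, dates and validity windows are constructed sample data, and the imprint construction is a simplification of the real archive-time-stamp encoding.

```python
# Added example: a simplified model of a CAdES-A archival-timestamp chain and
# of the checks a verifier performs on it. Not SecureBlackbox code; the dates,
# validity windows and signature bytes below are constructed for illustration.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ArchiveTimestamp:
    issued_at: datetime        # genTime of the TSA response
    tsa_not_before: datetime   # validity window of the TSA signing certificate
    tsa_not_after: datetime
    imprint: bytes             # hash over everything this timestamp covers


def imprint_for(signature: bytes, previous: list[ArchiveTimestamp]) -> bytes:
    """Hash over the original signature plus every earlier archival timestamp.

    Each new timestamp must cover all material that precedes it, so a later
    timestamp also protects the earlier ones. Simplified model of the
    archive-time-stamp message imprint, not the exact CAdES encoding.
    """
    h = hashlib.sha256()
    h.update(signature)
    for ts in previous:
        h.update(ts.issued_at.isoformat().encode())
        h.update(ts.imprint)
    return h.digest()


def add_archive_timestamp(signature: bytes, chain: list[ArchiveTimestamp],
                          issued_at: datetime, tsa_not_before: datetime,
                          tsa_not_after: datetime) -> list[ArchiveTimestamp]:
    """Append one archival timestamp covering the signature and the chain so far."""
    ts = ArchiveTimestamp(issued_at, tsa_not_before, tsa_not_after,
                          imprint_for(signature, chain))
    return chain + [ts]


def verify_archive_chain(signature: bytes, signer_cert_not_after: datetime,
                         chain: list[ArchiveTimestamp], now: datetime) -> tuple[bool, str]:
    """Steps 2 and 3 of the verification described in the text.

    The caller is assumed to have already verified the original signature
    (step 1); signer_cert_not_after is the expiry of the signer's certificate.
    Every timestamp must have been issued while the previous element's
    certificate was still valid, must cover all preceding material, and the
    last TSA certificate must still be valid 'now' (the only point at which a
    real verifier may have to consult online revocation sources).
    """
    if not chain:
        return False, "no archival timestamp: the signature is not archived"
    prev_not_after = signer_cert_not_after
    for i, ts in enumerate(chain):
        if not (ts.tsa_not_before <= ts.issued_at <= ts.tsa_not_after):
            return False, f"timestamp {i} issued outside its TSA certificate validity"
        if ts.issued_at > prev_not_after:
            return False, (f"timestamp {i} was added after the previous certificate "
                           f"expired; the gap breaks the chain")
        if ts.imprint != imprint_for(signature, chain[:i]):
            return False, f"timestamp {i} does not cover the preceding material"
        prev_not_after = ts.tsa_not_after
    if now > prev_not_after:
        return False, "last TSA certificate has expired; the signature must be re-archived"
    return True, f"ok: {len(chain)} archival timestamp(s), valid until {prev_not_after.date()}"


# Constructed sample: a signature whose signer certificate expires at the start
# of 2016, archived once in late 2015 and refreshed again in late 2018, before
# the first TSA certificate expires.
SIGNATURE = b"constructed CAdES signature blob"
SIGNER_CERT_NOT_AFTER = utc(2016, 1, 1)


def build_demo_chain() -> list[ArchiveTimestamp]:
    chain = add_archive_timestamp(SIGNATURE, [], utc(2015, 12, 1), utc(2014, 1, 1), utc(2019, 1, 1))
    chain = add_archive_timestamp(SIGNATURE, chain, utc(2018, 12, 1), utc(2017, 1, 1), utc(2022, 1, 1))
    return chain


if __name__ == "__main__":
    demo = build_demo_chain()
    print(verify_archive_chain(SIGNATURE, SIGNER_CERT_NOT_AFTER, demo, utc(2020, 6, 1)))
    print(verify_archive_chain(SIGNATURE, SIGNER_CERT_NOT_AFTER, demo, utc(2023, 1, 1)))
```

Running the module verifies the constructed chain at two points in time: in mid-2020 it is valid, in 2023 the second TSA certificate has expired and the verifier reports that the signature needs another archival timestamp. Tampering with the signature bytes, or inserting a timestamp that was obtained only after the previous certificate had already expired, is rejected by the imprint and gap checks respectively.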
The snippet below shows how to archive a CAdES signature (whether already archived or not) with SecureBlackbox. Here cms is the signed CMS message that has already been opened, and tspClient is a configured TSP client pointing at the trusted timestamp authority whose response becomes the archival timestamp:
// take the signature to be archived (the first one in the message)
TElCMSSignature sig = cms.get_Signatures(0);
// wrap it in a CAdES processor, which handles the validation and the collection of validation elements
TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);
// validate the signature, embed the collected validation material and add an archival timestamp from tspClient
processor.Archive(tspClient);