Andrea Valle, from Adobe, clarified this for me by e-mail:
This has been discussed within ESI for some time, and finally the team decided to clarify this in EN 319 142-1.
See section 5.4.1 on page 11 of version 1.1.0:
The life-time of the protection can be further extended beyond the life-time of the last document time-stamp applied by adding further DSS information to validate the previous last document time-stamp along with a new document time-stamp. Every time a DSS Dictionary is updated during incremental update, it should contain the values from the previous DSS Dictionary.
NOTE: In general the DSS Dictionary will contain validation data from previous revisions plus validation data added for the current revision. If entries are removed from a DSS Dictionary during an incremental update the set of validation data might not be complete for validation of the signatures, but replacement of validation data - like e.g. more up-to-date certificate status information - might be performed for optimization reasons.
So it's actually recommended to add all entries from the older DSS dictionary, but not mandatory. You can update these entries if they don't break the signature, but that's optional.
Reading a little bit further on the same document:
The Document Security Store (DSS) shall be a dictionary that shall have the value DSS as key in the document catalog dictionary. This dictionary is used to provide a single place where all of the validation-related information for some or all signatures in the document should be placed.
The DSS is intended to provide a single place where all information should be placed.
So, if you don't place all information there, you're not breaking anything, but you're not using the DSS as intended.
Then, the answer is: a pdf signer should use the first approach, but a pdf validator should be prepared for the second.
EDIT:
Actually, any PAdES validator should check either the DSS entries existed earlier anyway. If you check only the lastest one, it's possible to re-validate an invalid signature, if the CA certificate used to sign the CRLs or OCSPs was compromissed latter, and this fake information was added in the latest DSS.
Example:
- Sig 1 was made with an revoked certificate
- All DSS entries are added, and the signature is sure to be invalid
A DocumentTimeStamp is added, protecting this DSS.
Sig 1 CA certificate is compromissed
Sig 2 is made, with a valid certificate
- Sig 2 DSS entries are added, LTV-enabling the signature
- Sig 1 CRL/OCSP is replaced with a fake one made with the compromissed CA certificate
In this situation, a validator that relies on the lattest DSS will validate Sig 1, when it shouldn't. That's why you add a DocumentTimeStamp to protect the information about that signature.
TL;DR:
Both options are right. The DSS should have information about all signatures, but it's not mandatory. And a validator should check the DSS that was made right after the signature, not only the latest one.
