While searching for knowledge on this, I found "How do I prepare for Certificate Authority end of business?", but I don't quite seem to grasp it.
Let's say:
one operates a file server X,
X saves files, signatures and the public certificate information from S which was used to sign the files sent by S to X,
party Y downloads the file and signature from X and wishes to verify that it is a file signed by S.
I believe the verification works even if the public certificate stored and later served with the file and signature by X is the one used, but what if the CA has gone out of business or S has changed to a different provider? Is the chain of the old, saved public certificates stored alongside the data trusted anymore? If it is, how come, if the chain to the CA is broken?
Although legal liability is largely a non-technical matter, if the chain is broken (see the previous passage), wouldn't changing CAs allow S to evade potential issues arising from signing documents? I.e., it could technically repudiate the signatures.
Edit: I suspect this could revolve around some of the fields that state the legal entity that has requested the certificate, the company name or some such. Also interesting reads are "SSL certificate chain verification", "Manually walking through the signature validation of a certificate" and "PKI - Certificate Chain Validation", which led me to believe all the certificates excluding the root CA need to be present. At least on Windows the root CA needs to be installed by Microsoft, so I wonder: if the root CA gets removed, what then?
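To make the two different checks in this question concrete, here is an added example in Go using only the standard library; it is not part of the original post and is not taken from any answer. It constructs a hypothetical three-level chain (a root CA, an issuing CA and S's signing certificate, with made-up names, ECDSA P-256 keys and a fixed, constructed signing timestamp), signs a constructed sample file the way S would, and then runs the two checks Y performs on what X stored: the pure signature check against the stored leaf public key, and the chain check against a certificate pool standing in for Y's trust store, first with the root present, then with the root removed, then at a time after the leaf certificate has expired. The stored material is the leaf plus the intermediate, as the question assumes; the root is deliberately kept out of it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Demo is what X would store: the file, S's detached signature and the chain S sent
// (leaf + intermediate). The root is held separately: it belongs in Y's trust store.
type Demo struct {
	Root, Intermediate, Leaf *x509.Certificate
	File, Signature          []byte
	SignedAt, AfterExpiry    time.Time
}

// mkCert issues a certificate for pub signed by parentKey; parent == nil makes it self-signed.
func mkCert(cn, org string, ca bool, from, to time.Time, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}}, // hypothetical names
		NotBefore:             from,
		NotAfter:              to,
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemo constructs root -> intermediate -> leaf and signs a sample file with the leaf key.
func BuildDemo() (*Demo, error) {
	signedAt := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC) // constructed signing time
	year := 365 * 24 * time.Hour
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	root, err := mkCert("Example Root CA", "Example CA", true, signedAt.Add(-time.Hour), signedAt.Add(10*year), &keys[0].PublicKey, nil, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := mkCert("Example Issuing CA", "Example CA", true, signedAt.Add(-time.Hour), signedAt.Add(3*year), &keys[1].PublicKey, root, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := mkCert("S Document Signing", "S Ltd", false, signedAt.Add(-time.Hour), signedAt.Add(1*year), &keys[2].PublicKey, inter, keys[1])
	if err != nil {
		return nil, err
	}
	file := []byte("constructed sample document sent by S to X\n")
	digest := sha256.Sum256(file)
	sig, err := ecdsa.SignASN1(rand.Reader, keys[2], digest[:])
	if err != nil {
		return nil, err
	}
	return &Demo{Root: root, Intermediate: inter, Leaf: leaf, File: file, Signature: sig,
		SignedAt: signedAt, AfterExpiry: signedAt.Add(2 * year)}, nil
}

// VerifyFileSignature is the purely cryptographic check: does the public key in the
// stored leaf certificate verify the stored signature over the file? No CA is involved.
func VerifyFileSignature(leaf *x509.Certificate, file, sig []byte) bool {
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(file)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// VerifyChain is the trust check: can the stored leaf be chained, through the stored
// intermediate, to a root in the verifier's own store, evaluated at time `at`?
func VerifyChain(d *Demo, roots *x509.CertPool, at time.Time) string {
	inter := x509.NewCertPool()
	inter.AddCert(d.Intermediate) // travels with the stored material
	_, err := d.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	var ua x509.UnknownAuthorityError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &ua):
		return "unknown authority"
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "expired"
	default:
		return "invalid: " + err.Error()
	}
}

// TrustedRoots models Y's store with the root present; NoRoots models it after removal.
func TrustedRoots(d *Demo) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(d.Root); return p }
func NoRoots() *x509.CertPool           { return x509.NewCertPool() }

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature over stored file:", VerifyFileSignature(d.Leaf, d.File, d.Signature))
	fmt.Println("chain, root trusted, at signing time:", VerifyChain(d, TrustedRoots(d), d.SignedAt))
	fmt.Println("chain, root removed, at signing time:", VerifyChain(d, NoRoots(), d.SignedAt))
	fmt.Println("chain, root trusted, two years later:", VerifyChain(d, TrustedRoots(d), d.AfterExpiry))
}
```

The signature check passes in every scenario, because it uses nothing but the key stored with the file. The chain check is what changes: it depends only on which roots Y's store contains and on the time at which validity is evaluated, and Go's verifier uses the wall clock unless CurrentTime is set, so a verifier that does not pin the time to the signing date will report the chain as expired once the leaf lapses even though the root is still trusted.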