PathValidationOptionSpec

A complex data type that represents RFC 3280-related path validation options. It is used by the Verify PDF Signature and Verify PDF Signature (deprecated) operations in the Signature service.

For information about data that can be accessed using Xpath Expressions, see Data items.

For information about configuring default properties, see Datatype specific settings.

Data items

The data items that PathValidationOptionSpec variables contain.

anyPolicyInhibit

A boolean value that indicates whether the anyPolicy certificate policy is processed if it is included in a certificate. A value of true indicates that anyPolicy is not processed, that is, it is not treated as matching every policy. The default value of false indicates that anyPolicy can be processed.

checkAllPaths

A boolean value that specifies whether all paths to a trust anchor are checked for validity. A value of true indicates that all paths are checked. The default value of false indicates that checking every path is not required.

checkCABasicConstraints

A boolean value that indicates whether the CA Basic Constraints certificate extension must be present for CA certificates. For example, earlier versions of some certificates are not compliant with RFC 3280 and do not contain the Basic Constraints extension. The default value of true indicates that the CA Basic Constraints certificate extension is required, and false indicates that the extension is not required.

explicitPolicy

A boolean value that indicates whether the path must be valid for at least one of the certificate policies in the user's initial policy set. A value of true indicates that the path must be valid for at least one policy in that set. The default value of false indicates that no such policy match is required.

followURIsInAIA

A boolean value that indicates whether to follow any URIs specified in the certificate's Authority Information Access (AIA) extension for path discovery. The AIA extension specifies where to find up-to-date certificates. A value of true indicates to follow URIs in the certificate’s AIA extension. The default value of false indicates not to follow URIs.

LDAPServer

A string value that specifies the Lightweight Directory Access Protocol (LDAP) server that is used to retrieve certificate revocation list (CRL) information. The LDAP server searches for CRL information by using Distinguished Name (DN) according to the rules specified in RFC 3280, section 4.2.1.14.

policyMappingInhibit

A boolean value that indicates whether policy mapping is allowed in the certification path. A value of true means that policy mapping is not allowed. The default value of false means that policy mapping is allowed.

requireValidSigForChaining

A boolean value that indicates whether chain building requires valid certificate signatures. A value of true indicates that chain building stops when an invalid signature is encountered, so the certificates below that point are not included in the chain. The default value of false indicates that invalid signatures are ignored when building the chain.
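The three policy-related data items above (explicitPolicy, anyPolicyInhibit and policyMappingInhibit) are the user inputs that RFC 3280 section 6.1.2 turns into the state variables explicit_policy, inhibit_any-policy and policy_mapping. The following is an added example, not code from the Signature service, that models that part of the RFC 3280 algorithm over a constructed chain of dict-based stand-in certificates. The policy OIDs, the `cert` helper and the flattened policy tree are assumptions made for the example; signatures, names, validity, policy qualifiers and the policyConstraints and inhibitAnyPolicy extensions are not modelled.

```python
"""Simplified RFC 3280 section 6.1 certificate-policy processing (added example)."""

ANY_POLICY = "2.5.29.32.0"   # anyPolicy OID, RFC 3280 section 4.2.1.5

# Constructed policy OIDs for the demo; they are not registered policies.
POLICY_A = "1.3.6.1.4.1.99.1"
POLICY_B = "1.3.6.1.4.1.99.2"


def cert(policies=None, mappings=None, self_issued=False):
    """Minimal stand-in for an X.509 certificate holding only the fields the
    policy algorithm reads. policies=None models an absent certificatePolicies."""
    return {"policies": policies, "mappings": mappings or {}, "self_issued": self_issued}


def validate_policies(chain, user_initial_policies, *, explicit_policy=False,
                      any_policy_inhibit=False, policy_mapping_inhibit=False):
    """Run the policy part of RFC 3280 6.1 over `chain` (first element issued by
    the trust anchor, last element the end entity). Returns (accepted, policies):
    `accepted` is the 6.1.5 verdict, `policies` the valid policies at depth n
    after intersection with the user-initial-policy-set."""
    n = len(chain)
    # 6.1.2 (d)-(f): the three PathValidationOptionSpec booleans seed the counters.
    explicit = 0 if explicit_policy else n + 1
    inhibit_any = 0 if any_policy_inhibit else n + 1
    mapping = 0 if policy_mapping_inhibit else n + 1
    # Valid policy tree flattened to the current depth: valid_policy -> expected_policy_set.
    nodes = {ANY_POLICY: {ANY_POLICY}}

    for i, c in enumerate(chain, start=1):
        new = {}
        if c["policies"] is not None:            # 6.1.3 (d); (e) leaves `new` empty
            for p in c["policies"]:
                if p == ANY_POLICY:
                    continue
                if any(p in exp for exp in nodes.values()) or ANY_POLICY in nodes:
                    new[p] = {p}
            if ANY_POLICY in c["policies"] and (inhibit_any > 0 or (i < n and c["self_issued"])):
                for exp in nodes.values():       # anyPolicy inherits every expected policy
                    for p in exp:
                        new.setdefault(p, {p})
        nodes = new
        if not nodes and explicit == 0:          # 6.1.3 (f): no policy while one is required
            return False, set()
        if i == n:
            break
        for issuer, subjects in c["mappings"].items():   # 6.1.4 (a)(b)
            if issuer == ANY_POLICY or ANY_POLICY in subjects:
                return False, set()              # mapping to or from anyPolicy is an error
            if mapping > 0:
                if issuer in nodes or ANY_POLICY in nodes:
                    nodes[issuer] = set(subjects)
            else:
                nodes.pop(issuer, None)          # mapping inhibited: mapped policy is dropped
        if not c["self_issued"]:                 # 6.1.4 (h): count down per CA certificate
            explicit = max(explicit - 1, 0)
            mapping = max(mapping - 1, 0)
            inhibit_any = max(inhibit_any - 1, 0)

    if explicit > 0:                             # 6.1.5 (a)
        explicit -= 1
    if user_initial_policies == {ANY_POLICY}:    # 6.1.5 (g)
        result = set(nodes)
    else:
        result = set(nodes) & set(user_initial_policies)
        if ANY_POLICY in nodes:
            result |= set(user_initial_policies)
    return (explicit > 0 or bool(result)), result


if __name__ == "__main__":
    # Constructed chain: intermediate CA asserting anyPolicy, end entity asserting POLICY_A.
    chain = [cert([ANY_POLICY]), cert([POLICY_A])]
    print("defaults:", validate_policies(chain, {ANY_POLICY}))
    print("anyPolicyInhibit:", validate_policies(chain, {ANY_POLICY}, any_policy_inhibit=True))
    print("anyPolicyInhibit + explicitPolicy:",
          validate_policies(chain, {ANY_POLICY}, any_policy_inhibit=True, explicit_policy=True))
```

The important behaviour to notice is that anyPolicyInhibit or policyMappingInhibit alone never rejects a path; they only empty the policy set, because explicit_policy starts at n+1 and the path still passes with no policy. Only when explicitPolicy is also set does an empty policy set become a rejection, which is why the options are normally combined.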

Datatype specific settings

Properties for specifying the path validation options.

Require Explicit Policy

Select this option to specify that the path must be valid for at least one of the certificate policies in the user's initial policy set. When this option is deselected, a policy match against that set is not required. By default, the option is deselected.

Inhibit ANY Policy

Select this option to specify that the anyPolicy object identifier (OID) is not processed if it is included in a certificate, that is, it is not treated as matching every policy. When deselected, anyPolicy is processed. By default, the option is deselected.

Check All Paths

Select this option to require that all paths to a trust anchor are validated. When this option is deselected, validation of every path to a trust anchor is not required. By default, the option is deselected.

Inhibit Policy Mapping

Determines whether policy mapping is allowed in the certification path. If selected, policy mapping is not allowed; if deselected, policy mapping is allowed. This option is not selected by default.

LDAP Server

Sets the URL or path of the Lightweight Directory Access Protocol (LDAP) server used to retrieve information about the certificate revocation list (CRL). The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280, section 4.2.1.14. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port.

Follow URIs in Certificate AIA

Select this option to specify to follow any URIs specified in the certificate’s Authority Information Access (AIA) extension for path discovery. The AIA extension specifies where to find up-to-date certificates. When this option is deselected, no URIs are processed in the AIA extension from the certificate. By default, the option is deselected.

Basic Constraints Extension required in CA Certificates

Select this option to specify that the certificate authority (CA) Basic Constraints certificate extension must be present for CA certificates. Some early German certified root certificates (7 and earlier) are not compliant with RFC 3280 and do not contain the Basic Constraints extension. If it is known that a user's EE certificate chains up to such a German root, deselect this option. When this option is deselected, the presence of the CA Basic Constraints extension in CA certificates is not required. By default, the option is selected.

Require Valid Certificate Signature During chain building

Select this option to require that all certificate signatures be valid while a chain is built. For example, in a chain CA > ICA > EE where the signature on the EE certificate is not valid, chain building stops at the ICA and the EE certificate is not included in the chain. When this option is deselected, the entire chain is built regardless of whether an invalid certificate signature is encountered. By default, the option is deselected.