OCSPOptionSpec

A complex data type that represents settings for the Online Certificate Status Protocol (OCSP) revocation checking.

OCSPOptionSpec variables are used in the following operations of the Signature service:

Certify PDF operation

Sign Signature Field operation

Verify PDF Signature operation

Verify PDF Signature operation (deprecated)

Verify XML Signature operation

For information about data that can be accessed using XPath expressions, see Data items.

For information about configuring default properties, see Datatype specific settings.

Data items

The data items that OCSPOptionSpec variables contain.

allowOCSPNoCheck

A boolean value that indicates whether the OCSPNoCheck extension is permitted in the response signing certificate. An OCSPNoCheck extension can be added to the OCSP responder certificate to prevent validation loops. A value of true indicates that the OCSPNoCheck extension is allowed. The default value of false indicates that the OCSPNoCheck extension cannot be present in the certificate.

doSignRequest

A boolean value that indicates whether to sign the request. A value of true indicates that the request must be signed. The default value of false indicates that a signed request is not required.

goOnline

A boolean value that indicates whether to access the network to retrieve OCSP information. A value of true indicates that the OCSP checking is performed by accessing the network. The default value of false indicates that checking is performed by accessing embedded and cached OCSP responses. This type of checking reduces the amount of network traffic.

ignoreValidityDates

A boolean value that indicates whether to ignore the thisUpdate and nextUpdate time values of the OCSP server response. These times come from an external source (the response retrieved through HTTP or LDAP) and can differ for each piece of revocation information. A value of true indicates that the validity dates are ignored. The default value of false indicates that the validity dates are enforced, so a response whose dates fall outside the allowed window is treated as invalid.

maxClockSkew

A long value that specifies, in minutes, the maximum allowed skew between the OCSP server response time and the local time. The default value is 5.

ocspServerURL

A string value that specifies the URL for the OCSP server.

requestSignerCredentialAlias

A string value that represents the alias of the credential that is used to sign the OCSP request (see Request Signer Credential Alias under Datatype specific settings).

RequireOCSPCertHash

A string value that indicates whether a certificate public key hash (CertHash) extension is required in the OCSP (Online Certificate Status Protocol) responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Set this property to true only when processing for SigQ compliance with supported OCSP responders. A value of true indicates that the CertHash extension must be present in the OCSP responder certificate. The default value of false indicates that the CertHash extension does not need to be present in the OCSP responder certificate.

responseFreshness

An int value that specifies the maximum time validity (in minutes) of a preconstructed OCSP response. The default value is 525600 (one year).
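The settings above (allowOCSPNoCheck, ignoreValidityDates, maxClockSkew, RequireOCSPCertHash, responseFreshness) all decide whether a response that has already been obtained is acceptable. The following is an added example written for this page, not LiveCycle code: it models those checks in Python over a constructed response object. The OcspResponse and OcspOptionSpec classes, the two responder-certificate booleans standing in for the real extensions, and the assumption that freshness of a preconstructed response is measured from its producedAt time are all this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


# Constructed stand-in for the parts of an OCSP response that these settings
# govern. Time field names follow RFC 6960 (producedAt, thisUpdate, nextUpdate);
# the two responder-certificate booleans are hypothetical flags standing in for
# the real id-pkix-ocsp-nocheck and ISIS-MTT CertHash extensions.
@dataclass
class OcspResponse:
    produced_at: datetime
    this_update: datetime
    next_update: Optional[datetime]
    responder_has_nocheck: bool = False
    responder_has_certhash: bool = False
    preconstructed: bool = False   # embedded in the PDF or served from the cache


@dataclass
class OcspOptionSpec:
    # Defaults as documented above.
    allowOCSPNoCheck: bool = False
    ignoreValidityDates: bool = False
    maxClockSkew: int = 5              # minutes
    RequireOCSPCertHash: bool = False
    responseFreshness: int = 525600    # minutes (one year)


def evaluate_response(resp: OcspResponse, opts: OcspOptionSpec, now: datetime) -> List[str]:
    """Return the reasons for rejecting the response; an empty list means accept."""
    problems = []
    skew = timedelta(minutes=opts.maxClockSkew)

    if not opts.ignoreValidityDates:
        # thisUpdate may sit slightly ahead of the local clock, but no further
        # than maxClockSkew allows.
        if resp.this_update > now + skew:
            problems.append("thisUpdate is later than now + maxClockSkew")
        # Once nextUpdate (plus the tolerated skew) has passed, the status is stale.
        if resp.next_update is not None and resp.next_update + skew < now:
            problems.append("nextUpdate has passed by more than maxClockSkew")

    # Assumption: the freshness of an embedded or cached response is measured
    # from its producedAt time.
    if resp.preconstructed and now - resp.produced_at > timedelta(minutes=opts.responseFreshness):
        problems.append("preconstructed response is older than responseFreshness")

    if resp.responder_has_nocheck and not opts.allowOCSPNoCheck:
        problems.append("responder certificate has OCSPNoCheck but allowOCSPNoCheck is false")

    if opts.RequireOCSPCertHash and not resp.responder_has_certhash:
        problems.append("RequireOCSPCertHash is true but the CertHash extension is absent")

    return problems


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)   # constructed verification time


def minutes(m: int) -> timedelta:
    return timedelta(minutes=m)


def sample_results() -> dict:
    """Run a few constructed responses through the default and adjusted settings."""
    fresh = OcspResponse(NOW - minutes(1), NOW - minutes(1), NOW + minutes(60))
    ahead = OcspResponse(NOW + minutes(3), NOW + minutes(3), NOW + minutes(60))      # inside the 5 min skew
    far_ahead = OcspResponse(NOW + minutes(10), NOW + minutes(10), NOW + minutes(60))
    expired = OcspResponse(NOW - minutes(120), NOW - minutes(120), NOW - minutes(30))
    old_embedded = OcspResponse(NOW - timedelta(days=366), NOW - timedelta(days=366), None, preconstructed=True)
    nocheck = OcspResponse(NOW - minutes(1), NOW - minutes(1), NOW + minutes(60), responder_has_nocheck=True)
    defaults = OcspOptionSpec()
    return {
        "fresh": evaluate_response(fresh, defaults, NOW),
        "ahead_within_skew": evaluate_response(ahead, defaults, NOW),
        "ahead_beyond_skew": evaluate_response(far_ahead, defaults, NOW),
        "expired": evaluate_response(expired, defaults, NOW),
        "expired_dates_ignored": evaluate_response(expired, OcspOptionSpec(ignoreValidityDates=True), NOW),
        "old_embedded": evaluate_response(old_embedded, defaults, NOW),
        "nocheck_default": evaluate_response(nocheck, defaults, NOW),
        "nocheck_allowed": evaluate_response(nocheck, OcspOptionSpec(allowOCSPNoCheck=True), NOW),
    }


if __name__ == "__main__":
    for name, problems in sample_results().items():
        print(f"{name:22} {'accepted' if not problems else '; '.join(problems)}")
```

The "expired_dates_ignored" case is the one to keep in mind when considering ignoreValidityDates: with the flag set, a response whose nextUpdate passed long ago is accepted without complaint, so the flag trades detection of stale status for tolerance of responder clock problems.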

revocationCheckStyle

A string value that specifies the type of revocation-checking that is performed when verifying a signature in a PDF document.

These string values are valid:

AlwaysCheck:
Checks for revocation of all certificates.

BestEffort:
Checks for revocation of all certificates when possible.

CheckIfAvailable:
Checks for revocation of all certificates only when revocation information is available.

NoCheck:
Does not check for revocation.

The default value is CheckIfAvailable.
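How the four revocationCheckStyle values differ is easiest to see when the same certificate chain is evaluated under each of them. The following is an added example for this page, not LiveCycle code. The Status and CertCheck types are constructed, and one reading of the descriptions above is assumed and marked in the code: CheckIfAvailable consults only revocation information that is already available, while BestEffort and AlwaysCheck also go to a responder, with only AlwaysCheck failing the chain when no definitive status can be obtained.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"      # the responder answered but could not determine the status


@dataclass
class CertCheck:
    """Constructed stand-in for one certificate in the chain being verified.

    cached - status from revocation information already available (embedded in
             the document or cached); None when nothing is available.
    online - status a live responder would return; None models a network
             failure or an unreachable responder.
    """
    name: str
    cached: Optional[Status] = None
    online: Optional[Status] = None


def certificate_status(style: str, cert: CertCheck) -> Optional[Status]:
    """Obtain a status for one certificate following the configured style.

    Assumption: CheckIfAvailable never goes online, whereas BestEffort and
    AlwaysCheck fall back to the responder when no information is available.
    """
    if style == "NoCheck":
        return None
    if cert.cached is not None:
        return cert.cached
    if style == "CheckIfAvailable":
        return None
    if style in ("BestEffort", "AlwaysCheck"):
        return cert.online
    raise ValueError(f"unknown revocationCheckStyle: {style}")


def chain_is_trusted(style: str, chain: List[CertCheck]) -> bool:
    """Apply the style to every certificate; a single revoked certificate fails the chain."""
    for cert in chain:
        status = certificate_status(style, cert)
        if status is Status.REVOKED:
            return False
        # Only AlwaysCheck treats a missing or undetermined status as a failure;
        # the other styles tolerate it.
        if style == "AlwaysCheck" and status is not Status.GOOD:
            return False
    return True


STYLES = ("NoCheck", "BestEffort", "CheckIfAvailable", "AlwaysCheck")


def sample_verdicts() -> dict:
    """Three constructed chains evaluated under every style."""
    # The end-entity has no embedded information but its responder is reachable;
    # the intermediate carries embedded information; the root has nothing at all.
    reachable = [
        CertCheck("end-entity", cached=None, online=Status.GOOD),
        CertCheck("intermediate", cached=Status.GOOD, online=Status.GOOD),
        CertCheck("root", cached=None, online=None),
    ]
    revoked_cached = [CertCheck("end-entity", cached=Status.REVOKED)]
    revoked_online_only = [CertCheck("end-entity", cached=None, online=Status.REVOKED)]
    return {
        "reachable": {s: chain_is_trusted(s, reachable) for s in STYLES},
        "revoked_cached": {s: chain_is_trusted(s, revoked_cached) for s in STYLES},
        "revoked_online_only": {s: chain_is_trusted(s, revoked_online_only) for s in STYLES},
    }


if __name__ == "__main__":
    for chain, verdicts in sample_verdicts().items():
        print(chain, verdicts)
```

The "revoked_online_only" chain is the case that matters for the default: under CheckIfAvailable a revocation that is only discoverable online is never seen, so a signature made with a revoked certificate still verifies unless goOnline and a stricter style are configured.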

sendNonce

A boolean value that indicates whether a nonce is sent with the request. A nonce is a parameter that varies with each request; it can be a timestamp, a visit counter on a web page, or a special marker. The parameter is intended to limit or prevent an unauthorized replay or reproduction of a previous response. The default value of true indicates that a nonce is sent with the request, and a value of false indicates that a nonce is not included in the request.

URLtoConsultOption

A string value (with a finite list of valid values) that represents the type of OCSP servers and the order in which to use them when performing the revocation check. The default value is UseAIAInCert.

These values are valid:

LocalURL:
Use the locally configured URL.

UseAIAInCert:
Use the URL of an online certificate status protocol server specified in the Authority Information Access (AIA) extension in the certificate. The AIA extension is used to identify how to access certificate authority (CA) information and services for the issuer of the certificate.

UseAIAIfPresentElseLocal:
Use the URL of the OCSP server specified in the AIA extension in the certificate if present. If the AIA extension is not present in the certificate, use the URL configured in the OCSP Server URL option (ocspServerURL).

UseAIAInSignerCert:
Use the URL of the OCSP server specified in the AIA extension in the signer certificate.
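The following is an added example written for this page, not LiveCycle code, showing how sendNonce, doSignRequest, requestSignerCredentialAlias, ocspServerURL and URLtoConsultOption together shape the request that is sent, and how the nonce is checked when the response comes back. The Certificate and OcspOptionSpec classes, the request dictionary (a plain description rather than DER), and all URLs and serial numbers are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Certificate:
    """Constructed stand-in: only the OCSP URL from the AIA extension matters here."""
    subject: str
    serial: int
    aia_ocsp_url: Optional[str] = None


@dataclass
class OcspOptionSpec:
    # Defaults as documented above.
    URLtoConsultOption: str = "UseAIAInCert"
    ocspServerURL: Optional[str] = None
    sendNonce: bool = True
    doSignRequest: bool = False
    requestSignerCredentialAlias: Optional[str] = None


def select_responder_url(opts: OcspOptionSpec, cert: Certificate, signer_cert: Certificate) -> Optional[str]:
    """Pick the responder to ask about `cert` according to URLtoConsultOption."""
    option = opts.URLtoConsultOption
    if option == "LocalURL":
        return opts.ocspServerURL
    if option == "UseAIAInCert":
        return cert.aia_ocsp_url
    if option == "UseAIAIfPresentElseLocal":
        return cert.aia_ocsp_url or opts.ocspServerURL
    if option == "UseAIAInSignerCert":
        return signer_cert.aia_ocsp_url
    raise ValueError(f"unknown URLtoConsultOption: {option}")


def build_request(opts: OcspOptionSpec, cert: Certificate, signer_cert: Certificate) -> dict:
    """Describe the request that would be sent (a plain dict, not an encoded OCSPRequest)."""
    url = select_responder_url(opts, cert, signer_cert)
    if url is None:
        raise ValueError(f"no OCSP responder URL for {cert.subject} under {opts.URLtoConsultOption}")
    request = {
        "url": url,
        "serial": cert.serial,
        # A fresh random nonce ties the response to this request. The page also
        # mentions timestamps or counters; random bytes are used here.
        "nonce": secrets.token_bytes(16) if opts.sendNonce else None,
        "signed_by": None,
    }
    if opts.doSignRequest:
        if not opts.requestSignerCredentialAlias:
            raise ValueError("doSignRequest is true but requestSignerCredentialAlias is not set")
        request["signed_by"] = opts.requestSignerCredentialAlias
    return request


def response_nonce_ok(request: dict, response_nonce: Optional[bytes]) -> bool:
    """When a nonce was sent, the response must echo it exactly; otherwise a
    replayed or pre-generated response is rejected."""
    if request["nonce"] is None:
        return True           # nothing was sent, so there is nothing to compare
    return response_nonce is not None and secrets.compare_digest(request["nonce"], response_nonce)


# Constructed certificates and local responder URL for the demonstration.
LEAF = Certificate("CN=document signer", 0x1001, aia_ocsp_url="http://ocsp.example.test/leaf")
NO_AIA = Certificate("CN=no AIA", 0x1002)
SIGNER = Certificate("CN=signer", 0x2001, aia_ocsp_url="http://ocsp.example.test/signer")
LOCAL = "http://ocsp.internal.example.test/"


def sample_urls() -> dict:
    """For each option, the URL chosen for a certificate with an AIA entry and for one without."""
    out = {}
    for option in ("LocalURL", "UseAIAInCert", "UseAIAIfPresentElseLocal", "UseAIAInSignerCert"):
        opts = OcspOptionSpec(URLtoConsultOption=option, ocspServerURL=LOCAL)
        out[option] = (select_responder_url(opts, LEAF, SIGNER), select_responder_url(opts, NO_AIA, SIGNER))
    return out


if __name__ == "__main__":
    for option, urls in sample_urls().items():
        print(f"{option:26} with AIA -> {urls[0]}   without AIA -> {urls[1]}")
    req = build_request(OcspOptionSpec(doSignRequest=True, requestSignerCredentialAlias="ocsp-signer"), LEAF, SIGNER)
    print("nonce echoed:", response_nonce_ok(req, req["nonce"]), "| replayed:", response_nonce_ok(req, b"\x00" * 16))
```

Note that the UseAIAInCert default returns no URL at all for a certificate without an AIA extension; if such certificates are expected, UseAIAIfPresentElseLocal with a configured OCSP Server URL is the combination that still produces a request.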

Datatype specific settings

Properties for the Online Certificate Status Protocol (OCSP).

URL to Consult Option

Sets the list and order of the OCSP servers used to perform the revocation check. The default value is UseAIAInCert. Select one of these values:

UseAIAInCert:
Use the URL of an online certificate status protocol server specified in the Authority Information Access (AIA) extension in the certificate. The AIA extension is used to identify how to access certificate authority (CA) information and services for the issuer of the certificate.

LocalURL:
Use the URL specified in the OCSP Server URL option.

UseAIAIfPresentElseLocal:
Use the URL of the OCSP server specified in the AIA extension in the certificate if present. If the AIA extension is not present in the certificate, use the URL configured in the OCSP Server URL option.

UseAIAInSignerCert:
Use the URL of the OCSP server specified in the AIA extension in the signer certificate.

OCSP Server URL

Sets the URL of the configured OCSP server. The value is used only when URL To Consult Option is set to LocalURL or UseAIAIfPresentElseLocal.

Revocation Check Style

Sets the revocation-checking style used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. The default value is CheckIfAvailable. Select one of these values:

NoCheck:
Does not check for revocation.

BestEffort:
Checks for revocation of all certificates when possible.

CheckIfAvailable:
Checks for revocation of all certificates only when revocation information is available.

AlwaysCheck:
Checks for revocation of all certificates.

Max Clock Skew Time (minutes)

Sets the maximum allowed skew, in minutes, between the response time and the local time. Valid skew times are 0 to 2147483647 minutes. The default value is 5 minutes.

Response Freshness Time (minutes)

Sets the maximum time, in minutes, for which a preconstructed OCSP response is considered valid. Valid response freshness times are 1 to 2147483647 minutes. The default value is 525600 minutes (one year).

Send Nonce

Select this option to send a nonce with the OCSP request. A nonce is a parameter that varies with time; it can be a timestamp, a visit counter on a web page, or a special marker. The parameter is intended to limit or prevent the unauthorized replay or reproduction of a previous response. When the option is deselected, a nonce is not sent with the request. By default, the option is selected.

Sign OCSP Request

Select this option to specify that the OCSP request must be signed. When the option is deselected, the OCSP request does not need to be signed. By default, the option is deselected.

Request Signer Credential Alias

Sets the credential alias used for signing the OCSP request when signing is enabled.

Go Online for OCSP

Select this option to access the network to retrieve OCSP information for OCSP checking. When the option is deselected, OCSP checking is performed by using the embedded and cached OCSP responses on LiveCycle Server, which reduces the amount of network traffic generated by OCSP checking. By default, the option is selected.

Ignore Validity Dates

Select this option to ignore the thisUpdate and nextUpdate times of the OCSP response. These times are retrieved from external sources by using HTTP or LDAP and can differ for each piece of revocation information; ignoring them prevents an out-of-window date from causing the response to be treated as invalid. When the option is deselected, the thisUpdate and nextUpdate times are enforced. By default, the option is deselected.

Allow OCSP NoCheck Extension

Select this option to allow an OCSPNoCheck extension in the response signing certificate. An OCSPNoCheck extension can be present in the OCSP responder's certificate to prevent infinite loops from occurring during the validation process. When the option is deselected, the OCSPNoCheck extension is not allowed. By default, the option is selected.

Require OCSP ISIS-MTT CertHash Extension

Select this option to specify that certificate public key hash (CertHash) extensions must be present in OCSP responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Select this option when processing for SigQ compliance and supported OCSP responders. When the option is deselected, the CertHash extension presence in the OCSP response is not required. By default, the option is deselected.