The Signature service (SignatureService)
enables your organization to protect the security and privacy of
Adobe PDF documents that it distributes and receives. This service
uses digital signatures and certification to ensure that documents
are not altered. Altering a document breaks its signature. Because security
features are applied to the document itself, the document remains secure
and controlled for its entire life cycle; beyond the firewall, when
it is downloaded offline, and when it is submitted back to your
organization.
For details on the Signature service, see Services Reference.
The following settings are available for the Signature service.
- Name Of The Remote HSM SPI Service:
- This option is for use when the HSM is installed on a remote
computer. Specify this option when LiveCycle is installed on a 64-bit
Windows and you are using HSM devices for signing.
- URL Of The Remote HSM Web Service:
- Specify this option when LiveCycle is installed on 64-bit
Windows and you are using HSM devices for signing.
- Certification To Include Form Load Changes:
- When this option is selected, the XFA Form State is certified
in addition to the XFA template. Note that enabling this option
may have a negative impact on performance. The default value is true.
- Execute Document JavaScript scripts:
- Specifies whether to execute Document JavaScript scripts
during signature operations. The default value is false.
- Process documents with Acrobat 9 compatibility:
- Specifies whether to enable Acrobat 9 compatibility. For
example, when this option is selected, Visible Certification in
Dynamic PDFs is enabled. The default value is false.
- Embed Revocation Info While Signing:
- Specifies whether revocation information is embedded while
signing the PDF document. The default value is false.
- Embed Revocation Info While Certifying:
- Specifies whether the revocation information is embedded
while certifying the PDF document. The default value is false.
- Enforce Embedding of Revocation Info For All Certificates
During Signing/Certification:
- Specifies whether a signing or certification operation fails
if valid revocation information for all certificates is not embedded.
Note that if a certificate does not contain any CRL or OCSP information,
it is considered valid, even if no revocation information is retrieved.
The default value is false.
- Revocation Check Order:
- Specifies the order of revocation checking when checking
is possible through both Certificate Revocation List (CRL) and Online Certificate
Status Protocol (OCSP) mechanisms. The default value is OCSPFirst.
- Maximum Size Of Revocation Archival Info:
- The maximum size of the revocation archival info in kilobytes.
LiveCycle attempts to store as much revocation information as possible
without exceeding the limit. The default value is 10 KB.
- Support Signatures Created From PreRelease Builds Of
Adobe Products:
- When this option is selected, signature created using pre-release
version of Adobe products will validate correctly. The default value
is false.
- Verification Time Option:
- Specifies the time of verification of a signer's certificate.
The default value is Secure Time Else Current Time.
- Use Revocation Information Archived in Signature during
Validation:
- Specifies whether the revocation information that is archived
with the signature is used for revocation checking. The default
value is true.
- Use Validation Information Stored In The Document For
Validation Of Signatures:
- When this option is selected, validation information (including revocation
and timestamp information) embedded in the doument is used to validate
signatures. The default value is true.
- Maximum Nested Verification Sessions Allowed:
- The maximum number of nested verification sessions that are
allowed. LiveCycle uses this value to prevent an infinite loop when
verifying the OCSP or CRL signer certificates when the OCSP or CRL
certificate is not set up correctly. The default value is 5.
- Maximum Clock Skew for Verification:
- The maximum time, in minutes, that the signing time can be
after the validation time. If the clock skew is greater than this
value, the signature will not be valid. The default value is 65 minutes.
- Certificate Lifetime Cache:
- The lifetime of a certificate, retrieved online or through
other means, in the cache. The default value is 1 day.
Transport Options- Proxy Host:
- The URL of the proxy host. Used only if some valid value
is provided. No default value.
- Proxy Port:
- The proxy port. Type any valid port number from 0 to 65535.
The default value is 80.
- Proxy Login Username:
- The proxy login user name. Used only if some valid value
is provided for proxy host and proxy port. No default value.
- Proxy Login Password:
- The proxy login password. Used only if some valid value is
provided for proxy host, proxy port, and proxy login user name.
No default value.
- Maximum Download Limit:
- The maximum amount of data, in MBs, that can be received
per connection. The minimum value is 1 MB and the maximum value
is 1024 MB. The default value is 16 MB.
- Connection Time Out:
- The maximum time to wait, in seconds, for establishing a
new connection. The minimum value is 1 and the
maximum value is 300. The default value is 5.
- Socket Time Out:
- The maximum time to wait, in seconds, before a socket time-out
(while waiting for data transfer) occurs. The minimum value is 1 and
the maximum value is 3600. The default value is 30.
Path Validation Options- Require Explicit Policy:
- Specifies whether the path must be valid for at least one
of the certificate policies that is associated with the trust anchor
of the signer certificate. The default value is false.
- Inhibit ANY Policy:
- Specifies whether the policy object identifier (OID) should be
processed if it is included in a certificate. The default value
is false.
- Inhibit Policy Mapping:
- Specifies whether policy mapping is allowed in the certification
path. The default value is false.
- Check All Paths:
- Specifies whether all paths should be validated or whether validation
should stop after finding the first valid path. Select true or false.
The default value is false.
- LDAP Server:
- The LDAP Server used to look up certificates for path validation. No
default value.
- Follow URIs in Certificate AIA:
- Specifies whether Uniform Resource Identifiers (URIs) in
Certificate AIA are processed during path discovery. The default
value is false.
- Basic Constraints Extension required in CA Certificates:
- Specifies whether the certificate authority (CA) Basic Constraints
certificate extension must be present for CA certificates. Some
early German certified root certificates (7 and earlier) are not
compliant to RFC 3280 and do not contain the basic constraint extension.
If it is known that a user's EE certificate chains up to such a
German root, deselect this check box. The default value is true.
- Require Valid Certificate Signature During Chain Building:
- Specifies whether the chain builder requires valid signatures
on certificates used to build chains. When this check box is selected,
the chain builder will not build chains with invalid RSA signatures
on certificates. Consider chain CA > ICA > EE where the CA's
signature on an ICA is not valid. If this setting is true, the chain
building will stop at the ICA, and the CA will not be included in
the chain. If this setting is false, the full 3-certificate chain
is produced. This setting does not affect DSA signatures. The default
value is false.
Timestamp Provider Options- TSP Server URL:
- The URL of the default timestamp provider. Used only if some valid
value is provided. No default value.
- TSP Server Username:
- The user name if required by the timestamp provider. Used
only if some valid value is provided for the URL. No default value.
- TSP Server Password:
- The password for the above user name if required by the timestamp
provider. Used only if some valid value is provided for the URL
and the user name. No default value.
- Request Hash Algorithm:
- Specifies the hashing algorithm to be used while creating
the request for the timestamp provider. The default value is SHA1.
- Revocation Check Style:
- Specifies the revocation checking style used for determining
the trust status of the timestamp provider's certificate from its
observed revocation status. The default value is BestEffort.
- Send Nonce:
- Specifies whether a nonce is sent with the timestamp provider request.
A nonce can be a timestamp, a visit counter on a web page,
or a special marker that is intended to limit or prevent the unauthorized
replay or reproduction of a file. The default value is true.
- Use Expired Timestamps During Validation:
- When this option is selected, expired timestamps can be used
to retrieve validation times of signatures. The default value is
true.
- TSP Response Size:
- Estimated size, in bytes, of the TSP response. This value should
represent the maximum size of the timestamp response that the configured
timestamp provider could return. Do not change this unless you are absolutely
sure. The minimum value is 60B and the maximum value is 10240B. The
default value is 4096B.
Certificate Revocation List Options- Consult Local URI First:
- Specifies whether the CRL location that is provided in Local
URI or CRL Lookup should be given preference over any location specified within
a certificate for the purpose of revocation checking. The default
value is false.
- Local URI for CRL Lookup:
- URL of the local CRL provider. This value is consulted only
if the Consult Local URI First setting is set to true. No default
value.
- Revocation Check Style:
- Specifies the revocation checking style used for determining
the trust status of the CRL provider's certificate from its observed revocation
status. The default value is BestEffort.
- LDAP Server for CRL Lookup:
- The LDAP Server used to get the CRLs (as www.ldap.com). All
DN-based queries for CRLs will be directed to this server. No default
value.
- Go Online:
- Specifies whether to go online to fetch a CRL. If false,
only cached CRLs (on local disk or those embedded with signature)
are consulted. The default value is true.
- Ignore Validity Dates:
- Specifies whether to ignore the response's thisUpdate and
nextUpdate times, which prevents these times from having a negative
effect on response validity. The default value is false.
- Require AKI extension in CRL:
- Specifies whether the Authority Key Identifier extension
must be included in a CRL. The default value is false.
Online Certificate Status Protocol Options- OCSP Server URL:
- URL for the default OCSP server. Whether the OCSP server that
is specified through this URL is used depends on the URL To Consult
Option setting. No default value.
- URL To Consult Option:
- Controls the list and order of the OCSP servers that are used
for performing the status check. The default value is UseAIAInCert.
- Revocation Check Style:
- Specifies the revocation checking style that is used while
verifying the OCSP server's certificate. The default value is CheckIfAvailable.
- Send Nonce:
- Specifies whether a nonce is sent with the OCSP request.
A nonce can be a timestamp, a visit counter on a web page, or a
special marker that is intended to limit or prevent the unauthorized
replay or reproduction of a file. The default value is true.
- Max Clock Skew Time:
- Maximum allowed skew, in minutes, between response time and
local time. The minimum value is 0 and the maximum
value is 2147483647m. The default value is 5m.
- Response Freshness Time:
- Maximum time, in minutes, for which a preconstructed OCSP
response is considered valid. The minimum value is 1m and
the maximum value allowed is 2147483647. The default
value is 525600 (one year).
- Sign OCSP Request:
- Specifies whether the OCSP request should be signed. The default
value is false.
- Request Signer Credential Alias:
- Specifies the credential alias to use for signing the OCSP
request if signing is enabled. Used only if signing of OCSP request
is enabled. No default value.
- Go Online:
- Specifies whether to go online to do revocation checking.
The default value is true.
- Ignore the response’s thisUpdate and nextUpdate times:
- Specifies whether to ignore the response's thisUpdate and
nextUpdate times, which prevents these times from having a negative
effect on response validity. The default value is false.
- Allow OCSPNoCheck extension:
- Specifies whether the OCSPNoCheck extension is allowed in
the response signing certificate. The default value is true.
- Require OCSP ISIS-MTT CertHash Extension:
- Specifies whether a certificate public key hash extension
must be included in OCSP responses. The default value is false.
Error Handling Options for Debugging- Purge Certificate Cache on next API call:
- Specifies whether to purge the Certificate Cache when the
next Signature Service Operation is called. After the operation
is called, this option is set back to false. The default value is
false.
- Purge CRL Cache on next API call:
- Specifies whether to purge the CRL Cache when the next Signature
Service Operation is called. After the operation is called, this
option is set back to false. The default value is false.
- Purge OCSP Cache on next API call:
- Specifies whether to purge the OCSP Cache when the next Signature
Service Operation is called. After the operation is called, this
option is set back to false. The default value is false.
|
|
|