CRLOptionSpec

A complex data type that stores preferences for the certificate revocation list (CRL).

CRLOptionSpec variables are used in the following operations of the Signature service:

Certify PDF operation

Sign Signature Field operation

Verify PDF Signature operation

Verify PDF Signature operation (deprecated)

Verify XML Signature operation

For information about data that can be accessed using Xpath Expressions, see Data items .

For information about configuring default properties, see Datatype specific settings .

Data items

The data items that CRLOptionSpec variables contain.

alwaysConsultLocalURL

A boolean value specifies whether to use the CRL location provided as a local URI before any specified locations within a certificate. The CRL location provided is used for revocation checking. When this value is set to true , it means the local URI is used first. The default value of false indicates that locations specified in the certificate are used before the local URI is used.

goOnline

A boolean value that indicates whether to access the network to retrieve CRL information. Accessing the network to retrieve the most recent CRL list can improve network performance by going online only when necessary. When the value is set to false , CRL information is not retrieved online. The default value of true indicates that CRL information is accessed online.

ignoreValidityDates

A boolean value that indicates whether to use thisUpdate and nextUpdate times. Ignoring the response’s thisUpdate and nextUpdate times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP and can be different for each revocation information. A value of true indicates that the validity dates are ignored. The default value of false indicates that validity dates are used.

LDAPServer

A string value that represents the URL or path of the Lightweight Directory Access Protocol (LDAP) server. The LDAP server is used to retrieve information about the certificate revocation list (CRL). For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port. The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280 , section 4.2.1.14.

localURI

A string value that represents the URL for the local CRL store. This value is used only if the alwaysConsultLocalURL value is set to true . The default value is null .

requireAKI

A boolean value that specifies whether an AKI extension must be present in a CRL. An authority key identifier (AKI) helps to identify the next certificate within a certificate chain. A value of true indicates that the AKI extension is required. The default value of false indicates that the AKI extension is not required.

revocationCheckStyle

A RevocationCheckStyle value that specifies the type of revocation check that is performed when verifying a signature in a PDF document.

Datatype specific settings

Properties for configuring the certificate revocation options.

Consult Local URI First

Select this option to use the CRL location provided as a local URI before any specified locations within a certificate. The CRL location provided is used for revocation checking. When this option is selected, it means the local URI is used first. When this option is deselected, the locations specified in the certificate are used before the local URI is used. By default, the option is deselected.

Local URI for CRL Lookup

Sets the URL for the local CRL store. This value is used only if the Consult Local URI First option is selected.

Revocation Check Style

Sets the revocation-checking style used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. The default is BestEffort. Select one of these values:

NoCheck:
Does not check for revocation.

BestEffort:
Checks for revocation of all certificates when possible.

CheckIfAvailable:
Checks for revocation of all certificates only when revocation information is available.

AlwaysCheck:
Checks for revocation of all certificates.

LDAP Server

Sets the URL or path of the Lightweight Directory Access Protocol (LDAP) server used to retrieve information about the certificate revocation list (CRL). The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280 , section 4.2.1.14. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port.

Go Online for CRL Retrieval

Select this option to access the network to retrieve CRL information. Accessing the network to retrieve the most recent CRL list can improve network performance by going online only when necessary. When this option is deselected, CRL information is not retrieved online. By default, the option is selected.

Ignore Validity Dates

Select this option to use thisUpdate and nextUpdate times. Ignoring the response’s thisUpdate and nextUpdate times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP and can be different for each revocation information. When the option is deselected, the thisUpdate and nextUpdate time are ignored. By default, the option deselected.

Require AKI Extension in CRL

Select this option to specify that the Authority Key Identifier (AKI) extension must be present in the CRL. The AKI extension can be used for CRL validation. When this option is deselected, the presence of the AKI extension the CRL is not required. By default, the option is deselected.