1 Reply Latest reply on Jun 3, 2015 12:58 PM by IsakTen

    Long term digital signature validation - embedding OCSP responses?


      I am looking to see if there is a way to embed the OCSP response at signing for long term digital signature validation. We have a two-fold issue:


      1. Documents digitally signed will eventually expire, and for audit purposes we need to determine if those signatures were valid at the time of signing well past their expiration date
      2. When using the "Include signature's revocation status" option in Acrobat XI, it embeds the entire CRL (currently 3+ MB). This causes an issue when we get above 7 or 8 signatures because the file gets too big to email based on our email attachment size restrictions. We're getting hit hard on storage requirements because the files can get upwards of 20+ MB, and we sign a ton of PDFs.


      My focus is to see if the OCSP response can be embedded at the time of signing into the PDF as opposed to the entire CRL (the OCSP response should be much smaller). Maybe I'm just not reading the manuals closely enough, but I don't see this option anywhere. Any suggestions? We're also looking at third party tools to address this, but we'd prefer to use something native to Adobe if possible.


      Thanks in advance.

        • 1. Re: Long term digital signature validation - embedding OCSP responses?
          IsakTen Level 4

          It depends on what the CA that issued the signing certificate provides. A certificate may have pointers to the location of OCSP or CRL or both. When Acrobat signs with a certificate, it always tries OCSP first. If it gets an applicable one, it uses it and does not even go for the CRL. It goes for the CRL only if it cannot get a good OCSP. Whichever it uses in the signature validation process, it embeds in the signature.

          If you have PDFs with multiple signatures, you can create signatures without embedding revocation info in the signatures (there is a preference for that), and then perform the "Add Verification Information" command for each signature. This way each OCSP/CRL will be embedded only once, whereas if you embed revocation info in the signature, the same OCSP/CRL applicable to several signatures in the document will be embedded in each signature.
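An added example, not code from this thread or from Adobe, that lets you check which of the two placements described above a PDF actually uses: revocation info embedded "in the signature" ends up inside each signature's /Contents CMS blob, while "Add Verification Information" writes OCSP responses, CRLs and certificates once into the document-level /DSS dictionary (the PAdES-LTV Document Security Store). The script inventories both and reports counts and byte sizes, which is what you want when auditing why a multi-signature file has grown. Assumptions: the sample PDF bytes are constructed here with filler payloads (not real DER), and the parser is deliberately minimal, handling only uncompressed objects laid out in the file body (no object streams, no incremental updates); real documents should go through a full PDF library.

```python
"""Inventory the revocation material embedded in a PDF for long-term validation.

Added example, not code from the forum thread or from Adobe. Scans a PDF for
signature dictionaries (/Type /Sig) and for the Document Security Store (/DSS)
and reports how many OCSP responses, CRLs and certificates are stored and how
many bytes they occupy. Assumption: uncompressed objects in the file body.
"""
from __future__ import annotations

import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")


def parse_objects(pdf: bytes) -> dict[int, bytes]:
    """Map each object number to its raw body (between 'obj' and 'endobj')."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def stream_length(body: bytes) -> int:
    """Byte length of a stream object, taken from its /Length entry."""
    m = re.search(rb"/Length\s+(\d+)", body)
    return int(m.group(1)) if m else 0


def refs_in_array(body: bytes, key: bytes) -> list[int]:
    """Object numbers listed in '/Key [ n 0 R ... ]' inside a dictionary body."""
    m = re.search(rb"/" + key + rb"\s*\[(.*?)\]", body, re.S)
    return [int(r) for r in REF_RE.findall(m.group(1))] if m else []


def signature_sizes(objs: dict[int, bytes]) -> list[dict]:
    """Size of each signature's CMS blob (/Contents). Revocation data embedded
    in the signature itself, rather than in the DSS, lives inside this blob,
    so it grows with every CRL or OCSP response the signature carries."""
    out = []
    for num, body in sorted(objs.items()):
        if not re.search(rb"/Type\s*/Sig\b", body):
            continue
        m = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", body)
        hexdata = re.sub(rb"\s", b"", m.group(1)) if m else b""
        out.append({"obj": num, "cms_bytes": len(hexdata) // 2})
    return out


def dss_sizes(objs: dict[int, bytes]) -> dict | None:
    """Count and total size of /OCSPs, /CRLs and /Certs in the DSS, or None
    when the catalog has no /DSS entry (no document-level LTV data at all)."""
    catalog = next((b for b in objs.values()
                    if re.search(rb"/Type\s*/Catalog\b", b)), b"")
    m = re.search(rb"/DSS\s+(\d+)\s+\d+\s+R\b", catalog)
    if not m:
        return None
    dss = objs[int(m.group(1))]
    report = {}
    for key in (b"OCSPs", b"CRLs", b"Certs"):
        refs = refs_in_array(dss, key)
        report[key.decode()] = {"count": len(refs),
                                "bytes": sum(stream_length(objs[r]) for r in refs)}
    return report


def inventory(pdf: bytes) -> dict:
    objs = parse_objects(pdf)
    return {"signatures": signature_sizes(objs), "dss": dss_sizes(objs)}


def format_report(inv: dict) -> str:
    lines = [f"signature obj {s['obj']}: CMS {s['cms_bytes']} bytes"
             for s in inv["signatures"]]
    if inv["dss"] is None:
        lines.append("no /DSS: nothing embedded at document level for LTV")
    else:
        lines += [f"DSS /{k}: {v['count']} item(s), {v['bytes']} bytes"
                  for k, v in inv["dss"].items()]
    return "\n".join(lines)


def _stream(num: int, payload: bytes) -> bytes:
    return (b"%d 0 obj\n<< /Length %d >>\nstream\n" % (num, len(payload))
            + payload + b"\nendstream\nendobj\n")


# Constructed sample: two signatures with small CMS blobs plus a DSS holding one
# OCSP response, one CRL and two certificates. Payloads are filler, not DER.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /DSS 10 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached"
    b" /Contents <" + b"30" * 512 + b"> >>\nendobj\n"
    b"4 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached"
    b" /Contents <" + b"30" * 400 + b"> >>\nendobj\n"
    b"10 0 obj\n<< /OCSPs [ 11 0 R ] /CRLs [ 12 0 R ] /Certs [ 13 0 R 14 0 R ] >>\nendobj\n"
    + _stream(11, b"O" * 1200)
    + _stream(12, b"C" * 3000)
    + _stream(13, b"X" * 900)
    + _stream(14, b"X" * 800)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(format_report(inventory(SAMPLE_PDF)))
```

Run against a real multi-signature file, a missing /DSS together with large and growing /Contents blobs is the per-signature embedding the reply warns about; a populated /DSS with compact /Contents blobs is the embed-once layout.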