I am looking to see if there is a way to embed the OCSP response at signing for long-term digital signature validation. We have a two-fold issue:
My focus is to see if the OCSP response can be embedded at the time of signing into the PDF as opposed to the entire CRL (the OCSP response should be much smaller). Maybe I'm just not reading the manuals closely enough, but I don't see this option anywhere. Any suggestions? We're also looking at third-party tools to address this, but we'd prefer to use something native to Adobe if possible.
Thanks in advance.
It depends on what the CA that issued the signing certificate provides. The certificate may have pointers to the location of OCSP or CRL or both. When Acrobat signs with a certificate, it always tries OCSP first. If it gets an applicable one, it uses it and does not even go for the CRL. It goes for the CRL only if it cannot get a good OCSP response. Whichever it uses in the signature validation process, it embeds in the signature.
If you have PDFs with multiple signatures, you can create signatures without embedding revocation info in the signatures (there is a preference for that), and then perform the "Add Verification Information" command for each signature. This way each OCSP/CRL will be embedded only once, whereas if you embed revocation info in the signature, the same OCSP/CRL applicable to several signatures in the document will be embedded in each signature.