Tuning up TElCAdESSignatureProcessor for signature validation

TElCAdESSignatureProcessor is a powerful component that can be used in a variety of scenarios. As such, it exposes a lot of configuration properties that can be tuned to match your particular validation environment. In this article we will walk through the properties and describe which of them you might need to adjust. Values in brackets indicate the default values for the properties.

Note: you can read about the general CAdES signature validation approach here.

ValidationMoment (current time): use this property to specify the moment in time for which you want to establish the signature validity. Typically this would be the moment of signature creation (reflected by the signature's SigningTime property, or the Time property from the authorized timestamp), but sometimes it may be the current time too.

ForceCompleteChainValidation (true): whether or not to validate the whole certificate chain. Unless you have some really specific infrastructure (like standalone explicitly-trusted certificates), you must have this property set to true.

IgnoreChainValidationErrors (false): whether or not to ignore chain validation errors (a variety of them, including badly formed chains, unavailable revocation information, missing certificates or untrusted chains). In most cases it is reasonable to keep this property set to false. The only situation where you may consider setting it to true is when you need to update the signature (by adding missing revocation information to it), and either you are OK with adding incomplete revocation information or you, as a solely updating party, do not trust the signing chain.

PerformRevocationCheck (true): whether or not to check revocation status when validating the chains.

OfflineMode (false): whether or not the component is allowed to use online revocation information sources. You may consider setting this property to true to check whether a validated signature is archivable (verifiable online).

DeepTimestampValidation (true): whether or not deep timestamp validation should be performed (with chain and revocation checks).

DeepCountersignatureValidation (true): the same for countersignatures.

GracePeriod (0): a period, in seconds, which specifies the delta between the signature creation moment and the moment when the certificate status is eventually checked in the process of creating an extended signature. This is to make sure that the certificate was not revoked at the moment of signing (in some cases it makes sense to wait for several seconds after signing to ensure that up-to-date status information has been propagated to the OCSP server).

ReportInvalidTimestamps (true): whether to report validation exceptions if a bad timestamp is encountered.
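
The effect of ValidationMoment and GracePeriod on the outcome, as an added example (not SecureBlackbox code and not part of the original article). It is a simplified Python model: SignerCert, verdict and all dates are constructed for illustration, and chain building, timestamps and countersignatures are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class SignerCert:
    """Constructed stand-in for a signer certificate and its revocation evidence."""
    not_before: datetime
    not_after: datetime
    status_checked_at: datetime            # when the OCSP/CRL evidence was produced
    revoked_at: Optional[datetime] = None  # None: the evidence says "good"

def verdict(cert: SignerCert, validation_moment: datetime,
            signing_time: datetime, grace_period_s: int = 0) -> str:
    """Judge the certificate at validation_moment (simplified model, an assumption)."""
    if not cert.not_before <= validation_moment <= cert.not_after:
        return "invalid: outside certificate validity period"
    if cert.revoked_at is not None and cert.revoked_at <= validation_moment:
        return "invalid: revoked at validation moment"
    # Evidence produced before signing_time + grace period may predate a
    # revocation that had not yet been propagated to the OCSP server.
    if cert.status_checked_at < signing_time + timedelta(seconds=grace_period_s):
        return "indeterminate: revocation evidence too early"
    return "valid"

# Constructed sample data (not taken from any real certificate).
SIGNED = datetime(2021, 6, 1, 12, 0, 0)
NOW = datetime(2023, 1, 1)
AFTER_REVOCATION = datetime(2021, 12, 1)
GOOD = SignerCert(datetime(2020, 1, 1), datetime(2022, 1, 1),
                  status_checked_at=SIGNED + timedelta(seconds=5))
LATER_REVOKED = SignerCert(datetime(2020, 1, 1), datetime(2022, 1, 1),
                           status_checked_at=datetime(2021, 10, 1),
                           revoked_at=datetime(2021, 9, 1))

if __name__ == "__main__":
    for label, cert, moment, grace in [
        ("at signing time", GOOD, SIGNED, 0),
        ("at current time", GOOD, NOW, 0),
        ("at signing time, 60 s grace", GOOD, SIGNED, 60),
        ("revoked later, at signing time", LATER_REVOKED, SIGNED, 0),
        ("revoked later, after revocation", LATER_REVOKED, AFTER_REVOCATION, 0),
    ]:
        print(f"{label:32} -> {verdict(cert, moment, SIGNED, grace)}")
```

The same certificate is accepted at the signing time and rejected at the current time, which is why ValidationMoment is usually set from SigningTime or a timestamp rather than left at its default.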