Tuning up TElCAdESSignatureProcessor for signature validation
The TElCAdESSignatureProcessor component can be used in a variety of scenarios. It exposes many configuration properties that can be tuned to match your particular validation environment. In this article we walk through these properties and describe which of them you might need to adjust. Values in brackets are the property defaults.
Note: you can read about the general CAdES signature validation approach here.
ValidationMoment (current time) — specifies the moment in time for which you want to establish signature validity. Typically this would be the moment of signature creation (reflected by the signature's SigningTime property or the Time property of the authorized timestamp), but sometimes it may be the current time too.
ForceCompleteChainValidation (true) — whether or not to validate the whole certificate chain. Unless you have some really specific infrastructure (like standalone explicitly-trusted certificates), you must have this property set to true.
IgnoreChainValidationErrors (false) — whether or not to ignore chain validation errors (a variety of them, including badly formed chains, unavailable revocation information, missing certificates or untrusted chains). In most cases it is reasonable to keep this property set to false. The only situation where you may consider setting it to true is when you need to update the signature by including missing revocation information. In that case you are either OK with adding incomplete revocation information or, as a solely updating party, you don't trust the signing chain.
PerformRevocationCheck (true) — whether to check revocation status during chain validation.
OfflineMode (false) — specifies if online revocation information sources can be used. You may set this property to true to check whether the signature is archival (verifiable online).
DeepTimestampValidation (true) — whether deep timestamp validation should be performed (with chain and revocation checks).
DeepCountersignatureValidation (true) — same for countersignatures.
GracePeriod (0) — time interval (in seconds) between the signature creation moment and the moment when certificate status is eventually checked during extended signature creation. The grace period ensures that the certificate was not revoked at the moment of signing. It makes sense to wait a few seconds after the signing is completed to ensure that the up-to-date status information has propagated to the OCSP server.
ReportInvalidTimestamps (true) — whether to report validation exceptions when a bad timestamp is encountered.
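The following added example (not code from the original article or from the component vendor) groups the properties above into two profiles: a strict verifier and the updating-party case described under IgnoreChainValidationErrors. The unit name SBCAdES, the TDateTime type for ValidationMoment, the procedure names and the 5-second grace period are assumptions made for illustration.

```pascal
unit CAdESValidationProfiles;

interface

uses
  SBCAdES; // assumed unit that declares TElCAdESSignatureProcessor

// Strict verifier: every check enabled, validity established for the
// signing moment rather than for the current time.
procedure ApplyStrictProfile(Processor: TElCAdESSignatureProcessor;
  SigningTime: TDateTime; Offline: Boolean);

// Updating party: only adds missing revocation information to a signature.
procedure ApplyUpdaterProfile(Processor: TElCAdESSignatureProcessor);

implementation

procedure ApplyStrictProfile(Processor: TElCAdESSignatureProcessor;
  SigningTime: TDateTime; Offline: Boolean);
begin
  // SigningTime comes from the signature's SigningTime property or from
  // the Time property of its timestamp, as described for ValidationMoment.
  Processor.ValidationMoment := SigningTime;
  Processor.ForceCompleteChainValidation := True;
  Processor.IgnoreChainValidationErrors := False;
  Processor.PerformRevocationCheck := True;
  // Offline = True forbids online revocation sources (the OfflineMode check).
  Processor.OfflineMode := Offline;
  Processor.DeepTimestampValidation := True;
  Processor.DeepCountersignatureValidation := True;
  Processor.ReportInvalidTimestamps := True;
end;

procedure ApplyUpdaterProfile(Processor: TElCAdESSignatureProcessor);
begin
  Processor.ForceCompleteChainValidation := True;
  Processor.PerformRevocationCheck := True;
  Processor.OfflineMode := False; // online sources are needed to fetch data
  // Chain errors are tolerated only so that the update can proceed; the
  // outcome of this run is not a statement about signature validity.
  Processor.IgnoreChainValidationErrors := True;
  // Constructed value: lets fresh status reach the OCSP server before the
  // certificate status is checked.
  Processor.GracePeriod := 5;
end;

end.
```

A signature processed with ApplyUpdaterProfile still needs a separate pass with ApplyStrictProfile before it is treated as valid.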