Here the operator defines the validation policies that ADSS Server applies when processing the LOTL/TSL. See the image below:

The configuration items are as follows:

Revocation Settings
    Primary Method: Defines the primary method for revocation checking, i.e. OCSP (AIA) or CRL (CDP).
    Secondary Method: Defines the secondary method for revocation checking, i.e. OCSP (AIA) or CRL (CDP).

OCSP Request Settings
    Add Nonce extension: If this option is enabled, ADSS Server adds a nonce (a number used once) extension to the OCSP request message. The OCSP response is then checked to ensure that it carries the same nonce value, which prevents an earlier response from being replayed.
    Add Service Locator extension: If this option is enabled, ADSS Server copies the responder URL from the target certificate's AIA extension into the OCSP request as a Service Locator extension. This lets the OCSP Responder relay the request to other OCSP responders if it cannot handle the request directly.
    Sign OCSP Request: Select this checkbox if the OCSP Responder requires OCSP request messages to be signed, then select the OCSP request signing certificate, which must already exist in the Key Manager.
    Verify OCSP Responder's certificate: Select this checkbox if revocation checking of the OCSP Responder's certificate is also required.
        Note: This is unusual, since OCSP responder certificates are typically issued with a 'NOCHECK' extension.
    Verify OCSP Responder is authorised by the CA: If this option is enabled, ADSS Server validates that the OCSP Responder that produced the response is certified by the same CA that certified the target certificate, and furthermore that the CA specifically marked the OCSP Responder's certificate for "OCSP Signing" in its Extended Key Usage extension.
    Hash Algorithm: Specifies the hash algorithm used to generate the OCSP request and, where request signing is enabled, to sign it.
    Clock Tolerance: When verifying OCSP responses from a peer responder, the OCSP Service compares the times within the response with its local clock to ensure the response is fresh. System clocks are rarely perfectly synchronised, so a tolerance value is essential. It is recommended that this is set to at least 100 seconds.
    Response timeout: Defines how many seconds the OCSP Service waits for the peer OCSP Responder before assuming a communication problem. It is recommended that this is set to at least 10 seconds.
        Note: Set to zero for an unlimited timeout.
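As an added illustration (not ADSS Server code), the following Python models how the OCSP Request Settings above are applied to a received response: the nonce comparison, the freshness check with clock tolerance, and the authorised-responder check (same CA, OCSP Signing EKU). The certificate fields, CA name, nonce and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning EKU OID (RFC 6960)

@dataclass(frozen=True)
class ResponderCert:
    issuer: str     # subject DN of the CA that issued the responder certificate
    eku: frozenset  # Extended Key Usage OIDs carried by the responder certificate
@dataclass(frozen=True)
class OcspResponse:
    nonce: Optional[bytes]  # nonce echoed by the responder, None if absent
    this_update: datetime
    next_update: Optional[datetime]
    responder: ResponderCert

@dataclass(frozen=True)
class Policy:
    add_nonce: bool = True
    verify_responder_authorised: bool = True
    clock_tolerance_s: int = 100  # the page's recommended minimum
def check_response(resp, request_nonce, target_issuer, policy, now):
    """Return the policy violations for one OCSP response (empty list = accepted)."""
    problems = []
    if policy.add_nonce and resp.nonce != request_nonce:  # replayed/old response?
        problems.append("nonce missing or mismatched")
    tol = timedelta(seconds=policy.clock_tolerance_s)  # allow for clock skew
    if resp.this_update > now + tol:
        problems.append("thisUpdate lies in the future beyond clock tolerance")
    if resp.next_update is not None and resp.next_update < now - tol:
        problems.append("nextUpdate has passed beyond clock tolerance")
    if policy.verify_responder_authorised:  # same CA as the target, and OCSP Signing EKU
        if resp.responder.issuer != target_issuer:
            problems.append("responder not certified by the target certificate's CA")
        if ID_KP_OCSP_SIGNING not in resp.responder.eku:
            problems.append("responder certificate lacks the OCSP Signing EKU")
    return problems

# Constructed sample data (hypothetical CA name, nonce and reference clock).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
CA, NONCE = "CN=Example Issuing CA", b"\x01\x02\x03\x04"
GOOD = ResponderCert(issuer=CA, eku=frozenset({ID_KP_OCSP_SIGNING}))

def example_results():
    """Fresh response; response 60 s ahead of our clock (tolerated); replay from a foreign responder."""
    fresh = OcspResponse(NONCE, NOW - timedelta(seconds=30), NOW + timedelta(hours=1), GOOD)
    skewed = OcspResponse(NONCE, NOW + timedelta(seconds=60), None, GOOD)
    replay = OcspResponse(b"\x99", NOW - timedelta(days=2), NOW - timedelta(days=1),
                          ResponderCert("CN=Other CA", frozenset()))
    return [check_response(r, NONCE, CA, Policy(), NOW) for r in (fresh, skewed, replay)]
```

With the default 100 second tolerance the skewed response is accepted, while the replayed response is rejected on all four grounds at once.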

Once the configuration is complete, click the Next button.

If all the checkboxes are checked, any new TSL found on the next LOTL fetch is added automatically.

See also

General
Other TSL Pointers
Validation Policy
TS Filtration
Polling Settings