Digital Signatures Validation
Hi, by default Acrobat (Reader, Standard and Pro) tries to validate digital signatures with the NONCE extension enabled; if that fails, it reverts to CRL download. Since the NONCE extension is not mandatory (regardless of being a best practice and a better and more secure way of validation, for example preventing replay attacks), many suppliers, for several reasons, cannot use it. My suggestion, to make the application aligned with the RFC and able to handle all digital certificate suppliers, would be to also check OCSP without the NONCE extension enabled:
1st - Check OCSP with NONCE extension enabled;
-> new 2nd - check OCSP without NONCE extension enabled;
3rd - check CRLs
Of course, on a successful response at any of the above steps you will not check the next method, so if you get a valid response from OCSP with NONCE you will not check without it, nor the CRL.
Please let me know if something is not clear.
Many thanks in advance!
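The three-step order above, as an added example that is not part of the original post or of Acrobat: a pure-Python script that encodes RFC 6960 OCSP requests with and without the nonce extension and runs the proposed fallback chain against simulated responders. Everything in it is my own: the DER helpers, the `check_revocation` function and `OcspResponse` class, the in-process responders and CRL lookup, and the placeholder issuer name and key. The request is unsigned and uses SHA-1 for the CertID; the response is modelled as a small object rather than parsed DER, with responder-signature and thisUpdate/nextUpdate checks left out.

```python
# Added example, not from the original post or from Acrobat. Builds an RFC 6960
# OCSPRequest (DER) with and without the nonce extension (id-pkix-ocsp-nonce,
# 1.3.6.1.5.5.7.48.1.2) and runs the proposed order: OCSP with nonce -> OCSP
# without nonce -> CRL. Responders and CRL are constructed in-process; names are mine.
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

NONCE_OID = "1.3.6.1.5.5.7.48.1.2"
SHA1_OID = "1.3.14.3.2.26"  # CertID hash; SHA-1 is what most clients still send

# --- minimal DER encoder, enough for an unsigned OCSPRequest ---
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body
def seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))
def octet_string(b: bytes) -> bytes:
    return der(0x04, b)
def integer(n: int) -> bytes:  # non-negative; keeps the leading 0x00 DER requires
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))

def build_ocsp_request(issuer_name_der: bytes, issuer_key: bytes, serial: int,
                       nonce: Optional[bytes]) -> bytes:
    cert_id = seq(seq(oid(SHA1_OID), b"\x05\x00"),                       # AlgorithmIdentifier
                  octet_string(hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
                  octet_string(hashlib.sha1(issuer_key).digest()),       # issuerKeyHash
                  integer(serial))
    tbs = seq(seq(cert_id))  # requestList: one Request { reqCert CertID }
    if nonce is not None:    # requestExtensions [2] EXPLICIT; critical omitted (DEFAULT FALSE)
        tbs += der(0xA2, seq(seq(oid(NONCE_OID), octet_string(octet_string(nonce)))))
    return seq(seq(tbs))     # OCSPRequest { TBSRequest { ... } }, unsigned

def _tlvs(buf: bytes):  # yield (tag, body) for consecutive DER TLVs, definite lengths only
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:
            k, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(buf[i - k:i], "big")
        yield tag, buf[i:i + n]
        i += n

def nonce_from_request(req: bytes) -> Optional[bytes]:  # what a nonce-aware responder echoes
    stack = [req]
    while stack:
        for tag, body in _tlvs(stack.pop()):
            if tag & 0x20:  # constructed: SEQUENCE or the [2] EXPLICIT wrapper
                parts = list(_tlvs(body))
                if tag == 0x30 and parts and parts[0] == (0x06, oid(NONCE_OID)[2:]):
                    return list(_tlvs(parts[-1][1]))[0][1]  # extnValue -> inner OCTET STRING
                stack.append(body)
    return None

@dataclass
class OcspResponse:
    cert_status: str               # "good" | "revoked" | "unknown"
    nonce: Optional[bytes] = None  # nonce echoed in responseExtensions, if any

def check_revocation(issuer_name_der: bytes, issuer_key: bytes, serial: int,
                     ocsp: Callable[[bytes], Optional[OcspResponse]],   # None = unreachable
                     crl_is_revoked: Callable[[int], Optional[bool]]) -> Tuple[str, str]:
    """(method, status); each step runs only if the previous gave no usable answer."""
    nonce = os.urandom(16)  # 1st: OCSP with nonce; only a response echoing it is accepted
    resp = ocsp(build_ocsp_request(issuer_name_der, issuer_key, serial, nonce))
    if resp and resp.nonce == nonce and resp.cert_status != "unknown":
        return "ocsp+nonce", resp.cert_status
    # 2nd (proposed): no nonce, so freshness rests on signature + thisUpdate/nextUpdate checks
    resp = ocsp(build_ocsp_request(issuer_name_der, issuer_key, serial, None))
    if resp and resp.cert_status != "unknown":
        return "ocsp", resp.cert_status
    revoked = crl_is_revoked(serial)  # 3rd: CRL; None means the CRL could not be fetched
    if revoked is None:
        return "none", "undetermined"
    return "crl", "revoked" if revoked else "good"

def echoing_responder(req: bytes) -> OcspResponse:         # supports the nonce extension
    return OcspResponse("good", nonce_from_request(req))
def nonce_ignoring_responder(req: bytes) -> OcspResponse:  # the supplier case from the post
    return OcspResponse("good", None)

REVOKED_SERIALS = {0x1234}  # constructed CRL content
def crl_lookup(serial: int) -> Optional[bool]:
    return serial in REVOKED_SERIALS
```

Calling `check_revocation(b"\x30\x00", b"\x00" * 32, 0x1234, nonce_ignoring_responder, crl_lookup)` with those placeholder issuer bytes shows the difference the post asks for: that responder answers but never echoes the nonce, so step 1 rejects the answer and the result comes from the second OCSP query instead of a CRL download. Whatever accepts a nonce-less response in step 2 must still verify the responder signature and that the current time falls inside thisUpdate/nextUpdate, since a replayed response can only be detected there once the nonce is gone.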