
Programmatically importing certificates in Acrobat Trusted Identities

mwahaj
Registered: Mar 28 2007
Posts: 16

Hi,

I have a signed PDF document whose signer or its issuer is not trusted in Acrobat Trusted Identities. On verifying the signature, I get a question mark over the signature field. The only way to get a tick is to either trust the signer or one of its certificates by adding it manually in Adobe, OR import the certificate into the Windows key store and enable the setting to use the Windows key store as a trusted store.

My question is, can the import of the certificate into the Adobe Trusted Identity area be automated via JavaScript or through some other way, as it would be cumbersome for the end user to manually trust the certificate?

I have read the JavaScript references, tried the example: var oMyCert = security.importFromFile("Certificate", "/c/myCert.cer");

but it didn't add the certificate. Probably it is not importing the cert in Trusted Identity and only loading it.

Is there any workaround, Thanks..

Regards,
Wahaj

My Product Information:
Acrobat Standard 8.1.2, Windows

thomp
Expert
Registered: Feb 15 2006
Posts: 4411
Someone can send you their public key cert in an FDF file by email. Then all you need to do is open the FDF to import the signature. This is the easiest way to do it.

Thom Parker
The source for PDF Scripting Info
www.pdfscripting.com
Very Important - How to Debug Your Script

mwahaj
Registered: Mar 28 2007
Posts: 16
Hi,

Yes, thanks, but imagine a situation where a signed PDF is sent to thousands of customers. All of these customers first need to open the FDF to import the signature and then open the PDF to see a valid signature, otherwise a question mark would be shown. There is a strong chance that a few customers will forget to open the FDF and rather open the PDF directly. I understand some user training would be required, but keeping in view the fact that people do make mistakes, I am looking for a solution which does not require any customer intervention, i.e.

Open the PDF and you'll see the valid signature tick, and that is only possible here if the signer certificate is trusted.

Is there some way to do this via JavaScript? An alternative (not sure whether this is possible/permissible or not) is to embed an exe in the PDF; on PDF open we programmatically extract it and execute it. The exe then updates the Adobe set of registry, i.e. iMSStoreTrusted, and sets it to 62 (hex). For this to work the signer certificate should be trusted in the Windows IE key store, which can be bought from any CA.

Regards,
Wahaj

thomp
Expert
Registered: Feb 15 2006
Posts: 4411
It would be very very bad of Adobe to allow an exe to be extracted from a PDF and run on an arbitrary system. This would violate all kinds of security restrictions. So no, there is absolutely no way this will ever happen.

The whole point of PDF security is to keep unknown software in the PDF from messing with the user's system. Like a script in a PDF. This is why there is a cumbersome interactive validation process. They have to explicitly say, "Yes, I trust this". That's the point of signatures. It's an external entity that validates that they know about what you are sending them.

You can make the process a little easier by using a signature that validates by calling a service over the internet. You'll need to read a bit about security and digital signatures.

Thom Parker
The source for PDF Scripting Info
www.pdfscripting.com
Very Important - How to Debug Your Script

mwahaj
Registered: Mar 28 2007
Posts: 16
Hi,

When you say validating the signature by calling a service I think there is only one way here:

1) Use a custom signature handler which communicates with the services and if signature is trusted then update the signature appearance

Not sure whether this can be achieved via JavaScript. Looking at the Adobe 8 JavaScript reference and JavaScript developer guide, it seems we don't have control over the signature validation.

Regards,
Wahaj

thomp
Expert
Registered: Feb 15 2006
Posts: 4411
Quote:
When you say validating the signature by calling a service I think there is only one way here: 1) Use a custom signature handler which communicates with the services and if signature is trusted then update the signature appearance

This is correct. And it cannot be done with JavaScript. JavaScript is a tool for scripting the Acrobat Application. Even when it's in a PDF document, it's really working on Acrobat. You can load signatures and force validation, but scripting is lightweight by nature. To do heavy lifting you need a plug-in.

It seems you may be trying to do something that is very difficult, or maybe impossible. Consider rethinking it.

Thom Parker
The source for PDF Scripting Info
www.pdfscripting.com
Very Important - How to Debug Your Script

mwahaj
Registered: Mar 28 2007
Posts: 16
Thanks for the help..

Yes I am now considering the FDF option. Is there a way to preset the trust settings for a Certificate so that when the user opens the FDF, he may go to 'Set Contact Trust' and see the check boxes set i.e. Use this Certificate as a Trusted Root. This way user will simply double click and import the certificate and no additional setting is required.

I couldn't see any pre-setting option when generating the FDF either in Adobe 8 or 9 so looks like I am stuck again :(.

Is it possible to do this?

thomp
Expert
Registered: Feb 15 2006
Posts: 4411
There aren't any options for doing this.

But if you're clever enough you might be able to insert some JavaScript in the FDF File that contains the certificate. This script would inform the user that they need to do something. I'm not sure if JS is compatible with a cert in an FDF, but you can find out about it in the PDF Specification, which explains the FDF format.

Thom Parker
The source for PDF Scripting Info
www.pdfscripting.com
Very Important - How to Debug Your Script
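
A check a recipient or mail gateway could run before opening a certificate FDF, given the suggestion above that such a file might also carry JavaScript. This is an added example, not part of the original thread: the function names and sample files are constructed, and it assumes the /JavaScript (FDF dictionary) and /JS (script body) keys from the PDF Reference.

```python
import re

# Constructed sample FDF files, for illustration only.
FDF_WITH_SCRIPT = b"""%FDF-1.2
1 0 obj
<< /FDF << /JavaScript << /After (app.alert\\("Set contact trust"\\);) >> >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
# Same file with the key written using a #XX name escape (#61 is "a").
FDF_OBFUSCATED = FDF_WITH_SCRIPT.replace(b"/JavaScript", b"/J#61vaScript")
FDF_PLAIN = (b"%FDF-1.2\n1 0 obj\n<< /FDF << /Fields [ << /T (id) /V (x) >> ] >> >>\n"
             b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

# A name is "/" followed by characters up to whitespace or a delimiter.
NAME = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
SCRIPT_KEYS = {b"JavaScript", b"JS"}


def decode_name(raw):
    """Undo #XX escapes, which can hide a key such as /J#61vaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_fdf(data):
    """Report script-bearing keys in raw FDF bytes.

    Limits: compressed streams are not decoded, and a name-like token inside
    a string literal can cause a false positive. A hit means "review by hand
    before opening", not proof of malice.
    """
    if not data.lstrip().startswith(b"%FDF-"):
        raise ValueError("missing %FDF- header")
    keys, obfuscated = set(), False
    for match in NAME.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in SCRIPT_KEYS:
            keys.add(name.decode("ascii"))
            obfuscated = obfuscated or raw != name
    return {"has_script": bool(keys), "script_keys": sorted(keys),
            "obfuscated": obfuscated}


if __name__ == "__main__":
    for label, sample in (("script", FDF_WITH_SCRIPT),
                          ("escaped", FDF_OBFUSCATED), ("plain", FDF_PLAIN)):
        print(label, triage_fdf(sample))
```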