
Trusted root

Laurent Merchez
Registered: Jan 14 2009
Posts: 13
Answered

Hello,
I work for a large association in Belgium and we would like to offer our members the possibility to digitally sign PDF documents.
We have 25 000 members and we will also need digital IDs for their counterparts.
Since 2005 or so, every Belgian citizen and resident has received an ID card with a chip that contains a certificate issued by "Belgium Root CA" (see http://eid.belgium.be in Fr or Nl).
It is still underused (few people equipped with readers) but we would like to take advantage of that.

Although I have not been able to test it, I understand that, in order to be able to verify these signatures, "Belgium Root CA" must be added in the list of Trusted Identities and then the user has to edit the trust to let it act as a trusted root.
Questions are:
- Must it be done for every user on every machine, or is there a way to automatically "bind" these settings to a document?
- Is there a way to make the process automatic or to simplify it?

Sorry for the long post
With thanks in advance.

Laurent

jbharris
Expert
Registered: Dec 17 2007
Posts: 18
Laurent:

This is a great question. First, let me point out that I posted a number of blog entries on this very topic of trust to the Security Matters blog (blogs.adobe.com/security). Here are the posts:

http://blogs.adobe.com/security/2008/08/setting_signature_trust_in_ado_1.php
http://blogs.adobe.com/security/2008/08/setting_signature_trust_in_ado_2.php
http://blogs.adobe.com/security/2008/10/setting_signature_trust_in_ado.php

These articles go into detail about how the trust can be set up at the client level, or at a more global level via the exchange of an FDF file or Acrobat Security Settings file.

For a more automated approach, organizations have started to look at programs like CDS ( http://www.adobe.com/security/partners_cds.php ), where they can acquire certificates that are chained to the Adobe root certificate embedded and trusted by Acrobat and Reader v6+. But your example is different, because you're trying to leverage existing certificates.

A new program launching shortly will allow government entities like the Belgian government to apply to submit their root certificates to a list of trusted identities that Adobe will manage and download to all users of Acrobat and Reader 9 and above. (nothing prior) Then, any signatures made by certificates linked to those 'trust list' roots will also be trusted by those products. We'll have more information available on this program soon.

-John B Harris, Adobe

Laurent Merchez
Registered: Jan 14 2009
Posts: 13
I have tested the acrobat security settings file and it is really interesting.
I have one more question about these:

Right now, I sign this file using my Belgian ID card, but that means whoever needs to import my settings must add Belgium Root CA in the list of their trusted identities in Acrobat or they get a warning!

If I get a CDS signature from one of the Adobe partners, can I use it to sign the security settings file to avoid a warning when importing the security settings file?

Thank you
jbharris
Expert
Registered: Dec 17 2007
Posts: 18
Yes, this would do the trick, as would using the Belgian eID certificate if they join the new trust program.

-John B Harris, Adobe
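
The trust-anchor behaviour discussed in this thread (a signature chained to "Belgium Root CA" only validates once that root is on the trusted list, and a security settings file signed with an eID certificate raises the same warning until it is), as an added Go example that is not from the forum or from Adobe. It uses Go's standard crypto/x509 chain validation with constructed certificates standing in for the Belgian root, a citizen CA and a citizen certificate; these are not the real eID hierarchy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn. With parent == nil it is
// self-signed (a root); otherwise parentKey must be the private key of parent.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignerTrusted reports whether signer chains through intermediates to a root on the trusted list,
// the check Acrobat makes: an intact chain that ends at a root nobody has trusted still fails.
func SignerTrusted(signer *x509.Certificate, intermediates, trusted []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted { roots.AddCert(c) }
	for _, c := range intermediates { inter.AddCert(c) }
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// EIDScenario models the eID case with constructed certificates (root -> citizen CA -> citizen)
// and returns the verification result before and after the root is added to the trusted list.
func EIDScenario() (beforeTrust, afterTrust bool) {
	root, rootKey := mkCert("Belgium Root CA (constructed)", true, nil, nil)
	ca, caKey := mkCert("Citizen CA (constructed)", true, root, rootKey)
	citizen, _ := mkCert("Citizen (constructed)", false, ca, caKey)
	inter := []*x509.Certificate{ca}
	return SignerTrusted(citizen, inter, nil), SignerTrusted(citizen, inter, []*x509.Certificate{root})
}

func main() {
	fmt.Println(EIDScenario()) // false true: untrusted root fails, trusted root validates
}
```

The same outcome applies to the signed security settings file: the importing machine must already trust the root of whichever certificate signed it, which is why a certificate chained to a root Acrobat ships with avoids the warning.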

Laurent Merchez
Registered: Jan 14 2009
Posts: 13
Thank you again,
It is a funny coincidence that you replied to my questions on this forum, as I saw your name on the Adobe website before posting here and I considered sending you an email then...

At the time, we were considering working with CDS credentials but we had to give up because it did not suit our needs although it was very interesting...
You may be interested in our problem:
Besides the signing of PDF documents with the ID card we are also trying to implement a click-through signing solution. (That is, people should be able to sign documents through a web application using credentials we store for them.)
At first we thought that we could find some server-based CDS implementations (with some kind of HSM to store the credentials).
It seems that such a solution may be available (although we have received contradictory answers on the matter) but they are really aimed at users who sign a lot of documents each year.

We are in the opposite situation: we are really an SME (60 employees) overflowed by a huge number of documents (70 000 contracts this year, 30% increase each year), and every document has two signatures on it. The signers are members of an association of professional artists and artists' employers. Last year we had 20 000 active members/signers. That is an average of 7 signatures a year per active member.

I don't think we are the only ones in this situation: unions, bars of lawyers, any professional association, small in size but with a lot of identified/registered members. It would be nice if it was possible to adjust the CDS offers to these situations even with some restrictions (e.g.: would it be technically possible to create some CDS credentials that would be valid only in documents certified (MDP) by the organisation delivering the certificates?).

Sorry for the long post,

Thank you again for your kind answers.

Laurent