Trusted root

Laurent:

This is a great question. First, let me point out that I posted a number of blog entries on this very topic of trust to the Security Matters blog (blogs.adobe.com/security). Here are the posts:

http://blogs.adobe.com/security/2008/08/setting_signature_trust_in_ado_1.php
http://blogs.adobe.com/security/2008/08/setting_signature_trust_in_ado_2.php
http://blogs.adobe.com/security/2008/10/setting_signature_trust_in_ado.php

These articles go into detail about how the trust can be set up at the client level, or at a more global level via the exchange of an FDF file or Acrobat Security Settings file.

For a more automated approach, organizations have started to look at programs like CDS ( http://www.adobe.com/security/partners_cds.php ), where they can acquire certificates that are chained to the Adobe root certificate embedded and trusted by Acrobat and Reader v6+. But your example is different, because you're trying to leverage existing certificates.

A new program launching shortly will allow government entities like the Belgian government to apply to submit their root certificates to a list of trusted identities that Adobe will manage and download to all users of Acrobat and Reader 9 and above. (nothing prior) Then, any signatures made by certificates linked to those 'trust list' roots will also be trusted by those products. We'll have more information available on this program soon.

I have tested the acrobat security settings file and it is really interesting.
I have one more question about these:

Right now, I sign this file using my belgian Id card, but that means whoever needs to import my settings must add Belgium root CA in the list of their trusted identities in Acrobat or they get a warning !

If I get a CDS signature from one of adobe partner, can I use it to sign the security settings file to avoid a warning when importing the securitySettingsfile ?

Thank you

Yes, this would do the trick, as would using the Belgian eID certificate if they join the new trust program.

Thank you again,
It is a funny coincidence that you reply my questions on this forum, as I saw your name on the adobe website before posting here and I considered sending you an email then...

At the time, we were considering working with CDS credentials but we had to give up because it did not suit our needs although it was very interesting...
You may be interested by our problem:
Beside the signing of PDF document with the ID card we are also trying to implement a Clickthrough signing solution. (That is people should be able to sign document through a web application using credentials we store for them )
At first we thought that we could find some server-based CDS implementations (with some kind of HSM to store the credentials).
It seems that such a solution may be available (although we have received contradictory answers on the matter) but they are really aimed at users who sign a lot of documents each year.

We are in the opposite situation we are really an SME (60 employees) overflowed by a huge number of documents (70 000 contracts this year, 30% increase each year), every document has two signatures on it. The signers are members of an association of professional artists and artists employers. Last years we had 20 000 active members/signers) . That is an average of 7 signature a year per active member.

I don't think we are the only one in this situation: Unions, bars of lawyers, any professional association, small in size but with a lot of identified/registered members. It would be nice if it was possible to adjust the CDS offers to these situations even with some restrictions (eg: Would it be technically possible to create some CDS credentials that would be valid only in document certified (mdp) by the organisation delivering the certicates)

Sorry for the long post,

Thank you again for your kind answers.

Laurent