Home » Adobe Manuals » Computer Software » Adobe 22002486 » Manual Viewer

Adobe 22002486 Digital Signature User Guide - Page 180

As of Acrobat 9, Adobe Policy Server is renamed to Adobe LiveCycle Rights Management Server

View all Adobe 22002486 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 180 highlights

Acrobat 9 Family of Products Security Feature User Guide Glossary of Security Terms 180 Table 5 Security Terms MSCAPI OCSP Online Certificate Status Protocol (OCSP) Windows Microsoft Crypto API (MSCAPI) is the API that the application uses to access cryptographic service providers such as PFX files and PKCS#11 files. MSCAPI is also used by the application anytime it uses a Windows security feature. See Online Certificate Status Protocol. OCSP defines a protocol for determining the revocation status of a digital certificate without requiring a CRL. Unlike CRL, OCSP obviates the need to frequently download updates to keep certification status lists current. Acrobat's OCSP revocation checker adheres to RFC 2560. organization digital ID, desktop A digital ID issued to an organization or non-human entity (for example, the Adobe Public Relations Department). It can be used by an authorized employee to perform signing operations, at the desktop, on behalf of the company. organization digital ID, server A digital ID issued on behalf of an organization or non-human entity (e.g. Adobe Public Relations Department, Cisco Corporation, etc.) for performing server-based, automated signing operations. PKCS PKCS#11 device A group of Public Key Cryptography Standards authored by RSA Security External hardware such as a smart card reader or token. It is driven by a module (a software driver such as a .dll file on Windows). PKCS#11 digital ID PKCS#11 format An ID on a PKCS# device. A device may contain one or more IDs. Cryptographic Token Interface Standard: An encryption format used by smart cards, tokens, and other PKCS#11-compatible devices. The ID is stored on the device rather than on the user's computer. PKCS#11 module PKCS#11 token PKCS#12 The software module that drives a PKCS#11 device. See PKCS#11 device. Personal Information Exchange Syntax Standard: Specifies a portable, password protected, and encrypted format for storing or transporting certificates. The certificates are stored in .pfx (Windows) and .p12 (Macintosh) files. Unlike other formats, the file may contain private keys. PKCS#7 Policy Server Certificate Message Syntax (CMS): Files with .p7b and .p7c extensions are registered by the Windows OS. If you double click on a .p7c file it will be viewed by a Windows application. As of Acrobat 9, Adobe Policy Server is renamed to Adobe LiveCycle Rights Management Server privileged context qualified certificates qualified electronic signatures roaming ID root certificate A context in which you have the right to do something that's normally restricted. Such a right (or privilege) could be granted by executing a method in a specific way (through the console or batch process), by some PDF property, or because the document was signed by someone you trust. For example, trusting a document certifier's certificate for executing JavaScript creates a privileged context which enables the JavaScript to run where it otherwise would not. A qualified certificate that conforms to the RFC 3739 specification. It contains a qc statement that simply states that it is a qualified certificate. These types of certificates meet the requirements of the German digital signature law, and most qualified certificates currently originate from German trust centers. Electronic signatures that use a qualified certificate valid at the time of their creation and that have been produced with a secure signature-creation device. A roaming ID is a digital ID that is stored on a server. The private key always remains on the server, but the certificate and its public key can be downloaded at the subscriber's request to any location. Roaming IDs require an Internet connection. The top-most issuing certificate in a certificate chain. It is sometimes used as a trust anchor. secure signature-creation devices security restricted property or method (SSCD) Software or hardware products used to store and apply signature code and that are designed for qualified electronic signatures A property or method whose availability is restricted to certain events such as batch processing, console execution, or application startup. For example, in Acrobat 7.0, a security-restricted method (S) can only be executed through a menu event if one of the following is true: The JavaScript user preferences item "Enable menu items JavaScript execution privileges" is checked or the method is executed through a trusted function. The JavaScript for Acrobat API Reference identifies the items that have restrictions.

Section	Page
Getting Started	8
1.1 What’s in this Guide?	8
1.2 Who Should Read This Guide?	8
1.3 How Should You Use This Guide?	9
1.4 Roadmap to Other Security Documentation	9
Getting and Using Your Digital ID	11
2.1 Digital ID Basics	11
2.1.1 What is a Digital ID?	11
2.1.2 Digital ID Storage Mechanisms	12
2.1.3 Registering a Digital ID for Use in Acrobat	13
2.1.4 Digital ID Management and the Security Settings Console	14
2.1.5 Setting Identity Information	14
2.2 Generic ID Operations	15
2.2.1 Specifying Digital ID Usage	15
2.2.2 Sharing (Exporting) a Digital ID Certificate	16
2.2.3 Viewing All of Your Digital IDs	16
2.2.4 Customizing a Digital ID Name	17
2.2.5 Viewing Digital ID Certificates in the Certificate Viewer	17
2.3 Managing PKCS#12 Digital ID Files	19
2.3.1 Logging in to a Digital ID File	19
2.3.2 Adding a Digital ID from a PKCS#12 File	19
2.3.3 Adding and Removing Digital ID Files from the File List	20
2.3.4 Changing an ID File’s Password	20
2.3.5 Changing a PKCS#12 File’s Password Timeout	21
2.3.6 Logging in to PKCS#12 Files	22
2.3.7 Creating a Self-Signed Digital ID	22
2.3.8 Deleting a PKCS#12 Digital ID	25
2.4 Managing Windows Digital IDs	26
2.4.1 Finding a Digital ID in a Windows Certificate Store File	26
2.4.2 Deleting a Digital ID from the Windows Certificate Store	26
2.5 Your server may require additional or different authentication steps. Follow directions that appear in the dialogs.Managing IDs Stored on Hardware Devices	27
2.5.1 Adding an ID that Resides on External Hardware	27
2.5.2 Changing Passwords	28
2.5.3 Logging in to a Device	28
Managing Certificate Trust and Trusted Identities	30
3.1 What is Trust?	30
3.2 What is a Trusted Identity?	30
3.3 Adding Someone to Your Trusted Identity List	32
3.3.1 Requesting a Digital ID via Email	33
3.3.2 Importing a Certificate From a File	33
3.3.3 Searching for Digital ID Certificates	34
3.4 Certificate Trust Settings	35
3.4.1 Using Certificates for Certificate Security (Encryption)	38
3.5 Using Directory Servers to Add Trusted Identities	38
3.5.1 Manually Configuring a Directory Server	39
3.5.2 Editing Directory Servers Details	40
3.5.3 Deleting a Directory Server	41
3.5.4 Specifying a Default Directory Server	41
3.5.5 Importing and Exporting Directory Server Settings	41
3.6 Managing Contacts	42
3.6.1 Viewing and Editing Contact Details	42
3.6.2 Emailing Certificate or Contact Data	43
3.6.3 Saving Certificate or Contact Details to a File	43
3.6.4 Associating a Certificate with a Contact	43
3.6.5 Changing a Trusted Identity’s Certificate Association	44
3.6.6 Deleting Contacts and Certificates	44
Authoring Signable Documents	46
4.1 Best Practices for Signed Documents that will Change	46
4.2 Setting up the Signing Environment	46
4.2.1 Setting Signing Preferences	47
4.2.1.1 Requiring Preview Mode	47
4.2.1.2 Changing the Default Signing Method	48
4.2.1.3 Embedding Signature Revocation Status	49
4.2.1.4 Allowing Signing Reason	50
4.2.1.5 Showing Location and Contact Details	50
4.2.1.6 Enabling Document Warning Review	50
4.2.1.7 Requiring Document Warning Review Prior to Signing	51
4.2.1.8 Enabling a Warnings Comment or Legal Attestation	51
4.2.2 Customizing Signature Appearances	52
4.2.2.1 Creating a Custom Signature	52
4.2.2.2 Creating a Custom Watermark or Background	52
4.2.2.3 Creating a Custom Signature Appearance	53
4.2.2.4 Editing or Deleting a Signature Appearance	54
4.2.3 Using Timestamps During Signing	55
4.3 Working with Signature Fields	56
4.3.1 Creating a Blank Signature Field	57
4.3.2 Specifying General Field Properties	58
4.3.3 Customizing Field Appearances	59
4.3.4 Changing the Default Field Appearance	60
4.3.5 Cut, Copy, and Paste Signature Fields	60
4.3.6 Arranging Signature Fields	60
4.3.7 Creating Multiple Copies of a Signature Field	61
4.4 Authoring Signable Forms	62
4.4.1 Authoring a Document with Multiple Fields	62
4.4.2 Locking Fields Automatically After Signing	62
4.4.3 Making a Field a Required Part of a Workflow	63
4.4.4 Specifying a Post-Signing Action	64
4.4.5 Unlocking a Field Locked by a Signature	66
Controlling Signing with Seed Values	67
5.1 Seed Value Basics	67
5.1.1 Changes Across Releases	68
5.1.2 Supported Seed Values	69
5.1.3 Enabling JavaScript to Set Seed Values	70
5.2 Forcing a Certification Signature	71
5.3 Giving Signers the Option to Lock a Document	73
5.4 Forcing Signers to Use a Specific Signature Appearance	74
5.5 Adding Custom Signing Reasons	75
5.6 Specifying Timestamps for Signing	76
5.7 Specifying Alternate Signature Handlers and Formats	77
5.8 Specifying a Signature Hash Algorithm	79
5.9 Embedding Revocation Information in a Signature	79
5.10 Specifying Certificate Properties for Signing	80
5.10.1 Specifying Signing Certificates Origin	82
5.10.2 Specifying Certificates by Key Usage	83
5.10.3 Specifying Certificates by Policy	84
5.10.4 Specifying a URL When a Valid Certificate is not Found	85
5.10.5 Restricting Signing to a Roaming ID	86
5.11 Custom Workflows and Beyond	86
Signing Documents	89
6.1 Signing Basics	89
6.1.1 Before You Sign . . .	89
6.1.2 Signature Types	89
6.1.3 Signing User Interface	90
6.2 Signing With a Certification Signature	90
6.2.1 Certification Workflow for Documents with Multiple Signers	92
6.2.2 Setting up a Document for Certification	93
6.2.3 You can customize the way a certified document behaves for signers by giving form fields additional features with seed values. For example, you can preconfigure custom signing reasons or limit signing to only those with certificates with predef...	93
6.2.4 Certifying a Dynamic Form	95
6.2.5 Why Can’t I Certify?	96
6.3 Signing with an Approval Signature	96
6.3.1 Signing Documents in Acrobat	96
6.3.2 Signing in a Browser	98
6.3.3 Clearing One or More Signatures	99
Validating Signatures	100
7.1 Signature Validity Basics	100
7.1.1 What Makes a Signature Valid?	100
7.1.1.1 Authenticity Verification	101
7.1.1.2 Document Integrity Verification	101
7.2 Setting up Your Environment for Signature Validation	102
7.2.1 Validating Signatures Automatically	102
7.2.2 Setting Digital Signature Validation Preferences	103
7.2.3 Using Root Certificates in the Windows Certificate Store	104
7.2.4 Validating Signatures with Timestamps and Certificate Policies	105
7.3 Validating Signatures Manually	106
7.3.1 Validating Signatures with Adobe Reader	106
7.3.2 Validating a Single Signature in Acrobat	106
7.3.3 Validating All Signatures in Acrobat	107
7.3.4 Validating an Problematic Signature (trusting a signer on-the-fly)	108
7.3.5 Validating Signatures for other Document Versions	110
7.3.6 Validating Signature Timestamps	110
7.3.6.1 When Timestamps Can’t be Verified. . .	112
7.4 Status Icons and Their Meaning	113
7.4.1 Signature Status Definitions	113
7.4.2 Document Status Definitions	113
7.4.2.1 Signature status cheat sheet	114
7.5 Troubleshooting a Signature or Document Status	115
7.5.1 Troubleshooting an Identity Problem	115
7.5.1.1 Troubleshooting Digital ID Certificates	116
7.5.1.2 Displaying the Signer’s Certificate	117
7.5.1.3 Verifying the Identity of Self-Signed Certificates	118
7.5.1.4 Checking Certificate Revocation Status	119
7.5.1.5 Exporting a Certificate Other than Yours to a File	120
7.5.2 Troubleshooting a Document Integrity Problem	120
7.5.2.1 LiveCycle Dynamic Forms and the Warning Triangle	121
7.5.2.2 Viewing and Comparing Changes and Versions	122
7.5.2.3 Viewing a List of Post-Signing Modifications	122
7.5.2.4 Comparing a Signed Version to the Current Version	123
7.6 Document Behavior After Signing	124
7.6.1 JavaScript and Dynamic Content Won’t Run	125
7.6.2 Certifying a Document is Prevented	125
7.6.3 Form Field Fill in, Signing, and/or Other Actions Don’t Work	125
Document Integrity and Preview Mode	126
8.1 Preview Mode and Signing Workflows	126
8.2 Preview Mode and Validation (View Signed Version)	127
8.3 PDF Signature Reports	127
8.4 Signature Report Error Codes	129
External Content and Document Security	132
9.1 Enhanced Security	132
9.1.1 Enabling Enhanced Security	133
9.1.2 Changes in FDF Behavior	134
9.1.3 Interaction with Trust Manager	136
9.1.4 Make Privileged Folder Locations Recursive	136
9.2 Controlling Multimedia	136
9.2.1 Configuring Multimedia Trust Preferences	137
9.2.2 Controlling Multimedia in Certified Documents	138
9.3 Setting JavaScript Options	139
9.3.1 High Privilege JavaScript Defined	139
9.3.2 Javascript and Certified Documents	139
9.4 Adobe Trusted Identity Updates	140
9.5 Working with Attachments	141
9.5.1 Default Behavior: Black and White Lists	141
9.5.2 Adding Files to the Black and White Lists	144
9.5.3 Resetting the Black and White Lists	144
9.5.4 Allowing Attachments to Launch Applications	145
9.6 Controlling Access to Referenced Files and XObjects	145
9.7 Internet URL Access	146
9.7.1 Turning Internet Access Off and On	146
9.7.2 Allowing and Blocking Specific Web Sites	147
Migrating and Sharing Security Settings	149
10.1 Security Setting Import and Export	149
10.1.1 Exporting Security Settings to a File	149
10.1.2 Importing Security Settings from a File	150
10.1.3 Importing Security Settings from a Server	152
10.2 Sharing Settings & Certificates with FDF	152
10.2.1 FDF Files and Security	154
10.2.2 Exporting Application Settings with FDF Files	155
10.2.2.1 Distributing a Trust Anchor or Trust Root	155
10.2.2.2 Setting the Certificate Trust Level	158
10.2.2.3 Exporting Your Certificate	158
10.2.2.4 Emailing Your Certificate	159
10.2.2.5 Saving Your Digital ID Certificate to a File	160
10.2.2.6 Requesting a Certificate via Email	161
10.2.2.7 Emailing Server Details	162
10.2.2.8 Exporting Server Details	163
10.2.3 Importing Application Settings with FDF Files	164
10.2.3.1 Responding to an Email Request for a Digital ID	164
10.2.3.2 Importing Someone’s Certificate	166
10.2.3.3 Importing Multiple Certificates	167
10.2.3.4 Importing Timestamp Server Settings	169
10.2.3.5 Importing Directory Server Settings	171
10.2.3.6 Importing Adobe LiveCycle Rights Management Server Settings	172
10.2.3.7 Importing Roaming ID Account Settings	173
10.2.3.8 Importing a Trust Anchor and Setting Trust	175
Glossary of Security Terms	178

Match case Limit results 1 per page

Acrobat 9 Family of Products

Glossary of Security Terms

Security Feature User Guide

180

MSCAPI

Windows Microsoft Crypto API (MSCAPI) is the API that the application uses to access cryptographic

service providers such as PFX files and PKCS#11 files. MSCAPI is also used by the application anytime it

uses a Windows security feature.

OCSP

See Online Certificate Status Protocol.

Online Certificate Status

Protocol (OCSP)

OCSP defines a protocol for determining the revocation status of a digital certificate without requiring a

CRL. Unlike CRL, OCSP obviates the need to frequently download updates to keep certification status

lists current. Acrobat’s OCSP revocation checker adheres to RFC 2560.

organization digital ID, desktop

A digital ID issued to an organization or non-human entity (for example, the Adobe Public Relations

Department). It can be used by an authorized employee to perform signing operations, at the desktop,

on behalf of the company.

organization digital ID, server

A digital ID issued on behalf of an organization or non-human entity (e.g. Adobe Public Relations

Department, Cisco Corporation, etc.) for performing server-based, automated signing operations.

PKCS

group of Public Key Cryptography Standards authored by RSA Security

PKCS#11 device

External hardware such as a smart card reader or token. It is driven by a module (a software driver such

as a .dll file on Windows).

PKCS#11 digital ID

An ID on a PKCS# device. A device may contain one or more IDs.

PKCS#11 format

Cryptographic Token Interface Standard: An encryption format used by smart cards, tokens, and other

PKCS#11-compatible devices. The ID is stored on the device rather than on the user’s computer.

PKCS#11 module

The software module that drives a PKCS#11 device.

PKCS#11 token

See PKCS#11 device.

PKCS#12

Personal Information Exchange Syntax Standard: Specifies a portable, password protected, and

encrypted format for storing or transporting certificates. The certificates are stored in .pfx (Windows)

and .p12 (Macintosh) files. Unlike other formats, the file may contain private keys.

PKCS#7

Certificate Message Syntax (CMS): Files with .p7b and .p7c extensions are registered by the Windows OS.

If you double click on a .p7c file it will be viewed by a Windows application.

Policy Server

As of Acrobat 9, Adobe Policy Server is renamed to Adobe LiveCycle Rights Management Server

privileged context

A context in which you have the right to do something that’s normally restricted. Such a right (or

privilege) could be granted by executing a method in a specific way (through the console or batch

process), by some PDF property, or because the document was signed by someone you trust. For

example, trusting a document certifier’s certificate for executing JavaScript creates a privileged context

which enables the JavaScript to run where it otherwise would not.

qualified certificates

A qualified certificate that conforms to the RFC 3739 specification. It contains a qc statement that simply

states that it is a qualified certificate. These types of certificates meet the requirements of the German

digital signature law, and most qualified certificates currently originate from German trust centers.

qualified electronic signatures

Electronic signatures that use a qualified certificate valid at the time of their creation and that have been

produced with a secure signature-creation device.

roaming ID

A roaming ID is a digital ID that is stored on a server. The private key always remains on the server, but

the certificate and its public key can be downloaded at the subscriber’s request to any location. Roaming

IDs require an Internet connection.

root certificate

The top-most issuing certificate in a certificate chain. It is sometimes used as a trust anchor.

secure signature-creation

devices

(SSCD) Software or hardware products used to store and apply signature code and that are designed for

qualified electronic signatures

security restricted property or

method

A property or method whose availability is restricted to certain events such as batch processing, console

execution, or application startup. For example, in Acrobat 7.0,

a security-restricted method (S) can only

be executed through a menu event if one of the following is true: The JavaScript user preferences item

“Enable menu items JavaScript execution privileges” is checked or the method is executed through a

trusted function. The

JavaScript for Acrobat API Reference

identifies the items that have restrictions.

Table 5

Security Terms