Archive for June, 2013

Alignment of Adobe-Approved Trust List (AATL) and EU Trust List (EUTL)

Adobe has long recognized the value of digital signatures as a tool for driving secure transactions in Europe. As a continuation of our previous investments in qualified signature technology, we see the integration of the EU Trust List into Adobe Acrobat and Reader software as the next logical step. Though this sounds like a relatively simple problem, in reality it took some time, requiring agreement with a number of stakeholders outside of Adobe. ETSI’s June 19 announcement of TS 119 612 v1.1.1: Electronic Signatures and Infrastructures (ESI); Trusted Lists is the culmination of many months of work by interested stakeholders, and the first step in creating a solution.

Over the past few years, our commitment to advancements in digital signatures has made Acrobat and Reader one of the most readily available means for EU citizens to receive signed electronic documents based on qualified certificates. Some of our most significant milestones include:

  • Developing the “Adobe-Approved Trust List” (AATL) to ensure that qualified certificates issued by valid Certification Service Providers could be recognized by our products.
  • Working with the European Telecommunications Standards Institute (ETSI) to develop the technical specification for PDF Advanced Electronic Signature (PAdES), incorporated into the Adobe Acrobat PDF Reader product in 2009.
  • Enabling the manual import of qualified certificates, in Acrobat 9 and later, into the trust list within Acrobat or Reader, so that qualified signatures are validated.

Our approach has had some limitations. Currently, only certificates imported by the user or included in the AATL are “trusted,” and therefore recognized as valid by Adobe software. Other qualified certificates – including those on the national trust lists – are not recognized by Adobe as legitimate sources. As a result, users and Certification Service Providers are asking Adobe to do more to recognize national trust lists within Adobe software.

ETSI’s announcement of TS 119 612 v1.1.1: Electronic Signatures and Infrastructures (ESI); Trusted Lists is the culmination of many months of work by interested stakeholders, including Adobe, and at last provides a stable means of streamlining the recognition of trust lists within software applications. A key concern has been to ensure that there is a stable standard that describes how proprietary trust lists (such as the AATL) interact with national trust lists. This involves a number of separate issues including:

  • The national trust list description needs to be consistent so that software applications can read the certificates; otherwise, some certificates from certain countries will not be readable.
  • Trust lists are built into a number of software applications, most notably web browsers. A standard is needed to ensure that software applications all react in a consistent way when reconciling certificates that are in both the proprietary trust list and the national trust list.

A stable specification is a significant milestone, as it will allow software manufacturers and vendors, including Adobe, to implement the new features into future versions of their software. From an Adobe perspective we are working through a number of technical considerations. Many of these are unique to Adobe, including:

  • Updates – With hundreds of millions of instances of Acrobat/Reader in the world that could potentially encounter a digital signature that needs validation, sending updates is a non-trivial matter from an engineering and bandwidth perspective.
  • User experience – The same functional version is shipped globally. Since not all users will want or require the EUTL functionality, we are investigating the best way to make this option available, and the frequency with which updates will be offered.

It is not our policy to comment publicly on the roadmap for any of our software; however, we consider these issues entirely solvable and are working hard to find good solutions. More details of specific implementation plans will be made available in due course. In the meantime, we look forward to the adoption of the standard by the EC within the planned new Trust Services Regulation, which will replace the current e-Signatures Directive.

Steve Gottwals
Group Product Manager, Acrobat

John Jolliffe
Senior Manager, European Government Affairs

Adobe Support for Encrypted Media Extensions

Adobe is actively supporting the development of the Encrypted Media Extensions (EME) to the HTML5 standard. We are working on implementations of the EME and its companion specification, MSE (Media Source Extensions) and have been regular participants in the task force working sessions and email discussions.

HTML has grown to include many capabilities which were previously only provided by browser plugins like Adobe Flash. As a result, more developers are choosing to build applications using Open Web technologies. However, there are applications that are not possible to build today without extending the browser's capabilities. The inclusion of the <video> tag in particular has been a huge step forward, but that capability is limited to playing unprotected videos. To enable the playing of protected videos like feature-length Hollywood films, developers are forced to rely on plugins or non-standard browser extensions. As Adobe supports Open Web development more and more, we need to find a way to provide this capability to developers. I believe the EME specification will help us provide this capability for customers using our Adobe Primetime products.

This EME specification provides benefits to multiple parties. Content providers will benefit from more standardization of the formats used for delivering protected audio and video, lowering their cost for delivering the content. Developers will benefit from easier and faster cross-platform development by leveraging the common Web stack along with the EME APIs. End users will benefit from being able to stay within the familiar browser environment instead of being forced out to standalone proprietary applications. End users may also benefit from increased content options, due to the lower costs to content providers I mentioned above. Everyone will benefit from the reduced API surface area (as compared to existing plugin-based solutions) this exposes to malicious code on the web.

The EME working group has published its First Public Working Draft. We are working with the group to address the issues that have been raised so far and constructive comments are welcome. Adobe is working on our own implementations of EME and once ready, we will make them as widely available as possible. Adobe’s goal is to enable more content to flow to more people on more platforms. I believe strongly that this effort will help us towards achieving that goal.

Joe Steele
Sr. Computer Scientist
Runtime Engineering