Alignment of Adobe-Approved Trust List (AATL) and EU Trust List (EUTL)

Adobe has long recognized the value of digital signatures as a tool for driving secure transactions in Europe. As a continuation of our previous investments in qualified signature technology, we see the integration of the EU Trust List into Adobe Acrobat and Reader software as the next logical step. Though this sounds like a relatively simple problem, in reality it took some time, requiring agreement with a number of stakeholders outside of Adobe. ETSI’s June 19 announcement of TS 119 612 v1.1.1: Electronic Signatures and Infrastructures (ESI); Trusted Lists is the culmination of many months work by interested stakeholders, and the first step in creating a solution.

Over the past few years, our commitment to advancements in digital signatures has made Acrobat and Reader one of the most readily available means for EU citizens to receive signed electronic documents based on qualified certificates. Some of our most significant milestones include:

  • Developing the “Adobe-Approved Trust List” (AATL) to ensure that qualified certificates issued by valid Certification Service Providers could be recognized by our products.
  • Working with the European Telecommunications Standards Institute (ETSI) to develop the technical specification for PDF Advanced Electronic Signature (PAdES), incorporated into the Adobe Acrobat PDF Reader product in 2009.
  • Enabling the manual import of qualified certificates, in Acrobat 9 and later, into the trust list within Acrobat or Reader, so that qualified signatures are validated.

Our approach has had some limitations. Currently, only certificates imported by the user or included in the AATL are “trusted,” and therefore recognized as valid by Adobe software. Other qualified certificates – including those on the national trust lists – are not recognized by Adobe as legitimate sources.  As a result, users and Certification Service Providers are asking Adobe to do more to recognize national trust lists within Adobe software.

ETSI’s announcement of TS 119 612 v1.1.1: Electronic Signatures and Infrastructures (ESI); Trusted Lists  is the culmination of many months of work by interested stakeholders, including Adobe, and at last provides a stable means of streamlining the recognition of trust lists within software applications. A key concern has been to ensure that there is a stable standard that describes how proprietary trust lists (such as the AATL) interact with national trust lists. This involves a number of separate issues including:

  • The national trust list description needs to be consistent to allow certificates to be read by software applications, otherwise some certificates from certain countries will not be readable
  • Trust lists are built into a number of software applications, most notably web browsers. A standard is needed to ensure that software applications all react in a consistent way when reconciling certificates that are in both the proprietary trust list and the national trust list.

A stable specification is a significant milestone, as it will allow software manufacturers and vendors, including Adobe, to implement the new features into future versions of their software. From an Adobe perspective we are working through a number of technical considerations. Many of these are unique to Adobe, including:

  • Updates – With hundreds of millions of instances of Acrobat/Reader in the world that could potentially encounter a digital signature that needs validation, sending updates is a non-trivial matter from an engineering and bandwidth perspective.
  • User experience – The same functional version is shipped globally. Since not all users will want or require the EUTL functionality, we are investigating the best way to make this option available, and the frequency with which updates will be offered.

It is not our policy to comment publicly on the roadmap for any of our software, however we consider these issues entirely solvable and are working hard to find good solutions. More details of specific implementation plans will be made available in due course.  In the meantime, we look forward to the adoption of the standard by the EC within the planned new Trust Services Regulation, which will replace the current e-Signatures Directive.

Steve Gottwals
Group Product Manager, Acrobat

John Jolliffe
Senior Manager, European Government Affairs

Comments are closed.