Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part Two – “The How – Manual Trust Settings”

PostsThe Archives

In part one of this series, I discussed the three essential questions that Adobe products ask in regards to electronic signatures: (1) is the signature credential in good standing; (2) has the document changed since it was signed, and (3) has the relying party trusted the signer.  This third question is the one that is oftentimes left to the user or organization to answer, due to the unique circumstances of any particular situation.  Today we’ll discuss how users can set up that trust and provide the third leg of the tripod in the intrinsic valdiity of an electronic signature.

Signature credentials are trusted in Adobe products through the establishment and installation of trust anchors and trusted identities.  Trust anchors are typically root certificates—certificates at the top of the hierarchy from which other certificates are derived.  Trusted identities can be any certificate, even an end-entity, or user, certificate.  In any case, in order to pass validation, the signing certificate must either be a trust anchor (root) or be chained to (derived from) that root.

We’ll cover in this post the 3 ways an individual user can set trust in Adobe products.

User Trust Setting #1: The Signature Dialog Box

This is the most straightforward method: a user receives a signed document from an individual who has not been previously trusted by the user. The user opens the document with Adobe Acrobat or Reader, right-clicks on the signature, chooses Show Signature Properties and then Show Certificate. By clicking on the Trust tab within that dialog box, the user can select Add to Trusted Identities to select whether the credential will be trusted for standard approval signatures and/or certification (publishing) signatures.


User Trust Setting #2: Trust Manager

In this method, a user may already have a number of certificates in hand or available (via email, for example) from approved signers and wishes to add them to the Trusted Identity list. The user clicks on the Advanced menu and then chooses Manage Trusted Identities. The user can then simply add or request ‘contacts’ (certificates) and go on to edit that trust.


User Trust Setting #3: Certificate Store (Windows)

In order to best serve the purposes of web browsing, operating system and browser vendors have created lists of trusted identities (SSL certificates) to enable more secure transactions online. Users of Adobe products have the option to allow the software to trust all of the certificates in the Windows Certificate Store, though this option is not selected by default. Why? Adobe believes the store casts too wide a net, and trusts a large number of both high and low assurance certificates, thereby introducing unnecessary risk into a document signing scenario. The rise of the enhanced validation (EV) SSL certificate also highlights this problem.

Despite these concerns, some users may still wish to enable this option. Within the Edit menu, select Preferences, and then Security. Click on the Advanced Preferences button, and then on the Windows Integration tab. The user can then choose to either trust certificates in the Store for validating standard signatures and/or certification signatures.

For more detailed information on these options, be sure to check out this link:

Acrobat & Reader Security Documentation


Posts, The Archives

Posted on 08-29-2008