Adobe 22002486 User Manual

For Acrobat 9.0 and Adobe Reader 9.0

Digital Signature User Guide for Acrobat 9.0 and Adobe Reader 9.0
PDF Creation Date: November 17, 2008
Acrobat® and Adobe® Reader® Version 9.0

Summary of Contents for Adobe 22002486

  • Page 1 PDF Creation Date: November 17, 2008 Digital Signature User Guide for Acrobat 9.0 and Adobe Reader 9.0 Acrobat® and Adobe® Reader® Version 9.0...
  • Page 2 Adobe Systems Incorporated. Please note that the content in this guide is protected under copyright law even if it is not distributed with software that includes an end user license agreement.
  • Page 3: Table Of Contents

    Contents
    Getting Started .... 8
    1.1 What’s in this Guide? .... 8
    1.2 Who Should Read This Guide? .... 8
    1.3 How Should You Use This Guide? .... 9
    1.4 Roadmap to Other Security Documentation .... 9
    Getting and Using Your Digital ID .... 11
    2.1 Digital ID Basics .... 11
    2.1.1 What is a Digital ID? .... 11
    2.1.2 Digital ID Storage Mechanisms .... 12
    2.1.3 Registering a Digital ID for Use in Acrobat .... 13...
  • Page 4 Acrobat 9 Family of Products Security Feature User Guide
    3.4.1 Using Certificates for Certificate Security (Encryption) .... 38
    3.5 Using Directory Servers to Add Trusted Identities .... 38
    3.5.1 Manually Configuring a Directory Server .... 39
    3.5.2 Editing Directory Servers Details .... 40
    3.5.3 Deleting a Directory Server .... 41
    3.5.4 Specifying a Default Directory Server .... 41
    3.5.5 Importing and Exporting Directory Server Settings .... 41
    3.6 Managing Contacts .... 42...
  • Page 5
    7.2.3 Using Root Certificates in the Windows Certificate Store .... 104
    7.2.4 Validating Signatures with Timestamps and Certificate Policies .... 105
    7.3 Validating Signatures Manually .... 106
    7.3.1 Validating Signatures with Adobe Reader .... 106
    7.3.2 Validating a Single Signature in Acrobat .... 106
    7.3.3 Validating All Signatures in Acrobat .... 107...
  • Page 6
    9.3 Setting JavaScript Options .... 139
    9.3.1 High Privilege JavaScript Defined .... 139
    9.3.2 Javascript and Certified Documents .... 139
    9.4 Adobe Trusted Identity Updates .... 140
    9.5 Working with Attachments .... 141
    9.5.1 Default Behavior: Black and White Lists .... 141
    9.5.2 Adding Files to the Black and White Lists...
  • Page 7
    10.2.3.4 Importing Timestamp Server Settings .... 169
    10.2.3.5 Importing Directory Server Settings .... 171
    10.2.3.6 Importing Adobe LiveCycle Rights Management Server Settings .... 172
    10.2.3.7 Importing Roaming ID Account Settings .... 173
    10.2.3.8 Importing a Trust Anchor and Setting Trust .... 175
    11 Glossary of Security Terms...
  • Page 8: Getting Started

    Adobe Acrobat family of products (including Adobe Reader) in digital signature workflows, leverage this guide to help your clients use the product correctly and effectively. This guide should be used in conjunction with the Acrobat...
  • Page 9: How Should You Use This Guide

    1.3 How Should You Use This Guide? If you are setting up a signature workflow for the first time, do not have a digital ID, or have not established some sort of trust for other signers whose signature you need to validate, read Chapter 2, “Getting and Using Your Digital ID”...
  • Page 10 A guide to the documentation in the Adobe Acrobat SDK. Roadmap Acrobat and PDF Library API Reference Developers A description of the APIs for Acrobat and Adobe Reader® plug-ins, as well as for PDF Library applications. JavaScript for Acrobat API Reference Developers A listing of the Acrobat JavaScript APIs.
  • Page 11: Getting And Using Your Digital Id

    Getting and Using Your Digital ID A digital ID is like a driver’s license or passport or other “certified by some entity” paper identification. It proves your identity to people and institutions that you communicate with electronically. These IDs are a critical component of digital signatures and certificate security.
  • Page 12: Digital Id Storage Mechanisms

    Network sharing: Certificates can be stored on a central server. The Trusted Identity Manager can be used to search for certificates on LDAP directory servers. Adobe applications provide tools for configuring and managing directory servers. For details, see “Using Directory Servers to Add Trusted Identities”...
  • Page 13: Registering A Digital Id For Use In Acrobat

    Windows Certificate Store. Import Import Import Import Contains: Certificate and public key only .apf Adobe Profile Files (Legacy): Not used after Acrobat 5. Files can be Import Import Import Import upgraded by double clicking them. Export Contains: Digital ID (public and private keys) 2.1.3 Registering a Digital ID for Use in Acrobat...
  • Page 14: Digital Id Management And The Security Settings Console

      • Finding a Digital ID in a Windows Certificate Store File
      • Adding an ID that Resides on External Hardware...
  • Page 15: Generic Id Operations

      • Adobe Reader (Windows): Edit > Preferences > Identity
      • Adobe Reader (Macintosh): Adobe Reader > Preferences > Identity
    2. Configure the identity details. These details will appear in your signature appearance when you sign with a self-signed digital ID.
  • Page 16: Sharing (Exporting) A Digital Id Certificate

    When you specify ID usage, that ID is the first one in the list you’ll see when you’re asked to select an ID in a signing or encryption workflow.
  • Page 17: Customizing A Digital Id Name

    2. Select Digital IDs in the left-hand tree (Figure All the IDs you have added appear in the right hand panel. The list includes all of the IDs that you can view separately under: Digital ID Files...
  • Page 18: Viewing Digital ID Certificates in the Certificate Viewer

    2. Select Digital IDs in the left-hand tree (Figure 2.2.1). 3. Highlight an ID in the list on the right. 4.
  • Page 19: Managing Pkcs#12 Digital Id Files

    Note: In enterprise settings, you may be instructed by your administrator to get a digital ID from a specific location or to customize Acrobat or Adobe Reader to work with software supplied by your organization. To find a digital ID file: 1.
  • Page 20: Adding And Removing Digital Id Files From The File List

    9. Review the digital ID list and choose Finish. 2.3.3 Adding and Removing Digital ID Files from the File List Adobe Acrobat and Adobe Reader only allow deletion of user-created self-signed digital IDs created with those applications. A file can have one or more IDs.
  • Page 21: Changing A Pkcs#12 File's Password Timeout

    4. Choose Change Password. 5. Enter the old password. 6. Enter a new password and confirm it. 7. Choose OK. Figure 10 Digital ID files: Password configuration 2.3.5 Changing a PKCS#12 File’s Password Timeout Passwords and password time-outs can only be set for PKCS#12 IDs.
  • Page 22: Logging In To Pkcs#12 Files

    Figure 11 Digital ID files: Timeout settings 2.3.6 Logging in to PKCS#12 Files The digital ID Login feature provides access to the IDs in a particular file. Login behavior is dependent on the user-specified password timeout feature.
  • Page 23 These files should always be backed up. On Windows XP, the default location is C:\Documents and Settings\<username>\Application Data\Adobe\<application name>\<version>\Security\ Windows Certificate Store: (Windows only) Stores the ID in the Windows Certificate Store where it...
  • Page 24: Creating a Self-Signed Digital ID

    Figure 13 Digital ID: Configuration 6. Configure the digital ID. The dialog is prepopulated if the Identity preferences have been previously configured: Tip: If you use non-Roman characters, choose Enable Unicode Support before continuing.
  • Page 25: Deleting A Pkcs#12 Digital Id

    Figure 14 Digital ID: PKCS#12 location and password 2.3.8 Deleting a PKCS#12 Digital ID Adobe Acrobat and Adobe Reader only allow deletion of user-created, self-signed digital IDs created by them. The methodology for deleting other types of IDs varies with the type of ID.
  • Page 26: Managing Windows Digital Ids

    The Windows store makes these IDs available to other Windows applications such as Acrobat and Adobe Reader. When an ID in the Windows store is registered with the application, it appears in the Security Settings Console.
  • Page 27: Your Server May Require Additional Or Different Authentication Steps. Follow Directions That

    Digital IDs can reside on hardware such as a smart card or token with a USB interface. In these cases, the card is inserted into a smart card reader or the token is inserted directly into a USB port. Adobe products can be configured to look for and use IDs on these devices by adding the device’s module (software driver)
  • Page 28: Changing Passwords

    PKCS#11 workflows vary by the device supplier. For example, additional passwords or PINs may or may not be required. The login interface may be provided by the Adobe application or by the device supplier.
  • Page 29: Logging in to a Device

    To log in to a device: 1. Choose Advanced (Acrobat) or Document (Reader) > Security Settings. 2. Expand the tree under PKCS#11 Modules and Tokens. 3.
  • Page 30: Managing Certificate Trust And Trusted Identities

    Managing Certificate Trust and Trusted Identities As described in “What is a Digital ID?” on page 11, a digital ID consists of two main parts: a certificate with a public key and a private key. Participants in signing and certificate security workflows need to exchange the public part (the certificate) of their digital ID.
  • Page 31: What is a Trusted Identity?

    security workflows must share their certificates ahead of time. Both operations involve importing other people’s certificates into your Trusted Identities list. When a person’s certificate information appears in the Trusted Identity Manager, they become a trusted identity.
  • Page 32: Adding Someone To Your Trusted Identity List

    Figure 21 Digital ID: Managing trusted identities From within the Manage Trusted Identities dialog, users import and manage the certificates and certificate owner data for document recipients they wish to trust.
  • Page 33: Requesting A Digital Id Via Email

    161. 3.3.2 Importing a Certificate From a File Acrobat and Adobe Reader can export certificates to a file so that they can be shared as needed. To import certificates, follow the instructions described in “Migrating and Sharing Security Settings” on page 149.
  • Page 34: Searching For Digital Id Certificates

    Search button will NOT appear. The list of search servers in the Directories drop-down list is populated through three mechanisms:
      • The default server settings that ship with Adobe Acrobat and Adobe Reader.
      • The Windows Certificate Store if the user has turned on this option.
  • Page 35: Certificate Trust Settings

    6. Select a name from the search results. 7. Choose OK. 8. If the desired entries are found, choose Import. 9. Choose OK when the confirmation dialog appears. Figure 26 Searching for document recipients 3.4 Certificate Trust Settings Contacts in the trusted identities list should be associated with one or more certificates.
  • Page 36 1. Do one of the following: If you already have the certificate: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Certificates in the Display drop down list. 3. Select the certificate. 4. Choose Edit Trust.
  • Page 37: Certificate Trust Settings

    1. Right click and choose Signature Properties. 2. Choose Show Certificate. 3. Select the Trust tab. 4. Choose Add to Trusted Identities. Tip: If Add to Trusted Identities is disabled, the identity is already on your Trusted Identities list.
  • Page 38: Using Certificates For Certificate Security (Encryption)

    Businesses often use a centrally managed certificate repository such as an LDAP directory server. Directory servers are capable of returning X.509 public key certificates. These servers are searchable so that you can easily expand your list of trusted identities. Both Adobe Acrobat and Adobe Reader for Windows ship with default servers:...
  • Page 39: Manually Configuring A Directory Server

      • Versions 7.x:
          • VeriSign Internet Directory Service
          • GeoTrust Directory Service
          • IDtree Directory Service
      • Version 8.x and 9x:...
  • Page 40: Editing Directory Servers Details

      • Port: The server port. 389 is the default port.
      • Search Base: A comma-separated list of name-value pairs used in the search. For example, ...
  • Page 41: Deleting A Directory Server

    3.5.3 Deleting a Directory Server Previously configured directory servers can be removed from the server list at any time. To delete a directory server: 1.
  • Page 42: Managing Contacts

    3.6 Managing Contacts Contacts are those people that will send you documents or receive documents from you. Each contact may be associated with one or more certificates. Like certificates, contacts can be added, removed, edited, and so on from the trusted identity list.
  • Page 43: Emailing Certificate Or Contact Data

    5. Choose OK. 3.6.2 Emailing Certificate or Contact Data You can export certificate and contact data via email directly from the Trusted Identity Manager. Doing so allows other users to add that data to their trusted identity list, thereby expanding the number of users that can participate in secure document workflows.
  • Page 44: Changing A Trusted Identity's Certificate Association

    3.6.5 Changing a Trusted Identity’s Certificate Association Contacts in the Trusted Identity Manager only have value when they are associated with certificates. Therefore, removing a certificate association only makes sense when it is being replaced by another certificate.
  • Page 45: Deleting Contacts and Certificates

    1. Choose Advanced (Acrobat) or Document (Reader) > Manage Trusted Identities. 2. Choose Contacts from the Display drop-down list. 3. Choose a contact in the left-hand list (Figure 33).
  • Page 46: Authoring Signable Documents

    Authoring Signable Documents Acrobat’s digital signature capabilities allow authors to set up a secure signing environment and create simple documents and complex forms with one or more fields. Document authors can design documents with multiple signature fields each with unique behavioral characteristics and appearances. A signed field can lock other fields so that signed data can’t be changed, and authors can force certain signature fields to be a required part of a workflow.
  • Page 47: Setting Signing Preferences

      • Acrobat (Macintosh): Acrobat > Preferences > Security
      • Adobe Reader (Windows): Edit > Preferences > Security
      • Adobe Reader (Macintosh): Adobe Reader > Preferences > Security
    2. Set your preferences as described in the following sections: “Requiring Preview Mode” on page 47...
  • Page 48: Changing The Default Signing Method

    Figure 38 Preview document mode preference 4.2.1.2 Changing the Default Signing Method In some enterprise situations administrators may require a method other than Adobe Default Security. For example, non-Adobe plugins may be used in business environments that require support of biometrics, signature escrow, alternative methods of private key access, and so on.
  • Page 49: Embedding Signature Revocation Status

      • Acrobat (Windows): Edit > Preferences > Security
      • Acrobat (Macintosh): Acrobat > Preferences > Security
      • Adobe Reader (Windows): Edit > Preferences > Security
      • Adobe Reader (Macintosh): Adobe Reader > Preferences > Security
    2. Choose Advanced Preferences. 3. Choose the Creation tab (Figure 39).
  • Page 50: Allowing Signing Reason

      • Acrobat (Windows): Edit > Preferences > Security
      • Acrobat (Macintosh): Acrobat > Preferences > Security
      • Adobe Reader (Windows): Edit > Preferences > Security
      • Adobe Reader (Macintosh): Adobe Reader > Preferences > Security
    2. Choose Advanced Preferences. 3. Choose the Creation tab (Figure 39).
  • Page 51: Requiring Document Warning Review Prior To Signing

      • Adobe Reader (Macintosh): Adobe Reader > Preferences > Security
    2. Choose Advanced Preferences. 3. Choose the Creation tab (Figure 39). 4. Set Enable Reviewing of Document Warnings. Select from the following: Never: Turns off document warning review.
  • Page 52: Customizing Signature Appearances

    A watermark is a partially transparent graphic or logo that appears “behind” a signature. By default, the watermark is the Adobe PDF logo. Line (vector) art that is simple and unobtrusive often works best. 1. Import a logo or create a new one in a program such as Adobe Illustrator.
  • Page 53: Creating A Custom Signature Appearance

    Name: Your text name will appear instead of a graphic. The name is extracted from the signing certificate. Note: By default, the signature watermark is the Adobe PDF logo but it can be customized. To avoid obscuring a background, use line art with a transparent background.
  • Page 54: Editing Or Deleting A Signature Appearance

    Set the text options in the Configure Text panel
      • Name: The name associated with the certificate.
      • Date: The date signed.
    Note: Signature appearances can only display local (computer) time, and it will likely differ from that in the Date/Time tab on the Signature Properties dialog when a timestamp server is used.
  • Page 55: Using Timestamps During Signing

    1. Choose Edit > Preferences (Windows) or Acrobat > Preferences (Macintosh). 2. Choose Security in the left-hand list. 3. Highlight an appearance in the Appearance panel. 4.
  • Page 56: Working With Signature Fields

    Figure 46 Timestamps: Entering server details 4.3 Working with Signature Fields Signature fields are a type of form field, and both Acrobat and Adobe Reader ignore whether they are authored with Forms Designer or Acrobat. Digital signatures behave uniformly irrespective of the...
  • Page 57: Creating A Blank Signature Field

    For details about customizing one or more fields, see the following:
      • Specifying General Field Properties
      • Customizing Field Appearances
      • Changing the Default Field Appearance...
  • Page 58: Specifying General Field Properties

    4.3.2 Specifying General Field Properties A signature field’s general properties include name, tooltip, display behavior, and so on. For example, fields are numbered sequentially and are associated with a generic tooltip. However, the field can be given a unique name, provided with tooltip instructions for an eventual signer, and configured to display only in the Signatures tab and not in the document.
  • Page 59: Customizing Field Appearances

    Figure 48 Signature field: General properties 4.3.3 Customizing Field Appearances Field border properties, fill color, fonts, and so on can be individually specified. These properties are NOT editable during signing workflows.
  • Page 60: Changing The Default Field Appearance

    4.3.4 Changing the Default Field Appearance The default appearance of a blank signature field is a light blue box with no borders that performs no action on signing.
  • Page 61: Creating Multiple Copies Of A Signature Field

    To arrange multiple fields: 1. Place the fields in edit mode by selecting Forms > Add or Edit Fields. 2. Drag a rectangle around the fields to arrange. 3.
  • Page 62: Authoring Signable Forms

    4.4 Authoring Signable Forms Many documents that require signatures are forms. Some forms may have multiple signature fields, with different signers providing data in certain other form fields. In such cases, document design, field layout, and even field appearance may contribute to the ease with which the form can be integrated into an efficient business process.
  • Page 63: Making A Field A Required Part Of A Workflow

    Preventing users from changing form data after the document has been signed. To automatically lock one or more fields after signing: 1.
  • Page 64: Specifying A Post-Signing Action

    2. Right click on the field and choose Properties. 3. Check Required on the General tab. 4. Choose Close. Users can still open, close, save, and send the document without any indication that the field is required until the document author sets up a check for the required flag.
  • Page 65: Specifying a Post-Signing Action

    Figure 54 Signature field: Action properties 3. Configure the options:
      • Select Trigger: Choose a type of action.
      • Mouse Up: The user clicks on the field and releases...
  • Page 66: Unlocking A Field Locked By A Signature

    Table 6 Actions that can be associated with a signature field Action Description Open a File Launches and opens a file. If you are distributing a PDF file with a link to a non-PDF file, the reader needs the native application of the non-PDF file to open it successfully.
  • Page 67: Controlling Signing With Seed Values

    To set seed values for Acrobat forms, JavaScript calls must be used because no direct user interface is provided. To set seed values for LiveCycle Forms, the Adobe LiveCycle Designer user interface can be used to set seed values in the signature field Properties panel.
  • Page 68: Changes Across Releases

    Seed values should not be set on signed documents and cannot be set on certified documents after the document is certified. They are primarily used to configure fields on documents that are not yet signed.
  • Page 69: Supported Seed Values

    5.1.2 Supported Seed Values Note: The examples in this document demonstrate the simplest case. For more information, refer to the Acrobat JavaScript Scripting Guide and JavaScript for Acrobat API Reference. Table 8 Seed values: Object properties and descriptions Property Type...
  • Page 70: Enabling Javascript To Set Seed Values

    Table 8 Seed values: Object properties and descriptions Property Type Description reasons array of A list of reasons that the user is allowed to use when signing. strings (Acrobat 8.0) If this array contains a single empty string and reasons are marked as required using the flags variable, Acrobat will not allow a signing reason.
  • Page 71: Forcing A Certification Signature

    3. Check Enable JavaScript. 4. Check Enable JavaScript debugger after Acrobat is restarted. 5. Restart Acrobat. To set seed values with the console (JavaScript debugger) in Acrobat, do the following: 1.
  • Page 72: Forcing a Certification Signature

    Note: If a document is already signed, fields with the property specified will NOT invoke the certifying workflow. No error is given. Do not use unless you are sure the requisite field will be the first one signed.
  • Page 73: Giving Signers The Option To Lock A Document

    Figure 57 Seed values: Custom legal attestations 5. Highlight the JavaScript and choose Control + Enter or choose the Enter key on the numeric keypad. When someone signs the field, the certifying workflow is invoked and only the specified settings will be available...
  • Page 74: Forcing Signers To Use A Specific Signature Appearance

    false: A false value indicates that the document should not be locked after signing. By default, the user...
  • Page 75: Adding Custom Signing Reasons

    Authors in such environments can specify which signature appearance is required for any given signature field. As with other seed values, a flag bit is used to indicate whether or not the field is a recommendation or mandatory.
  • Page 76: Specifying Timestamps For Signing

    Table 9 Reason field behavior # of Reasons UI Pref Flag Reason Behavior 0 (empty array) Required Reason field does not appear in UI. 0 (empty array) Optional Reason field does not appear in UI.
  • Page 77: Specifying Alternate Signature Handlers And Formats

    2. Create the JavaScript that gets the field object and uses the seed value method (Example 5.5). 3. Provide a URL for the object.
  • Page 78 Signature handlers perform a number of filter functions including signature validation. While Acrobat ships with a default handler (Adobe.PPKLite), custom or third-party handlers such as those from Entrust and VeriSign may be used. The Acrobat SDK describes how to write a custom handler (Adbe.DocSign).
  • Page 79: Specifying A Signature Hash Algorithm

    5.8 Specifying a Signature Hash Algorithm When a signer’s digital ID contains RSA public and private keys, it is possible to specify alternative signature hash algorithms.
  • Page 80: Specifying Certificate Properties For Signing

    4. Run the JavaScript, save the document, and test the field. Example 5.8 Hash algorithm seed value // Obtain the signature field object: var f = this.getField("mySigFieldName");...
  • Page 81: Specifying Certificate Properties for Signing

    Table 11 Seed values: certSpec properties Property Type Description flags number A set of bit flags controlling which of the following properties of this object are required.
  • Page 82: Specifying Signing Certificates Origin

    Table 11 Seed values: certSpec properties Property Type Description subject array of One or more subjects that are acceptable for signing. The subject property identifies certificate specific individuals (as certificate owners) that can sign.
  • Page 83: Specifying Certificates By Key Usage

    1. Create a signature field with an intuitive name and tooltip. 2. Get the required certificates and install them in some accessible location. Tip: They must be in a .
  • Page 84: Specifying Certificates By Policy

    1. Specify 00, 01, 10, or 11 for each of the keyUsage values beginning with the least significant bit (the last one in the list in Table 11).
  • Page 85: Specifying A Url When A Valid Certificate Is Not Found

    Figure 62 Policy OID Example 5.11 Certificate policy seed value var myIssuerCert = security.importFromFile("Certificate", "/C/Temp/nebsCompany_DER.cer"); // Obtain the signature field object: var f = this.getField("mySigFieldName");...
  • Page 86: Restricting Signing To A Roaming Id

    Example 5.12 Alternate certificate URL seed value // Obtain the signature field object: var f = this.getField("mySigFieldName"); var mySubjectCert = security.importFromFile("Certificate", "/C/Temp/nebwhifflesnit_DER.cer");...
  • Page 87 can easily create custom signing menu items, automate tasks, and perform other operations beyond those described in the preceding seed value sections. For example, Example 5.14 performs a number of operations that would simplify signing operations in an...
  • Page 88 field.borderStyle = border.s; field.fillColor = color.ltGray; //a text field to display what seed values set to the sig field var textField = this.addField("aText", "text",0, [110,360,500,550]); textField.borderStyle = border.s;...
  • Page 89: Signing Documents

    Signing Documents Like a conventional, handwritten signature, digital signatures identify the signer. However, digital signatures also enhance security because they store information about the signer as well as the signed document. For example, signatures can be used to verify signed content has not been altered, confirm the signer’s identity and to prevent the signer from denying their own signature.
  • Page 90: Signing User Interface

    Approval Signature: An approval signature is any signature that was applied without choosing Certify Document. Any signature other than the first one must be an approval signature. Use approval signatures for the following: For any signature other than the first.
  • Page 91: Document Locking

    Because certification is designed to carry more legal weight than an uncertified document, greater attention to the content and process is typically warranted. Certification signatures are automatically validated even if the application preference to automatically ...
  • Page 92: Certification Workflow For Documents With Multiple Signers

    Figure 63 Certified document indicators Legal Attestations and Warnings Comments For documents with dynamic content, signers may want to add a legal attestation or comment indicating the included content has been reviewed and is specifically permitted.
  • Page 93: Setting Up A Document For Certification

    Note: The certifier’s warning comment is not viewable via preview mode. 6. The recipient decides whether or not to continue modifying and signing the document based on the list of warnings and certifier’s warning comment (if any).
  • Page 94 You can customize the way a certified document behaves for signers by giving form fields additional features 2. Choose View Report to invoke the PDF Signature Report dialog. Acrobat checks to see if the document contains dynamic content that could adversely impact the integrity of the document.
  • Page 95: Certifying A Dynamic Form

    Figure 64 Certifying a document: Document integrity warnings 8. If there are any document warnings in the PDF Signature Report, do the following: Review the warnings and determine whether it is acceptable to certify the document as is. If not ...
  • Page 96: Why Can't I Certify

    To configure a dynamic form for certifying: Choose File > Form Properties and display the Defaults tab. In the Scripting panel, set Preserve Scripting Changes to Form When Saved to Manual. When the form is subsequently opened in Acrobat or Adobe Reader (with signing rights), certification will be possible. Figure 66 Dynamic form certification setting 6.2.5 Why Can’t I Certify?
  • Page 97 To sign a document with an approval signature: 1. Initiate the approval signing process by doing one of the following: Sign an existing field: Click on a signature field.
  • Page 98: Signing In A Browser

    Figure 68 Signing a document: Signature details 5. Configure the Sign Document dialog: Digital ID: Select a digital ID. The digital ID selected as the default for signing is automatically ...
  • Page 99: Clearing One Or More Signatures

    6.3.3 Clearing One or More Signatures Clearing a signature field deletes the signature but leaves the empty field. Not all signatures can be cleared. You may be prevented from deleting the signature in the following cases: You cannot delete someone else’s signature.
  • Page 100: Validating Signatures

    “Viewing and Comparing Changes and Versions” on page 122 7.1 Signature Validity Basics As part of the signature validation process, Acrobat and Adobe Reader verify the signer’s identity as well as the document’s integrity. 7.1.1 What Makes a Signature Valid? Signature validity is determined by checking the signature’s digital ID certificate status (is it valid and...
  • Page 101: Authenticity Verification

    To verify if a document has changed after signing (has integrity), Acrobat or Adobe Reader must have a way to uniquely identify what was signed. To do this, it uses a message digest. A message digest is a number which is created algorithmically from a file and which uniquely represents that file.
  • Page 102: Setting Up Your Environment For Signature Validation

    A signature applies to a version (e.g. signature X with version X and signature Y with version Y, etc.). When you open a document in Adobe Acrobat or Adobe Reader, the current version always displays. Note: To learn more about how each signature results in a new version of the document, refer to http://www.adobe.com/devnet/acrobat/pdfs/DigitalSignaturesInPDF.pdf.
  • Page 103: Setting Digital Signature Validation Preferences

    To configure automatic signature validation: 1. Choose Edit > Preferences (Windows) or Acrobat (or Adobe Reader) > Preferences (Macintosh). 2. Choose Security in the left-hand list. 3. Check Verify signatures when document is opened.
  • Page 104: Using Root Certificates In The Windows Certificate Store

    5. Check or uncheck Require that certificate revocation checking be done whenever possible during signature validation. This option checks certificates against a list of revoked certificates during validation, either with the Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL).
  • Page 105: Validating Signatures With Timestamps And Certificate Policies

    Figure 71 Trusting Windows root certificates 2. Specify the trust level for all root certificates in the Windows Certificates Store: Validating signatures: Certificates will be trusted for approval signature validation. ...
  • Page 106: Validating Signatures Manually

    7.3.1 Validating Signatures with Adobe Reader The process for validating one or more signatures in Adobe Reader is similar to Acrobat. However, the top level menu item is labelled Document instead of Advanced. Therefore, the validation paths are as follows: Document >...
  • Page 107: Validating All Signatures In Acrobat

    Highlight a signature in the Signatures tab, and choose Advanced > Sign & Certify > Validate Signature or open the Signature Properties dialog and choose Validate Signature. Figure 72 Signatures tab: Validate signature 7.3.3 Validating All Signatures in Acrobat All signatures in a document may be validated simultaneously.
  • Page 108: Validating An Problematic Signature (Trusting A Signer On-The-Fly)

    7.3.4 Validating a Problematic Signature (trusting a signer on-the-fly) If a signer’s digital ID certificate has not been explicitly trusted, the signer is untrusted and the signer’s signature validity will be problematic.
  • Page 109 willing to trust. Revocation checking starts at the bottom of a chain (begins with the end entity), and once it reaches a trusted root revocation checking stops. Figure 76 Certificate viewer: Trust tab 6.
  • Page 110: Validating Signatures For Other Document Versions

    Documents with multiple signatures contain the elements needed to reconstruct any previous version of the document as it existed at the time of signing. In other words, Acrobat and Adobe Reader “remember” that version A is signed, that changes were made to version B, and so on. Therefore, it may be necessary to view the signed version in order to see what content was actually signed.
  • Page 111 What is a timestamp? A timestamp is like a signature inside of a signature. Like signatures, timestamps are provided by someone (a timestamp authority) who uses a certificate to confirm their identity. A timestamp’s certificate must be valid (not revoked by the issuer) and trusted (by you) for the timestamp to be valid.
  • Page 112: When Timestamps Can't Be Verified

    Note: The following steps add a timestamp certificate to your list of trusted identities. 3. Choose Show Certificate. 4. When the Certificate Viewer appears, choose the Trust tab. 5.
  • Page 113: Status Icons And Their Meaning

    7.4 Status Icons and Their Meaning By default, signatures are validated automatically when a document opens. You can change this behavior as described in “Validating Signatures Automatically”...
  • Page 114: Signature Status Cheat Sheet

    7.4.2.1 Signature status cheat sheet...
  • Page 115: Troubleshooting A Signature Or Document Status

    Note: Trust does not happen automatically. For a signature to be trusted, your application must be configured for that trust. That configuration could be the result of actions by Adobe, your administrator, or you. To troubleshoot authenticity problems, open the signature panel and expand the information for the problematic signature.
  • Page 116: Troubleshooting Digital Id Certificates

    Show Signature Properties and then Show Certificate). Specify the certificate’s trust settings as described in “Certificate Trust Settings” on page Verify that a revocation check occurred. Open the Certificate Viewer’s Revocation tab (right click on ...
  • Page 117: Displaying The Signer's Certificate

    Table 12 Certificate Viewer information What it shows What you can do Policies Lists policy OIDs associated with this certificate, View policy details. if any. Describes the policy. Legal Notice Displays a generic legal disclaimer, the If an issuer policy is used, the policy can be displayed.
  • Page 118: Verifying The Identity Of Self-Signed Certificates

    Figure 83 Certificate Viewer 7.5.1.3 Verifying the Identity of Self-Signed Certificates Certificates are usually issued by a trusted, third-party certificate authority such as VeriSign. However, anyone can set up a certificate authority or create a self-signed certificate purporting to be anyone else.
  • Page 119: Checking Certificate Revocation Status

    Only the certificate issuer (a certificate authority) has the right to revoke a certificate. A certificate could be revoked because its security might be compromised, it could be invalid for some reason, or the owner of the ID might have left the company. Adobe applications check revocation status as part of their public key authentication.
  • Page 120: Exporting A Certificate Other Than Yours To A File

    Figure 85 Trusted Identities: Viewing revocation status 7.5.1.5 Exporting a Certificate Other than Yours to a File Users in enterprise settings can send problem certificates to their system administrator or help personnel for troubleshooting.
  • Page 121: Livecycle Dynamic Forms And The Warning Triangle

    Right click on a signature and choose View Signed Version or choose Click to view this version in the Signature pane to view the version that was signed. Review the status for this version. For details, see Chapter 8, “Document Integrity and Preview Mode”...
  • Page 122: Viewing And Comparing Changes And Versions

    7.5.2.2 Viewing and Comparing Changes and Versions Document authors and recipients often need to know if a document has changed since it was signed. Acrobat keeps track of a document’s version number, stores previous document versions in their entirety, and enables users to compare document versions by work and page.
  • Page 123: Comparing A Signed Version To The Current Version

    7.5.2.4 Comparing a Signed Version to the Current Version Note: The Compare feature is not available in Adobe Reader. As you revise a document and save it to a different name or location, you can verify that you have the latest version by comparing it against an older version.
  • Page 124: Document Behavior After Signing

    Figure 87 Compare: By page summary report Figure 88 Compare: By page 7.6 Document Behavior After Signing A document’s behavior will likely change after it has been signed. Some of its content may not work (multimedia may not play), some of the application’s menu items may be disabled so that you can’t use them, and so on.
  • Page 125: Javascript And Dynamic Content Won't Run

    7.6.1 JavaScript and Dynamic Content Won’t Run High privilege JavaScript and dynamic content in documents will only run if you have explicitly trusted the sender’s digital ID certificate for such actions.
  • Page 126: Document Integrity And Preview Mode

    Document Integrity and Preview Mode Since 8.1, Acrobat has defined PDF features that should be avoided when producing a document that has a deterministic and repeatable visual rendering. Acrobat’s preview mode feature is designed to display that rendering to users during signing and signature validation. Preview mode analyzes a document for signing best practices and generates a report and messages which indicate the presence of content that might violate those practices.
  • Page 127: Preview Mode And Validation (View Signed Version)

    8.2 Preview Mode and Validation (View Signed Version) Acrobat and Adobe Reader store in signed documents a unique document version for every signature in the document. In other words, they “remember” that version A is signed, that changes were made to version B, and so on.
  • Page 128: Content Preview Mode Cannot Suppress

    Content preview mode cannot suppress Documents that contain content or behaviors which are dynamic or invisible and which cannot be suppressed in preview mode automatically invoke the PDF Signature Report dialog. For example, preview mode cannot suppress (eliminate from the document or make static) externally referenced images, multimedia content outside of the PDF file, and TrueType fonts.
  • Page 129: Signature Report Error Codes

    Figure 93 PDF Signature Report: Suppressed content No external dependencies or dynamic content For the highest level of document integrity insurance, do not allow dynamic content or any content with external dependencies.
  • Page 130 Some or all of the content is encrypted and the encryption method is not available in standard Acrobat open in the future installations. For example, the document may be protected by the Adobe Policy Server. Document contain streams encrypted using crypt filter.
  • Page 131 Table 15 External Content String Code Description Document links to 3000 Document links to images not in the PDF. No external XObjects allowed. external content Document links to 3001...
  • Page 132: External Content And Document Security

    External Content and Document Security Document access to internal and external content such as the Internet, attachments, and embedded multimedia represents a security risk. Users should configure their application so that it operates at an acceptable risk level. In enterprise settings, administrators should either preconfigure client installations or distribute instructions for setting up the application correctly.
  • Page 133: Enabling Enhanced Security

    Add Folder Path: If you have a large number of files that you trust, specify an entire directory. Add Host: Enter the name of the root URL only. For example, enter www.adobe.com but not www.adobe.com/products. To only allow higher privileges for files accessed from secure connections, select the option for Secure Connections Only (https:).
  • Page 134: Changes In Fdf Behavior

    Figure 95 Enhanced security: Configuration dialog 9.1.2 Changes in FDF Behavior FDF files are data exchange files. Like .acrobatsecurity files, they help you move certificate, server, and other data from one machine to another.
  • Page 135: Examples Of Prevented Behavior

    Table 17 Rules for opening a PDF via FDF Action location location 8.x behavior 9.x behavior Data injection Allowed Allowed if: Data returned via a form submit with ...
  • Page 136: Interaction With Trust Manager

    9.1.4 Make Privileged Folder Locations Recursive You can extend privileged locations to be recursive by configuring a registry setting. For details, refer to the Security Administration Guide for Acrobat 9.0 and Adobe Reader 9.0. 9.2 Controlling Multimedia The Acrobat family of products have a notion of trusted documents and other documents (documents that have not been trusted).
  • Page 137: Configuring Multimedia Trust Preferences

    Controlling multimedia behavior in documents begins with specifying preferences for trusted documents and other documents. To configure multimedia preferences: 1. Open the Multimedia Trust Manager: Acrobat and Adobe Reader (Windows): Edit > Preferences > Multimedia Trust; Acrobat and Adobe Reader (Macintosh): (Application) > Preferences > Multimedia Trust ...
  • Page 138: Controlling Multimedia In Certified Documents

    1. Check or uncheck Allow multimedia operations. 2. Set multimedia player permissions as follows: Select the player in the list and select an option from the Change permission for selected multimedia player to drop-down list: Always: The player is used without prompting.
  • Page 139: Setting Javascript Options

    Never allow multimedia for untrusted documents: Never trust any certificate for dynamic content and clear your trusted document list. Then configure your Other Document multimedia settings to Never or Prompt.
  • Page 140: Adobe Trusted Identity Updates

    Figure 99 JavaScript Security option 9.4 Adobe Trusted Identity Updates In order to facilitate workflows that use certificates, Adobe occasionally sends new certificates configured as trust anchors to application users. These certificates allow you to validate signatures that are signed with certificates that chain up to those trusted certificates.
  • Page 141: Working With Attachments

    Figure 100 Automatic updates 9.5 Working with Attachments Before attempting to modify the application’s default behavior, you should understand the default behavior. For details, see the following: “Default Behavior: Black and White Lists”...
  • Page 142 Table 4 Default prohibited file types (Extension: Description): .cer: Internet Security Certificate file (MIME x-x509-ca-cert); .chm: Compiled HTML Help; .class: Java Class file; .cmd: DOS CP/M Command file, Command file for Windows NT...
  • Page 143 Table 4 Default prohibited file types (Extension: Description): .mau: Media Attachment Unit; .mav: Access View Shortcut (Microsoft); .maw: Access Data Access Page (Microsoft); .mda: Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft); .mde...
  • Page 144: Adding Files To The Black And White Lists

    Table 4 Default prohibited file types (Extension: Description): .vsmacros: Visual Studio .NET Binary-based Macro Project (Microsoft); .vss: Visio Stencil (Microsoft); .vst: Visio Template (Microsoft); .vsw...
  • Page 145: Allowing Attachments To Launch Applications

    Figure 102 Attachment panel in Trust Manager 9.5.4 Allowing Attachments to Launch Applications The Trust Manager enables users to control whether or not non-PDF attachments can open with other applications.
  • Page 146: Internet Url Access

    5. Choose OK. Figure 103 Resource access 9.7 Internet URL Access Your application can inform you when a PDF file is attempting to connect to an Internet site. Opening a Web page represents a security risk because malicious content can be transferred whenever the application communicates with the Internet.
  • Page 147: Allowing And Blocking Specific Web Sites

    Figure 105 Manage Internet Access dialog 9.7.2 Allowing and Blocking Specific Web Sites The Acrobat family of products maintain a white and black list of URLs called the Trust List. Users can specify whether or not URL access is allowed on a global or per-URL basis.
  • Page 148 To configure Internet resource access on a per-URL basis, add specific Web sites to the black and white lists: 1. Choose Edit > Preferences (Windows) or Acrobat (or Adobe Reader) > Preferences (Macintosh). 2. Select Trust Manager in the Categories panel.
  • Page 149: Migrating And Sharing Security Settings

    ID data, trust, server details, signing preferences, and so on. Settings can only be exported from Acrobat but settings can be imported by both Acrobat and Adobe Reader. 10.1.1 Exporting Security Settings to a File Settings can only be exported from Acrobat.
  • Page 150: Importing Security Settings From A File

    9. You will be required to certify the file by signing it with a certification signature. When the certification workflow begins, choose OK. 10. Sign and save the file. 10.1.2 Importing Security Settings from a File Settings can be imported by both Acrobat and Adobe Reader. To import security settings:...
  • Page 151 1. Choose Advanced > Security > Import Security Settings. 2. Browse to an .acrobatsecuritysettings file. 3. Choose Open. 4. .acrobatsecuritysettings files must be certified and are therefore signed. You can verify the signer’s identity by choosing the Signature Properties in the Document Message Bar and reviewing the signer’s details.
  • Page 152: Importing Security Settings From A Server

    Figure 112 Security setting import: Success dialog 10.1.3 Importing Security Settings from a Server If your organization distributes security settings periodically, you can set up Acrobat to regularly check for updates to these policies.
  • Page 153 Acrobat and Adobe Reader support the use of FDF files to exchange data between the Acrobat family of client and server products. FDF files use a .fdf extension, and like .pdf, it is registered by Adobe so that the required application is used to open these files via a browser or file explorer. Acrobat provides the following FDF features: Import and export of digital ID certificates.
  • Page 154: Fdf Files And Security

    “Distributing a Trust Anchor or Trust Root” on page 155 “Setting the Certificate Trust Level” on page 158 “Exporting Your Certificate” on page 158 ...
  • Page 155: Exporting Application Settings With Fdf Files

    Table 5 Rules for opening a PDF via FDF Action location location 8.x behavior 9.x behavior Data injection server browser Allowed Allowed if: Link to PDF contains #FDF=url.
  • Page 156: Exporting A Trust Anchor

    When Acrobat exports a certificate, it automatically exports other selected certificates in that certificate’s chain and includes them in the FDF file. 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Certificates in the Display drop-down list.
  • Page 157 Figure 115 Selecting a certificate chain for export 6. Choose Export. 7. Choose one of the following: Email the data to someone: Emailing the data automatically creates an FDF file that other Adobe product users can easily import. Save the exported data to a file: Acrobat FDF Data Exchange. FDF is a format recognized by the ...
  • Page 158: Setting The Certificate Trust Level

    When distributing a trusted root in a signed file that the FDF recipient can validate, set the certificate trust level: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Certificates in the Display drop-down list.
  • Page 159: Emailing Your Certificate

    To email a digital ID certificate: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Security Settings. 2. Select Digital IDs in the left-hand tree. 3. Highlight an ID in the list on the right. If you have more than one, choose the one that is appropriate for the usage context.
  • Page 160: Saving Your Digital Id Certificate To A File

    Certificate Message Syntax - PKCS#7: Save the file as a PKCS7 file. Use this format when the data will be imported into a non-Adobe store such as the Macintosh key store or Windows Certificate Store. 7. Choose Next.
  • Page 161: Requesting A Certificate Via Email

    When you request digital ID information from someone, the application automatically attaches to the email an FDF file containing your contact information and certificate. To request a certificate from someone: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Request Contact. Figure 119 Emailing a certificate request 3.
  • Page 162: Emailing Server Details

    Save, and then choose OK. Tell the intended recipient(s) where to find the file. 10.2.2.7 Emailing Server Details Adobe LiveCycle Rights Management Server, directory server, roaming credential server, and timestamp server details can be exported to an FDF file for distribution to one or more people. Server information sent via an email resides in an attached FDF file.
  • Page 163: Exporting Server Details

    12. Choose Finish. 10.2.2.8 Exporting Server Details Adobe LiveCycle Rights Management Server, directory server, roaming ID, and timestamp server details can be exported to an FDF file for distribution to one or more people. Server information can be written to a file and saved to any location.
  • Page 164: Importing Application Settings With Fdf Files

    ID so that it can be added to their trusted identities list. One way someone can get your ID is to request it in an email. To request your certificate, a user will simply choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities and then choose Request Contact. Acrobat automatically attaches an FDF file with their public certificate to an email that requests your digital ID.
  • Page 165 Acrobat 9 Family of Products Migrating and Sharing Security Settings Security Feature User Guide Importing Application Settings with FDF Files To respond to an email digital ID request: 1. Double click the attached FDF file. 2. Choose Email your Certificate. Figure 125 Emailing your certificate 3.
  • Page 166: Importing Someone's Certificate

    To add someone’s certificate to your list of trusted identities: 1. Click on the FDF file or, from Acrobat or Adobe Reader, choose File > Open. The digital ID certificate may be sent directly from Acrobat as an email attachment or may reside in a networked directory.
  • Page 167: Importing Multiple Certificates

    To add multiple certificates to the trusted identities list all at once: 1. Click on the FDF file or, from Acrobat or Adobe Reader, choose File > Open. The digital ID certificate may be sent directly from Acrobat as an email attachment or may reside in a networked directory.
  • Page 168 Figure 129 Importing multiple certificates 2. If the FDF file is signed, the signature can be validated, AND a trust level has been specified by the sender, check or uncheck Accept the level of Trust specified by the signer for all Contacts in this file.
  • Page 169: Importing Timestamp Server Settings

    1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Time Stamp Servers in the left-hand list, and choosing Import.
  • Page 170 If No is selected, a default timestamp server must be set before timestamps can be used. To set a default timestamp server, choose Advanced (Acrobat) or Document (Adobe Reader) > Security Settings > Time Stamp Servers, select a server, and choose Set Default.
  • Page 171: Importing Directory Server Settings

    1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Directory Servers in the left-hand list, and choosing Import.
  • Page 172: Importing Adobe Livecycle Rights Management Server Settings

    1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Adobe LiveCycle Rights Management Servers in the left-hand list, and choosing Import.
  • Page 173: Importing Roaming Id Account Settings

    4. Choose OK. 5. Choose Import. 6. If you do not already have a default Adobe LiveCycle Rights Management Server, a dialog appears asking whether or not you want to make this your default server; choose Yes or No. 7. Choose OK.
  • Page 174 Figure 136 Importing roaming ID server settings 3. Choose Import. 4. Verify the roaming ID account name and server URL. Figure 137 Roaming ID server name and URL 5.
  • Page 175: Importing A Trust Anchor And Setting Trust

    Click on the FDF file. It may be an email attachment or a file on a network or your local system. In Acrobat or Adobe Reader choose File > Open, browse to the FDF file, and choose Open. ...
  • Page 176 Tip: If Add to Trusted Identities is disabled, the identity is already on your Trusted Identities list. To change the trust settings, you must use the first method above. 5.
  • Page 177 Dynamic content: Trusts multimedia and other dynamic content in certified documents. Selecting this option automatically adds documents that are certified with this certificate to the Trusted Documents list which is maintained by the Multimedia Trust Manager.
  • Page 178: Glossary Of Security Terms

    See PKCS#7. .pfx See PKCS#12. Adobe Profile Files Adobe's legacy certificate format not used after Acrobat 5. The certificates are stored in .apf files. This format is not supported as of version 9.0. ALCRMS Adobe LiveCycle Rights Management Server. approval signature A signature used to indicate approval of, or consent on, the document terms.
  • Page 179 An Adobe security partner that has joined the Adobe CDS program to provide CDS digital IDs to end users and organizations. As of Acrobat 6, Adobe Reader and Acrobat trust CDS digital IDs and are able to validate signatures that use GeoTrust digital IDs, without requiring any special application configuration.
  • Page 180 Acrobat’s OCSP revocation checker adheres to RFC 2560. organization digital ID, desktop A digital ID issued to an organization or non-human entity (for example, the Adobe Public Relations Department). It can be used by an authorized employee to perform signing operations, at the desktop, on behalf of the company.
  • Page 181 Acrobat 9 Family of Products Glossary of Security Terms Security Feature User Guide Table 5 Security Terms SSCD See Secure signature-creation devices timestamp The date and time that a digital signature was applied. The time stamp data is embedded in the digital signature using a trusted time server (instead of the time clock of the computer that is used to apply the digital signature).
  • Page 182: Index

    Index .mdw 143 .mdz 143 .ade 141 .msc 143 .adp 141 .msi 143 .apf 178 .msp 143 .apf Digital IDs no longer supported 14 .mst 143 .app 141 .ocx 143 .asp 141 .ops 143 .bas 141 .p12 178 .bat 141 .p7b 178 .bz 141 .p7c 178...
  • Page 183 1006 130 Adding Someone to Your Trusted Identity List 32 1007 130 Adobe Profile Files 178 1008 130 Adobe Trusted Identity Updates 140 1009 130 ALCRMS 178 Allowing and Blocking Specific Web Sites 147 Allowing Attachments to Launch Applications 145...
  • Page 184 Acrobat 9 Family of Products Index Security Feature User Guide Certificates in the Trusted Identities list 158 Custom Workflows and Beyond 86 Certification Signature 89 Customizing a Digital ID Name 17 certification signature 178 Customizing Field Appearances 59 Certification Workflow for Documents with Multiple Signers Customizing Signature Appearances 52 Cut, Copy, and Paste Signature Fields 60 certified document 178...
  • Page 185 Importing a Certificate From a File 33 end entity certificate (EE) 179 Importing a Trust Anchor and Setting Trust 175 end entity certificate. 179 Importing Adobe LiveCycle Rights Management Server Enhanced Security 132 Settings 172 Enhanced security Importing Adobe LiveCycle Server settings 172...
  • Page 186 Logging in to a Device 28 Logging in to a Digital ID File 19 Logging in to a roaming ID server 174 Logging in to an Adobe LiveCycle Rights Management Page content may silently change 130, 131 Server 173 Password 40...
  • Page 187 Port 40 Security setting preferences for server import 152 Presentation elements may change appearance 130 Security settings Preventing Multimedia Playback in Certified Documents Document message bar 151 Encryption method 150 Preview document mode preference 48 Export dialog 150 Preview Mode and Signing Workflows 126...
  • Page 188 Validating Signatures for other Document Versions 110 Tape Archive file 143 Validating Signatures Manually 106 Temporary file or Folder 143 Validating Signatures with Adobe Reader 106 Text appearance may silently change 130 Validating Signatures with Timestamps and Certificate The document contains a dynamic form 130...
  • Page 189: Your Server May Require Additional Or Different Authentication Steps. Follow Directions That Appear In The Dialogs.managing Ids Stored On Hardware Devices

    Viewing All of Your Digital IDs 16 Windows Program Information file (Microsoft) 143 Viewing and Comparing Changes and Versions 122 Windows Screen Saver 143 Viewing and Editing Contact Details 42 Windows Script Component 144 Viewing Digital ID Certificates in the Certificate Viewer 17 Windows Script Component, Foxpro Screen (Microsoft) 143...

This manual is also suitable for:

Digital signature