Adobe 22002486 User Manual page 179

For Acrobat 9.0 and Adobe Reader 9.0

Acrobat 9 Family of Products
Security Feature User Guide
Table 5 Security Terms

Certificate Revocation List (CRL)
CRL is a method that public key infrastructures use to maintain access to cached or networked lists of unexpired but revoked certificates. The list specifies revoked certificates, the reasons for revocation (optional), and the certificate issue date and issuing entities. Each list contains a proposed date for the next release. Acrobat's CRL revocation checker adheres to RFC 3280 and NIST PKITS except for delta CRLs.

CSP
See Cryptographic Service Provider.

Cryptographic Service Provider
Application software that allows it to use MSCAPI to communicate with cryptographic module APIs such as PKCS#11 modules, PFX files, and so on.

digital ID
An electronic representation of data based on the ITU-T X.509 v3 standard, associated with a person or entity. It is often stored in a password-protected file on a computer or network, a USB token, a smart card, or other security hardware device. It can be used for digital signatures and certificate security. "Digital ID" is sometimes used interchangeably with "certificate"; however, a certificate is only one part of a digital ID, which also contains a private key and other data.

digital signature
An electronic signature that can be used to verify the identity of the signer through the use of public key infrastructure (PKI) technology. Signers need a digital ID and an application capable of creating a signature.

digitally sign
To apply a digital signature using a digital ID.

document integrity
In signing workflows, document integrity refers to whether or not what was signed has changed after signing. That is, what the signer signed should be reproducible and viewable on the document recipient's end. For the document recipient to validate a signature, it's important to determine to what document or what document version that signature applies. See message digest.

EE
See end entity certificate.

electronic signatures
A digital signature.

embedded JavaScript
JavaScript that exists within a document rather than that which is executed from the JavaScript Console or through a batch process.

embedded validation response
Information from the digital ID issuer that was used to apply the digital signature and that indicates if the digital ID was valid when the signature was applied. If the digital ID was valid and no one has tampered with the document, the signature will have a status of VALID. Once the digital ID expires or is cancelled (revoked), it won't be possible to determine if the signature was valid at the time it was applied unless there is an embedded revocation response.

end entity certificate (EE)
The bottom-most and end user certificate in a certificate chain is called an "end entity" (EE) certificate. It is the certificate that the holder uses for signing and others use for certificate encryption.

GeoTrust
An Adobe security partner that has joined the Adobe CDS program to provide CDS digital IDs to end users and organizations. As of Acrobat 6, Adobe Reader and Acrobat trust CDS digital IDs and are able to validate signatures that use GeoTrust digital IDs, without requiring any special application configuration.

ICA
See intermediate certificate authority.

individual digital ID
A digital ID issued to an individual to digitally sign as themselves (e.g. John Smith) as opposed to an organization or other non-human entity.

intermediate certificate authority (ICA)
Certificates in between the end entity and root certificates are sometimes called "intermediate certificates" (ICAs) and are issued by the CA or ICAs underneath the CA.

Message digest
Before Acrobat or Adobe Reader can verify whether the signed version of a document has changed or not (has integrity), it must first have a way to uniquely identify what was signed. To do this, it uses a message digest. A message digest is a number which is created algorithmically from a file and which uniquely represents that file. If the file changes, the message digest changes. Sometimes referred to as a checksum or hash, a message digest is simply a unique number created at signing time that identifies what was signed and is then embedded in the signature and the document for later verification.

Glossary of Security Terms