manualshive.com logo in svg

Adobe 22002486, User Manual, Page: 102 / 189

Share
Download
Adobe 22002486 User Manual Download Page 102

Acrobat 9 Family of Products

Validating Signatures

Security Feature User Guide

 Setting up Your Environment for Signature Validation     102

time a document is signed, a new digest is created. Thus, each signature is only valid for a specific version 
of the document. 

Because the application stores and numbers a document version for each signature, signature validators 
can determine what was actually signed. When you validate a signature, a new message digest is created 
and compared to the digest that was embedded in the document at signing time. 

If the two digests are not identical the signature is invalid.

Both signers and signature validators should understand the following about the relationship between 
signatures and document versions:

Every time a document is signed, the document’s state at the point of signing is stored in the PDF.

Versions are incrementally numbered beginning with “1.” 

A document with 10 signatures will have 10 versions.

A signature applies to a version (e.g. signature X with version X and signature Y with version Y, etc.).

When you open a document in Adobe Acrobat or Adobe Reader, the current version always displays.

Note:

To learn more about how each signature results in a new version of the document, refer to 

http:

//www.adobe.com/devnet/acrobat/pdfs/DigitalSignaturesInPDF.pdf

.

  7.2  Setting up Your Environment for Signature Validation

Document recipients should configure their environment to handle incoming documents in a way that 
enhances workflow efficiency or meets some business need. While Adobe Acrobat and Adobe Reader 
provide default options, customizing the environment often provides a better user experience. In large, 
enterprise environments, your environment may be preconfigured by a system administrator. 

Options include the following: 

Validating Signatures Automatically

: By default, validation occurs automatically. If signatures should 

not be validated automatically when a document opens, turn this option off. 

Setting Digital Signature Validation Preferences

: Accept the defaults or configure validation methods 

such as plugin usage, time display, automatic revocation checking, and other settings.

Using Root Certificates in the Windows Certificate Store

: If you would like to trust and use certificates in 

the Windows Certificate Store for signature validation, turn this option on. Trusting all of these 
certificates is not recommended.

Controlling Multimedia

: When certified documents may contain multimedia, specify whether or not it 

is allowed to run.

Certificate Trust Settings

: Specify whether a certificate should be a trust anchor, trusted for signing, and 

trusted for certain behaviors in certified documents. 

7.2.1  Validating Signatures Automatically

By default, signatures are automatically validated. However, you may want to turn it off for reasons such as: 

You don’t care whether the signatures are valid.

The desktop cannot be configured to validate the signature. 

Summary of Contents for 22002486

Page 1: ...PDF Creation Date November 17 2008 bbc Digital Signature User Guide for Acrobat 9 0 and Adobe Reader 9 0 Acrobat and Adobe Reader Version 9 0...

Page 2: ...at Reader and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and or other countries Windows Windows NT and Windows XP are registered t...

Page 3: ...19 2 3 3 Adding and Removing Digital ID Files from the File List 20 2 3 4 Changing an ID File s Password 20 2 3 5 Changing a PKCS 12 File s Password Timeout 21 2 3 6 Logging in to PKCS 12 Files 22 2 3...

Page 4: ...1 4 Allowing Signing Reason 50 4 2 1 5 Showing Location and Contact Details 50 4 2 1 6 Enabling Document Warning Review 50 4 2 1 7 Requiring Document Warning Review Prior to Signing 51 4 2 1 8 Enabli...

Page 5: ...for Documents with Multiple Signers 92 6 2 2 Setting up a Document for Certification 93 6 2 3 You can customize the way a certified document behaves for signers by giving form fields additional featur...

Page 6: ...er Signing 124 7 6 1 JavaScript and Dynamic Content Won t Run 125 7 6 2 Certifying a Document is Prevented 125 7 6 3 Form Field Fill in Signing and or Other Actions Don t Work 125 8 Document Integrity...

Page 7: ...8 10 2 2 3 Exporting Your Certificate 158 10 2 2 4 Emailing Your Certificate 159 10 2 2 5 Saving Your Digital ID Certificate to a File 160 10 2 2 6 Requesting a Certificate via Email 161 10 2 2 7 Emai...

Page 8: ...n page 139 Working with Attachments on page 141 Controlling Access to Referenced Files and XObjects on page 145 only available in 7 0 5 and later Internet URL Access on page 146 1 2 Who Should Read Th...

Page 9: ...curity Documentation In many enterprise environments there is no clear distinction between audience types Some end users are power users and don t shy away from modifying the registry and tweaking app...

Page 10: ...Acrobat on the Windows platform Acrobat Security Administration Guide Administrators Application deployment and configuration in enterprise settings Digital Signature User Guide for Adobe Acrobat and...

Page 11: ...thereby creating what is known as a certificate chain Digital IDs operate by using a key pair data encrypted with one key can only be decrypted by the other corresponding key When you sign PDF docume...

Page 12: ...e applications provide tools for configuring and managing directory servers For details see Using Directory Servers to Add Trusted Identities on page 38 Figure 2 Trusted identities 2 1 2 Digital ID St...

Page 13: ...nd private keys Export Import Export Import Export Import Export Import fdf An Adobe file data exchange format used for importing and exporting settings and certificates usually PKCS 12 files Export I...

Page 14: ...r Security Settings opens a dialog for adding removing and setting the usage preferences for digital IDs stored on pfx files PKCS 11 modules and tokens roaming ID servers and the Windows Certificate S...

Page 15: ...g before using your ID Specifying Digital ID Usage Set an ID to automatically use each time one is required for signing or certificate encryption Sharing Exporting a Digital ID Certificate Since a dig...

Page 16: ...annot be used 2 2 2 Sharing Exporting a Digital ID Certificate Digital ID certificates must be distributed among participants in signing and certificate encryption workflows Other users must have acce...

Page 17: ...list in workflows where you are asked to select an ID To provide a friendly name 1 Choose Advanced Acrobat or Document Reader Security Settings 2 Select Digital IDs in the left hand tree Figure 4 3 H...

Page 18: ...icate can be used for signing encryption or both An Export button allow you to export the certificate to a file Details tab Lists all the certificate fields extensions and their values Revocation tab...

Page 19: ...ted your ID or obtained a new one then you should be logged in However you may need to log in for the following cases You logged out of the file for some reason You are importing an acrobatsecurityset...

Page 20: ...er created self signed digital IDs created with those applications A file can have one or more IDs To delete or add an ID file 1 Choose Advanced Acrobat or Document Reader Security Settings 2 Select D...

Page 21: ...word timeout 1 Choose Advanced Acrobat or Document Reader Security Settings 2 Highlight Digital ID Files in the left hand tree Figure 9 3 Select a file in the right hand panel Figure 9 4 Choose Passwo...

Page 22: ...ause the dialog prompts for a password the batch sequence is effectively stopped until a user intervenes Logging in to a file provides the ID to the process without stopping it or requiring user input...

Page 23: ...t and storage location New PKCS 12 Digital ID File Stores the IDs in a password protected file with a pfx Win or p12 Mac extension The file is in a PKCS 12 standard format The files can be copied move...

Page 24: ...able Unicode Support Optional Use Unicode when your information cannot be adequately displayed with Roman characters Note Many applications do not support non ASCII characters in certificates Be sure...

Page 25: ...ll not be affected Deleting the last self signed PKCS 12 ID in a pfx or p12 file also deletes the digital ID file Caution Because deleting an ID deletes its private key operations that require that ke...

Page 26: ...r in the Security Settings Console automatically without any special configuration Acrobat products automatically find that ID However if there is a problem you can browse to and add Windows Certifica...

Page 27: ...may be used as a general guide IDs stored on a PKCS 11 device are subject to the same operations as described in Generic ID Operations on page 15 2 5 1 Adding an ID that Resides on External Hardware...

Page 28: ...bel should appear in the right hand panel If there is more than one select one 4 Choose Change Password 5 Enter the old password 6 Enter a new password and confirm it 7 Choose OK Figure 19 Digital ID...

Page 29: ...vice 1 Choose Advanced Acrobat or Document Reader Security Settings 2 Expand the tree under PKCS 11 Modules and Tokens 3 Highlight any module 4 A card or token label should appear in the right hand pa...

Page 30: ...rust is complex and it may mean different things in different contexts In Acrobat security workflows trust can mean the following Trusting participants in your workflows In both document security and...

Page 31: ...th the certificates of document recipients you trust For example Acrobat s user interface prompts authors to select one or more recipients when applying certificate security Because it is often the ca...

Page 32: ...d to all group members with a single action Users manage contacts groups and certificates by choosing Advanced Acrobat or Document Reader Manage Trusted Identities and opening the Trusted Identities M...

Page 33: ...a Certificate From a File Acrobat and Adobe Reader are can export certificates to a file so that they can be shared as needed To import certificates follow the instructions described in Migrating and...

Page 34: ...etails see Using Directory Servers to Add Trusted Identities on page 38 Tip Home users do not usually need to change the directory server list Users in enterprise environments typically have the list...

Page 35: ...he trusted identities list should be associated with one or more certificates Those certificate s trust settings may be individually configured Choosing to not trust a certificate does not prevent a d...

Page 36: ...Certificate Viewer Figure 28 Certificates can be separately trusted for approval signatures and certification signatures Certificates can be individually configured to trust operations such as signin...

Page 37: ...nder you usually want to accept these settings so you can use the certificate they way the sender intended Figure 29 Certificate trust settings Use this certificate as a trusted root Makes the certifi...

Page 38: ...rs Acrobat considers the following operations potential threats to a secure application operating environment Internet connections cross domain scripting silent printing external object references and...

Page 39: ...machines tells the user how to configure the server manually or sends the server configuration details in a file as described in Migrating and Sharing Security Settings on page 149 Figure 30 Digital...

Page 40: ...n to look up LDAP entries User name The login username Password The login password Timeout The number of seconds to keep trying to connect Maximum Number of Records to Receive The number of records to...

Page 41: ...5 4 Specifying a Default Directory Server A default server may be specified so that it is always used when searching for digital IDs To set default directory server 1 Choose Advanced Acrobat or Docume...

Page 42: ...rtificates Like certificates contacts can be added removed edited and so on from the trusted identity list 3 6 1 Viewing and Editing Contact Details When a contact s details change it is possible to u...

Page 43: ...anager Doing so allows you to email it later or locate it on a shared network directory Other users can then add that data to their trusted identity list For details see Saving Your Digital ID Certifi...

Page 44: ...t Figure 33 3 Choose Details 4 Choose a certificate from the list 5 Choose Remove Association Figure 36 6 Choose a certificate from the list Note The certificate list is populated with the currently a...

Page 45: ...igure 33 4 Choose Delete 5 Choose whether or not to delete the certificates along with contact Once a certificate is deleted it can no longer be used to validate someone s signature or encrypt a docum...

Page 46: ...horized or the application allows such changes the changes are not flagged as problematic or warnings In general the goal should be to design documents and workflows so that both the signature status...

Page 47: ...cintosh Acrobat Preferences Security Adobe Reader Windows Edit Preferences Security Adobe Reader Macintosh Adobe Reader Preferences Security 2 Set your preferences as described in the following sectio...

Page 48: ...those cases administrators may preconfigure Acrobat to use an alternate plugin or provide user training on how to choose the right one Third party plugins include Entrust plug in for Acrobat 4 and 6 T...

Page 49: ...es 3 Choose the Creation tab Figure 39 Figure 39 Signature creation preferences 4 Recommended Set Include signature s revocation status when signing Embedding the signing certificate s revocation stat...

Page 50: ...y Adobe Reader Macintosh Adobe Reader Preferences Security 2 Choose Advanced Preferences 3 Choose the Creation tab Figure 39 4 Set Show location and contact information when signing 4 2 1 6 Enabling D...

Page 51: ...ghest degree of assurance that the signing process is not adversely impacted by malicious content 1 Choose one of the following Acrobat Windows Edit Preferences Security Acrobat Macintosh Acrobat Pref...

Page 52: ...Signature Appearances 4 2 2 1 Creating a Custom Signature Acrobat creates a default signature from the signer s name However a signature can be any graphic such an scanned signatures text or a combin...

Page 53: ...nce panel Figure 41 Note If you have created a watermark file as described in Creating a Custom Watermark or Background on page 52 the watermark should automatically appear in all of your signature ap...

Page 54: ...ing Distinguished name A name with details such as country organization organizational unit and so on Labels A label for each of the items above For example Reason Logo The logo or graphic used as a b...

Page 55: ...ecause signature appearances only display local time the appearance time will be different from the timestamp time shown in the Date Time tab of the Signature Properties dialog Figure 43 Timestamps Lo...

Page 56: ...ministrators preconfigure end user machines or provide the server information in an FDF file If you have an FDF file see Importing Timestamp Server Settings on page 169 4 Enter the server settings Nam...

Page 57: ...are stored in a signature field embedded on the page A signature field is an Acrobat form field Signature fields are automatically created at the time of signing but it is also possible to create empt...

Page 58: ...mode by selecting Forms Add or Edit Fields and then double click on them OR right click and choose Properties 2 Display the General tab 3 Configure the options Name Any arbitrary name Tooltip Any arb...

Page 59: ...n author must create a blank signature field and edit the properties before initiating the signing process Invisible field properties cannot be edited To change a signature field s appearance 1 Create...

Page 60: ...the following Customizing Field Appearances Specifying a Post Signing Action 2 Choose Close 3 Right click on the field 4 Choose Use Current Properties as New Defaults 4 3 5 Cut Copy and Paste Signatu...

Page 61: ...Field Once a field is configured multiple copies of the field can be placed on the same page To create multiple copies of a field 1 Place the field in edit mode by selecting Forms Add or Edit Fields 2...

Page 62: ...e If there is more than one signature field make sure end users can understand which signature fields are associated with specific data Appearance Signature fields can look similar to other form field...

Page 63: ...PDF file AND compares the object hash in the signature to the object hash from the objects in memory This allows the application to detect prohibited changes 4 Use the drop down list to select from t...

Page 64: ...o that an action occurs whenever the user interacts with the field in some predefined way However documents are usually signed to protect guarantee and or attest to the signed content Signers usually...

Page 65: ...The user stops hovering over or tabs away from the field Select Action See Table 6 4 Choose Add 5 Follow the action instructions that appear in the action dialog 6 Optional Move actions Up Down Edit o...

Page 66: ...in a cross platform format that plays in Windows and Macintosh Play Media Acrobat 5 Compatible Plays the specified QuickTime or AVI movie that was created as Acrobat 5 compatible There must already be...

Page 67: ...Specifying a Signature Hash Algorithm Embedding Revocation Information in a Signature Specifying Certificate Properties for Signing Specifying Signing Certificates Origin Specifying Certificates by K...

Page 68: ...1 filter 2 subFilter 4 version and 8 reasons 8 0 16 legalAttestations 32 shouldAddRevInfo and 64 digestMethod X X X X legalAttestations A list of legal attestations that the user can use when creatin...

Page 69: ...reasons 16 legalAttestations Acrobat 8 0 32 shouldAddRevInfo Acrobat 8 0 64 digestMethod Acrobat 8 0 128 lockDocument 256 appearanceFilter Usage 1 specifies filter 3 specifies filter and sub filter a...

Page 70: ...Acrobat 7 0 A seed value timeStamp specifier object It uses the url and flags properties to specify a timestamp server For details see Specifying Timestamps for Signing on page 76 version number The m...

Page 71: ...ted correctly the debugger returns undefined 6 Save the document and test the field Figure 55 Seed values JavaScript debugger 5 2 Forcing a Certification Signature By default signature fields can be s...

Page 72: ...onal signatures Other changes to the document invalidates the signature Note that annotations can be used to obscure portions of a document and thereby affect the visual presentation of the document T...

Page 73: ...rtain document features for example subsequent signing and filling out forms these permissions are set at the document level and cannot become more restrictive as signatures are applied Acrobat 9 prov...

Page 74: ...the required flag based on the properties of the document Example 5 2 Seed value lockDocument f this getField mySigFieldName f signatureSetSeedValue lockDocument true false auto Set the setting as re...

Page 75: ...signers can choose one of the provided reasons or create a new one by typing in the Reason field Specifying a signing reason will remove all of the default reasons from the reason drop down list User...

Page 76: ...esponding application level settings if any Use the timeStampspec specifier object s url and flags properties to specify a timestamp server Table 10 Seed values timeStampspec properties Property Type...

Page 77: ...amp server seed value Obtain the signature field object var f this getField mySigFieldName f signatureSetSeedValue timeStampspec url http 153 32 69 130 tsa flags 1 Figure 60 Time stamp server error 5...

Page 78: ...r format Tip Since it is possible that different handlers might be used for signing and validating filter and subfilter are used together to assure that signing workflows with different components are...

Page 79: ...SigFieldName f signatureSetSeedValue digestMethod SHA384 5 9 Embedding Revocation Information in a Signature Users signers have the option to embed certificate revocation status in a signature by turn...

Page 80: ...ect identifiers or OIDs Authors specify which certificate signers must use by setting the certSpec object s properties Table 11 These can be preferences or requirements If a certificate cannot be foun...

Page 81: ...sage array of integers Acrobat 8 0 Integers in HEX or decimal that specify the keyUsage extension that must be present in the signing certificate Each integer is constructed as follows There are two b...

Page 82: ...e subjects that are acceptable for signing The subject property identifies specific individuals as certificate owners that can sign Access to the physical DER encoded certificate is required It is ide...

Page 83: ...flesnit_DER cer var myIssuerCert security importFromFile Certificate C Temp nebsCompany_DER cer f signatureSetSeedValue certspec subject mySubjectCert issuer myIssuerCert flags 3 5 10 2 Specifying Cer...

Page 84: ...me f signatureSetSeedValue certspec keyUsage 0x7FFFFFF1 Set KeyUsage to digitalSignature flags 32 Require keyUsage 5 10 3 Specifying Certificates by Policy For legal reasons policies are often associa...

Page 85: ...When a valid certificate is not found users can be redirected to a URL during the signing workflow The URL may be to a server with a certificate repository or more likely the URL may be a link to a We...

Page 86: ...with the specified server will appear in the signing dialog s digital ID drop down list when a user attempts to sign the field To require signing only with a roaming ID 1 Create a signature field wit...

Page 87: ...nu item under Tools called Request Employee Signature 2 Add a signature and text field for display to the current open file 3 Set seed value 3 1 Wrap certificate object 3 2 Set seed value to the added...

Page 88: ...mysubjectDN CN Example Root CA OU Example Trust Services O Example Systems Incorporated C US var myusage endUserSigning true var ExampleRootCertBinary 308204A130820389A00302010202043E1CBD28300D06092A...

Page 89: ...k a signature type Learn about approval and certification signatures so you know which to use 6 1 2 Signature Types A document can contain certification and or approval signatures Which signature type...

Page 90: ...y invokes the Sign Document dialog 6 2 Signing With a Certification Signature Certifying a document enables the first signer attest to its contents and specify the types of changes permitted for the d...

Page 91: ...4 of the PDF Reference manual Note that aside from when a signer is certifying Acrobat does not actively inform the user about the document s legal defensibility In any case a document s legal defens...

Page 92: ...it allows the recipient to identify whether a document s problematic features content that could change the document appearance originated with the certifier or not More importantly this gives the re...

Page 93: ...to Individual Form Fields 6 2 3 You can customize the way a certified document behaves for signers by giving form fields additional features with seed values For example you can preconfigure custom s...

Page 94: ...e 15 Password Enter a password if the selected digital ID requires it Appearance Select an appearance or use the default one Reason If the application is configured to display the Reason for Signing D...

Page 95: ...able to certify the document as is If not remove the problematic content and start over If the content is ok enter a Warnings Comment for the document recipient Select the default or enter a custom co...

Page 96: ...en a document is ineligible for certification the certification user interface items are disabled In order to certify the document clear existing signatures remove the restrictions if you have permiss...

Page 97: ...g 1 Review the text in the Document Message Bar at the top of the document 2 Choose View Report to invoke the PDF Signature Report dialog Acrobat checks to see if the document contains dynamic content...

Page 98: ...or install a new digital ID now Password Enter a password if the selected digital ID requires it Appearance Select an appearance or use the default one Reason If the application is configured to disp...

Page 99: ...deleting the signature in the following cases You cannot delete someone else s signature If the author of a signature field has marked it to become read only after it is signed it can only be cleared...

Page 100: ...ms and the Warning Triangle on page 121 Save as 8 1 except that changes to document behavior are detected and invalidate an approval signature prior versions displayed a yellow triangle upon discovery...

Page 101: ...document looked like at the signing point in time Only very limited changes are possible after a signature is applied At most form field values additional signatures and annotations can be changed or...

Page 102: ...dation Document recipients should configure their environment to handle incoming documents in a way that enhances workflow efficiency or meets some business need While Adobe Acrobat and Adobe Reader p...

Page 103: ...checking is automatic what time is associated with a validated signature and whether or not a status icon appears with the signature Figure 70 Signature verification preferences 3 Select the signatur...

Page 104: ...ndows Certificate Store contains a store called Trusted Root Certificate Authorities that contains numerous root certificates issued by different certification authorities Certificates are root certif...

Page 105: ...a specified policy constraint If the timestamp server returns a response that doesn t include a matching policy OID then the client would reject the timestamp and it s status would be invalid The use...

Page 106: ...signing or that it has only changed in ways specifically permitted by the signer Signatures can be validated one at a time or all at once Before validating a signature it is a good idea to understand...

Page 107: ...alidated simultaneously This feature is particularly useful if the auto validate option has been turned off To validate all signatures 1 Choose Advanced Sign Certify Validate All Signatures 2 If a dia...

Page 108: ...Choose the Summary tab Figure 75 Figure 75 Signature Properties Summary 3 Choose Show Certificate Adding an unverified digital ID certificate to the trusted identity list could pose a security threat...

Page 109: ...sted Identities 7 When asked if the certificate should be trusted choose OK Figure 77 Trusting certificate from a document warning 8 When the Import Contact Settings dialog appears configure its trust...

Page 110: ...101 7 3 6 Validating Signature Timestamps If you know a signature is timestamped or your workflow requires timestamps read the following sections At a high level the rules are as follows You can confi...

Page 111: ...which you check to see if the timestamp was applied and that its certificate is valid In order to validate a timestamp you need to manually verify The timestamp was applied If a timestamp fails for so...

Page 112: ...ns with the end entity and once it reaches a trusted root revocation checking stops 6 Choose Add to Trusted Identities 7 When asked if the certificate should be trusted from within the document choose...

Page 113: ...nature validity state has not been checked Invalid signatures either have an invalid certificate or the document has changed in ways specifically prohibited by the author 7 4 2 Document Status Definit...

Page 114: ...Acrobat 9 Family of Products Validating Signatures Security Feature User Guide Document Status Definitions 114 7 4 2 1 Signature status cheat sheet...

Page 115: ...ject the document as insecure 7 5 1 Troubleshooting an Identity Problem If the signature status or overall document status indicates that there is a problem with verifying the authenticity of the sign...

Page 116: ...Certificates on page 118 Checking Certificate Revocation Status on page 119 Exporting a Certificate Other than Yours to a File on page 120 7 5 1 1 Troubleshooting Digital ID Certificates Someone becom...

Page 117: ...cription of the certificate path validity statement path validation time and sometimes the type of validation Summary tab Owner issuer validity period intended usage An Export button allow users to ex...

Page 118: ...them trusted identity list To verify the origin of the certificate 1 Display the certificate in the Certificate Viewer If the certificate is embedded in a signature right click on the signature choos...

Page 119: ...s and so on For details see Certificate Trust Settings on page 35 7 5 1 4 Checking Certificate Revocation Status Only the certificate issuer a certificate authority has the right to revoke a certifica...

Page 120: ...e or save it to a file as described in Exporting Your Certificate on page 158 7 5 2 Troubleshooting a Document Integrity Problem If the signature status or overall document status indicates that there...

Page 121: ...npoint the problem or you need help with some of the steps above read the following Troubleshooting Digital ID Certificates on page 116 7 5 2 1 LiveCycle Dynamic Forms and the Warning Triangle Documen...

Page 122: ...ning Modifications on page 122 Comparing a Signed Version to the Current Version on page 123 7 5 2 3 Viewing a List of Post Signing Modifications Because it is possible to change a document without ch...

Page 123: ...e review the highlighted areas to review what was changed This method compares the two versions page by page Compare completes by opening a temporary document that summarizes the differences The first...

Page 124: ...a document behaves on your desktop could be the result of one or more factors How the document was authored Were restrictions or requirements placed on the signature fields How a document was signed...

Page 125: ...s by default For details see Certificate Trust Settings on page 35 7 6 2 Certifying a Document is Prevented Only one certification signature is allowed in a document therefore it must be the first one...

Page 126: ...eview mode or warnings are reviewed analyzing the result to determine if a document should be trusted Tip There is only a loose correlation between signature or document status and the information dis...

Page 127: ...hoose View Signed Version View Signed Version is essentially a rollback feature that enables the signature validator to view the document version as ut was at the point in time when it was signed 3 Ch...

Page 128: ...not the author contact the author for additional information Figure 91 PDF Signature Report Content which cannot be suppressed in preview mode Content preview mode can suppress Preview mode can suppre...

Page 129: ...g Dynamic features Presentations user launched multimedia JavaScript dynamic forms and so on PDF content with variable rendering JavaScript non embedded fonts and so on External content Hyperlinks alt...

Page 130: ...s not available in standard Acrobat installations For example the document may be protected by the Adobe Policy Server Document contain streams encrypted using crypt filter Page content may silently c...

Page 131: ...or printing Form XObject must not contain an OPI alternate version Table 16 Uncategorized warnings String Code Description Unrecognized PDF content 4000 Unrecognized PDF content The document contains...

Page 132: ...ed location These behaviors include silent printing cross domain access external stream access and internet access and script and data injection For example if a PDF from your company has an embedded...

Page 133: ...y to transport data and that turning on enhanced security will impair FDF s ability to do that External streams access Access to external XObjects that is references to objects such as images that res...

Page 134: ...e FDF functionality unless those FDF files originate from a specifically privileged file folder or server Table 17 lists the high level rules defining FDF behavior Tip If you need to configure your en...

Page 135: ...ting to a different PDF which needs to get loaded everything is happening in the browser The FDF data gets injected into the second PDF Same as above except it all happens in the Acrobat rather than i...

Page 136: ...in the Multimedia Trust panel one for documents that are trusted and one for documents that are not In order to understand multimedia behavior then you need to know whether or not a document is trust...

Page 137: ...rences for trusted documents and other documents To configure multimedia preferences 1 Open the Multimedia Trust Manager Acrobat and Adobe Reader Windows Edit Preferences Multimedia Trust Acrobat and...

Page 138: ...ent and the security of the workflow before enabling dynamic content Whether dynamic content executes in certified documents based on the Trusted Document or Other Document settings depends on two ite...

Page 139: ...u event is no longer privileged You can execute security restricted methods through menu events in one of the following ways By going to Edit Preferences JavaScript and checking the item named Enable...

Page 140: ...to application users These certificates allow you to validate signatures that are signed with certificates that chain up to those trusted certificates In other words you can validate those signatures...

Page 141: ...s However Table 4 File types on the white list These can be attached and may be opened or saved if the file extension is associated with the requisite program File types on the black list These can be...

Page 142: ...mpressed Archive hta Hypertext Application inf Information or Setup file ini Initialization Configuration file ins IIS Internet Communications Settings Microsoft isp IIS Internet Service Provider Sett...

Page 143: ...le pcd Visual Test Microsoft pkg Mac OS X Installer Package pif Windows Program Information file Microsoft prf Windows System file prg Program file pst MS Exchange Address Book file Outlook Personal F...

Page 144: ...etting the Black and White Lists Because the registry list could grow over time and users do not have direct access to the lists through the user interface resetting the list to its original state may...

Page 145: ...chment can be opened Unchecked Clicking or opening an attachment will never result in launching it s associated viewing application Use this option if a higher level of security is needed 9 6 Controll...

Page 146: ...he Internet Tip This feature interacts with the new Security Enhanced preference feature URLs that are set as privileged locations are exempt from enhanced security restrictions even if enhanced secur...

Page 147: ...products maintain a white and black list of URLs called the Trust List Users can specify whether or not URL access is allowed on a global or per URL basis For URLs that aren t explicitly trusted or bl...

Page 148: ...egories panel 3 Choose Change Settings in the Internet Access panel 4 Choose Let me specify a list of allowed and blocked web sites 5 Configure the black and white lists Add a URL to the URL fields an...

Page 149: ...rypted Files can be used to backup and restore settings to distribute settings in a workgroup or enterprise and to send specific information to another user Sharing Settings Certificates with FDF FDF...

Page 150: ...encryption method Encrypting the file ensures that the settings can t be viewed by anyone other than the intended recipients Figure 109 Security settings Encryption method 7 Follow the dialog instruc...

Page 151: ...are the same Details about each individual setting are found in the FDF section as well as elsewhere in this document Caution The settings in the imported file will overwrite your current settings Be...

Page 152: ...s Security 2 Check Load security settings from a server 3 Enter the server address in the URL field 4 Select a signing certificate if any The acrobatsecurity file will be signed with a certified signa...

Page 153: ...ments for a number of people in her organization An administrator sends her an FDF file that contains a large group of contacts When Alice opens the FDF file she is walked through the FDF Data Exchang...

Page 154: ...ew security feature that when turned on disables some FDF functionality unless those FDF files originate from a specifically privileged file folder or server The new feature is called Enhanced Securit...

Page 155: ...ng an FDF file 10 2 2 1 Distributing a Trust Anchor or Trust Root Distributing a trusted certificate from Acrobat involves wrapping one or more certificates in an FDF file and making it available to o...

Page 156: ...t is absolutely trusted by you or your organization It also allows users to trust other certificates that chain up to the same root The trust anchor is often an ICA for example since if the root is is...

Page 157: ...configured your identity details this screen may not appear For details see Setting Identity Information on page 14 10 Do not sign if the certificate you use to sign uses the same trust anchor or you...

Page 158: ...y need to manually set the imported certificate s trust level When distributing a trusted root in a signed file that the FDF recipient can validate set the certificate trust level 1 Choose Advanced Ac...

Page 159: ...Export on the Summary tab 10 2 2 4 Emailing Your Certificate If you do not have an email program on your machine save the data to a file as described in Saving Your Digital ID Certificate to a File o...

Page 160: ...o a file 1 Choose Advanced Acrobat or Document Adobe Reader Security Settings 2 Select Digital IDs in the left hand tree 3 Highlight an ID in the list on the right 4 Choose Export 5 Choose Save the ex...

Page 161: ...2 Choose Request Contact Figure 119 Emailing a certificate request 3 Confirm or enter your identity so that the recipient can identify you The identity panel is prepopulated if the information has be...

Page 162: ...ave and then choose OK Tell the intended recipient s where to find the file 10 2 2 7 Emailing Server Details Adobe LiveCycle Rights Management Server directory server roaming credential server and tim...

Page 163: ...mplete the signing workflow Figure 133 Sign FDF files so that recipients of the file can easily trust the file and its contents 8 Choose Next 9 Enter the email information Figure 124 Digital ID Direct...

Page 164: ...ettings with FDF Files There are several ways to import Acrobat and Adobe Reader data from an FDF file By choosing File Open Double clicking on an FDF file fdf Tip The first two options above automati...

Page 165: ...te Figure 125 Emailing your certificate 3 Choose a digital ID from the list of existing digital IDs Note If you do not have a digital ID or choose Cancel an alert appears that says A certificate was n...

Page 166: ...porting this information ahead of time enables you to configure your trusted identities list before needing to validate a signature or encrypt a document for someone To add someone s certificate to yo...

Page 167: ...ertificates You can use an FDF file to import multiple certificates or a company wide address book into your list of trusted identities This enables you to encrypt a document using the public key of t...

Page 168: ...your list of trusted identities To do so choose Signature Properties Show Certificate select the Trust tab and choose Add to Trusted Identities If the checkbox is selected all contacts associated with...

Page 169: ...e Security Settings user interface or simply by double clicking on the FDF file containing the data To import the server settings 1 Locate the FDF file find the file in an email or on the local file s...

Page 170: ...ere is more than one server and you do not want to import all of them highlight those that should not be imported and select Remove 4 Choose Import A dialog appears asking if the first or only server...

Page 171: ...file system and double click on it The FDF can also be imported through the Security Settings Console by choosing Advanced Acrobat or Document Adobe Reader Security Settings selecting Directory Serve...

Page 172: ...nd the file in an email or on the local file system and double click on it The FDF can also be imported through the Security Settings Console by choosing Advanced Acrobat or Document Adobe Reader Secu...

Page 173: ...up user machines or export the configuration details to an FDF file which is emailed or made available on a network In the latter case you can import the server settings through the Security Settings...

Page 174: ...and URL 5 Choose Next 6 Enter a user name and password Tip The topmost portion of this dialog is customizable and server dependant The fields will remain the same but the branding will vary Figure 138...

Page 175: ...following methods Click on the FDF file It may be an email attachment or a file on a network or your local system In Acrobat or Adobe Reader choose File Open browse to the FDF file and choose Open No...

Page 176: ...one will also be trusted for signing At least one certificate in the chain and preferably only one must be a trusted root trust anchor to validate signatures and timestamps Tip There is no need to mak...

Page 177: ...t Options on page 139 Privileged system operations networking printing file access etc Some operations represent a security risk more serious than others Acrobat considers the following operations pot...

Page 178: ...ital ID A digital ID issued by a certified document services provider CDS digital ID certificate See CDS digital ID certificate authority CA An entity that issues trusted roots certificates That part...

Page 179: ...ipt that exists within a document rather than that which is executed from the JavaScript Console or through a batch process embedded validation response Information from the digital ID issuer that was...

Page 180: ...gistered by the Windows OS If you double click on a p7c file it will be viewed by a Windows application Policy Server As of Acrobat 9 Adobe Policy Server is renamed to Adobe LiveCycle Rights Managemen...

Page 181: ...d of the time clock of the computer that is used to apply the digital signature trust anchor A certificate in a certificate chain that is trusted for selected operations It could be an intermediate ce...

Page 182: ...2 lzh 142 mad 142 maf 142 mag 142 mam 142 maq 142 mar 142 mas 142 mat 142 mau 143 mav 143 maw 143 mda 143 mde 143 mdt 143 mdw 143 mdz 143 msc 143 msi 143 msp 143 mst 143 ocx 143 ops 143 p12 178 p7b 17...

Page 183: ...tity List 32 Adobe Profile Files 178 Adobe Trusted Identity Updates 140 ALCRMS 178 Allowing and Blocking Specific Web Sites 147 Allowing Attachments to Launch Applications 145 Allowing Signing Reason...

Page 184: ...ure Field 57 Creating a Custom Signature 52 Creating a Custom Signature Appearance 53 Creating a Custom Watermark or Background 52 Creating a Self Signed Digital ID 22 Creating Multiple Copies of a Si...

Page 185: ...tails 163 Exporting Your Certificate 158 External connection warning 148 External Content 131 External Content and Document Security 132 External streams access 133 F FDF Files and Security 154 filter...

Page 186: ...ge Trusted Identities menu item 32 Managing Certificate Trust and Trusted Identities 30 Managing Contacts 42 Managing PKCS 12 Digital ID Files 19 Managing Windows Digital IDs 26 Manually Configuring a...

Page 187: ...hod 180 Security setting import Success dialog 152 Security Setting Import and Export 149 Security setting preferences for server import 152 Security settings Document message bar 151 Encryption metho...

Page 188: ...ue 77 Timestamps Date Time tab 111 Entering server details 56 Importing a server 170 Importing server details from an FDF file 170 Local machine time 55 110 Trusted stamp 55 111 Untrusted stamp 55 111...

Page 189: ...and 143 Windows Help file 142 Windows Installer file Microsoft 143 Windows Installer Patch 143 Windows Program Information file Microsoft 143 Windows Screen Saver 143 Windows Script Component 144 Wind...

Reviews:

No comments