Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2009-04-22 09:23:58.0
TN 7781 - FAQ for Adobe Certified Document Services (CDS)
1. What are Certified Document Services (CDS)?
Certified Document Services (CDS) is a validation service for electronic documents that attests to the authenticity and integrity of data through industry-standard, ubiquitous software (>800 million installations). Created by the Adobe® Root Certificate authority, CDS enables document authors to sign Portable Document Format (PDF) files using digital certificates, which then automatically validate when recipients use the freely available Adobe® Acrobat® Reader software. No additional client software or configuration is required, and the solution is multi-lingual through the wide variety of languages supported (http://www.adobe.com/products/reader/productinfo/languages/).
CDS was designed to enable organizations and individuals who publish high-value documents to large and disparate recipient groups to increase the assurance level that the document's integrity and authenticity are preserved. By adding Certifying Signatures and Approver Signature(s) to PDF files, document authors can increase this assurance level while at the same time reducing the burden on the recipient of determining whether the document can be trusted.
Learn more about CDS: http://www.adobe.com/security/digsig/certifieddocs.html
2. How does it work?
Entrust certificates for Adobe CDS are “chained” to the inherently trusted Adobe root certificate found in Adobe Reader 6.0+ and Acrobat 6.0+. Recipients who open certified documents signed with CDS certificates receive one of three easy to understand trust messages.
[Table of trust message icons, shown for Version 6 through 8 and for Version 9 onwards:]
- Certification VALID
- Validity of author
- Certification INVALID
3. Why does my private key associated with my Entrust certificate for Adobe CDS need to be stored on cryptographic hardware?
The Adobe CDS Certificate Policy protects the security of the CDS program by requiring that all digital IDs are created on FIPS-compliant cryptographic hardware. This maintains the 'singularity' of the Digital ID such that it cannot be duplicated, and therefore preserves the non-repudiation capabilities of the solution.
4. What information does the Entrust certificate for Adobe CDS contain?
Certificates for Adobe PDF typically contain the following information:
Organization:
Organization Unit: 123 Business Unit
Common Name: e.g. John Doe or Marketing Department
Email: e.g. john.doe@yahoo.com
Country Code: e.g. US
State: e.g. Massachusetts
Locality: e.g. Boston
5. What Adobe applications work with CDS?
Acrobat CDS Authoring Products:
- Acrobat Professional v6.x through 9.x
- Acrobat Standard v6.x through 9.x
- Adobe LiveCycle Document Security Server v8.x and LiveCycle ES Digital Signatures
Acrobat CDS Validation Products:
- Acrobat Professional v6.x through 9.x
- Acrobat Standard v6.x through 9.x
- Acrobat Elements v6.x through 9.x
- Adobe Reader v6.x through 9.x
- Adobe LiveCycle Document Security Server v.8.x and LiveCycle ES Digital Signatures
6. Where can I learn more about digitally signing Adobe PDF documents?
Go to the Adobe product help section and search under “digital signature” for detailed information.
7. What technical requirements do I need to use an Entrust certificate for Adobe CDS?
Software requirements for the SafeNet iKey 2032
Your computers must contain:
One of the following Microsoft operating systems:
· Windows 2000 Professional SP 4
· Windows 2000 Server SP 4
· Windows Server 2003
· Windows XP Professional (SP 2)
· Windows Vista
· At this time the iKey supports both 32-bit and 64-bit versions of the Vista operating system
Hardware requirements for the SafeNet iKey 2032
· An available
· Minimum of 128MB of
Software requirements for Adobe Acrobat Reader.
http://www.adobe.com/products/reader/productinfo/systemreqs/index.html
Software requirements for the Adobe Acrobat Family.
http://www.adobe.com/products/acrobatpro/productinfo/systemreqs/
8. Where can I find the
The drivers can be found on SafeNet’s website:
http://www.safenet-inc.com/support/tech/ikey.asp
Remember to reboot after driver installation and prior to initiating your first signature through Acrobat.
Please note that previous programs you have installed may also have used InstallShield and therefore may require temporary files to be removed. You will be presented with the following error screen if this is the case.
To correct the problem, please delete the following directories.
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10
and/or
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11
9. How does an Entrust certificate for Adobe CDS differ from any other X.509v3 certificate?
There is no need for pre-established or pre-understood trust decisions, software plug-ins, desktop or client-side configuration, or swapping of trusted CAs. No special configuration is needed for time-stamping and OCSP. It is already integrated and ready to use out of the box.
10. How does time-stamping work?
Entrust certificates for Adobe CDS contain a special extension that supported Adobe products will use to gain access to a highly available and highly trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature.
11. How long will my signature remain valid?
If digitally signed on-line, with a valid timestamp and revocation check using Acrobat default settings, your signature shall remain valid well after the certificate has expired or even if it was revoked after the fact. However, note both Adobe Acrobat and LiveCycle Server are highly configurable. Depending on configuration settings on particular versions, signature validation may rely on different methods. Consult your Adobe product specific documentation for more details.
12. What are the differences between Certified and Approval signatures?
Most digital signatures are referred to as approval signatures. Signatures that certify a PDF are called certifying signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature. A certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel.
Approval signatures are performed when someone signs a document to show consent, approval, or acceptance. A certified document is one that has a certification signature applied by the originator when the document is ready for use. The originator specifies what changes are allowed; choosing one of three levels of modification permitted:
- no changes
- form fill-in only
- form fill-in and commenting
Valid approval signatures produce a “green check mark” and certified signatures produce a “blue ribbon”. Both types of digital signatures provide embedded OCSP and RFC 3161 compliant services resulting in valid signatures well past the life of the Entrust certificate for Adobe CDS that signed them.
13. What are some possible reasons why my valid Entrust certificate for Adobe CDS produced a “question mark” at document opening?
Potential issues could be as follows:
- Port 80 is blocked, so supported Adobe products cannot reach the OCSP and/or time-stamping servers needed for validation
- The document's digital signature was performed “off-line”
- Author or recipients are not signing or validating with Adobe Reader or Acrobat 6.0+
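The rules in questions 11 and 13 can be put side by side as a small decision model. This is an added example, not Entrust or Adobe code and not Acrobat's actual validation algorithm; the class, function and field names and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class SignatureEvidence:
    """Constructed record of what a validator knows about one signature."""
    not_before: datetime            # certificate validity start
    not_after: datetime             # certificate expiry
    timestamp: Optional[datetime]   # RFC 3161 time, None if signed off-line
    ocsp_embedded: bool             # revocation response captured at signing
    revoked_at: Optional[datetime]  # None if never revoked

def _good_at(ev: SignatureEvidence, when: datetime) -> bool:
    """Certificate was inside its validity period and not yet revoked at `when`."""
    in_period = ev.not_before <= when <= ev.not_after
    revoked = ev.revoked_at is not None and ev.revoked_at <= when
    return in_period and not revoked

def evaluate(ev: SignatureEvidence, now: datetime, servers_reachable: bool = True) -> str:
    """Return 'VALID', 'INVALID' or 'UNKNOWN' (the question mark)."""
    if ev.timestamp is not None and ev.ocsp_embedded:
        # Signing-time evidence travels with the document: judge the certificate
        # at the timestamp, so later expiry or revocation does not matter.
        return "VALID" if _good_at(ev, ev.timestamp) else "INVALID"
    if not servers_reachable:
        # No embedded evidence and no live lookup (for example, port 80 blocked).
        return "UNKNOWN"
    # Assumption of this model: fall back to the validator's own clock.
    return "VALID" if _good_at(ev, now) else "INVALID"

# Constructed sample data.
ISSUED, EXPIRES = datetime(2009, 1, 1), datetime(2011, 1, 1)
SIGNED, REVOKED = datetime(2009, 6, 1), datetime(2010, 3, 1)
LATER = datetime(2012, 1, 1)  # after both revocation and expiry

online = SignatureEvidence(ISSUED, EXPIRES, SIGNED, True, REVOKED)
offline = SignatureEvidence(ISSUED, EXPIRES, None, False, None)

if __name__ == "__main__":
    print(evaluate(online, LATER))
    print(evaluate(offline, datetime(2009, 7, 1), servers_reachable=False))
    print(evaluate(offline, LATER))
```
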
14. Why isn’t the ikey
One reason may be your User Account Control (UAC) setting. You may need to disable UAC by going to the Windows Vista Control Panel and selecting User Accounts:
Click on the option for Turn User Account Control On or Off:
Uncheck Use User Account Control (UAC) to help protect your computer:
This must be done prior to installing the drivers. Re-enable User Account Control after successful driver installation to restore that protection on your system.
Affected Products (Version, Language and Platform: Not Applicable for each):
- Entrust Certificate Services 2 year Group CDS with Token (manual)
- Entrust Certificate Services 2 year Individual CDS with Token International
- Entrust Certificate Services 2 year Individual CDS with Token
- Entrust Certificate Services 3 year Group CDS for HSM
- Entrust Certificate Services 3 year Group CDS with Token (automatic) Intl
- Entrust Certificate Services 3 year Group CDS with Token (automatic)
- Entrust Certificate Services 3 year Group CDS with Token (manual) International
- Entrust Certificate Services 3 year Group CDS with Token (manual)
- Entrust Certificate Services 3 year Individual CDS with Token International
- Entrust Certificate Services 3 year Individual CDS with Token