Signature validation using AIA extension (not enabled by default)
Hello,
We discovered that Adobe signature validation doesn’t build the certificate path using the Authority Information Access (AIA) extension by default. This causes validation issues when validating qualified electronic signatures issued by an intermediate CA (not listed in an EU Trusted List) for which the Root CA is listed in an EU Trusted List; Adobe can't build the certificate path up to this Root CA and so can't validate this signature as qualified.
The only way we found (cf. here) to activate the certificate path building using the AIA extension via Adobe in Windows is:
- Open the “Registry Editor”;
- Go to “HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Security\cASPKI\cAdobe_ChainBuilder”;
- Create a new “DWORD Value” named “bFollowURIsFromAIA” and set the value to “1”.
But, as this manipulation may not be easy for everyone, we were wondering if there were other ways to activate this feature? Or if a user-friendly ‘enabling checkbox’ is planned in the future?
We were also wondering why this ‘feature’ is not activated by default? Is it for security purposes (e.g. not downloading a certificate from an untrusted source)? Otherwise, is this ‘feature’ planned to be enabled by default in the future?
Thank you in advance.
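
The registry steps listed in the post can also be scripted. The following is an added example, not part of the original post and not Adobe's own tooling: the key path and value name are the ones given in the post, while the function name `Enable-AcrobatReaderAiaChainBuilding` is hypothetical.

```powershell
# Added example: sets the per-user value described in the post.
# Key path and value name come from the post; the function name is hypothetical.
function Enable-AcrobatReaderAiaChainBuilding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\DC\Security\cASPKI\cAdobe_ChainBuilder',
        [string]$ValueName = 'bFollowURIsFromAIA'
    )

    # Create the key (and any missing parent keys) only when it is absent.
    # New-Item -Force on an existing key would clear its values, hence the guard.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    # Record the previous state so the change can be audited or reverted.
    $before = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
                   -ErrorAction SilentlyContinue).$ValueName

    # Write the DWORD value 1, as in the manual procedure.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read the value back instead of assuming the write succeeded.
    $after = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
                  -ErrorAction SilentlyContinue).$ValueName

    [pscustomobject]@{
        KeyPath   = $KeyPath
        ValueName = $ValueName
        Before    = $before   # empty when the value did not exist
        After     = $after
        Enabled   = ($after -eq 1)
    }
}

# Run with -WhatIf first to preview the change without writing anything.
Enable-AcrobatReaderAiaChainBuilding
```

The value lives under HKEY_CURRENT_USER, so it has to be set for each account that validates signatures.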
