cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
1
Upvote

Signature validation using AIA extension (not enabled by default)

xschl
New Here ,
Nov 10, 2019 Nov 10, 2019

Copy link to clipboard

Copied

Hello,

 

We discovered that Adobe signature validation doesn’t build the certificate path using the Authority Information Access (AIA) extension by default. This causes validation issues when validating qualified electronic signatures issued by an intermediate CA (not listed in a EU Trusted List) for which the Root CA is listed in a EU Trusted List; Adobe can't build the certificate path until this Root CA and so can't validate this signature as qualified.

 

The only way we found (cf. here) to activate the certificate path building using the AIA extension via Adobe in Windows is:

  1. Open the “Registry Editor”;
  2. Access to “HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Security\cASPKI\cAdobe_ChainBuilder”;
  3. Create a new “DWORD Value” named “bFollowURIsFromAIA” and set the value to “1”.

But, as this manipulation may not be easy for everyone, we were wondering if there were other ways to activate this feature? Or if a user-friendly ‘enabling checkbox’ is planned in the future?

 

We were also wondering why this ‘feature’ is not activated by default? Is it for security purposes (e.g. not downloading a certificate from an untrusted source)? Otherwise, is this ‘feature’ planned to be enabled by default in the future?

 

Thank you in advance.

TOPICS
Security digital signatures and esignatures

Views

2.1K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

AndreaValle Adobe Employee
Adobe Employee , Feb 03, 2020 Feb 03, 2020

Acrobat by default does not build certificate path using the AIA extension because this creates issues with multiple cross-certified path that exist under the AATL (mainly from the US Federal Bridge PKI). Normally this is not required if the signature follows the recommended practice to include the full certificate chain in the signature.

In the future Acrobat might expose this option in the Signature Preference panel, but at the moment this has not been confirmed.

Votes

Translate

Translate
replies 3 Replies 3
latest latest Jump to latest reply
AndreaValle Adobe Employee
Adobe Employee ,
Feb 03, 2020 Feb 03, 2020

Copy link to clipboard

Copied

Acrobat by default does not build certificate path using the AIA extension because this creates issues with multiple cross-certified path that exist under the AATL (mainly from the US Federal Bridge PKI). Normally this is not required if the signature follows the recommended practice to include the full certificate chain in the signature.

In the future Acrobat might expose this option in the Signature Preference panel, but at the moment this has not been confirmed.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
xschl
New Here ,
Feb 04, 2020 Feb 04, 2020

Copy link to clipboard

Copied

In Response To AndreaValle

Dear Andrea,

Thank you for your answer. An option in the Signature Preference panel would be indeed very useful.

Best regards.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
mogli
New Here ,
Jul 16, 2020 Jul 16, 2020

Copy link to clipboard

Copied

LATEST
In Response To AndreaValle

This affects more TSPs in Europe. It is worth mentioning that this "recommended practice to include the full certificate chain" does not apply to signatures created by the Adobe Reader unless the intermediate CA has been manually added to the certificate store. 

So it would be great if the AIA URIs would be followed (at least at an best effort level) during signature creation by the Adobe Reader.

 

Best regards Christof 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
About Adobe Acrobat
Adobe Acrobat Learn & Support
Adobe Inc
Whats new in Acrobat DC
Adobe Inc
Plan and Pricing
Adobe Inc
Adobe Acrobat features and tools
Adobe Inc
Adobe Acrobat Feature & Workflow
Edit PDFs
Edit Scanned PDFs
PDF Forms
Sign a PDF
FAQs
How to Edit Scanned or Secured document
Rotate | move | delete and renumber PDF pages
Acrobat download and installation help
Copyright © 2024 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices