Signature validation using AIA extension (not enabled by default)

New Here, Nov 10, 2019

Hello,

 

We discovered that Adobe signature validation doesn’t build the certificate path using the Authority Information Access (AIA) extension by default. This causes validation issues when validating qualified electronic signatures issued by an intermediate CA (not listed in an EU Trusted List) for which the Root CA is listed in an EU Trusted List; Adobe can't build the certificate path up to this Root CA and so can't validate this signature as qualified.

 

The only way we found (cf. here) to activate the certificate path building using the AIA extension via Adobe in Windows is:

  1. Open the “Registry Editor”;
  2. Navigate to “HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Security\cASPKI\cAdobe_ChainBuilder”;
  3. Create a new “DWORD Value” named “bFollowURIsFromAIA” and set the value to “1”.

But, as this manipulation may not be easy for everyone, we were wondering if there were other ways to activate this feature? Or if a user-friendly ‘enabling checkbox’ is planned in the future?

 

We were also wondering why this ‘feature’ is not activated by default? Is it for security purposes (e.g. not downloading a certificate from an untrusted source)? Otherwise, is this ‘feature’ planned to be enabled by default in the future?

 

Thank you in advance.
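The three registry steps from the post above, as an added PowerShell example that is not part of the original thread or of Adobe's own tooling: it creates the key if missing, writes the DWORD, and reads it back so an administrator can confirm what Acrobat Reader will see. The key path and value name come from the post; the function names, the `-Enabled` parameter and the assumption that writing 0 restores the default are my own.

```powershell
# Added example: toggles the Acrobat Reader DC chain-builder setting described
# in the post. Key path and value name are taken from the post; function
# names and parameters are my own. HKCU is per-user, so no elevation is needed
# and the change applies only to the current user's profile.
function Get-AcrobatAiaChainBuilding {
    $keyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\DC\Security\cASPKI\cAdobe_ChainBuilder'
    $valueName = 'bFollowURIsFromAIA'
    $item = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent value: Acrobat Reader uses its default, i.e. AIA URIs are not followed.
        return [pscustomobject]@{ Present = $false; Value = $null; FollowsAIA = $false }
    }
    $v = [int]$item.$valueName
    [pscustomobject]@{ Present = $true; Value = $v; FollowsAIA = ($v -eq 1) }
}

function Set-AcrobatAiaChainBuilding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # $true writes 1 (follow AIA URIs); $false writes 0 (assumed to restore the default).
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    $keyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\DC\Security\cASPKI\cAdobe_ChainBuilder'
    $valueName = 'bFollowURIsFromAIA'
    $desired   = if ($Enabled) { 1 } else { 0 }

    if (-not (Test-Path -LiteralPath $keyPath)) {
        if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
            # -Force also creates any missing parent keys under the registry provider.
            New-Item -Path $keyPath -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $desired")) {
        # -Force makes New-ItemProperty overwrite an existing value instead of failing.
        New-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $desired `
            -PropertyType DWord -Force | Out-Null
    }
    # Read back and return the effective state for logging or auditing.
    Get-AcrobatAiaChainBuilding
}

# Usage: audit the current state, preview the change, then apply it.
Get-AcrobatAiaChainBuilding
Set-AcrobatAiaChainBuilding -Enabled $true -WhatIf
Set-AcrobatAiaChainBuilding -Enabled $true
```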

TOPICS
Security digital signatures and esignatures


Adobe Employee, Feb 03, 2020 (Correct answer)

Acrobat by default does not build a certificate path using the AIA extension because this creates issues with the multiple cross-certified paths that exist under the AATL (mainly from the US Federal Bridge PKI). Normally this is not required if the signature follows the recommended practice to include the full certificate chain in the signature.

In the future Acrobat might expose this option in the Signature Preference panel, but at the moment this has not been confirmed.

New Here, Feb 04, 2020

Dear Andrea,

Thank you for your answer. An option in the Signature Preference panel would be indeed very useful.

Best regards.

New Here, Jul 16, 2020 (latest)

This affects more TSPs in Europe. It is worth mentioning that this "recommended practice to include the full certificate chain" does not apply to signatures created by the Adobe Reader unless the intermediate CA has been manually added to the certificate store.

So it would be great if the AIA URIs would be followed (at least at a best-effort level) during signature creation by the Adobe Reader.

Best regards, Christof
