HOME




© 2017 Adobe Systems, Inc. All rights reserved.

Updated Nov 16, 2017.

OIDs and Certificates

Acrobat products suppport using OIDs to define policies for processing certificates. Signatures that do not conform to the specified policies are deemed invalid. 9.x products and earlier use the explicit OID processing model defined by the X.509 specification. 10.0 products introduce support for the non explicit OID processing model.

Acrobat products store the processing instructions and information in the addressbook.acrodata file for both models. A typical path is C:\Documents and Settings\<username>\Application Data\Adobe\(product name)\(version)\Security.

What is an OID?

OIDs are like the Internet domain name space: organizations that need such an identifier may have a root OID assigned to them. They can thus create their own sub OIDs much like they can create subdomains. A very large and standardized set of OIDs already exists.

An object identifier (OID) is simply another name for an object. OIDs are a dot-separated series of numbers. Each dot-separated number has a specific meaning. In Acrobat, the series is made up of an immutable arc (1.2.840.113583) and subarcs such as {iso(1) member-body(2) us(840) adbe(113583)}. In the context of computer security, OIDs name nearly all X.509 certificate object types, including components of policies, distinguished names, CPSs, and so on. OIDs are associated with objects in data structures defined using the standard Abstract Syntax Notation number One (ASN.1) so that OIDs may be generated and processed by client and server software.

Most CAs do not create new OIDs. OIDs are typically attached to a certificate when it is created by a certificate authority using 3rd party software. For example, certificates can be associated with a policy represented by a numeric string (the OID) that controls how Acrobat will behave. When Acrobat encounters a certificate, it processes the OIDs, and in this case it looks for a corresponding certificate policy and changes its behavior accordingly. Acrobat recognizes two kinds of certificate policy OIDs:

  • Acrobat-conformant OIDs: These OIDs conform to the format described in this specification. There are a limited number of predefined OIDs, and each OID is associated with specific Acrobat behavior. These OIDs have a structure defined in X.208 from the International Telecommunications Union (ITU).
  • Arbitrary OIDs: Any user-defined OID may be associated with a certificate.

Adobe OIDs

Category OID Remarks
Adobe-Arc 1.2.840.113583 All the Adobe-defined OIDs must be under this arc.
Acrobat Adobe-Arc.1 Acrobat OIDs.
Security Acrobat.1 OIDs for managing PKCS#7 and PKCS#12 files.
CPS Acrobat.2 Certificate Practice Statement OIDs subarc.
Ubiquity Acrobat.7 Ubiquity OIDs subarc.
X509-Extension Acrobat.9 Contains all OIDs used to define Adobe proprietary X509 extensions. Note, an OID is defined under this arc, only if it doesn’t fall under any of the above arcs (e.g. Ubiquity Sub Rights extension is defined under Ubiquity arc whereas extension is defined under this arc).

Security OIDs

Security OIDs
Name OID Remarks
Password Security.1 Acrobat 7 and earlier: Special casing for APF file encryption/decryption using algorithms not directly supported by BSafe.
DefaultSigningCredential Security.2 Acrobat 6 and earlier: Sets the default signing credential when a P12 file contains more than one digital ID.
DefaultEncryptionCredential Security.3 Acrobat 6 and earlier: Sets the default encryption credential when a P12 file contains more than one digital ID.
PasswordTimeout Security.4 Set within the P12 file SecretBag along with the timeout value.
AuthenticDocumentsTrust Security.5 Used in ExtendedKeyUsage X509 extension. The presence indicates that the particular credential can be used for CDS.
DynamicContentTrust Security.6 NOT USED CURRENTLY.
UbiquityTrust Security.7 Used in ExtendedKeyUsage X509 extension. The presence indicates that the particular credential can be used for CDS.
RevInfoArchival Security.8 Used in PKCS#7 signature to identify the revocation information archival attribute.
X509-Extension Security.9 Contains all OIDs used to define Adobe proprietary X.509 extensions. Note: an OID is defined under this arc only if it doesn’t fall under any of the above arcs (e.g. Ubiquity Sub Rights extension is defined under Ubiquity arc whereas Timestamp extension is defined under this arc).
PPLKLiteCredential Security.10 Used in digital IDs created in Acrobat/Reader v8.0 and later.

RevInfoArchival signature property format

adbe-revocationInfoArchival OBJECT IDENTIFIER ::= { adbe(1.2.840.113583) acrobat(1) security(1) 8 }

RevocationInfoArchival ::= SEQUENCE {
 crl  [0] EXPLICIT SEQUENCE of CRLs OPTIONAL,
 ocsp  [1] EXPLICIT SEQUENCE of OCSP Responses OPTIONAL,
 otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo OPTIONAL }

OhterRevInfo ::= SEQUENCE {
 Type  OBJECT IDENTIFIER
 ValValue OCTET STRING
}

Certificate Practice Statement OIDs

CPS OIDs
Name OID Format
AuthenticDocuments CPS.1 CDS CPS OID. Present in the Certificate Policies X509 extension. Acrobat doesn’t look at this OID.
Test CPS.2 Test CPS OID. Indicates that the given certificate has been issued for testing purposed only, and brings up the infamous dialog.
Ubiquity CPS.3 Ubiquity CPS OID. Acrobat doesn’t look at this OID.
Adhoc CPS.4 Indicates that the certificate has been issued under an “Adhoc” policy, where the certificate isn’t supposed to provide any kind of authentication.

Ubiquity OIDs

Ubiquity OIDs
Name OID Format
UbiquitySubRights Ubiquity.1 Adobe proprietary X509 extension. Indicates the UB sub rights that can be enabled by this credential.

Ubiquity Sub rights format

adbe-readerEnablement OBJECT IDENTIFIER ::=  { adbe(1.2.840.113583) acrobat(1) security(1) ubiquity(7) 1 }

UbiquityRights ::= SEQUENCE {
    version             INTEGER  { v1(1) }, -- extension version
    ubSubRights         UBSubRights,
    mode                DeploymentMode
}

UBSubRights ::= BIT STRING {
        FormFillInAndSave(0),
        FormImportExport(1),
        FormAddDelete(2),
        SubmitStandalone(3),
        SpawnTemplate(4),
        Signing(5),
        AnnotModify(6),
        AnnotImportExport(7),
        BarcodePlaintext(8)
        AnnotOnline(9),
        FormOnline(10),
        EFModify(11)
}

DeploymentMode ::= ENUMERATED {
    evaluation  (0), -- Eval cert. Docs are disabled when certificate is invalid.
    production  (1)  -- Production cert. Docs remain valid for eternity.
}

X.509 Extension OIDs

X509 Extension OIDs
Name OID Format
Time-stamp X509-Extension.1 Adobe proprietary X509 extension. Provides the server with the URL to use to signatures created using this credential.
ArchiveRevInfo X509-Extension.2 Adobe proprietary X509 extension. Indicates that the signatures created using this credential should archive the relevant revocation info.

Time-stamp X509 extension format

adbe- OBJECT IDENTIFIER ::=  { adbe(1.2.840.113583) acrobat(1) security(1) x509Ext(9) 1 }

 ::= SEQUENCE {
    version INTEGER  { v1(1) }, -- extension version
    location GeneralName (In v1 GeneralName can be only uniformResourceIdentifier)
    requiresAuth        boolean (default false), OPTIONAL
}

ArchiveRevInfo extension format

adbe-archiveRevInfo OBJECT IDENTIFIER ::=  { adbe(1.2.840.113583) acrobat(1) security(1) x509Ext(9) 2 }

ArchiveRevInfo ::= SEQUENCE {
    version             INTEGER  { v1(1) }, -- extension version
}

User Interface Configuration

Administrators configure policies across the organization via the addressbook.acrodata file. However, it is possible to set policies via the user interface. You can configure a policy constraint for a trust anchor or any other certificate in the trusted identities list.

To require a certificate to be associated with a particular certificate policy:

  1. Open the Security Settings Console.

  2. In the Display drop down list, choose Certificates.

  3. Select the timestamp server’s certificate that will be used as a trust anchor.

  4. Choose Edit Trust.

  5. Choose the Policy Restrictions tab and enter the restrictions:

    • Certificate Policies: Required. Enter the policy OID.
    • Description: Optional. Enter a meaningful description.
  6. Choose the radio button that specifies whether to apply policy restrictions to all certificates in the chain or only to the signing certificate. The latter choice is supported by 10.0 and later only.

  7. Choose OK.

Policy restrictions

_images/policy_restrictions.png

Non-Explicit OID Processing

The X.509 specification allows applications to define their own non-explicit policy restrictions processing models, and Acrobat products support non-explicit OIDs with 10.0. In the explicit model, all certificates in a chain must contain one of the OIDs defined in the initial-policy-set associated with the trust anchor. In the non-explicit model, processing is defined by the application. Support for the non-explicit model allows Acrobat products to conform to the processing model used by many European Qualified CAs, SAFE, and others in which only the signing certificate (end entity) is checked against the initial-policy-set.

The non-explicit policy restriction processing model requires the following conditions:

  • The trust anchor’s trust flags field contains the new flag that indicates non-explicit policy restrictions processing model (Set via the user interface or in the addressbook.acrodata file).
  • Preferences do not contain policy restrictions entries.
  • None of the intermediate certificates in the chain contains the requireExplicitPolicy extension.

Note

This feature is not backward compatible.