These settings pertain to content security (security features) rather than application security (securing the software environment). Content security includes digital signatures, security methods such as password and certificate security, and other rights management features.
Note the following:
- Most of these settings are applicable to Windows, Macintosh, Unix, and Linux systems.
- The examples use Acrobat; other applications may provide different menu options.
- The security preferences folder does not appear in the registry until a security feature is used. Many subdirectories also appear as the code is exercised.
For more information, refer to the Digital Signatures Guide and related documentation.
This preference category contains the following subfeature(s):
Signing: RSA-PSS Configuration
The DC release supports RSA-PSS Signing on Windows (April, 2017) and Macintosh (August 2017). Classic track (Windows and Macintosh both) support was added in November 2018. RSA-PSS is an RSA cryptosystem signature scheme that provides increased security assurance. For more details see https://www.emc.com/emc-plus/rsa-labs/historical/raising-standard-rsa-signatures-rsa-pss.htm. Support currently includes:
- Acrobat and Reader DC
- Signature validation
- Signature creation with digital ID files (PFX/P12)
- Signature creation with digital IDs imported to Windows Certificate Store and devices such as smart cards supporting Cryptography API: Next Generation (CNG). CNG is designed to replace the legacy CryptoAPI. In addition to increased security, CNG is extensible and cryptography agnostic. For more detail and a list of features, see https://msdn.microsoft.com/en-us/library/windows/desktop/bb204775(v=vs.85).aspx
Signature creation with devices that use the legacy CryptoAPI is not supported.
Summary table

| Attribute | Value |
|---|---|
| Preference | bEnableRSAPSSSigning |
| Data type | 0 (bool) |
| Default | 0 |
| Version # | DC Continuous: Windows April, 2017; Mac August 2017 |
| Lock Path | Not lockable |
| Summary | Specifies whether a signature should be created with the RSA-PSS algorithm. |
| Details | Possible values: 0 = Do not sign with the RSA-PSS algorithm; 1 = Use the RSA-PSS algorithm. |
| GUI mapping | N/A |

| Attribute | Value |
|---|---|
| Data type | 2 (atom) |
| Default | null |
| Version # | DC Continuous: Windows April, 2017; Mac August 2017 |
| Lock Path | Not lockable |
| Summary | Specifies the hash algorithm used for RSA-PSS signing. |
| Details | If bEnableRSAPSSSigning is enabled, this preference specifies the hash algorithm. If this preference is not present or has a null value, the value specified by aSignHash is used; if aSignHash is not specified either, SHA256 is used. Possible values: SHA1, SHA224, SHA256, SHA384, SHA512. |
| GUI mapping | N/A |

| Attribute | Value |
|---|---|
| Data type | 1 (int) |
| Default | 32 |
| Version # | DC Continuous: Windows April, 2017; Mac August 2017 |
| Lock Path | Not lockable |
| Summary | Specifies the salt length the RSA-PSS algorithm uses. |
| Details | When setting the salt length, be aware that the registry editor's default base for this value is hexadecimal: either switch the base to decimal or enter the hexadecimal equivalent. For example, a decimal salt length of 32 is entered as hex 20. |
| GUI mapping | N/A |

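
As an added illustration (not Acrobat's own code), the following Python implements the EMSA-PSS encoding and verification steps of RFC 8017 with the two parameters the preferences above control: the hash algorithm, including the aSignHash/SHA256 fallback chain, and the salt length, plus the decimal-to-hex conversion needed to enter the salt length in the registry. It covers only the encoding applied before the RSA private-key operation, not the RSA operation itself; the function names are this example's own.

```python
import hashlib
import os

# Hash names as the preference reference spells them, mapped to hashlib names.
_HASHES = {"SHA1": "sha1", "SHA224": "sha224", "SHA256": "sha256",
           "SHA384": "sha384", "SHA512": "sha512"}


def resolve_pss_hash(pss_hash, sign_hash):
    """Fallback chain from the reference: the RSA-PSS hash preference wins;
    if it is absent or null, aSignHash is used; if that is unset too, SHA256."""
    for candidate in (pss_hash, sign_hash, "SHA256"):
        if candidate:
            if candidate not in _HASHES:
                raise ValueError("unsupported hash: %s" % candidate)
            return candidate


def salt_length_registry_hex(decimal_salt_length):
    """The registry editor's default base is hexadecimal: decimal 32 -> '20'."""
    if decimal_salt_length < 0:
        raise ValueError("salt length must be non-negative")
    return format(decimal_salt_length, "X")


def _mgf1(seed, mask_len, hash_name):
    """MGF1 mask generation function (RFC 8017, appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hashlib.new(_HASHES[hash_name], seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(message, em_bits, hash_name="SHA256", salt_len=32, salt=None):
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1): build the encoded message EM to which
    the RSA private-key operation is applied. em_bits is modBits - 1.
    salt=None draws a fresh random salt of salt_len bytes."""
    h = _HASHES[hash_name]
    m_hash = hashlib.new(h, message).digest()
    h_len = len(m_hash)
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: key too small for this hash and salt length")
    if salt is None:
        salt = os.urandom(salt_len)
    if len(salt) != salt_len:
        raise ValueError("salt does not match the configured salt length")
    m_prime = b"\x00" * 8 + m_hash + salt
    h_val = hashlib.new(h, m_prime).digest()
    ps = b"\x00" * (em_len - salt_len - h_len - 2)
    db = ps + b"\x01" + salt
    db_mask = _mgf1(h_val, em_len - h_len - 1, hash_name)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked_db) + h_val + b"\xbc"


def emsa_pss_verify(message, em, em_bits, hash_name="SHA256", salt_len=32):
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2). The verifier must use the same hash
    and salt length as the signer; a mismatch in either is a hard failure."""
    h = _HASHES[hash_name]
    m_hash = hashlib.new(h, message).digest()
    h_len = len(m_hash)
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h_val = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - top_bits)) & 0xFF):
        return False  # the unused top bits must be zero
    db_mask = _mgf1(h_val, em_len - h_len - 1, hash_name)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> top_bits
    pad_len = em_len - h_len - salt_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])
    m_prime = b"\x00" * 8 + m_hash + salt
    return hashlib.new(h, m_prime).digest() == h_val


if __name__ == "__main__":
    # Constructed sample: the bytes a signer would hash (for a PDF, the byte range).
    data = b"constructed sample document bytes"
    chosen = resolve_pss_hash(None, None)          # no preferences set -> SHA256
    em = emsa_pss_encode(data, 2047, chosen, 32)    # 2048-bit key: emBits = 2047
    print("registry salt length value:", salt_length_registry_hex(32))
    print("verifies with matching parameters:", emsa_pss_verify(data, em, 2047, chosen, 32))
    print("verifies with salt length 20:", emsa_pss_verify(data, em, 2047, chosen, 20))
```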
Addressbook Import
The address book stores data for certificates used in digital signature and certificate encryption workflows. During a major upgrade (e.g. 10.x to 11.x), the product looks for existing address books on each user machine. Prior to install, you should decide whether to deploy a generic, enterprise address book or let the existing address book on each machine be imported into the new product. By default, when end users first launch the product, the application prompts them to import any discovered address book. The application looks for existing addressbooks from previous product versions by searching directories in this order.
- (root)\AppData\Roaming\Adobe\Acrobat\11.0\addressbook.acrodata
- (root)\AppData\Roaming\Adobe\Acrobat\10.0\addressbook.acrodata
- (root)\AppData\Roaming\Adobe\Acrobat\9.0\addressbook.acrodata
- (root)\Program Files (x86)\Adobe\Acrobat {current version such as 11.0}\Acrobat\Replicate
Summary table

| Preference | Description |
|---|---|
| ImportAddressBook | Specifies whether the addressbook.acrodata file should be imported during a new install. |

| Attribute | Value |
|---|---|
| Preference | ImportAddressBook |
| Data type | 1 (int) |
| Default | 1 |
| Version # | 11.0.06+ |
| User Path | Security\DigSig |
| Lock Path | Not lockable |
| Summary | Specifies whether the addressbook.acrodata file should be imported during a new install. |
| Details | Many admins set a value of 2 so that the import dialog does not appear for end users. Possible values: 0 = Do not copy the old address book (the user is not prompted and the address book is not installed); 1 or null (default) = Ask the user whether the address book should be installed; 2 = Import the address book silently. |
| GUI mapping | N/A |

Security Setting Import
9.x products introduced a security feature that allows security settings to be imported and exported via an .acrobatsecuritysettings file, thereby enabling easier version upgrades as well as configuration of multiple machines. The security settings import/export feature offers several advantages over FDF files:
- Most document security and digital signature related settings can be encapsulated in an acrobatsecuritysettings file, whereas FDF could only transport one setting type at a time and could not encapsulate registry settings at all.
- One file can be used instead of many files.
- Trust can be assigned to imported files on the fly, thereby simplifying workflows. Files can be signed and encrypted.
- Updates can be configured to occur automatically on a specified schedule.
Use security settings files to backup and restore settings, to distribute settings in a workgroup or enterprise, and to send specific information to another user. Importing settings simply involves importing a file from a network (including automatically from a server) that has been exported from Acrobat and has then been made available from a trusted source.
The following options are available:
- Specifying whether or not to poll a server for settings to import at regular intervals.
- Configuring whether or not the user should grant permission prior to installing new settings.
- Specifying a particular certificate so the signed settings will only be imported from a trusted source.
Summary table

| Preference | Description |
|---|---|
| AskBeforeInstalling | Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0. |
| CheckEvery | The polling interval to check the specified server for an updated security settings file. |
| data | Binary data used for internal purposes. |
| iResourceID | An internally used number created by Acrobat when it first sets up the "resource" pointed to by the URL. It is not user customizable. |
| LoadSettingsCERT | Specifies a certificate that must be used to sign the imported security settings file. |
| LoadSettingsFromURL | Specifies whether to load security settings from a server. |
| LoadSettingsNAME | Specifies the signing certificate for the imported settings file. |
| LoadSettingsURL | The server URL where the acrobatsecuritysettings file to import resides. |

| Attribute | Value |
|---|---|
| Preference | CheckEvery |
| Data type | 1 (int) |
| Default | 1209600 |
| Version # | 9.0+ |
| User Path | Security\DigSig\CustomDownload |
| Lock Path | Not lockable |
| Summary | The polling interval to check the specified server for an updated security settings file. |
| Details | The application can automatically check for and import a security settings file at regular intervals. The value is the number of seconds between checks for updates. Prior to March 2012, the default was 2419200. Possible values: 604800 = 1 week; 1209600 = 2 weeks (default); 2419200 = 1 month; 7257600 = 3 months. |
| GUI mapping | Preferences > Security > Security Settings panel > "Check every" radio buttons |

| Attribute | Value |
|---|---|
| Preference | LoadSettingsURL |
| Data type | 4 (string) |
| Default | null |
| Version # | 9.0+ |
| User Path | Security\DigSig\CustomDownload |
| Lock Path | Not lockable |
| Summary | The server URL where the acrobatsecuritysettings file to import resides. |
| Details | These settings include all the settings that can be configured, imported, and exported from an .acrobatsecuritysettings file. |
| GUI mapping | Preferences > Security > Security Settings panel > URL text box |

| Attribute | Value |
|---|---|
| Preference | LoadSettingsFromURL |
| Data type | 4 (string) |
| Default | 9.0: 0; 10.0: 1 |
| Version # | 9.0+ |
| User Path | Security\DigSig\CustomDownload |
| Lock Path | Not lockable |
| Summary | Specifies whether to load security settings from a server. |
| Details | Possible values: 0 = Don't load settings from a server; 1 = Load settings from a server. |
| GUI mapping | Preferences > Security > Security Settings panel > URL text box |

| Attribute | Value |
|---|---|
| Preference | LoadSettingsCERT |
| Data type | 8 (cab) |
| Default | null |
| Version # | 9.0+ |
| User Path | Security\DigSig\CustomDownload |
| Lock Path | Not lockable |
| Summary | Specifies a certificate that must be used to sign the imported security settings file. |
| Details | The value is a hexadecimal string corresponding to the SHA-1 hash of the certificate used to sign the settings file. |
| GUI mapping | Preferences > Security > Security Settings panel > Settings must be signed by field |

| Attribute | Value |
|---|---|
| Preference | LoadSettingsNAME |
| Data type | 5 (text) |
| Default | Allow Any Certificate |
| Version # | 9.0+ |
| User Path | Security\DigSig\CustomDownload |
| Lock Path | Not lockable |
| Summary | Specifies the signing certificate for the imported settings file. |
| Details | Administrators can require that a settings file be signed by a specific certificate. Possible values: 0 = Allow Any Certificate; 1 = Any user-specified certificate. |
| GUI mapping | Preferences > Security > Settings must be signed by |

| Attribute | Value |
|---|---|
| Preference | AskBeforeInstalling |
| Data type | 0 (bool) |
| Default | 1 |
| Version # | 9.0+ |
| User Path | Security\DigSig\CustomDownload |
| Lock Path | Not lockable |
| Summary | Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0. |
| Details | Possible values: 0 = Enable and install silently; 1 = Enable and ask before installing. |
| GUI mapping | Preferences > Security > Security Settings panel > Ask before updating |

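
As an added check (not part of the reference and not Acrobat code), the following Python audits one CustomDownload configuration against the preferences documented above: it flags silent installs, a signing certificate that is not pinned, and an undocumented polling interval, and it computes the LoadSettingsCERT value from a signer certificate's DER bytes. The input dict keyed by the unprefixed preference names, the finding texts, the HTTPS rule, the uppercase hex and the function names are this example's own; the sample configurations are constructed.

```python
import hashlib

# Polling intervals the reference documents for CheckEvery, in seconds.
CHECK_EVERY_LABELS = {604800: "1 week", 1209600: "2 weeks (default)",
                      2419200: "1 month", 7257600: "3 months"}
ALLOW_ANY = "Allow Any Certificate"   # default value of LoadSettingsNAME


def load_settings_cert_value(signer_cert_der):
    """LoadSettingsCERT holds the hex SHA-1 hash of the certificate that must
    sign the settings file. Uppercase hex is this example's assumption."""
    return hashlib.sha1(signer_cert_der).hexdigest().upper()


def audit_custom_download(prefs):
    """Return a list of findings for one Security\\DigSig\\CustomDownload cab,
    given as a dict keyed by the unprefixed preference names."""
    findings = []
    if str(prefs.get("LoadSettingsFromURL", "0")) != "1":
        return findings   # feature off: the remaining keys are inert
    url = prefs.get("LoadSettingsURL") or ""
    if not url:
        findings.append("LoadSettingsFromURL=1 but LoadSettingsURL is empty")
    elif not url.lower().startswith("https://"):
        # Not a rule from the reference; a transport check this example adds.
        findings.append("LoadSettingsURL is not an https:// URL: %s" % url)
    if prefs.get("LoadSettingsNAME", ALLOW_ANY) == ALLOW_ANY or not prefs.get("LoadSettingsCERT"):
        findings.append("settings file may be signed by any certificate "
                        "(LoadSettingsNAME/LoadSettingsCERT not pinned)")
    if str(prefs.get("AskBeforeInstalling", "1")) == "0":
        findings.append("AskBeforeInstalling=0: downloaded settings install silently")
    interval = int(prefs.get("CheckEvery", 1209600))
    if interval not in CHECK_EVERY_LABELS:
        findings.append("CheckEvery=%d is not a documented interval" % interval)
    return findings


if __name__ == "__main__":
    # Constructed sample configurations, not real deployments.
    weak = {"LoadSettingsFromURL": 1, "AskBeforeInstalling": 0, "CheckEvery": 1209600,
            "LoadSettingsURL": "http://settings.example.internal/corp.acrobatsecuritysettings"}
    hardened = dict(weak, AskBeforeInstalling=1, LoadSettingsNAME="Any user-specified certificate",
                    LoadSettingsCERT=load_settings_cert_value(b"constructed signer cert DER"),
                    LoadSettingsURL="https://settings.example.internal/corp.acrobatsecuritysettings")
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(name, audit_custom_download(cfg) or ["no findings"])
```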
Extended Certificate Information
Summary table

| Preference | Description |
|---|---|
| CertIssuerInfo | Contains a subkey for each certificate with extended information. |
| ExtendedCertInfo | Contains a subkey for each certificate with extended information provided by attribute certificates. |

| Attribute | Value |
|---|---|
| Preference | ExtendedCertInfo |
| Data type | 8 (cab) |
| Default | n/a |
| Version # | 8.0+ |
| User Path | Security\PubSec |
| Lock Path | Not lockable |
| Summary | Contains a subkey for each certificate with extended information provided by attribute certificates. |
| Details | The subkeys take the form c{DIGEST}, where {DIGEST} is the SHA-1 digest of the associated certificate's public key encoded as hexadecimal. For example, \cPubSec\cExtendedCertInfo\cAD6716326BDAC87628DFAD6716326. Each subkey contains the friendly name, related ID card, and associated attribute certificates. |
| GUI mapping | N/A |

| Attribute | Value |
|---|---|
| Preference | CertIssuerInfo |
| Data type | 8 (cab) |
| Default | n/a |
| Version # | 8.0+ |
| User Path | Security\PubSec |
| Lock Path | Not lockable |
| Summary | Contains a subkey for each certificate with extended information. |
| Details | The subkeys take the form c\|{DN}, where {DN} is the issuer certificate's distinguished name. For example, \cPubSec\cCertIssuers\c\|cn=Adobe Systems, o=Acrobat Engineering. Each subkey contains the associated ID card for this issuer certificate. |
| GUI mapping | N/A |

IdenTrust Preferences
Summary table

| Preference | Description |
|---|---|
| (someInteger) | The default chain scope in which to look for the policy OIDs. |
| Value | An array of strings containing the policy OIDs for a certificate to be considered acceptable. |

| Attribute | Value |
|---|---|
| Preference | Value |
| Data type | 8 (cab) |
| Default | See description |
| Version # | 7.x+ |
| User Path | Security\AcceptablePolicyOIDs\(some integer)\ |
| Lock Path | Not lockable |
| Summary | An array of strings containing the policy OIDs for a certificate to be considered acceptable. |
| Details | For ICA certificates, set to 1.2.840.114021.1.6.1 and 1.2.840.114021.1.2.1. For EE certificates, set to 1.2.840.114021.1.4.1, 1.2.840.114021.1.4.2, 1.2.840.114021.1.7.2, 1.2.840.114021.1.10.1, 1.2.840.114021.1.10.2, 1.2.840.114021.1.13.2, 1.2.840.114021.1.16.2, 1.2.840.114021.1.19.2, 1.2.840.114021.1.22.2, 1.2.840.114021.1.25.2, 1.2.840.114021.1.28.2, 1.2.840.114021.1.30.2. |
| GUI mapping | N/A |

Custom Security Handlers
Security handlers are Acrobat plugins. Information about creating plugins in general and security handlers in particular can be found in the Acrobat Software Development Kit (SDK) and its HFTs, header files, and other API documentation. Because Acrobat's Adobe.PPKLite is becoming more feature rich with each release, it is unlikely that you will need a custom security handler.
Adobe.PPKLite is the default security handler used for performing private key functions, validating signatures, and signing and encrypting documents. This is represented in the user interface as Adobe Default Security in the Digital Signatures Advanced Preferences dialog on both the Verification and Creation tabs. Administrators can install custom handlers to perform these functions, in which case the drop down lists on these tabs will list the additional handlers. All entries in the cHandler folder are reset by the Digital Signature Preferences dialog's Reset button.
If a custom handler is used, you can specify the following:
- Separate handlers for signing/encryption and signature validation.
- The default method displayed in the drop-down list of handlers.
- Locking down the selections so they cannot be modified by end users.
Summary table

| Preference | Description |
|---|---|
| AddressBook | Remembers a preferred handler for accessing Trusted Identity Manager functions, including certificate data import from an FDF file. |
| Dialogs:xSelHandler | The last on-screen coordinates of a handler's digital ID selection dialog. |
| Directory | Remembers a preferred handler for directory functions (e.g. LDAP), including for importing directory information from an FDF data exchange file. |
| PrivKey | Used by DigSig and PubSec to store the handler that accesses private key functions. |
| Verify | Remembers the name of the preferred handler to use when verifying signatures. |
| VerifyUseAlways | Qualifies the use of aVerify. |

| Attribute | Value |
|---|---|
| Preference | PrivKey |
| Data type | 2 (atom) |
| Default | Adobe.PPKLite |
| Version # | 7.x+ |
| User Path | Security\Handlers |
| Lock Path | FeatureLockDown\Security\Handlers |
| Summary | Used by DigSig and PubSec to store the handler that accesses private key functions. |
| Details | It is used for signing, decryption, and responding to an FDF file request to export contact information. Set the value to Adobe.NoHandler if the user should be asked to select a handler. |
| GUI mapping | Preferences > Security > Advanced Preferences > Creation tab > Method to use When Signing and Encrypting Documents |

| Attribute | Value |
|---|---|
| Preference | Verify |
| Data type | 2 (atom) |
| Default | Adobe.NoHandler |
| Version # | 7.x+ |
| User Path | Security\Handlers |
| Lock Path | FeatureLockDown\Security\Handlers |
| Summary | Remembers the name of the preferred handler to use when verifying signatures. |
| Details | If this value is not set, the handler used to verify signatures is the one matching the Filter attribute in the signature dictionary; if that handler is not available, the user is prompted to select a handler. If this value is set, its meaning is qualified by the value of bVerifyUseAlways. Possible values: Adobe.NoHandler = Use the document-specified method and prompt if it is not available; Adobe.PPKLite = Use the document-specified method and fall back to the default method if it is not available; the value set in aPrivKey = Always use the default method (overrides the document-specified method), taking the value selected from Default Method for Verifying Signatures. |
| GUI mapping | Preferences > Security > Advanced Preferences > Verification tab > the radio button selections under "When Verifying:" |

| Attribute | Value |
|---|---|
| Preference | VerifyUseAlways |
| Data type | |
| Default | 0 |
| Version # | 7.x+ |
| User Path | Security\Handlers |
| Lock Path | FeatureLockDown\Security\Handlers |
| Summary | Qualifies the use of aVerify. |
| Details | If true and aVerify is set to a handler name, that handler is used to verify all signatures. If false, the aVerify handler is used only to verify signatures when the handler specified by the signature dictionary's Filter attribute is not present. |
| GUI mapping | Preferences > Security > Advanced Preferences > Always use the default method (overrides the document-specified method) |

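
The interplay between aVerify and bVerifyUseAlways described in the two tables above, as an added example that is not Acrobat's code: a function that resolves which handler will verify a given signature from the document's Filter entry, the installed handlers and the two preferences. The handler names are the ones the reference lists; the function, the PROMPT marker and the constructed handler set are this example's own.

```python
NO_HANDLER = "Adobe.NoHandler"
DEFAULT_HANDLER = "Adobe.PPKLite"
PROMPT = "<prompt user to select a handler>"   # constructed marker for the chooser dialog


def select_verify_handler(filter_name, installed, a_verify=None, verify_use_always=False):
    """Return the handler name that will verify a signature, or PROMPT.

    filter_name: the Filter entry of the signature dictionary (document-specified method)
    installed: set of handler names registered on this machine
    a_verify: value of aVerify, or None when the preference is not set
    verify_use_always: value of bVerifyUseAlways
    """
    doc_handler_available = filter_name in installed
    if a_verify is None or a_verify == NO_HANDLER:
        # Preference unset or Adobe.NoHandler: use the document-specified
        # method, and prompt if it is not available.
        return filter_name if doc_handler_available else PROMPT
    if verify_use_always:
        # "Always use the default method": aVerify overrides the document's Filter.
        return a_verify if a_verify in installed else PROMPT
    # bVerifyUseAlways false: aVerify is only a fallback for a missing Filter handler.
    if doc_handler_available:
        return filter_name
    return a_verify if a_verify in installed else PROMPT


if __name__ == "__main__":
    installed = {DEFAULT_HANDLER, "Example.CustomHandler"}   # constructed set of handlers
    for doc_filter in ("Example.CustomHandler", "Missing.Handler"):
        for a_verify, always in ((None, False), (DEFAULT_HANDLER, False), (DEFAULT_HANDLER, True)):
            print(doc_filter, a_verify, always, "->",
                  select_verify_handler(doc_filter, installed, a_verify, always))
```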

| Attribute | Value |
|---|---|
| Preference | Dialogs:xSelHandler |
| Data type | 1 (int) |
| Default | null |
| Version # | 7.x+ |
| User Path | Security\DigSig |
| Lock Path | Not lockable |
| Summary | The last on-screen coordinates of a handler's digital ID selection dialog. |
| Details | It is a subkey containing four keys: Top, Bottom, Left, and Right. This preference could be used by third-party handlers or by someone invoking a non-signing digital ID selection dialog via JavaScript. |
| GUI mapping | N/A |

FDF Import and Export
The File Data Exchange Format (FDF) provides a format for easily importing and exporting certificate data and application settings. These settings appear in Security\cPubSec after a client uses the feature.
The default values are stored internally by the application and are not visible in the registry. An administrator can set the default behavior, but your configuration is subject to modification by end users via the user interface.
The following features are available:
- Specifying whether the default export behavior is to save or email the file.
- Specifying whether the default export behavior is to sign the file.
- Specifying whether the default certificate request behavior is to save or email the file.
- Enabling or disabling WebBuy FDF processing (deprecated).
Summary table

| Preference | Description |
|---|---|
| FDFExportSave | Persists whether the user chose to save (1) or email (0) the FDF during export. |
| FDFExportSign | Persists whether the user chose to sign the FDF during export. |
| FDFRequestExcludeCert | Similar to bFDFRequestSave. |
| FDFRequestSave | Caches a user's answer to the question whether to save the request as an FDF or email it directly when the user requests a certificate. |
| WebBuyFDF | Enables WebBuy FDF file processing. |

Security Settings Console
Security Settings Console preferences persist information about the state of the console user interface. These preferences are user generated and implementation specific and are likely to change across application versions. These keys are not customizable and are provided for informational purposes only.
Summary table

| Preference | Description |
|---|---|
| Category | A binary ID of the last-selected category in the tree view. |
| OpenCategories | An array of binary IDs for all categories in the tree view that were opened. |
| SHS | Indicates (in pixels) the position of the horizontal window splitter. |
| SVS | Indicates (in pixels) the position of the vertical window splitter. |

Certificate Viewer Configuration
By default, the Certificate Viewer builds and displays the trusted chain from the EE to the trust anchor. However, it is possible to show all found chains whether they are trusted or not. While most users do not need this information, it can be used for troubleshooting and verification. End users can turn this option on and off by using the Certificate Viewer's checkbox Show all certification paths found.
Summary table

| Preference | Description |
|---|---|
| ShowAllChains | Specifies whether to show all chains in the Certificate Viewer. |

| Attribute | Value |
|---|---|
| Preference | ShowAllChains |
| Data type | 0 (bool) |
| Default | 0 |
| Version # | 7.0+ |
| User Path | Security\PPKHandler |
| Lock Path | Not lockable |
| Summary | Specifies whether to show all chains in the Certificate Viewer. |
| Details | If true, the Certificate Viewer shows all the chains; otherwise, it shows only the trusted chain. If there are no trusted chains, all the chains are shown and this preference is ignored. |
| GUI mapping | N/A |

Password Caching
By default, password caching is turned on so that users do not always have to enter a password when one is required. This feature affects Adobe LiveCycle Rights Management Server login, signing with digital IDs in the Acrobat store (pfx or p12 files), changing password timeout policies, and creating new password security policies. For example, setting the option to false disables the menu option Save password with the policy when creating a new policy.
The following options are available:
- Controlling whether some passwords are cached to disk.
- Disabling the option to save a password with a policy.
- Streamlining Adobe LiveCycle Rights Management Server workflows. This key does not exist in HKCU. It can only be used in HKLM.
Note: Disabling Never ask for password on a digital ID's password timeout dialog does not work in version 9.0.
Summary table

| Preference | Description |
|---|---|
| AllowPasswordSaving | Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs. |

| Attribute | Value |
|---|---|
| Preference | AllowPasswordSaving |
| Data type | 0 (bool) |
| Default | 1 |
| Version # | 7.0+ |
| Lock Path | FeatureLockDown\Security\PPKLite |
| Summary | Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs. |
| Details | If false, users are prompted to enter a password every time one is required. Not all passwords are affected by this setting. |
| GUI mapping | User interface items where passwords are used: Save passwords with the policy in the New Security Policy dialog; Never checkbox on the Password timeout dialog. |

Examine Document
The Examine Document dialog box identifies hidden document information that might pose a risk to the integrity of security and signature workflows. Found content is listed and linked to in the Examine Document pane. Users can click on a link to view the content and check/uncheck items to mark them for removal. Checked items are removed when the user selects the Remove button.
The following options are available:
- Examining a document each time it is closed.
- Examining a document each time it is emailed.
Summary table

| Attribute | Value |
|---|---|
| Data type | 0 (bool) |
| Default | 1 |
| Version # | October, 2020 Continuous |
| User Path | Security |
| Lock Path | Not lockable |
| Summary | Specifies whether to remove hidden content when sanitizing a document. |
| Details | During sanitization workflows, the app automatically rasterizes the document if overlapping content exists, which can greatly increase the file size. Disable this feature to avoid extremely large files. Possible values: 0 = Remove hidden (overlapping) content; 1 = Do not remove hidden content when sanitizing a document. |
| GUI mapping | Preferences > Document > Do not remove overlapping content while sanitizing document. |

Roaming ID Configuration
These preferences are only used for signature workflows where users access roaming IDs on a roaming ID server. While the needed configuration can be handled through the user interface by end users, you can set the following:
- Specifying a Default Roaming ID Server : When a user adds a roaming ID account through the GUI, a dialog asks for a friendly name and a server URL. If no other accounts have been configured and cDefaultServerInfo exists in the preferences, its values populate both the friendly server name and URL fields in the Add a Roaming ID dialog.
- Specifying one or more authentication methods.
Summary table

| Preference | Description |
|---|---|
| ServerName | A user friendly roaming ID server name. |
| URL | The URL of the Roaming ID server. |

Roaming ID Provider Persistent Storage
These preferences store roaming ID server data. Some values are provided by the user and some are provided by the server. These keys cannot be customized and are provided for informational purposes only.
Summary table

| Preference | Description |
|---|---|
| Accounts | Contains entries for user accounts on roaming ID servers that the provider knows about. |
| RecentServerURLs | Contains an array of roaming ID server URLs recently entered by the user. |

Roaming ID Server Data
These preferences are created as a result of communications with a roaming ID server. Whether or not you customize these settings depends on the needs of your particular implementation.
Summary table

| Preference | Description |
|---|---|
| Credentials | The value is provided by the server. |
| SAML_Assertion | Holds an encrypted SAML assertion obtained during the last successful authentication. |
| SAML_Assertion_Expiration | Holds the time after which the roaming ID provider will not attempt to use the SAML assertion stored in cSAML_Assertion. |
| SAML_Assertion_Source | Holds the URL of the authentication server from which the SAML assertion stored in cSAML_Assertion was obtained. |
| SAML_Name_Format | SAML_NAME_<Value, Format, Qualifier> together comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication. |
| SAML_Name_Qualifier | Same as SAML_Name_Format. |
| SAML_Name_Value | Same as SAML_Name_Format. |
| SASL_Mechanism | The SASL id of the authentication mechanism. |
| SASL_UserName | The mechanism-specific persistent data. |

| Attribute | Value |
|---|---|
| Preference | SAML_Assertion |
| Data type | 8 (cab) |
| Default | null |
| Version # | 8.0+ |
| User Path | Security\PPKHandler\RC |
| Lock Path | Not lockable |
| Summary | Holds an encrypted SAML assertion obtained during the last successful authentication. |
| Details | Possession of this assertion is proof of a user's identity, so the assertion is encrypted with 256-bit AES in CBC mode. The encryption key is stored in the Microsafe database, which is protected by the OS login. There are two binary entries under the cSAML_Assertion cab: xEncryptedData contains the encrypted assertion, and xIV contains the initialization vector used by the AES encryption for this assertion. |
| GUI mapping | N/A |


| Attribute | Value |
|---|---|
| Preference | SAML_Assertion_Expiration |
| Data type | 5 (text) |
| Default | null |
| Version # | 8.0+ |
| User Path | Security\PPKHandler\RC |
| Lock Path | Not lockable |
| Summary | Holds the time after which the roaming ID provider will not attempt to use the SAML assertion stored in cSAML_Assertion. |
| Details | This time is calculated when an assertion is first obtained and takes into account the clock difference between the client machine and the server that generated the assertion. Time is represented in BER GeneralizedTime format without the type and length octets. |
| GUI mapping | N/A |

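
How SAML_Assertion_Expiration can be derived and later checked, as an added example that is not Acrobat's code: the assertion's server-side expiry is moved onto the client clock using the observed clock difference, stored as the content octets of a BER GeneralizedTime, and combined with SAML_Assertion_Source to decide whether the cached assertion may be reused. The function names, the account dict layout and the assumption that the server time is observed when the assertion arrives are this example's own; the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# The content octets of a BER GeneralizedTime, e.g. 20240301130000Z.
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def to_generalized_time(dt):
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def from_generalized_time(text):
    return datetime.strptime(text, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiration_for_client(server_not_on_or_after, server_now, client_now):
    """SAML_Assertion_Expiration: the assertion's NotOnOrAfter moved onto the
    client clock. skew = client_now - server_now is negative when the server
    clock runs ahead. Assumption: server_now is the server timestamp observed
    when the assertion arrived (such as its IssueInstant)."""
    skew = client_now - server_now
    return to_generalized_time(server_not_on_or_after + skew)


def should_reuse_assertion(account, auth_server_url, client_now):
    """Whether a stored account can skip re-authentication: the cab must hold an
    assertion, SAML_Assertion_Source must match the server being contacted, and
    SAML_Assertion_Expiration must still lie in the future on the client clock."""
    if not account.get("SAML_Assertion"):
        return False
    if account.get("SAML_Assertion_Source") != auth_server_url:
        return False
    expiry = account.get("SAML_Assertion_Expiration")
    if not expiry:
        return False
    return client_now < from_generalized_time(expiry)


if __name__ == "__main__":
    # Constructed sample: the server clock runs five minutes ahead of the client.
    server_now = datetime(2024, 3, 1, 12, 5, tzinfo=timezone.utc)
    client_now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    not_on_or_after = datetime(2024, 3, 1, 13, 5, tzinfo=timezone.utc)
    expiry = expiration_for_client(not_on_or_after, server_now, client_now)
    account = {"SAML_Assertion": {"xEncryptedData": b"<constructed>", "xIV": b"<constructed>"},
               "SAML_Assertion_Source": "https://idp.example.internal/auth",
               "SAML_Assertion_Expiration": expiry}
    print(expiry)   # 20240301130000Z: one hour of validity on the client clock
    print(should_reuse_assertion(account, "https://idp.example.internal/auth", client_now))
    print(should_reuse_assertion(account, "https://idp.example.internal/auth",
                                 client_now + timedelta(hours=1)))
```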

| Attribute | Value |
|---|---|
| Preference | SAML_Name_Format, SAML_Name_Qualifier, SAML_Name_Value |
| Data type | 5 (text) |
| Default | null |
| Version # | 8.0+ |
| User Path | Security\PPKHandler\RC |
| Lock Path | Not lockable |
| Summary | SAML_NAME_<Value, Format, Qualifier> together comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication. |
| Details | The identifier is essentially a machine-readable user name that is unaffected by the choice of authentication mechanism. |
| GUI mapping | N/A |


| Attribute | Value |
|---|---|
| Preference | SASL_UserName |
| Data type | 5 (text) |
| Default | null |
| Version # | 8.0+ |
| User Path | Security\PPKHandler\RC |
| Lock Path | Not lockable |
| Summary | The mechanism-specific persistent data. |
| Details | Some authentication implementations may store user data. For example, a user name and password mechanism may store the user name so that only the password needs to be entered during subsequent authentications. |
| GUI mapping | N/A |

Roaming ID Authentication
The authentication mechanism provider pertains only to roaming IDs. It enables you to specify one or more authentication mechanisms. The mechanism must be supported by the roaming ID server with which the application communicates.
The following features are available:
- Enabling multiple authentication mechanisms.
- Limiting the authentication mechanism to one specified type.
- Turning off authentication so that roaming IDs cannot be used.
Summary table

| Preference | Description |
|---|---|
| AuthMechanisms | Specifies which registered provider(s) to use. |
| AuthMechanisms | An array of text entries (t0-tn) where each entry contains the name of a registered provider. |

| Attribute | Value |
|---|---|
| Preference | AuthMechanisms |
| Data type | 8 (cab) |
| Default | An array of all values listed in the description. |
| Version # | 8.0+ |
| User Path | Security\ASPKI\SPIs |
| Lock Path | Not lockable |
| Summary | An array of text entries (t0-tn) where each entry contains the name of a registered provider. |
| Details | Possible entries: PLAIN = A mechanism defined in RFC2595 consisting of a single message specifying the user's ID and password; ASSP-Kerberos = A mechanism commonly used on Windows that passes a Single Sign On token and receives back a SAML assertion; ASSP-ArcotID = A mechanism recognized by Arcot roaming ID servers; ASSP-QnA = A mechanism that initiates a question-answer dialog between the user and server. |
| GUI mapping | N/A |

Kerberos Authentication
This option is only relevant if the ASSP-Kerberos SPI is selected.
Summary table

| Preference | Description |
|---|---|
| ServiceName | The administrator-specified roaming ID Kerberos service name. |

| Attribute | Value |
|---|---|
| Preference | ServiceName |
| Data type | 4 (string) |
| Default | null |
| Version # | 8.0+ |
| User Path | Security\ASPKI\Kerberos_AuthMechanism |
| Lock Path | Not lockable |
| Summary | The administrator-specified roaming ID Kerberos service name. |
| Details | If the key is not present, the default value of ASSP is assumed. If the key is present and the value is an empty string, Acrobat asks the roaming ID service for its Kerberos service name. This method is not secure and enterprises are advised not to use this option. |
| GUI mapping | N/A |

Self Sign Digital IDs
By default, users can create self signed digital IDs. However, if you would like to prevent users from creating their own IDs, turn this feature off. Disabling this option prevents users from selecting Create a self-signed ID option in Add ID workflows.
Summary table

| Preference | Description |
|---|---|
| SelfSignCertGen | Specifies whether or not the Create a self-signed ID option in Add ID workflows is available. |

| Attribute | Value |
|---|---|
| Preference | SelfSignCertGen |
| Data type | 0 (bool) |
| Default | 1 |
| Version # | 7.x+ |
| User Path | Security\PubSec |
| Lock Path | Not lockable |
| Summary | Specifies whether or not the Create a self-signed ID option in Add ID workflows is available. |
| Details | Prevents users from creating a self-signed digital ID. Note that for products released after June 2016, disabling a user's ability to create a self-signed digital ID requires setting both bSelfSignCertGen and bEnableCEFBasedUI to 0. Possible values: 0 = Don't allow creating self-signed digital IDs; 1 = Allow self-signed digital IDs. |
| GUI mapping | Create a self-signed digital ID for use with Acrobat. |

PKCS#11 Configuration
The key contains a list of P11 modules the user has loaded by choosing Attach Modules in the Security Settings console. By specifying a valid path to a PKCS#11 DLL, modules can be pre-attached to installed clients. Because various errors appear as a result of a bad filename or pointing to a dll that is not a valid PKCS#11 module, test the settings and file before distributing them.
The following options are available:
- Preconfiguring the key when tuning the installer and distributing the module file or when modules are already installed.
- Setting the default browse path in which to look for additional modules.
For Reader X (10.0), not all PKCS#11 devices may work with Protected Mode (PM) enabled. However, in most cases, they do. Installation of such devices usually involves disabling Protected Mode, installing the driver, restarting the application, and then re-enabling Protected Mode. For the latest information about PM compatibility with certain features, see http://kb2.adobe.com/cps/860/cpsid_86063.html.
Summary table
Modules |
Array of dynamic library paths to PKCS#11 modules. |
P11Credentials |
Contains an array of subcabs for all known PKCS#11 digital IDs. |
P11Path |
Stores the last folder in which the user browsed for a P11 module. |
|
Data type |
8 (cab)
|
Default |
n/a |
Version # |
7.x+ |
User Path |
Security\ASPKI\Adobe_P11CredentialProvider\ |
Lock Path |
Not lockable |
Summary |
Array of dynamic library paths to PKCS#11 modules. |
Details |
These may not necessarily be full paths but just something that the OS dynamic library loading functions will accept. For example, t0 may be a path to C:\WINDOWS\system32\dkck201.dll. |
GUI mapping |
Security Settings console > Attach Module |
|
Data type |
8 (cab)
|
Default |
n/a |
Version # |
7.x+ |
User Path |
Security\PPKHandler |
Lock Path |
Not lockable |
Summary |
Contains an array of subcabs for all known PKCS#11 digital IDs. |
Details |
The format of each subcab is as follows:
- xCert: Binary value of the certificate.
- xTokenKey: Binary value derived from the ID's PKCS#11 token. Initialize a SHA-1 digest, feed it the token label, token manufacturer, token model and token serial number (in that order), and finish the digest. The resulting 20-byte value is the token key.
|
GUI mapping |
N/A |
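The token-key derivation described above, written out as an added example (this is not Adobe's code). It hashes the four token fields in the stated order and also shows how to slice them out of a raw CK_TOKEN_INFO structure. Whether Acrobat hashes the fixed-width, space-padded fields or the trimmed strings is not stated on the page, so the padding handling is an assumption exposed as a parameter; compare the result against an xTokenKey value from a real P11Credentials entry to settle it. SHA-1 serves here only as a stable identifier for a token, not as a security control.

```python
import hashlib

# Leading fields of the PKCS#11 CK_TOKEN_INFO structure, in order, with their byte widths:
# label[32], manufacturerID[32], model[16], serialNumber[16]. All are space-padded.
TOKEN_INFO_FIELDS = (("label", 32), ("manufacturer", 32), ("model", 16), ("serial", 16))


def token_key(label: bytes, manufacturer: bytes, model: bytes, serial: bytes) -> bytes:
    """SHA-1 over label || manufacturer || model || serial; returns the 20-byte token key."""
    h = hashlib.sha1()
    for part in (label, manufacturer, model, serial):
        h.update(part)
    return h.digest()


def split_token_info(raw: bytes, strip_padding: bool = True) -> dict:
    """Slice the first 96 bytes of a raw CK_TOKEN_INFO into its four identifying fields.

    strip_padding=True trims the trailing spaces of each fixed-width field. Which variant
    Acrobat hashes is an assumption of this example, hence the switch.
    """
    if len(raw) < 96:
        raise ValueError("CK_TOKEN_INFO prefix must be at least 96 bytes")
    fields, offset = {}, 0
    for name, width in TOKEN_INFO_FIELDS:
        value = raw[offset:offset + width]
        fields[name] = value.rstrip(b" ") if strip_padding else value
        offset += width
    return fields


def token_key_from_token_info(raw: bytes, strip_padding: bool = True) -> bytes:
    """Derive the token key directly from a raw CK_TOKEN_INFO prefix."""
    f = split_token_info(raw, strip_padding)
    return token_key(f["label"], f["manufacturer"], f["model"], f["serial"])


def build_token_info(label: bytes, manufacturer: bytes, model: bytes, serial: bytes) -> bytes:
    """Construct a space-padded 96-byte CK_TOKEN_INFO prefix (constructed test data only)."""
    out = b""
    for value, (_, width) in zip((label, manufacturer, model, serial), TOKEN_INFO_FIELDS):
        if len(value) > width:
            raise ValueError(f"field longer than {width} bytes")
        out += value.ljust(width, b" ")
    return out


if __name__ == "__main__":
    # Constructed sample token; not a real device.
    info = build_token_info(b"Example Token", b"ACME Crypto", b"Model-X", b"0000001234")
    print("trimmed :", token_key_from_token_info(info).hex())
    print("padded  :", token_key_from_token_info(info, strip_padding=False).hex())
```

Run it against the label, manufacturer, model and serial a `pkcs11-tool --list-token-slots` style listing reports for the device, and compare both outputs with the hex of the xTokenKey stored under P11Credentials; whichever matches tells you which variant your version uses.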
Digital ID Defaults
Most digital ID default values are set by the application when a user first uses an ID, or when the user manually specifies a default in the Security Settings Console. Because user actions overwrite most values an administrator preconfigures, setting many of these properties is usually not worthwhile. It is possible, however, and the following options are available:
- Specifying a default URL to obtain a new digital ID. This value is NOT overwritten by user actions.
- Listing a set of attribute certificates.
- Specifying a default signing ID. This value is end user-specific.
- Specifying a default encryption ID. This value is end user-specific.
- Customizing a default directory server used to locate certificates that can be imported into the Trusted Identity Manager.
Note : Acrobat 9.0 users who configure a 3rd party security handler plugin may find that their non-default choice does not stick if the plugin calls PSUNregisterHandler(). That is, each time Acrobat restarts, the non-default security handler choice is lost. To fix the problem, change the plugin code to not call PSUNregisterHandler().
Summary table
ACs |
Contains a set of attribute certificates as binary data. |
CertSHA1 |
Identifies the default signing digital ID by its SHA1 hash of the public key. |
CertSHA1 |
Identifies the default encryption digital ID by its SHA1 hash of the public key. |
CredProvider |
Identifies credential service provider interface for the default signing digital ID. |
CredProvider |
Identifies credential service provider interface for the ASPKI provider which exposes this digital ID. |
CustomPrefsCreated |
Indicates whether a custom certificate specific preference (e.g. Identrus) has already been created and written to the registry. |
DefDirectory |
Default directory to use when searching for digital IDs. |
DefEnrollmentURL |
The destination URL when the user selects Enroll at an online CA while adding a new digital ID. |
DigitalIDFiles |
Contains an array of subcabs for all application-known digital ID files. |
|
Data type |
8 (cab)
|
Default |
null |
Version # |
7.x+ |
User Path |
Security\PPKHandler |
Lock Path |
Not lockable |
Summary |
Contains an array of subcabs for all application-known digital ID files. |
Details |
The format is as follows:
- cPath: The path to the digital ID file.
- cCredentials: An array of certificates that have corresponding private keys in the file.
- cCertificates: An array of certificates that are in the file but do not have an associated private key (usually CA certs). Certificates are stored as binary data.
|
GUI mapping |
N/A |
|
Data type |
5 (text)
|
Default |
null |
Version # |
7.x+ |
User Path |
Security\PPKHandler\CredSign |
Lock Path |
Not lockable |
Summary |
Identifies credential service provider interface for the default signing digital ID. |
Details |
The value is set when a user opens the Security Settings Console and specifies a default signing ID. The value depends on the type of the selected ID; for example, choosing a self-signed digital ID results in Adobe_FileCredentialProvider. See also xCertSHA1. |
GUI mapping |
N/A |
|
Data type |
5 (text)
|
Default |
null |
Version # |
7.x+ |
User Path |
Security\PPKHandler\CredSign |
Lock Path |
Not lockable |
Summary |
Identifies the default signing digital ID by its SHA1 hash of the public key. |
Details |
The value is set when a user opens the Security Settings Console and specifies a default signing ID. See also tCredProvider . |
GUI mapping |
N/A |
|
Data type |
5 (text)
|
Default |
null |
Version # |
7.x+ |
User Path |
Security\PPKHandler\CredCrypt |
Lock Path |
Not lockable |
Summary |
Identifies credential service provider interface for the ASPKI provider which exposes this digital ID. |
Details |
The value is set when a user opens the Security Settings Console and specifies a default encryption ID. The value depends on the type of the selected ID; for example, choosing a self-signed digital ID results in Adobe_FileCredentialProvider. See also xCertSHA1. |
GUI mapping |
N/A |
|
Data type |
5 (text)
|
Default |
null |
Version # |
7.x+ |
User Path |
Security\PPKHandler\CredCrypt |
Lock Path |
Not lockable |
Summary |
Identifies the default encryption digital ID by its SHA1 hash of the public key. |
Details |
The value is set when a user opens the Security Settings Console and specifies a default encryption ID. See also tCredProvider. |
GUI mapping |
N/A |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
7.x+ |
User Path |
Security\PPKHandler |
Lock Path |
Not lockable |
Summary |
Indicates whether a custom certificate specific preference (e.g. Identrus) has already been created and written to the registry. |
Details |
If true, it doesn't get created again. Deleting or setting this key to 0 forces Acrobat to recreate custom certificate preferences after which it will reset this key to 1. |
GUI mapping |
N/A |
|
Data type |
2 (atom)
|
Default |
Adobe.PPKMS.ADSI.dir0 |
Version # |
7.x+ |
User Path |
Security\PPKHandler |
Lock Path |
Not lockable |
Summary |
Default directory to use when searching for digital IDs. |
Details |
On Windows, the Adobe.PPKMS security handler provides access through the Microsoft Active Directory Service Interfaces (ADSI) to all the directories the user created in the Security Settings Console. These directories are named in the format (directory handler) + (index); for example, Adobe.PPKMS.ADSI.dir0, Adobe.PPKMS.ADSI.dir1, and so on. Unsupported on Linux and Macintosh. |
GUI mapping |
Setting a default search directory affects the UI in two places: A star appears next to the default directory in the Security Settings Console and the directory is moved to the top of the directories' drop down list in the Trusted Identities Manager's Search for Recipients dialog. |
Digital ID File Import and Export
The digital ID default path preferences point to the application security folder. For example, C:\Documents and Settings\(user name)\Application Data\Adobe\Acrobat\8.0\Security. The path is used when the user imports or exports an ID from the Security Settings Console. Since the application remembers the last accessed directory, if a user chooses a different directory, that action will overwrite the preconfigured value an administrator might provide.
The following options are available:
- Specifying a default path for exporting and importing digital ID certificates (does not include private keys).
- Specifying a default path for saving newly created digital ID files.
Summary table
EmbeddedFilePath |
The path last chosen for extracting an embedded file from a WebBuy FDF. |
ExportPath |
Default path for exporting credentials. |
ImportPath |
Default path for importing credentials. |
ProfilePath |
Default path for storing profile files such as PKCS#12 files. |
|
Data type |
8 (cab)
|
Default |
See description below. |
Version # |
7.x+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
Default path for exporting credentials. |
Details |
Used by all security plugins. The default value is the application security folder. For example, C:\Documents and Settings\<user name>\Application Data\Adobe\Acrobat\8.0\Security. |
GUI mapping |
N/A |
|
Data type |
8 (cab)
|
Default |
See the description. |
Version # |
7.x+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
Default path for importing credentials. |
Details |
Used by all security plugins. The default value is the application security folder. For example, C:\Documents and Settings\<user name>\Application Data\Adobe\Acrobat\8.0\Security. |
GUI mapping |
N/A |
Adobe Acrobat Trust List
The Adobe Approved Trust List (AATL) program lets the application automatically trust digital signatures that chain to the AATL certificates. By default, both Acrobat and Reader download a list of trusted root certificates automatically. 9.x products download every 90 days, while 10.x and later products download every 30 days.
To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust. For more about the AATL program, see the AATL page and the related blog.
Summary table
AskBeforeInstalling |
Specifies whether these trust anchors are imported silently or Acrobat asks the user for permission first. To disable the download feature entirely, set bLoadSettingsFromURL to 0. |
CheckEvery |
The value in seconds that the application should check for new certificates to download from Adobe. |
data |
Binary data used for internal purposes. |
LoadSettingsFromURL |
Specifies whether or not trust anchors should be periodically downloaded from Adobe. |
ResourceID |
An internally used number created by Acrobat when it first sets up the resource pointed to by the URL. |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
9.0+ |
User Path |
Security\DigSig\AdobeDownload |
Lock Path |
Not lockable |
Summary |
Specifies whether these trust anchors are imported silently or Acrobat asks the user for permission first. To disable the download feature entirely, set bLoadSettingsFromURL to 0. |
Details |
- 0: Enable and install silently
- 1: Enable and ask before installing
|
GUI mapping |
Preferences > Trust Manager > Adobe certificate settings panel > Ask before installing checkbox |
|
Data type |
0 (bool)
|
Default |
9.x and earlier: 0; 10: 1 |
Version # |
9.0+ |
User Path |
Security\DigSig\AdobeDownload |
Lock Path |
Not lockable |
Summary |
Specifies whether or not trust anchors should be periodically downloaded from Adobe. |
Details |
- 0: Don't load settings from an URL.
- 1: Do load settings from an URL.
|
GUI mapping |
Preferences > Trust Manager > Adobe certificate settings panel > Load security settings from a server |
|
Data type |
1 (int)
|
Default |
604800 |
Version # |
9.0+ |
User Path |
Security\DigSig\AdobeDownload |
Lock Path |
Not lockable |
Summary |
The value in seconds that the application should check for new certificates to download from Adobe. |
Details |
If this preference exists, the default is one week. Set this to 0 if you'd like the application to check on startup. |
GUI mapping |
N/A |
European Union Trust List
Like the AATL program, the European Union Trust List (EUTL) program lets the application automatically trust digital signatures that chain to trustworthy EUTL certificates. While the feature was introduced with 11.0.06, the first EUTL trust lists were made available with the October 13, 2015 release.
To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust.
Note that both the AATL and EUTL features load certificates into the user's Acrobat Address Book (Acrobat Trust Store). The additional EUTL certificates increase the size of the address book and can slow signature validation in versions 11.0.06 to 11.0.10. Later product versions should validate in about half a second. If you experience performance issues, update to the latest product. Alternatively, you can remove the EUTL preference (not recommended).
For more about the EUTL program, see the blog.
Summary table
AskBeforeInstalling |
Specifies whether these trust anchors are imported silently or Acrobat asks the user for permission first. To disable the download feature entirely, set bLoadSettingsFromURL to 0. |
CheckEvery |
The value in seconds that the application should check for new certificates to download from Adobe. |
data |
Binary data used for internal purposes. |
LoadSettingsFromURL |
Specifies whether or not trust anchors should be periodically downloaded from Adobe. |
ResourceID |
An internally used number created by Acrobat when it first sets up the resource pointed to by the URL. |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
11.0.06+ |
User Path |
Security\DigSig\EUTLDownload |
Lock Path |
Not lockable |
Summary |
Specifies whether these trust anchors are imported silently or Acrobat asks the user for permission first. To disable the download feature entirely, set bLoadSettingsFromURL to 0. |
Details |
- 0: Enable and install silently
- 1: Enable and ask before installing
|
GUI mapping |
Preferences > Trust Manager > European Union certificate settings panel > Ask before installing checkbox |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
11.0.06+ |
User Path |
Security\DigSig\EUTLDownload |
Lock Path |
Not lockable |
Summary |
Specifies whether or not trust anchors should be periodically downloaded from Adobe. |
Details |
- 0: Don't load settings from an URL.
- 1: Do load settings from an URL.
|
GUI mapping |
Preferences > Trust Manager > European Union certificate settings panel > Load security settings from a server |
|
Data type |
1 (int)
|
Default |
604800 |
Version # |
11.0.06+ |
User Path |
Security\DigSig\EUTLDownload |
Lock Path |
Not lockable |
Summary |
The value in seconds that the application should check for new certificates to download from Adobe. |
Details |
If this preference exists, the default is one week. Set this to 0 if you'd like the application to check on every startup. |
GUI mapping |
N/A |
Windows Integration
While Acrobat has its own store, the Windows store may already contain needed certificates or your enterprise may simply be a Windows shop. Windows integration allows end users to search for and use certificates in the Windows Certificate Store.
End users can configure their application for Windows integration through the application's Preference panel. Configuration options allow users to search the Windows store from the Trusted Identity Manager (through the Search button), set trust levels for any found certificate, and choose which certificates to use for encryption (once the certificate is located and added to the Trusted Identity Manager). If a user has a personal ID in the Windows store, it appears in the Security Settings Console automatically without any special configuration.
Administrators can control whether clients can access MSCAPI through Acrobat so that users can find, use, and set trust levels for Windows certificates.
The following options are available:
- Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.
- Setting separate trust levels for approval and certification signatures.
- Preventing end user modification of certificate trust levels.
- Tuning the service provider interface for:
- Certificate Providers (for Signing and Decryption)
- Revocation Checker Providers
- Signature Validation Directory Providers
Summary table
CertStoreImportEnable |
If true, then users can import from MSCAPI certificate stores into their Trusted Identity Manager. |
MSStoreTrusted |
Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying. |
MSStoreTrusted |
Locks the UI so that end users cannot change the value set by iMSStoreTrusted |
|
Data type |
1 (int)
|
Default |
0x00 |
Version # |
7.0+ |
User Path |
Security\ASPKI\MSCAPI_DirectoryProvider |
Lock Path |
Not lockable |
Summary |
Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying. |
Details |
To lock this setting, use bMSStoreTrusted. Allowable values include:
- 0x00: No checkbox selected.
- 0x60: Validating Signatures.
- 0x62: Validating Certified Documents and Signatures. Note that this setting disables the Validating Signatures checkbox because it also controls non-certified signatures and users should not be able to uncheck that checkbox.
|
GUI mapping |
Preferences > Security > Advanced Preferences > Windows Integration > (both Windows settings: Validating Signatures and Validating Certified Documents.) |
|
Data type |
1 (int)
|
Default |
null |
Version # |
7.0+ |
Lock Path |
FeatureLockDown\Security\ASPKI\MSCAPI_DirectoryProvider |
Summary |
Locks the UI so that end users cannot change the value set by iMSStoreTrusted |
Details |
Set iMSStoreTrusted first, then use this preference to lock it. Allowable values include:
- 0: Lock the UI.
- 1: Same as null. Don't lock the UI.
|
GUI mapping |
N/A |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
7.x+ |
User Path |
Security\PPKHandler |
Lock Path |
Not lockable |
Summary |
If true, then users can import from MSCAPI certificate stores into their Trusted Identity Manager. |
GUI mapping |
Preferences > Security > Advanced Preferences > Windows Integration tab > Enable searching the Windows Certificate Store for certificates other than yours |
Trusted Identity List Configuration
The trusted identity list contains all of a user's imported certificates, which are used for validating other people's signatures or encrypting documents for them. The list is maintained and managed via the Trusted Identity Manager; however, administrators can preconfigure applications to use non-default list files, add certificates from the Windows store, and so on.
The following options are available:
- Creating a custom filename/file for the trusted identity list.
- Specifying a non-default security handler to control Trusted Identity Manager functions. For details, see aAddressBook.
- Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.
- Turning off and on the ability to automatically download certificates sent by Adobe to users over the internet via bLoadSettingsFromURL.
Summary table
AddressBook |
The filename the Trusted Identity Manager uses to read and write addressbook data. |
Signature Validation Directory Providers
The directory provider SPI provides access to trust anchors and intermediate CAs used for signature validation. By default, certificates in all of the supported locations are used.
The following options are available:
- Preventing or allowing access to certificates in P12 files. End users must also be logged in to the file.
- Preventing or allowing access to certificates in the Trusted Identity Manager.
- Preventing or allowing access to certificates in the Windows Certificate Store.
- Preventing or allowing access to self-signed certificates created by an Adobe application.
Summary table
DirectoryProvider |
Specifies a directory provider for signature validation. |
DirectoryProvider |
An array of text entries (t0-tn) containing the name of a registered provider. |
|
Data type |
8 (cab)
|
Default |
All of the available values. See the description. |
Version # |
7+ |
User Path |
Security\ASPKI\SPIs |
Lock Path |
Not lockable |
Summary |
An array of text entries (t0-tn) containing the name of a registered provider. |
Details |
- Adobe_FileCredentialDirectoryProvider: Provides access to PKCS#12 files.
- AAB_DirectoryProvider: Provides access to the Trusted Identity Manager.
- MSCAPI_DirectoryProvider: Provides access to the Windows Certificate Store.
- Adobe_SelfSignedCredDirectoryProvider: Provides access to self signed certificates created by Acrobat.
|
GUI mapping |
N/A |
Signature Validation (Main Settings)
While users can configure these general signature validation preferences via the GUI, admins usually preconfigure the application.
The following options are available:
- Controlling whether all signatures are validated when a document opens.
- Specifying which time to use when validating a signature.
- Specifying when to do revocation checking, as well as the effect of a failed or bad response.
- Using expired timestamps.
- Showing timestamp warnings in the Document Message Bar.
Summary table
enableCTK |
Controls support for CryptoTokenKit-based smart cards on Mac |
ReqRevCheck |
Specifies whether revocation checks are required to succeed. |
ReqRevCheck |
Locks Security\cASPKI\cASPKI\cVerify\iReqRevCheck and disables the user interface item. |
ShowSignerWarnings |
Specifies whether to show a warning that there is a greater forgery risk when revocation information is embedded in the signature. |
ShowTSWarnsInDMB |
Specifies whether to show timestamp warnings in the Document Message Bar. |
SigVerificationTime |
Indicates the time at which signature validation should occur. |
ValidateOnOpen |
Specifies whether to automatically validate all signatures on document open. |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
2019.012.20036, 2017.011.30144 (both tracks) |
User Path |
Security\ASPKI\ASPKI\enableCTK |
Lock Path |
Not lockable |
Summary |
Controls support for CryptoTokenKit-based smart cards on Mac |
Details |
Possible values include:
- 0: Don't allow CryptoTokenKit-based smart cards.
- 1: Use CryptoTokenKit-based smart cards for signing.
|
GUI mapping |
Preferences > Signatures > Creation and Appearance > More > Enable CryptoTokenKit framework support |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
7.0+ |
User Path |
Security\DigSig |
Lock Path |
FeatureLockDown\Security\DigSig |
Summary |
Specifies whether to automatically validate all signatures on document open. |
Details |
Note that the lockable setting does not configure the feature; instead, it locks what is set in HKCU and the user interface.
- 0: Don't validate signatures on document open.
- 1: Validate signatures on document open.
|
GUI mapping |
Preferences > Security > Verify signatures when the document is opened |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
9.4.6+ |
User Path |
Security\PPKHandler |
Lock Path |
Not lockable |
Summary |
Specifies whether to show a warning that there is a greater forgery risk when revocation information is embedded in the signature. |
Details |
Because this warning was removed from 10.x products, this preference is only applicable to 9.4.6 and later products in the 9.x line. Possible values include:
- 0: Don't show the warnings.
- 1: Do show the warnings.
|
GUI mapping |
The Signer tab in the Signature Properties dialog. |
|
Data type |
1 (int)
|
Default |
1 (9.1 and later: 2) |
Version # |
7.0+ |
User Path |
Security\PPKHandler |
Lock Path |
Not lockable |
Summary |
Indicates the time at which signature validation should occur. |
Details |
Possible values include:
- 0: Always carry out the verification at current time
- 1: Use the signing time if it's secure (e.g. timestamped), else use current time
- 2: Always use signing time
|
GUI mapping |
Preferences > Security > Advanced Preferences > Verification tab |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
9.1-10.0 |
User Path |
Security\DigSig |
Lock Path |
Not lockable |
Summary |
Specifies whether to show timestamp warnings in the Document Message Bar. |
Details |
For 9.1, a bug prevented this feature from working.
- 0: Warnings do not appear in the DMB.
- 1: Warnings appear in the DMB.
|
GUI mapping |
Preferences > Security > Advanced Preferences > Verification tab > Show timestamp warnings in Document Message Bar |
|
Data type |
1 (int)
|
Default |
2 |
Version # |
7.0+ |
User Path |
Security\ASPKI\ASPKI\Verify |
Lock Path |
Not lockable |
Summary |
Specifies whether revocation checks are required to succeed. |
Details |
The user interface exposes this preference as a checkbox to simplify the end-user experience: a checked box translates to 2 (RequiredIfInfoAvailable) and an unchecked box to 0 (no checks). Levels 1 and 3 can only be set in the registry. This setting doesn't affect Ubiquity signature verification, where the value is always 1. It interacts with the other iReqRevCheck settings. Possible values include the following:
- 0: Don't do revocation checks.
- 1: Do a check if CRL distribution point (CRL DP) or AIA information resides in the certificate or registry; don't fail if the check fails.
- 2: Do a check if CRL DP or AIA information resides in the certificate or registry; if data is present and a check occurs, all checks must succeed.
- 3: Require a check; it must succeed under all circumstances.
Note:
Lockable via bReqRevCheck
|
GUI mapping |
Preferences > Security > Advanced Preferences > Verification tab > Require certificate revocation checking to succeed. . . |
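A model of the four iReqRevCheck levels as an added example (this is not Acrobat's code; it encodes the semantics described above so the soft-fail, hard-fail and required cases can be compared on a constructed chain). The page does not say whether a definite "revoked" answer is treated differently from an unreachable responder at level 1, so the model follows the page's wording and treats any failed check the same way; that simplification is an assumption of this example.

```python
from enum import IntEnum
from typing import List, Optional, Tuple


class ReqRevCheck(IntEnum):
    NO_CHECK = 0         # never perform revocation checks
    CHECK_SOFT_FAIL = 1  # check if CRL DP/AIA info exists; a failed check does not invalidate
    CHECK_HARD_FAIL = 2  # check if info exists; if a check runs it must succeed (UI checkbox on)
    REQUIRED = 3         # a check must run and must succeed under all circumstances


def policy_from_checkbox(checked: bool) -> ReqRevCheck:
    """The Verification tab checkbox only toggles between 2 and 0; 1 and 3 are registry-only."""
    return ReqRevCheck.CHECK_HARD_FAIL if checked else ReqRevCheck.NO_CHECK


def revocation_verdict(policy: int, has_rev_info: bool, check_ok: Optional[bool]) -> str:
    """Outcome of the revocation step for one certificate: 'valid', 'invalid' or 'skipped'.

    has_rev_info: CRL DP or AIA data is present in the certificate or the registry.
    check_ok:     result of the check that was run, or None if no check ran.
    Assumption: 'responder unreachable' and 'certificate revoked' are both check_ok=False,
    because the page describes only 'the check fails'.
    """
    level = ReqRevCheck(policy)
    if level is ReqRevCheck.NO_CHECK:
        return "skipped"
    if not has_rev_info:
        # No pointer to revocation data: only level 3 counts that as a failure.
        return "invalid" if level is ReqRevCheck.REQUIRED else "skipped"
    if check_ok is None:
        raise ValueError("revocation info is present, so a check result is expected")
    if check_ok:
        return "valid"
    # The check ran and failed: level 1 ignores it, levels 2 and 3 reject the certificate.
    return "valid" if level is ReqRevCheck.CHECK_SOFT_FAIL else "invalid"


def chain_verdict(policy: int, chain: List[Tuple[bool, Optional[bool]]]) -> str:
    """Apply the policy to every certificate in a chain; a single 'invalid' fails the chain."""
    verdicts = [revocation_verdict(policy, info, ok) for info, ok in chain]
    return "invalid" if "invalid" in verdicts else "valid"


if __name__ == "__main__":
    # Constructed chain: end-entity checked OK, intermediate check failed,
    # root carries no revocation pointers at all.
    chain = [(True, True), (True, False), (False, None)]
    for level in ReqRevCheck:
        print(f"{level.name:16} -> {chain_verdict(level, chain)}")
```

The constructed chain is the case that separates the levels: a leaf whose check passed, an intermediate whose check failed, and a root with no CRL DP or AIA. Level 1 still reports it valid, level 2 rejects it because a check ran and failed, and level 3 would reject it even with a healthy intermediate because the root has nothing to check.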
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
8.0+ |
Lock Path |
FeatureLockDown\Security\ASPKI\ASPKI\Verify |
Summary |
Locks Security\cASPKI\cASPKI\cVerify\iReqRevCheck and disables the user interface item. |
GUI mapping |
Preferences > Security > Advanced Preferences > Verification tab > Require certificate revocation checking to succeed . . . |
Signature Validation Status Icons
By default, when an application validates a signature it displays a signature status icon in the Signature Properties dialog, and in the Signatures Pane. You can customize status icon behavior for a particular enterprise requirement. For example, a blue i appears on a signature status icon based on certain rules when a document is changed after it was signed.
The following options are available:
- Controlling whether the icon appears in signature appearances with bSigAPStatusIconDisable. Showing validation status inside the page content is a risk because a document author can draw a convincing fake status icon into the page itself; since 9.x the status is therefore reported in the Document Message Bar and Signatures Pane, which the document cannot imitate.
- Turning off the icon for signature appearances AND removing the Hide signature field validity icon when signature is valid option from the user interface, so the user cannot change the setting, with iDisplayValidIcon.
- Turning on the icon for valid signatures only with iDisplayValidIcon.
- Turning off the blue i in the Signature Properties dialog and Signatures Pane with bShowWarningForChanges.
Summary table
DisplayValidIcon |
Determines when the signature status icon is displayed in a signature appearance. |
ShowWarningForChanges |
Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed. |
SigAPStatusIconDisable |
Controls whether the signature status icon is displayed in the signature appearance on the document. |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
7.0+ |
User Path |
Security\DigSig |
Lock Path |
Not lockable |
Summary |
Controls whether the signature status icon is displayed in the signature appearance on the document. |
Details |
If true, status icon is not displayed regardless of signature status. This setting overrides iDisplayValidIcon and bShowWarningForChanges. |
GUI mapping |
N/A |
|
Data type |
1 (int)
|
Default |
null for 9.0 and later; 0 for pre 9. |
Version # |
7.0+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
Determines when the signature status icon is displayed in a signature appearance. |
Details |
Possible values include:
- 0: Always.
- 1: Display except when the signature is valid.
- 2: Never. This value disables bShowWarningForChanges and removes the Hide signature field validity icon option from the GUI. This setting does not affect the icons in the Signatures Pane or in the Signature Properties dialog.
Note:
This UI item was removed from versions 9.x and later because signature status was moved to the Document Message Bar.
|
GUI mapping |
Versions prior to 9.x only: Preferences > Security > Advanced Preferences > Verification tab > Hide signature field validity icon when signature is valid. |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
7.0+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed. |
Details |
If true, a document change results in a blue i status icon appearing for validated approval signatures. Use this setting when users need to know a document has changed after it was signed.
If false, the status icon remains a green check and pen even if a document changes after it is signed. The setting provides a method for administrators to turn off the blue i in workflows where documents can be changed or signed multiple times.
This setting does not affect certification signatures. The warning icon never appears for valid certification or approval signatures in certified documents if the signatures were allowed by the certifier.
Interacts with iDisplayValidIcon which cannot be set to 2, or the icons will not appear regardless of how bShowWarningForChanges is set. |
GUI mapping |
N/A |
Signature Validation Logging
Versions 8.x and later enable logging certificate validation and revocation checking information. You can set both the logging level and log location. The path must already exist for logging to take place. Note that when Protected Mode is enabled, the log file path must be one that Protected Mode permits.
The following options are available:
- Specifying a logging path and filename.
- Setting a logging level.
Chain building log file settings
[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_ChainBuilder]
"iLogLevel"=dword:00000008
"sLogFilePath"=hex:(binary path to an existing directory for the log file)
Log file for troubleshooting certificate validation
20070207000213Z: ---------------------------
20070207000213Z: Chain builder: Starting chain validation. Chain length = 3
20070207000213Z: Processing Certificate: DN: ou=VeriSign Trust Network, ou=(c) 1998 VeriSign, Inc. - For authorized use only, ou=Class 2 Public Primary Certification Authority - G2, o=VeriSign, Inc., c=US Serial: 00B92F60CC889FA17A4609B85B706C8AAF
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: cn=Enterprise Services CA, ou=Class 2 OnSite Individual Subscriber CA, ou=Terms of use at https://www.verisign.com/rpa (c)01, ou=VeriSign Trust Network, o=Adobe Systems Incorporated Serial: 0C0DB7043D0427BEB15AECA02DC95903
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: email=example@adobe.com, cn=Ben Writer, ou=Adobe CPS - http://www.adobe.com/misc/CPS.html, ou=www.verisign.com/repository/CPS Incorp. by Ref., LIAB.LTD(c)99 Serial: 5C41B5256825491A4981D4FABFCCA044
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Finished Chain Validation. Trouble Flags: 0
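An added parser for the log format above (example code, not part of Acrobat or of the page), for the case where these logs are collected from many machines: it recovers the declared chain length, each certificate's DN and serial, the verification time, and the TroubleFlags value, and flags runs that ended with a non-zero value or with fewer certificates than declared. The embedded sample is a constructed copy of the page's log; the regular expressions tolerate missing spaces, so copies whose whitespace was lost in extraction still parse.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the page's format. Timestamps are UTC (trailing "Z").
SAMPLE_LOG = """\
20070207000213Z: ---------------------------
20070207000213Z: Chain builder: Starting chain validation. Chain length = 3
20070207000213Z: Processing Certificate: DN: ou=VeriSign Trust Network, ou=(c) 1998 VeriSign, Inc. - For authorized use only, ou=Class 2 Public Primary Certification Authority - G2, o=VeriSign, Inc., c=US Serial: 00B92F60CC889FA17A4609B85B706C8AAF
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: cn=Enterprise Services CA, ou=Class 2 OnSite Individual Subscriber CA, ou=Terms of use at https://www.verisign.com/rpa (c)01, ou=VeriSign Trust Network, o=Adobe Systems Incorporated Serial: 0C0DB7043D0427BEB15AECA02DC95903
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: email=example@adobe.com, cn=Ben Writer, ou=Adobe CPS - http://www.adobe.com/misc/CPS.html, ou=www.verisign.com/repository/CPS Incorp. by Ref., LIAB.LTD(c)99 Serial: 5C41B5256825491A4981D4FABFCCA044
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Finished Chain Validation. Trouble Flags: 0
"""

# \s* everywhere so that copies with stripped whitespace still match.
LINE_RE = re.compile(r"^(\d{14}Z):\s*(.*)$")
START_RE = re.compile(r"Chain\s*length\s*=\s*(\d+)", re.I)
CERT_RE = re.compile(r"Processing\s*Certificate:\s*DN:\s*(.*?)\s*Serial:\s*([0-9A-Fa-f]+)\s*$", re.I)
VTIME_RE = re.compile(r"verification\s*time\s*=\s*(\d{14}Z)", re.I)
END_RE = re.compile(r"Finished\s*Chain\s*Validation\.\s*Trouble\s*Flags:\s*(\d+)", re.I)


@dataclass
class CertEntry:
    dn: str
    serial: str
    verification_time: Optional[str] = None


@dataclass
class ChainRun:
    started: str
    declared_length: int
    certs: List[CertEntry] = field(default_factory=list)
    trouble_flags: Optional[int] = None

    @property
    def complete(self) -> bool:
        """The run reached 'Finished' and logged as many certificates as it announced."""
        return self.trouble_flags is not None and len(self.certs) == self.declared_length

    @property
    def clean(self) -> bool:
        return self.complete and self.trouble_flags == 0


def parse_chain_log(text: str) -> List[ChainRun]:
    """Split a chain-builder log into one ChainRun per 'Starting chain validation' block."""
    runs: List[ChainRun] = []
    current: Optional[ChainRun] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate lines that are not log records
        ts, msg = m.groups()
        if (s := START_RE.search(msg)):
            current = ChainRun(started=ts, declared_length=int(s.group(1)))
            runs.append(current)
        elif current is None:
            continue
        elif (c := CERT_RE.search(msg)):
            current.certs.append(CertEntry(dn=c.group(1).strip(), serial=c.group(2).upper()))
        elif (v := VTIME_RE.search(msg)) and current.certs:
            current.certs[-1].verification_time = v.group(1)
        elif (e := END_RE.search(msg)):
            current.trouble_flags = int(e.group(1))
            current = None
    return runs


if __name__ == "__main__":
    for run in parse_chain_log(SAMPLE_LOG):
        status = "clean" if run.clean else "ATTENTION"
        print(f"{run.started} len={run.declared_length} flags={run.trouble_flags} {status}")
        for cert in run.certs:
            print(f"  {cert.serial}  {cert.dn}")
```

Point `parse_chain_log` at the file named by sLogFilePath; runs that are not `clean` are the ones to look at, and the serials give you something to correlate with the CA's CRL without re-reading the DNs by hand.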
Summary table
LogFilePath |
Specifies the full path of the text log file; for example: C:\ASPKI.log. |
LogLevel |
Specifies the log level during chain building and validation. |
|
Data type |
4 (string)
|
Default |
null |
Version # |
8.0+ |
User Path |
Security\ASPKI\Adobe_ChainBuilder |
Lock Path |
Not lockable |
Summary |
Specifies the full path of the text log file; for example: C:\ASPKI.log. |
Details |
The value is stored as binary data, so in a .reg file it must be written in hexadecimal (hex:) form. The file must already exist. When Protected Mode is enabled, the log file path must be one that Protected Mode permits, such as the sandbox's Temp directory or the product AppData directory. Alternatively, enable bUseWhitelistConfigFile and specify a custom location. |
GUI mapping |
N/A |
|
Data type |
1 (int)
|
Default |
null |
Version # |
8.0+ |
User Path |
Security\ASPKI\Adobe_ChainBuilder |
Lock Path |
Not lockable |
Summary |
Specifies the log level during chain building and validation. |
Details |
The supported levels include:
- 1: fatal errors
- 2: possible errors
- 4: informational messages
- 8: verbose information
- 0xFFFFFFFF: all messages
|
GUI mapping |
N/A |
Signature Validation Rev Check Constraints
The following options are available:
- Requiring signature property verification such as timestamps. Signatures will not be valid if this key is true and timestamp verification does not succeed.
- Limiting the number of nested verification sessions to prevent looping.
- Limiting the amount of time the signing time can be after the validation time.
- Forcing revocation checks on intermediate and self-signed trust anchors (those which aren't roots).
Summary table
- MaxClockSkew: The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid.
- MaxVerifySession: Specifies the maximum number of nested verification sessions allowed.
- ReqSigPropVerification: Specifies whether signature property verification must succeed for a signature to be valid.
- RevCheckTrust: Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots).
RevCheckTrust
Data type: 0 (bool)
Default: 1
Version #: 10.1.2 and 9.5+
User Path: ASPKI\ASPKI\Verify
Lock Path: Not lockable
Summary: Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots).
Details: In previous versions, the application did not perform revocation checks on any intermediate trust anchors, since it was assumed they were self-signed. With 10.1.2 and 9.5, this setting enables revocation checking on intermediate trust anchors if such information is available.
Trust anchors from third parties are often installed locally to facilitate signature validation. Because such a trust anchor could become compromised and thereby expose the host machine to malicious attack, the third-party provider would in that case revoke its certificate. This preference enables detecting that revocation by forcing a revocation check on any intermediate trust anchor. Root and self-signed certificates are exempt from checking. Possible values include:
- 0: Don't perform a revocation check on intermediate trust anchors.
- 1: Perform a revocation check on intermediate trust anchors.
GUI mapping: N/A
MaxVerifySession
Data type: 1 (int)
Default: 5
Version #: 8.0+
User Path: Security\ASPKI\ASPKI\Verify
Lock Path: Not lockable
Summary: Specifies the maximum number of nested verification sessions allowed.
Details: This prevents the application from entering an infinite loop while verifying OCSP and/or CRL signer certificates, which an incorrect OCSP and/or CRL certificate setup can otherwise cause.
GUI mapping: N/A
MaxClockSkew
Data type: 1 (int)
Default: 65 (minutes)
Version #: 8.0+
User Path: Security\PubSec
Lock Path: Not lockable
Summary: The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid.
Details: PubSec verifies that a document was not signed in the future by comparing the verifier's system time with the time embedded in the signature dictionary. Whenever time comes into the picture, there is always the possibility that the signer's and verifier's clocks are out of sync. MaxClockSkew accommodates such differences.
GUI mapping: N/A
Signature Validation Rev Check (OCSP)
OCSP revocation checking can occur both during signature creation and signature validation on both the signing certificate as well as for the certificates associated with any revocation check responses. It is possible to require certain features for certificates used to sign OCSP requests and responses. If either does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. See RFC 2560 for details.
Prior to 10.1, OCSP responses without nextUpdate were never embedded in a signature. For 10.1 and later, OCSP responses are always embedded irrespective of the presence of nextUpdate; however, whether they are used for signature validation depends on certain conditions:
- Validation time is greater than thisUpdate minus the value of iMaxClockSkew (the default is 5 minutes). This test is always performed.
- When nextUpdate is present and the validation time is less than the nextUpdate time plus the value of iMaxClockSkew.
- When nextUpdate is not present and the validation time is less than the thisUpdate time or the producedAt time (whichever is greater) plus the value of iMaxClockSkew.
If you need a relaxed security environment (for example, when the responder is caching OCSP responses), bIgnoreNextUpdate can be set to 1 to ignore the last test. In this case, embedded responses without nextUpdate are always used for signature validation provided that they pass the first test.
This behavior is designed to support the long term validation feature and allows validating a signature with embedded responses that were valid at signing time. The following options are available:
- Specifying when to do revocation checking as well as the effect of a failed or bad response.
- Specifying when and where to go online to get a response.
- Specifying whether to include a nonce. Nonces are randomly generated numbers that are sent with a request and matched by a response. They improve security by assuring communication with an active, non-spoofed server.
- Using or ignoring a response's thisUpdate and nextUpdate times to control its validity.
- Setting a limit on the amount of time difference between the local time and response's publish time.
- Allowing or disallowing the OCSPNoCheck extension.
- Requiring the presence of a public key hash extension (bRequireOCSPCertHash).
- Specifying whether OCSP requests should be signed (bSignRequest).
- Requiring the presence of a particular OID in a request (sSignCertOID).
It is possible to require certain features for certificates used to sign OCSP responses. If a response does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. The following options are available:
- Allowing or disallowing the OCSPNoCheck extension.
- Requiring the presence of a public key hash extension via bRequireOCSPCertHash.
Summary table
- AllowOCSPNoCheck: Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate.
- ExpiredCertGoOnline: Specifies whether to go online to get the revocation information for an expired certificate.
- GoOnline: Specifies whether to go online to do revocation checking.
- IgnoreNextUpdate: Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew.
- IgnoreValidityDates: Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
- MaxClockSkew: The number of minutes the local machine time can vary from the response's published time to account for network delay, time synchronization issues, and so on.
- ReqRevCheck: Indicates whether revocation checks are required to succeed on the OCSP response.
- RequireOCSPCertHash: Specifies whether a certificate public key hash extension must be present in OCSP responses.
- ResponseFreshness: Specifies the amount of time in minutes after the response's published thisUpdate time for which the response will be valid.
- SendNonce (bool, deprecated with 10.0): Specifies signature validation behavior with respect to nonces.
- SendNonce (int, 10.0+): Specifies signature validation behavior with respect to nonces.
- SignRequest: Specifies whether the OCSP request should be signed.
- URL: The URL used to fetch OCSP responses.
- URLToConsult: Specifies how the revocation checker chooses which responder to use.
SignRequest
Data type: 0 (bool)
Default: 1
Version #: 9.0+
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: Specifies whether the OCSP request should be signed.
Details: Some OCSP providers require that OCSP requests are signed (e.g., IdenTrust).
- 0: Don't sign the OCSP request.
- 1: Force Acrobat to sign OCSP requests prior to sending.
GUI mapping: N/A
ReqRevCheck
Data type: 1 (int)
Default: 2
Version #: 7.0+
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: Indicates whether revocation checks are required to succeed on the OCSP response.
Details: Interacts with the other iReqRevCheck settings. Possible values include:
- 0: Don't do revocation checks.
- 1: Do a check IF the certificate has an AIA extension or responder info is in the registry; don't fail if the check fails.
- 2: Do a check IF the certificate has an AIA extension or responder info is in the registry; all checks must succeed if there is data and a check occurs.
- 3: Require a check; it must succeed under all circumstances.
GUI mapping: N/A
URLToConsult
Data type: 1 (int)
Default: 0
Version #: 7.0+
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: Specifies how the revocation checker chooses which responder to use.
Details: Possible values include:
- 0: Use the AIA extension in the certificate.
- 1: Use the URL key in sURL.
- 2: Use the AIA extension in the certificate. If it is not present, use the URL key in sURL.
- 3: Use the OCSP request signer's certificate AIA extension. Relevant only if SignRequest is 0.
GUI mapping: N/A
SendNonce (bool)
Data type: 0 (bool)
Default: 1
Version #: 7.0 < 10.0
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: Specifies signature validation behavior with respect to nonces.
Details: Deprecated with 10.0. If true, nonces are included in the OCSP request, are expected to be present in the response, and must match the request's nonce. If false, nonces are not sent.
GUI mapping: N/A
SendNonce (int)
Data type: 1 (int)
Default: 2
Version #: 10.0+
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: Specifies signature validation behavior with respect to nonces.
Details: With 10.0, this preference replaces bSendNonce. Possible values include:
- 0: No nonces are sent.
- 1: Nonces are included in the OCSP request, are expected to be present in the response, and must match the request's nonce.
- 2: Nonces are included in the OCSP request, but if none is present in the response, its absence is ignored.
GUI mapping: N/A
IgnoreValidityDates
Data type: 0 (bool)
Default: 0
Version #: 7.0+
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
Details: The value is set to true for ubiquity signatures created by enabling usage rights for Adobe Reader.
Note: With 11.0.16, this preference interacts with bExpiredCertGoOnline.
GUI mapping: N/A
ExpiredCertGoOnline
Data type: 0 (bool)
Default: 0
Version #: 11.0.16+
User Path: Security\ASPKI\cASPKI
Lock Path: Not lockable
Summary: Specifies whether to go online to get the revocation information for an expired certificate.
Details: 11.0.16 introduced a signature validation change: signatures based on expired certificates are invalid when there is no embedded revocation information, even if bIgnoreValidityDates is 1. In previous product versions, such a signature was valid. To be standards compliant, the client should not check online for the revocation information of a certificate that has expired. Setting bExpiredCertGoOnline to 1 re-enables the pre-11.0.16 behavior.
- 0: Do not go online for revocation information, even if bIgnoreValidityDates = 1.
- 1: Do go online.
GUI mapping: N/A
MaxClockSkew
Data type: 1 (int)
Default: 5 minutes
Version #: 10.1+
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: The number of minutes the local machine time can vary from the response's published time to account for network delay, time synchronization issues, and so on.
Details: For 10.1 and later, this preference is used along with bIgnoreNextUpdate to determine whether or not embedded OCSP responses are actually used for signature validation. For details, see the subfeature description above.
GUI mapping: N/A
IgnoreNextUpdate
Data type: 0 (bool)
Default: 0
Version #: 7.0+
User Path: Security\ASPKI\Adobe_OCSPRevChecker
Lock Path: Not lockable
Summary: Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew.
Details: For 10.1 and later, this preference is used along with iMaxClockSkew to determine whether or not embedded OCSP responses are actually used for signature validation. For details, see the subfeature description above. This behavior is designed to support Acrobat's long term validation feature and allows validating a signature with embedded responses that were valid at signing time. Possible values include:
- 0: iMaxClockSkew is applied on both sides of the validation time, i.e. thisUpdate - iMaxClockSkew < validation time < checkTime + iMaxClockSkew, where checkTime is the later of producedAt and thisUpdate.
- 1: iMaxClockSkew is applied only before the validation time (thisUpdate - iMaxClockSkew < validation time). If there is no nextUpdate, the OCSP response is accepted indefinitely: no check is made that the validation time is earlier than checkTime + iMaxClockSkew.
GUI mapping: N/A
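The three embedded-response tests from the OCSP subfeature description (driven by iMaxClockSkew and bIgnoreNextUpdate, as the IgnoreNextUpdate entry above restates them) and the three iSendNonce modes, modelled as an added Python example. This is not Adobe's code: the function and parameter names, the sample timeline, and the treatment of a nonce that is present but does not match as a failure in mode 2 are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional

# Added example, not Adobe code. Names, defaults shown as comments, and the
# sample timeline are assumptions taken from the preference descriptions.


def embedded_ocsp_response_usable(
    validation_time: datetime,
    this_update: datetime,
    produced_at: datetime,
    next_update: Optional[datetime],
    max_clock_skew_minutes: int = 5,     # iMaxClockSkew default: 5 minutes
    ignore_next_update: bool = False,    # bIgnoreNextUpdate default: 0
) -> bool:
    """True if an embedded OCSP response passes the documented time tests."""
    skew = timedelta(minutes=max_clock_skew_minutes)

    # Test 1 (always performed): validation time > thisUpdate - iMaxClockSkew.
    if not validation_time > this_update - skew:
        return False

    # Test 2: nextUpdate present -> validation time < nextUpdate + iMaxClockSkew.
    # bIgnoreNextUpdate only relaxes responses that carry no nextUpdate.
    if next_update is not None:
        return validation_time < next_update + skew

    # Test 3: no nextUpdate. With bIgnoreNextUpdate=1 the response is accepted
    # indefinitely; otherwise it is usable only until checkTime + iMaxClockSkew,
    # where checkTime is the later of thisUpdate and producedAt.
    if ignore_next_update:
        return True
    check_time = max(this_update, produced_at)
    return validation_time < check_time + skew


def nonce_acceptable(send_nonce_mode: int,
                     request_nonce: Optional[bytes],
                     response_nonce: Optional[bytes]) -> bool:
    """iSendNonce: 0 = no nonce sent; 1 = must be echoed and match;
    2 = sent, but a missing nonce in the response is tolerated.
    Assumption: a nonce that is present but differs is rejected in modes 1 and 2."""
    if send_nonce_mode == 0:
        return True                        # nothing was sent, nothing to compare
    if response_nonce is None:
        return send_nonce_mode == 2        # absence is tolerated only in mode 2
    return response_nonce == request_nonce


def freshness_scenarios() -> Dict[str, bool]:
    """Constructed sample timeline (not captured from a real responder)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)      # thisUpdate
    produced = t0 + timedelta(minutes=1)     # producedAt
    next_upd = t0 + timedelta(hours=1)       # nextUpdate, where present

    def at(minutes: int) -> datetime:        # validation time relative to thisUpdate
        return t0 + timedelta(minutes=minutes)

    return {
        "no_nextUpdate_inside_window": embedded_ocsp_response_usable(at(3), t0, produced, None),
        "no_nextUpdate_past_window": embedded_ocsp_response_usable(at(10), t0, produced, None),
        "no_nextUpdate_past_window_ignored": embedded_ocsp_response_usable(
            at(10), t0, produced, None, ignore_next_update=True),
        "validation_before_thisUpdate": embedded_ocsp_response_usable(
            at(-10), t0, produced, None, ignore_next_update=True),
        "nextUpdate_within_skew": embedded_ocsp_response_usable(at(64), t0, produced, next_upd),
        "nextUpdate_expired_despite_ignore": embedded_ocsp_response_usable(
            at(66), t0, produced, next_upd, ignore_next_update=True),
    }


if __name__ == "__main__":
    for name, ok in freshness_scenarios().items():
        print(f"{name:38s} {'usable' if ok else 'rejected'}")
```

The two things the scenarios make visible are that bIgnoreNextUpdate=1 never rescues a response whose nextUpdate has passed, and that test 1 still rejects a response when the validation time falls before thisUpdate minus the skew, so the relaxed setting is not the same as bIgnoreValidityDates.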
Signature Validation Rev Check (CRL)
CRL revocation checking can occur both during signature creation and signature validation on both the signing certificate as well as for the certificates associated with any revocation check responses.
The following options are available:
- Specifying when to do revocation checking as well as the effect of a failed or bad response.
- Specifying when and where to go online to get a response.
- Setting a time limit for caching a response after which the application must get a new response.
- Specifying an LDAP server to query for CRLs. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.
- Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.
- Requiring the presence of the Authority Key Identifier extension.
It is possible to require certain features for certificates used to sign CRL responses. If a response does not meet the specified parameters, the response will be considered invalid and the signature status may be Unknown or Invalid.
The following options are available:
- Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.
- Requiring the presence of the Authority Key Identifier extension.
Summary table
- AlwaysConsult: Determines when the URL is used for an additional URL CRL distribution point.
- GoOnline: Indicates whether it's acceptable to go online to fetch a CRL.
- IgnoreValidityDates: Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
- LDAP: The LDAP server to get CRLs from in the form www.ldap.com.
- MaxRevokeInfoCacheLifetime: Maximum lifetime in hours the cached CRL is used for revocation checking.
- ReqRevCheck: Indicates whether revocation checks are required to succeed on the CRL response.
- RequireAKI: Specifies whether the Authority Key Identifier extension must be present in a CRL.
- RevokeInfoCacheLifeTime: Specifies the length of time to cache the CRL.
- URL: The URL used to fetch CRL responses for an additional URL CRL distribution point.
IgnoreValidityDates
Data type: 0 (bool)
Default: 0
Version #: 7.0+
User Path: Security\ASPKI\Adobe_CRLRevChecker
Lock Path: Not lockable
Summary: Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
Details: The value is set to true for ubiquity signatures created by enabling usage rights for Adobe Reader.
GUI mapping: N/A
ReqRevCheck
Data type: 1 (int)
Default: 1
Version #: 7.0+
User Path: Security\ASPKI\Adobe_CRLRevChecker
Lock Path: Not lockable
Summary: Indicates whether revocation checks are required to succeed on the CRL response.
Details: Interacts with the other iReqRevCheck settings. Values include:
- 0: Don't do revocation checks.
- 1: Do a check IF responder details are in the CRLDp certificate extension or the registry; don't fail if the check fails.
- 2: Do a check IF responder details are in the CRLDp certificate extension or the registry; all checks must succeed if there is data and a check occurs.
- 3: Require a check; it must succeed under all circumstances.
GUI mapping: N/A
GoOnline
Data type: 0 (bool)
Default: 1
Version #: 7.0+
User Path: Security\ASPKI\Adobe_CRLRevChecker
Lock Path: Not lockable
Summary: Indicates whether it's acceptable to go online to fetch a CRL.
Details: If false, only cached CRLs (on local disk or embedded with the signature) are consulted. Internally set to false for ubiquity signatures in Reader-enabled documents.
GUI mapping: N/A
MaxRevokeInfoCacheLifetime
Data type: 1 (int)
Default: 24
Version #: 7.0+
User Path: Security\PubSec
Lock Path: Not lockable
Summary: Maximum lifetime in hours the cached CRL is used for revocation checking.
Details: iMaxRevokeInfoCacheLifetime is only used if the validation method is set to "current time". Possible values include:
- The number of hours for which the cached CRL is valid.
GUI mapping: N/A
RevokeInfoCacheLifeTime
Data type: 1 (int)
Default: null
Version #: Oct. 2018 (both tracks)
User Path: Security\cASPKI\cASPKI\
Lock Path: Not lockable
Summary: Specifies the length of time to cache the CRL.
Details: CRLs often have a lifespan determined by fields such as nextUpdate. This preference determines the validity in seconds of a cached CRL file, calculated from its download time. A fresh CRL is downloaded if the signature validation occurs after the number of seconds specified by iRevokeInfoCacheLifeTime has passed since the last cached CRL download, OR if it occurs after the time given in the CRL's nextUpdate field. Possible values include:
- The number of seconds for which the cached CRL is valid from its last modification time. There is no upper limit.
GUI mapping: N/A
Signature Validation Cert. Chain Building
The revocation checking process includes building the certificate chain so that each discovered certificate can be analyzed and processed as specified by other application preferences. Administrators do have some control over what certificates are used to build a chain.
The following options are available:
- Controlling whether AIA extensions are followed.
- Requiring the use of valid RSA signatures on all certificates in a chain.
- Requiring the presence of specific policy OIDs in the specified chain scope for it to be valid.
- Pointing to an LDAP server for path discovery purposes. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.
Summary table
- FollowURIsFromAIA: Specifies whether to allow the chain builder to follow URIs in AIA certificate extensions so that certificates can be downloaded if they are not available locally.
- LDAP: Specifies the URL of an LDAP server to be used for path discovery.
- RequireValidSigForChaining: Specifies whether to allow the chain builder to build chains with invalid RSA signatures on certificates.
- ValidityModel: Specifies the validity model for validating signatures and certificates.
- Value: An array of strings c0-cN containing the required certificate policy OIDs.
ValidityModel
Data type: 1 (int)
Default: 0
Version #: 8.0+
User Path: Security\ASPKI\Adobe_Validation
Lock Path: Not lockable
Summary: Specifies the validity model for validating signatures and certificates.
Details: The application uses shell validation by default, but chain validation may be used when required. Compliance with the German signature law requires chain validation. Allowable values include:
- 0: PKIX shell model.
- 1: Chain validity model.
Chain validation is used for all or part of a certificate chain whenever a certificate chains up to a CA certificate that contains the qualified certificate policy extension (OID 1.3.36.8.1.1), or the validity model certificate extension (OID 1.3.6.1.4.1.8301.3.5) with its value set to the chain model OID (1.3.6.1.4.1.8301.3.5.1).
GUI mapping: N/A
FollowURIsFromAIA
Data type: 0 (bool)
Default: 0
Version #: 7.0+
User Path: Security\ASPKI\Adobe_ChainBuilder
Lock Path: Not lockable
Summary: Specifies whether to allow the chain builder to follow URIs in AIA certificate extensions so that certificates can be downloaded if they are not available locally.
Details: The default does not allow phone-home behavior. CRL distribution points (CRLdps) and OCSP AIA extensions are still followed, because those revocation responses must chain up to a trust anchor.
GUI mapping: N/A
RequireValidSigForChaining
Data type: 0 (bool)
Default: 0
Version #: 8.0+
User Path: Security\ASPKI\Adobe_ChainBuilder
Lock Path: Not lockable
Summary: Specifies whether to allow the chain builder to build chains with invalid RSA signatures on certificates.
Details: Consider the chain CA > ICA > EE where the CA's signature on the ICA is invalid. If this setting is true, chain building stops at the ICA and the CA is not included in the chain. If this preference is false, the full 3-certificate chain is produced. This setting does not affect DSA signatures.
GUI mapping: N/A
Signing: Rev Check
Applying a signature to a document involves both creating a signature and then validating it. Although end users see only one step (the signature appears with a status icon), there are actually two phases, which an administrator can independently configure. Revocation checking can occur during the initial signing phase to control whether or not a signature is created.
The following option is available:
- Specifying when to do revocation checking as well as the effect of a failed or bad response.
Note:
Interacts with bIsEnabled. For more detail about how revocation checking affects signing and signature validation, see Certificate Processing.
Summary table
- ReqRevCheck: Indicates whether revocation checks are required to succeed to create the signature.
ReqRevCheck
Data type: 1 (int)
Default: 0
Version #: 7.0+
User Path: Security\ASPKI\ASPKI\Sign
Lock Path: Not lockable
Summary: Indicates whether revocation checks are required to succeed to create the signature.
Details: Interacts with the other iReqRevCheck settings. Allowable values include:
- 0: Don't do revocation checks.
- 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.
- 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
- 3: (New in 10.1.5 and 11.0) Require a check; it must succeed under all circumstances.
GUI mapping: N/A
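The four iReqRevCheck levels, which the OCSP, CRL and signing entries above all describe with the same wording, as an added Python decision function. This is not Adobe's code; the outcome labels, the parameter names and the reading that an unreachable responder counts as a check that "occurred" but did not succeed are assumptions.

```python
from enum import Enum
from typing import Dict, Optional

# Added example, not Adobe code: the iReqRevCheck levels as one decision
# function. Outcome labels and parameter names are assumptions.


class Outcome(str, Enum):
    NOT_CHECKED = "not checked"  # no check performed; signature unaffected
    GOOD = "good"                # check ran and the certificate is not revoked
    WARNING = "warning"          # check failed, but this level tolerates it
    FAILED = "failed"            # signature invalid (or, when signing, not created)


def revocation_outcome(req_rev_check: int,
                       has_responder_info: bool,
                       check_result: Optional[bool]) -> Outcome:
    """
    req_rev_check      : iReqRevCheck value, 0..3
    has_responder_info : CRLDp/AIA data in the certificate, or responder info in the registry
    check_result       : True = good, False = revoked or bad response,
                         None = the check could not complete (offline, responder unreachable)
    """
    if req_rev_check == 0:
        return Outcome.NOT_CHECKED
    if req_rev_check in (1, 2):
        if not has_responder_info:
            return Outcome.NOT_CHECKED   # no data, so no check occurs
        if check_result is True:
            return Outcome.GOOD
        # Level 1: don't fail if the check fails. Level 2: a check that occurs must succeed
        # (assumption: a check that could not complete counts as not succeeding).
        return Outcome.WARNING if req_rev_check == 1 else Outcome.FAILED
    if req_rev_check == 3:
        # A check is required and must succeed under all circumstances.
        return Outcome.GOOD if (has_responder_info and check_result is True) else Outcome.FAILED
    raise ValueError(f"unsupported iReqRevCheck value: {req_rev_check}")


def policy_matrix() -> Dict[int, Dict[str, str]]:
    """Every level against four constructed situations, for side-by-side review."""
    situations = {
        "no_responder_info": (False, None),
        "responder_unreachable": (True, None),
        "revoked": (True, False),
        "good": (True, True),
    }
    return {
        level: {name: revocation_outcome(level, info, result).value
                for name, (info, result) in situations.items()}
        for level in range(4)
    }


if __name__ == "__main__":
    for level, row in policy_matrix().items():
        print(f"iReqRevCheck={level}: {row}")
```

The matrix shows why the defaults differ per checker: level 1 (the CRL default) never blocks on a failed check, level 2 (the OCSP default) blocks only when revocation data exists, and level 3 is the only setting under which a certificate with no CRLDp or AIA information is treated as a failure.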
Signing: Long Term Validation
Whether revocation checking information is stored in a signature varies by version. Storing such data in a signature enables offline revocation checking and a determination of whether the signing certificate was valid at the time of signing.
Setting bIsEnabled to 1 via the GUI or registry automatically sets cSign\iReqRevCheck to 2. The rationale is that if you choose to embed the revocation status you probably want a status to embed. A consequence of this choice is that you must do a check and retrieve a good result; otherwise, no signature is created. In other words, signing with a revoked certificate is prevented when this setting is on.
The following options are available:
- Embedding revocation status in a signature.
- Specifying the embedded data cache size to limit the amount of cached data.
- Specifying when archived revocation data is used for revocation checking.
- Controlling whether or not revocation data is stored in a JavaScript object.
Note:
If you are setting up a signing workflow for both signers and signature validators, you may want to set iUseArchivedRevInfo so that document recipients can validate signatures based on a signer's bIsEnabled setting.
Summary table
- AutoAddLTV: Specifies whether LTV information should be automatically added to all signatures.
- IsEnabled: Specifies whether the signature revocation status is included in the signature.
- MaxRevInfoArchiveSize: The maximum size of the revocation archival information in kilobytes.
- ReturnRevInfoToUser: If true, the revocation information is maintained within the SignatureInfo object and can be retrieved through JavaScript.
- UseArchivedRevInfo: Indicates whether the revocation information archived with the signature is used for revocation checking.
UseArchivedRevInfo
Data type: 1 (int)
Default: 2
Version #: 7.0+
User Path: Security\ASPKI\Adobe_LTVProvider
Lock Path: Not lockable
Summary: Indicates whether the revocation information archived with the signature is used for revocation checking.
Details: Allowable values include:
- 0: Never (always require fresh revocation information to be successfully downloaded).
- 1: Deprecated. Do not use.
- 2: Always use (if embedded revocation information is available, do not download fresh revocation information).
GUI mapping: N/A
IsEnabled
Data type: 0 (bool)
Default: Pre-9.1: 0; 9.1 and later: 1
Version #: 8.0+
User Path: Security\ASPKI\Adobe_LTVProvider
Lock Path: Not lockable
Summary: Specifies whether the signature revocation status is included in the signature.
Details: Possible values include:
- 0: Don't enable LTV; the signature revocation status information is not included in the signature.
- 1: Do enable LTV.
GUI mapping: Include signature's revocation status when signing
MaxRevInfoArchiveSize
Data type: 1 (int)
Default: 1500 KB
Version #: 7.0+
User Path: Security\ASPKI\Adobe_LTVProvider
Lock Path: Not lockable
Summary: The maximum size of the revocation archival information in kilobytes.
Details: An attempt is made to store as much revocation information as possible without exceeding the limit. Note that older product versions may have a smaller supported size limit.
GUI mapping: N/A
AutoAddLTV
Data type: 1 (int)
Default: 1
Version #: 11.0+
User Path: Security\ASPKI\Adobe_LTVProvider
Lock Path: Not lockable
Summary: Specifies whether LTV information should be automatically added to all signatures.
Details: Possible values include:
- 0: Never add LTV information.
- 1: (default) Ask whether LTV information should be added if it is too big.
- 2: Always add LTV information.
When the cumulative size of the LTV data is greater than 10% of the PDF file size plus 10 KB and "Automatically add verification information on Save" is set to "Ask...", a dialog appears asking the user whether to continue embedding the LTV information. Note that in workflows where this dialog appears, if the user selects the "Do not show this message again" checkbox and clicks the No button, this preference is set to zero.
GUI mapping: Preferences > Signatures > Verification panel (More) > Verification Information > Automatically add verification information when saving signed PDF.
Signature Validation Rev Check (Providers)
The revocation checker provider provides revocation checking services. You can specify one or more revocation checking methods and choose whether to use the default methods or some MSCAPI-specific method.
The following options are available:
- Use one or both of Adobe's revocation checking methods (CRL and OCSP).
- Use of the MSCAPI revocation checking plugin model as an alternative to Adobe mechanisms. For example, administrators may have standardized on MSCAPI or might prefer the MSCAPI method of using a CRL registry cache (Acrobat has its own cache).
Note: Acrobat's default CRL cache location is C:\Documents and Settings\(user)\Application Data\Adobe\(application)\(version)\Security\CRLCache
Summary table
- RevocationChecker: An array of text entries (t0-tn) containing the name of a registered provider.
RevocationChecker
Data type: 8 (cab)
Default: Adobe_OCSPRevChecker, Adobe_CRLRevChecker
Version #: 7+
User Path: Security\ASPKI\SPIs
Lock Path: Not lockable
Summary: An array of text entries (t0-tn) containing the name of a registered provider.
Details: The registered providers are:
- Adobe_OCSPRevChecker: Adobe's default OCSP method.
- Adobe_CRLRevChecker: Adobe's default CRL method.
- MSCAPI_RevocationChecker: Accesses the MSCAPI revocation checking plugin framework.
The rules of operation are as follows:
- If cRevocationChecker is empty, the default OCSP and CRL methods are used.
- If cRevocationChecker is not empty, then only the methods listed are used.
- Regardless of the order in which the validators are listed, the validators are always called in the following order: OCSP, CRL, MSCAPI.
- The first validator present that produces a result is the only one used.
GUI mapping: N/A
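The provider selection rules above as an added Python example (not Adobe's code; the function names and the simulated per-provider results are assumptions). It shows that the cab's listing order does not change the call order, and that restricting the list to one provider means a silent provider leaves no result at all.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not Adobe code: the cRevocationChecker selection rules.
# Function names and the simulated per-provider results are assumptions.

DEFAULT_PROVIDERS = ["Adobe_OCSPRevChecker", "Adobe_CRLRevChecker"]
# Fixed call order, independent of how entries are listed in the cab.
CALL_ORDER = ["Adobe_OCSPRevChecker", "Adobe_CRLRevChecker", "MSCAPI_RevocationChecker"]


def effective_provider_order(configured: List[str]) -> List[str]:
    """Empty cab -> the defaults; otherwise only the listed providers, in CALL_ORDER."""
    selected = set(configured) if configured else set(DEFAULT_PROVIDERS)
    unknown = selected - set(CALL_ORDER)
    if unknown:
        raise ValueError(f"unregistered provider name(s): {sorted(unknown)}")
    return [p for p in CALL_ORDER if p in selected]


def run_revocation_check(configured: List[str],
                         results: Dict[str, Optional[str]]
                         ) -> Tuple[Optional[str], Optional[str]]:
    """Walk the providers in order; the first one that produces a result wins.
    `results` simulates what each provider would return (None = no result)."""
    for provider in effective_provider_order(configured):
        outcome = results.get(provider)
        if outcome is not None:
            return provider, outcome
    return None, None


if __name__ == "__main__":
    # Constructed: the OCSP responder is silent, the CRL says the certificate is good.
    simulated = {"Adobe_OCSPRevChecker": None, "Adobe_CRLRevChecker": "good"}
    print(effective_provider_order(["MSCAPI_RevocationChecker", "Adobe_OCSPRevChecker"]))
    print(run_revocation_check([], simulated))
    print(run_revocation_check(["Adobe_CRLRevChecker"], {"Adobe_CRLRevChecker": None}))
```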
Signing: Preview Mode
Preview mode turns off (suppresses) rich content and dynamic document behavior that could prevent the signer from seeing what they are signing. While the use of preview mode adds an extra step in the signing workflow, it turns off potentially bad content, checks the document for the presence of any PDF constructs that may cause problems with signature integrity and provides a report about any found problems.
The following option is available:
- Force the use of preview mode during signing.
Summary table
Data type: 0 (bool)
Default: 0
Version #: 7.0+
User Path: Security\DigSig
Lock Path: Not lockable
Summary: Specifies whether a signer is forced to use preview mode during signing.
Details: If true, preview mode is automatically invoked on a sign action. Users should read the document message bar text, view a report about any warnings, and then choose Sign Document.
GUI mapping: Preferences > Security > View documents in preview mode when signing
Signing: Appearances
The application remembers what signature appearance a signer used and stores its index number in iAPIndex. Because an end user's appearance selection will overwrite any custom value here, customization by an administrator would serve no useful purpose.
Summary table
- APIndex: Remembers the last used signature appearance index.
Signing: Signer Details
The signing dialog can show location and contact information fields during a signing workflow. Field fill-in is optional. By default, the option is off, but end users and administrators can turn it on. The location appears in the Signature Properties dialog and in the Signatures pane and may optionally appear in the signature appearance.
The following options are available:
- Showing or not showing the Contact and Location fields in the signing dialog.
- Setting default contact information.
- Setting default location information.
Note:
If the end user changes the field data in the signing dialog, those values will overwrite the registry-specified values.
Summary table
- AllowOtherInfoWhenSigning: Specifies whether the location and contact information UI will appear during signing.
- ContactInfo: When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field.
- Location: Stores the location information of the signer.
AllowOtherInfoWhenSigning
Data type: 0 (bool)
Default: 0
Version #: 8.0+
User Path: Security\PubSec
Lock Path: Not lockable
Summary: Specifies whether the location and contact information UI will appear during signing.
GUI mapping: Preferences > Security > Advanced Preferences > Creation tab > Show location and contact information when signing
Location
Data type: 5 (text)
Default: null
Version #: 8.0+
User Path: Security\PubSec
Lock Path: Not lockable
Summary: Stores the location information of the signer.
Details: When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field. User data is saved and reused during subsequent signing events.
GUI mapping: Location field in the Sign dialog
Signing: Reasons
The signing dialog can show a signing-reasons drop-down list during a signing workflow. By default, the option is off, but end users and administrators can turn it on. If a reason is used, it appears in the signature appearance, the Signature Properties dialog, and in the Signatures pane.
The following options are available:
- Showing or not showing the Reasons field in the signing dialog.
- Changing the default reasons. Administrators can add, delete, and modify the reason list.
- Locking the reason list so that it can't be modified by end users.
Summary table
AllowReasonWhenSigning |
Specifies whether the reason UI will appear during signing. |
Reasons |
Stores a list of signing reasons. |
Reasons |
Prevents users from modifying the reasons settings. |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
8.0+ |
User Path |
Security\PubSec |
Lock Path |
FeatureLockDown\Security\PubSec |
Summary |
Specifies whether the reason UI will appear during signing. |
Details |
The preference can be overridden by a document seed value set on a field. For 8.1 and later, if cReasons is locked and empty, bAllowSigningReasons is 0 and read-only (the UI is turned off). If cReasons is locked and has values, then bAllowSigningReasons is true and read-only. |
GUI mapping |
Preferences > Security > Advanced Preferences > Creation tab > Show reasons when signing |
|
Data type |
5 (text)
|
Default |
See details. |
Version # |
7.0+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
Stores a list of signing reasons. |
Details |
Entries in this folder are named t0, t1, etc. Subject to override by the document seed value: reasons.
The default reasons are:
- t0: I am the author of this document
- t1: I have reviewed this document
- t2: I am approving this document
- t3: I attest to the accuracy and integrity of this document
- t4: I agree to the terms defined by the placement of my signature on this document
- t5: I agree to specified portions of this document
|
GUI mapping |
Reasons drop down list in signing dialog |
|
Data type |
0 (bool)
|
Default |
null |
Version # |
8.1+ |
Lock Path |
FeatureLockDown\Security\PubSec |
Summary |
Prevents users from modifying the reasons settings. |
Details |
v8.1: If locked and cReasons is empty, bAllowSigningReasons is 0 and read-only. If locked and cReasons has values, then bAllowSigningReasons is true and read-only. |
GUI mapping |
N/A |
Signing: Certification
A "certification signature" is simply the first signature in a document where the user has indicated via a user interface choice to "certify" the document. These preferences only control certification signature behavior and have no effect on approval signature behavior.
In addition to the general signature preferences described elsewhere in this document, the following options are available:
- Preventing invisible signatures: By default, users can sign with a visible or invisible signature. Prohibit invisible certification signatures by setting bAllowInvisibleSig to 0.
- Legal attestations (warning comments): When certifying a document that contains dynamic content, a signer can choose a default warning comment from a list or create a custom one. You can prepopulate this list with custom comments with cAttest.
- (Pre v. 8.0) Control certification based on document content: For versions prior to 8.0, you can control certification rights based on the nature of the document content and whether it generates LegalPDF warnings. These preferences are deprecated in 8.0.
- 11.0: Elevating certified documents to a privileged location so that they are trusted for operations that would otherwise be restricted (See TrustManager).
- 11.0.04: Showing the document's certification status in the Protected View document message bar (See FeatureLockDown).
Summary table
AllowCertNonGreen |
Specifies whether a certification signature may be applied to a document containing Legal PDF warnings. |
AllowInvisibleSig |
Specifies whether to allow invisible certification signatures. |
AllowSigCertGreenOnly |
Specifies whether any subsequent signers can sign a certified document that does not contain LegalPDF warnings with additional approval signatures. |
AllowSigCertOnly |
Specifies whether any subsequent signers can sign a certified document containing LegalPDF warnings with additional approval signatures. |
Attest |
Stores a list of the most recently used attestations regarding LegalPDF warnings in a document. |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
7.0+ |
User Path |
Security\DigSig |
Lock Path |
FeatureLockDown\Security\DigSig |
Summary |
Specifies whether to allow invisible certification signatures. |
Details |
False disables the menu option, prevents signing and certifying with invisible signatures, and limits JavaScript support by signature fields. |
GUI mapping |
Certify with Invisible Signature |
|
Data type |
|
Default |
null |
Version # |
7.0+ |
User Path |
Security\DigSig |
Lock Path |
Not lockable |
Summary |
Stores a list of the most recently used attestations regarding LegalPDF warnings in a document. |
Details |
Entries in this folder are named t0, t1, etc. The application may have one or more default strings such as "I have included this content to make the document more interactive." |
GUI mapping |
N/A |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
7.0 ONLY+ |
User Path |
Security\DigSig |
Lock Path |
Not lockable |
Summary |
Specifies whether any subsequent signers can sign a certified document containing LegalPDF warnings with additional approval signatures. |
Details |
In other words, the presence of any LegalPDF warning prevents any additional signatures. |
GUI mapping |
N/A |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
7.0 ONLY+ |
User Path |
Security\DigSig |
Lock Path |
Not lockable |
Summary |
Specifies whether any subsequent signers can sign a certified document that does not contain LegalPDF warnings with additional approval signatures. |
Details |
In other words, the presence of any LegalPDF warning does not prevent any additional signatures. |
GUI mapping |
N/A |
Signing: User interface
Summary table
EnableCEFBasedUI |
Specifies whether to enable the CEF-based, modern UI for digital signature workflows. |
|
Data type |
0 (bool)
|
Default |
null |
Version # |
June, 2016: Both tracks |
User Path |
Security\cPubSec |
Lock Path |
Security\PubSec |
Summary |
Specifies whether to enable the CEF-based, modern UI for digital signature workflows. |
Details |
The newer UI streamlines the user interface. All values also disable the UI option to change the preference. Note that for products released after June 2016, disabling a user's ability to create a self-signed digital ID requires setting both bSelfSignCertGen and bEnableCEFBasedUI to 0. Possible values include:
- 0: Disable the modern UI and show the legacy UI.
- 1: Enable the Modern UI.
|
GUI mapping |
Preferences > Signatures > Creation and Appearance > More > Use modern user interface for signing and Digital ID configuration |
Signing: Document Warnings
The Sign dialog is capable of showing a Review button. The button invokes the PDF Signature Report which analyzes the document for the presence of any dynamic content that could adversely affect the integrity of signing workflows. If none is found, a dialog appears indicating that there are no problems. If content such as a comment or JavaScript is discovered, the PDF Signature Report appears with a list of any PDF constructs that may cause problems with signature integrity.
The following options are available:
- Never showing or allowing the review of document warnings.
- Limiting warning review to certification workflows.
- Requiring warning review prior to applying an approval and/or certification signature.
- Always requiring review of warnings for every signature.
Summary table
RequireReviewWarnings |
Specifies whether the user is required to review document warnings before signing via the signing dialog. |
ShowDocumentWarnings |
Specifies whether a button to allow reviewing document warnings shows up on the signing dialog. |
|
Data type |
1 (int)
|
Default |
1; 11.0 = 0; 11.0.01 = 1 |
Version # |
8.0+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
Specifies whether a button to allow reviewing document warnings shows up on the signing dialog. |
Details |
Interacts with iRequireDocumentWarnings. The possible values include:
- 0: Never
- 1: Show when certifying only
- 2: Always
|
GUI mapping |
Preferences > Security > Advanced Preferences > Creation tab > Enable reviewing of document warnings |
|
Data type |
1 (int)
|
Default |
0 |
Version # |
8.0+ |
User Path |
Security\DigSig |
Lock Path |
Not lockable |
Summary |
Specifies whether the user is required to review document warnings before signing via the signing dialog. |
Details |
Interacts with iShowDocumentWarnings. The possible values include:
- 0: Never
- 1: Show when certifying only
- 2: Always
|
GUI mapping |
Preferences > Security > Advanced Preferences > Creation tab > Prevent signing until document warnings are reviewed |
Signing: Font Warnings
LegalPDF warnings have been replaced by PDF Signature Report errors in versions 8.0 and later. Both mechanisms provide similar warnings. The following option is available:
- Toggling warnings for TrueType and non-embedded fonts on and off.
Summary table
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
7.0+ |
User Path |
Security\DigSig |
Lock Path |
Not lockable |
Summary |
Turns on and off warnings about non-embedded fonts. |
Details |
A warning appears when the LegalPDF dictionary's NonEmbeddedFonts attribute has a non-zero value. Turning this value on causes a warning to appear in the PDF Signature Report indicating that the document contains unembedded fonts. |
GUI mapping |
N/A |
Signing: Hash Algorithm
The default algorithm used to create a message digest (document hash) during signing can be customized. In some enterprise situations, such as when FIPS compliance is required, you may need a more secure algorithm. Alternate hashing algorithms can be specified by name or OID as shown below. The algorithm that is used is displayed in the Hash Algorithm field of the Signature Properties dialog's Document tab. Usage rules:
- MSCAPI supports different algorithms across versions. For example, early XP versions only supported SHA1 and MD5. The use of other algorithms will require that the signer use a digital ID that resides in a .pfx/.p12 file in the Acrobat cache.
- With XP SP3, MSCAPI supports SHA256 on certificates and some token devices.
- Pre 9.1: Acrobat uses SHA1 as the default.
- 9.1 and later: Acrobat uses SHA256 as the default, but will use SHA1 if the token does not support SHA256. If using FIPS mode, do not use MD5 or RIPEMD160.
The following options are available:
- Specifying an alternate algorithm.
Summary table
SignHash |
The hashing algorithm to use while signing. |
SignHash |
A text entry that contains the OID of the hashing algorithm. |
|
Data type |
4 (string)
|
Default |
SHA1 for 9.0 and earlier; SHA256 for 9.1 and later |
Version # |
7.0+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
The hashing algorithm to use while signing. |
Details |
For an alternative, see tSignHash.
NOTE: The data type prefix is incorrect, as the key is not an atom. The entry is binary. You can manually create the binary value by right-clicking in the preference area and choosing New Binary Value. Right-click on your new preference and choose Modify Binary Data. When the Edit Binary Value dialog appears, click in the right-hand side of the Value data field and type the name of a supported algorithm. As you type the string, the binary value appears on the left-hand side of the dialog. For example, type SHA384. Once done, click in the binary field, add a zero at the end, and press Enter. The null terminator is required (the registry editor will change it to 00). Supported algorithm names are:
- MD5
- SHA1
- SHA256 (v. 7.0)
- RIPEMD160 (v. 8.0)
- SHA384 (v. 8.0)
- SHA512 (v. 8.0)
|
GUI mapping |
N/A |
|
Data type |
5 (text)
|
Default |
SHA1 for 9.0 and earlier; SHA256 for 9.1 and later |
Version # |
7.0+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
A text entry that contains the OID of the hashing algorithm. |
Details |
For an alternative, see aSignHash. Allowable values include:
- 1.2.840.113549.2.5: MD5
- 1.3.14.3.2.26: SHA1
- 2.16.840.1.101.3.4.2.1: SHA256 (v. 7.0)
- 1.3.36.3.2.1: RIPEMD160 (v. 8.0)
- 2.16.840.1.101.3.4.2.2: SHA384 (v. 8.0)
- 2.16.840.1.101.3.4.2.3: SHA512 (v. 8.0)
|
GUI mapping |
N/A |
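As an added example (not from the Adobe preference reference), the PowerShell below writes aSignHash as the null-terminated REG_BINARY value the note above describes and tSignHash as the matching OID, so the two alternatives never disagree, and reads both back to confirm they do. The key path pattern follows the HKCU paths given in the Timestamp Server section; the product and version segments ('Adobe Acrobat', 'DC') are assumed placeholders to adjust for the installed product.

```powershell
# Added example; not part of Acrobat or the preference reference.
# Assumption: the per-user key is HKCU:\Software\Adobe\<product>\<version>\Security\cPubSec,
# following the path pattern used elsewhere on this page. Product/version defaults are placeholders.

# Name-to-OID pairs exactly as listed for aSignHash and tSignHash above.
$script:SignHashOids = @{
    'MD5'       = '1.2.840.113549.2.5'
    'SHA1'      = '1.3.14.3.2.26'
    'SHA256'    = '2.16.840.1.101.3.4.2.1'
    'RIPEMD160' = '1.3.36.3.2.1'
    'SHA384'    = '2.16.840.1.101.3.4.2.2'
    'SHA512'    = '2.16.840.1.101.3.4.2.3'
}

function Get-PubSecKeyPath {
    param([string]$Product, [string]$Version)
    "HKCU:\Software\Adobe\$Product\$Version\Security\cPubSec"
}

function Set-AcrobatSignHash {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'RIPEMD160', 'SHA384', 'SHA512')]
        [string]$Algorithm,
        [string]$Product = 'Adobe Acrobat',   # assumed placeholder
        [string]$Version = 'DC',              # assumed placeholder
        [switch]$FipsMode                     # reject MD5 and RIPEMD160, per the usage rules above
    )
    if ($FipsMode -and $Algorithm -in @('MD5', 'RIPEMD160')) {
        throw "$Algorithm must not be used in FIPS mode"
    }
    $key = Get-PubSecKeyPath $Product $Version
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # aSignHash is REG_BINARY: the ASCII name followed by the required 0x00 terminator
    # (the same bytes regedit stores when you type the name and append a trailing 00).
    $nameBytes = [byte[]]([System.Text.Encoding]::ASCII.GetBytes($Algorithm) + 0)
    $oid = $script:SignHashOids[$Algorithm]

    if ($PSCmdlet.ShouldProcess($key, "aSignHash=$Algorithm, tSignHash=$oid")) {
        Set-ItemProperty -Path $key -Name 'aSignHash' -Value $nameBytes -Type Binary
        # tSignHash is the text alternative; keep it in step with the binary name.
        Set-ItemProperty -Path $key -Name 'tSignHash' -Value $oid -Type String
    }
}

function Get-AcrobatSignHash {
    param([string]$Product = 'Adobe Acrobat', [string]$Version = 'DC')
    $key  = Get-PubSecKeyPath $Product $Version
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $name = $null
    $oid  = $null
    if ($item -and $item.PSObject.Properties['aSignHash']) {
        # Decode the binary value and drop the null terminator before comparing.
        $name = [System.Text.Encoding]::ASCII.GetString([byte[]]$item.aSignHash).TrimEnd([char]0)
    }
    if ($item -and $item.PSObject.Properties['tSignHash']) { $oid = [string]$item.tSignHash }
    [pscustomobject]@{
        Name       = $name
        Oid        = $oid
        # False when only one key is set or the name and OID refer to different algorithms.
        Consistent = [bool]($name -and $oid -and $script:SignHashOids[$name] -eq $oid)
    }
}

# Usage:
#   Set-AcrobatSignHash -Algorithm SHA256 -FipsMode -WhatIf   # preview the registry writes
#   Get-AcrobatSignHash                                        # confirm name and OID agree
```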
Signing: Format
The default format for creating the signature object that is embedded in a signed document is PKCS#7. The object contains the encrypted message digest, certificates, timestamps, and other information. It does not include the signature appearance and data outside of Contents in the signature dictionary. Format choices are limited so that a signature encoded by one handler can be decoded (validated) by another handler. Providing a value for aSignFormat writes that value to the signature dictionary's SubFilter object. For details, see "Signature Interoperability" in the PDF Reference.
- PKCS#1 : For signing PDF files using PKCS#1, the only recommended value of SubFilter is adbe.x509.rsa_sha1, which uses the RSA encryption algorithm and SHA-1 digest method. The certificate chain of the signer is stored in the Cert entry.
- PKCS#7 : The value of Contents is a DER-encoded PKCS#7 binary data object containing the signature. The PKCS#7 object must conform to the PKCS#7 specification in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5. SubFilter can take one of the following values:
- adbe.pkcs7.detached : No data is encapsulated in the PKCS#7 signed-data field.
- adbe.pkcs7.sha1 : The SHA1 digest of the byte range is encapsulated in the PKCS#7 signed-data field with ContentInfo of type Data.
- ETSI.CAdES.detached : Supports long term validation of signatures even when the signing certificate is revoked; this is part of the feature which allows adding an invisible timestamp signature to a document.
Summary table
SignFormat |
The format to use when signing a document using public key cryptography when a format is not specified by a seed value, javascript parameter, or the PubSec Handler. |
|
Data type |
2 (atom)
|
Default |
adbe.pkcs7.detached |
Version # |
7.0+ |
User Path |
Security\PubSec |
Lock Path |
FeatureLockDown\Security\PubSec |
Summary |
The format to use when signing a document using public key cryptography when a format is not specified by a seed value, javascript parameter, or the PubSec Handler. |
Details |
Allowable values include:
- adbe.pkcs7.detached
- adbe.pkcs7.sha1
- adbe.x509.rsa_sha1
- ETSI.CAdES.detached
|
GUI mapping |
10.0 and later: Preferences > Security > Advanced Preferences > Creation tab > Default Signature Signing Format |
Signing: Digest Comparison
When signing a PDF document, a message digest is created for the document and sent to the cryptographic module that performs the signing operation. Setting the registry entry bEnforceSecureChannel to 1 ensures the message digest sent to the cryptographic module is checked against the signed message digest that it returns. This flag ensures that intermediate layers of software between Acrobat and the cryptographic module do not tamper with the signing operation.
The following rules apply:
- When using a certificate that includes a DSA public key with omitted parameters, the test to detect signature validity is not performed. In these cases, setting bEnforceSecureChannel has no effect.
- When this preference is turned on, a digest mismatch results in a warning dialog. The signature is removed from the document and the signing application aborts the signing process.
Summary table
EnforceSecureChannel |
Specifies whether to prevent signing when the original message digest and the signed message digest do not match. |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
8.0+ |
User Path |
Security\PubSec |
Lock Path |
Not lockable |
Summary |
Specifies whether to prevent signing when the original message digest and the signed message digest do not match. |
Details |
When set to 1, the user sees a warning dialog when the digest mismatch occurs. This error can be caused by a modification of the original message digest, a modification of the signed message digest, or a mismatch between the private and public key used for signing.
When using a certificate that doesn't include a public key (such as a DSA certificate with an omitted public key), the test to detect signature validity is not performed. Do not turn this setting on if such certificates are used. |
GUI mapping |
N/A |
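To make the bEnforceSecureChannel check concrete, here is an added PowerShell model of it (not Acrobat code) built on the .NET RSA classes: the application hashes a constructed byte range, hands the digest to a "cryptographic module" script block, and verifies the returned signature against the signer's public key before accepting it. Three modules are constructed for the demonstration: an honest one, one with an intermediate layer that substitutes the digest, and one signing with a key that does not match the certificate.

```powershell
# Added example; models the bEnforceSecureChannel check and is not Acrobat's own code.
# The "cryptographic module" is a script block (digest in, signature out) so that an
# intermediate layer can be placed between the application and the signer.
using namespace System.Security.Cryptography

function Invoke-CheckedSigning {
    param(
        [Parameter(Mandatory)][byte[]]$ByteRange,        # constructed stand-in for the PDF byte range
        [Parameter(Mandatory)][scriptblock]$Module,      # receives the digest, returns the signature
        [Parameter(Mandatory)][RSA]$SignerPublicKey,     # public key of the signing certificate
        [switch]$EnforceSecureChannel                    # bEnforceSecureChannel = 1
    )
    $digest    = [SHA256]::Create().ComputeHash($ByteRange)
    $signature = & $Module $digest
    if ($EnforceSecureChannel) {
        # Confirm the returned signature is over the digest that was sent, using the public
        # key that will be embedded with the signature. A failure means the digest or the
        # signature was altered on the way, or the module signed with a non-matching key.
        $ok = $SignerPublicKey.VerifyHash($digest, $signature,
                  [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        if (-not $ok) {
            Write-Warning 'Digest mismatch: signature discarded and signing aborted'
            return $null
        }
    }
    return $signature
}

# --- demonstration with constructed keys and data ---
$signer   = [RSA]::Create()                  # the signer's private key
$otherKey = [RSA]::Create()                  # an unrelated private key
$public   = [RSA]::Create()
$public.ImportParameters($signer.ExportParameters($false))   # public half only
$pdfBytes = [System.Text.Encoding]::ASCII.GetBytes('%PDF-1.7 constructed byte range')

# Honest module: signs exactly the digest it was given.
$honest = { param([byte[]]$d)
    $signer.SignHash($d, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1) }
# Intermediate layer that substitutes a different digest before the signer sees it.
$tampered = { param([byte[]]$d)
    $other = [SHA256]::Create().ComputeHash([System.Text.Encoding]::ASCII.GetBytes('substituted content'))
    $signer.SignHash($other, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1) }
# Module whose private key does not belong to the signer's certificate.
$wrongKey = { param([byte[]]$d)
    $otherKey.SignHash($d, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1) }

foreach ($case in @{ honest = $honest; tampered = $tampered; wrongKey = $wrongKey }.GetEnumerator()) {
    $sig = Invoke-CheckedSigning -ByteRange $pdfBytes -Module $case.Value `
               -SignerPublicKey $public -EnforceSecureChannel
    '{0,-9} -> {1}' -f $case.Key, $(if ($sig) { 'signature accepted' } else { 'aborted' })
}
```

Only the honest module's signature survives the check; the other two cases reproduce the warning-and-abort behaviour described in the Details above.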
Signature Clearing
Summary table
EnableSignatureClear |
Specifies whether to disable and lock the ability for a signer to clear their own signature. |
|
Data type |
0 (bool)
|
Default |
null |
Version # |
11.0+ |
Lock Path |
FeatureLockDown\Security\DigSig |
Summary |
Specifies whether to disable and lock the ability for a signer to clear their own signature. |
Details |
Possible values include:
- 0: Disable signature clearing.
- 1: Enable signature clearing.
|
GUI mapping |
The Clear Signature menu item which appears when a user right clicks on a signature. |
Timestamp Server: Usage
Summary table
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
7.0+ |
User Path |
Security\ASPKI\ASPKI\Sign |
Lock Path |
Not lockable |
Summary |
Indicates whether retrieving a signature property must succeed. |
Details |
Acrobat currently provides a signature property for timestamps. By default, retrieving a valid and trusted timestamp is not required, and property retrieval failure only results in creating a signature which uses the local time. When property retrieval is required during signature creation and fetching a timestamp fails for any reason (bad URL, no network connection, etc.) the signature creation process is aborted, no signature is created, and an error appears.
- 0: Make best effort, but success is not required. A signature is created.
- 1: Property retrieval must succeed. On failure, a signature is not created and an error dialog appears.
|
GUI mapping |
N/A |
|
Data type |
0 (bool)
|
Default |
0 |
Version # |
11.0+ |
Lock Path |
Not lockable |
Summary |
Specifies whether the timestamp time should be displayed in the signature appearance. |
Details |
By default, the signature appearance displays the signing time from the signer's computer clock. To display the timestamp server time in a signature appearance:
- Go to HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product)\(version)\FeatureLockDown\cSecurity\cPubSec\
- Create the new DWORD bUseTSAsSigningTime and set it to 1.
- Go to HKCU\Software\Adobe\(product)\(version)\Security\cASPKI\cASPKI\cSign.
- Set bReqSigPropRetrieval to 1. Create the preference if it does not exist.
- Verify the computer time does not vary from the signature validation revocation check response time specified by HKCU\Software\Adobe\(product)\(version)\Security\cPubSec\iMaxClockSkew. The default is 65 minutes. iMaxClockSkew allows admins to account for network delay, time synchronization issues, and so on without invalidating signatures.
Possible values include:
- 0: Don't show the timestamp time.
- 1: Do show the timestamp time.
|
GUI mapping |
N/A |
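The five steps above as one PowerShell function, added here as an example rather than Adobe's tooling: it writes the policy DWORD under HKLM, enables bReqSigPropRetrieval in the user's cSign key, and then compares the local clock against a reference time (for example, the time in a timestamp response) using the configured iMaxClockSkew. The (product) and (version) segments are assumed placeholders, and the HKLM write needs an elevated session.

```powershell
# Added example; not Acrobat's own code. Registry paths follow the procedure above, with the
# (product)/(version) placeholders supplied as parameters (the defaults are assumptions).
function Enable-TsaSigningTime {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Product = 'Adobe Acrobat',   # assumed placeholder
        [string]$Version = 'DC',              # assumed placeholder
        # Reference time for the skew check, e.g. the time carried in a timestamp response
        # from the configured server; defaults to the local clock (zero skew).
        [datetime]$ReferenceTime = (Get-Date)
    )
    $policyKey = "HKLM:\SOFTWARE\WOW6432Node\Policies\Adobe\$Product\$Version\FeatureLockDown\cSecurity\cPubSec"
    $signKey   = "HKCU:\Software\Adobe\$Product\$Version\Security\cASPKI\cASPKI\cSign"
    $pubSecKey = "HKCU:\Software\Adobe\$Product\$Version\Security\cPubSec"

    foreach ($entry in @(
        @{ Key = $policyKey; Name = 'bUseTSAsSigningTime';  Value = 1 },   # steps 1 and 2
        @{ Key = $signKey;   Name = 'bReqSigPropRetrieval'; Value = 1 }    # steps 3 and 4
    )) {
        # The keys may not exist until the feature has been used, so create them on demand.
        if (-not (Test-Path $entry.Key)) {
            if ($PSCmdlet.ShouldProcess($entry.Key, 'New-Item')) {
                New-Item -Path $entry.Key -Force | Out-Null
            }
        }
        # Both preferences are DWORD booleans set to 1.
        if ($PSCmdlet.ShouldProcess($entry.Key, "$($entry.Name)=$($entry.Value)")) {
            Set-ItemProperty -Path $entry.Key -Name $entry.Name -Value $entry.Value -Type DWord
        }
    }

    # Step 5: clock-skew check. iMaxClockSkew is in minutes and defaults to 65 when absent.
    $maxSkew = 65
    $pubSec  = Get-ItemProperty -Path $pubSecKey -ErrorAction SilentlyContinue
    if ($pubSec -and $pubSec.PSObject.Properties['iMaxClockSkew']) {
        $maxSkew = [int]$pubSec.iMaxClockSkew
    }
    $skewMinutes = [math]::Abs(((Get-Date) - $ReferenceTime).TotalMinutes)
    [pscustomobject]@{
        MaxClockSkewMinutes = $maxSkew
        ObservedSkewMinutes = [math]::Round($skewMinutes, 1)
        # False means the local clock differs from the reference by more than the tolerance;
        # correct the clock (or adjust iMaxClockSkew) before relying on the TSA time.
        WithinTolerance     = ($skewMinutes -le $maxSkew)
    }
}

# Usage (elevated session, because of the HKLM policy key):
#   Enable-TsaSigningTime -ReferenceTime '2024-01-01T12:00:00Z' -WhatIf
```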
Timestamp Server: List
Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.
The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:
- Specifying a list of servers that will appear in the Security Settings Console. Preferences are represented as a list c0-cN and contain the server name, URL, and whether the authentication is required.
- Specifying when to do revocation checking as well as the effect of a failed or bad response.
- Increasing security by choosing a more robust hashing algorithm. The algorithm must be supported by the timestamp server.
- Requiring signature property retrieval (a valid and trusted server URL) in order to create a signature.
Summary table
AuthReqd |
This is an internal copy of bAuthReqd that cannot be modified. |
AuthRequired |
Specifies whether or not the timestamp server requires authentication. |
LockboxId |
If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID. |
Name |
The user-defined server name. |
Server |
The server URL. |
|
Data type |
0 (bool)
|
Default |
null |
Version # |
7.0+ |
User Path |
Security\PPKHandler\TimeStampServers\(index) |
Lock Path |
Not lockable |
Summary |
Specifies whether or not the timestamp server requires authentication. |
Details |
If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID. The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment. |
GUI mapping |
Security Settings Console > Timestamp Servers > Configuration panel > This server requires me to log on |
|
Data type |
4 (string)
|
Default |
null |
Version # |
7.0+ |
User Path |
Security\PPKHandler\TimeStampServers\(index) |
Lock Path |
Not lockable |
Summary |
If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID. |
Details |
The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment. |
GUI mapping |
The preference is populated when the user checks This server requires me to log on and then enters a username and password. |
Timestamp Server: Default
Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.
The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:
- Setting a default server.
Summary table
AuthRequired |
Specifies whether the timestamp server requires authentication. |
HashAlgo |
Identifies the hashing algorithm used to hash the timestamped data. |
HashAlgo |
The hashing algorithm OID used to hash the data to be timestamped. |
LockboxId |
If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g. Microsafe). |
Password |
The server log in password. |
ReqRevCheck |
Indicates whether revocation checks on timestamps are required to succeed before signing. |
Size |
ASPKI requires the signature property to predict the size (in bytes) so that enough space can be set aside. |
URL |
A timestamp server URL such as http://www.example.com/tsp. |
User |
The server login username. |
|
Data type |
1 (int)
|
Default |
2 |
Version # |
7.0+ |
User Path |
Security\ASPKI\Adobe_TSPProvider |
Lock Path |
Not lockable |
Summary |
Indicates whether revocation checks on timestamps are required to succeed before signing. |
Details |
Failure does not affect signature creation or validation; it only results in defaulting to the local machine time. Interacts with other iReqRevCheck settings. The possible values include:
- 0: Don't do revocation checks.
- 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.
- 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
- 3: Require a check; it must succeed under all circumstances.
|
GUI mapping |
N/A |
|
Data type |
4 (string)
|
Default |
null |
Version # |
7.0+ |
User Path |
Security\ASPKI\Adobe_TSPProvider |
Lock Path |
Not lockable |
Summary |
If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g. Microsafe). |
Details |
The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment. |
GUI mapping |
The preference is populated when the user checks This server requires me to log on and then enters a username and password. |
|
Data type |
4 (string)
|
Default |
SHA1 |
Version # |
8.0+ |
User Path |
Security\ASPKI\Adobe_TSPProvider |
Lock Path |
Not lockable |
Summary |
The hashing algorithm OID used to hash the data to be timestamped. |
Details |
The valid values are:
- MD5: 1.2.840.113549.2.5
- SHA1: 1.3.14.3.2.26
- SHA256: 2.16.840.1.101.3.4.2.1
- SHA384: 2.16.840.1.101.3.4.2.2
- SHA512: 2.16.840.1.101.3.4.2.3
|
GUI mapping |
N/A |
Security Envelopes
These keys appear after a user creates a security envelope to deliver one or more documents securely. The keys in cMain remember the user choices such as the last search path for finding attachments and so on. An administrator could set a default value, but these values would be changed by user actions.
Summary table
LastEnvelope |
The ASPath to the last envelope used for Secure PDF Delivery. |
LastSearchPath |
The last path used for selecting files to include in an eEnvelope. |
LiveCycle Server Configuration
The preferences in EDC (a legacy name) define Adobe LiveCycle Rights Management Server connections. Users can specify servers through the Security Settings Console. However, administrators can preconfigure user machines to control the end user experience.
The following options are available:
- Setting a default server under cEDC. The default server appears with a star icon in the Security Settings Console.
- Controlling whether to use HTTP or HTTPS with bAllowConnectViaHTTP.
- Adding one or more servers into the known server list cEDC\KnownServers. These server definitions will appear in the Security Settings Console's server list.
- Locking down the settings so that the server configuration dialog will not appear in the user interface, thereby preventing end users from adding servers or changing server settings.
Summary table
AllowAPSConfig |
Prevents a LiveCycle Rights Management Server from being configured by disabling the menu option in the Security Settings Console. |
AllowConnectViaHTTP |
If true, the server connection URI uses the format http://server:port/path; otherwise, it uses the format https://server:port/path. |
LastServerURL |
The last APS server used to open a document and the server used for off line key synchronization. |
LockboxId |
Set if bSavePassword is not 0 to look up the password in a user's secure password cache. |
Name |
The user defined name for this server. |
SavePassword |
Indicates whether the password has been cached for this server. |
Server |
The DNS server name (e.g., alrms.adobe.com). |
ServerName |
The Adobe LiveCycle Rights Management Server selected by the user as the default. |
ServerURL |
The default server URL. |
|
Data type |
0 (bool)
|
Default |
1 |
Version # |
7.0+ |
User Path |
Security\EDC |
Lock Path |
Not lockable |
Summary |
If true, the server connection URI uses the format http://server:port/path; otherwise, it uses the format https://server:port/path. |
Details |
In either case, if the connection fails, an error message appears. For more information, see Guidelines for Developing CSPs for Acrobat on Windows. |
GUI mapping |
N/A |
|
Data type |
5 (text)
|
Default |
null |
Version # |
7.0+ |
User Path |
Security\EDC |
Lock Path |
Not lockable |
Summary |
The Adobe LiveCycle Rights Management Server selected by the user as the default. |
Details |
This is set via the user interface in the Security Settings Console either by creating a new server (the first one is the default) or by selecting an existing one. |
GUI mapping |
See details. |
Security Policy Favorites
The keys at Security\cPPKLite\cSP_Favorites contain an array of subkeys c0-cN where each index defines a favorite security policy. Both user and organizational policies can be favorites. Any policy marked as a favorite will appear in the user's favorites list. End users make a policy a favorite by opening the Manage Security Policies dialog, highlighting the policy, and choosing Favorites. A star icon appears to the left of the policy name and the policy becomes available in the top level menu.
The following options are available:
- Specifying a non-default handler for a policy.
- Marking one or more policies as a favorite.
- Specifying policy names.
Summary table
Handler |
An ASAtom specifying which PDCrypt handler knows how to handle this security policy. |
Id |
A string containing the security-policy.acrodata file key used to reference the policy that is being applied. |
IsFavorite |
Determines whether the referenced security policy is displayed as a favorite. |
Name |
The security policy name. |