Enabling Secure Business Operations

Adding Revocation Data in Acrobat 9.1

The recent release of Acrobat 9.1 included a new feature that helps an organization preserve records of validation information on signed documents.  This new feature is called “Document Validation Information”, and using it is quite simple.  (Note:  this can only be performed in the full version of Acrobat 9.1, or in Reader 9.1 using a Reader-Enabled document.)

The digital signature must be validated in the currently open document, as this feature is only available for valid signatures.  In an open PDF document, right-click the digital signature (either in the document, or from the signature panel), and the following context menu is shown:

[Image: Acrobat 9.1 Context Menu]

Click the Add Verification Information shortcut to embed the certificates and revocation objects used to validate the signature, and save the file.  These objects are saved as unsigned objects appended to the PDF file.  Now, when the document is opened, the embedded validation information can be used to check the signature, unless the user specifically configures Acrobat to ignore it.

In addition to being useful from a long-term validation standpoint, this feature would also be beneficial in a bridge PKI environment.  When a document is signed by one participant in a bridged PKI with the “Embed revocation information” option selected in Acrobat, only the certificates and CRLs/OCSP responses that chain up to the signer’s trust root are included.  When this signature is verified by a member of another organization across the bridge, that embedded set is insufficient, as members of the bridged organizations typically do not explicitly trust the other’s root certificate.  When the relying party embeds the document verification information, it will include the certificates and CRLs required to validate the signer’s certificate, through the bridge CA, and up to the relying party’s own trust anchor.
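The bridge scenario above, as an added example that is not from the original post: a names-only model of certification path building, with no signature or revocation checking. The organization names, the certificates, and the `build_path` helper are all constructed for illustration.

```python
from collections import namedtuple

# Simplified certificate: subject and issuer names only (constructed model).
Cert = namedtuple("Cert", "subject issuer")

def build_path(cert, pool, anchors, seen=frozenset()):
    """Return the chain from cert up to a cert issued by a trust anchor, or None."""
    if cert.issuer in anchors:
        return [cert]
    if cert in seen or cert.subject == cert.issuer:
        return None  # loop between cross-certificates, or an untrusted self-signed root
    for parent in pool:
        if parent.subject == cert.issuer:
            rest = build_path(parent, pool, anchors, seen | {cert})
            if rest:
                return [cert] + rest
    return None

# Constructed sample PKI: Org A signs, Org B relies, joined by a bridge CA.
SIGNER = Cert("Alice (Org A)", "OrgA Issuing CA")
ISSUING_A = Cert("OrgA Issuing CA", "OrgA Root")
ROOT_A = Cert("OrgA Root", "OrgA Root")          # self-signed root of Org A
CROSS_A = Cert("OrgA Root", "Bridge CA")         # bridge cross-certifies Org A
CROSS_BRIDGE = Cert("Bridge CA", "OrgB Root")    # Org B cross-certifies the bridge

# What the signer embeds: only the chain up to the signer's own root.
SIGNER_EMBEDDED = [ISSUING_A, ROOT_A]
# What the relying party embeds: the chain through the bridge to its own anchor.
RELYING_EMBEDDED = [ISSUING_A, CROSS_A, CROSS_BRIDGE]

def describe(path):
    """Render a path as 'subject <- issuer' hops, or a failure marker."""
    if path is None:
        return "no path to a trusted anchor"
    return " | ".join(f"{c.subject} <- {c.issuer}" for c in path)

if __name__ == "__main__":
    cases = [
        ("Org A verifier, signer-embedded data", SIGNER_EMBEDDED, {"OrgA Root"}),
        ("Org B verifier, signer-embedded data", SIGNER_EMBEDDED, {"OrgB Root"}),
        ("Org B verifier, own embedded data", RELYING_EMBEDDED, {"OrgB Root"}),
    ]
    for label, pool, anchors in cases:
        print(f"{label}: {describe(build_path(SIGNER, pool, anchors))}")
```

In a real validator each hop would also need a signature check and a CRL or OCSP response, which is why the relying party's embedded set carries revocation data for the cross-certificates as well.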

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
