Electronic signatures
Last updated 5/10/2016
How does it work?
Certificate authorities (CAs) — entities that provide digital signing credentials to other organizations and users — as
well as governments and businesses that provide certificates to their citizens and employees can apply to Adobe to join
the AATL program by submitting application materials and their root certificates (or another qualifying certificate).
After verifying that the applicant's services and credentials meet the assurance levels imposed by the AATL technical
requirements, Adobe adds the certificate(s) to the Trust List itself, digitally signs the Trust List with an Adobe corporate
digital ID that is linked to the Adobe Root certificate embedded in Adobe products, and then posts the list to a website
hosted by Adobe.
Afterwards, when any user receives a digitally signed document from a signer whose digital certificate can trace its
lineage (chain) back to a certificate on the AATL, that signature will automatically be trusted.
Why is this feature important?
When you receive a digitally signed document, both Reader and Acrobat ask three key questions to validate the
signature:
1. Is the digital certificate that signed the document still valid? Has it expired or been revoked?
2. Has the document been changed since it was signed? Has the integrity of the document been affected? If there are
   changes, are they allowed changes or not?
3. Finally, does this certificate chain up to a certificate listed in the Trusted Identity list? If so, the signature will be
   trusted automatically.
The answers to the first two questions are handled by Acrobat and Reader based on an analysis of the information
contained within the certificate and the signed document itself. However, it's the answer to the third question that has
always posed a challenge to the electronic signatures marketplace. How do you know if you can trust a digital signature?
What aspects of the signer's digital certificate/credential should be noted? How important is verifying the signer's
identity, and how critical is the storage of the signing key itself?
Adobe understands that the relying party must be free to make its own trust decisions based on its unique
circumstances. However, Adobe has also been looking at ways to help relying parties make this determination and in
so doing make the process of using digital signatures that much easier. The Adobe Approved Trust List is simply the
latest in these efforts.
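The three validation questions above, worked through as an added example; this is not Adobe's code and not how Acrobat or Reader is implemented. It is a simplified model: certificates are plain records linked by issuer name, the trust list is a set of names, the first question is applied to every certificate in the chain, and no cryptographic signature on any chain link is verified, which a real validator must do. All names and data are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate; real ones are X.509."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def build_chain(signer, pool, trust_list):
    """Follow issuer links from the signer until a trust-list entry,
    a self-signed certificate, an unknown issuer, or a loop."""
    chain, seen, cert = [], set(), signer
    while cert is not None and cert.subject not in seen:
        chain.append(cert)
        seen.add(cert.subject)
        if cert.subject in trust_list or cert.issuer == cert.subject:
            break
        cert = pool.get(cert.issuer)
    return chain

def validate(doc, signed_digest, signer, pool, trust_list, revoked, now):
    """Answer the three questions for one signature (simplified model)."""
    chain = build_chain(signer, pool, trust_list)
    # Q1: validity period and revocation, applied here to the whole chain.
    cert_valid = all(c.not_before <= now <= c.not_after
                     and c.subject not in revoked for c in chain)
    # Q2: the document bytes still match the digest recorded at signing.
    unchanged = hashlib.sha256(doc).hexdigest() == signed_digest
    # Q3: the chain ends at a certificate on the trust list.
    anchored = chain[-1].subject in trust_list
    return {"cert_valid": cert_valid, "unchanged": unchanged, "anchored": anchored,
            "trusted": cert_valid and unchanged and anchored}

# Constructed sample data: hypothetical names, no real CA or trust list.
NOW = datetime(2016, 5, 10, tzinfo=timezone.utc)
def make_cert(subject, issuer, end_year=2020):
    return Cert(subject, issuer, datetime(2015, 1, 1, tzinfo=timezone.utc),
                datetime(end_year, 1, 1, tzinfo=timezone.utc))
ALICE = make_cert("Alice", "Example Issuing CA")
POOL = {c.subject: c for c in (make_cert("Example Issuing CA", "Example Root CA"),
                               make_cert("Example Root CA", "Example Root CA"))}
TRUST_LIST = {"Example Root CA"}
DOC = b"%PDF-1.7 constructed sample contract"
DIGEST = hashlib.sha256(DOC).hexdigest()
RESULT = validate(DOC, DIGEST, ALICE, POOL, TRUST_LIST, set(), NOW)  # all four True
```

A signature that passes the first two checks but whose chain never reaches the trust list comes back with `anchored` false, which is the case the relying party has to decide for itself.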
How does this program compare to the CDS program?
Back in 2005, Adobe unveiled the Certified Document Services (CDS) program, which automatically trusts new digital
IDs that are chained to (part of the family of) the Adobe Root certificate embedded in Adobe products. CDS, the
predecessor to the AATL, has five certificate authorities offering certificates. While the high-level benefits of the Adobe
Approved Trust List program are similar, existing certificate communities, such as government eID programs, can join
the Trust List, as the chain to the Adobe Root certificate is not required.
Why would my organization want to join?
If you represent an organization or government that already has a significant investment in digital certificates (that is,
hundreds of thousands of users), and these certificates are being used to sign PDF documents, then you already know
the importance of trust and how confusion over a digital signature can lead to support calls, questions, and general
uneasiness about using a digital signature. The AATL program provides an easy way for all your certificate holders,
assuming they meet the technical requirements, to sign documents confidently, knowing that recipients will not only
get the cost savings and a resulting "green" benefit from staying with an electronic document, but also the
integrity-checking and trusted green checkmark/blue ribbon experience when they open the document.