
Digital Signatures


These settings pertain to content security (security features) rather than application security (securing the software environment). Content security includes digital signatures, security methods such as password and certificate security, and other rights management features.

Note the following:

Most of these settings are applicable to Windows, Macintosh, Unix, and Linux systems.

The examples use Acrobat; other applications may provide different menu options.

The security preferences folder does not appear in the registry until a security feature is used. Many subdirectories likewise appear only as the corresponding code paths are exercised. For more information, refer to the Digital Signatures Guide and related documentation.

This preference category contains the following subfeature(s):

Signing: RSA-PSS Configuration

The DC release supports RSA-PSS signing on Windows (April 2017) and Macintosh (August 2017). Classic track support (Windows and Macintosh) was added in November 2018. RSA-PSS (Probabilistic Signature Scheme) is an RSA signature scheme that provides increased security assurance. For more details see https://www.emc.com/emc-plus/rsa-labs/historical/raising-standard-rsa-signatures-rsa-pss.htm. Support currently includes:

Acrobat and Reader DC

Signature validation

Signature creation with digital ID files (PFX/P12)

Signature creation with digital IDs imported to Windows Certificate Store and devices such as smart cards supporting Cryptography API: Next Generation (CNG). CNG is designed to replace the legacy CryptoAPI. In addition to increased security, CNG is extensible and cryptography agnostic. For more detail and a list of features, see https://msdn.microsoft.com/en-us/library/windows/desktop/bb204775(v=vs.85).aspx

Signature creation with devices that use the legacy CryptoAPI is not supported.

Summary table

Specifies the hash algorithm used for RSA-PSS signing.

Specifies whether a signature should be created with the RSA-PSS algorithm.

Specifies the Salt Length the RSA-PSS algorithm uses.

boolean: DWORD value > REG_DWORD

DC continuous track only: Windows April, 2017; Mac August 2017

Security\cPubSec\cRSAPSSSigning\

Not lockable

Specifies whether a signature should be created with the RSA-PSS algorithm.

Possible values include:

0: Do not sign with the RSA-PSS algorithm.

1: Use the RSA-PSS algorithm.

atom: String value > REG_SZ

DC continuous track only: Windows April, 2017; Mac August 2017

Security\cPubSec\cRSAPSSSigning\

Not lockable

Specifies the hash algorithm used for RSA-PSS signing.

If bEnableRSAPSSSigning is enabled, this preference specifies the hash algorithm. If this preference is not present or has a null value, then the value specified by aSignHash is used. If aSignHash is not specified, then SHA256 is used. Possible values include:

SHA1

SHA224

SHA256

SHA384

SHA512

integer: DWORD value > REG_DWORD

DC continuous track only: Windows April, 2017; Mac August 2017

Security\cPubSec\cRSAPSSSigning\

Not lockable

Specifies the Salt Length the RSA-PSS algorithm uses.

When setting the salt length in the Registry Editor, remember that the value dialog defaults to hexadecimal. Either switch the base to decimal or enter the hex equivalent of the byte count. For example, a decimal salt length of 32 is entered as the hex value 20.
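The following PowerShell is an added example for applying the three RSA-PSS preferences above; it is not Adobe's own code. It assumes the per-user preference root for Acrobat DC is HKCU:\Software\Adobe\Adobe Acrobat\DC, and it assumes the hash and salt value names aRSAPSSHashAlgorithm and iRSAPSSSaltLength (only bEnableRSAPSSSigning is named on this page), so confirm both names against your build before deploying.

```powershell
# Added example, not from Adobe's preference reference.
# Assumed per-user preference root for Acrobat DC:
$AcrobatUserRoot = 'HKCU:\Software\Adobe\Adobe Acrobat\DC'
# Key path as documented on the page:
$RsaPssKey = Join-Path $AcrobatUserRoot 'Security\cPubSec\cRSAPSSSigning'

function Set-AcrobatRsaPssSigning {
    param(
        # The five hash values the reference lists; SHA256 is the documented fallback.
        [ValidateSet('SHA1', 'SHA224', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Hash = 'SHA256',
        # Salt length in bytes; 32 matches the SHA-256 digest length.
        [ValidateRange(0, 512)]
        [int] $SaltLength = 32
    )
    if (-not (Test-Path $RsaPssKey)) { New-Item -Path $RsaPssKey -Force | Out-Null }

    # DWORDs are passed as decimal integers and stored as REG_DWORD directly, so the
    # regedit hex/decimal base mix-up described above cannot occur here.
    # Value names aRSAPSSHashAlgorithm and iRSAPSSSaltLength are assumptions.
    New-ItemProperty -Path $RsaPssKey -Name 'bEnableRSAPSSSigning' -PropertyType DWord  -Value 1           -Force | Out-Null
    New-ItemProperty -Path $RsaPssKey -Name 'aRSAPSSHashAlgorithm' -PropertyType String -Value $Hash       -Force | Out-Null
    New-ItemProperty -Path $RsaPssKey -Name 'iRSAPSSSaltLength'    -PropertyType DWord  -Value $SaltLength -Force | Out-Null
}

function Get-AcrobatRsaPssSigning {
    # Read the key back and show the salt both ways, which is what regedit displays.
    $p = Get-ItemProperty -Path $RsaPssKey
    [pscustomobject]@{
        Enabled     = ($p.bEnableRSAPSSSigning -eq 1)
        Hash        = $p.aRSAPSSHashAlgorithm
        SaltDecimal = $p.iRSAPSSSaltLength
        SaltHex     = '0x{0:X8}' -f [int]$p.iRSAPSSSaltLength   # 32 -> 0x00000020
    }
}

Set-AcrobatRsaPssSigning -Hash 'SHA256' -SaltLength 32
Get-AcrobatRsaPssSigning
```

Writing the values through the registry provider sidesteps the hexadecimal default of the Registry Editor; the read-back function prints the hex form so that a value pasted from regedit (for example 0x32, which is decimal 50) is easy to spot.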

Addressbook Import

The address book stores data for certificates used in digital signature and certificate encryption workflows. During a major upgrade (e.g. 10.x to 11.x), the product looks for existing address books on each user machine. Prior to install, you should decide whether to deploy a generic, enterprise address book or let the existing address book on each machine be imported into the new product. By default, when end users first launch the product, the application prompts them to import any discovered address book. The application looks for existing address books from previous product versions by searching directories in this order:

(root)\AppData\Roaming\Adobe\Acrobat\11.0\addressbook.acrodata

(root)\AppData\Roaming\Adobe\Acrobat\10.0\addressbook.acrodata

(root)\AppData\Roaming\Adobe\Acrobat\9.0\addressbook.acrodata

(root)\Program Files (x86)\Adobe\Acrobat {current version such as 11.0}\Acrobat\Replicate

Summary table

Specifies whether the addressbook.acrodata file should be imported during a new install.

integer: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

Specifies whether the addressbook.acrodata file should be imported during a new install.

Many admins set a value of 2 so that the import dialog does not appear for end users. Possible values include:

0: Do not copy the old address book. The user is NOT prompted and the address book should NOT be installed.

1 or null: Default: The user is asked whether the address book should either be installed or not.

2: Import the address book silently.

Security Setting Import

9.x products introduced a security feature that includes the ability to import and export security settings via an .acrobatsecuritysettings file, thereby enabling easier version upgrades as well as configuration of multiple machines. The security settings import/export feature offers several advantages over FDF files:

Most document security and digital signature related settings can be encapsulated in an acrobatsecuritysettings file, whereas FDF could only transport one setting type at a time and could not encapsulate registry settings at all.

One file can be used instead of many files.

Trust can be assigned to imported files on the fly, thereby simplifying workflows. Files can be signed and encrypted.

Updates can be configured to occur automatically on a specified schedule.

Use security settings files to back up and restore settings, to distribute settings in a workgroup or enterprise, and to send specific information to another user. Importing settings simply involves importing a file from a network (including automatically from a server) that has been exported from Acrobat and has then been made available from a trusted source.

The following options are available:

Specifying whether or not to poll a server for settings to import at regular intervals.

Configuring whether or not the user should grant permission prior to installing new settings.

Specifying a particular certificate so the signed settings will only be imported from a trusted source.

Summary table

Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.

The polling interval to check the specified server for an updated security settings file.

An internally used number created by Acrobat when it first sets up the "resource" pointed to by the URL. It is not user customizable.

Specifies a certificate that must be used to sign the imported security settings file.

Specifies whether to load security settings from a server.

Specifies the signing certificate for the imported settings file.

The server URL where the acrobatsecuritysettings file to import resides.

Binary data used for internal purposes.

integer: DWORD value > REG_DWORD

1209600

Security\cDigSig\cCustomDownload

Not lockable

The polling interval to check the specified server for an updated security settings file.

The application can automatically check for and import a security settings file at regular intervals. The value is the number of seconds between checks for updates. Prior to March 2012, the default was 2419200. Possible values include:

604800: 1 week

1209600: 2 weeks (Default)

2419200: 1 month

7257600: 3 months

Preferences > Security > Security Settings panel > "Check every" radio buttons

string: Binary value > REG_BINARY

Security\cDigSig\cCustomDownload

Not lockable

The server URL where the acrobatsecuritysettings file to import resides.

These settings include all the settings that can be configured, imported, and exported from an .acrobatsecuritysettings file.

Preferences > Security > Security Settings panel > URL text box

string: Binary value > REG_BINARY

9.0: 0; 10.0: 1

Security\cDigSig\cCustomDownload

Not lockable

Specifies whether to load security settings from a server.

Possible values include:

0: Don't load settings from a server.

1: Do load settings from a server.

Preferences > Security > Security Settings panel > URL text box

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cDigSig\cCustomDownload

Not lockable

Specifies a certificate that must be used to sign the imported security settings file.

The value is a hexadecimal string corresponding to the SHA-1 hash of the certificate used to sign the settings file.

Preferences > Security > Security Settings panel > Settings must be signed by field

text: String value > REG_SZ

Allow Any Certificate

Security\cDigSig\cCustomDownload

Not lockable

Specifies the signing certificate for the imported settings file.

Admins can specify specific certificates that must be used to sign a settings file.

0: Allow Any Certificate

1: Any user-specified certificate

Preferences > Security > Settings must be signed by

boolean: DWORD value > REG_DWORD

Security\cDigSig\cCustomDownload

Not lockable

Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.

0: Enable and install silently

1: Enable and ask before installing

Preferences > Security > Security Settings panel > Ask before updating

string: Binary value > REG_BINARY

Security\cDigSig\cCustomDownload

Not lockable

An internally used number created by Acrobat when it first sets up the "resource" pointed to by the URL. It is not user customizable.

string: Binary value > REG_BINARY

Security\cDigSig\cCustomDownload\cLastChecked\

Not lockable

Binary data used for internal purposes.

It is not set during installation or for tuning pre-deployment clients. It can safely be deleted in an existing environment.

Extended Certificate Information

Summary table

Contains a subkey for each certificate with extended information.

Contains a subkey for each certificate with extended information provided by attribute certificates.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPubSec

Not lockable

Contains a subkey for each certificate with extended information provided by attribute certificates.

The subkeys take the form c{DIGEST} where {DIGEST} is a SHA-1 digest of the associated certificate's public key encoded as hexadecimal. For example, \cPubSec\cExtendedCertInfo\cAD6716326BDAC87628DFAD6716326. Each subkey contains the friendly name, related ID card, and associated attribute certificates.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPubSec

Not lockable

Contains a subkey for each certificate with extended information.

The subkeys take the form c|{DN} where {DN} is the issuer certificate's distinguished name. For example, \cPubSec\cCertIssuers\c|cn=Adobe Systems, o=Acrobat Engineering. Each subkey contains the associated ID card for this issuer certificate.
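Two of the values in this reference are SHA-1 digests of a certificate: the "Settings must be signed by" preference of the Security Setting Import section holds the SHA-1 hash of the signing certificate, and the cExtendedCertInfo subkeys above are named c{DIGEST} from the SHA-1 of the public key. The PowerShell below is an added example, not Adobe's code, that derives both from a certificate file so an administrator can pin a signer or locate a subkey. It assumes that the bytes Acrobat hashes for {DIGEST} are the ones X509Certificate2.GetPublicKey() returns (the page does not say whether the digest covers the raw key or the full SubjectPublicKeyInfo), that the per-user preference root is HKCU:\Software\Adobe\Adobe Acrobat\DC, and that the issuer name formatting in c|{DN} may differ in case and order from what .NET prints; compare the results against an existing subkey before relying on them.

```powershell
# Added example, not part of Adobe's documentation.
# Assumed per-user preference root for Acrobat DC:
$AcrobatUserRoot = 'HKCU:\Software\Adobe\Adobe Acrobat\DC'

function Get-AcrobatCertDigests {
    param([Parameter(Mandatory)] [string] $CertPath)   # DER (.cer) or, on newer .NET, PEM

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        # Assumption: GetPublicKey() yields the key bytes Acrobat hashes for c{DIGEST}.
        $pubKeyDigest = -join ($sha1.ComputeHash($cert.GetPublicKey()) | ForEach-Object { $_.ToString('X2') })
    } finally {
        $sha1.Dispose()
    }

    $extendedInfoSubkey = "c$pubKeyDigest"
    $issuerSubkey       = "c|$($cert.Issuer)"   # .NET prints 'CN=..., O=...'; the page shows lower-case attribute names

    [pscustomobject]@{
        Subject               = $cert.Subject
        # Thumbprint is the SHA-1 over the DER certificate: the form used for "Settings must be signed by".
        SignerThumbprintSha1  = $cert.Thumbprint
        ExtendedInfoSubkey    = $extendedInfoSubkey
        ExtendedInfoPresent   = Test-Path (Join-Path $AcrobatUserRoot "Security\cPubSec\cExtendedCertInfo\$extendedInfoSubkey")
        IssuerSubkey          = $issuerSubkey
        IssuerSubkeyPresent   = Test-Path (Join-Path $AcrobatUserRoot "Security\cPubSec\cCertIssuers\$issuerSubkey")
    }
}

# Usage (the path is a placeholder):
Get-AcrobatCertDigests -CertPath 'C:\certs\settings-signer.cer'
```

Pinning the settings signer to a thumbprint computed from a certificate you control, rather than leaving the preference at Allow Any Certificate, is what turns server-delivered .acrobatsecuritysettings files from a trust-on-first-use channel into a signed one.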

IdenTrust Preferences

Summary table

The default chain scope in which to look for the policy OIDs.

An array of strings containing the policy OIDs for a certificate to be considered acceptable.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

"iEnd"=dword:00000002 and "iStart"=dword:00000002

Security\cAcceptablePolicyOIDs\

Not lockable

The default chain scope in which to look for the policy OIDs.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

See desc.

Security\cAcceptablePolicyOIDs\c(some integer)\

Not lockable

An array of strings containing the policy OIDs for a certificate to be considered acceptable.

For ICA certificates, set to 1.2.840.114021.1.6.1 and 1.2.840.114021.1.2.1.

For EE certificates, set to 1.2.840.114021.1.4.1, 1.2.840.114021.1.4.2, 1.2.840.114021.1.7.2, 1.2.840.114021.1.10.1, 1.2.840.114021.1.10.2, 1.2.840.114021.1.13.2, 1.2.840.114021.1.16.2, 1.2.840.114021.1.19.2, 1.2.840.114021.1.22.2, 1.2.840.114021.1.25.2, 1.2.840.114021.1.28.2, 1.2.840.114021.1.30.2.

Custom Security Handlers

Security handlers are Acrobat plugins. Information about creating plugins in general and security handlers in particular can be found in the Acrobat Software Development Kit (SDK) and its HFTs, header files, and other API documentation. Because Acrobat's Adobe.PPKLite is becoming more feature rich with each release, it is unlikely that you will need a custom security handler.

Adobe.PPKLite is the default security handler used for performing private key functions, validating signatures, and signing and encrypting documents. This is represented in the user interface as Adobe Default Security in the Digital Signatures Advanced Preferences dialog on both the Verification and Creation tabs. Administrators can install custom handlers to perform these functions, in which case the drop down lists on these tabs will list the additional handlers. All entries in the cHandler folder are reset by the Digital Signature Preferences dialog's Reset button.

If a custom handler is used, you can specify the following:

Separate handlers for signing/encryption and signature validation.

The default method displayed in the drop-down list of handlers.

Lock down the selections so they cannot be modified by end users.

Summary table

Remembers a preferred handler for accessing Trusted Identity Manager functions including certificate data import from an FDF file.

Remembers a preferred handler for directory functions (e.g. LDAP), including for importing directory information from an FDF data exchange file.

Used by DigSig and PubSec to store the handler that accesses private key functions.

Remembers the name of the preferred handler to use when verifying signatures.

Qualifies the use of aVerify.

The last on-screen coordinates of a handler's digital ID selection dialog

atom: String value > REG_SZ

Adobe.PPKLite

Security\cHandlers

FeatureLockDown\cSecurity\cHandlers

Used by DigSig and PubSec to store the handler that accesses private key functions.

It is used for signing, decryption, and responding to an FDF file request to export contact information. The value should be set to Adobe.NoHandler if it is desired that the user be asked to select a handler.

Preferences > Security > Advanced Preferences > Creation tab > Method to use When Signing and Encrypting Documents

atom: String value > REG_SZ

Adobe.NoHandler

Security\cHandlers

FeatureLockDown\cSecurity\cHandlers

Remembers the name of the preferred handler to use when verifying signatures.

If this value is not set, then the handler used to verify signatures is the handler that matches the Filter attribute in the signature dictionary; if this handler is not available, then the user is prompted to select a handler. If this value is set then, its meaning is qualified by the value of bVerifyUseAlways.

Adobe.NoHandler: Use the document-specified method, prompt if it is not available.

Adobe.PPKLite: Use the document-specified method, use the default method if it is not available.

The value set in aPrivKey: Always use the default method (overrides the document-specified method). Takes the value selected from Default Method for Verifying Signatures.

Preferences > Security > Advanced Preferences > Verification tab > the radio button selections under "When Verifying:"

boolean: DWORD value > REG_DWORD

Security\cHandlers

FeatureLockDown\cSecurity\cHandlers

Qualifies the use of aVerify.

If true and aVerify is set to a handler name, then this handler is used to verify all signatures. If false, then the aVerify handler is used only to verify signatures when the handler specified by the signature dictionary Filter attribute is not present.

Preferences > Security > Advanced Preferences > Always use the default method (overrides the document-specified method)
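The interaction between aPrivKey, aVerify and bVerifyUseAlways is the part of this section administrators most often get wrong, so here is an added PowerShell example (not Adobe's code) that pins both the signing and the verification handler machine-wide through the lockable FeatureLockDown\cSecurity\cHandlers key and reports the effective policy. It assumes the HKLM lockdown root for Acrobat DC is HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown and must be run from an elevated session.

```powershell
# Added example, not Adobe's own code.
# Assumed machine-wide lockdown root for Acrobat DC; the cSecurity\cHandlers suffix is from the page.
$LockdownKey = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cSecurity\cHandlers'

function Set-AcrobatHandlerLockdown {
    param([string] $Handler = 'Adobe.PPKLite')   # the built-in default handler
    if (-not (Test-Path $LockdownKey)) { New-Item -Path $LockdownKey -Force | Out-Null }

    # aPrivKey: handler for signing and decryption.
    # aVerify:  handler for signature validation.
    # bVerifyUseAlways = 1: aVerify overrides the Filter named in the signature dictionary,
    # so a document cannot steer validation to a third-party handler.
    New-ItemProperty -Path $LockdownKey -Name 'aPrivKey'         -PropertyType String -Value $Handler -Force | Out-Null
    New-ItemProperty -Path $LockdownKey -Name 'aVerify'          -PropertyType String -Value $Handler -Force | Out-Null
    New-ItemProperty -Path $LockdownKey -Name 'bVerifyUseAlways' -PropertyType DWord  -Value 1        -Force | Out-Null
}

function Get-AcrobatHandlerPolicy {
    # Describe what the current lockdown actually enforces, following the rules on this page.
    if (-not (Test-Path $LockdownKey)) {
        return 'No handler lockdown present: users may pick any installed handler.'
    }
    $p      = Get-ItemProperty -Path $LockdownKey
    $always = ([int]$p.bVerifyUseAlways) -eq 1

    if ($p.aVerify -and $always) {
        $finding = "Verification pinned to $($p.aVerify) for all signatures."
    } elseif ($p.aVerify) {
        $finding = "$($p.aVerify) is only a fallback; the signature dictionary's Filter handler is still preferred."
    } else {
        $finding = 'No verification handler set; users are prompted when the Filter handler is missing.'
    }

    [pscustomobject]@{
        SigningHandler     = $p.aPrivKey
        VerifyHandler      = $p.aVerify
        OverridesDocFilter = $always
        Finding            = $finding
    }
}

Set-AcrobatHandlerLockdown -Handler 'Adobe.PPKLite'
Get-AcrobatHandlerPolicy
```

Setting aVerify without bVerifyUseAlways only changes what happens when the document's own handler is absent; the report makes that distinction visible so a lockdown that looks complete in regedit is not mistaken for an enforced one.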

atom: String value > REG_SZ

Security\cHandlers

Not lockable

Remembers a preferred handler for accessing Trusted Identity Manager functions including certificate data import from an FDF file.

atom: String value > REG_SZ

Security\cHandlers

Not lockable

Remembers a preferred handler for directory functions (e.g. LDAP), including for importing directory information from an FDF data exchange file.

integer: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

The last on-screen coordinates of a handler's digital ID selection dialog

It is a subkey containing 4 keys: Top, Bottom, Left, and Right. This preference could be used by 3rd party handlers or by someone invoking a non-signing digital ID selection dialog via JavaScript.

FDF Import and Export

The File Data Exchange Format (FDF) provides a format for easily importing and exporting certificate data and application settings. These settings appear in Security\cPubSec after a client uses the feature.

The default values are stored internally by the application and are not visible in the registry. An administrator can set the default behavior, but your configuration is subject to modification by end users via the user interface.

The following features are available:

Specifying whether the default export behavior is to save or email the file.

Specifying whether the default export behavior is to sign the file.

Specifying whether the default certificate request behavior is to save or email the file.

Enabling or disabling WebBuy FDF processing (deprecated).

Summary table

Persists whether the user chose to save (1) or email (0) the FDF during export.

Persists whether the user chose to sign the FDF during export.

Similar to bFDFRequestSave.

Caches a user's answer to the question whether they want to save the request as an FDF or email it directly when that user requests a certificate.

Enables WebBuy FDF file processing.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Persists whether user chose to save (1) or email (0) the FDF during export.

Save as and Email radio buttons in export dialog.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Persists whether the user chose to sign the FDF during export.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Similar to the bFDFRequestSave.

False includes the user's certificate in all certificate requests. True excludes it.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Caches a user's answer to the question whether they want to save the request as an FDF or email it directly when that user requests a certificate.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Enables WebBuy FDF file processing.

Security Settings Console

Security Settings Console preferences persist information about the state of the console user interface. These preferences are user generated and implementation specific and are likely to change across application versions. These keys are not customizable and are provided for informational purposes only.

Summary table

An array of binary IDs for all categories in the tree view that were opened.

Indicates (in pixels) the position of the horizontal window splitter.

Indicates (in pixels) the position of the vertical window splitter.

A binary ID of the last-selected category in the tree view.

integer: DWORD value > REG_DWORD

Security\cSecurityConsole\

Not lockable

Indicates (in pixels) the position of the vertical window splitter.

integer: DWORD value > REG_DWORD

Security\cSecurityConsole\

Not lockable

Indicates (in pixels) the position of the horizontal window splitter.

Security\cSecurityConsole\

Not lockable

A binary ID of the last-selected category in the tree view.

Security\cSecurityConsole\

Not lockable

An array of binary IDs for all categories in the tree view that were opened.

Certificate Viewer Configuration

By default, the Certificate Viewer builds and displays the trusted chain from the EE to the trust anchor. However, it is possible to show all found chains whether they are trusted or not. While most users do not need this information, it can be used for troubleshooting and verification. End users can turn this option on and off by using the Certificate Viewer's checkbox Show all certification paths found.

Summary table

Specifies whether to show all chains in the Certificate Viewer.

boolean: DWORD value > REG_DWORD

Security\cPPKHandler

Not lockable

Specifies whether to show all chains in the Certificate Viewer.

If true, the Certificate Viewer shows all the chains; otherwise, it shows only the trusted chain. If there are no trusted chains, then all the chains are shown and this preference is ignored.

Password Caching

By default, password caching is turned on so that users will not always have to enter a password when one is required. This feature affects Adobe LiveCycle Rights Management Server login, signing with digital IDs in the Acrobat store (pfx or p12 files), changing password timeout policies, and creating new password security policies. For example, setting the option to false disables the menu option "Save password with the policy" when creating a new policy.

The following options are available:

Controlling whether some passwords are cached to disk.

Disabling the option to save a password with a policy.

Streamlining Adobe LiveCycle Rights Management Server workflows. This key does not exist in HKCU. It can only be used in HKLM.

Note: Disabling "Never ask for password" on a digital ID's password timeout dialog does not work in version 9.0.

Summary table

Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs.

boolean: DWORD value > REG_DWORD

FeatureLockDown\cSecurity\cPPKLite

Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs.

If false, users are prompted to enter a password every time one is required. Not all passwords are affected by this setting.

User interface items where passwords are used: Save passwords with the policy in the New Security Policy dialog; Never checkbox on the Password timeout dialog.

Examine Document

The Examine Document dialog box identifies hidden document information that might pose a risk to the integrity of security and signature workflows. Found content is listed and linked to in the Examine Document pane. Users can click on a link to view the content and check/uncheck items to mark them for removal. Checked items are removed when the user selects the Remove button.

The following options are available:

Examining a document each time it is closed.

Examining a document each time it is emailed.

Summary table

Automatically examines the document for hidden content when it is closed.

Automatically examines the document for hidden content when it is sent in an email.

Specifies whether to remove hidden content when sanitizing a document.

boolean: DWORD value > REG_DWORD

Not lockable

Automatically examines the document for hidden content when it is closed.

Preferences > Document > Examine document when closing document

boolean: DWORD value > REG_DWORD

Not lockable

Automatically examines the document for hidden content when it is sent in an email.

Preferences > Document > Examine document when sending document by email

boolean: DWORD value > REG_DWORD

October, 2020 Continuous track only

Not lockable

Specifies whether to remove hidden content when sanitizing a document.

During sanitization workflows, the app automatically rasterizes the document if overlapping content exists. This can result in a large file size increase. Disable this feature to avoid extremely large files.

0: Remove hidden (overlapping) content.

1: Do not remove hidden content when sanitizing a document.

Preferences > Document > Do not remove overlapping content while sanitizing document

Roaming ID Configuration

These preferences are only used for signature workflows where users access roaming IDs on a roaming ID server. While the needed configuration can be handled through the user interface by end users, you can set the following:

Specifying a default roaming ID server: When a user adds a roaming ID account through the GUI, a dialog asks for a friendly name and a server URL. If no other accounts have been configured and cDefaultServerInfo exists in the preferences, its values populate both the friendly server name and URL fields in the Add a Roaming ID dialog.

Specifying one or more authentication methods.

Summary table

A user friendly roaming ID server name.

The URL of the Roaming ID server.

text: String value > REG_SZ

Security\cASPKI\cAdobe_RoamingID\cDefaultServerInfo

Not lockable

A user friendly roaming ID server name.

Add a Roaming ID panel.

text: String value > REG_SZ

Security\cASPKI\cAdobe_RoamingID\cDefaultServerInfo

Not lockable

The URL of the Roaming ID server.

Add a Roaming ID panel.

Roaming ID Provider Persistent Storage

These preferences store roaming ID server data. Some values are provided by the user and some are provided by the server. These keys cannot be customized and are provided for informational purposes only.

Summary table

Contains entries for user accounts on roaming ID servers that the provider knows about.

Contains an array of roaming ID server URLs recently entered by the user.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler\cRC(version)

Not lockable

Contains entries for user accounts on roaming ID servers that the provider knows about.

Every account is identified by a unique 9-character key such as cAB2CFECD.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler\cRC(version)

Not lockable

Contains an array of roaming ID server URLs recently entered by the user.

Roaming ID Server Data

These preferences are created as a result of communications with a roaming ID server. Whether or not you customize these settings is determined by the needs of your particular implementation.

Summary table

The value is provided by the server.

Holds an encrypted SAML assertion obtained during the last successful authentication.

Holds the time after which the roaming ID provider will not attempt to use the SAML assertion stored in cSAML_Assertion.

Holds the URL of the authentication server from which the SAML assertion stored in cSAML_Assertion was obtained.

SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.

SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.

SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.

The SASL id of the authentication mechanism.

The mechanism-specific persistent data.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler\cRC

Not lockable

The value is provided by the server.

An array of certificates corresponding to digital IDs available through this account. The certificates are in the binary X.509 format.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler\cRC

Not lockable

Holds an encrypted SAML assertion obtained during the last successful authentication.

Possession of this assertion is proof of a user's identity. Therefore, the assertion is encrypted using the 256-bit AES algorithm in CBC mode. The encryption key is stored in the Microsafe database, which is protected by the OS login. There are two binary entries under the cSAML_Assertion cab: xEncryptedData contains the encrypted assertion, and xIV contains the initialization vector used by the AES encryption algorithm for this assertion.

text: String value > REG_SZ

Security\cPPKHandler\cRC

Not lockable

Holds the time after which the roaming ID provider will not attempt to use the SAML assertion stored in cSAML_Assertion.

This time is calculated when an assertion is first obtained and takes into account the clock difference between the client machine and the server that generated the assertion. Time is represented in BER GeneralizedTime format without the type and length octets.

text: String value > REG_SZ

Security\cPPKHandler\cRC

Not lockable

Holds the URL of the authentication server from which the SAML assertion stored in cSAML_Assertion was obtained.

text: String value > REG_SZ

Security\cPPKHandler\cRC

Not lockable

SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.

The identifier is essentially a machine-readable user name that is unaffected by the choice of authentication mechanisms.

text: String value > REG_SZ

Security\cPPKHandler\cRC

Not lockable

SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.

The identifier is essentially a machine-readable user name that is unaffected by the choice of authentication mechanisms.

text: String value > REG_SZ

Security\cPPKHandler\cRC

Not lockable

SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.

The identifier is essentially a machine-readable user name that is unaffected by the choice of authentication mechanisms.

text: String value > REG_SZ

Security\cPPKHandler\cRC

Not lockable

The SASL id of the authentication mechanism.

For example, a user name and password mechanism may store the username so that only the password needs to be entered during consequent authentications.

text: String value > REG_SZ

Security\cPPKHandler\cRC

Not lockable

The mechanism-specific persistent data.

Some authentication implementations may store user data. For example, a user name and password mechanism may store the username so that only the password needs to be entered during consequent authentications.

Roaming ID Authentication

The authentication mechanism provider pertains only to roaming IDs. It enables you to specify one or more authentication mechanisms. The mechanism must be supported by the roaming ID server with which the application communicates.

The following features are available:

Enabling multiple authentication mechanisms.

Limiting the authentication mechanism to one specified type.

Turning off authentication so that roaming IDs cannot be used.

Summary table

An array of text entries (t0-tn) where each entry contains the name of a registered provider.

Specifies which registered provider(s) to use.

integer: DWORD value > REG_DWORD

Security\cASPKI\cSPIs

Not lockable

Specifies which registered provider(s) to use.

0: Use none of the registered providers.

1: Use first registered provider.

2: Use all registered providers.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

An array of all values listed in the description.

Security\cASPKI\cSPIs

Not lockable

An array of text entries (t0-tn) where each entry contains the name of a registered provider.

PLAIN: A mechanism defined in RFC2595 consisting of a single message specifying the user's ID and password.

ASSP-Kerberos: A mechanism commonly used on Windows that passes a Single Sign On token and receives back a SAML assertion.

ASSP-ArcotID: A mechanism recognized by Arcot roaming ID servers.

ASSP-QnA: A mechanism that initiates a question-answer dialog between the user and server.

Kerberos Authentication

This option is only relevant if the ASSP-Kerberos SPI is selected.

Summary table

The administrator-specified roaming ID Kerberos service name.

string: Binary value > REG_BINARY

Security\cASPKI\cKerberos_AuthMechanism

Not lockable

The administrator-specified roaming ID Kerberos service name.

If the key is not present, the default value of ASSP is assumed. If the key is present and the value is an empty string, Acrobat asks the roaming ID service for its Kerberos service name. This method is not secure and enterprises are advised not to use this option.

Self Sign Digital IDs

By default, users can create self-signed digital IDs. However, if you would like to prevent users from creating their own IDs, turn this feature off. Disabling this option prevents users from selecting the Create a self-signed ID option in Add ID workflows.

Summary table

Specifies whether or not the Create a self-signed ID option in Add ID workflows is available.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Specifies whether or not the Create a self-signed ID option in Add ID workflows is available.

Prevents users from creating a self-signed digital ID. Note that for products released after June 2016, disabling a user's ability to create a self-signed digital ID requires setting both bSelfSignCertGen and bEnableCEFBasedUI to 0. Possible values include:

0: Don't allow creating self-signed digital IDs.

1: Allow self-signed digital IDs.

Create a self-signed digital ID for use with Acrobat.

PKCS#11 Configuration

The key contains a list of P11 modules the user has loaded by choosing Attach Modules in the Security Settings console. By specifying a valid path to a PKCS#11 DLL, modules can be pre-attached to installed clients. Because various errors appear as a result of a bad filename or of pointing to a DLL that is not a valid PKCS#11 module, test the settings and the file before distributing them.

The following options are available:

Preconfiguring the key when tuning the installer and distributing the module file or when modules are already installed.

Setting the default browse path in which to look for additional modules.

For Reader X (10.0), not all PKCS#11 devices may work with Protected Mode (PM) enabled. However, in most cases, they do. Installing such devices usually involves disabling Protected Mode, installing the driver, restarting the application, and then re-enabling Protected Mode. For the latest information about PM compatibility with certain features, see http://kb2.adobe.com/cps/860/cpsid_86063.html.

Summary table

Array of dynamic library paths to PKCS#11 modules.

Contains an array of subcabs for all known PKCS#11 digital IDs.

Stores the last folder in which the user browsed for a P11 module.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cASPKI\ \

Not lockable

Array of dynamic library paths to PKCS#11 modules.

These may not necessarily be full paths but just something that the OS dynamic library loading functions will accept. For example, t0 may be a path to C:\WINDOWS\system32\dkck201.dll.

Security Settings console > Attach Module

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPubSec

Not lockable

Stores the last folder in which the user browsed for a P11 module.

The next time the user goes to add a P11 module, browsing starts in that folder.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler

Not lockable

Contains an array of subcabs for all known PKCS#11 digital IDs.

The format is as follows:

xCert: Binary value of the certificate

xTokenKey: Binary value generated from the ID's PKCS#11 token. The binary value is generated with the following method: initialize a SHA-1 digest; add to the digest the values of the token label, token manufacturer, token model, and token serial; finish the SHA-1 digest operation. The resulting 20-byte value is the token key.
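As an added example (not Acrobat's own code), the following Python carries out the xTokenKey derivation just described and formats the 20-byte result as the REG_BINARY literal that a .reg export would show for it. The sample token values are constructed, and the fixed-width, space-padded field layout (the form in which a PKCS#11 module returns CK_TOKEN_INFO fields) is an assumption, since the page does not say whether padding is included in the hash.

```python
import hashlib
import hmac

# PKCS#11 CK_TOKEN_INFO returns these fields as fixed-width, space-padded
# byte arrays: label 32, manufacturerID 32, model 16, serialNumber 16.
# Hashing them in padded form is an assumption; the page only names the
# four fields and their order.
FIELD_WIDTHS = (("label", 32), ("manufacturer", 32), ("model", 16), ("serial", 16))


def pad_field(value: str, width: int) -> bytes:
    """Encode a token field the way a PKCS#11 module returns it:
    UTF-8, truncated or right-padded with spaces to the fixed width."""
    return value.encode("utf-8")[:width].ljust(width, b" ")


def token_key(label: str, manufacturer: str, model: str, serial: str,
              padded: bool = True) -> bytes:
    """Derive the 20-byte xTokenKey: one SHA-1 over label, manufacturer,
    model and serial, in that order, as the page describes.
    padded=False hashes the bare strings instead, for modules that strip
    the padding before handing the fields to the application."""
    fields = {"label": label, "manufacturer": manufacturer,
              "model": model, "serial": serial}
    digest = hashlib.sha1()                       # 1. initialise SHA-1
    for name, width in FIELD_WIDTHS:
        data = pad_field(fields[name], width) if padded else fields[name].encode("utf-8")
        digest.update(data)                       # 2. add each field
    return digest.digest()                        # 3. finish: 20 bytes


def reg_binary(value: bytes) -> str:
    """Format bytes as the REG_BINARY literal used in a .reg export."""
    return "hex:" + ",".join(f"{b:02x}" for b in value)


def match_token(stored_key: bytes, label: str, manufacturer: str,
                model: str, serial: str) -> bool:
    """Check whether a token seen at runtime is the one a stored xTokenKey
    refers to: recompute the key and compare in constant time."""
    return hmac.compare_digest(stored_key, token_key(label, manufacturer, model, serial))


# Constructed sample token values; not a real device.
SAMPLE = ("Example eToken", "Example Vendor", "eTokenModel", "0123456789AB")

if __name__ == "__main__":
    key = token_key(*SAMPLE)
    print('"xTokenKey"=' + reg_binary(key))
    print("token matches stored key:", match_token(key, *SAMPLE))
```

Because the serial number is part of the hash, two tokens of the same model from the same vendor get different keys, which is what lets the cCredentials entry be tied to one physical device.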

Digital ID Defaults

Most digital ID default values are set by the application when a user first uses an ID or manually specifies a default value in the Security Settings Console. Moreover, since user actions will overwrite some preconfigured values an administrator might provide, setting many of these properties is usually not worthwhile. However, it is possible, and the following options are available:

Specifying a default URL to obtain a new digital ID. This value is NOT overwritten by user actions.

Listing a set of attribute certificates.

Specifying a default signing ID. This value is end user-specific.

Specifying a default encryption ID. This value is end user-specific.

Customizing a default directory server used to locate certificates that can be imported into the Trusted Identity Manager.

Note: Acrobat 9.0 users who configure a 3rd party security handler plugin may find that their non-default choice does not stick if the plugin calls PSUNregisterHandler(). That is, each time Acrobat restarts, the non-default security handler choice is lost. To fix the problem, change the plugin code to not call PSUNregisterHandler().

Summary table

Default directory to use when searching for digital IDs.

Indicates whether a custom certificate-specific preference (e.g. Identrus) has already been created and written to the registry.

Contains a set of attribute certificates as binary data.

Contains an array of subcabs for all application-known digital ID files.

Identifies credential service provider interface for the default signing digital ID.

Identifies credential service provider interface for the ASPKI provider which exposes this digital ID.

Identifies the default signing digital ID by its SHA1 hash of the public key.

Identifies the default encryption digital ID by its SHA1 hash of the public key.

The destination URL when the user selects Enroll at an online CA while adding a new digital ID.

text: String value > REG_SZ

Security\cPubSec

Not lockable

The destination URL when the user selects Enroll at an online CA while adding a new digital ID.

Enroll at an online CA in the New Digital ID workflow

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler

Not lockable

Contains an array of subcabs for all application-known digital ID files.

The format is as follows:

cPath: The path to the digital ID file.

cCredentials: An array of certificates that have corresponding private keys in the file.

cCertificates: An array of certificates that are in the file but do not have an associated private key (usually CA certs). Certificates are stored as binary data.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler

Not lockable

Contains a set of attribute certificates as binary data.

Each certificate is indexed with an integer 0 to N. The value is only set when a user imports attribute certificates.

text: String value > REG_SZ

Security\cPPKHandler\cCredSign

Not lockable

Identifies credential service provider interface for the default signing digital ID.

The value is set when a user opens the Security Settings Console and specifies a default signing ID. The value depends on the type of selected ID. For example, setting a self signed digital ID would result in a value of Adobe_FileCredentialProvider. See also xCertSHA1.

text: String value > REG_SZ

Security\cPPKHandler\cCredSign

Not lockable

Identifies the default signing digital ID by its SHA1 hash of the public key.

The value is set when a user opens the Security Settings Console and specifies a default signing ID. See also tCredProvider.

text: String value > REG_SZ

Security\cPPKHandler\cCredCrypt

Not lockable

Identifies credential service provider interface for the ASPKI provider which exposes this digital ID.

The value is set when a user opens the Security Settings Console and specifies a default signing ID. The value depends on the type of selected ID. For example, setting a self-signed digital ID would result in a value of Adobe_FileCredentialProvider. See also xCertSHA1.

text: String value > REG_SZ

Security\cPPKHandler\cCredCrypt

Not lockable

Identifies the default encryption digital ID by its SHA1 hash of the public key.

The value is set when a user opens the Security Settings Console and specifies a default encryption ID. See also tCredProvider.

boolean: DWORD value > REG_DWORD

Security\cPPKHandler

Not lockable

Indicates whether a custom certificate-specific preference (e.g. Identrus) has already been created and written to the registry.

If true, it doesn't get created again. Deleting or setting this key to 0 forces Acrobat to recreate custom certificate preferences after which it will reset this key to 1.

atom: String value > REG_SZ

Adobe.PPKMS.ADSI.dir0

Security\cPPKHandler

Not lockable

Default directory to use when searching for digital IDs.

On Windows, the Adobe.PPKMS security handler provides access through the Microsoft Active Directory Script Interface (ADSI) to all the directories the user created in the Security Settings Console. These directories are named in the format of (directory handler) + (index). For example, Adobe.PPKMS.ADSI.dir0, Adobe.PPKMS.ADSI.dir1, and so on. Unsupported for Linux and Macintosh.

Setting a default search directory affects the UI in two places: A star appears next to the default directory in the Security Settings Console and the directory is moved to the top of the directories' drop down list in the Trusted Identities Manager's Search for Recipients dialog.

Digital ID File Import and Export

The digital ID default path preferences point to the application security folder. For example, C:\Documents and Settings\(user name)\Application Data\Adobe\Acrobat\8.0\Security. The path is used when the user imports or exports an ID from the Security Settings Console. Since the application remembers the last accessed directory, if a user chooses a different directory, that action will overwrite the preconfigured value an administrator might provide.

The following options are available:

Specifying a default path for exporting and importing digital ID certificates (does not include private keys).

Specifying a default path for saving newly created digital ID files.

Summary table

The path last chosen for extracting an embedded file from a WebBuy FDF.

Default path for exporting credentials.

Default path for importing credentials.

Default path for storing profile files such as PKCS#12 files.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

See description below.

Security\cPubSec

Not lockable

Default path for exporting credentials.

Used by all security plugins. The default value is the application security folder. For example, C:\Documents and Settings\\Application Data\Adobe\Acrobat\8.0\Security.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

See the description.

Security\cPubSec

Not lockable

Default path for importing credentials.

Used by all security plugins. The default value is the application security folder. For example, C:\Documents and Settings\\Application Data\Adobe\Acrobat\8.0\Security.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

See description below.

Security\cPubSec

Not lockable

The path last chosen for extracting an embedded file from a WebBuy FDF.

The first time an embedded file is extracted from an FDF the user is asked where to save it.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

See the description.

Security\cPubSec

Not lockable

Default path for storing profile files such as PKCS#12 files.

This is used both when creating new digital ID files and when browsing for existing files. Used by all security plugins.

Adobe Acrobat Trust List

The Adobe Approved Trust List (AATL) program allows signers to automatically trust digital signatures that chain to the trustworthy AATL certificates. By default, both Acrobat and Reader download a list of "trusted" root digital certificates automatically. 9.x products download every 90 days while 10.x and later products download every 30 days.

To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust. For more about the AATL program, see the AATL page and this blog.

Summary table

Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.

Specifies whether or not trust anchors should be periodically downloaded from Adobe.

The value in seconds that the application should check for new certificates to download from Adobe.

An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.

Binary data used for internal purposes.

boolean: DWORD value > REG_DWORD

Security\cDigSig\cAdobeDownload

Not lockable

Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.

0: Enable and install silently

1: Enable and ask before installing

Preferences > Trust Manager > Adobe certificate settings panel > Ask before installing checkbox

boolean: DWORD value > REG_DWORD

9.x and earlier: 0; 10: 1

Security\cDigSig\cAdobeDownload

Not lockable

Specifies whether or not trust anchors should be periodically downloaded from Adobe.

0: Don't load settings from a URL.

1: Do load settings from a URL.

Preferences > Trust Manager > Adobe certificate settings panel > Load security settings from a server

integer: DWORD value > REG_DWORD

Security\cDigSig\cAdobeDownload

Not lockable

The value in seconds that the application should check for new certificates to download from Adobe.

If this preference exists, the default is one week. Set this to 0 if you'd like the application to check on startup.

integer: DWORD value > REG_DWORD

Security\cDigSig\cAdobeDownload

Not lockable

An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.

string: Binary value > REG_BINARY

Security\cDigSig\cAdobeDownload\cLastChecked\

Not lockable

Binary data used for internal purposes.

European Union Trust List

Like the AATL program, the European Union Trust List (EUTL) program allows signers to automatically trust digital signatures that chain to trustworthy EUTL certificates. While the feature was introduced with 11.0.06, the first EUTL trust lists were made available with the October 13, 2015 release.

To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust.

Note that both the AATL and EUTL features load certificates into the user's Acrobat Address Book (Acrobat Trust Store). The addition of the EUTL certificates increases the size of the address book and can affect the performance of signature validation in versions 11.0.06 to 11.0.10. Later product versions should validate in about 1/2 second. If you experience performance issues, update to the latest product. Alternatively, you can remove the EUTL preference (not recommended).

For more about the EUTL program, see the blog.

Summary table

Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.

Specifies whether or not trust anchors should be periodically downloaded from Adobe.

The value in seconds that the application should check for new certificates to download from Adobe.

An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.

Binary data used for internal purposes.

boolean: DWORD value > REG_DWORD

Security\cDigSig\cEUTLDownload

Not lockable

Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.

0: Enable and install silently

1: Enable and ask before installing

Preferences > Trust Manager > European Union certificate settings panel > Ask before installing checkbox

boolean: DWORD value > REG_DWORD

Security\cDigSig\cEUTLDownload

Not lockable

Specifies whether or not trust anchors should be periodically downloaded from Adobe.

0: Don't load settings from a URL.

1: Do load settings from a URL.

Preferences > Trust Manager > European Union certificate settings panel > Load security settings from a server

integer: DWORD value > REG_DWORD

Security\cDigSig\cEUTLDownload

Not lockable

The value in seconds that the application should check for new certificates to download from Adobe.

If this preference exists, the default is one week. Set this to 0 if you'd like the application to check on every startup.

integer: DWORD value > REG_DWORD

Security\cDigSig\cEUTLDownload

Not lockable

An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.

string: Binary value > REG_BINARY

Security\cDigSig\cEUTLDownload\cLastChecked\

Not lockable

Binary data used for internal purposes.

Windows Integration

While Acrobat has its own store, the Windows store may already contain needed certificates or your enterprise may simply be a Windows shop. Windows integration allows end users to search for and use certificates in the Windows Certificate Store.

End users can configure their application for Windows integration through the application's Preference panel. Configuration options allow users to search the Windows store from the Trusted Identity Manager (through the Search button), set trust levels for any found certificate, and choose which certificates to use for encryption (once the certificate is located and added to the Trusted Identity Manager). If a user has a personal ID in the Windows store, it appears in the Security Settings Console automatically without any special configuration.

Administrators can control whether clients can access MSCAPI through Acrobat so that users can find, use, and set trust levels for Windows certificates.

The following options are available:

Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.

Setting separate trust levels for approval and certification signatures.

Preventing end user modification of certificate trust levels.

Tuning the service provider interface for:

Certificate Providers (for Signing and Decryption)

Revocation Checker Providers

Signature Validation Directory Providers

Summary table

If true, then users can import from MSCAPI certificate stores into their Trusted Identity Manager.

Locks the UI so that end users cannot change the value set by iMSStoreTrusted

Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying.

integer: DWORD value > REG_DWORD

Security\cASPKI\cMSCAPI_DirectoryProvider

Not lockable

Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying.

To lock this setting, use bMSStoreTrusted. Allowable values include:

0x00: No checkbox selected.

0x60: Validating Signatures.

0x62: Validating Certified Documents and Signatures. Note that this setting disables the Validating Signatures checkbox because it also controls non-certified signatures and users should not be able to uncheck that checkbox.

Preferences > Security > Advanced Preferences > Windows Integration > (both Windows settings: Validating Signatures and Validating Certified Documents.)

integer: DWORD value > REG_DWORD

FeatureLockDown\cSecurity\cASPKI\cMSCAPI_DirectoryProvider\

Locks the UI so that end users cannot change the value set by iMSStoreTrusted

Set iMSStoreTrusted first, then use this preference to lock it. Allowable values include:

0: Lock the UI.

1: Same as null. Don't lock the UI.

boolean: DWORD value > REG_DWORD

Security\PPKHandler

Not lockable

If true, then users can import from MSCAPI certificate stores into their Trusted Identity Manager.

Preferences > Security > Advanced Preferences > Windows Integration tab > Enable searching the Windows Certificate Store for certificates other than yours

Trusted Identity List Configuration

The trusted identity list contains all of a user's imported certificates that they use for validating someone else's signature or encrypting a document for them. The list is maintained and managed via the Trusted Identity Manager; however, administrators can preconfigure applications to use non-default list files, add certificates from the Windows store, and so on.

The following options are available:

Creating a custom filename/file for the trusted identity list.

Specifying a non-default security handler to control Trusted Identity Manager functions. For details, see aAddressBook.

Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.

Turning off and on the ability to automatically download certificates sent by Adobe to users over the internet via bLoadSettingsFromURL.

Summary table

The filename the Trusted Identity Manager uses to read and write addressbook data.

text: String value > REG_SZ

addressbook.acrodata

Security\cPubSec

Not lockable

The filename the Trusted Identity Manager uses to read and write addressbook data.

Signature Validation Directory Providers

The directory provider SPI provides access to trust anchors and intermediate CAs used for signature validation. By default, certificates in all of the supported locations are used.

The following options are available:

Preventing or allowing access to certificates in P12 files. End users must also be logged in to the file.

Preventing or allowing access to certificates in the Trusted Identity Manager.

Preventing or allowing access to certificates in the Windows Certificate Store.

Preventing or allowing access to self-signed certificates created by an Adobe application.

Summary table

An array of text entries (t0-tn) containing the name of a registered provider.

Specifies a directory provider for signature validation.

integer: DWORD value > REG_DWORD

Security\cASPKI\cSPIs

Not lockable

Specifies a directory provider for signature validation.

0: Use none of the registered providers.

1: Use first registered provider.

2: Use all registered providers.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

All of the available values. See the description.

Security\cASPKI\cSPIs

Not lockable

An array of text entries (t0-tn) containing the name of a registered provider.

Adobe_FileCredentialDirectoryProvider: Provides access to PKCS#12 files.

AAB_DirectoryProvider: Provides access to the Trusted Identity Manager.

MSCAPI_DirectoryProvider: Provides access to the Windows Certificate Store.

Adobe_SelfSignedCredDirectoryProvider: Provides access to self signed certificates created by Acrobat.

Signature Validation (Main Settings)

While users can configure these general signature validation preferences via the GUI, admins usually preconfigure the application.

The following options are available:

Controlling whether all signatures are validated when a document opens.

Specifying which time to use when validating a signature.

Specifying when to do revocation checking as well as the effect of a failed or bad response.

Using expired timestamps.

Showing timestamp warnings in the Document Message Bar.

Summary table

Locks Security\cASPKI\cASPKI\cVerify\iReqRevCheck and disables the user interface item.

Specifies whether to show a warning that there is a greater forgery risk when revocation information is embedded in the signature.

Specifies whether to show timestamp warnings in the Document Message Bar.

Specifies whether to automatically validate all signatures on document open.

Specifies whether revocation checks are required to succeed.

Indicates the time at which signature validation should occur.

boolean: DWORD value > REG_DWORD

Security\cDigSig

FeatureLockDown\cSecurity\cDigSig

Specifies whether to automatically validate all signatures on document open.

Note that the lockable setting does not configure the feature; instead, it locks what is set in HKCU and the user interface.

0: Don't validate signatures on document open.

1: Validate signatures on document open.

Preferences > Security > Verify signatures when the document is opened

boolean: DWORD value > REG_DWORD

Security\cPPKHandler

Not lockable

Specifies whether to show a warning that there is a greater forgery risk when revocation information is embedded in the signature.

Because this warning was removed from 10.x products, this preference is only applicable to 9.4.6 and later products in the 9.x line. Possible values include:

0: Don't show the warnings.

1: Do show the warnings.

The Signer tab in the Signature Properties dialog.

integer: DWORD value > REG_DWORD

1 (9.1 and later: 2)

Security\cPPKHandler

Not lockable

Indicates the time at which signature validation should occur.

Possible values include:

0: Always carry out the verification at current time

1: Use the signing time if it's secure (e.g. timestamped), else use current time

2: Always use signing time

Preferences > Security > Advanced Preferences > Verification tab

boolean: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

Specifies whether to show timestamp warnings in the Document Message Bar.

For 9.1, a bug prevented this feature from working.

0: Warnings do not appear in the DMB.

1: Warnings appear in the DMB.

Preferences > Security > Advanced Preferences > Verification tab > Show timestamp warnings in Document Message Bar

integer: DWORD value > REG_DWORD

Security\cASPKI\cASPKI\cVerify

Not lockable

Specifies whether revocation checks are required to succeed.

The user interface exposes this preference as a binary value to simplify the end user experience. A checked checkbox translates to 2 (RequiredIfInfoAvailable). An unchecked checkbox translates to 0 (No checks). This check doesn't affect ubiquity signature verification where the value is always 1. Interacts with other iReqRevCheck settings. Possible values include the following:

0: Don't do revocation checks.

1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.

2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.

3: Require a check; it must succeed under all circumstances.

Note: Lockable via bReqRevCheck.

Preferences > Security > Advanced Preferences > Verification tab > Require certificate revocation checking to succeed...

boolean: DWORD value > REG_DWORD

FeatureLockDown\cSecurity\cASPKI\cASPKI\cVerify

Locks Security\cASPKI\cASPKI\cVerify\iReqRevCheck and disables the user interface item.

Preferences > Security > Advanced Preferences > Verification tab > Require certificate revocation checking to succeed...

Signature Validation Status Icons

By default, when an application validates a signature it displays a signature status icon in the Signature Properties dialog, and in the Signatures Pane. You can customize status icon behavior for a particular enterprise requirement. For example, a blue i appears on a signature status icon based on certain rules when a document is changed after it was signed.

The following options are available:

Turning on the icon for signature appearances with bSigAPStatusIconDisable. This is off by default because displaying the signature status within the document represents a security vulnerability.

Turning off the icon for signature appearances AND removing the Hide signature field validity icon when signature is valid option from the user interface, so the user cannot change the setting, with iDisplayValidIcon.

Turning on the icon for valid signatures only with iDisplayValidIcon.

Turning off the blue i in the Signature Properties dialog, and Signatures Pane with bShowWarningForChanges.

Summary table

Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed.

Controls whether the signature status icon is displayed in the signature appearance on the document.

Determines when the signature status icon is displayed in a signature appearance.

boolean: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

Controls whether the signature status icon is displayed in the signature appearance on the document.

If true, the status icon is not displayed regardless of signature status. This setting overrides iDisplayValidIcon and bShowWarningForChanges.

integer: DWORD value > REG_DWORD

null for 9.0 and later; 0 for pre 9.

Security\cPubSec

Not lockable

Determines when the signature status icon is displayed in a signature appearance.

Possible values include:

0: Always.

1: Display except when the signature is valid.

2: Never. This value disables bShowWarningForChanges and removes the Hide signature field validity icon option from the GUI. This setting does not affect the icons in the Signatures Pane or in the Signature Properties dialog.

Note: This UI item was removed from versions 9.x and later because signature status was moved to the Document Message Bar.

Versions prior to 9.x only: Preferences > Security > Advanced Preferences > Verification tab > Hide signature field validity icon when signature is valid.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed.

If true, a document change results in a blue i status icon appearing for validated approval signatures. Use this setting when users need to know a document has changed after it was signed.

If false, the status icon remains a green check and pen even if a document changes after it is signed. The setting provides a method for administrators to turn off the blue i in workflows where documents can be changed or signed multiple times.

This setting does not affect certification signatures. The warning icon never appears for valid certification or approval signatures in certified documents if the signatures were allowed by the certifier.

Interacts with iDisplayValidIcon which cannot be set to 2, or the icons will not appear regardless of how bShowWarningForChanges is set.

Signature Validation Logging

Versions 8.x and later enable logging certificate validation and revocation checking information. You can set both the logging level and log location. The path must already exist for logging to take place. Note that when Protected Mode is enabled, the log file path must be one that Protected Mode permits.

The following options are available:

Specifying a logging path and filename.

Setting a logging level.

Chain building log file settings

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_ChainBuilder]

"iLogLevel"=dword:00000008

"sLogFilePath"=(BINARY path to existing directory for log file)

Log file for troubleshooting certificate validation

20070207000213Z: ---------------------------
20070207000213Z: Chainbuilder: Starting chain validation. Chain length = 3
20070207000213Z: Processing Certificate: DN: ou=VeriSign Trust Network, ou=(c) 1998 VeriSign, Inc. - For authorized use only, ou=Class 2 Public Primary Certification Authority - G2, o=VeriSign, Inc., c=US Serial: 00B92F60CC889FA17A4609B85B706C8AAF
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: cn=Enterprise Services CA, ou=Class 2 OnSite Individual Subscriber CA, ou=Terms of use at https://www.verisign.com/rpa (c)01, ou=VeriSign Trust Network, o=Adobe Systems Incorporated Serial: 0C0DB7043D0427BEB15AECA02DC95903
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: email=example@adobe.com, cn=Ben Writer, ou=Adobe CPS - http://www.adobe.com/misc/CPS.html, ou=www.verisign.com/repository/CPS Incorp. by Ref., LIAB.LTD(c)99 Serial: 5C41B5256825491A4981D4FABFCCA044
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Finished Chain Validation. Trouble Flags: 0
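When the log is collected from many machines it is easier to triage as structured records than by eye. The parser below is an added example (not Adobe's tooling) that reads the line format shown above into one record per validation run; the sample text is constructed from the page's log with its spacing restored, and the record layout and the notion that a "clean" run means Trouble Flags of 0 with one certificate per chain position are this example's own.

```python
"""Parse Acrobat chain-builder log lines into structured records.

Added example, not Adobe's tooling. SAMPLE_LOG is constructed from the
page's sample with spacing restored.
"""
import re
from datetime import datetime, timezone
from typing import Any, Dict

SAMPLE_LOG = """\
20070207000213Z: ---------------------------
20070207000213Z: Chainbuilder: Starting chain validation. Chain length = 3
20070207000213Z: Processing Certificate: DN: ou=VeriSign Trust Network, ou=(c) 1998 VeriSign, Inc. - For authorized use only, ou=Class 2 Public Primary Certification Authority - G2, o=VeriSign, Inc., c=US Serial: 00B92F60CC889FA17A4609B85B706C8AAF
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: cn=Enterprise Services CA, ou=Class 2 OnSite Individual Subscriber CA, ou=Terms of use at https://www.verisign.com/rpa (c)01, ou=VeriSign Trust Network, o=Adobe Systems Incorporated Serial: 0C0DB7043D0427BEB15AECA02DC95903
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Processing Certificate: DN: email=example@adobe.com, cn=Ben Writer, ou=Adobe CPS - http://www.adobe.com/misc/CPS.html, ou=www.verisign.com/repository/CPS Incorp. by Ref., LIAB.LTD(c)99 Serial: 5C41B5256825491A4981D4FABFCCA044
20070207000213Z: verification time = 20070207000213Z
20070207000213Z: Finished Chain Validation. Trouble Flags: 0
"""

# Every line starts with a UTC timestamp in YYYYMMDDhhmmssZ form.
LINE_RE = re.compile(r"^(\d{14})Z:\s*(.*)$")
START_RE = re.compile(r"Starting chain validation\. Chain length = (\d+)")
CERT_RE = re.compile(r"Processing Certificate: DN: (?P<dn>.+?) Serial: (?P<serial>[0-9A-Fa-f]+)\s*$")
VTIME_RE = re.compile(r"verification time = (\d{14})Z")
FINISH_RE = re.compile(r"Finished Chain Validation\. Trouble Flags: (\d+)")


def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_chain_log(text: str) -> Dict[str, Any]:
    """Return the last chain-validation run found in text as a dict."""
    record: Dict[str, Any] = {"started": None, "finished": None, "chain_length": None,
                              "certificates": [], "trouble_flags": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a log line (e.g. blank or foreign text)
        stamp, msg = _ts(m.group(1)), m.group(2)
        if (s := START_RE.search(msg)):
            record["started"] = stamp
            record["chain_length"] = int(s.group(1))
        elif (c := CERT_RE.search(msg)):
            record["certificates"].append(
                {"dn": c["dn"], "serial": c["serial"].upper(), "verification_time": None})
        elif (v := VTIME_RE.search(msg)) and record["certificates"]:
            # The verification-time line follows the certificate it applies to.
            record["certificates"][-1]["verification_time"] = _ts(v.group(1))
        elif (f := FINISH_RE.search(msg)):
            record["finished"] = stamp
            record["trouble_flags"] = int(f.group(1))
    return record


def chain_is_clean(record: Dict[str, Any]) -> bool:
    """True when the run finished with no trouble flags and every chain position was processed."""
    return (record["trouble_flags"] == 0
            and record["chain_length"] is not None
            and record["chain_length"] == len(record["certificates"]))


if __name__ == "__main__":
    rec = parse_chain_log(SAMPLE_LOG)
    for cert in rec["certificates"]:
        print(cert["serial"], cert["dn"][:60])
    print("clean:", chain_is_clean(rec))
```

A non-zero Trouble Flags value, or fewer Processing Certificate lines than the announced chain length, is the first thing to look at when a signature shows as Unknown on one workstation but Valid on another.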

Summary table

Specifies the log level during chain building and validation.

Specifies the full path of the text log file; for example: C:\ASPKI.log.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_ChainBuilder

Not lockable

Specifies the full path of the text log file; for example: C:\ASPKI.log.

The value is REG_BINARY, so the path must be entered in hexadecimal formatting. The file must already exist. When Protected Mode is enabled, the log file path must be one that Protected Mode permits, such as the sandbox's Temp directory or the product AppData directory. Alternatively, enable bUseWhitelistConfigFile and specify a custom location.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_ChainBuilder

Not lockable

Specifies the log level during chain building and validation.

The supported levels include:

1: fatal errors

2: possible errors

4: informational messages

8: verbose information

0xFFFFFFFF: all messages

4d60bc78fdce9e9dd668facb4ae47a99.gifSignature Validation Rev Check Constraints

The following options are available:

Requiring signature property verification such as timestamps. Signatures will not be valid if this key is true and timestamp verification does not succeed.

Limiting the number of nested verification sessions to prevent looping.

Limiting the amount of time the signing time can be after the validation time.

Forcing revocation checks on intermediate and self-signed trust anchors (those which aren't roots).

Summary table

Specifies whether signature property verification must succeed for a signature to be valid.

Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots).

The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid.

Specifies the maximum number of nested verification sessions allowed.

boolean: DWORD value > REG_DWORD

10.1.2 and 9.5+

cASPKI\cASPKI\cVerify

Not lockable

Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots).

In previous versions, the application did not perform revocation checks on any intermediate trust anchors since it was assumed they were self-signed. With 10.1.2 and 9.5, this setting enables revocation checking on intermediate trust anchors if such information is available.

Trust anchors from third parties are often installed locally to facilitate signature validation. Because such a trust anchor could be compromised, exposing the host machine to attack, the third-party provider would revoke its certificate in that case. This preference allows that revocation to be detected by forcing a revocation check on any intermediate trust anchor. Root and self-signed certificates are exempt from the check. Possible values include:

0: Don't perform a revocation check on intermediate trust anchors.

1: Perform a revocation check on intermediate trust anchors.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cASPKI\cVerify

Not lockable

Specifies whether signature property verification must succeed for a signature to be valid.

As of 8.0, the only property used is the timestamp URL.

integer: DWORD value > REG_DWORD

Security\cASPKI\cASPKI\cVerify

Not lockable

Specifies the maximum number of nested verification sessions allowed.

This is used to prevent the application from going into infinite loop verifying the OCSP and/or CRL signer certificates caused by incorrect OCSP and/or CRL certificate setup.

integer: DWORD value > REG_DWORD

65 (minutes)

Security\cPubSec

Not lockable

The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid.

PubSec verifies that a document was not signed in the future by comparing the verifier's system time with the time embedded in the signature dictionary. Whenever time comes into play, the signer's and verifier's clocks may be out of sync; iMaxClockSkew accommodates such differences.

4d60bc78fdce9e9dd668facb4ae47a99.gifSignature Validation Rev Check (OCSP)

OCSP revocation checking can occur both during signature creation and signature validation, on the signing certificate as well as on the certificates associated with any revocation check responses. It is possible to require certain features of the certificates used to sign OCSP requests and responses. If either does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. See RFC 2560 (since obsoleted by RFC 6960) for details.

Prior to 10.1, OCSP responses without nextUpdate were never embedded in a signature. For 10.1 and later, OCSP responses are always embedded irrespective of the presence of nextUpdate; however, whether they are used for signature validation depends on the following conditions:

The validation time is greater than thisUpdate minus the value of iMaxClockSkew (the default is 5 minutes). This test is always performed.

When nextUpdate is present, the validation time is less than the nextUpdate time plus the value of iMaxClockSkew.

When nextUpdate is not present, the validation time is less than the thisUpdate time or the producedAt time (whichever is greater) plus the value of iMaxClockSkew.

If you need a relaxed security environment (for example, when the responder is caching OCSP responses), bIgnoreNextUpdate can be set to 1 to ignore the last test. In this case, embedded responses without nextUpdate are always used for signature validation provided that they pass the first test.

This behavior is designed to support the long term validation feature and allows validating a signature with embedded responses that were valid at signing time. The following options are available:

Specifying when to do revocation checking as well as the effect of a failed or bad response.

Specifying when and where to go online to get a response.

Specifying whether to include a nonce. Nonces are random generated numbers that are sent with a request and matched by a response. They improve security by assuring communication with an active, non-spoofed server.

Using or ignoring a response's thisUpdate and nextUpdate times to control its validity.

Setting a limit on the amount of time difference between the local time and response's publish time.

Allowing or disallowing the OCSPNoCheck extension.

Requiring the presence of a public key hash extension (bRequireOCSPCertHash).

Specifying whether OCSP requests should by signed (bSignRequest).

Requiring the presence of a particular OID in a request (sSignCertOID).

It is possible to require certain features of the certificates used to sign OCSP responses. If a response does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. The following options are available:

Allowing or disallowing the OCSPNoCheck extension.

Requiring the presence of a public key hash extension via bRequireOCSPCertHash.

Summary table

Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate.

Specifies whether to go online to get the revocation information for an expired certificate.

Specifies whether to go online to do revocation checking.

Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew.

Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.

Specifies whether a certificate public key hash extension must be present in OCSP responses.

Specifies signature validation behavior with respect to nonces.

Specifies whether the OCSP request should be signed.

The number of minutes the local machine time can vary from the response's published time to account for a network delay, time synchronization issues, and so on.

Indicates whether revocation checks are required to succeed on the OCSP response.

Specifies the amount of time in minutes after the response's published thisUpdate time for which the response will be valid.

Specifies signature validation behavior with respect to nonces.

Specifies how the revocation checker chooses which responder to use.

The URL used to fetch OCSP responses.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies whether the OCSP request should be signed.

Some OCSP providers require that OCSP requests are signed (e.g. IdenTrust).

0: Don't sign the OCSP request.

1: Force Acrobat to sign OCSP requests prior to sending.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies whether a certificate public key hash extension must be present in OCSP responses.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Indicates whether revocation checks are required to succeed on the OCSP response.

Interacts with other iReqRevCheck settings. Possible values include:

0: Don't do revocation checks.

1: Do a check IF certificate has AIA extension or responder info is in registry; don't fail if the check fails.

2: Do a check IF certificate has AIA extension or responder info is in registry; all checks must succeed if there is data and a check occurs.

3: Require a check; it must succeed under all circumstances.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies how the revocation checker chooses which responder to use.

Possible values include:

0: Use the AIA extension in the certificate.

1: Use the URL key in sURL.

2: Use the AIA extension in the certificate. If it is not present, use the URL key in sURL.

3: Use the OCSP request signer's certificate AIA extension. Relevant only if bSignRequest is 0.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

The URL used to fetch OCSP responses.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies whether to go online to do revocation checking.

Never used for Reader enabled signatures (UR3).

boolean: DWORD value > REG_DWORD

7.0 up to, but not including, 10.0

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies signature validation behavior with respect to nonces.

Deprecated with 10.0. If true, nonces are included in the OCSP request and expected to be present in the response and should match the request's nonce. If false, nonces are not sent.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies signature validation behavior with respect to nonces.

With 10.0, this preference replaces bSendNonce. Possible values include:

0: No nonces are sent.

1: Nonces are included in the OCSP request and expected to be present in the response and should match the request's nonce.

2: Nonces are included in the OCSP request, but if none is present in the response, its absence is ignored.
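The request-side preferences above (iURLToConsult for the responder, bSignRequest, and iSendNonce for nonce handling) combine into a small policy that is easy to get wrong when reasoning about a validation failure. The following Python is an added example (not Adobe's code) that expresses those rules as functions over constructed inputs; the preference names and values are the page's, while the function names, the OcspRequestPlan structure and the 16-byte nonce length are assumptions made for this example.

```python
"""OCSP request policy: responder choice and nonce handling.

Added example, not Adobe's code. Preference names follow the page; the
function names and the plan structure are this example's own.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def choose_responder(i_url_to_consult: int,
                     cert_aia_ocsp: Optional[str],
                     s_url: Optional[str],
                     request_signer_aia_ocsp: Optional[str] = None) -> Optional[str]:
    """Return the responder URL the checker would contact, or None if the policy yields none."""
    if i_url_to_consult == 0:        # AIA extension in the certificate only
        return cert_aia_ocsp
    if i_url_to_consult == 1:        # the registry sURL only
        return s_url
    if i_url_to_consult == 2:        # AIA first, falling back to sURL
        return cert_aia_ocsp or s_url
    if i_url_to_consult == 3:        # request signer's AIA; the page says relevant only when bSignRequest is 0
        return request_signer_aia_ocsp
    raise ValueError(f"unknown iURLToConsult value {i_url_to_consult}")


def new_nonce(i_send_nonce: int, length: int = 16) -> Optional[bytes]:
    """Generate a random request nonce unless iSendNonce is 0 (length is an assumption)."""
    return None if i_send_nonce == 0 else secrets.token_bytes(length)


def nonce_accepted(i_send_nonce: int,
                   request_nonce: Optional[bytes],
                   response_nonce: Optional[bytes]) -> bool:
    """Apply the iSendNonce matching rule to a received response."""
    if i_send_nonce == 0:
        return True                       # nothing was sent, so nothing to match
    if request_nonce is None:
        raise ValueError("iSendNonce != 0 but no nonce was sent with the request")
    if response_nonce is None:
        return i_send_nonce == 2          # 1: nonce required; 2: absence tolerated
    # A present nonce must match in both modes; compare in constant time.
    return hmac.compare_digest(request_nonce, response_nonce)


@dataclass
class OcspRequestPlan:
    url: Optional[str]
    nonce: Optional[bytes]
    sign_request: bool


def plan_ocsp_request(i_url_to_consult: int, b_sign_request: bool, i_send_nonce: int,
                      cert_aia_ocsp: Optional[str], s_url: Optional[str],
                      request_signer_aia_ocsp: Optional[str] = None) -> OcspRequestPlan:
    """Combine the three preferences into what the request would look like."""
    url = choose_responder(i_url_to_consult, cert_aia_ocsp, s_url, request_signer_aia_ocsp)
    return OcspRequestPlan(url=url, nonce=new_nonce(i_send_nonce), sign_request=b_sign_request)


if __name__ == "__main__":
    plan = plan_ocsp_request(2, False, 1, None, "http://ocsp.example.test")
    print(plan.url, plan.nonce.hex() if plan.nonce else None, plan.sign_request)
```

Note that with iURLToConsult set to 0 and a certificate lacking an OCSP AIA entry the plan has no URL at all, which is one reason a check can silently not happen even though iReqRevCheck is non-zero.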

integer: DWORD value > REG_DWORD

525600 (1 year)

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies the amount of time in minutes after the response's published thisUpdate time for which the response will be valid.

After that time, the response will be invalid.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.

The value is set to true for ubiquity signatures created by enabling usage rights for Adobe Reader.

Note: With 11.0.16, this preference interacts with bExpiredCertGoOnline.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cASPKI

Not lockable

Specifies whether to go online to get the revocation information for an expired certificate.

11.0.16 introduced a signature validation change: signatures are invalid if they are based on expired certificates and there is no embedded revocation information, even if bIgnoreValidityDates is 1. In previous product versions, such a signature would be valid. To be standards-compliant, the client should not check online for the revocation information of a certificate that has expired. Setting bExpiredCertGoOnline to 1 re-enables the pre-11.0.16 behavior.

0: Do not go online for revocation even if bIgnoreValidityDates = 1

1: Do go online.

integer: DWORD value > REG_DWORD

5 minutes

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

The number of minutes the local machine time can vary from the response's published time to account for a network delay, time synchronization issues, and so on.

For 10.1 and later, this preference is used along with bIgnoreNextUpdate to determine whether or not embedded OCSP responses are actually used for signature validation. For details, see the subfeature description above.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_OCSPRevChecker

Not lockable

Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew.

For 10.1 and later, this preference is used along with iMaxClockSkew to determine whether or not embedded OCSP responses are actually used for signature validation. For details, see the subfeature description above. This behavior is designed to support Acrobat's long term validation feature and allows validating a signature with embedded responses that were valid at signing time.Possible values include:

0: iMaxClockSkew is applied on both sides of the validation time, i.e. thisUpdate - iMaxClockSkew < validation time < checkTime + iMaxClockSkew, where checkTime is the later of producedAt and thisUpdate.

1: If there is no nextUpdate, the OCSP response is accepted indefinitely: iMaxClockSkew is applied only before the validation time (thisUpdate - iMaxClockSkew < validation time), and no check is made that the validation time is earlier than checkTime plus iMaxClockSkew.
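The three acceptance tests for embedded OCSP responses described in the subfeature introduction, and the bIgnoreNextUpdate relaxation just listed, are the rules that decide whether a long-term-validation signature can be verified offline. The following Python is an added example (not Adobe's code) that implements those tests as a single function and, alongside it, the two other clock-related rules on this page: the cPubSec iMaxClockSkew bound on the signing time and iResponseFreshness. The datetimes in the usage are constructed; the function names and return shapes are this example's own.

```python
"""Embedded OCSP response acceptance rules (10.1 and later) and related clock checks.

Added example, not Adobe's code. All inputs are timezone-aware datetimes;
the sample times are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def embedded_ocsp_usable(validation_time: datetime,
                         this_update: datetime,
                         produced_at: datetime,
                         next_update: Optional[datetime],
                         i_max_clock_skew: int = 5,
                         b_ignore_next_update: bool = False) -> Tuple[bool, str]:
    """Decide whether an OCSP response embedded at signing time may be used for validation."""
    skew = timedelta(minutes=i_max_clock_skew)
    # Test 1, always applied: validation time must be later than thisUpdate minus skew.
    if not validation_time > this_update - skew:
        return False, "validation time is before thisUpdate minus iMaxClockSkew"
    if next_update is not None:
        # Test 2: with nextUpdate present the response is good until nextUpdate plus skew.
        if validation_time < next_update + skew:
            return True, "within nextUpdate window"
        return False, "validation time is past nextUpdate plus iMaxClockSkew"
    # Test 3, nextUpdate absent: bounded by max(thisUpdate, producedAt) plus skew,
    # unless bIgnoreNextUpdate=1 drops this bound entirely.
    if b_ignore_next_update:
        return True, "no nextUpdate; accepted indefinitely (bIgnoreNextUpdate=1)"
    check_time = max(this_update, produced_at)
    if validation_time < check_time + skew:
        return True, "no nextUpdate; within max(thisUpdate, producedAt) plus iMaxClockSkew"
    return False, "no nextUpdate; validation time is past max(thisUpdate, producedAt) plus iMaxClockSkew"


def response_fresh(validation_time: datetime, this_update: datetime,
                   i_response_freshness: int = 525600) -> bool:
    """iResponseFreshness: the response becomes invalid this many minutes after thisUpdate."""
    return validation_time <= this_update + timedelta(minutes=i_response_freshness)


def signing_time_plausible(signing_time: datetime, validation_time: datetime,
                           i_max_clock_skew: int = 65) -> bool:
    """cPubSec iMaxClockSkew: the signing time may be at most this many minutes after the validation time."""
    return signing_time <= validation_time + timedelta(minutes=i_max_clock_skew)


def _utc(y: int, mo: int, d: int, h: int = 0, mi: int = 0) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


if __name__ == "__main__":
    this_update, produced_at = _utc(2024, 1, 1, 12, 0), _utc(2024, 1, 1, 12, 2)
    for t in (_utc(2024, 1, 1, 12, 5), _utc(2024, 1, 1, 12, 10), _utc(2024, 1, 1, 11, 50)):
        print(t.isoformat(), embedded_ocsp_usable(t, this_update, produced_at, None))
    print("relaxed:", embedded_ocsp_usable(_utc(2024, 1, 1, 12, 10), this_update,
                                           produced_at, None, b_ignore_next_update=True))
```

Note the two different iMaxClockSkew values on this page: the 5-minute default under cAdobe_OCSPRevChecker governs response timing, while the 65-minute default under cPubSec governs how far in the future a signing time may be.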

4d60bc78fdce9e9dd668facb4ae47a99.gifSignature Validation Rev Check (CRL)

CRL revocation checking can occur both during signature creation and signature validation, on the signing certificate as well as on the certificates associated with any revocation check responses.

The following options are available:

Specifying when to do revocation checking as well as the effect of a failed or bad response.

Specifying when and where to go online to get a response.

Setting a time limit for caching a response after which the application must get a new response.

Specifying a LDAP server to query for CRLs. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.

Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.

Requiring the presence of the Authority Key Identifier extension.

It is possible to require certain features of the certificates used to sign CRL responses. If a response does not meet the specified parameters, the response will be considered invalid and the signature status may be Unknown or Invalid.

The following options are available:

Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.

Requiring the presence of the Authority Key Identifier extension.

Summary table

Determines when the URL is used for an additional URL CRL distribution point.

Indicates whether it's acceptable to go online to fetch a CRL.

Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.

Specifies whether the Authority Key Identifier extension must be present in a CRL.

Maximum lifetime in hours the cached CRL is used for revocation checking.

Indicates whether revocation checks are required to succeed on the CRL response.

Specifies the length of time to cache the CRL.

The LDAP server to get CRLs from in the form www.ldap.com.

The URL used to fetch CRL responses for an additional URL CRL Distribution point.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_CRLRevChecker

Not lockable

Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.

The value is set to true for ubiquity signatures created by enabling usage rights for Adobe Reader.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_CRLRevChecker

Not lockable

Specifies whether the Authority Key Identifier extension must be present in a CRL.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_CRLRevChecker

Not lockable

Indicates whether revocation checks are required to succeed on the CRL response.

Interacts with other iReqRevCheck settings. Values include:

0: Don't do revocation checks.

1: Do a check IF responder details are in CRLDp certificate extension or the registry; don't fail if the check fails.

2: Do a check IF responder details are in CRLDp certificate extension or the registry; all checks must succeed if there is data and a check occurs.

3: Require a check; it must succeed under all circumstances.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_CRLRevChecker\cURLDP

Not lockable

The URL used to fetch CRL responses for an additional URL CRL Distribution point.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_CRLRevChecker\cURLDP

Not lockable

Determines when the URL is used for an additional URL CRL distribution point.

If false, the URL is only used when the certificate does not have a CRLDp extension.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_CRLRevChecker

Not lockable

Indicates whether it's acceptable to go online to fetch a CRL.

If false, only cached CRLs (on local disk or ones embedded with signature) are consulted. Internally set to false for ubiquity signatures in Reader enabled documents.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_CRLRevChecker

Not lockable

The LDAP server to get CRLs from in the form www.ldap.com.

Without the protocol prefix, as LDAP is assumed. All DN-based queries for CRLs will be directed to this server.

integer: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Maximum lifetime in hours the cached CRL is used for revocation checking.

iMaxRevokeInfoCacheLifetime is only used if the validation method is set to "current time". Possible values include:

The number of hours for which the cached CRL is valid.

integer: DWORD value > REG_DWORD

Oct. 2018 (both tracks)

Security\cASPKI\cASPKI\

Not lockable

Specifies the length of time to cache the CRL.

CRLs often have a lifespan determined by fields such as nextUpdate. This preference determines the validity in seconds of a cached CRL file calculated from its download time. A fresh CRL is downloaded if the signature validation occurs after the number of seconds specified by iRevokeInfoCacheLifeTime passes from the time of the last cached CRL download OR if it occurs after the time provided in its NextUpdate field. Possible values include:

The number of seconds for which the cached CRL is valid from its last modification time. There is no max second limit.

4d60bc78fdce9e9dd668facb4ae47a99.gifSignature Validation Cert. Chain Building

The revocation checking process includes building the certificate chain so that each discovered certificate can be analyzed and processed as specified by other application preferences. Administrators do have some control over what certificates are used to build a chain.

The following options are available:

Controlling whether AIA extensions are followed.

Requiring the use of valid RSA signatures on all certificates in a chain.

Requiring the presence of specific policy OIDs in the specified chain scope for it to be valid.

Pointing to an LDAP server for path discovery purposes. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.

Summary table

Specifies whether to allow the chain builder to follow URIs in AIA certificate extensions so that certificates can be downloaded if they are not available locally.

Specifies whether the chain builder requires valid RSA signatures on certificates when building a chain (if false, chains containing certificates with invalid RSA signatures are allowed).

An array of strings c0-cN containing the required certificate policy OIDs.

Specifies the validity model for validating signatures and certificates.

Specifies the URL of an LDAP server to be used for path discovery.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_Validation

Not lockable

Specifies the validity model for validating signatures and certificates.

The application uses shell validation by default, but chain validation may be used when required. Compliance with the German signature law requires chain validation. Allowable values include:

0: PKIX shell model.

1: Chain validity model. Chain validation is used for all or part of a certificate chain when any certificate in it chains up to a CA certificate that contains either the qualified certificate policy extension (OID 1.3.36.8.1.1) or the validity model certificate extension (OID 1.3.6.1.4.1.8301.3.5) with its value set to the chain model OID (1.3.6.1.4.1.8301.3.5.1).
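The difference between the two models is easiest to see on a chain whose intermediate CA has expired by the time a signature is checked but was valid when it issued the signer's certificate. The following Python is an added example (not Adobe's code) that applies both models to such a constructed chain and selects between them the way the iValidityModel values above describe. The definitions used are the conventional ones and are an assumption of this example: the shell model requires every certificate in the chain to be valid at the signing time; the chain model requires the end-entity certificate to be valid at the signing time and each issuer to have been valid when it issued the certificate below it. The issuance time is approximated by the issued certificate's notBefore, and the chain model is applied to the whole chain rather than to the part below the marked CA.

```python
"""Shell versus chain validity model on a constructed three-certificate chain.

Added example, not Adobe's code. Model definitions are the conventional
ones (stated in the lead-in); the Cert structure is this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

QUALIFIED_CERT_POLICY_OID = "1.3.36.8.1.1"
VALIDITY_MODEL_EXT_OID = "1.3.6.1.4.1.8301.3.5"      # the extension carrying the model
CHAIN_MODEL_OID = "1.3.6.1.4.1.8301.3.5.1"           # its value for the chain model


@dataclass
class Cert:
    name: str
    not_before: datetime
    not_after: datetime
    policy_oids: Tuple[str, ...] = ()
    validity_model: Optional[str] = None   # value of the 1.3.6.1.4.1.8301.3.5 extension, if any

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def chain_model_requested(chain: List[Cert]) -> bool:
    """True if any CA in the chain (leaf first, so index >= 1) carries one of the markers above."""
    return any(QUALIFIED_CERT_POLICY_OID in c.policy_oids or c.validity_model == CHAIN_MODEL_OID
               for c in chain[1:])


def shell_model_valid(chain: List[Cert], signing_time: datetime) -> bool:
    """Shell model: every certificate must be valid at the signing time."""
    return all(c.valid_at(signing_time) for c in chain)


def chain_model_valid(chain: List[Cert], signing_time: datetime) -> bool:
    """Chain model: leaf valid at signing time; each issuer valid when it issued its child."""
    if not chain[0].valid_at(signing_time):
        return False
    # Issuance time approximated by the child's notBefore (assumption).
    return all(issuer.valid_at(child.not_before) for child, issuer in zip(chain, chain[1:]))


def validate_chain(chain: List[Cert], signing_time: datetime,
                   i_validity_model: int = 0) -> Tuple[bool, str]:
    """Apply the model iValidityModel selects; returns (valid, model_used)."""
    if i_validity_model not in (0, 1):
        raise ValueError(f"unknown iValidityModel value {i_validity_model}")
    if i_validity_model == 1 and chain_model_requested(chain):
        return chain_model_valid(chain, signing_time), "chain"
    return shell_model_valid(chain, signing_time), "shell"


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed chain, leaf first. The issuing CA expired before the signing
# time but was still valid when it issued the signer's certificate.
ROOT = Cert("Root CA", _utc(2010, 1, 1), _utc(2030, 1, 1))
ICA = Cert("Issuing CA", _utc(2015, 1, 1), _utc(2018, 3, 1),
           policy_oids=(QUALIFIED_CERT_POLICY_OID,))
LEAF = Cert("Signer", _utc(2018, 1, 1), _utc(2019, 1, 1))
SAMPLE_CHAIN = [LEAF, ICA, ROOT]
SIGNING_TIME = _utc(2018, 6, 1)

if __name__ == "__main__":
    for model in (0, 1):
        print(f"iValidityModel={model}:", validate_chain(SAMPLE_CHAIN, SIGNING_TIME, model))
```

The same chain is rejected under the shell model and accepted under the chain model, which is exactly the case the German signature law provision is about; note that without the policy or validity-model marker on the CA, iValidityModel=1 still falls back to the shell model.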

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_ChainBuilder

Not lockable

Specifies the URL of an LDAP server to be used for path discovery.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_ChainBuilder

Not lockable

Specifies whether to allow the chain builder to follow URIs in AIA certificate extensions so that certificates can be downloaded if they are not available locally.

By default the chain builder does not follow AIA URIs, so there is no phone-home capability. CRL distribution point and OCSP AIA URIs are still followed, because those revocation checks require that the certificate chain up to a trust anchor.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_ChainBuilder

Not lockable

Specifies whether the chain builder requires valid RSA signatures on certificates when building a chain (if false, chains containing certificates with invalid RSA signatures are allowed).

Consider the chain CA > ICA > EE where the CA's signature on the ICA is invalid. If this setting is true, chain building stops at the ICA and the CA is not included in the chain. If this preference is false, the full three-certificate chain is produced. This setting does not affect DSA signatures.

string: Binary value > REG_BINARY

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cASPKI\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c(index)

Not lockable

An array of strings c0-cN containing the required certificate policy OIDs.

Note that c(index) can be associated with a chain.

4d60bc78fdce9e9dd668facb4ae47a99.gifSigning: Rev Check

Applying a signature to a document involves both creating the signature and then validating it. Although end users see only one step (the signature appears with a status icon), there are actually two phases that an administrator can configure independently. Revocation checking can occur during the initial signing phase to control whether or not a signature is created.

The following option is available:

Specifying when to do revocation checking as well as the effect of a failed or bad response.

Note:

Interacts with bIsEnabled. For more detail about how revocation checking affects signing and signature validation, see Certificate Processing.

Summary table

Indicates whether revocation checks are required to succeed to create the signature.

integer: DWORD value > REG_DWORD

Security\cASPKI\cASPKI\cSign

Not lockable

Indicates whether revocation checks are required to succeed to create the signature.

Interacts with other iReqRevCheck settings. Allowable values include:

0: Don't do revocation checks.

1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.

2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.

3: (New in 10.1.5 and 11.0) Require a check; it must succeed under all circumstances.

4d60bc78fdce9e9dd668facb4ae47a99.gifSigning: Long Term Validation

Whether revocation checking information is stored in a signature varies by version. Storing such data in a signature enables offline revocation checking and a determination of whether the signing certificate was valid at the time of signing.

Setting bIsEnabled to 1 via the GUI or registry automatically sets cSign\iReqRevCheck to 2. The rationale is that if you choose to embed the revocation status you probably want a status to embed. A consequence of this choice is that you must do a check and retrieve a good result; otherwise, no signature is created. In other words, signing with a revoked certificate is prevented when this setting is on.

The following options are available:

Embedding revocation status in a signature.

Specifying the embedded data cache size to limit the amount of cached data.

Specifying when archived revocation data is used for revocation checking.

Controlling whether or not revocation data is stored in a JavaScript object.

Note:

If you are setting up a signing workflow for both signers and signature validators, you may want to set iUseArchivedRevInfo so that document recipients can validate signatures based on a signer's bIsEnabled setting.

Summary table

Specifies whether the signature revocation status is included in the signature.

If true, the revocation information is maintained within the SignatureInfo object and can be retrieved through JavaScript.

Specifies whether LTV information should be automatically added to all signatures.

The maximum size of the revocation archival information in kilobytes.

Indicates whether the revocation information archived with the signature is used for revocation checking.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_LTVProvider

Not lockable

Indicates whether the revocation information archived with the signature is used for revocation checking.

Allowable values include:

0: Never (always require fresh revocation information to be successfully downloaded).

1: Deprecated. Do not use.

2: Always use (if embedded revocation information is available do not download fresh revocation information).

boolean: DWORD value > REG_DWORD

Security\cPPKHandler

Not lockable

If true, the revocation information is maintained within the SignatureInfo object and can be retrieved through JavaScript.

For more information, see the

Acrobat JavaScript Reference.

boolean: DWORD value > REG_DWORD

Pre-9.1: 0; 9.1 and later: 1

Security\cASPKI\cAdobe_LTVProvider

Not lockable

Specifies whether the signature revocation status is included in the signature.

Possible values include:

0: Don't enable LTV; the signature's revocation status information is not included in the signature.

1: Do enable LTV.

Include signature's revocation status when signing

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_LTVProvider

Not lockable

The maximum size of the revocation archival information in kilobytes.

An attempt is made to store as much revocation information as possible without exceeding the limit. Note that older product versions may have a smaller supported size limit.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_LTVProvider

Not lockable

Specifies whether LTV information should be automatically added to all signatures.

Possible values include:

0: Never add LTV information.

1: (default) Ask whether LTV information should be added if it is too big.

2: Always add LTV information.

When the cumulative size of the LTV data exceeds 10% of the PDF file size plus 10 KB and "Automatically add verification information on Save" is set to "Ask...", a dialog asks the user whether to continue embedding the LTV information. Note that if the user selects the "Do not show this message again" checkbox AND clicks No, this preference is set to 0.

Preferences > Signatures > Verification panel (More) > Verification Information > Automatically add verification information when saving signed PDF.

4d60bc78fdce9e9dd668facb4ae47a99.gifSignature Validation Rev Check (Providers)

The revocation checker provider provides revocation checking services. You can specify one or more revocation checking methods and choose whether to use the default methods or some MSCAPI-specific method.

The following options are available:

Use one or both of Adobe's revocation checking methods (CRL and OCSP).

Use the MSCAPI revocation checking plugin model as an alternative to the Adobe mechanisms. For example, administrators may have standardized on MSCAPI or might prefer the MSCAPI method of using a CRL registry cache (Acrobat has its own cache).

Note: Acrobat's default CRL cache location is C:\Documents and Settings\(user)\Application Data\Adobe\(application)\(version)\Security\CRLCache

Summary table

An array of text entries (t0-tn) containing the name of a registered provider.

Specifies a provider for revocation checking.

integer: DWORD value > REG_DWORD

Security\cASPKI\cSPIs

Not lockable

Specifies a provider for revocation checking.

0: Use none of the registered providers.

1: Use first registered provider.

2: Use all registered providers.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Adobe_OCSPRevChecker, Adobe_CRLRevChecker

Security\cASPKI\cSPIs

Not lockable

An array of text entries (t0-tn) containing the name of a registered provider.

Adobe_OCSPRevChecker: Adobe's default OCSP method.

Adobe_CRLRevChecker: Adobe's default CRL method.

MSCAPI_RevocationChecker: Accesses the MSCAPI revocation checking plugin framework.

The rules of operation are as follows:

If cRevocationChecker is empty, the default OCSP and CRL methods are used.

If cRevocationChecker is not empty, then only the methods listed are used.

Regardless of the order in which the validators are listed, the validators are always called in the following order: OCSP, CRL, MSCAPI.

The first validator present that produces a result is the only one used.
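The four rules just listed, together with the iReqRevCheck values that the OCSP, CRL and signing sections each spell out in the same four steps, make up the revocation decision as an administrator configures it. The following Python is an added example (not Adobe's code) that models that pipeline end to end: resolve cRevocationChecker and iProviderUse to the providers actually called, call them in the fixed OCSP, CRL, MSCAPI order, take the first result, then apply the iReqRevCheck mode. Provider answers are supplied as a constructed dict. Two points are this example's assumptions rather than the page's: "first registered provider" for iProviderUse=1 is read as t0 of the configured array, and a "revoked" answer is treated as invalid in every checking mode, since in that case the check itself did not fail.

```python
"""Revocation provider selection plus the iReqRevCheck outcome rule.

Added example, not Adobe's code. Provider results are a constructed dict;
the status strings are this example's own.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Fixed call order regardless of how cRevocationChecker is ordered.
CALL_ORDER = ("Adobe_OCSPRevChecker", "Adobe_CRLRevChecker", "MSCAPI_RevocationChecker")
DEFAULT_PROVIDERS = ("Adobe_OCSPRevChecker", "Adobe_CRLRevChecker")


def providers_to_call(c_revocation_checker: Sequence[str], i_provider_use: int = 2) -> List[str]:
    """Resolve the configured list to the providers actually invoked, in call order."""
    configured = list(c_revocation_checker) or list(DEFAULT_PROVIDERS)  # empty -> defaults
    unknown = [p for p in configured if p not in CALL_ORDER]
    if unknown:
        raise ValueError(f"unregistered provider(s): {unknown}")
    if i_provider_use == 0:
        return []
    if i_provider_use == 1:
        return configured[:1]      # assumption: "first registered" means t0 of the array
    if i_provider_use == 2:
        return [p for p in CALL_ORDER if p in configured]
    raise ValueError(f"unknown iProviderUse value {i_provider_use}")


def run_revocation(providers: Sequence[str],
                   results: Dict[str, Optional[str]]) -> Tuple[Optional[str], Optional[str]]:
    """Call providers in order; the first one that produces a result ('good'/'revoked') is used."""
    for provider in providers:
        answer = results.get(provider)
        if answer is not None:
            return provider, answer
    return None, None


def apply_req_rev_check(i_req_rev_check: int, has_revocation_info: bool,
                        result: Optional[str]) -> str:
    """Map iReqRevCheck (0-3) and the check outcome to 'valid', 'invalid' or 'not-checked'."""
    if i_req_rev_check == 0:
        return "not-checked"
    if result == "revoked":
        return "invalid"           # assumption: a revoked answer fails in every checking mode
    if i_req_rev_check == 3:
        return "valid" if result == "good" else "invalid"   # must succeed under all circumstances
    if not has_revocation_info:
        return "not-checked"       # modes 1 and 2 only check when AIA/CRLDp or registry info exists
    if result == "good":
        return "valid"
    # Check attempted but no usable result: tolerated only in mode 1.
    return "valid" if i_req_rev_check == 1 else "invalid"


def check_signature_revocation(c_revocation_checker: Sequence[str], i_provider_use: int,
                               i_req_rev_check: int, has_revocation_info: bool,
                               results: Dict[str, Optional[str]]) -> Tuple[str, Optional[str]]:
    """Full pipeline; returns (status, provider_that_answered)."""
    providers = providers_to_call(c_revocation_checker, i_provider_use)
    used, result = run_revocation(providers, results)
    return apply_req_rev_check(i_req_rev_check, has_revocation_info, result), used


if __name__ == "__main__":
    # Constructed answers: the OCSP responder was unreachable, the CRL said good.
    answers = {"Adobe_OCSPRevChecker": None, "Adobe_CRLRevChecker": "good"}
    print(check_signature_revocation([], 2, 2, True, answers))
    print(check_signature_revocation(["Adobe_OCSPRevChecker"], 2, 2, True, answers))
```

The second call in the usage shows the effect of listing only the OCSP checker: with the responder unreachable no provider answers, and under iReqRevCheck=2 the signature goes invalid even though a CRL that would have cleared it exists.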

4d60bc78fdce9e9dd668facb4ae47a99.gifSigning: Preview Mode

Preview mode turns off (suppresses) rich content and dynamic document behavior that could prevent the signer from seeing what they are signing. While the use of preview mode adds an extra step in the signing workflow, it turns off potentially bad content, checks the document for the presence of any PDF constructs that may cause problems with signature integrity and provides a report about any found problems.

The following option is available:

Force the use of preview mode during signing.

Summary table

Specifies whether a signer is forced to use preview mode during signing.

boolean: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

Specifies whether a signer is forced to use preview mode during signing.

If true, preview mode is automatically invoked on a sign action. Users should read the document message bar text, view a report about any warnings, and then choose Sign Document.

Preferences > Security > View documents in preview mode when signing

Signing: Appearances

The application remembers what signature appearance a signer used and stores its index number in iAPIndex. Because an end user's appearance selection will overwrite any custom value here, customization by an administrator would serve no useful purpose.

Summary table

Remembers the last used signature appearance index.

integer: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Remembers the last used signature appearance index.

Signing: Signer Details

The signing dialog has the capability of showing a location and contact information fields during a signing workflow. Field fill-in is optional. By default, the option is off, but end users and administrators can turn this option on. The location will appear in the Signature Properties dialog and in the Signature's pane and may optionally appear in the signature appearance.

The following options are available: Showing or not showing the Contact and Location fields in the signing dialog.

Setting default contact information.

Setting default location information.

Note:

If the end user changes the field data in the signing dialog, those values will overwrite the registry-specified values.

Summary table

Specifies whether the location and contact information UI will appear during signing.

When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field.

Stores the location information of the signer.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Specifies whether the location and contact information UI will appear during signing.

Preferences > Security > Advanced Preferences > Creation tab > Show location and contact information when signing

text: String value > REG_SZ

Security\cPubSec

Not lockable

When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field.

User data is saved and reused during subsequent signing events.

Contact field in the Sign dialog.

text: String value > REG_SZ

Security\cPubSec

Not lockable

Stores the location information of the signer.

When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field. User data is saved and reused during subsequent signing events.

Location field in the Sign dialog

Signing: Reasons

The signing dialog has the capability of showing a signing reasons drop down list during a signing workflow. By default, the option is off, but end users and administrators can turn this option on. If a reason is used, it appears in the signature appearance, the Signature Properties dialog, and in the Signatures pane.

The following options are available: Showing or not showing the Reasons field in the signing dialog.

Changing the default reasons. Administrators can add, delete, and modify the reason list.

Locking the reason list so that it can't be modified by end users.

Summary table

Specifies whether the reason UI will appear during signing.

Prevents users from modifying the reason settings.

Stores a list of signing reasons.


Top > Security > Signing: Reasons > bAllowReasonWhenSigning

boolean: DWORD value > REG_DWORD

Security\cPubSec

FeatureLockDown\cSecurity\cPubSec

Specifies whether the reason UI will appear during signing.

The preference can be overridden by a document seed value set on a field. For 8.1 and later, if cReasons is locked and is empty, bAllowSigningReasons is 0 and read only (The UI is turned off). If cReasons is locked and has values, then bAllowSigningReasons is true and read only.

Preferences > Security > Advanced Preferences > Creation tab > Show reasons when signing

text: String value > REG_SZ

See details.

Security\cPubSec

Not lockable

Stores a list of signing reasons.

Entries in this folder are named t0, t1, etc. Subject to override by the document seed value: reasons.

The default reasons are:

t0: I am the author of this document

t1: I have reviewed this document

t2: I am approving this document

t3: I attest to the accuracy and integrity of this document

t4: I agree to the terms defined by the placement of my signature on this document

t5: I agree to specified portions of this document

Reasons drop down list in signing dialog

boolean: DWORD value > REG_DWORD

FeatureLockDown\cSecurity\cPubSec

Prevents users from modifying the reason settings.

v8.1: If locked and cReasons is empty, bAllowSigningReasons is 0 and read only. If locked and cReasons has values, then bAllowSigningReasons is true and read only.

Signing: Certification

A "certification signature" is simply the first signature in a document where the user has indicated via a user interface choice to "certify" the document. These preferences only control certification signature behavior and have no effect on approval signature behavior.

In addition to the general signature preferences described elsewhere in this document, the following options are available: Preventing invisible signatures: By default, users can sign with a visible or invisible signature. Prohibit invisible certification signatures by setting bAllowInvisibleSig to 0.

Legal attestations (warning comments): When certifying a document that contains dynamic content, a signer can choose a default warning comment from a list or create a custom one. You can prepopulate this list with custom comments with cAttest.

(Pre v. 8.0) Control certification based on document content: For versions prior to 8.0, you can control certification rights based on the nature of the document content and whether it generates LegalPDF warnings. These preferences are deprecated in 8.0.

11.0: Elevating certified documents to a privileged location so that they are trusted for operations that would otherwise be restricted (See TrustManager).

11.0.04: Showing the document's certification status in the Protected View document message bar (See FeatureLockdown).

Summary table

Specifies whether a certification signature may be applied to a document containing Legal PDF warnings.

Specifies whether to allow invisible certification signatures.

Specifies whether any subsequent signers can sign a certified document that does not contain LegalPDF warnings with additional approval signatures.

Specifies whether any subsequent signers can sign a certified document containing LegalPDF warnings with additional approval signatures.

Stores a list of the most recently used attestations regarding LegalPDF warnings in a document.

boolean: DWORD value > REG_DWORD

Security\cDigSig

FeatureLockDown\cSecurity\cDigSig

Specifies whether to allow invisible certification signatures.

False disables the menu option, prevents signing and certifying with invisible signatures, and limits JavaScript support by signature fields.

Certify with Invisible Signature

text: String value > REG_SZ

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cDigSig

Not lockable

Stores a list of the most recently used attestations regarding LegalPDF warnings in a document.

Entries in this folder are named t0, t1, etc. The application may have one or more default strings such as "I have included this content to make the document more interactive."

boolean: DWORD value > REG_DWORD

7.0 ONLY+

Security\cDigSig

Not lockable

Specifies whether a certification signature may be applied to a document containing Legal PDF warnings.

If false, then it is not allowed and the author is informed of the reason.

boolean: DWORD value > REG_DWORD

7.0 ONLY+

Security\cDigSig

Not lockable

Specifies whether any subsequent signers can sign a certified document containing LegalPDF warnings with additional approval signatures.

In other words, the presence of any LegalPDF warning prevents any additional signatures.

boolean: DWORD value > REG_DWORD

7.0 ONLY+

Security\cDigSig

Not lockable

Specifies whether any subsequent signers can sign a certified document that does not contain LegalPDF warnings with additional approval signatures.

In other words, the presence of any LegalPDF warning does not prevent any additional signatures.

Signing: User interface

Summary table

Specifies whether to enable the CEF-based, modern UI for digital signature workflows.

boolean: DWORD value > REG_DWORD

June, 2016: Both tracks

Security\cPubSec

FeatureLockDown\cSecurity\cPubSec

Specifies whether to enable the CEF-based, modern UI for digital signature workflows.

The newer UI streamlines the user interface. All values also disable the UI option to change the preference. Note that for products released after June 2016, disabling a user's ability to create a self-signed digital ID requires setting both bSelfSignCertGen and bEnableCEFBasedUI to 0. Possible values include:

0: Disable the modern UI and show the legacy UI.

1: Enable the Modern UI.

Preferences > Signatures > Creation and Appearance > More > Use modern user interface for signing and Digital ID configuration

Signing: Document Warnings

The Sign dialog is capable of showing a Review button. The button invokes the PDF Signature Report which analyzes the document for the presence of any dynamic content that could adversely affect the integrity of signing workflows. If none is found, a dialog appears indicating that there are no problems. If content such as a comment or JavaScript is discovered, the PDF Signature Report appears with a list of any PDF constructs that may cause problems with signature integrity.

The following options are available: Never showing or allowing the review of document warnings.

Limiting warning review to certification workflows.

Requiring warning review prior to applying an approval and/or certification signature.

Always requiring review of warnings for every signature.

Summary table

Specifies whether the user is required to review document warnings before signing via the signing dialog.

Specifies whether a button to allow reviewing document warnings shows up on the signing dialog.

integer: DWORD value > REG_DWORD

1; 11.0 = 0; 11.0.01 = 1

Security\cPubSec

Not lockable

Specifies whether a button to allow reviewing document warnings shows up on the signing dialog.

Interacts with iRequireDocumentWarnings. The possible values include:

0: Never

1: Show when certifying only

2: Always

Preferences > Security > Advanced Preferences > Creation tab > Enable reviewing of document warnings

integer: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

Specifies whether the user is required to review document warnings before signing via the signing dialog.

Interacts with iShowDocumentWarnings. The possible values include:

0: Never

1: Show when certifying only

2: Always

Preferences > Security > Advanced Preferences > Creation tab > Prevent signing until document warnings are reviewed

Signing: Font Warnings

LegalPDF warnings have been replaced by PDF Signature Report errors in versions 8.0 and later. Both mechanisms provide similar warnings. The following option is available: Toggling warnings for TrueType and non-embedded fonts on and off.

Summary table

Turns on and off warnings about non-embedded fonts.

Turns on and off warnings about True Type fonts.

boolean: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

Turns on and off warnings about non-embedded fonts.

A warning appears when the LegalPDF dictionary NonEmbeddedFonts attribute has a non-zero value. Turning this value on causes a warning to appear in the PDF Signature Report indicating that the document contains unembedded fonts.

boolean: DWORD value > REG_DWORD

Security\cDigSig

Not lockable

Turns on and off warnings about True Type fonts.

Signing: Hash Algorithm

The default algorithm used to create a message digest (document hash) during signing can be customized. In some enterprise situations, such as when FIPS compliance is required, you may need a more secure algorithm. Alternate hashing algorithms can be specified by name or OID as shown below. The algorithm that is used is displayed in the Hash Algorithm field of the Signature Properties dialog's Document tab. Usage rules: MSCAPI supports different algorithms across versions. For example, early XP versions only supported SHA1 and MD5. The use of other algorithms will require that the signer use a digital ID that resides in a .pfx/.p12 file in the Acrobat cache.

With XP SP3, MSCAPI supports SHA256 on certificates and some token devices.

Pre 9.1: Acrobat uses SHA1 as the default.

9.1 and later: Acrobat uses SHA256 as the default, but will use SHA1 if the token does not support SHA256. If using FIPS mode, do not use MD5 or RIPEMD160. The following options are available:

Specifying an alternate algorithm.

Summary table

The hashing algorithm to use while signing.

A text entry that contains the OID of the hashing algorithm.

string: Binary value > REG_BINARY

SHA1 for 9.0 and earlier; SHA256 for 9.1 and later

Security\cPubSec

Not lockable

The hashing algorithm to use while signing.

For an alternative, see tSignHash.

NOTE: The data type prefix is incorrect, as the key is not an atom. The entry is binary. You can manually create the binary value by right clicking in the preference area and choosing New Binary Value. Right click on your new preference and choose Modify Binary Data. When the Edit Binary Value dialog appears, click in the right-hand side of the Value data field and type the name of a supported algorithm. As you type the string, the binary value appears on the left-hand side of the dialog. For example, type SHA384. Once done, click in the binary field, add a zero at the end, and press Enter. The null terminator is required (the registry editor will change it to 00).

MD5

SHA1

SHA256 (v. 7.0)

RIPEMD160 (v. 8.0)

SHA384 (v. 8.0)

SHA512 (v. 8.0)

text: String value > REG_SZ

SHA1 for 9.0 and earlier; SHA256 for 9.1 and later

Security\cPubSec

Not lockable

A text entry that contains the OID of the hashing algorithm.

For an alternative, see aSignHash. Allowable values include:

1.2.840.113549.2.5: MD5

1.3.14.3.2.26: SHA1

2.16.840.1.101.3.4.2.1: SHA256 (v. 7.0)

1.3.36.3.2.1: RIPEMD160 (v. 8.0)

2.16.840.1.101.3.4.2.2: SHA384 (v. 8.0)

2.16.840.1.101.3.4.2.3: SHA512 (v. 8.0)

Signing: Format

The default format for creating the signature object that is embedded in a signed document is PKCS#7. The object contains the encrypted message digest, certificates, timestamps, and other information. It does not include the signature appearance and data outside of Contents in the signature dictionary. Format choices are limited so that a signature encoded by one handler can be unencoded (validated) by another handler. Providing a value for aSignFormat writes that value to the signature dictionary's SubFilter object. For details, see "Signature Interoperability" in the PDF Reference.

PKCS#1: For signing PDF files using PKCS#1, the only recommended value of SubFilter is adbe.x509.rsa_sha1, which uses the RSA encryption algorithm and SHA-1 digest method. The certificate chain of the signer is stored in the Cert entry.

PKCS#7: The value of Contents is a DER-encoded PKCS#7 binary data object containing the signature. The PKCS#7 object must conform to the PKCS#7 specification in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5. SubFilter can take one of the following values:

adbe.pkcs7.detached: No data is encapsulated in the PKCS#7 signed-data field.

adbe.pkcs7.sha1: The SHA1 digest of the byte range is encapsulated in the PKCS#7 signed-data field with ContentInfo of type Data.

ETSI.CAdES.detached: Supports long term validation of signatures even when the signing certificate is revoked; this is part of the feature which allows adding an invisible timestamp signature to a document.

Summary table

The format to use when signing a document using public key cryptography when a format is not specified by a seed value, JavaScript parameter, or the PubSec Handler.

atom: String value > REG_SZ

adbe.pkcs7.detached

Security\cPubSec

FeatureLockDown\cSecurity\cPubSec

The format to use when signing a document using public key cryptography when a format is not specified by a seed value, JavaScript parameter, or the PubSec Handler.

Allowable values include:

adbe.pkcs7.detached

adbe.pkcs7.sha1

adbe.x509.rsa_sha1

ETSI.CAdES.detached

10.0 and later: Preferences > Security > Advanced Preferences > Creation tab > Default Signature Signing Format

Signing: Digest Comparison

When signing a PDF document, a message digest is created for the document and sent to the cryptographic module that performs the signing operation. Setting the registry entry bEnforceSecureChannel to 1 ensures the message digest sent to the cryptographic module is checked against the signed message digest that it returns. This flag ensures that intermediate layers of software between Acrobat and the cryptographic module do not tamper with the signing operation.

The following rules apply: When using a certificate that includes a DSA public key with omitted parameters, the test to detect signature validity is not performed. In these cases, setting bEnforceSecureChannel has no effect.

When this preference is turned on, a digest mismatch results in a warning dialog. The signature is removed from the document and the signing application aborts the signing process.

Summary table

Specifies whether to prevent signing when the original message digest and the signed message digest do not match.

boolean: DWORD value > REG_DWORD

Security\cPubSec

Not lockable

Specifies whether to prevent signing when the original message digest and the signed message digest do not match.

When set to 1, the user sees a warning dialog when the digest mismatch occurs. This error can be caused by a modification of the original message digest, a modification of the signed message digest, or a mismatch between the private and public key used for signing.

When using a certificate that doesn't include a public key (such as a DSA certificate with an omitted public key), the test to detect signature validity is not performed. Do not turn this setting on if such certificates are used.

Signature Clearing

Summary table

Specifies whether to disable and lock the ability for a signer to clear their own signature.

boolean: DWORD value > REG_DWORD

FeatureLockDown\cSecurity\cDigSig

Specifies whether to disable and lock the ability for a signer to clear their own signature.

Possible values include:

0: Disable signature clearing.

1: Enable signature clearing.

The Clear Signature menu item which appears when a user right clicks on a signature.

Timestamp Server: Usage

Summary table

Indicates whether retrieving a signature property must succeed.

Specifies whether expired timestamps should be used.

Specifies whether the timestamp time should be displayed in the signature appearance.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cASPKI\cSign

Not lockable

Indicates whether retrieving a signature property must succeed.

Acrobat currently provides a signature property for timestamps. By default, retrieving a valid and trusted timestamp is not required, and property retrieval failure only results in creating a signature which uses the local time. When property retrieval is required during signature creation and fetching a timestamp fails for any reason (bad URL, no network connection, etc.) the signature creation process is aborted, no signature is created, and an error appears.

0: Make best effort, but success is not required. A signature is created.

1: Property retrieval must succeed. On failure, a signature is not created and an error dialog appears.

boolean: DWORD value > REG_DWORD

Security\cAdobe_TSPProvider

Not lockable

Specifies whether expired timestamps should be used.

If true, an expired timestamp will not invalidate a signature.

Preferences > Security > Advanced Preferences > Verification tab > Use expired timestamps

boolean: DWORD value > REG_DWORD

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\(product)\(version)\FeatureLockDown\cSecurity\cPubSec\

Specifies whether the timestamp time should be displayed in the signature appearance.

By default, the signature appearance displays the signing time from the signer's computer clock. To display the timestamp server time in a signature appearance:

Go to HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product)\(version)\FeatureLockDown\cSecurity\cPubSec\

Create the new DWORD bUseTSAsSigningTime and set it to 1.

Go to HKCU\Software\Adobe\(product)\(version)\Security\cASPKI\cASPKI\cSign.

Set bReqSigPropRetrieval to 1. Create the preference if it does not exist.

Verify the computer time does not vary from the signature validation revocation check response time by more than the value specified by HKCU\Software\Adobe\(product)\(version)\Security\cPubSec\iMaxClockSkew. The default is 65 minutes. iMaxClockSkew allows admins to account for network delay, time synchronization issues, and so on without invalidating signatures. Possible values include:

0: Don't show the timestamp time.

1: Do show the timestamp time.
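The following Python, added here and not part of Adobe's documentation, renders a .reg fragment (suitable for `reg import`) that deploys the Hash Algorithm preferences described earlier (aSignHash as REG_BINARY with its required null terminator, tSignHash as the OID) together with the two registry values from the timestamp signing-time procedure above, applies the page's FIPS rule, and carries out the iMaxClockSkew check from that procedure. The product "Acrobat" and version "DC" are assumed placeholders for the (product) and (version) path components the page leaves generic.

```python
"""Deployment helper for the aSignHash/tSignHash and bUseTSAsSigningTime preferences.
Added example; not Adobe's code. Registry paths are the ones given on the page."""
from datetime import datetime, timedelta
from typing import Dict, Union

# Name -> OID table exactly as listed on the page for tSignHash.
HASH_OIDS = {
    "MD5": "1.2.840.113549.2.5",
    "SHA1": "1.3.14.3.2.26",
    "SHA256": "2.16.840.1.101.3.4.2.1",
    "RIPEMD160": "1.3.36.3.2.1",
    "SHA384": "2.16.840.1.101.3.4.2.2",
    "SHA512": "2.16.840.1.101.3.4.2.3",
}
# The page: in FIPS mode, do not use MD5 or RIPEMD160.
NOT_FIPS = {"MD5", "RIPEMD160"}


class Binary(bytes):
    """Marker type so render_reg emits a hex: (REG_BINARY) value instead of a string."""


def a_sign_hash_value(algo: str) -> Binary:
    """aSignHash is REG_BINARY: the ASCII algorithm name followed by the null
    terminator the page tells you to add by hand (the trailing 00)."""
    if algo not in HASH_OIDS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    return Binary(algo.encode("ascii") + b"\x00")


def sign_hash_entries(algo: str, fips_mode: bool) -> Dict[str, Union[Binary, str]]:
    """Both spellings of the preference that live under Security/cPubSec."""
    if fips_mode and algo in NOT_FIPS:
        raise ValueError(f"{algo} is not permitted in FIPS mode")
    return {"aSignHash": a_sign_hash_value(algo), "tSignHash": HASH_OIDS[algo]}


def timestamp_signing_time_entries(product: str, version: str) -> Dict[str, Dict[str, int]]:
    """Steps 1-4 of the procedure above: the HKLM policy switch that shows the
    timestamp time, and the HKCU value that makes timestamp retrieval mandatory."""
    hklm = (rf"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\{product}\{version}"
            r"\FeatureLockDown\cSecurity\cPubSec")
    hkcu = rf"HKEY_CURRENT_USER\Software\Adobe\{product}\{version}\Security\cASPKI\cASPKI\cSign"
    return {hklm: {"bUseTSAsSigningTime": 1}, hkcu: {"bReqSigPropRetrieval": 1}}


def render_reg(keys: Dict[str, Dict[str, Union[int, str, Binary]]]) -> str:
    """Serialize {key path: {value name: value}} in Registry Editor 5.00 .reg syntax."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in keys.items():
        lines.append(f"[{key}]")
        for name, value in values.items():
            if isinstance(value, Binary):
                lines.append(f'"{name}"=hex:' + ",".join(f"{b:02x}" for b in value))
            elif isinstance(value, int):
                lines.append(f'"{name}"=dword:{value:08x}')
            else:
                lines.append(f'"{name}"="{value}"')
        lines.append("")
    return "\n".join(lines)


def clock_skew_ok(local: datetime, response: datetime, max_skew_minutes: int = 65) -> bool:
    """Step 5: the local clock must be within iMaxClockSkew (page default 65 minutes)
    of the revocation check response time, or signatures are invalidated."""
    return abs(local - response) <= timedelta(minutes=max_skew_minutes)


if __name__ == "__main__":
    product, version = "Acrobat", "DC"  # assumed placeholders
    keys = {rf"HKEY_CURRENT_USER\Software\Adobe\{product}\{version}\Security\cPubSec":
            sign_hash_entries("SHA384", fips_mode=True)}
    keys.update(timestamp_signing_time_entries(product, version))
    print(render_reg(keys))
```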

Timestamp Server: List

Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.

The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available: Specifying a list of servers that will appear in the Security Settings Console. Preferences are represented as a list c0-cN and contain the server name, URL, and whether authentication is required.

Specifying when to do revocation checking as well as the effect of a failed or bad response.

Increasing security by choosing a more robust hashing algorithm. The algorithm must be supported by the timestamp server.

Requiring signature property retrieval (a valid and trusted server URL) in order to create a signature.

Summary table

This is an internal copy of bAuthReqd that cannot be modified.

Specifies whether or not the timestamp server requires authentication.

The user-defined server name.

The server URL.

If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID.

n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.

Security\cPPKHandler\cTimeStampServers\c(index)

Not lockable

The server URL.

Security Settings Console > Timestamp Servers > configuration details

text: String value > REG_SZ

Security\cPPKHandler\cTimeStampServers\c(index)

Not lockable

The user-defined server name.

This can be Unicode.

Security Settings Console > Timestamp Servers > configuration details

boolean: DWORD value > REG_DWORD

Security\cPPKHandler\cTimeStampServers\c(index)

Not lockable

Specifies whether or not the timestamp server requires authentication.

If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID. The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment.

Security Settings Console > Timestamp Servers > Configuration panel > This server requires me to log on

boolean: DWORD value > REG_DWORD

Security\cPPKHandler\cTimeStampServers\c(index)

Not lockable

This is an internal copy of bAuthReqd that cannot be modified.

string: Binary value > REG_BINARY

Security\cPPKHandler\cTimeStampServers\c(index)

Not lockable

If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID.

The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment.

The preference is populated when the user checks This server requires me to log on and then enters a username and password.

Timestamp Server: Default

Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.

The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available: Setting a default server.

Summary table

Specifies whether the timestamp server requires authentication.

Identifies the hashing algorithm used to hash the timestamped data.

Indicates whether revocation checks on timestamps are required to succeed before signing.

ASPKI requires the signature property to predict the size (in bytes) so that enough space can be set aside.

The hashing algorithm OID used to hash the data to be timestamped.

The server login password.

A timestamp server URL such as http://www.example.com/tsp.

The server login username.

If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g. Microsafe).

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_TSPProvider

Not lockable

Indicates whether revocation checks on timestamps are required to succeed before signing.

Failure does not affect signature creation or validation; it only results in defaulting to the local machine time. Interacts with other iReqRevCheck settings. The possible values include:

0: Don't do revocation checks.

1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.

2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.

3: Require a check; it must succeed under all circumstances.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_TSPProvider

Not lockable

A timestamp server URL such as http://www.example.com/tsp.

Because no default is specified, it must be configured for timestamping to work. Only the HTTP(s) protocol is supported.

boolean: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_TSPProvider

Not lockable

Specifies whether the timestamp server requires authentication.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_TSPProvider

Not lockable

The server login username.

Relevant only if bAuthRequired is true. Only username and password-based authentication is supported.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_TSPProvider

Not lockable

The server login password.

Relevant only if bAuthRequired is true.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_TSPProvider

Not lockable

If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g. Microsafe).

The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment.

The preference is populated when the user checks This server requires me to log on and then enters a username and password.

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_TSPProvider

Not lockable

Identifies the hashing algorithm used to hash the timestamped data.

The valid values are:

0: MD5

1: SHA1

2: SHA256

For an alternative, see sHashAlgo which supports more options.

string: Binary value > REG_BINARY

Security\cASPKI\cAdobe_TSPProvider

Not lockable

The hashing algorithm OID used to hash the data to be timestamped.

The valid values are:

MD5: 1.2.840.113549.2.5

SHA1: 1.3.14.3.2.26

SHA256: 2.16.840.1.101.3.4.2.1

SHA384: 2.16.840.1.101.3.4.2.2

SHA512: 2.16.840.1.101.3.4.2.3

integer: DWORD value > REG_DWORD

Security\cASPKI\cAdobe_TSPProvider

Not lockable

ASPKI requires the signature property to predict the size (in bytes) so that enough space can be set aside.

Security Envelopes

These keys appear after a user creates a security envelope to deliver one or more documents securely. The keys in cMain remember the user choices such as the last search path for finding attachments and so on. An administrator could set a default value, but these values would be changed by user actions.

Summary table

The ASPath to the last envelope used for Secure PDF Delivery.

The last path used for selecting files to include in an eEnvelope.

Security\cMain

Not lockable

The last path used for selecting files to include in an eEnvelope.

Security\cMain

Not lockable

The ASPath to the last envelope used for Secure PDF Delivery.

LiveCycle Server Configuration

The preferences in EDC (a legacy name) define Adobe LiveCycle Right Management Server connections. Users can specify servers through the Security Settings Console. However, administrators can preconfigure user machines to control the end user experience.

The following options are available: Setting a default server under cEDC. The default server appears with a star icon in the Security Settings Console.

Controlling whether to use HTTP or HTTPS with bAllowConnectViaHTTP.

Adding one or more servers in to the known server list cEDC\KnownServers. These server definitions will appear in the Security Settings Console's server list.

Locking down the settings so that the server configuration dialog will not appear in the user interface, thereby preventing end users from adding servers or changing server settings.

Summary table

Prevents a LiveCycle Right Management Server from being configured by disabling the menu option in the Security Settings Console.

If true, the server connection URI uses the format http://server:port/path; otherwise, it uses the format https://server:port/path.

Indicates whether the password has been cached for this server.

The last APS server used to open a document and the server used for offline key synchronization.

Set if bSavePassword is not 0 to look up the password in a user's secure password cache.

The user defined name for this server.

The DNS server name (e.g., alrms.adobe.com).

The Adobe LiveCycle Rights Management Server selected by the user as the default.

The default server URL.

boolean: DWORD value > REG_DWORD

FeatureLockDown\cSecurity\cEDC

Prevents a LiveCycle Right Management Server from being configured by disabling the menu option in the Security Settings Console.

By default, configuration is allowed.

boolean: DWORD value > REG_DWORD

Security\cEDC

Not lockable

If true, the server connection URI uses the format http://server:port/path; otherwise, it uses the format https://server:port/path.

In either case, if the connection fails, an error message appears. For more information, see Guidelines for Developing CSPs for Acrobat on Windows.

text: String value > REG_SZ

Security\cEDC

Not lockable

The last APS server used to open a document and the server used for offline key synchronization.

It is set automatically when opening a document.

text: String value > REG_SZ

Security\cEDC

Not lockable

The Adobe LiveCycle Rights Management Server selected by the user as the default.

This is set via the user interface in the Security Settings Console either by creating a new server (the first one is the default) or by selecting an existing one.


text: String value > REG_SZ

Security\cEDC

Not lockable

The default server URL.

boolean: DWORD value > REG_DWORD

Security\cEDC\cKnownServers

Not lockable

Indicates whether the password has been cached for this server.

ALRMS settings in the Security Settings Console

text: String value > REG_SZ

Security\cEDC\cKnownServers

Not lockable

The user defined name for this server.

ALRMS settings in the Security Settings Console

text: String value > REG_SZ

Security\cEDC\cKnownServers

Not lockable

The DNS server name (for example, alrms.adobe.com).

There is no scheme specified.

ALRMS settings in the Security Settings Console

text: String value > REG_SZ

Security\cEDC\cKnownServers

Not lockable

Set if bSavePassword is not 0 to look up the password in a user's secure password cache.

This is not directly exposed via the user interface.

Security Policy Favorites

The keys at Security\cPPKLite\cSP_Favorites contain an array of subkeys c0-cN where each index defines a favorite security policy. Both user and organizational policies can be favorites. Any policy marked as a favorite will appear in the user's favorites list. End users make a policy a favorite by opening the Manage Security Policies dialog, highlighting the policy, and choosing Favorites. A star icon appears to the left of the policy name and the policy becomes available in the top-level menu.

The following options are available:

Specifying a non-default handler for a policy.

Marking one or more policies as a favorite.

Specifying policy names.

Summary table

An ASAtom specifying which PDCrypt handler knows how to handle this security policy.

Determines whether the referenced security policy is displayed as a favorite.

A string containing the security-policy.acrodata file key used to reference the policy that is being applied.

The security policy name.

atom: String value > REG_SZ

Security\PPKLite\cSP_Favorites\c(index)\

Not lockable

An ASAtom specifying which PDCrypt handler knows how to handle this security policy.

boolean: DWORD value > REG_DWORD

Security\PPKLite\cSP_Favorites\c(index)\

Not lockable

Determines whether the referenced security policy is displayed as a favorite.

boolean: DWORD value > REG_DWORD

Security\PPKLite\cSP_Favorites\c(index)\

Not lockable

A string containing the security-policy.acrodata file key used to reference the policy that is being applied.

text: String value > REG_SZ

Security\PPKLite\cSP_Favorites\c(index)\

Not lockable

The security policy name.
