Manual Block Adobe From Checking Validation Protocol
These settings pertain to content security (security features) rather than application security (securing the software environment). Content security includes digital signatures, security methods such as password and certificate security, and other rights management features. Note the following:
• Most of these settings are applicable to Windows, Macintosh, Unix, and Linux systems.
• The examples use Acrobat; other applications may provide different menu options.
• The security preferences folder does not appear in the registry until a security feature is used. Many subdirectories also appear as the code is exercised.
For more information, refer to the and related documentation. This preference category contains the following subfeature(s):

Signing: RSA-PSS Configuration.
The DC release supports RSA-PSS signing on Windows (April, 2017) and Macintosh (August 2017). RSA-PSS is a newer signature scheme based on the RSA cryptosystem that provides increased security assurance. For more details see
Support currently includes:
• Windows only
• Acrobat and Reader DC (not supported on the classic track: Acrobat and Reader 2015)
• Signature validation
• Signature creation with digital ID files (PFX/P12)
• Signature creation with digital IDs imported to the Windows Certificate Store and devices such as smart cards supporting Cryptography API: Next Generation (CNG). CNG is designed to replace the legacy CryptoAPI. In addition to increased security, CNG is extensible and cryptography agnostic. For more detail and a list of features, see
Signature creation with devices using the legacy CryptoAPI is not supported.

Summary table
• Specifies the hash algorithm used for RSA-PSS signing.
• Specifies whether a signature should be created with the RSA-PSS algorithm.
• Specifies the salt length the RSA-PSS algorithm uses.

>>>aRSAPSSHashAlgorithm
Type: atom (String value), REG_SZ
Default: null
Version: DC continuous track only: Windows April, 2017; Mac August 2017
Path: Security\cPubSec\cRSAPSSSigning
Lockable: Not lockable
Specifies the hash algorithm used for RSA-PSS signing. If bEnableRSAPSSSigning is enabled, this preference specifies the hash algorithm. If this preference is not present or has a null value, then the value specified by aSignHash is used. If aSignHash is not specified, then SHA256 is used.
Possible values include:
• SHA1
• SHA224
• SHA256
• SHA384
• SHA512

>>>iImportAddressBook
Type: integer (DWORD value), REG_DWORD
Default: 1
Version: 11.0.06+
Path: Security\cDigSig
Lockable: Not lockable
Specifies whether the addressbook.acrodata file should be imported during a new install. Many admins set a value of 2 so that the import dialog does not appear for end users. Possible values include:
• 0: Do not copy the old address book. The user is NOT prompted and the address book should NOT be installed.
• 1 or null: Default: The user is asked whether the address book should be installed or not.
• 2: Import the address book silently.

Security Setting Import.
9.x products introduced a security feature that includes the ability to import and export security settings via an .acrobatsecuritysettings file, thereby enabling easier version upgrades as well as configuration of multiple machines. The security settings import/export feature offers several advantages over FDF files:
• Most document security and digital signature related settings can be encapsulated in an acrobatsecuritysettings file, whereas FDF could only transport one setting type at a time and could not encapsulate registry settings at all.
• One file can be used instead of many files.
• Trust can be assigned to imported files on the fly, thereby simplifying workflows. Files can be signed and encrypted.
• Updates can be configured to occur automatically on a specified schedule.
Use security settings files to back up and restore settings, to distribute settings in a workgroup or enterprise, and to send specific information to another user. Importing settings simply involves importing a file from a network (including automatically from a server) that has been exported from Acrobat and has then been made available from a trusted source. The following options are available:
• Specifying whether or not to poll a server for settings to import at regular intervals.
• Configuring whether or not the user should grant permission prior to installing new settings.
• Specifying a particular certificate so the signed settings will only be imported from a trusted source.

Summary table
• Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
• The polling interval to check the specified server for an updated security settings file which the application can import.
• An internally used number created by Acrobat when it first sets up the 'resource' pointed to by the URL. It is not user customizable.
• Specifies a certificate that must be used to sign the imported security settings file.
• Specifies whether to load security settings from a server.
• Specifies the signing certificate for the imported settings file.
• The server URL where the acrobatsecuritysettings file to import resides.
• Binary data used for internal purposes.
>>>iCheckEvery
Type: integer (DWORD value), REG_DWORD
Default: 2419200
Version: 9.0+
Path: Security\cDigSig\cCustomDownload
Lockable: Not lockable
The polling interval to check the specified server for an updated security settings file which the application can import. Specifies the number of seconds it should wait between checks for updates. The default value is 90 days. Possible values include:
• 604800: 1 week
• 1209600: 2 weeks
• 2419200: 1 month
• 7257600: 3 months
Preferences > Security > Security Settings panel > 'Check every' radio buttons.

>>>cValue
Type: n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.
Version: 7.x+
Path: Security\cAcceptablePolicyOIDs\c(some integer)
Lockable: Not lockable
An array of strings containing the policy OIDs for a certificate to be considered acceptable.
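The following is an added example, not Adobe code and not the matching logic Acrobat itself uses, showing what an "acceptable policy OID" check amounts to: the certificatePolicies extension of the signer's certificate is decoded and at least one of its policyIdentifier OIDs must appear in the configured cAcceptablePolicyOIDs list. The ICA and EE OID lists are the ones given for this key; the DER encoder/decoder and the sample extension bytes are constructed here so the script runs offline without a real certificate.

```python
"""Added example (not Adobe code): check a certificate's certificatePolicies
extension against an acceptable-policy list like cAcceptablePolicyOIDs.

Minimal, self-contained DER encoder/decoder for OBJECT IDENTIFIER values and
a check that mirrors the rule 'the certificate must carry at least one policy
OID from the configured list'. The sample extension bytes are constructed
here, not taken from a real certificate."""

# Acceptable-policy lists as given for cAcceptablePolicyOIDs (ICA and EE).
ICA_POLICY_OIDS = {"1.2.840.114021.1.6.1", "1.2.840.114021.1.2.1"}
EE_POLICY_OIDS = {
    "1.2.840.114021.1.4.1", "1.2.840.114021.1.4.2", "1.2.840.114021.1.7.2",
    "1.2.840.114021.1.10.1", "1.2.840.114021.1.10.2", "1.2.840.114021.1.13.2",
    "1.2.840.114021.1.16.2", "1.2.840.114021.1.19.2", "1.2.840.114021.1.22.2",
    "1.2.840.114021.1.25.2", "1.2.840.114021.1.28.2", "1.2.840.114021.1.30.2",
}
ANY_POLICY = "2.5.29.32.0"  # RFC 5280 anyPolicy; not in the configured lists

TAG_OID, TAG_SEQUENCE = 0x06, 0x30


def _encode_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(arc: int) -> bytes:
    """Encode one OID arc as base-128 with continuation bits."""
    groups = [arc & 0x7F]
    arc >>= 7
    while arc:
        groups.append((arc & 0x7F) | 0x80)
        arc >>= 7
    return bytes(reversed(groups))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([TAG_OID]) + _encode_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    """Wrap already-encoded items in a DER SEQUENCE."""
    content = b"".join(items)
    return bytes([TAG_SEQUENCE]) + _encode_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """DER OID content bytes -> dotted string."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in lead + tuple(arcs[1:]))


def policy_oids(cert_policies_der: bytes) -> list:
    """Extract policyIdentifier OIDs from a certificatePolicies extension value."""
    tag, content, _ = _read_tlv(cert_policies_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, info, pos = _read_tlv(content, pos)   # one PolicyInformation
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_body, _ = _read_tlv(info, 0)  # policyIdentifier; qualifiers ignored
        if oid_tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def is_acceptable(cert_policies_der: bytes, acceptable: set) -> bool:
    """True when at least one asserted policy is in the configured list.
    anyPolicy is deliberately not treated as a wildcard."""
    return any(oid in acceptable for oid in policy_oids(cert_policies_der))


# Constructed samples: an EE certificate asserting one listed policy, and one
# asserting only anyPolicy.
EE_SAMPLE = der_sequence(der_sequence(encode_oid("1.2.840.114021.1.4.1")))
ANY_POLICY_SAMPLE = der_sequence(der_sequence(encode_oid(ANY_POLICY)))

if __name__ == "__main__":
    print(policy_oids(EE_SAMPLE), is_acceptable(EE_SAMPLE, EE_POLICY_OIDS))
    print(policy_oids(ANY_POLICY_SAMPLE), is_acceptable(ANY_POLICY_SAMPLE, EE_POLICY_OIDS))
```

The anyPolicy case is the one worth noticing: a certificate that asserts only 2.5.29.32.0 matches nothing in a list of specific OIDs, so an explicit list like the one above is a strict allow-list rather than a hint.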
For ICA certificates: set to 1.2.840.114021.1.6.1 and 1.2.840.114021.1.2.1.
For EE certificates: set to 1.2.840.114021.1.4.1, 1.2.840.114021.1.4.2, 1.2.840.114021.1.7.2, 1.2.840.114021.1.10.1, 1.2.840.114021.1.10.2, 1.2.840.114021.1.13.2, 1.2.840.114021.1.16.2, 1.2.840.114021.1.19.2, 1.2.840.114021.1.22.2, 1.2.840.114021.1.25.2, 1.2.840.114021.1.28.2, 1.2.840.114021.1.30.2.

Custom Security Handlers.
Security handlers are Acrobat plugins. Information about creating plugins in general and security handlers in particular can be found in the Acrobat Software Development Kit (SDK) and its HFTs, header files, and other API documentation. Because Acrobat's Adobe.PPKLite is becoming more feature rich with each release, it is unlikely that you will need a custom security handler. Adobe.PPKLite is the default security handler used for performing private key functions, validating signatures, and signing and encrypting documents.
This is represented in the user interface as Adobe Default Security in the Digital Signatures Advanced Preferences dialog on both the Verification and Creation tabs. Administrators can install custom handlers to perform these functions, in which case the drop-down lists on these tabs will list the additional handlers. All entries in the cHandler folder are reset by the Digital Signature Preferences dialog's Reset button. If a custom handler is used, you can specify the following:
• Separate handlers for signing/encryption and signature validation.
• The default method displayed in the drop-down list of handlers.
• Lock down the selections so they cannot be modified by end users.

Summary table
• Remembers a preferred handler for accessing Trusted Identity Manager functions, including certificate data import from an FDF file.
• Remembers a preferred handler for directory functions (e.g. LDAP), including importing directory information from an FDF data exchange file.
• Used by DigSig and PubSec to store the handler that accesses private key functions.
• Remembers the name of the preferred handler to use when verifying signatures.
• Qualifies the use of aVerify.
• The last on-screen coordinates of a handler's digital ID selection dialog.

>>>aPrivKey
Type: atom (String value), REG_SZ
Default: Adobe.PPKLite
Version: 7.x+
Path: Security\cHandlers
Lockable: HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cHandlers
Used by DigSig and PubSec to store the handler that accesses private key functions. It is used for signing, decryption, and responding to an FDF file request to export contact information. Set the value to Adobe.NoHandler if the user should be asked to select a handler.
Preferences > Security > Advanced Preferences > Creation tab > Method to use When Signing and Encrypting Documents.

>>>aVerify
Type: atom (String value), REG_SZ
Default: Adobe.NoHandler
Version: 7.x+
Path: Security\cHandlers
Lockable: HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cHandlers
Remembers the name of the preferred handler to use when verifying signatures. If this value is not set, then the handler used to verify signatures is the handler that matches the Filter attribute in the signature dictionary; if this handler is not available, then the user is prompted to select a handler. If this value is set, its meaning is qualified by the value of bVerifyUseAlways.
• Adobe.NoHandler: Use the document-specified method; prompt if it is not available.
• Adobe.PPKLite: Use the document-specified method; use the default method if it is not available.
• The value set in aPrivKey: Always use the default method (overrides the document-specified method).
Takes the value selected from Default Method for Verifying Signatures.
Preferences > Security > Advanced Preferences > Verification tab > the radio button selections under 'When Verifying:'.

>>>bVerifyUseAlways
Type: boolean (DWORD value), REG_DWORD
Default: 0
Version: 7.x+
Path: Security\cHandlers
Lockable: HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cHandlers
Qualifies the use of aVerify. If true and aVerify is set to a handler name, then this handler is used to verify all signatures. If false, then the aVerify handler is used only to verify signatures when the handler specified by the signature dictionary Filter attribute is not present.
Preferences > Security > Advanced Preferences > Always use the default method (overrides the document-specified method).
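The interaction between aVerify, bVerifyUseAlways and the signature dictionary's Filter entry is easy to misread, so here it is as an added example (not Adobe code and not a description of Acrobat's internals): a function that returns which handler would verify a given signature under each registry combination. The handler names Adobe.NoHandler and Adobe.PPKLite are from the page; "Example.CustomHandler", the installed-handler sets and the PROMPT marker are assumptions made for the demonstration.

```python
"""Added example (not Adobe code): the handler-selection rule described by
aVerify and bVerifyUseAlways, written as a function so that the
combinations can be checked. PROMPT stands for 'ask the user to choose a
handler'; the installed-handler sets and Example.CustomHandler are
assumptions for the demonstration."""

NO_HANDLER = "Adobe.NoHandler"
DEFAULT_HANDLER = "Adobe.PPKLite"
PROMPT = "<prompt user>"


def select_verify_handler(a_verify, verify_use_always, doc_filter, installed):
    """Pick the handler used to verify one signature.

    a_verify          -- Security\\cHandlers\\aVerify (None when not set)
    verify_use_always -- Security\\cHandlers\\bVerifyUseAlways (True/False)
    doc_filter        -- Filter attribute of the signature dictionary
    installed         -- set of handler names available in this install
    """
    # Not set, or Adobe.NoHandler: document-specified method, prompt if absent.
    if a_verify in (None, NO_HANDLER):
        return doc_filter if doc_filter in installed else PROMPT
    # aVerify names a concrete handler and bVerifyUseAlways is true: use it
    # for every signature, overriding the document-specified method.
    if verify_use_always:
        return a_verify if a_verify in installed else PROMPT
    # Otherwise aVerify is only a fallback for when the document's handler
    # is not present.
    if doc_filter in installed:
        return doc_filter
    return a_verify if a_verify in installed else PROMPT


def ui_radio_to_registry(choice):
    """Map the 'When Verifying' radio buttons to (aVerify, bVerifyUseAlways)."""
    return {
        "document-specified, prompt if unavailable": (NO_HANDLER, False),
        "document-specified, default if unavailable": (DEFAULT_HANDLER, False),
        "always default": (DEFAULT_HANDLER, True),
    }[choice]


# Constructed scenario: a document whose signature dictionary names a
# third-party filter that is installed on only some machines.
THIRD_PARTY = "Example.CustomHandler"          # hypothetical handler name
INSTALLED_WITH_PLUGIN = {DEFAULT_HANDLER, THIRD_PARTY}
INSTALLED_BASE = {DEFAULT_HANDLER}

if __name__ == "__main__":
    for choice in ("document-specified, prompt if unavailable",
                   "document-specified, default if unavailable",
                   "always default"):
        a_verify, always = ui_radio_to_registry(choice)
        for name, installed in (("plugin present", INSTALLED_WITH_PLUGIN),
                                ("plugin absent", INSTALLED_BASE)):
            print(f"{choice:45s} {name:15s} -> "
                  f"{select_verify_handler(a_verify, always, THIRD_PARTY, installed)}")
```

Note that with the default (Adobe.NoHandler) a signature whose Filter names an uninstalled handler leads to a user prompt; the "default if unavailable" setting silently falls back to Adobe.PPKLite, and only bVerifyUseAlways=1 makes the configured handler override what the document asks for.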
The File Data Exchange Format (FDF) provides a format for easily importing and exporting certificate data and application settings. These settings appear in Security\cPubSec after a client uses the feature. The default values are stored internally by the application and are not visible in the registry. An administrator can set the default behavior, but your configuration is subject to modification by end users via the user interface. The following features are available:
• Specifying whether the default export behavior is to save or email the file.
• Specifying whether the default export behavior is to sign the file.
• Specifying whether the default certificate request behavior is to save or email the file.
• Enabling or disabling WebBuy FDF processing (deprecated).

Summary table
• Persists whether the user chose to save (1) or email (0) the FDF during export.
• Persists whether the user chose to sign the FDF during export.
• Similar to bFDFRequestSave. Caches a user's answer to the question whether they want to save the request as an FDF or email it directly when that user requests a certificate.
• Enables WebBuy FDF file processing.

Security Settings Console preferences persist information about the state of the console user interface. These preferences are user generated and implementation specific and are likely to change across application versions. These keys are not customizable and are provided for informational purposes only.

Summary table
• An array of binary IDs for all categories in the tree view that were opened.
• Indicates (in pixels) the position of the horizontal window splitter.
• Indicates (in pixels) the position of the vertical window splitter.
• A binary ID of the last-selected category in the tree view.

By default, password caching is turned on so that users will not always have to enter a password when one is required. This feature affects Adobe LiveCycle Rights Management Server log in, signing with digital IDs in the Acrobat store (pfx or p12 files), changing password timeout policies, and creating new password security policies. For example, setting the option to false disables the menu option Save password with the policy when creating a new policy. The following options are available:
• Controlling whether some passwords are cached to disk.
• Disabling the option to save a password with a policy.
• Streamlining Adobe LiveCycle Rights Management Server workflows.
This key does not exist in HKCU. It can only be used in HKLM.
Note: Disabling Never ask for password on a digital ID's password timeout dialog does not work in version 9.0.

Summary table
• Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs.

>>>bAllowPasswordSaving
Type: boolean (DWORD value), REG_DWORD
Default: 1
Version: 7.0+
Path: HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cPPKLite
Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs. If false, users are prompted to enter a password every time one is required. Not all passwords are affected by this setting. User interface items where passwords are used: Save passwords with the policy in the New Security Policy dialog; the Never checkbox on the Password timeout dialog.

Examine Document.
The Examine Document dialog box identifies hidden document information that might pose a risk to the integrity of security and signature workflows. Found content is listed and linked to in the Examine Document pane. Users can click on a link to view the content and check/uncheck items to mark them for removal.
Checked items are removed when the user selects the Remove button. The following options are available:
• Examining a document each time it is closed.
• Examining a document each time it is emailed.

Summary table
• Automatically examines the document for hidden content when it is closed.
• Automatically examines the document for hidden content when it is sent in an email.

These preferences are only used for signature workflows where users access roaming IDs on a roaming ID server. While the needed configuration can be handled through the user interface by end users, you can set the following:
• Specifying a Default Roaming ID Server: When a user adds a roaming ID account through the GUI, a dialog asks for a friendly name and a server URL. If no other accounts have been configured and cDefaultServerInfo exists in the preferences, its values populate both the friendly server name and URL fields in the Add a Roaming ID dialog.
• Specifying one or more authentication methods.

Summary table
• A user-friendly roaming ID server name.
• The URL of the Roaming ID server.

These preferences are created as a result of communications with a roaming ID server.
Whether or not you customize these settings is determined by the needs of your particular implementation.

Summary table
• The value is provided by the server.
• Holds an encrypted SAML assertion obtained during the last successful authentication.
• Holds the time after which the roaming ID provider will not attempt to use the SAML assertion stored in cSAML_Assertion.
• Holds the URL of the authentication server from which the SAML assertion stored in cSAML_Assertion was obtained.
• SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
• SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
• SAML_NAME_ comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
• The SASL id of the authentication mechanism.
• The mechanism-specific persistent data.

>>>cSAML_Assertion
Type: n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.
Default: Null
Version: 8.0+
Path: Security\cPPKHandler\cRC
Lockable: Not lockable
Holds an encrypted SAML assertion obtained during the last successful authentication. Possession of this assertion is proof of a user's identity; therefore, the assertion is encrypted using the 256-bit AES algorithm in CBC mode. The encryption key is stored in the Microsafe database, which is protected by the OS login. There are two binary entries under the cSAML_Assertion cab: xEncryptedData contains the encrypted assertion, and xIV contains the initialization vector used by the AES encryption algorithm for this assertion.

The authentication mechanism provider pertains only to roaming IDs. It enables you to specify one or more authentication mechanisms.
The mechanism must be supported by the roaming ID server with which the application communicates. The following features are available:
• Enabling multiple authentication mechanisms.
• Limiting the authentication mechanism to one specified type.
• Turning off authentication so that roaming IDs cannot be used.

Summary table
• An array of text entries (t0-tn) where each entry contains the name of a registered provider.
• Specifies which registered provider(s) to use.

>>>cAuthMechanisms
Type: n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.
Default: An array of all values listed in the description.
Version: 8.0+
Path: Security\cASPKI\cSPIs
Lockable: Not lockable
An array of text entries (t0-tn) where each entry contains the name of a registered provider.
• PLAIN: A mechanism defined in RFC2595 consisting of a single message specifying the user's ID and password.
• ASSP-Kerberos: A mechanism commonly used on Windows that passes a Single Sign On token and receives back a SAML assertion.
• ASSP-ArcotID: A mechanism recognized by Arcot roaming ID servers.
• ASSP-QnA: A mechanism that initiates a question-answer dialog between the user and server.

Kerberos Authentication.

The key contains a list of P11 modules the user has loaded by choosing Attach Modules in the Security Settings console. By specifying a valid path to a PKCS#11 DLL, modules can be pre-attached to installed clients.
Because various errors appear as a result of a bad filename or pointing to a DLL that is not a valid PKCS#11 module, test the settings and file before distributing them. The following options are available:
• Preconfiguring the key when tuning the installer and distributing the module file, or when modules are already installed.
• Setting the default browse path in which to look for additional modules.
For Reader X (10.0), not all PKCS#11 devices may work with Protected Mode (PM) enabled. However, in most cases, they do. Installation of such devices usually involves disabling Protected Mode, installing the driver, restarting the application, and then re-enabling Protected Mode. For the latest information about PM compatibility with certain features, see

Summary table
• Array of dynamic library paths to PKCS#11 modules.
• Contains an array of subcabs for all known PKCS#11 digital IDs.
• Stores the last folder in which the user browsed for a P11 module.

>>>cP11Credentials
Type: n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.
Default: N/a
Version: 7.x+
Path: Security\cPPKHandler
Lockable: Not lockable
Contains an array of subcabs for all known PKCS#11 digital IDs. The format is as follows:
• xCert: Binary value of the certificate.
• xTokenKey: Binary value generated from the ID's PKCS#11 token. The binary value is generated with the following method: initialize a SHA-1 digest; add to the digest the values of the token label, token manufacturer, token model, and token serial; finish the SHA-1 digest operation. The resulting 20-byte value is the token key.
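As an added example (not Adobe code), the xTokenKey derivation just described, written out so that a stored cP11Credentials subcab can be matched against a token seen at runtime. The page gives the hash (SHA-1), the four inputs and their order, but not whether the fixed-width, space-padded CK_TOKEN_INFO fields or trimmed strings are hashed, nor the text encoding; both are parameters here and are assumptions, as are the sample token values.

```python
"""Added example (not Adobe code): compute the xTokenKey value that
cP11Credentials stores for a PKCS#11 token: SHA-1 over the token label,
manufacturer, model and serial number, in that order, giving 20 bytes.

Whether Acrobat hashes the raw space-padded CK_TOKEN_INFO fields or trimmed
strings, and which encoding it uses, is not stated on the page; both are
parameters here and are assumptions. The token values are constructed."""
import hashlib

# Fixed field widths of CK_TOKEN_INFO in the PKCS#11 specification (bytes).
PKCS11_FIELD_WIDTHS = {"label": 32, "manufacturer": 32, "model": 16, "serial": 16}


def _field_bytes(name, value, padded, encoding):
    """Encode one token field, optionally padded/truncated to its PKCS#11 width."""
    data = value.encode(encoding)
    if padded:
        width = PKCS11_FIELD_WIDTHS[name]
        data = data.ljust(width, b" ")[:width]
    return data


def token_key(label, manufacturer, model, serial, padded=False, encoding="utf-8"):
    """SHA-1(label || manufacturer || model || serial) -> 20-byte token key."""
    h = hashlib.sha1()
    for name, value in (("label", label), ("manufacturer", manufacturer),
                        ("model", model), ("serial", serial)):
        h.update(_field_bytes(name, value, padded, encoding))
    return h.digest()


def p11_credential_entry(cert_der, label, manufacturer, model, serial, **kw):
    """Shape of one cP11Credentials subcab: xCert and xTokenKey as binary."""
    return {"xCert": cert_der,
            "xTokenKey": token_key(label, manufacturer, model, serial, **kw)}


def same_token(entry, label, manufacturer, model, serial, **kw):
    """Does a token seen now match a stored subcab? Compare the key, not the label."""
    return entry["xTokenKey"] == token_key(label, manufacturer, model, serial, **kw)


# Constructed token identity (not a real device).
SAMPLE = dict(label="Example Token", manufacturer="Example Vendor",
              model="Model X", serial="0000000001")

if __name__ == "__main__":
    entry = p11_credential_entry(b"<constructed DER certificate bytes>", **SAMPLE)
    print("trimmed:", entry["xTokenKey"].hex())
    print("padded: ", token_key(padded=True, **SAMPLE).hex())  # differs: padding is input
    print(same_token(entry, **SAMPLE),
          same_token(entry, **dict(SAMPLE, serial="0000000002")))
```

The padded and trimmed variants produce different keys, which is why a pre-distributed cP11Credentials entry only matches on the client if it was generated the same way the client generates it; when in doubt, let the client create the subcab and copy it rather than computing it elsewhere.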
Digital ID Defaults.
Most digital ID default values are set by the application when a user first uses an ID or manually specifies a default value in the Security Settings Console. Moreover, since user actions will overwrite some preconfigured values an administrator might provide, setting many of these properties is usually not worthwhile. However, it is possible, and the following options are available:
• Specifying a default URL to obtain a new digital ID. This value is NOT overwritten by user actions.
• Listing a set of attribute certificates.
• Specifying a default signing ID. This value is end user-specific.
• Specifying a default encryption ID. This value is end user-specific.
• Customizing a default directory server used to locate certificates that can be imported into the Trusted Identity Manager.
Note: Acrobat 9.0 users who configure a 3rd party security handler plugin may find that their non-default choice does not stick if the plugin calls PSUNregisterHandler(). That is, each time Acrobat restarts, the non-default security handler choice is lost. To fix the problem, change the plugin code to not call PSUNregisterHandler().

Summary table
• Default directory to use when searching for digital IDs.
• Indicates whether a custom certificate-specific preference (e.g. Identrus) has already been created and written to the registry.
• Contains a set of attribute certificates as binary data.
• Contains an array of subcabs for all application-known digital ID files.
• Identifies the credential service provider interface for the default signing digital ID.
• Identifies the credential service provider interface for the ASPKI provider which exposes this digital ID.
• Identifies the default signing digital ID by the SHA1 hash of its public key.
• Identifies the default encryption digital ID by the SHA1 hash of its public key.
• The destination URL when the user selects Enroll at an online CA while adding a new digital ID.

>>>cDigitalIDFiles
Type: n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.
Default: Null
Version: 7.x+
Path: Security\cPPKHandler
Lockable: Not lockable
Contains an array of subcabs for all application-known digital ID files. The format is as follows:
• cPath: The path to the digital ID file.
• cCredentials: An array of certificates that have corresponding private keys in the file.
• cCertificates: An array of certificates that are in the file but do not have an associated private key (usually CA certs).
Certificates are stored as binary data.

>>>aDefDirectory
Type: atom (String value), REG_SZ
Default: Adobe.PPKMS.ADSI.dir0
Version: 7.x+
Path: Security\cPPKHandler
Lockable: Not lockable
Default directory to use when searching for digital IDs. On Windows, the Adobe.PPKMS security handler provides access through the Microsoft Active Directory Script Interface (ADSI) to all the directories the user created in the Security Settings Console. These directories are named in the format (directory handler) + (index); for example, Adobe.PPKMS.ADSI.dir0, Adobe.PPKMS.ADSI.dir1, and so on. Unsupported on Linux and Macintosh. Setting a default search directory affects the UI in two places: a star appears next to the default directory in the Security Settings Console, and the directory is moved to the top of the directories drop-down list in the Trusted Identities Manager's Search for Recipients dialog.
Digital ID File Import and Export.
The digital ID default path preferences point to the application security folder; for example, C:\Documents and Settings\(user name)\Application Data\Adobe\Acrobat\8.0\Security. The path is used when the user imports or exports an ID from the Security Settings Console. Since the application remembers the last accessed directory, if a user chooses a different directory, that action will overwrite the preconfigured value an administrator might provide. The following options are available:
• Specifying a default path for exporting and importing digital ID certificates (does not include private keys).
• Specifying a default path for saving newly created digital ID files.

Summary table
• The path last chosen for extracting an embedded file from a WebBuy FDF.
• Default path for exporting credentials.
• Default path for importing credentials.
• Default path for storing profile files such as PKCS#12 files.
The Adobe Approved Trust List (AATL) program allows signers to use digital signatures that are automatically trusted if they chain to the high-assurance, trustworthy certificates on the AATL. By default, both Acrobat and Reader download a list of 'trusted' root digital certificates automatically. 9.x products download every 90 days, while 10.x and later products download every 30 days. To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust. For more about the AATL program, see the and.

Summary table
• Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
• Specifies whether or not trust anchors should be periodically downloaded from Adobe.
• The interval in seconds at which the application should check for new certificates to download from Adobe.
• An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.
• Binary data used for internal purposes.

Like the AATL program, the European Union Trust List (EUTL) program allows signers to use digital signatures that are automatically trusted if they chain to the high-assurance, trustworthy certificates on the EUTL. While the feature was introduced with 11.0.06, the first EUTL trust lists were made available with the October 13, 2015 release. To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust. Note that both the AATL and EUTL features load certificates into the user's Acrobat Address Book (Acrobat Trust Store). The addition of the EUTL certificates increases the size of the address book and can affect the performance of signature validation in versions 11.0.06 to 11.0.10. Later product versions should validate in about 1/2 second. If you experience performance issues, update to the latest product. Alternatively, you can remove the EUTL preference (not recommended). For more about the EUTL program, see.

Summary table
• Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
• Specifies whether or not trust anchors should be periodically downloaded from Adobe.
• The interval in seconds at which the application should check for new certificates to download from Adobe.
• An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.
• Binary data used for internal purposes.

While Acrobat has its own store, the Windows store may already contain needed certificates, or your enterprise may simply be a Windows shop. Windows integration allows end users to search for and use certificates in the Windows Certificate Store.
End users can configure their application for Windows integration through the application's Preference panel. Configuration options allow users to search the Windows store from the Trusted Identity Manager (through the Search button), set trust levels for any found certificate, and choose which certificates to use for encryption (once the certificate is located and added to the Trusted Identity Manager). If a user has a personal ID in the Windows store, it appears in the Security Settings Console automatically without any special configuration. Administrators can control whether clients can access MSCAPI through Acrobat so that users can find, use, and set trust levels for Windows certificates. The following options are available:
• Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.
• Setting separate trust levels for approval and certification signatures.
• Preventing end user modification of certificate trust levels.
• Tuning the service provider interface for:
  • Certificate Providers (for Signing and Decryption)
  • Revocation Checker Providers
  • Signature Validation Directory Providers

Summary table
• If true, then users can import from MSCAPI certificate stores into their Trusted Identity Manager.
• Locks the UI so that end users cannot change the value set by iMSStoreTrusted.
• Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying.

>>>iMSStoreTrusted
Type: integer (DWORD value), REG_DWORD
Default: 0x00
Version: 7.0+
Path: Security\cASPKI\cMSCAPI_DirectoryProvider
Lockable: Not lockable
Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying. To lock this setting, use bMSStoreTrusted. Allowable values include:
• 0x00: No checkbox selected.
• 0x60: Validating Signatures.
• 0x62: Validating Certified Documents and Signatures.
Note that this setting disables the Validating Signatures checkbox because it also controls non-certified signatures and users should not be able to uncheck that checkbox.
Preferences > Security > Advanced Preferences > Windows Integration > (both Windows settings: Validating Signatures and Validating Certified Documents).

The trusted identity list contains all of a user's imported certificates that they use for validating someone else's signature or encrypting a document for them. The list is maintained and managed via the Trusted Identity Manager; however, administrators can preconfigure applications to use non-default list files, add certificates from the Windows store, and so on.
The following options are available:
• Creating a custom filename/file for the trusted identity list.
• Specifying a non-default security handler to control Trusted Identity Manager functions. For details, see aAddressBook.
• Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.
• Turning off and on the ability to automatically download certificates sent by Adobe to users over the internet via bLoadSettingsFromURL.

Summary table
• The filename the Trusted Identity Manager uses to read and write addressbook data.

The directory provider SPI provides access to trust anchors and intermediate CAs used for signature validation. By default, certificates in all of the supported locations are used. The following options are available:
• Preventing or allowing access to certificates in P12 files. End users must also be logged in to the file.
• Preventing or allowing access to certificates in the Trusted Identity Manager.
• Preventing or allowing access to certificates in the Windows Certificate Store.
• Preventing or allowing access to self-signed certificates created by an Adobe application.

Summary table
• An array of text entries (t0-tn) containing the name of a registered provider.
• Specifies a directory provider for signature validation.

>>>cDirectoryProvider
Type: n/a: Cabs are keys that contain subvalues displayed in the right hand registry panel.
Default: All of the available values. See the description.
Version: 7+
Path: Security\cASPKI\cSPIs
Lockable: Not lockable
An array of text entries (t0-tn) containing the name of a registered provider.
• Adobe_FileCredentialDirectoryProvider: Provides access to PKCS#12 files.
• AAB_DirectoryProvider: Provides access to the Trusted Identity Manager.
• MSCAPI_DirectoryProvider: Provides access to the Windows Certificate Store.
• Adobe_SelfSignedCredDirectoryProvider: Provides access to self-signed certificates created by Acrobat.

Signature Validation (Main Settings).
While users can configure these general signature validation preferences via the GUI, admins usually preconfigure the application. The following options are available:
• Controlling whether all signatures are validated when a document opens.
• Specifying which time to use when validating a signature.
• Specifying when to do revocation checking as well as the affect of a failed or bad response. • Using expired timestamps.
• Showing timestamp warnings in the Document Message Bar. Summary table Locks Security cASPKI cASPKI cVerify iReqRevCheck and disables the user interface item. Specifies whether to show a warning that there is a greater forgery risk when revocation information is embedded in the signature. Specifies whether to show timestamp warnings in the Document Message Bar.
• Specifies whether to automatically validate all signatures on document open.
• Specifies whether revocation checks are required to succeed.
• Indicates the time at which signature validation should occur.

>>> bValidateOnOpen
Type: boolean: DWORD value (REG_DWORD)
Default: 1
Version: 7.0+
Path: Security\cDigSig
Lockable: HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cDigSig
Specifies whether to automatically validate all signatures on document open. Note that the lockable setting does not configure the feature; instead, it locks what is set in HKCU and the user interface.
• 0: Don't validate signatures on document open.
• 1: Validate signatures on document open.
GUI: Preferences >Security >Verify signatures when the document is opened.

>>> iReqRevCheck
Type: integer: DWORD value (REG_DWORD)
Default: 2
Version: 7.0+
Path: Security\cASPKI\cASPKI\cVerify
Lockable: Not lockable
Specifies whether revocation checks are required to succeed. The user interface exposes this preference as a binary value to simplify the end user experience. A checked checkbox translates to 2 (RequiredIfInfoAvailable). An unchecked checkbox translates to 0 (No checks). This check doesn't affect ubiquity signature verification, where the value is always 1. Interacts with other iReqRevCheck settings. Possible values include the following:
• 0: Don't do revocation checks.
• 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.
• 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
• 3: Require a check; it must succeed under all circumstances.
Note: Lockable via bReqRevCheck.
GUI: Preferences >Security >Advanced Preferences >Verification tab >Require certificate revocation checking to succeed...

By default, when an application validates a signature it displays a signature status icon in the Signature Properties dialog and in the Signatures Pane.
You can customize status icon behavior for a particular enterprise requirement. For example, a blue i appears on a signature status icon based on certain rules when a document is changed after it was signed. The following options are available:
• Turning on the icon for signature appearances with bSigAPStatusIconDisable. This is off by default because displaying the signature status within the document represents a security vulnerability.
• Turning off the icon for signature appearances AND removing the Hide signature field validity icon when signature is valid option from the user interface, so the user cannot change the setting, with iDisplayValidIcon.
• Turning on the icon for valid signatures only with iDisplayValidIcon.
• Turning off the blue i in the Signature Properties dialog and Signatures Pane with bShowWarningForChanges.

Summary table
• Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed.
• Controls whether the signature status icon is displayed in the signature appearance on the document.
• Determines when the signature status icon is displayed in a signature appearance.

>>> iDisplayValidIcon
Type: integer: DWORD value (REG_DWORD)
Default: null for 9.0 and later; 0 for pre-9
Version: 7.0+
Path: Security\cPubSec
Lockable: Not lockable
Determines when the signature status icon is displayed in a signature appearance. Possible values include:
• 0: Always.
• 1: Display except when the signature is valid. This value disables bShowWarningForChanges and removes the Hide signature field validity icon option from the GUI.
This setting does not affect the icons in the Signatures Pane or in the Signature Properties dialog.
Note: This UI item was removed from versions 9.x and later because signature status was moved to the Document Message Bar.
GUI (versions prior to 9.x only): Preferences >Security >Advanced Preferences >Verification tab >Hide signature field validity icon when signature is valid.

>>> bShowWarningForChanges
Type: boolean: DWORD value (REG_DWORD)
Default: 1
Version: 7.0+
Path: Security\cPubSec
Lockable: Not lockable
Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed. If true, a document change results in a blue i status icon appearing for validated approval signatures. Use this setting when users need to know a document has changed after it was signed. If false, the status icon remains a green check and pen even if a document changes after it is signed. The setting provides a method for administrators to turn off the blue i in workflows where documents can be changed or signed multiple times. This setting does not affect certification signatures. The warning icon never appears for valid certification or approval signatures in certified documents if the signatures were allowed by the certifier. Interacts with iDisplayValidIcon, which cannot be set to 2, or the icons will not appear regardless of how bShowWarningForChanges is set.

Signature Validation Logging.
Versions 8.x and later enable logging certificate validation and revocation checking information. You can set both the logging level and log location. The path must already exist for logging to take place. Note that when Protected Mode is enabled, the log file path must be one that Protected Mode permits. The following options are available:
• Specifying a logging path and filename.
• Setting a logging level.

The following options are available:
• Requiring signature property verification such as timestamps. Signatures will not be valid if this key is true and timestamp verification does not succeed.
• Limiting the number of nested verification sessions to prevent looping.
• Limiting the amount of time the signing time can be after the validation time.
• Forcing revocation checks on intermediate and self-signed trust anchors (those which aren't roots).

Summary table
• Specifies whether signature property verification must succeed for a signature to be valid.
• Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots).
• The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid.
• Specifies the maximum number of nested verification sessions allowed.

>>> bRevCheckTrust
Type: boolean: DWORD value (REG_DWORD)
Default: 1
Version: 10.1.2 and 9.5+
Path: cASPKI\cASPKI\cVerify
Lockable: Not lockable
Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots). In previous versions, the application did not perform revocation checks on any intermediate trust anchors since it was assumed they were self-signed. With 10.1.2 and 9.5, this setting enables revocation checking on intermediate trust anchors if such information is available. Trust anchors from 3rd parties are often installed locally to facilitate signature validation. Since it is possible that the trust anchors could become compromised and thereby open the host machine to malicious attack, those 3rd party providers in such cases would revoke their certificates. This preference enables detecting that revocation by forcing a revocation check on any intermediate trust anchors. Root and self-signed certificates are exempt from checking. Possible values include:
• 0: Don't perform a revocation check on intermediate trust anchors.
• 1: Perform a revocation check on intermediate trust anchors.

>>> iMaxClockSkew
Type: integer: DWORD value (REG_DWORD)
Default: 65 (minutes)
Version: 8.0+
Path: Security\cPubSec
Lockable: Not lockable
The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid. PubSec verifies that a document is not signed in the future by comparing the verifier's system time with the time embedded in the signature dictionary. Whenever time comes into the picture, there is always the possibility that the signer's and verifier's clocks are out of sync. iMaxClockSkew accommodates such differences.

Signature Validation Rev Check (OCSP).
OCSP revocation checking can occur both during signature creation and signature validation, on the signing certificate as well as on the certificates associated with any revocation check responses. It is possible to require certain features for certificates used to sign OCSP requests and responses. If either does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. See RFC 2560 for details.

Prior to 10.1, OCSP responses without nextUpdate were never embedded in a signature. For 10.1 and later, OCSP responses are always embedded irrespective of the presence of nextUpdate; however, whether they are used for signature validation depends on the following conditions:
• The validation time is greater than thisUpdate minus the value of iMaxClockSkew (the default is 5 minutes). This test is always performed.
• When nextUpdate is present, the validation time is less than the nextUpdate time plus the value of iMaxClockSkew.
• When nextUpdate is not present, the validation time is less than the thisUpdate time or the producedAt time (whichever is greater) plus the value of iMaxClockSkew.
If you need a relaxed security environment (for example, when the responder is caching OCSP responses), bIgnoreNextUpdate can be set to 1 to ignore the last test. In this case, embedded responses without nextUpdate are always used for signature validation provided that they pass the first test. This behavior is designed to support the long term validation feature and allows validating a signature with embedded responses that were valid at signing time.
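The three acceptance tests above, modeled in Python as an added example (not Adobe's code): iMaxClockSkew and bIgnoreNextUpdate are parameters, and the response timestamps are constructed sample values rather than output of any real responder.

```python
"""Acceptance rules for embedded OCSP responses (Acrobat 10.1+ as described above).

Added illustration, not Adobe code: models the three tests that decide whether an
embedded OCSP response is used for signature validation, with iMaxClockSkew and
bIgnoreNextUpdate as parameters.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class OcspResponse:
    """Only the time fields the acceptance rules look at (RFC 2560 names)."""
    this_update: datetime
    produced_at: datetime
    next_update: Optional[datetime] = None  # some responders omit nextUpdate


def embedded_response_usable(resp: OcspResponse, validation_time: datetime,
                             max_clock_skew_minutes: int,
                             ignore_next_update: bool = False) -> Tuple[bool, str]:
    """Return (usable, reason) for an embedded response at validation_time.

    max_clock_skew_minutes models iMaxClockSkew; ignore_next_update models
    bIgnoreNextUpdate = 1, which relaxes only the nextUpdate-absent test.
    """
    skew = timedelta(minutes=max_clock_skew_minutes)

    # Test 1, always performed: validation time must be after thisUpdate - skew.
    if not validation_time > resp.this_update - skew:
        return False, "validation time precedes thisUpdate minus iMaxClockSkew"

    if resp.next_update is not None:
        # Test 2: nextUpdate present; the response is usable until nextUpdate + skew.
        if validation_time < resp.next_update + skew:
            return True, "within nextUpdate plus iMaxClockSkew"
        return False, "past nextUpdate plus iMaxClockSkew"

    # Test 3: nextUpdate absent. bIgnoreNextUpdate = 1 skips this test entirely, so
    # any response that passed test 1 is used (the relaxed, LTV-friendly mode).
    if ignore_next_update:
        return True, "nextUpdate absent; bIgnoreNextUpdate=1 so only test 1 applies"
    freshness_limit = max(resp.this_update, resp.produced_at) + skew
    if validation_time < freshness_limit:
        return True, "nextUpdate absent; within max(thisUpdate, producedAt) plus iMaxClockSkew"
    return False, "nextUpdate absent; older than max(thisUpdate, producedAt) plus iMaxClockSkew"


# Constructed sample response (not from any real responder).
SAMPLE = OcspResponse(
    this_update=datetime(2024, 1, 10, 12, 0),
    produced_at=datetime(2024, 1, 10, 12, 1),
    next_update=datetime(2024, 1, 11, 12, 0),
)
SAMPLE_NO_NEXT = OcspResponse(SAMPLE.this_update, SAMPLE.produced_at, None)


def demo(skew_minutes: int = 5) -> dict:
    """Evaluate the sample responses at several validation times; returns name -> usable."""
    cases = {
        "before_thisUpdate": (SAMPLE, datetime(2024, 1, 10, 11, 54), False),
        "mid_window": (SAMPLE, datetime(2024, 1, 10, 14, 0), False),
        "just_inside_nextUpdate_skew": (SAMPLE, datetime(2024, 1, 11, 12, 4), False),
        "past_nextUpdate_skew": (SAMPLE, datetime(2024, 1, 11, 12, 6), False),
        "no_nextUpdate_fresh": (SAMPLE_NO_NEXT, datetime(2024, 1, 10, 12, 5), False),
        "no_nextUpdate_stale": (SAMPLE_NO_NEXT, datetime(2024, 1, 10, 13, 0), False),
        "no_nextUpdate_stale_ignored": (SAMPLE_NO_NEXT, datetime(2024, 1, 10, 13, 0), True),
    }
    results = {}
    for name, (resp, when, ignore) in cases.items():
        usable, reason = embedded_response_usable(resp, when, skew_minutes, ignore)
        results[name] = usable
        print(f"{name:30s} usable={usable!s:5s} {reason}")
    return results


if __name__ == "__main__":
    demo()
```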
The following options are available:
• Specifying when to do revocation checking as well as the effect of a failed or bad response.
• Specifying when and where to go online to get a response.
• Specifying whether to include a nonce. Nonces are randomly generated numbers that are sent with a request and matched by a response. They improve security by assuring communication with an active, non-spoofed server.
• Using or ignoring a response's thisUpdate and nextUpdate times to control its validity.
• Setting a limit on the amount of time difference between the local time and the response's publish time.
• Allowing or disallowing the OCSPNoCheck extension.
• Requiring the presence of a public key hash extension (bRequireOCSPCertHash).
• Specifying whether OCSP requests should be signed (bSignRequest).
• Requiring the presence of a particular OID in a request (sSignCertOID).
It is possible to require certain features for certificates used to sign OCSP responses. If a response does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. The following options are available:
• Allowing or disallowing the OCSPNoCheck extension.
• Requiring the presence of a public key hash extension via bRequireOCSPCertHash.

Summary table
• Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate.
• Specifies whether to go online to get the revocation information for an expired certificate.
• Specifies whether to go online to do revocation checking.
• Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew.
• Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
• Specifies whether a certificate public key hash extension must be present in OCSP responses.
• Specifies signature validation behavior with respect to nonces.
• Specifies whether the OCSP request should be signed.
• The number of minutes the local machine time can vary from the response's published time to account for network delay, time synchronization issues, and so on.
• Indicates whether revocation checks are required to succeed on the OCSP response.
• Specifies the amount of time in minutes after the response's published thisUpdate time for which the response will be valid.
• Specifies signature validation behavior with respect to nonces.
• Specifies how the revocation checker chooses which responder to use.
• The URL used to fetch OCSP responses.

>>> iReqRevCheck
Type: integer: DWORD value (REG_DWORD)
Default: 2
Version: 7.0+
Path: Security\cASPKI\cAdobe_OCSPRevChecker
Lockable: Not lockable
Indicates whether revocation checks are required to succeed on the OCSP response. Interacts with other iReqRevCheck settings. Possible values include:
• 0: Don't do revocation checks.
• 1: Do a check IF the certificate has an AIA extension or responder info is in the registry; don't fail if the check fails.
• 2: Do a check IF the certificate has an AIA extension or responder info is in the registry; all checks must succeed if there is data and a check occurs.
• 3: Require a check; it must succeed under all circumstances.

>>> iSendNonce
Type: integer: DWORD value (REG_DWORD)
Default: 2
Version: 10.0+
Path: Security\cASPKI\cAdobe_OCSPRevChecker
Lockable: Not lockable
Specifies signature validation behavior with respect to nonces. With 10.0, this preference replaces bSendNonce. Possible values include:
• 0: No nonces are sent.
• 1: Nonces are included in the OCSP request and are expected to be present in the response and to match the request's nonce.
• 2: Nonces are included in the OCSP request, but if none is present in the response, its absence is ignored.
>>> bExpiredCertGoOnline
Type: boolean: DWORD value (REG_DWORD)
Default: 0
Version: 11.0.16+
Path: Security\cASPKI\cASPKI
Lockable: Not lockable
Specifies whether to go online to get the revocation information for an expired certificate. 11.0.16 introduced a signature validation change so that signatures are invalid if they are based on expired certificates and there is no embedded revocation information, even if bIgnoreValidityDates is 1. For previous product versions, the signature would be valid. Now, to be standards-compliant, if a certificate has expired, the client should not check for the revocation information online. Setting bExpiredCertGoOnline to 1 re-enables the pre-11.0.16 behavior.
• 0: Do not go online for revocation even if bIgnoreValidityDates = 1.
• 1: Do go online.

>>> bIgnoreNextUpdate
Type: boolean: DWORD value (REG_DWORD)
Default: 0
Version: 7.0+
Path: Security\cASPKI\cAdobe_OCSPRevChecker
Lockable: Not lockable
Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew. For 10.1 and later, this preference is used along with iMaxClockSkew to determine whether or not embedded OCSP responses are actually used for signature validation. For details, see the subfeature description above. This behavior is designed to support Acrobat's long term validation feature and allows validating a signature with embedded responses that were valid at signing time. Possible values include:
• 0: iMaxClockSkew is applied to thisUpdate on both sides of the validation time, i.e. thisUpdate - iMaxClockSkew.

CRL revocation checking can occur both during signature creation and signature validation, on the signing certificate as well as on the certificates associated with any revocation check responses. The following options are available:
• Specifying when to do revocation checking as well as the effect of a failed or bad response.
• Specifying when and where to go online to get a response.
• Setting a time limit for caching a response, after which the application must get a new response.
• Specifying an LDAP server to query for CRLs. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.
• Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.
• Requiring the presence of the Authority Key Identifier extension.
It is possible to require certain features for certificates used to sign CRL responses. If a response does not meet the specified parameters, the response will be considered invalid and the signature status may be Unknown or Invalid. The following options are available:
• Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.
• Requiring the presence of the Authority Key Identifier extension.

Summary table
• Determines when the URL is used for an additional URL CRL distribution point.
• Indicates whether it's acceptable to go online to fetch a CRL.
• Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
• Specifies whether the Authority Key Identifier extension must be present in a CRL.
• Maximum cache lifetime in hours of the information (e.g. CRL) used to do revocation checking.
• Indicates whether revocation checks are required to succeed on the CRL response.
• The LDAP server to get CRLs from, in the form www.ldap.com.
• The URL used to fetch CRL responses for an additional URL CRL Distribution point.

>>> iReqRevCheck
Type: integer: DWORD value (REG_DWORD)
Default: 1
Version: 7.0+
Path: Security\cASPKI\cAdobe_CRLRevChecker
Lockable: Not lockable
Indicates whether revocation checks are required to succeed on the CRL response. Interacts with other iReqRevCheck settings. Values include:
• 0: Don't do revocation checks.
• 1: Do a check IF responder details are in the CRLDp certificate extension or the registry; don't fail if the check fails.
• 2: Do a check IF responder details are in the CRLDp certificate extension or the registry; all checks must succeed if there is data and a check occurs.
• 3: Require a check; it must succeed under all circumstances.

The revocation checking process includes building the certificate chain so that each discovered certificate can be analyzed and processed as specified by other application preferences.
Administrators do have some control over what certificates are used to build a chain. The following options are available:
• Controlling whether AIA extensions are followed.
• Requiring the use of valid RSA signatures on all certificates in a chain.
• Requiring the presence of specific policy OIDs in the specified chain scope for it to be valid.
• Pointing to an LDAP server for path discovery purposes. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.

Summary table
• Specifies whether to allow the chain builder to follow URIs in AIA certificate extensions so that certificates can be downloaded if they are not available locally.
• Specifies whether to allow the chain builder to build chains with invalid RSA signatures on certificates.
• An array of strings c0-cN containing the required certificate policy OIDs.
• Specifies the validity model for validating signatures and certificates.
• Specifies the URL of an LDAP server to be used for path discovery.

>>> iValidityModel
Type: integer: DWORD value (REG_DWORD)
Default: 0
Version: 8.0+
Path: Security\cASPKI\cAdobe_Validation
Lockable: Not lockable
Specifies the validity model for validating signatures and certificates. The application uses shell validation by default, but chain validation may be used when required. Compliance with the German signature law requires chain validation. Allowable values include:
• 0: PKIX shell model.
• 1: Chain validity model.
Chain validation is used for all or part of a certificate chain when any certificate in it chains up to a CA certificate containing the qualified certificate policy extension (OID 1.3.36.8.1.1) or the validity model certificate extension (OID 1.3.6.1.4.1.8301.3.5) with the value set to the chain model OID (1.3.6.1.4.1.8301.3.5.1).

>>> bRequireValidSigForChaining
Type: boolean: DWORD value (REG_DWORD)
Default: 0
Version: 8.0+
Path: Security\cASPKI\cAdobe_ChainBuilder
Lockable: Not lockable
Specifies whether to allow the chain builder to build chains with invalid RSA signatures on certificates. Consider the chain CA > ICA > EE where the CA's signature on the ICA is invalid. If this setting is true, chain building stops at the ICA and the CA is not included in the chain. If this preference is false, the full 3-certificate chain is produced. This setting does not affect DSA signatures.

Applying a signature to a document involves both creating a signature and then validating it. Although end users see only one step (the signature appears with a status icon), there are actually two phases, which an administrator can configure independently. Revocation checking can occur during the initial signing phase to control whether or not a signature is created.
The following option is available:
• Specifying when to do revocation checking as well as the effect of a failed or bad response.
Note: Interacts with bIsEnabled. For more detail about how revocation checking affects signing and signature validation, see Certificate Processing.

Summary table
• Indicates whether revocation checks are required to succeed to create the signature.

>>> iReqRevCheck
Type: integer: DWORD value (REG_DWORD)
Default: 0
Version: 7.0+
Path: Security\cASPKI\cASPKI\cSign
Lockable: Not lockable
Indicates whether revocation checks are required to succeed to create the signature. Interacts with other iReqRevCheck settings. Allowable values include:
• 0: Don't do revocation checks.
• 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.
• 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
• 3: (New in 10.1.5 and 11.0) Require a check; it must succeed under all circumstances.

Signing: Long Term Validation.
Whether revocation checking information is stored in a signature varies by version.
Storing such data in a signature enables offline revocation checking and a determination of whether the signing certificate was valid at the time of signing. Setting bIsEnabled to 1 via the GUI or registry automatically sets cSign\iReqRevCheck to 2. The rationale is that if you choose to embed the revocation status, you probably want a status to embed. A consequence of this choice is that you must do a check and retrieve a good result; otherwise, no signature is created. In other words, signing with a revoked certificate is prevented when this setting is on. The following options are available:
• Embedding revocation status in a signature.
• Specifying the embedded data cache size to limit the amount of cached data.
• Specifying when archived revocation data is used for revocation checking.
• Controlling whether or not revocation data is stored in a JavaScript object.
Note: If you are setting up a signing workflow for both signers and signature validators, you may want to set iUseArchivedRevInfo so that document recipients can validate signatures based on a signer's bIsEnabled setting.
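The iReqRevCheck levels 0-3 are documented above with the same meaning for cVerify, the OCSP and CRL revocation checkers, and cSign; the following added example (not Adobe's code) models what each level demands of a single revocation check and the bIsEnabled coupling just described. How a definitive 'revoked' answer is treated under level 1 is an assumption the page does not spell out and is marked as such in the code.

```python
"""iReqRevCheck policy model (values 0-3) and the bIsEnabled coupling.

Added illustration, not Adobe code. The same four values are documented above for
Security\\cASPKI\\cASPKI\\cVerify, the OCSP and CRL revocation checkers and
Security\\cASPKI\\cASPKI\\cSign; this models what each level demands of a single
revocation check, and how bIsEnabled = 1 forces cSign\\iReqRevCheck to 2.
"""
from enum import Enum
from typing import Optional, Tuple


class CheckResult(Enum):
    """Outcome of a revocation check (CRL or OCSP) once one is attempted."""
    GOOD = "good"                    # definitive answer: not revoked
    REVOKED = "revoked"              # definitive answer: revoked
    INDETERMINATE = "indeterminate"  # the check failed: no/bad/unverifiable response


def effective_sign_req_rev_check(configured: int, is_enabled: bool) -> int:
    """cSign\\iReqRevCheck as applied when LTV embedding (bIsEnabled) is on.

    The page states that bIsEnabled = 1 automatically sets cSign\\iReqRevCheck to 2,
    so signing requires a retrieved good status whenever revocation info exists.
    """
    return 2 if is_enabled else configured


def revocation_policy_passes(req_rev_check: int, info_available: bool,
                             result: Optional[CheckResult]) -> Tuple[bool, str]:
    """Apply one iReqRevCheck level to one certificate.

    info_available: CRLDp/AIA data in the certificate or responder info in the
    registry. result: outcome of the check if one occurred (None if not attempted).
    Returns (passes, explanation).
    """
    if req_rev_check not in (0, 1, 2, 3):
        raise ValueError(f"iReqRevCheck must be 0-3, got {req_rev_check}")

    if req_rev_check == 0:
        return True, "level 0: no revocation check performed"

    if not info_available:
        if req_rev_check == 3:
            return False, "level 3: check required but no CRLDp/AIA information"
        return True, f"level {req_rev_check}: no CRLDp/AIA information, check skipped"

    if result is None:
        raise ValueError("information was available, so a check result is expected")

    if result is CheckResult.GOOD:
        return True, f"level {req_rev_check}: check succeeded"
    if result is CheckResult.REVOKED:
        # Assumption: a definitive 'revoked' answer is a completed check with a
        # negative result, not a failed check, so level 1's tolerance does not apply.
        return False, f"level {req_rev_check}: certificate is revoked"
    # INDETERMINATE: the check itself failed.
    if req_rev_check == 1:
        return True, "level 1: check failed but success is not required"
    return False, f"level {req_rev_check}: check failed and success is required"


def signing_allowed(configured_sign_level: int, is_enabled: bool,
                    info_available: bool, result: Optional[CheckResult]) -> bool:
    """Would a signature be created? Combines the bIsEnabled coupling with the policy."""
    level = effective_sign_req_rev_check(configured_sign_level, is_enabled)
    return revocation_policy_passes(level, info_available, result)[0]


if __name__ == "__main__":
    # cSign default is 0: signing proceeds even with a revoked certificate unless
    # the administrator raises the level or the signer embeds revocation status.
    print(signing_allowed(0, False, True, CheckResult.REVOKED))   # True
    print(signing_allowed(0, True, True, CheckResult.REVOKED))    # False (bIsEnabled forces 2)
    print(signing_allowed(0, True, False, None))                  # True (no info, level 2 skips)
    print(signing_allowed(3, False, False, None))                 # False (level 3 requires a check)
```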
Summary table
• Specifies whether the signature revocation status is included in the signature.
• If true, the revocation information is maintained within the SignatureInfo object and can be retrieved through JavaScript.
• Specifies whether LTV information should be automatically added to all signatures.
• The maximum size of the revocation archival information in kilobytes.
• Indicates whether the revocation information archived with the signature is used for revocation checking.

>>> iAutoAddLTV
Type: integer: DWORD value (REG_DWORD)
Default: 1
Version: 11.0+
Path: Security\cASPKI\cAdobe_LTVProvider
Lockable: Not lockable
Specifies whether LTV information should be automatically added to all signatures. Possible values include:
• 0: Never add LTV information.
• 1: (default) Ask whether LTV information should be added if it is too big.
• 2: Always add LTV information.
When the cumulative size of the LTV data is greater than the sum of 10% of the PDF file size plus 10KB and Automatically add verification information on Save is set to 'Ask', a dialog appears asking the user whether to continue embedding the LTV information. Note that in workflows where this dialog appears, if the user selects the 'Do not show this message again' checkbox AND clicks the No button, this preference is set to zero.
GUI: Preferences >Signatures >Verification panel (More) >Verification Information >Automatically add verification information when saving signed PDF.

Signature Validation Rev Check (Providers).
The revocation checker provider provides revocation checking services.
You can specify one or more revocation checking methods and choose whether to use the default methods or some MSCAPI-specific method. The following options are available:
• Use one or both of Adobe's revocation checking methods (CRL and OCSP).
• Use the MSCAPI revocation checking plugin model as an alternative to Adobe mechanisms. For example, administrators may have standardized on MSCAPI or might prefer the MSCAPI method of using a CRL registry cache (Acrobat has its own cache).
Note: Acrobat's default CRL cache location is C:\Documents and Settings\(user)\Application Data\Adobe\(application)\(version)\Security\CRLCache

Summary table
• An array of text entries (t0-tn) containing the name of a registered provider.
• Specifies a provider for revocation checking.

>>> cRevocationChecker
Type: n/a (cabs are keys that contain subvalues displayed in the right-hand registry panel)
Default: Adobe_OCSPRevChecker, Adobe_CRLRevChecker
Version: 7+
Path: Security\cASPKI\cSPIs
Lockable: Not lockable
An array of text entries (t0-tn) containing the name of a registered provider. The registered providers are:
• Adobe_OCSPRevChecker: Adobe's default OCSP method.
• Adobe_CRLRevChecker: Adobe's default CRL method.
• MSCAPI_RevocationChecker: Accesses the MSCAPI revocation checking plugin framework.
The rules of operation are as follows:
• If cRevocationChecker is empty, the default OCSP and CRL methods are used.
• If cRevocationChecker is not empty, then only the methods listed are used.
• Regardless of the order in which the validators are listed, the validators are always called in the following order: OCSP, CRL, MSCAPI.
• The first validator present that produces a result is the only one used.
Signing: Preview Mode.
Preview mode turns off (suppresses) rich content and dynamic document behavior that could prevent the signer from seeing what they are signing. While the use of preview mode adds an extra step to the signing workflow, it turns off potentially bad content, checks the document for the presence of any PDF constructs that may cause problems with signature integrity, and provides a report about any problems found. The following option is available:
• Force the use of preview mode during signing.

Summary table
• Specifies whether a signer is forced to use preview mode during signing.

The signing dialog has the capability of showing location and contact information fields during a signing workflow. Field fill-in is optional. By default, the option is off, but end users and administrators can turn this option on. The location will appear in the Signature Properties dialog and in the Signatures pane and may optionally appear in the signature appearance. The following options are available:
• Showing or not showing the Contact and Location fields in the signing dialog.
• Setting default contact information.
• Setting default location information.
Note: If the end user changes the field data in the signing dialog, those values will overwrite the registry-specified values.

Summary table
• Specifies whether the location and contact information UI will appear during signing. When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field.
• Stores the location information of the signer.

The signing dialog has the capability of showing a signing reasons drop-down list during a signing workflow. By default, the option is off, but end users and administrators can turn this option on. If a reason is used, it appears in the signature appearance, the Signature Properties dialog, and in the Signatures pane. The following options are available:
• Showing or not showing the Reasons field in the signing dialog.
• Changing the default reasons. Administrators can add, delete, and modify the reason list.
• Locking the reason list so that it can't be modified by end users.

Summary table
• Specifies whether the reason UI will appear during signing.
• Prevents users from modifying reason settings.
• Stores a list of signing reasons.

>>> bAllowReasonWhenSigning
Type: boolean: DWORD value (REG_DWORD)
Default: 0
Version: 8.0+
Path: Security\cPubSec
Lockable: HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cPubSec
Specifies whether the reason UI will appear during signing. The preference can be overridden by a document seed value set on a field. For 8.1 and later, if cReasons is locked and is empty, bAllowSigningReasons is 0 and read only (the UI is turned off). If cReasons is locked and has values, then bAllowSigningReasons is true and read only.
GUI: Preferences >Security >Advanced Preferences >Creation tab >Show reasons when signing.

>>> cReasons
Type: text: String value (REG_SZ)
Default: See details.
Version: 7.0+
Path: Security\cPubSec
Lockable: Not lockable
Stores a list of signing reasons. Entries in this folder are named t0, t1, etc. Subject to override by the document seed value: reasons.
The default reasons are:
• t0: I am the author of this document
• t1: I have reviewed this document
• t2: I am approving this document
• t3: I attest to the accuracy and integrity of this document
• t4: I agree to the terms defined by the placement of my signature on this document
• t5: I agree to specified portions of this document
GUI: Reasons drop-down list in the signing dialog.

A 'certification signature' is simply the first signature in a document where the user has indicated via a user interface choice to 'certify' the document. These preferences only control certification signature behavior and have no effect on approval signature behavior. In addition to the general signature preferences described elsewhere in this document, the following options are available:
• Preventing invisible signatures: By default, users can sign with a visible or invisible signature. Prohibit invisible certification signatures by setting bAllowInvisibleSig to 0.
• Legal attestations (warning comments): When certifying a document that contains dynamic content, a signer can choose a default warning comment from a list or create a custom one. You can prepopulate this list with custom comments with cAttest.
• (Pre-8.0) Control certification based on document content: For versions prior to 8.0, you can control certification rights based on the nature of the document content and whether it generates LegalPDF warnings. These preferences are deprecated in 8.0.
• 11.0: Elevating certified documents to a privileged location so that they are trusted for operations that would otherwise be restricted (see TrustManager).
• 11.0.04: Showing the document's certification status in the Protected View document message bar (see FeatureLockdown).

Summary table
• Specifies whether a certification signature may be applied to a document containing Legal PDF warnings.
• Specifies whether to allow invisible certification signatures.
• Specifies whether any subsequent signers can sign a certified document that does not contain LegalPDF warnings with additional approval signatures.
• Specifies whether any subsequent signers can sign a certified document containing LegalPDF warnings with additional approval signatures.
• Stores a list of the most recently used attestations regarding LegalPDF warnings in a document.

The Sign dialog is capable of showing a Review button. The button invokes the PDF Signature Report, which analyzes the document for the presence of any dynamic content that could adversely affect the integrity of signing workflows. If none is found, a dialog appears indicating that there are no problems. If content such as a comment or JavaScript is discovered, the PDF Signature Report appears with a list of any PDF constructs that may cause problems with signature integrity. The following options are available:
• Never showing or allowing the review of document warnings.
• Limiting warning review to certification workflows.
• Requiring warning review prior to applying an approval and/or certification signature.
• Always requiring review of warnings for every signature.

Summary table
• Specifies whether the user is required to review document warnings before signing via the signing dialog.
• Specifies whether a button to allow reviewing document warnings shows up on the signing dialog.

The default algorithm used to create a message digest (document hash) during signing can be customized. In some enterprise situations, such as when FIPS compliance is required, you may need a more secure algorithm.
Alternate hashing algorithms can be specified by name or OID as shown below. The algorithm that is used is displayed in the Hash Algorithm field of the Signature Properties dialog's Document tab.

Usage rules:
• MSCAPI supports different algorithms across versions. For example, early XP versions only supported SHA1 and MD5. The use of other algorithms will require that the signer use a digital ID that resides in a .pfx/.p12 file in the Acrobat cache.
• With XP SP3, MSCAPI supports SHA256 on certificates and some token devices.
• Pre 9.1: Acrobat uses SHA1 as the default.
• 9.1 and later: Acrobat uses SHA256 as the default, but will use SHA1 if the token does not support SHA256.
• If using FIPS mode, do not use MD5 or RIPEMD160.

The following options are available:
• Specifying an alternate algorithm.

Summary table
• The hashing algorithm to use while signing.
• A text entry that contains the OID of the hashing algorithm.

The default format for creating the signature object that is embedded in a signed document is PKCS#7. The object contains the encrypted message digest, certificates, timestamps, and other information. It does not include the signature appearance or data outside of Contents in the signature dictionary. Format choices are limited so that a signature encoded by one handler can be decoded (validated) by another handler. Providing a value for aSignFormat writes that value to the signature dictionary's SubFilter entry. For details, see 'Signature Interoperability' in the PDF Reference.
• PKCS#1: For signing PDF files using PKCS#1, the only recommended value of SubFilter is adbe.x509.rsa_sha1, which uses the RSA encryption algorithm and SHA-1 digest method. The certificate chain of the signer is stored in the Cert entry.
• PKCS#7: The value of Contents is a DER-encoded PKCS#7 binary data object containing the signature. The PKCS#7 object must conform to the PKCS#7 specification in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5. SubFilter can take one of the following values:
  • adbe.pkcs7.detached: No data is encapsulated in the PKCS#7 signed-data field.
  • adbe.pkcs7.sha1: The SHA1 digest of the byte range is encapsulated in the PKCS#7 signed-data field with ContentInfo of type Data.
  • ETSI.CAdES.detached: Supports long term validation of signatures even when the signing certificate is revoked; this is part of the feature which allows adding an invisible timestamp signature to a document.

Summary table
• The format to use when signing a document using public key cryptography when a format is not specified by a seed value, JavaScript parameter, or the PubSec Handler.

>>> aSignFormat
Type: atom (String value, REG_SZ)
Default: adbe.pkcs7.detached
Version: 7.0+
Path: Security\cPubSec
Lockable: HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cSecurity\cPubSec
Summary: The format to use when signing a document using public key cryptography when a format is not specified by a seed value, JavaScript parameter, or the PubSec Handler. Allowable values include:
• adbe.pkcs7.detached
• adbe.pkcs7.sha1
• adbe.x509.rsa_sha1
• ETSI.CAdES.detached
UI (10.0 and later): Preferences > Security > Advanced Preferences > Creation tab > Default Signature Signing Format

Signing: Digest Comparison.

When signing a PDF document, a message digest is created for the document and sent to the cryptographic module that performs the signing operation. Setting the registry entry bEnforceSecureChannel to 1 ensures that the message digest sent to the cryptographic module is checked against the signed message digest that it returns.
This flag ensures that intermediate layers of software between Acrobat and the cryptographic module do not tamper with the signing operation. The following rules apply:
• When using a certificate that includes a DSA public key with omitted parameters, the test to detect signature validity is not performed. In these cases, setting bEnforceSecureChannel has no effect.
• When this preference is turned on, a digest mismatch results in a warning dialog. The signature is removed from the document and the signing application aborts the signing process.

Summary table
• Specifies whether to prevent signing when the original message digest and the signed message digest do not match.

>>> bEnforceSecureChannel
Type: boolean (DWORD value, REG_DWORD)
Default: 0
Version: 8.0+
Path: Security\cPubSec
Lockable: Not lockable
Summary: Specifies whether to prevent signing when the original message digest and the signed message digest do not match. When set to 1, the user sees a warning dialog when a digest mismatch occurs. This error can be caused by a modification of the original message digest, a modification of the signed message digest, or a mismatch between the private and public key used for signing. When using a certificate that doesn't include a public key (such as a DSA certificate with an omitted public key), the test to detect signature validity is not performed. Do not turn this setting on if such certificates are used.

Signature Clearing.

>>> bReqSigPropRetrieval
Type: boolean (DWORD value, REG_DWORD)
Default: 0
Version: 7.0+
Path: Security\cASPKI\cASPKI\cSign
Lockable: Not lockable
Summary: Indicates whether retrieving a signature property must succeed. Acrobat currently provides a signature property for timestamps.
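Worked example, added here and not part of Adobe's documentation or of Acrobat's own code: a Python 3 script (standard library only) that exercises the three mechanisms just described from the validating side. It resolves a hash algorithm given by name or by OID, refusing MD5 and RIPEMD160 when a FIPS flag is set; locates /SubFilter, /ByteRange and /Contents in a signature dictionary and checks that the ByteRange covers the whole file except the hex-encoded Contents string (the data a detached PKCS#7 signature covers); computes the document digest over that range; and performs the comparison that bEnforceSecureChannel enforces, checking the digest handed to the cryptographic module against the message digest that comes back. The OID table, the function names and the PDF fragment (constructed inline, not an openable file) are the example's own assumptions.

```python
import hashlib
import hmac
import re

# Algorithm names as they appear in Acrobat's hashing preferences, mapped to the
# hashlib name, the digest OID, and whether the page's FIPS rule permits it
# (MD5 and RIPEMD160 are the two it excludes). The OID table is this example's own.
HASH_ALGORITHMS = {
    "MD5":       ("md5",       "1.2.840.113549.2.5",     False),
    "RIPEMD160": ("ripemd160", "1.3.36.3.2.1",           False),
    "SHA1":      ("sha1",      "1.3.14.3.2.26",          True),
    "SHA256":    ("sha256",    "2.16.840.1.101.3.4.2.1", True),
    "SHA384":    ("sha384",    "2.16.840.1.101.3.4.2.2", True),
    "SHA512":    ("sha512",    "2.16.840.1.101.3.4.2.3", True),
}


def resolve_hash(name_or_oid, fips_mode=False):
    """Accept an algorithm name or an OID (the two forms the hashing preference
    allows) and return the hashlib name; refuse non-FIPS algorithms in FIPS mode."""
    for name, (hashlib_name, oid, fips_ok) in HASH_ALGORITHMS.items():
        if name_or_oid.upper() == name or name_or_oid == oid:
            if fips_mode and not fips_ok:
                raise ValueError(name + " is not permitted in FIPS mode")
            return hashlib_name
    raise ValueError("unknown hash algorithm: " + name_or_oid)


# Enough of a signature dictionary to find the SubFilter and the ByteRange.
SIG_DICT_RE = re.compile(
    rb"/SubFilter\s*/(?P<subfilter>[A-Za-z0-9_.]+).*?"
    rb"/ByteRange\s*\[\s*(?P<a>\d+)\s+(?P<b>\d+)\s+(?P<c>\d+)\s+(?P<d>\d+)\s*\]",
    re.DOTALL,
)


def parse_signature_dict(pdf):
    """Return (subfilter, (a, b, c, d)) for the first signature dictionary found."""
    m = SIG_DICT_RE.search(pdf)
    if m is None:
        raise ValueError("no signature dictionary with /SubFilter and /ByteRange")
    byte_range = tuple(int(m.group(k)) for k in ("a", "b", "c", "d"))
    return m.group("subfilter").decode("ascii"), byte_range


def byte_range_is_sound(pdf, byte_range):
    """A detached signature covers [a, a+b) and [c, c+d). Those two ranges must
    span the whole file and leave out exactly the hex string inside /Contents <...>;
    any other gap is unsigned data, so the signature should not be trusted."""
    a, b, c, d = byte_range
    if a != 0 or c < a + b or c + d != len(pdf):
        return False
    hole = pdf[a + b:c]
    return (pdf[a + b - 1:a + b] == b"<" and pdf[c:c + 1] == b">"
            and len(hole) % 2 == 0
            and re.fullmatch(rb"[0-9A-Fa-f]*", hole) is not None)


def byte_range_digest(pdf, byte_range, hashlib_name):
    """The document hash over the signed ranges: what is sent to the signing module."""
    a, b, c, d = byte_range
    h = hashlib.new(hashlib_name)
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.digest()


def digest_matches(sent, returned):
    """The comparison bEnforceSecureChannel=1 performs: the digest handed to the
    cryptographic module must equal the message digest inside the signed object it
    returns; on a mismatch the signature is discarded instead of being embedded."""
    return hmac.compare_digest(sent, returned)


def build_sample_pdf(contents_hex=b"00" * 32):
    """Constructed fragment of a signed PDF (not an openable file) whose ByteRange
    is computed so that it excludes exactly the /Contents hex string."""
    header = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
              b"/SubFilter /adbe.pkcs7.detached\n")

    def render(a, b, c, d):
        return (header
                + b"/ByteRange [%010d %010d %010d %010d]\n" % (a, b, c, d)
                + b"/Contents <" + contents_hex + b"> >>\nendobj\n%%EOF\n")

    draft = render(0, 0, 0, 0)            # fixed-width numbers keep offsets stable
    b = draft.index(b"/Contents <") + len(b"/Contents <")
    c = b + len(contents_hex)
    return render(0, b, c, len(draft) - c)


if __name__ == "__main__":
    pdf = build_sample_pdf()
    subfilter, byte_range = parse_signature_dict(pdf)
    algorithm = resolve_hash("2.16.840.1.101.3.4.2.1", fips_mode=True)  # SHA256 by OID
    sent = byte_range_digest(pdf, byte_range, algorithm)
    print(subfilter, byte_range, byte_range_is_sound(pdf, byte_range), sent.hex())
```

The ByteRange soundness check is the part worth keeping in any validator: a digest that verifies says nothing about bytes the range leaves out, and the only gap a detached signature legitimately has is the Contents hex string itself. The digest comparison uses a constant-time compare because it runs against data an intermediate software layer produced.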
By default, retrieving a valid and trusted timestamp is not required, and a property retrieval failure only results in creating a signature that uses the local time. When property retrieval is required during signature creation and fetching a timestamp fails for any reason (bad URL, no network connection, etc.), the signature creation process is aborted, no signature is created, and an error appears.
• 0: Make a best effort, but success is not required. A signature is created.
• 1: Property retrieval must succeed. On failure, a signature is not created and an error dialog appears.

>>> bUseTSAsSigningTime
Type: boolean (DWORD value, REG_DWORD)
Default: 0
Version: 11.0+
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\(product)\(version)\FeatureLockDown\cSecurity\cPubSec
Summary: Specifies whether the timestamp time should be displayed in the signature appearance. By default, the signature appearance displays the signing time from the signer's computer clock. To display the timestamp server time in a signature appearance:
• Go to HKLM\SOFTWARE\Policies\Adobe\(product)\(version)\FeatureLockDown\cSecurity\cPubSec.
• Create the new DWORD bUseTSAsSigningTime and set it to 1.
• Go to HKCU\Software\Adobe\(product)\(version)\Security\cASPKI\cASPKI\cSign.
• Set bReqSigPropRetrieval to 1. Create the preference if it does not exist.
• Verify that the computer time does not differ from the signature validation revocation check response time by more than the value specified by HKCU\Software\Adobe\(product)\(version)\Security\cPubSec\iMaxClockSkew. The default is 65 minutes. iMaxClockSkew allows admins to account for network delay, time synchronization issues, and so on without invalidating signatures.
Possible values include:
• 0: Don't show the timestamp time.
• 1: Do show the timestamp time.

Timestamp Server: List.

Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler. The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider.
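Before the timestamp server list, an added example (not Adobe's code or documentation): a Python 3 script that audits an exported set of the signing preferences covered above (bEnforceSecureChannel, the hash algorithm, bReqSigPropRetrieval, bUseTSAsSigningTime) against hardened values, renders the hardened values as a .reg file for import or GPO deployment, and applies the iMaxClockSkew tolerance from the procedure just given. It assumes "Adobe Acrobat" and "DC" for the page's (product) and (version) placeholders, assumes the hash preference aSignHash lives under Security\cPubSec, and runs against a constructed sample export rather than a live registry.

```python
from datetime import datetime, timedelta

# Substitutions for the "(product)" and "(version)" placeholders in the page's
# registry paths; assumed values, adjust for the installed product and track.
PRODUCT = "Adobe Acrobat"
VERSION = "DC"

USER_PUBSEC = ("HKEY_CURRENT_USER\\Software\\Adobe\\%s\\%s\\Security\\cPubSec"
               % (PRODUCT, VERSION))
USER_SIGN = ("HKEY_CURRENT_USER\\Software\\Adobe\\%s\\%s\\Security\\cASPKI\\cASPKI\\cSign"
             % (PRODUCT, VERSION))
LOCKDOWN_PUBSEC = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Adobe\\%s\\%s\\FeatureLockDown\\cSecurity\\cPubSec"
                   % (PRODUCT, VERSION))

# Settings an administrator would set explicitly: (type, wanted value, reason
# from the page). The aSignHash location is an assumption of this example.
HARDENED = {
    (USER_PUBSEC, "bEnforceSecureChannel"): ("dword", 1, "abort signing when the returned digest differs"),
    (USER_PUBSEC, "aSignHash"): ("string", "SHA256", "pin the document hash algorithm"),
    (USER_SIGN, "bReqSigPropRetrieval"): ("dword", 1, "require a valid, trusted timestamp"),
    (LOCKDOWN_PUBSEC, "bUseTSAsSigningTime"): ("dword", 1, "show the timestamp server time"),
}

NON_FIPS_HASHES = {"MD5", "RIPEMD160"}   # the two the page excludes in FIPS mode


def audit_signing_prefs(exported):
    """Compare an exported {(key path, value name): value} dict against HARDENED
    and return a list of findings; an empty list means nothing to fix."""
    findings = []
    for (path, name), (_kind, want, why) in HARDENED.items():
        have = exported.get((path, name))
        if name == "aSignHash":
            if have is None:
                findings.append("aSignHash not set: Acrobat 9.1+ defaults to SHA256 "
                                "but falls back to SHA1 when the token lacks it")
            elif str(have).upper() in NON_FIPS_HASHES:
                findings.append("aSignHash=%s: not permitted in FIPS mode" % have)
            elif str(have).upper() == "SHA1":
                findings.append("aSignHash=SHA1: weak digest; prefer SHA256")
        elif have is None:
            findings.append("%s missing under %s: default applies (%s)" % (name, path, why))
        elif have != want:
            findings.append("%s=%r under %s: expected %r (%s)" % (name, have, path, want, why))
    return findings


def to_reg_file(settings=HARDENED):
    """Render settings as a .reg file (Regedit 5.00 format) for import or GPO deployment."""
    by_path = {}
    for (path, name), (kind, value, _why) in settings.items():
        by_path.setdefault(path, []).append((name, kind, value))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for path, entries in by_path.items():
        lines.append("[%s]" % path)
        for name, kind, value in entries:
            if kind == "dword":
                lines.append('"%s"=dword:%08x' % (name, value))
            else:
                lines.append('"%s"="%s"' % (name, value))
        lines.append("")
    return "\n".join(lines)


def within_clock_skew(local_iso, response_iso, max_skew_minutes=65):
    """The iMaxClockSkew check from the procedure above: the local clock and the
    revocation/timestamp response time may differ by at most this many minutes."""
    local = datetime.fromisoformat(local_iso)
    response = datetime.fromisoformat(response_iso)
    return abs(local - response) <= timedelta(minutes=max_skew_minutes)


# Constructed sample export: digest check off, MD5 selected, lockdown value absent.
SAMPLE_EXPORT = {
    (USER_PUBSEC, "bEnforceSecureChannel"): 0,
    (USER_PUBSEC, "aSignHash"): "MD5",
    (USER_SIGN, "bReqSigPropRetrieval"): 1,
}

if __name__ == "__main__":
    for finding in audit_signing_prefs(SAMPLE_EXPORT):
        print("FINDING:", finding)
    print(to_reg_file())
```

Feed audit_signing_prefs the values from a `reg export` of the two user keys and the FeatureLockDown key; the HKLM entry is the one that end users cannot override from the Security Settings Console, which is why bUseTSAsSigningTime is emitted under the Policies path and the per-user settings under HKCU.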
End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:
• Specifying a list of servers that will appear in the Security Settings Console. Preferences are represented as a list c0-cN and contain the server name, URL, and whether authentication is required.
• Specifying when to do revocation checking as well as the effect of a failed or bad response.
• Increasing security by choosing a more robust hashing algorithm. The algorithm must be supported by the timestamp server.
• Requiring signature property retrieval (a valid and trusted server URL) in order to create a signature.

Summary table
• This is an internal copy of bAuthReqd that cannot be modified.
• Specifies whether or not the timestamp server requires authentication.
• The user-defined server name.
• The server URL.
• If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID.

>>> bAuthRequired
Type: boolean (DWORD value, REG_DWORD)
Default: null
Version: 7.0+
Path: Security\cPPKHandler\cTimeStampServers\c(index)
Lockable: Not lockable
Summary: Specifies whether or not the timestamp server requires authentication.
Only used when ASPKI is running within the Acrobat environment.
UI: Security Settings Console > Timestamp Servers > Configuration panel > This server requires me to log on.

>>> xLockboxId
Type: string (Binary value, REG_BINARY)
Default: null
Version: 7.0+
Path: Security\cPPKHandler\cTimeStampServers\c(index)
Lockable: Not lockable
Summary: If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID. The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment. The preference is populated when the user checks This server requires me to log on and then enters a username and password.

Timestamp Server: Default.

Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler. The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:
• Setting a default server.

Summary table
• Specifies whether the timestamp server requires authentication.
• Identifies the hashing algorithm used to hash the timestamped data.
• Indicates whether revocation checks on timestamps are required to succeed before signing.
• ASPKI requires the signature property to predict the size (in bytes) so that enough space can be set aside.
• The hashing algorithm OID used to hash the data to be timestamped.
• The server login password.
• A timestamp server URL such as
• The server login username.
• If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g.
>>> iReqRevCheck
Type: integer (DWORD value, REG_DWORD)
Default: 2
Version: 7.0+
Path: Security\cASPKI\cAdobe_TSPProvider
Lockable: Not lockable
Summary: Indicates whether revocation checks on timestamps are required to succeed before signing. Failure does not affect signature creation or validation; it only results in defaulting to the local machine time. Interacts with other iReqRevCheck settings. The possible values include:
• 0: Don't do revocation checks.
• 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.
• 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
• 3: Require a check; it must succeed under all circumstances.

>>> xLockboxId
Type: string (Binary value, REG_BINARY)
Default: null
Version: 7.0+
Path: Security\cASPKI\cAdobe_TSPProvider
Lockable: Not lockable
Summary: If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g. The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment. The preference is populated when the user checks This server requires me to log on and then enters a username and password.

The preferences in EDC (a legacy name) define Adobe LiveCycle Rights Management Server connections. Users can specify servers through the Security Settings Console. However, administrators can preconfigure user machines to control the end user experience. The following options are available:
• Setting a default server under cEDC. The default server appears with a star icon in the Security Settings Console.
• Controlling whether to use HTTP or HTTPS with bAllowConnectViaHTTP.
• Adding one or more servers to the known server list cEDC\KnownServers. These server definitions will appear in the Security Settings Console's server list.
• Locking down the settings so that the server configuration dialog will not appear in the user interface, thereby preventing end users from adding servers or changing server settings.

Summary table
• Prevents a LiveCycle Rights Management Server from being configured by disabling the menu option in the Security Settings Console.
• If true, the server connection URI uses the format ; otherwise, it uses the format
• Indicates whether the password has been cached for this server.
• The last APS server used to open a document and the server used for offline key synchronization.
• Set if bSavePassword is not 0 to look up the password in a user's secure password cache.
• The user-defined name for this server.
• The DNS server name (i.e.
• The Adobe LiveCycle Rights Management Server selected by the user as the default.
• The default server URL.

The keys at Security\cPPKLite\cSP_Favorites contain an array of subkeys c0-cN where each index defines a favorite security policy. Both user and organizational policies can be favorites. Any policy marked as a favorite will appear in the user's favorites list. End users make a policy a favorite by opening the Manage Security Policies dialog, highlighting the policy, and choosing Favorites. A star icon appears to the left of the policy name and the policy becomes available in the top level menu. The following options are available:
• Specifying a non-default handler for a policy.
• Marking one or more policies as a favorite.
• Specifying policy names.

Summary table
• An ASAtom specifying which PDCrypt handler knows how to handle this security policy.
• Determines whether the referenced security policy is displayed as a favorite.
• A string containing the security-policy.acrodata file key used to reference the policy that is being applied.
• The security policy name.
Opening Extension Manager

Click on the icon that looks like this near the upper-right corner of the window, or choose File > Extension Manager.

Installing and Removing Extensions

You can browse a list of available extensions in the Available tab of the Extension Manager, and click Install to install an extension with one click. Use the filter field to search across the extension name, description, author, and all other fields.

The extension listing

The extension listing comes from the online. If you're an extension author, please so it's available for others to find.

Removing Extensions

Under the Installed tab, click on the Remove button to mark an extension for removal. When you close Extension Manager, Brackets will need to restart in order to finish removing the selected extensions. (You can save your work or choose to cancel the restart first. If you cancel the restart, you'll need to reselect the extensions to remove later.) If an extension breaks Brackets to the point where Extension Manager is unusable, see the 'Manual' section below to remove the extension.

Updating Extensions

When an extension update is available, a green Update button will appear in the Installed tab. Updating extensions also requires a Brackets restart (see 'Removing Extensions' above).

Manual Install/Remove/Update

From a URL
• Install: Open Extension Manager and click the Install from URL button at the bottom. Enter a URL to a ZIP file or the URL to a GitHub repo (if the extension doesn't require any special build/packaging).
• Remove: Use Extension Manager normally.
• Update: Click the Install from URL button again and enter a URL to the updated version.

Directly on disk
• Choose Help > Show Extensions Folder (or )
• Drill down to the user folder
• Add, remove, or update the set of extension folders as needed
• Quit and re-launch Brackets

Old Extensions List

Some older Brackets extensions are not listed in Extension Manager. These extensions may no longer work in current versions of Brackets.
•: Navigate back to previous cursor and edit locations quickly with toolbar buttons.
•: Move toolbar from vertical (right) to horizontal (top).
•: Auto-complete parentheses, brackets, braces, double and single quotes.
•: Auto formatter for XML/HTML, CSS, JavaScript files.
•: Indent automatically for whole file.
•: Converts double to single quotes or single to double quotes.
•: Adds PHP function definition support to QuickOpen search.
•: Adds cshtml (views in MVC.net) to the HTML highlighting.
•: Adds support for Haml, ERB, and Ruby line and block comments.
•: Show tabs in place of title when sidebar is hidden.
• [Parent Dir] (): Show parent directory of opened files in the Working Set.
•: Updates scripts running in Node.js as you type.
•: Select any expression and evaluate it in wrepl.
•: Quick Edit on an exclusion shape definition in CSS displays the shape.
• [BracketLESS] (): Compiles LESS files to CSS on save.
•: Opens any href and rel attribute URLs in the editor on the ALT+0 shortcut. Currently works only with existing files.
•: Run any task in your Gruntfile.js. (Tested on Brackets Sprint 25.)
•: Add some links to the sidebar for quick access (dev; still a lot of stuff I want to add).
•: This extension allows automatically compressing JavaScript and CSS files using YUI Compressor.
•: Runs on a .js file.
•: Includes a way of creating an extensions toolbar and adding buttons to the toolbar with callbacks.
•: Allows you to browse certain sites in the bottom panel and lets you do a Bing search on highlighted text by pressing Shift+Cmd+B.
•: Displays JSLint error messages inline, highlighting infringing code and checking the code while you type.
•: PHP_CodeSniffer for Brackets. Lints your PHP through a web service.
•: A Brackets extension that enables Phil Booth's complexityReport.js tool. Displays complexity statistics on a per-function and aggregate basis.
•: Runs the Jasmine-node unit test tool against the current file.
•: An extension that enables node-madge functionality. Search for module dependencies, circular dependencies and more.
•: Because sometimes you need to eat your code.