Gnostice Blog

Monday, February 01, 2016

What does the “Signature validity is UNKNOWN” message from Adobe Reader mean?

No need to chuck your new certificates.

By V. Subhash

When Adobe Reader shows this message, there is no need to panic. It means that Reader was unable to find the document's signature in its list of trusted identities. It does not mean that the signature is invalid.

Microsoft Windows maintains a signature store containing digital signatures. This store is used by Internet Explorer and other Microsoft applications. Firefox and other browsers have their own signature stores.

Similarly, Adobe Reader maintains its own signature store. Adobe Reader has an option to trust the certificates in the Windows signature store but this option is not enabled by default, as Adobe believes the Microsoft "store casts too wide a net".

This may be why the certificate that your e-mail program or your word-processing program trusts is not automatically trusted by Adobe Reader.

The certificate that you use in your document may belong to you or your organization. This certificate is issued by a Certificate Authority, also known as a CA. If the CA is in the list of trusted CAs in Adobe Reader, then the signature validation message may not be so grim-sounding.

In 2005, Adobe introduced a set of CAs whose certificates were chained to the Adobe Root CA, as part of its CDS program. Adobe Reader automatically validates documents signed with certificates from these CAs.

Does that mean you or your organization need to buy new certificates from these select CAs? No. The whole idea of certificates is that the users control whom they want to trust. While users can trust Adobe or Microsoft or Mozilla, that's not the only option. Users can trust themselves too!

For a document to be validated upon receipt, the signature identity should already be in the recipient's certificate store.

How can recipients of your documents have your identity in their digital store? One way would be to export the public key of your signature and your CA and e-mail it to the recipient, hoping that it is not tampered with in transit. Adobe Reader has an option for this. Another option would be to provide the exported signatures via sneakernet. A third option would be to simply send a signed document and ask the recipient to import the signatures straightaway into their store. The sneakernet option may be the only option if there is a danger of tampering during transit.
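
The distinction described above, as an added example (not part of the original post and not Adobe Reader's own logic): it uses OpenSSL CMS detached signatures as a stand-in for PDF signatures, with constructed throwaway identities, to show that a signature can pass the integrity check yet remain UNKNOWN until the signer's certificate is in the recipient's trust store. The function names, file names and the three result labels are assumptions made for the example.

```shell
#!/bin/sh
# Constructed demo: throwaway keys, certificates and document in a temp dir.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT

# new_identity NAME: create a self-signed certificate NAME.crt with key NAME.key
new_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1 (constructed)" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# classify DOC SIG TRUSTFILE: prints VALID, UNKNOWN or INVALID
classify() {
    # Step 1: integrity only. -noverify skips the signer-certificate check,
    # so this answers "does the signature match these bytes?" and nothing else.
    openssl cms -verify -binary -inform PEM -in "$2" -content "$1" \
        -noverify -out /dev/null 2>/dev/null || { echo INVALID; return; }
    # Step 2: trust. The signer's chain must end at a certificate in TRUSTFILE.
    if openssl cms -verify -binary -inform PEM -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null; then
        echo VALID
    else
        echo UNKNOWN
    fi
}

new_identity alice   # the document signer
new_identity other   # an unrelated identity the recipient already trusts
printf 'Quarterly report, constructed sample\n' > "$work/doc.txt"
openssl cms -sign -binary -in "$work/doc.txt" -signer "$work/alice.crt" \
    -inkey "$work/alice.key" -outform PEM -out "$work/doc.p7s" 2>/dev/null

# Recipient's trust store before and after importing the signer's certificate.
cp "$work/other.crt" "$work/store_before.pem"
cat "$work/other.crt" "$work/alice.crt" > "$work/store_after.pem"
printf 'Quarterly report, constructed sample (edited)\n' > "$work/tampered.txt"

doc="$work/doc.txt"; sig="$work/doc.p7s"
echo "before import: $(classify "$doc" "$sig" "$work/store_before.pem")"
echo "after import:  $(classify "$doc" "$sig" "$work/store_after.pem")"
echo "tampered doc:  $(classify "$work/tampered.txt" "$sig" "$work/store_after.pem")"
```

Importing the signer's certificate changes only the trust decision; the signature bytes and the integrity result are the same in both runs.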
