What is it?
The Adobe Approved Trust List is a program that allows millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Adobe® Acrobat® or Reader® software. Essentially, both Acrobat and Reader have been programmed to periodically download a list of trusted “root” digital certificates from a web page. Any digital signature created with a credential that can trace a relationship (“chain”) back to the high-assurance, trustworthy certificates on this list is trusted by Acrobat and Reader.
How does it work?
Certificate authorities (CAs) — entities that provide digital signing credentials to other organizations and users — as well as governments and businesses that provide certificates to their citizens and employees can apply to Adobe to join the AATL program by submitting application materials and their root certificates (or another qualifying certificate). After verifying that the applicant’s services and credentials meet the assurance levels imposed by the AATL technical requirements, Adobe adds the certificate(s) to the Trust List itself, digitally signs the Trust List with an Adobe corporate digital ID that is linked to the Adobe Root certificate embedded in Adobe products, and then posts the list to a website hosted by Adobe.
Afterwards, when any user receives a digitally signed document from a signer whose digital certificate can trace its lineage (chain) back to a certificate on the AATL, that signature will automatically be trusted.
Why is this feature important?
When you receive a digitally signed document, both Reader and Acrobat ask three key questions to validate the signature:
- Is the digital certificate that signed the document still valid? Has it expired or been revoked?
- Has the document been changed since it was signed? Has the integrity of the document been affected? If there are changes, are they allowed changes or not?
- Finally, does this certificate chain up to a certificate listed in the Trusted Identity list? If so, the signature will be trusted automatically.
The answers to the first two questions are handled by Acrobat and Reader based on an analysis of the information contained within the certificate and the signed document itself. However, it’s the answer to the third question that has always posed a challenge to the electronic signatures marketplace. How do you know if you can trust a digital signature? What aspects of the signer’s digital certificate/credential should be noted? How important is verifying the signer’s identity, and how critical is the storage of the signing key itself?
Adobe understands that the relying party must be free to make its own trust decisions based on its unique circumstances. However, Adobe has also been looking at ways to help relying parties make this determination and in so doing make the process of using digital signatures that much easier. The Adobe Approved Trust List is simply the latest in these efforts.
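The three questions above can be expressed as a small decision procedure. The following is an added illustration, not Adobe's code: it is a simplified model in which certificates are matched by name rather than by cryptographic signature, and every name and data value in it is constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # equals subject for a self-signed root
    not_before: date
    not_after: date

def build_chain(signer, pool, trust_list):
    """Follow issuer names upward; stop at a trust-list entry, a root, or a dead end."""
    chain = [signer]
    while (chain[-1].subject not in trust_list
           and chain[-1].issuer != chain[-1].subject
           and chain[-1].issuer in pool
           and pool[chain[-1].issuer] not in chain):   # guard against issuer loops
        chain.append(pool[chain[-1].issuer])
    return chain

def validate(doc, signed_digest, signer, check_date, pool, trust_list, revoked):
    chain = build_chain(signer, pool, trust_list)
    # Question 1: is every certificate in the chain in date and not revoked?
    for cert in chain:
        if not cert.not_before <= check_date <= cert.not_after:
            return "invalid: certificate outside validity period"
        if cert.subject in revoked:
            return "invalid: certificate revoked"
    # Question 2: does the document still match what was signed?
    # (Simplification: any change fails; permitted-change rules are not modelled.)
    if hashlib.sha256(doc).hexdigest() != signed_digest:
        return "invalid: document modified"
    # Question 3: does the chain end at a certificate on the trust list?
    if chain[-1].subject in trust_list:
        return "trusted"
    return "valid, signer identity unknown"

# Constructed sample data (hypothetical names, not real AATL members).
POOL = {c.subject: c for c in [
    Cert("Example Gov Root", "Example Gov Root", date(2015, 1, 1), date(2035, 1, 1)),
    Cert("Example Gov Issuing CA", "Example Gov Root", date(2018, 1, 1), date(2030, 1, 1)),
    Cert("Private Root", "Private Root", date(2015, 1, 1), date(2035, 1, 1)),
]}
TRUST_LIST = {"Example Gov Issuing CA"}    # the anchor need not be a root
ALICE = Cert("Alice", "Example Gov Issuing CA", date(2023, 1, 1), date(2026, 1, 1))
BOB = Cert("Bob", "Private Root", date(2023, 1, 1), date(2026, 1, 1))
DOC = b"constructed contract text"
DIGEST = hashlib.sha256(DOC).hexdigest()
```

In this model a signature that passes the first two checks but chains only to a private root is reported as valid with an unknown signer, which is the gap the trust list is meant to close.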
How does this program compare to the CDS program?
Back in 2005, Adobe unveiled the Certified Document Services (CDS) program, which automatically trusts new digital IDs that are chained to (part of the family of) the Adobe Root certificate embedded in Adobe products. CDS, the predecessor to the AATL, has five certificate authorities offering certificates. While the high-level benefits of the Adobe Approved Trust List program are similar, existing certificate communities, such as government eID programs, can join the Trust List, as the chain to the Adobe Root certificate is not required.
Why would my organization want to join?
If you represent an organization or government that already has a significant investment in digital certificates (that is, hundreds of thousands of users), and these certificates are being used to sign PDF documents, then you already know the importance of trust and how confusion over a digital signature can lead to support calls, questions, and general uneasiness about using a digital signature. The AATL program provides an easy way for all your certificate holders, assuming they meet the technical requirements, to sign documents confidently, knowing that recipients will not only get the cost savings and a resulting “green” benefit from staying with an electronic document, but also the integrity-checking and trusted green checkmark/blue ribbon experience when they open the document.
How do I get an AATL-enabled signing credential?
Adobe does not sell these credentials but manages the program by which these credentials are trusted. To purchase AATL-enabled certificates, contact one of the members. Also check the list to see if your organization may already be a part of the AATL.
How do I configure the feature for enterprise deployments?
For enterprise configuration details, refer to the Preference Reference. Options include:
- Disabling the feature.
- Enabling silent import of certificates so that end users don’t see the import dialog.
AATL technical requirements
This is the official repository of the AATL Technical Requirements. The most recent specification published here applies currently.
If your organization is interested in joining the AATL program, please first review the Technical Requirements. If you meet the requirements, contact the AATL team at Adobe to receive more information by clicking the link below: