Sal, Jakob, The CP for Adobe is here:- http://www.adobe.com/misc/pdfs/Adobe_CDS_CP.pdf and section 7 highlights the specific profile of the certificate.
Sal, you are correct it's an X509 certificate and there are no deviations from that spec. However, there are specific OID and specific rules that the CP mandates and there are also specific services that are related to the certificate which are indicated within the profile (Time stamping for example). FYI, I've hopefully addressed Ivo's concerns in a separate e-mail and made suitable suggestions to him on ways to solve his particular issue. Thanks Steve -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Crypto Sal Sent: 17 August 2010 05:30 To: openssl-users@openssl.org Subject: Re: Adobe Acrobat Certificates? On 08/16/2010 10:52 AM, Jakob Bohm wrote: > On 16-08-2010 11:51, Steve Roylance wrote: >> Ivo, >> >> GlobalSign offers Adobe CDS based certificates to the market so we >> are very >> familiar with Adobe Acrobat. If you want to create a simple PKCS#12 >> self >> signed certificate and you have Acrobat Pro, then go into the 'Advanced' >> settings menu 'Security Settings' and simply click on 'Add ID' and a >> wizard >> will guide you through the process to end up with a PKCS#12 or an >> exportable >> certificate in your Windows PC cert store. It's very easy. >> > Nice feature for test signatures, but I don't think that's what the > OP wanted (see below). > >> If you ever then need a real CDS (Recognizable by PDF reader worldwide) >> certificate GlobalSign would be pleased to help get one for you. > > Nice plug, but I guess the OP wanted to issue locally trusted > certificates signed by an in-house enterprise CA that runs on a Linux > machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). > > So maybe you (based on your experience) can tell the rest of us > exactly what makes an Adobe PDF Cert different from a generic X.509 > cert? > Jakob, From my experiences: NOTHING. (So long as it has digital signing enabled) From what I have seen and know, Adobe CDS partners [ http://www.adobe.com/security/partners_cds.html ], get an intermediate certificate from Adobe, which they then use to issue digital signing certificates to Organizations or Individuals. (Entity/their customers). The only real benefit is much like having a publicly trusted SSL certificate from a CA (Verisign/GeoTrust, Comodo, Entrust, GlobalSign, GoDaddy, etc.) vs. that of a self-signed certificate in a browser. (It helps get rid of the browser nag, because what end-user wants to actually THINK before they do something?) I do like the fact that Adobe gives end-users the ability to trust who they want (much like the friendly browsers do these days), when they want and they don't have to rely on Adobe to certify CAs especially since Adobe hasn't decided not to partner with some of the more popular global CAs such as Comodo, StartSSL, GoDaddy, etc. (Even though: Mozilla, Opera and Microsoft DO) Hope this sheds some more light on the issue. However, we await Steve's response. --Sal ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
