Adobe Certified Document Services

1. What are Certified Document Services (CDS)?
Certified Document Services (CDS) is one of the services enabled by the Adobe root certificate authority. CDS enables document authors to sign Portable Document Format (PDF) files, using standard digital certificates, which automatically validate when authors are using free Adobe® Reader® software. No additional client software or configuration is required.

CDS was designed to enable organizations and individuals who publish high-value documents to large and disparate recipient groups to increase the assurance level that the document's integrity and authenticity are preserved. By adding a Certifying Signatures and Approver Signatures to a PDF file, document authors can increase this assurance level while at the same time reduce the burden of the recipient regarding how to determine if the document can be trusted.

Click here to learn more about CDS http://www.adobe.com/security/digsig/certifieddocs.html.

GlobalSign offers CDS services under the DocumentSign brand. DocumentSign Digital IDs are issued to individuals and departments and allow authors to add Certifying Signatures and Approver Signatures to PDFs.

2. How does it work?
DocumentSign Digital IDs are “chained” to the inherently trusted Adobe root certificate found in Adobe Reader and Acrobat 6.0+. Recipients who open certified documents signed with CDS digital IDs receive one of three easy to understand trust messages.

Certification VALID	Validity of author NOT confirmed	Certification INVALID

3. How do I get a DocumentSign Digital ID?

4. How is my organization vetted?
After the completion of a Letter Of Authorization (LOA) completed by an Organizational Representative authorized to bind the organization to the terms of the GlobalSign agreement and by reference the DocumentSign Digital ID for Adobe PDF Certificate Practice Statement, GlobalSign shall verify the Organization is legitimate using third party verification services like Dun and Bradstreet.

Click here to obtain the <LOA template>.

5. How are subscribers vetted?
Retail subscriber’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the DocumentSign Certification Practice Statement. Enterprise subscribers are vetted by authorized Registration Authorities that have been appointed by the Organization Representative.

6. Where can I review the Certificate Practice Statement for DocumentSign Digital IDs?
Click here for the DocumentSign Certification Practice Statement.

7. Where can I review the Certificate Policy Statement for DocumentSign Digital IDs?
<Adobe CP>

8. Why does my private key associated with my DocumentSign Digital ID need to be stored on cryptographic hardware?
The Adobe CDS Certificate Policy highlights the need to ensure the security of the CDS program by ensuring all digital IDs are created on FIPS compliant Cryptographic Hardware. This maintains the 'singularity' of the Digital ID such that it cannot be duplicated, and therefore preserves non repudiation capabilities of the solution. the only exception to this are Test Certificates which have a separate Test OID and therefore can be created outside of a hardware module.

9. How do I know what type of DocumentSign Digital ID is right for me?

PersonalSign Pro Digital ID for Adobe PDF
A client based desktop solution designed for organizations with low volume requirements needing named individuals (e.g. John Smith) to add Certifying or Approval Signatures to PDFs. Authors digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-1 level 2 cryptographic USB token.

DepartmentSign Digital ID for Adobe PDF - low volume
A client based desktop solution designed for organizations with low volume requirements needing their departments e.g. Marketing Department or Legal Department to add Certifying or Approval Signatures to PDFs. Departments digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-1 level 2 cryptographic USB token.

DepartmentSign Digital ID for Adobe PDF - medium volume
An automated solution to add Certifying and Approval Signatures to important PDFs and designed for organizations with medium volume requirements. A role-based DocumentSign Digital ID e.g. Marketing Department or Legal Department is issued and securely protected on a SafeNet FIPS 140-1 level 2 cryptographic device such as a Luna® PCI card.

Corporate RA for Adobe PDF
Includes two options for the Enterprise to manage the full life-cycle of DocumentSign Digital IDs issued under their organization name. For example:

• Distributed implementations of PersonalSign and DepartmentSign Digital IDs on USB tokens issued to individuals and departments
  
  
• Centralized implementations (maintained on the organization's server) DocumentSign Digital IDs for either departments or individuals

Distributed implementations involve providing organization administrators (acting as the organization's Registration Authority) a bulk quantity of PersonalSign or DepartmentSign Digital IDs for low volume Certifying and Approval Signature requirements and the associated Safenet USB tokens used to protect the Digital IDs.

Centralized, server-based implementations work with SafeNet hardware security modules (optionally sold) that are highly integrated with Adobe’s Enterprise Server suite. The net result is a highly automated solution with robust signing functionality for high volume addition of Certifying and Approval Signature to PDFs.

10. How do I enroll for a DocumentSign Digital ID?
For USB token-based DocumentSign Digital IDs, once your registration has been approved pending receipt of verification documents, you will received an email containing a link to a web site that’s you’ll use to pick up your certificate. Remember, you can not start this process until you first receive a User Guide and USB token (furnished by GlobalSign for Retail customers and by the Organization administrator in the case of Corporate RA customers). Additionally you must install the USB drivers prior to starting the certificate enrolment process.

See DocumentSign for Adobe PDF Quick Start Guide for details.

11. What happens if I “lock” myself out of my GlobalSign furnished USB token?
USB tokens are shipped blank using the default passphrase of PASSWORD. Subscriber’s are required to personalize the USB token passphrase to a 6 – 8 mix character secret value. This additional level of security is required by the DocumentSign Certification Practice Statement. However, like most increases in security comes a burden. DocumentSign Subscribers are responsible for remembering the value and will be permanently locked out of their USB token after (10) failed attempts. GlobalSign is unable to retrieve the passphrase.

12. Where can I get the GlobalSign for Adobe CA subordinate CA and what is the root hierarchy?
Visit http://secure.globalsign.net/cacert/GlobalSignCDS.crt for the Adobe CA subordinate CA in CER and DER format. The Adobe root hierarchy is a high security PKI implementation as follows:

13. What information does the DocumentSign Digital ID contain?
PersonalSign Digital IDs for Adobe PDF typically contain the following information:

Common Name: e.g. John Doe
Email: e.g. john.doe@yahoo.com
Country Code: e.g. US
State: e.g. Massachusetts
Locality:: e.g. Boston

DocumentSign Digital IDs for Adobe PDF issued with a professional context i.e. PersonalSign Professional, DepartmentSign, and CorporateRA Digital IDs for Adobe PDF typically contain the following information:

Organization: ABC Company
Organization Unit: 123 Business Unit
Common Name: e.g. John Doe or Marketing Department
Email: e.g. john.doe@yahoo.com
Country Code: e.g. US
State: e.g. Massachusetts
Locality:: e.g. Boston

14. What Adobe applications work with CDS?

Acrobat CDS Authoring Products:

• Acrobat Professional v6.x through 8.x
• Acrobat Standard v6.x through 8.x
• Adobe LiveCycle Document Security Server v7.x and LiveCycle ES Digital Signatures

Acrobat CDS Validation Products:

• Acrobat Professional v6.x through 8.x
• Acrobat Standard v6.x through 8.x
• Acrobat Elements v6.x through 8.x
• Adobe Reader v6.x through 8.x
• Adobe LiveCycle Document Security Server v.7.x and LiveCycle ES Digital Signatures

15. Where can I learn more about digitally signing Adobe PDF documents?
Go to the Adobe product help section and search under “digital signature” for detailed information.

16. What technical requirements do I need to use a DocumentSign Digital ID?

Software requirements for the SafeNet iKey 2032 USB token
Your computers must contain:
One of the following Microsoft operating systems:

• Windows 2000 Professional SP 4
• Windows 2000 Server SP 4
• Windows Server 2003
• Windows XP Professional (SP 2)
• Windows Vista
• Microsoft Internet Explorer V5.5 SP2 or higher
• At this time support for the iKey drivers is limited to 32 bit versions of the operating systems and NOT 64 bit versions

Hardware requirements for the SafeNet iKey 2032 USB token

• An available USB port for your USB iKey token
• Minimum of 128MB of RAM

Software requirements for Adobe Acrobat Reader.
http://www.adobe.com/products/reader/productinfo/systemreqs/index.html

Software requirements for the Adobe Acrobat Family.
http://www.adobe.com/products/acrobatpro/productinfo/systemreqs/

17. How can I learn more about server-based CDS implementations?
Contact GlobalSign Adobe Sales on Tel US 603-570-7060 or Tel UK + 44 1622 766766 sales@globalsign.com to learn more about highly automated CDS solutions.

18. Where can I find the USB token drivers for XP / Vista systems?
Click below and select Save As. Double click the application to begin installation of drivers.
DocumentSign for Adobe PDF Drivers.

Please note that previous programs you have installed may also have used InstallShield and therefore may require temporary files to be removed.  You will be presented with the following error screen if this is the case.



To correct the problem, please delete the following directories.
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10
and/or
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11

19. Where can I find the USB token Utilities for XP / Vista systems?
Click below and select Save As. Double click the application to begin installation of the utilities.
DocumentSign for Adobe PDF Drivers.

20. What do I do if my DocumentSign Digital ID is lost or stolen?
DocumentSign Digital ID holders should immediately report their lost or stolen certificate to their company administrator that issue their CDS certificate.

21. How does a DocumentSign Digital ID differ from any other x.509v3 certificate?
No need for pre-established or pre-understood trust decisions, no need for software plug ins, no desktop or client side configuration, no swapping trusted CAs. No special configuration for time-stamping and OCSP. It’s already integrated and ready out of the box.

22. How does time-stamping work?
DocumentSign Digital IDs contain a special extension that supported Adobe products will use to gain access to a highly available and highly trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature.

23. How long will my signature remain valid?
If digitally signed on-line, with a valid timestamp and revocation check, your signature shall remain valid well after the certificate has expired or even if it was revoked after the fact.

24. What is the difference between Certified and Approval signatures?
Most digital signatures are referred to as approval signatures. Signatures that certify a PDF are called certifying signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature. A certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel.

Approval signatures are performed when someone signs a document to show consent, approval, or acceptance. A certified document is one that has a certification signature applied by the originator when the document is ready for use. The originator specifies what changes are allowed; choosing one of three levels of modification permitted:

• no changes
• form fill-in only
• form fill-in and commenting

Valid approval signatures produce a “green check mark” and certified signatures produce a “blue ribbon”. Both types of digital signatures provide embedded OCSP and RFC 3161 compliant services resulting in valid signatures well past the life of the DocumentSign Digital ID that signed them.

  See example of a Certified PDF containing Approval Signatures

25. What are some possible reasons on why my valid DocumentSign Digital ID produced a “question mark” at document opening?
Potential issues could be as follows:

• Port 80 is blocked, therefore supported Adobe products can not reach the OCSP and/ or Time-stamping servers needed for validation
• The document of digital signature was performed “off-line”
• Author or recipients are not signing or validating with Adobe Reader or Acrobat 6.0+

26. Why isn’t the ikey USB token drivers installing on my Vista operating system?
One reason may be your User Account Control (UAC) setting. You may need to disable the UAC by going to the Windows Vista Control Panel and select User Accounts:

Click on the option for Turn User Account Control On or Off:



Uncheck the Use User Account Control (UAC) to help protect your computer:

This must be done prior to installing the drivers and re-enable after successful driver installation. You may reinstate User Account Control after installation for security for your system.