A digital ID includes a certificate with a public key and a private key. Participants in signing and certificate security workflows exchange the public part (the certificate) of their digital ID. Once you obtain someone’s certificate and add it to your trusted identities list, you can encrypt documents for them. There may be instances when the certificate does not already chain up to a trust anchor that you have specified. In such cases, you can set the certificate’s trust level so that you can validate the owner’s signature. Understanding what a trusted identity is and how trust levels are set lets you streamline workflows and troubleshoot problems. For example, you can add trusted identities in advance and individually set the trust for each certificate. In enterprise settings, your trusted identities list may be preconfigured. You may also be able to search a directory server for additional certificates.
You can export your certificate and contact data for use in signature validation and certificate security workflows. Other users can import that data to their trusted identity list. Contact data added in this manner helps expand the number of users that can participate in secure document workflows. See the Digital Signature Guide (PDF) at www.adobe.com/go/learn_acr_security_en for information on exporting certificates.
You build a list of trusted identities by getting digital ID certificates from participants in signing and certificate security workflows. You get this information from a server, file, or a signed document. For signing workflows, you can get this information during the signature validation process. For certificate security workflows involving encryption, request the information in advance. This enables you to encrypt the document with the document recipient’s public key. See the Digital Signature Guide (PDF) at www.adobe.com/go/learn_acr_security_en for more information on setting up certificate trust.
The Adobe Approved Trust List (AATL) allows users to create certificate-based signatures that are trusted whenever the signed document is opened in Acrobat 9 or Reader 9 and later. Both Acrobat and Reader access an Adobe hosted web page to download a list of trusted root digital certificates every 30 days. Any certificate-based signature created with a credential that can trace a relationship back to a certificate on this list is trusted. The trusted root certificates have been verified by Adobe and other authorities to meet specific technical requirements. They represent high assurance identity and signing credentials. The certificates include government and citizen credentials from across the world. In addition, they include credentials from global commercial certificate authorities and qualified certification service providers (CSPs) in Europe.
For details about this feature and why it is important for validating a signature, see the AATL web page at https://helpx.adobe.com/acrobat/kb/approved-trust-list2.html.
AATL is enabled by default. The list downloads when you first open or create a signed document, or access the various security preferences dialogs. You are asked to confirm whether automatic updates to the AATL are acceptable to you. Click Yes if you want to receive the updates.
Check with your administrator if your organization has turned off access to the AATL for some reason.
Select the option Load Trusted Root Certificates From An Adobe Server.
This option allows Acrobat or Reader to automatically download trust settings from an Adobe server. These trust settings ensure that the user or organization associated with the certificate has met the assurance levels of the Adobe Approved Trust List program.