Posts Tagged ‘CDS’

Should You Use SHA-2?

Tuesday, December 11th, 2012 | Bruce Morton

A common question we receive from certificate customers is whether they should ask Entrust to sign their certificates using the SHA-2 hash algorithm. Here is some information to help you make this decision.

What’s the purpose of the signature?

The signature is computed by the CA over a hash of the certificate's contents. An end-user validating the certificate verifies that signature with the CA's public key; a successful check shows both that the certificate was issued by a trusted certification authority (CA) and that its contents have not been altered since, and on that basis the user decides whether or not to trust the certificate.

The CA provides the signature and can choose from several cryptographic hash functions. MD5 was commonly used until it was found to have serious cryptographic flaws. SHA-1 is currently the most widely used hash function, and the industry is now moving to SHA-2 (a family that includes SHA-256, SHA-384 and SHA-512). There is also the newly selected SHA-3 hash function (Keccak), which may be deployed as a substitute for SHA-2 at a future date.
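The practical first step is to find out which hash your current certificate was signed with, which is recorded as the signatureAlgorithm OID inside the certificate. The following is an added example, not Entrust's or Adobe's code: a dependency-free Python walker over the DER structure that reports the hash and applies a simple "ask the CA for SHA-2" policy. The OID table is taken from the standard PKIX algorithm RFCs; the acceptable-hash policy is an assumption of this example; and the sample "certificates" it builds are constructed placeholders (filler TBS body and signature value) that exist only so the parser can be exercised offline.

```python
import base64
import sys

# Signature-algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758, mapped to
# (algorithm name, hash function). Anything not listed is reported as unknown.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption",    "MD5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-256"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       "SHA-384"),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512",       "SHA-512"),
}
ACCEPTABLE_HASHES = {"SHA-256", "SHA-384", "SHA-512"}   # policy assumed by this example


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos] (single-byte tags only).
    Returns (tag, value bytes, position just after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_hash_of_certificate(der):
    """Return (oid, algorithm name, hash name) from the outer signatureAlgorithm of
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, hash_name = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return oid, name, hash_name


def needs_resigning(der):
    """True when the signature hash is outside ACCEPTABLE_HASHES; MD5, SHA-1 and
    unrecognised algorithms all count as 'ask the CA to re-sign with SHA-2'."""
    return signature_hash_of_certificate(der)[2] not in ACCEPTABLE_HASHES


def load_certificate(raw):
    """Accept raw DER bytes or a PEM block."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in raw.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return raw


# --- Helpers that build CONSTRUCTED sample input (not real certificates) -----

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_certificate(sig_oid):
    """Constructed sample: the outer Certificate layout is right, but the
    tbsCertificate and signatureValue are filler, so it is not a valid certificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 129)          # >127 bytes, so the long-form length path is exercised
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # real use: python check_sig.py cert.pem
        der = load_certificate(open(sys.argv[1], "rb").read())
    else:                                    # demo on a constructed SHA-1 sample
        der = make_sample_certificate("1.2.840.113549.1.1.5")
    oid, name, h = signature_hash_of_certificate(der)
    print("%s (%s), hash %s, re-sign with SHA-2: %s" % (name, oid, h, needs_resigning(der)))
```

Run it against a real certificate file (DER or PEM) to see the hash the CA used; only the outer signatureAlgorithm is read, which is the one that matters for the question above, since it is the algorithm the CA actually applied.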

The main thing you need to understand about hash functions is that they are designed to be collision-resistant (it should be infeasible to find two different inputs with the same hash), preimage-resistant (given a hash, it should be infeasible to find an input that produces it) and second-preimage-resistant (given an input, it should be infeasible to find a different input with the same hash).

Why should I consider using SHA-2?

Attacks against a given cryptographic hash function only improve over time. MD2 and MD5 were formerly used, but are now known to be too weak for cryptographic use. The concern is that in the not too distant future the SHA-1 hash will also be found to be too weak. For certificate signatures the property that matters most is collision resistance: an attacker who can produce two different certificate bodies with the same hash can have the CA sign the benign one and reuse that signature on the other.
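To make the difference between the collision and preimage properties concrete, here is an added example (not from the original post) that runs the two generic attacks against a deliberately truncated SHA-1. The truncation to a few bits is an assumption of this example so that the searches finish in seconds; it says nothing about real 160-bit SHA-1, whose generic bounds are 2^80 for a collision and 2^160 for a preimage. The point it shows is that a birthday-style collision search costs roughly the square root of a preimage search, which is why collision resistance is the property that falls first.

```python
import hashlib
import math


def truncated_sha1(data, nbits):
    """Constructed toy: the top nbits of SHA-1 as an int, so the generic attacks
    below finish quickly. This is NOT SHA-1; real SHA-1 is 160 bits."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - nbits)


def find_collision(nbits):
    """Generic birthday attack: hash distinct messages until two share a
    truncated digest. Expected work is about sqrt(pi/2 * 2**nbits) hashes.
    Returns (message_a, message_b, trials)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_sha1(msg, nbits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def find_preimage(target, nbits, budget):
    """Generic (second-)preimage search by brute force: expected work is about
    2**nbits hashes. Gives up after `budget` trials and returns None."""
    for i in range(budget):
        msg = b"pre-%d" % i
        if truncated_sha1(msg, nbits) == target:
            return msg, i + 1
    return None


def expected_work(nbits):
    """Expected number of hash evaluations for each generic attack."""
    return {
        "collision": math.sqrt(math.pi / 2 * 2 ** nbits),
        "preimage": 2.0 ** nbits,
    }


if __name__ == "__main__":
    nbits = 24
    m1, m2, trials = find_collision(nbits)
    print("collision after %d trials: %r and %r share the top %d bits" % (trials, m1, m2, nbits))
    # Constructed target: the hash an attacker would need to match.
    target = truncated_sha1(b"certificate body to be forged", nbits)
    print("preimage within a 200000-trial budget:", find_preimage(target, nbits, 200000))
    w = expected_work(nbits)
    print("expected work: collision ~ %.0f hashes, preimage ~ %.0f hashes" % (w["collision"], w["preimage"]))
```

At 24 bits the collision appears after a few thousand hashes while the preimage search usually exhausts its budget; scaling nbits up shows the square-root gap widening, which is the same gap that separates the feasibility of collision attacks from preimage attacks on real hash functions.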

What are the hash attacks?


Adobe Code-Signing Certificate Compromised

Wednesday, October 3rd, 2012 | Bruce Morton

Adobe announced that it had received two malicious utilities signed with a valid Adobe code-signing certificate. The certificate was compromised through an attack on Adobe's code-signing system, not by theft of the private key itself.

Adobe will revoke the code-signing certificate on October 4, 2012; the revocation affects all code signed with it after July 12, 2012. A supporting security advisory has been issued.

The compromise of the code-signing certificate does not affect Adobe Certified Document Services (CDS) or any root certificate in the CDS system, so customers who have purchased CDS signing certificates are not impacted.

What is a Certified Document and when should you use it?

Wednesday, August 1st, 2012 | Bruce Morton

I found this article on the Adobe Security Matters website, What is a Certified Document and when should you use it? For those who need to certify documents, you may find it interesting.

As a quick summary, it states that there are two frequent use cases for Certified Documents:

  • You publish files and want recipients to know that the files really did originate from you and have not been accidentally or maliciously modified since you published them.
  • You distribute electronic forms with pre-populated information and want to make sure recipients are not accidentally or maliciously modifying your form data when returning the forms to you.

Entrust issues Adobe CDS signing certificates that help you meet Adobe's recommendations:

  • Make sure your signing certificate is trusted by your recipient community.
  • When certifying a document, make sure that all certificates in the trust chain are available on the signing system (desktop or server), so the full chain can be embedded in the signature.
  • When publishing a certified document with a digital signature, make sure you are online and able to reach the revocation information (CRL or OCSP) published by the certificate authorities, so that revocation status can be embedded at signing time.
  • Use an RFC 3161-based timestamp authority as part of the digital signature process, so the signature remains verifiable after the signing certificate expires.

Why Adobe CDS Certificates

Wednesday, August 4th, 2010 | Scott Shetler

Back in 2005, Adobe unveiled the Certified Document Services (CDS) program, under which digital IDs that chain to the Adobe Root certificate embedded in Adobe products are trusted automatically. Anybody who opens a PDF document signed or certified with a CDS credential sees a "blue ribbon" indicating that the signature is trusted, without any user interaction.

Lately, I’ve had many people ask me why they would use Adobe CDS signing certificates instead of one of many other methods to sign PDF documents…why not;

So, for starters, I ask our customers what they are looking for. Do you want people outside your organization (the general public) to trust the digital signature? If it’s just for internal users, and you don’t care about the visual indicator within the PDF format, then perhaps privately trusted certificates are fine for signing your documents. But if you do want the public to trust the digital signature, then you need a publicly trusted certificate, and not just any publicly trusted certificate: you need one where the root certificate is embedded inside Adobe Acrobat or Adobe Reader. That way, the document recipient can trace the root of trust and know that the signature is valid and trusted.

Now think about the dynamics of your recipient population. Do your users all have Adobe Acrobat or Reader v9 or greater? If not, then you need to use Adobe CDS certificates, because the root of trust is embedded in Adobe products all the way back to Adobe Acrobat and Reader v6. That means that upwards of 99% of your likely recipient population will be able to validate and trust the digital signature, and, when it comes right down to what you want, it means that more people will trust and therefore read the material you intend for them.

More flexibility, more trust, happier partners and customers!

PS. By the way, Entrust sells Adobe CDS certificates for a variety of scenarios, from individual signing to organizational automated signing processes. See our web site