Adobe Approved Trust List (AATL)

What is it?

The Adobe Approved Trust List is a program that allows millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Adobe® Acrobat® 9 or Reader® 9 software and later. Essentially, both Acrobat and Reader have been programmed to reach out to a web page to periodically download a list of trusted "root" digital certificates. Any digital signature created with a credential that can trace a relationship ("chain") back to the high-assurance, trustworthy certificates on this list is trusted by Acrobat and Reader 9 and later.

How does it work?

Certificate authorities (CAs) — entities that provide digital signing credentials to other organizations and users — as well as governments and businesses that provide certificates to their citizens and employees can apply to Adobe to join the AATL program by submitting application materials and their root certificates (or another qualifying certificate). After verifying that the applicant's services and credentials meet the assurance levels imposed by the AATL technical requirements, Adobe adds the certificate(s) to the Trust List itself, digitally signs the Trust List with an Adobe corporate digital ID that is linked to the Adobe Root certificate embedded in Adobe products, and then posts the list to a website hosted by Adobe.

Adobe products that support the AATL will automatically download this file every 90 days.(1) Before the contents are deposited into the client's Trusted Identity list, the AATL is verified to ensure it came from Adobe.

Afterwards, when any user of AATL supported products receives a digitally signed document from a signer whose digital certificate can trace its lineage (chain) back to a certificate on the AATL, that signature will automatically be trusted.

How do I enable this feature?

If you are using Acrobat or Reader 9, you don’t need to do anything. This feature is enabled by default when you install these products, and the Trust List is automatically updated every 90 days.(1)

If you want to verify that the Trust List is enabled, choose Edit ("Acrobat" on Mac) > Preferences > Trust Manager and be sure that the "Load trusted root certificates from an Adobe server..." checkbox is selected (see image below). You can click the Update Now button in that same dialog box to download the latest version of the Trust List from Adobe. Please read the User FAQ for more information and additional instructions on how to take advantage of the AATL.

[Image: Preferences screenshot]

Why is this feature important?

When you receive a digitally signed document, both Reader and Acrobat ask three key questions to validate the signature:

  1. Is the digital certificate that signed the document still valid? Has it expired or been revoked?
  2. Has the document been changed since it was signed? Has the integrity of the document been affected? If there are changes, are they allowed changes or not?
  3. Finally, does this certificate chain up to a certificate listed in the Trusted Identity list? If so, the signature will be trusted automatically.

The answers to the first two questions are handled by Acrobat and Reader based on an analysis of the information contained within the certificate and the signed document itself. However, it's the answer to the third question that has always posed a challenge to the electronic signatures marketplace. How do you know if you can trust a digital signature? What aspects of the signer's digital certificate/credential should be noted? How important is verifying the signer's identity, and how critical is the storage of the signing key itself?
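The three questions can be modelled as a small decision procedure. This is an added example, not Adobe's code: it uses a simplified certificate record instead of parsed X.509, identifies trusted certificates by subject name, and leaves out signature cryptography and the permitted-change rules. The result labels "trusted", "unknown" and "invalid", and all sample names, dates and document bytes, are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:                      # simplified model, not a parsed X.509 certificate
    subject: str
    issuer: str                  # equals subject for a self-signed root
    not_before: datetime
    not_after: datetime
    revoked: bool = False

def chains_to_trusted(leaf, pool, trusted):
    """Question 3: follow issuer links until a listed certificate or a dead end."""
    seen, cert = set(), leaf
    while cert is not None and cert.subject not in seen:   # 'seen' stops issuer loops
        if cert.subject in trusted:
            return True
        seen.add(cert.subject)
        cert = None if cert.issuer == cert.subject else pool.get(cert.issuer)
    return False

def validate(doc, signed_digest, leaf, pool, trusted, now):
    cert_ok = leaf.not_before <= now <= leaf.not_after and not leaf.revoked  # question 1
    intact = hashlib.sha256(doc).hexdigest() == signed_digest                # question 2
    if not (cert_ok and intact):
        return "invalid"
    return "trusted" if chains_to_trusted(leaf, pool, trusted) else "unknown"

# Constructed sample data: names, dates and document bytes are made up.
def utc(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)

ROOT = Cert("Example Root CA", "Example Root CA", utc(2005), utc(2030))
ISSUING = Cert("Example Issuing CA", "Example Root CA", utc(2008), utc(2020))
ALICE = Cert("Alice", "Example Issuing CA", utc(2009), utc(2012))
MALLORY = Cert("Mallory", "Unlisted Root", utc(2009), utc(2012))
POOL = {c.subject: c for c in (ROOT, ISSUING, ALICE, MALLORY)}
TRUSTED = {"Example Root CA"}    # stands in for the downloaded Trusted Identity list
DOC = b"constructed contract text"
DIGEST = hashlib.sha256(DOC).hexdigest()   # digest recorded at signing time
NOW = utc(2010)

if __name__ == "__main__":
    print(validate(DOC, DIGEST, ALICE, POOL, TRUSTED, NOW))         # chain reaches the list
    print(validate(DOC + b"!", DIGEST, ALICE, POOL, TRUSTED, NOW))  # changed after signing
    print(validate(DOC, DIGEST, MALLORY, POOL, TRUSTED, NOW))       # no listed ancestor
```

A signature that passes the first two checks but has no listed ancestor comes back as "unknown" rather than "invalid", which is the gap the Trust List is meant to close.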

Adobe understands that the relying party must be free to make its own trust decisions based on its unique circumstances. Adobe products feature several different ways in which to set this trust:

However, Adobe has also been looking at ways to help relying parties make this determination and in so doing make the process of using digital signatures that much easier. The Adobe Approved Trust List is simply the latest in these efforts.

How does this program compare with the CDS program?

Back in 2005, Adobe unveiled the Certified Document Services (CDS) program, which automatically trusts new digital IDs that are chained to (part of the family of) the Adobe Root certificate embedded in Adobe products. Anybody who opens a PDF document signed or certified by a CDS credential automatically gets a "blue ribbon" with trust provided to the signature without any user interaction. CDS credentials are backwards compatible from the current generation of Acrobat and Reader all the way back to version 6.

Five certificate authorities currently offer CDS certificates. These certificates are required to meet a high standard for assurance, and they feature additional capabilities including the embedding of robust timestamping and real-time revocation to provide for the long-term validation of digital signatures. The CDS program is the key to document certification efforts at the U.S. GPO, the Antwerp Port Authority, and many other organizations that want to use high-assurance signatures to protect the integrity and authorship of key electronic documents.

While the high-level benefits of the Adobe Approved Trust List program are similar, the AATL is only available in Acrobat and Reader 9 at this time. It is not backwards compatible. However, existing certificate communities, such as government eID programs, can join the Trust List, as the chain to the Adobe Root certificate is not required.

Please contact Adobe to get more information on which program would be best for your application.

Why would my organization want to join?

If you represent an organization or government that already has a significant investment in digital certificates (that is, hundreds of thousands of users), and these certificates are being used to sign PDF documents, then you already know the importance of trust and how confusion over a digital signature can lead to support calls, questions, and general uneasiness about using a digital signature. The AATL program provides an easy way for all your certificate holders, assuming they meet the technical requirements, to sign documents confidently, knowing that recipients will not only get the cost savings and a resulting "green" benefit from staying with an electronic document, but also the integrity-checking and trusted green checkmark/blue ribbon experience when they open the document.

How do I get an AATL-enabled signing credential?

Adobe does not sell these credentials but manages the program by which these credentials are trusted. To purchase AATL-enabled certificates, contact one of the members listed below. Also check the list to see if your organization may already be a part of the AATL.

Join now

If your organization is interested in joining the AATL, please review the supporting documents and click the link for the region in which you reside to contact an Adobe representative:

AATL supporting documents

AATL sample documents(2)

AATL supported products

Adobe products with AATL validation features(3)

Adobe products with authoring features(4)


Current AATL members

  • DigiNotar
    • DigiNotar Qualified CA
  • GBO.Overheid — Netherlands
    • Staat der Nederlanden Root CA — with certificate policies defining secure hardware
    • Staat der Nederlanden Root CA — G2 — with certificate policies defining secure hardware
  • GlobalSign
    • DocumentSign CA
  • Keynectis
    • ICS CA
  • SwissSign
    • SwissSign Platinum CA — G2
  • TC Trustcenter/ChosenSecurity
    • CA 7:PN
    • CA 8:PN
  • U.S. Federal Common Policy Root
    • Common Policy — 2010 expiry — Common Hardware, Common High, Medium HW CBP
    • Common Policy — 2027 expiry — Common Hardware, Common High, Medium HW CBP
  • VeriSign
    • Class 3 Intermediate Non-Federal SSP — Medium-Hardware

Notes:
  1. This 90-day timer is active if you open a digitally signed document, sign a document yourself, or access the signature functionality of the product. If you never perform these actions, the AATL will not be downloaded to your computer until you do so.
  2. Must have AATL enabled and downloaded.
  3. AATL validation features are the features within an Adobe product that allow a user not only to check the integrity of a digitally signed document and the validity (expiration, revocation) of a digital certificate, but also to validate that the digital certificate (and associated private key) used to sign a PDF document is chained (linked) to a certificate on the AATL.
  4. Authoring features are the features within an Adobe product that allow a user to digitally sign a document with a digital certificate, including an AATL-chained certificate. Note that practically any Adobe product that is capable of digitally signing a document can be used to sign a document with an AATL-linked digital certificate.
