Digital Signatures and Document Security Terms


A deprecated Adobe Profile Format file.


A Microsoft format for digital IDs often stored in the Windows Certificate Store. These IDs can be used by Windows programs as well as the Acrobat product family.


A file format that conforms to PKCS#12.


A file format that conforms to PKCS#7.


A file format that conforms to PKCS#7.


A file format that conforms to PKCS#12.


Adobe Acrobat Trust List


Attribute certificate

Acrobat’s Public Key Infrastructure Library

A standalone PKI toolkit written in C++ with the intention of being completely portable and usable in different applications, including but not limited to, Acrobat and GUI-less servers. ASPKI supports RFC 3280 and NIST compliant chain building and path validation, including support for cross certificates and multiple chains; multiple revocation protocols like CRL (RFC3280) and OCSP (RFC2560); time stamping (RFC3161); and embedded revocation information along with a signature to achieve signature archival.


Advanced electronic signatures

Adobe Approved Trust List

An Adobe program designed to facilitate trust in PDF signatures by downloading a list of trusted, high assurance root and ICA certificates to Acrobat and Reader. See

Adobe LiveCycle Rights Management Server

Adobe LiveCycle Enterprise Suite (ES) is a SOA J2EE-based (Java 2 Enterprise Edition) server software product from Adobe Inc. used to build applications that automate a broad range of business processes for enterprises and government agencies.

Adobe Policy Server

As of Acrobat 9, Adobe Policy Server is renamed to Adobe LiveCycle Rights Management Server.

Adobe Profile Files

Adobe’s legacy certificate format not used after Acrobat 5. The certificates are stored in .apf files. This format is not supported as of version 9.0.

advanced electronic signatures

A type of electronic signature described in the European Union Signature Directive. Differentiated from a Qualified Electronic Signature in that it may not use a QEC.


authority information access


Association for Information and Image Management


Adobe LiveCycle Rights Management Server

approval signature

A signature used to indicate approval of, or consent on, the document terms. Acrobat and Reader recognize both approval and certification signatures.


Adobe Policy Server


Acrobat’s Public Key Infrastructure Library

Association for Information and Image Management

AIIM is a non profit community that provides education, research, and best practices to help organizations find, control, and optimize their information as well as understand the challenges associated with managing documents and business processes.

attribute certificate

A file that contains the supplemental attributes and extension that is bound to a PKC, but does not itself contain any key data.

authority information access

An extension that is part of a PKC which contains information on how to access either PKC’s of issuing certificate(s) (least used) or where to access OCSP revocation information which is what this extension is primarily used for.

basic constraint

An extension within a public key certificate that defines whether or not the certificate has been issued to a CA.


certificate authority (CA)


Cryptographic Message System Advanced Electronic Signatures




Certified Document Services (CDS)

CDS digital ID

A digital ID issued by a Certified Document Services provider.

CDS digital ID certificate

CDS digital ID


European Committee for Standardization.


That part of a digital ID that contains the public key. Certificates are shared among participants of signature and certificate security workflows in order to verify participant identities.

certificate authority (CA)

An entity which issues digital certificates for use by other parties. It is an example of a trusted third party. CAs are characteristic of many PKI schemes.

certificate revocation list (CRL)

CRL is a method that public key infrastructures use to maintain access to cached or networked lists of unexpired but revoked certificates. The list specifies revoked certificates, the reasons for revocation (optional), and the certificate issue date and issuing entities. Each list contains a proposed date for the next release. Acrobat’s CRL revocation checker adheres to RFC 3280 and NIST PKITS except for delta CRLs.

certification signature

A digital signature applied using an individual digital ID or organizational digital ID for the purpose of establishing the authenticity of a document and the integrity of a document’s content, including its appearance and business logic.

certified document

A document to which a certification signature has been applied.

Certified Document Services (CDS)

An Adobe program where commercial CA’s create a subordinate or ICA below that chains to the Adobe Root certificate. As the Adobe Root is automatically trusted by Acrobat and Reader v6.0 and above, signatures made with credentials that chain to it are also similarly trusted.

certify or certifying

The act of applying a certification signature to a document using the Acrobat “Certify” feature. Certifying helps establish document authenticity as well as the integrity of its content, including its appearance and business logic.

Click thru signature

A type of electronic signature where the signer is indicating their agreement with terms and indication to sign the document / process by clicking on a button, which might say “I accept.” Typically, an audit log of the event is kept for evidentiary purposes and authentication may or may not be required. Sometimes a server applied digital (certification) signature may be applied after the click thru process to protect the integrity of the document.


Cryptographic Message Syntax


certificate revocation list (CRL)

Cryptographic Message Syntax

A syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content which is described in RFC 3369.

Cryptographic Message System Advanced Electronic Signatures

An EU Advanced Signature Format relying on CMS signatures, as described in ETSI TS 101 733.

cryptographic service provider

Application software that allows it to use MSCAPI to communicate with cryptographic module APIs such as PKCS#11 modules, PFX files, and so on


cryptographic service provider


Certificate Service Provider. Alternate term for CA.

digest method

A hash algorithm used to create a one way hash of data. Acrobat supports six digest methods; MD5, SHA1, SHA256, SHA384, SHA 512, and RIPEMD 160.

digital ID

An electronic representation of data based on the ITU-T X.509 v3 standard, associated with a person or entity. It is often stored in a password-protected file on a computer or network, a USB token, a smart card, or other security hardware device. It can be used for digital signatures and certificate security. “Digital ID” is sometimes used interchangeably with “certificate”; however, a certificate is only one part of a digital ID which also contains a private key and other data.

digital signature

An electronic signature that can be used to verify the identity of the signer through the use of public key infrastructure (PKI) technology. Signers need a digital ID and an application capable of creating a signature.

digital signature algorithm

An encryption algorithm used to create a digital signature created by NIST as defined by FIPS 186.

digitally sign

To apply a digital signature using a digital ID.

document integrity

In signing workflows, document integrity refers to whether or not what was signed has changed after signing. That is, what the signer signed should be reproducible and viewable on the document recipient’s end. For the document recipient to validate a signature, its important to determine to what document or what document version that signature applies. See message digest.


digital signature algorithm


European Commission.


end entity certificate (EE)


Electronic Exchange of Social Security Information.


electronic ID

electronic signature

Generic term. Generally defined as an electronic process which intrinsically links some tag (data, voice, image, key) to content that is being signed, is linked to the signer, and is generally capable of detecting changes in the document signed. A digital signature is a type of electronic signature, as are click thru and signature image.

embedded JavaScript

JavaScript that exists within a document rather than that which is executed from the JavaScript Console or through a batch process.

embedded validation response

Information from the digital ID issuer that was used to apply the digital signature and that indicates if the digital ID was valid when the signature was applied. If the digital ID was valid and no one has tampered with the document, the signature will have a status of VALID. Once the digital ID expires or is revoked, it won’t be possible to determine if the signature was valid at the time it was applied unless there is an embedded revocation response.

end entity certificate (EE)

The last element of a signing chain. By definition, an end entity certificate does not contain the basic constraint value CA, and is issued to an individual or a pseudo entity (e.g. a department or organization).


European Telecommunications Standards Institute.


ETSI/Electronic Signature and Infrastructure Technical Committee.


European Union.

EU Experts Group

A generic term used widely within the EU. Of particular interest is the EUEG on Electronic Procedures.

EU Signature Directive

Directive 1999/93/EC on a Community Framework for Electronic Signatures. Established a Framework for Electronic Signatures and Standards in the European Union.

European Union Trust List

An Adobe program designed to facilitate trust in PDF signatures by downloading a list of trusted, high assurance root and ICA certificates to Acrobat and Reader. See


Federal Information Processing Standards: These are publicly announced standards developed by the United States Federal government for use by all non military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, IOS, etc.).

FIPS 140

Federal Information Processing Standard 140: Standard which defines increasing levels of assurance for hardware and software based devices and applications for storing private keys. Level 1 is the lowest assurance, and level 4 is the highest, requiring devices to self‐destruct and ‘zeroize’ themselves if they are compromised in any way.

hardware security module

While actually a generic term for any hardware device designed to securely store digital IDs, HSMs in common parlance are rack mounted servers or hardened PCI cards which are designed for higher security and higher volume cryptographic operations.

hardware token

A hardware device (typically a smart card or USB device) that contains the user’s digital ID(s) and requires a password or other authentication method to access those IDs for the purpose of signing.


hardware security module


intermediate certificate authority (ICA)


Interoperable Delivery of European eGovernment Services to public Administrations Businesses and Citizens individual digital ID: A digital ID issued to an individual to digitally sign as them self (e.g. John Smith) as opposed to an organization or other non‐human entity.

individual digital ID

A digital ID issued to individuals so that they can identify themselves during a digital signature process (e.g. John Smith) as opposed to an organization or other non-human entity.

intermediate certificate authority (ICA)

A type of CA characterized by the fact that the ICA’s certificate may itself be signed by a different ICA, all the way up to a ‘self-signed’ root certificate. Certificates in between the end entity and root certificates are sometimes called “intermediate certificates” (ICAs) and are issued by the CA or ICAs underneath the CA.


International Standards Organization.


Information Communication Technologies.

long term validation

The validation of a digital signature after certificate(s) associated with the signature has expired.


long term validation

message digest

Before Acrobat or Adobe Reader can verify if a document the signed version of the document has changed or not (has integrity), it must first have a way to uniquely identify what was signed. To do this, it uses a message digest. A message digest is a number which is created algorithmically from a file and which uniquely represents that file. If the file changes, the message digest changes. Sometimes referred to as a checksum or hash, a message digest is simply a unique number created at signing time that identifies what was signed and is then embedded in the signature and the document for later verification.


Member State (one of the EU countries)


Windows Microsoft Crypto API (MSCAPI) is the API that the application uses to access cryptographic service providers such as PFX files and PKCS#11 files. MSCAPI is also used by the application anytime it uses a Windows security feature.

National Institute of Standards

A non regulatory agency of the United States Department of Commerce’s Technology Administration. The institute’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.


National Institute of Standards


online certificate status Protocol (OCSP)

online certificate status Protocol (OCSP)

OCSP defines a protocol for determining the revocation status of a digital certificate without requiring a CRL. Unlike CRL, OCSP obviates the need to frequently download updates to keep certification status lists current. Acrobat’s OCSP revocation checker adheres to RFC 2560.

organizational digital ID

A digital ID issued to an organization or non‐human entity (for example, the Adobe Public Relations Department). It can be used by an authorized employee / process to perform signing operations, at the desktop or server, on behalf of the company.


PDF Advanced Electronic Signatures

PDF Advanced Electronic Signatures

A five part standard (ETSI TS 102 778) which describes how to use the digital signature features of the Portable Document Format (PDF) to meet EU signature requirements.


public key certificate


A group of Public Key Cryptography Standards authored by RSA Security


Public key Cryptography Standard #11: A Public key cryptography Standard published by RSA Laboratories defining an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions.

PKCS#11 device

External hardware such as a smart card reader or token. It is driven by a module (a software driver such as a .dll file on Windows).

PKCS#11 digital ID

An ID on a PKCS11# device. A device may contain one or more IDs.

PKCS#11 format

Cryptographic Token Interface Standard: An encryption format used by smart cards, tokens, and other PKCS#11-compatible devices. The ID is stored on the device rather than on the user’s computer.

PKCS#11 module

The software module that drives a PKCS#11 device.

PKCS#11 token

PKCS#11 device.


Public Key Cryptography Standard #12: Personal Information Exchange Syntax Standard that specifies a portable, password protected, and encrypted format for storing or transporting certificates. The certificates are stored in .pfx (Windows) and .p12 (Macintosh) files. Unlike other formats, the file may contain private keys.


Public Key Cryptography Standard #7: A Public key cryptography standard published by RSA Laboratories that defines the syntax/format for a digital signature. This format extends PKCS#1 information to include timestamps, digital certificates and more. Files with .p7b and .p7c extensions are registered by the Windows OS. If you double click on a .p7c file it will be viewed by a Windows application. Replaced by CMS.


Public Key Cryptography Standard #9 (of #15 produced by RSA) Selected Object Classes and Attribute Types. Defines attributes that PKCS#7 uses.


public key infrastructure

point of single contact

The point of single contact for a member state.

Policy Server

As of Acrobat 9, Adobe Policy Server is renamed to Adobe LiveCycle Rights Management Server

Private key

The secret key in a PKI system, used to validate incoming messages and sign outgoing ones. A Private Key is always paired with its Public Key during those key generations.

privileged context

A context in which you have the right to do something that’s normally restricted. Such a right (or privilege) could be granted by executing a method in a specific way (through the console or batch process), by some PDF property, or because the document was signed by someone you trust. For example, trusting a document certifier’s certificate for executing JavaScript creates a privileged context which enables the JavaScript to run where it otherwise would not.


point of single contact

public key

The publicly available key in a PKI system, used to encrypt messages bound for its owner and to validate signatures made by its owner. A Public Key is always paired with its Private Key during those key generations.

public key certificate

A file that contains the numeric public key portion of a public/private key pair along with the associated extensions and attributes that are used to define who the certificate is for, what its validity period is, and how the certificate can be used.

public key infrastructure

Term that includes all the CSPs, Certificates, and standards for encryption and digital signatures using public/private key pairs. Also, an arrangement that provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates.


qualified electronic certificate


qualified electronic certificate


qualified electronic certificate


qualified certificate service provider

qualified certificate service provider

A CSP that has met the high assurance requirements spelled out in the EU Signature Directive as well as the implementing Member State’s legislation, and provides credentials under a high assurance mechanism that includes secure signature creation devices.

qualified electronic certificate

A digital certificate from a QCSP that conforms to the RFC 3739 specification. It contains a qc statement that simply states that it is a qualified certificate. These types of certificates meet the requirements of the EU Signature Directive.

qualified electronic signatures

Electronic signatures made by an secure signature-creation device with a QEC provided by a QCSP.

roaming ID

A roaming ID is a digital ID that is stored on a server. The private key always remains on the server, but the certificate and its public key can be downloaded at the subscriber’s request to any location. Roaming IDs require an Internet connection and require the user to authenticate to the server to initiate the signature process. They eliminate the need to provide hardware tokens to users for private key storage.

root certificate

The top-most issuing certificate in a certificate chain; sometimes used as a trust anchor.


An encryption algorithm used to create a digital signature. The acronym derives from the creator’s last names. In this case Rivest, Shamir and Adelman.

Secure Identity Across Borders Linked (STORK)

An EU project to better leverage cross-border trust and usage of eIDs.

secure signature creation device

A high assurance hardware device (smart card, USB token, etc) that stores the private key associated often with a QEC.

security restricted property or method

A property or method whose availability is restricted to certain events such as batch processing, console execution, or application startup. For example, in Acrobat 7.0, a security-restricted method (S) can only be executed through a menu event if one of the following is true: The JavaScript user preferences item “Enable menu items JavaScript execution privileges” is checked or the method is executed through a trusted function. The JavaScript for Acrobat API Reference identifies the items that have restrictions.

signature algorithm

The combined usage of a digest method (e.g. MD5, SHA1) and an encryption algorithm (e.g. DSA or RSA)

signature image

A type of electronic signature where the signer signs a document by physically applying their handwritten signature to a document using a dedicated signature pad or Tablet PC and plugin to Acrobat or Reader. These signatures may also digitally sign the document at the time of signing to protect integrity.


secure signature creation device

STF 364

Special Task Force #364 Group in ETSI/ESI working on PDF AdES or PAdES.


Secure Identity Across Borders Linked: An EU project to better leverage cross-border trust and usage of eIDs.


subordinate certificate authority

subordinate certificate authority

A type of CA characterized by the fact that the ICA’s certificate may itself be signed by a different ICA (thus ‘subordinate’ to it), all the way up to a root certificate.


A digitally signed timestamp whose signer vouches for the existence of the signed document or content at the time given as part of the digital signature. The time stamp data can be embedded in the digital signature using a trusted time server (instead of the time clock of the computer that is used to apply the digital signature). See also TSP.


See trust list.

Trust (Trust service) Status List

As described in ETSI TS 102 231, a format and method for communicating in human and machine readable form all of the certificates trusted by each member state and their QCSPs.

trust anchor

A certificate in a certificate chain that is trusted for selected operations. It could be an intermediate certificate authority rather than a root; that is, it does not have to be the topmost certificate in the chain. Certificates that chain up to this certificate will also be trusted for the same operations. It is usually issued by a 3rd party certificate authority.

trust list

A list of trusted CA’s and certificates.


See timestamp.


See Trust (Trust service) Status List.


A timestamp protocol which is described in RFC 3161.


In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) for single sign-on (SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.


See XML Advanced Electronic Signatures.

XML Advanced Electronic Signatures

An EU Advanced Electronic Signature Format relying on XML signatures, as described in ETSI TS 101 903.