Certain revoked Digital Signatures which in Acrobat and Reader versions prior to 9.1 displayed as invalid, now display as valid signatures in Acrobat and Reader 9.1
Issue
Certain revoked Digital Signatures which in Acrobat and Reader versions prior to 9.1 displayed as invalid, now display as valid signatures in Acrobat and Reader 9.1
Reason
In Acrobat and Reader 9.1, default Digital Signature preferences have changed in order to reflect best practices regarding long-term signature validation strategy. In previous versions of the product, Acrobat and Reader would default to the 'current' time to check the validity of a signature if the products did not find an embedded third-party timestamp. However, this produced situations where certificates could be revoked days, weeks or months after the signature was applied (when theoretically the certificate was still valid), yet Acrobat or Reader would display the signature as invalid because it was checking revocation at the time the document was opened, as opposed to when it was signed. The same result might occur if the certificate expired.
In Acrobat and Reader 9.1, the default signature validation time has been changed to the time of signature, or more accurately, ‘Secure time, else signing time.’ This will provide users with a more accurate portrayal of the validity of the certificate at the time of signing.
But it also means that, as well as trusting the signature, you are also trusting the time at which the document was signed. It is possible for a signer to change their system date to a time when a certificate was valid and then sign the document, which would lead to a misleading validation result. Hence, Adobe suggests signatures be configured to use time stamp servers to provide the time for signatures.
Acrobat and Reader 9.1 also now have the ability to embed long-term validation and revocation information (CRLs / OCSPs / Timestamps) into the document after signature. Additionally, expired timestamps (after signature) are now accepted by default.
Solution
In order to return to the original behavior of Acrobat 9.0 and earlier, change the following preferences:
To access these preferences go to Edit>Preferences>Security>Advanced Preferences
1. Under the Creation tab, 'Include signature's revocation status...' in 9.1.x is enabled by default.
Untick this option to restore Acrobat/Reader 9.0 behaviour.
2. Under the Verification tab, the 'Verification Time' has changed from 'Secure Time' to 'The time at which the signature was created.'
To restore Acrobat/Reader 9.0 and earlier behaviour, set this option to 'Secure Time'.
3. Also under Verification Time a new option has been added: 'Use expired Timestamps'.
Untick this option to restore Acrobat/Reader 9.0 behaviour.
Note that while this will return the status of certain signatures back to a revoked status, it may not reflect upon the true status of these certificates at the time of signing.
Changing these settings via the registry:
1. To disable 'Include signature's revocation status...' via the registry:
Reader:
Change HKCU\Software\Adobe\Acrobat Reader\9.0\Security\cASPKI\cAdobe_LTVProvider\bIsEnabled: 0x00000001
to HKCU\Software\Adobe\Acrobat Reader\9.0\Security\cASPKI\cAdobe_LTVProvider\bIsEnabled: 0x00000000
Acrobat:
Change HKCU\Software\Adobe\Adobe Acrobat\9.0\Security\cASPKI\cAdobe_LTVProvider\bIsEnabled: 0x00000001
to HKCU\Software\Adobe\Adobe Acrobat\9.0\Security\cASPKI\cAdobe_LTVProvider\bIsEnabled: 0x00000000
2. To change from 'Secure Time' to 'The time at which the signature was created', via the registry:
Reader:
Change HKCU\Software\Adobe\Acrobat Reader\9.0\Security\cPPKHandler\iSigVerificationTime: 0x00000002
to HKCU\Software\Adobe\Acrobat Reader\9.0\Security\cPPKHandler\iSigVerificationTime: 0x00000001
Acrobat:
Change HKCU\Software\Adobe\Adobe Acrobat\9.0\Security\cPPKHandler\iSigVerificationTime: 0x00000002
to HKCU\Software\Adobe\Adobe Acrobat\9.0\Security\cPPKHandler\iSigVerificationTime: 0x00000001
3. To turn off 'Use expired Timestamps' via the registry:
Reader:
Change HKCU\Software\Adobe\Acrobat Reader\9.0\Security\cASPKI\cAdobe_TSPProvider\bUseExpiredTimestamps: 0x00000001
to HKCU\Software\Adobe\Acrobat Reader\9.0\Security\cASPKI\cAdobe_TSPProvider\bUseExpiredTimestamps: 0x00000000
Acrobat:
Change HKCU\Software\Adobe\Adobe Acrobat\9.0\Security\cASPKI\cAdobe_TSPProvider\bUseExpiredTimestamps: 0x00000001
to HKCU\Software\Adobe\Adobe Acrobat\9.0\Security\cASPKI\cAdobe_TSPProvider\bUseExpiredTimestamps: 0x00000000
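As an added example (not part of this Adobe note), the PowerShell below audits the three registry values listed above for both Reader and Acrobat in the current user's hive and, when run with -Restore, sets them to the 9.0 values the note gives. It assumes Acrobat or Reader 9.x is installed for the current user and that the HKCU: drive is available; the key paths and value names are taken from the note.

```powershell
# Added example, not Adobe's code: audit (and optionally restore to 9.0 behaviour)
# the signature-validation registry values described in this note.
param([switch]$Restore)

$products = @{
    'Reader'  = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\Security'
    'Acrobat' = 'HKCU:\Software\Adobe\Adobe Acrobat\9.0\Security'
}

# Subkey, value name, 9.1 default, and the value that restores 9.0 behaviour (all from the note)
$settings = @(
    @{ Key = 'cASPKI\cAdobe_LTVProvider'; Name = 'bIsEnabled';            Default91 = 1; Legacy90 = 0 },
    @{ Key = 'cPPKHandler';               Name = 'iSigVerificationTime';  Default91 = 2; Legacy90 = 1 },
    @{ Key = 'cASPKI\cAdobe_TSPProvider'; Name = 'bUseExpiredTimestamps'; Default91 = 1; Legacy90 = 0 }
)

foreach ($product in $products.Keys) {
    foreach ($s in $settings) {
        $path = Join-Path $products[$product] $s.Key
        # Missing key or value means the product is absent or the built-in default applies
        $current = (Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($null -eq $current) {
            "{0}: {1}\{2} not set (product not installed or built-in default in use)" -f $product, $path, $s.Name
            continue
        }
        $state = switch ($current) {
            { $_ -eq $s.Default91 } { '9.1 default' }
            { $_ -eq $s.Legacy90 }  { '9.0 behaviour' }
            default                 { 'unexpected value' }
        }
        "{0}: {1} = 0x{2:X8} ({3})" -f $product, $s.Name, $current, $state
        if ($Restore -and $current -ne $s.Legacy90) {
            Set-ItemProperty -Path $path -Name $s.Name -Value $s.Legacy90 -Type DWord
            "  -> set to 0x{0:X8}" -f $s.Legacy90
        }
    }
}
```

Without -Restore the script only reports, so it can be used to confirm which validation time and revocation settings a user's Reader or Acrobat is currently applying.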
Doc ID
(cpsid_49170)
Last updated
2009-05-13
OS
Windows (All)
Mac OS (All)