Adobe Reader 10 faces change in certificate validation algorithm

[Esmond Ivers]

I was studying the validation certificates of various softwares when I decided to check certificates of Adobe Products. So I studied certificate of Adobe Reader 10.1.1 and 10.1.2. I noticed that the algorithm used for validation of the certificates of both is very different. Even the digital signature on the certificates varies. What I observed was before Adobe Reader 10.1.2 no revocation checking is performed for a certificate marked as a trust anchor. Why has this change in certification done?

[Panop]

If you had studied the certificate validation of Adobe Reader from very earlier version than the change is not new. It was also applied in Adobe Reader 9.5. The main intention of this change is to protect users where Trust Anchors faces danger of being compromised. This algorithm provides bRevCheckTrust. When the trust anchor information is presented in form of certificate, the name included in the subject field is utilized as the trusted issuer name. The contents of the subjectPublicKeyInfo field is then treated as source for trusted public key algorithm and the trusted public key.

[Go!pee]

If you are studying the certificates for too long, let me explain you the concept of certificate validation algorithm in brief,

• Alice gets its certificate from CA Carl.
• Carl gets its certificate from CA Carl Root.
• Carl uses OCSP as revocation mechanism, that is, the certificate of Alice has an authority to access information pointing to the OCSP responder of Carl.
• That OCSP responder uses a OCSP signing certificate provide by CA Berta.
• Berta gets its certificate from CA Berta Root.
• Berta uses OCSP as revocation mechanism, that is, the OCSP signer certificate used by the OCSP responder of Carl has an authority to access information pointing to the OCSP responder of Berta.
• That OCSP responder now uses a OCSP signing certificate issued by CA Berta Root.

[QUENBY]

According to the algorithm explained in the above comment, Adobe reader 10.1.2 uses Alice’s certificate as trusted certificate. The certificated cannot be altered in any manner as Adobe Reader 10.1.2 cannot find a certificate path for Carl's OCSP signer certificate. In other case, the certificate of Alice and Carl's OCSP signer certificate are marked as trusted certificates. So even if someone alters the Alice certificate, computer can detect change using Carl's OCSP signer certificate. Same goes if someone tries to alter Carl's OCSP signer certificate.