The signer of the document in question uses an official p12 keystore issued by QuoVadis.
The receiving user then encounters a problem with the signature in Adobe Reader 11:
- The certificate chain is shown correctly
- The signer certificate shows the yellow warning flag saying: "The selected certificate has errors: Invalid policy constraint"
This causes a lot of problems in user environments now obliged to deal with signed documents.
Since we have absolutely no influence on all the various digital IDs out in the field, we have the following questions:
- Exactly what policy constraints hurt Adobe Reader, and why is this checked at all?
- What can/must we do on the signer's side to get a document signed with an official digital ID accepted in Adobe Reader?
- Is it reasonable to think a reader should accept an otherwise valid certification chain without threatening the innocent receiver with "Something wrong with document credibility"?
Thanks for your help
A CA may issue many different signing certificates, and a System Administrator may restrict which signatures signed with certificates issued by this CA should be accepted as Valid on particular Reader installations.
Policy constraints are set on individual Acrobat/Reader installations. Usually they are set by IT, but they can also be set manually by the users. When policy constraints are enabled, Reader validates only signatures signed with Digital IDs that meet the specified policy constraints. In Reader/Acrobat, policy constraints are specified per trusted root certificate. In Reader XI go to Edit->Preferences->Signatures, click on "More..." in "Identities & Trusted Certificates" and select "Trusted Certificates". In the list of trusted certificates select the root certificate of the chain in the problem signature and click the "Edit Trust" button. In the dialog that comes up select the "Policy Restrictions" tab. At the top it contains an explanation of what policy restrictions are.
Apparently the installations that exhibit this problem have some "Certificate policies" entered for the QuoVadis trusted root. When that happens, Reader will mark as Valid only signatures signed with QuoVadis-issued Digital IDs that include matching policy constraints. There is nothing you can do about it on the signer's side, because it is controlled by the preferences on the recipients' side.
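The check the answer describes, in a form an administrator can reproduce on the command line: the signer's certificate carries a Certificate Policies extension (a list of policy OIDs), and the recipient's installation compares those OIDs against the list entered under "Policy Restrictions" for the trusted root. The script below is an added example, not code from the thread, from Adobe or from QuoVadis. It uses the openssl CLI to build a throwaway self-signed certificate with a constructed policy OID (1.3.6.1.4.1.99999.1.2, not a real QuoVadis policy), extracts the policy OIDs from the certificate, and accepts the certificate only if one of them appears in a local allow-list. Reader's own matching logic is not public in this detail; the allow-list comparison here is a simplified model of the behaviour the answer describes, and the same extraction step can be run against a real signer certificate exported from the PDF to see which policy OIDs it actually carries.

```shell
#!/bin/sh
# Added example: model Reader's per-root "Policy Restrictions" check with openssl.
# Assumes the openssl CLI is installed; the policy OID below is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample policy OID (placeholder; a real CA policy OID would differ).
SAMPLE_POLICY_OID="1.3.6.1.4.1.99999.1.2"

# Generate a self-signed test certificate whose Certificate Policies extension
# lists the given OID. Prints the path of the PEM certificate.
make_test_cert() {
  oid="$1"
  cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Policy constraint test
[v3_ext]
certificatePolicies = $oid
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -config "$WORK/ext.cnf" -extensions v3_ext >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print the policy OIDs found in a certificate's Certificate Policies
# extension, one per line. Works on any PEM certificate, not just the test one.
cert_policy_oids() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'Policy: [0-9.]*' \
    | sed 's/Policy: //'
}

# Return 0 when at least one policy OID in the certificate is in the
# space-separated allow-list (the OIDs an admin entered for the trusted root),
# otherwise 1. An empty allow-list means "no restriction", so accept.
policy_allowed() {
  cert="$1"
  allowed="$2"
  [ -z "$allowed" ] && return 0
  for oid in $(cert_policy_oids "$cert"); do
    for a in $allowed; do
      [ "$oid" = "$a" ] && return 0
    done
  done
  return 1
}

# Stand-alone run: build the test certificate and evaluate it against two
# configurations, one that lists its policy and one that lists a different one.
CERT=$(make_test_cert "$SAMPLE_POLICY_OID")
echo "Policy OIDs in test certificate:"
cert_policy_oids "$CERT"
if policy_allowed "$CERT" "$SAMPLE_POLICY_OID"; then
  echo "root configured with matching policy: signature would be Valid"
fi
if ! policy_allowed "$CERT" "1.3.6.1.4.1.99999.9.9"; then
  echo "root configured with other policy: Invalid policy constraint"
fi
```

To inspect a real signer certificate, export it from the signature panel as PEM (or convert with `openssl pkcs12 -in file.p12 -clcerts -nokeys` for the signer's own p12) and pass it to `cert_policy_oids`; the OIDs printed are the ones that must appear in the recipient's Policy Restrictions list for that root.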