Glossary
Key terms used throughout the VerifyKit documentation.
AATL (Adobe Approved Trust List) — A list of certificate authorities whose root certificates are trusted by Adobe Acrobat and Adobe Reader for PDF signature validation. Certificates that chain to an AATL root are trusted automatically in Adobe products; other verifiers trust them only if the same roots are present in their own trust store.
AIA (Authority Information Access) — An X.509 certificate extension that provides URLs for fetching the issuing CA's certificate (CA Issuers) and OCSP responder endpoints. VerifyKit uses AIA CA Issuers URLs to automatically resolve missing intermediate certificates when a PDF does not embed the full certificate chain. This feature is enabled by default (enableAIA: true) and can be disabled for air-gapped environments.
ASN.1 (Abstract Syntax Notation One) — A standard notation for defining data structures used in cryptography and telecommunications. X.509 certificates, CMS signatures, and OCSP responses are all defined using ASN.1 schemas. On disk and on the wire they are encoded with DER; PEM is the same DER bytes, base64-encoded for text transport.
ByteRange — A PDF signature dictionary entry giving the byte ranges of the file covered by the signature, as four integers [offset1 length1 offset2 length2]. A well-formed ByteRange starts at offset 0, ends at the end of the file, and leaves exactly one gap: the hex-encoded signature value in /Contents. Bytes outside the ranges are not protected by the signature, so VerifyKit checks that the ByteRange is syntactically correct and covers the whole file.
CMS (Cryptographic Message Syntax) — The standard format (RFC 5652) for digitally signed data used in PDF signatures. CMS is the modern name for PKCS#7 signed data. A PDF signature embeds a CMS SignedData structure containing the signature value, signer certificate, and signed attributes.
CRL (Certificate Revocation List) — A signed list published by a Certificate Authority containing the serial numbers of all certificates it has revoked. Clients download the CRL and check whether a certificate's serial number appears in it. CRLs can be large and are refreshed on a schedule set by the CA (from hourly to weekly); a CRL is only valid until its nextUpdate time, after which a fresh copy must be fetched.
CSP (Content Security Policy) — A browser security mechanism that restricts what resources a web page can load and execute. VerifyKit requires wasm-unsafe-eval in the CSP script-src directive to compile and run the WASM engine. See the Deployment guide for details.
DocMDP (Document Modification Detection and Prevention) — A PDF signature permission mechanism that restricts what changes can be made to a document after it is certified. A certification signature includes a DocMDP transform with a permission level (1 = no changes, 2 = form fill + sign, 3 = annotate + form fill + sign). VerifyKit exposes this as sig.mdpPermission. See also MDP Permission.
DER (Distinguished Encoding Rules) — A binary encoding format for ASN.1 data structures. X.509 certificates and CMS signatures are commonly stored in DER format. DER is the canonical encoding — the same data always produces the same byte sequence.
DSS (Document Security Store) — A PDF structure (ISO 32000-2) that stores validation-related data such as certificates, CRLs, and OCSP responses at the document level. DSS data enables long-term validation (LTV) by embedding all the information needed to verify signatures without network access. VerifyKit reads DSS data as part of its verification pipeline.
EKU (Extended Key Usage) — An X.509 certificate extension that specifies the purposes for which the certificate's public key may be used. For PDF document signing, the certificate should include the id-kp-documentSigning or id-kp-emailProtection EKU. VerifyKit checks this as one of its eight verification points.
ETSI (European Telecommunications Standards Institute) — The standards body that defines the PAdES (PDF Advanced Electronic Signatures) specification (ETSI EN 319 142). PAdES defines conformance levels (B-B, B-T, B-LT, B-LTA) for PDF signatures with increasing levels of long-term validation support.
LTV (Long-Term Validation) — A PDF signature that embeds all the data needed for future validation: the complete certificate chain, CRL or OCSP responses, and timestamps. Because the timestamp proves the signature predates the embedded revocation data, LTV-enabled signatures (PAdES B-LT and B-LTA) can still be validated after the signing certificate expires or the CA's OCSP and CRL services are decommissioned, without contacting them.
MDP Permission (Modification Detection and Prevention Permission) — The permission level set by a DocMDP certification signature. Level 1 disallows all changes, level 2 allows form filling and additional signatures, and level 3 allows annotations, form filling, and signatures. Available as sig.mdpPermission (1, 2, or 3) on PdfSignature. A value of null or undefined indicates an approval signature (no DocMDP restriction).
OCSP (Online Certificate Status Protocol) — A protocol (RFC 6960) for checking the revocation status of an X.509 certificate in real time. The client sends a request with the certificate's serial number to an OCSP responder, which returns good, revoked, or unknown. OCSP is lighter-weight than downloading a full CRL.
OID (Object Identifier) — A globally unique dotted-decimal identifier used in ASN.1 to identify algorithms, extensions, and policies. For example, 1.2.840.113549.1.1.11 identifies SHA-256 with RSA encryption. VerifyKit's oidToName() function maps common OIDs to human-readable names.
PAdES (PDF Advanced Electronic Signatures) — An ETSI standard (EN 319 142) that defines conformance levels for PDF digital signatures. VerifyKit detects and reports the PAdES level of each signature: B-B (basic), B-T (with timestamp), B-LT (long-term), and B-LTA (long-term archival).
PEM (Privacy-Enhanced Mail) — A text encoding format for cryptographic data, consisting of base64-encoded DER data wrapped between -----BEGIN ...----- and -----END ...----- headers. VerifyKit accepts PEM-encoded certificates when configuring the trust store.
PKCS#7 — The original name for the signed-data format now standardized as CMS (RFC 5652). PDF signatures embed PKCS#7/CMS signed data under the adbe.pkcs7.detached or adbe.pkcs7.sha1 sub-filters (the latter deprecated in ISO 32000-2), or under ETSI.CAdES.detached for PAdES signatures. See also CMS.
PKI (Public Key Infrastructure) — The framework of policies, procedures, and technology for managing digital certificates and public-key encryption. PKI enables trust through a hierarchy of Certificate Authorities (CAs) that issue and sign certificates. VerifyKit validates signatures by building a certificate chain from the signer to a trusted root CA.
RFC 3161 — The standard for trusted timestamping. An RFC 3161 timestamp token is a signed assertion from a Time Stamping Authority (TSA) that a given hash existed at a specific time. PDF signatures embed a token computed over the signature value, establishing when the signature was created and giving the PAdES B-T conformance level.
RSA (Rivest-Shamir-Adleman) — A widely used public-key cryptographic algorithm for digital signatures and encryption. Most PDF digital signatures use RSA with SHA-256 or SHA-512 as the hash algorithm. VerifyKit supports RSA, RSA-PSS, ECDSA, and EdDSA signature algorithms.
SHA-256 (Secure Hash Algorithm 256-bit) — A cryptographic hash function from the SHA-2 family that produces a 256-bit (32-byte) digest. SHA-256 is the standard hash algorithm for modern PDF signatures. VerifyKit's algorithm check flags weaker algorithms like SHA-1 and MD5 as warnings.
SSRF (Server-Side Request Forgery) — A security vulnerability where an attacker tricks a server into making requests to unintended destinations (e.g., internal network services). The VerifyKit revocation proxy includes SSRF protection via the urlFilter option to prevent the proxy from fetching internal URLs. See the Deployment guide for configuration.
TSA (Time Stamping Authority) — A trusted third-party service that issues RFC 3161 timestamps. The client sends the TSA a hash (for a PDF signature, the hash of the signature value); the TSA signs that hash together with the current time using its own certificate. Because the time comes from the TSA's clock rather than the signer's computer, the embedded timestamp is trustworthy evidence of when the signature was made.
WASM (WebAssembly) — A binary instruction format for a stack-based virtual machine, designed as a portable compilation target for languages like Rust and C++. VerifyKit's core verification engine is written in Rust and compiled to WASM, enabling near-native performance in browsers and Node.js without native dependencies.
X.509 — The ITU-T standard for public-key certificates. An X.509 certificate binds a public key to an identity (subject) and is signed by a Certificate Authority (issuer). PDF digital signatures include the signer's X.509 certificate and optionally the full certificate chain. VerifyKit parses and validates X.509 certificates as part of its eight-point verification model.