What is the difference between software and hardware based certificates in regard to the Adobe Approved Trust List (AATL)?
The Adobe Approved Trust List (AATL) is a program that enables people to sign documents in Adobe Document Cloud solutions and have that signature trusted globally. When a document is signed with an AATL-approved certificate, the recipient of the signed document can trust the certificate* automatically, avoiding the time-consuming process of manually downloading and installing the certificate's root chain locally, which would otherwise be required to authenticate the signature.
In short, AATL certificates allow anyone to validate a digital signature, on any device, at any time!
IdenTrust CA is a current AATL Member and authorized to issue AATL-enabled certificates.
AATL certificates must be issued on password-protected devices that are FIPS 140-2 Level 2 or higher compliant, such as HID Global USB tokens and HID Global smart cards. This requirement provides two-factor authentication (2FA), since signing requires both the device itself and its password, and also provides additional security, because the certificate's private key cannot be exported from the hardware device; this removes the risk of the key being copied and misused by bad actors. Because of this requirement, only hardware certificates, which are stored on a token or smart card, are included on the AATL.
Software certificates, which are stored directly on the computer itself, do not meet the requirements for inclusion on the AATL.
*AATL signatures are auto-trusted only when the recipient is using Adobe products. If the recipient uses another product, they will need to follow that product's manual process to trust the signature.