There are two reasons for filtering certificate information within a form's code:
- To control the certificate information displayed when users select a signature identity
- To limit the number of certificates displayed when users select a signature identity
Typically users have more than one digital certificate on their computers. They acquire the certificates from various Certificate Authorities, using different signature engines, and each certificate may have a different purpose. As a result, the Viewer often presents a long list of signing identities when users want to sign a form. If a form has specific signing requirements, form designers should ensure that the Viewer displays all the information necessary to enable users to select the correct signing identity, while limiting extraneous data. Alternatively, designers could limit certificate choices so that the Viewer only displays applicable signing identities.
There are two types of certificate filters:
filter is easiest method of controlling the certificate information that is displayed to the user. It allows you to specify the information displayed to users so that they can easily choose the correct signing certificate. On the other hand, filteridentity
filters are much more difficult to create for the public, because they filter for precise values. When you create forms for use by the general public you are unlikely to know the details of their digital certificates. Filteridentity
filters require exact matches, including spelling, case, and punctuation. Unfortunately, CryptoAPI and NSS certificates use different strings to report the same information, preventing an exact match by both signature engines. As a result, certificate filtering for precise values is only useful when the signer's digital certificate contains predictable information. In other words, organizations may choose to specify which certificates sign in-house documents, but it is not practical to filter for specific values when creating forms that will be signed by the public.