At one site we implemented a paperless workflow whereby users digitally signed PDF documents that had readers rights credentials (and generated by ADS).
The digitial 'signatures' that we generated and installed on the user's workstations were signed by our CA. One thing I was disappointed in was that we couldn't revoke a signature and make Adobe Reader show that that signature was no longer valid. However, this was some time ago, so maybe Adobe Reader now has some mecahnism to check for revoked certificates?