
Security Matters: Digital Signatures and PKI Archives

News, views, and other informal discussions about Adobe Systems Information Assurance initiatives that protect information by ensuring their authenticity, integrity, confidentiality/privacy, and non-repudiation. Digital Rights Management (DRM), Information Rights Management (IRM), digital signatures, Public Key Infrastructure (PKI), and identity management will be discussed frequently for Adobe applications and file formats.

February 29, 2008

"Trust Us!" - Electronic Signatures and Assurance

Tags: electronic signature, digital signature, assurance, authentication, document integrity, eSignature

This entry continues our “What is an Electronic Signature, Anyway?” educational series. Merriam-Webster defines assurance as “something that inspires confidence” and “freedom from self-doubt or uncertainty.” When you receive an electronic document, how do you know it’s the document the author intended you to receive? Likewise, if that document is an electronically-signed contract, how do you know who actually signed it? How do you know the other party didn’t change the document after you sent it? Assurance, as you can see, is critical to trusting the work that we store, put or send online. Electronic signatures can provide a way to enhance your confidence in these documents in a paperless environment.

We can break down the most significant aspects of electronic signature assurance into the following components:

Authentication

Authentication deals with how a user verified him or herself to the signing system. The more complex the type of authentication and the more ‘factors’ of authentication you combine, the higher the level of assurance becomes. Did they simply click a button or did they first have to enter a username and password?
Authentication to a system is stronger if a user must present both a physical device (token or smart card) and a PIN or password to the system - a combination known as ‘two-factor authentication.’ Handwritten eSignatures inherit some level of assurance from their historical wet ink cousin. Even biometric technology could be added to the picture, requiring persons to present ‘something they are,’ like a fingerprint or iris, to verify themselves.

Identity Vetting

Identity vetting, or identity verification, answers the question, “How did the system arrive at trust in this signer?” In other words, how did an organization or system grant a signer her signing credential or access to the signing system? The intensity of this process can help to define assurance. Is the signer being asked to appear in person and present multiple forms of government ID, or are they simply required to enter their name and click “OK”? The more intense the scrutiny, the better the level of assurance.

Integrity

Integrity is one of the key capabilities of an electronic signature. An electronic signature often includes the capability to “fingerprint” or hash a document so that a recipient can verify that a signed document was not changed post-signature. Integrity can be achieved in a number of ways. Some methodologies use cryptographic calculations, like a signed hash and digital signature embedded in a document verifiable by the reader of a document, to achieve integrity. Other systems may offer integrity through secure archiving of original electronic documents and a strong audit trail of events that lead to the signature event itself.

Validity

Validity, or put another way, the legitimacy of the user’s signing credential or access at the time of signature, is another critical aspect of assurance.
The user may be who he says he is, and may have used the proper methods for authentication, but what if their signing credential had been revoked before the time of signing because the user was fired from their organization? Signing systems offering higher levels of assurance should be able to establish validity at the actual time of signing.

Time of signing

The time of signing is the final key element of assurance in electronic signatures. A PC clock may be modified to fraudulently indicate time of signing, and thus a trusted third party clock can provide more assurance.

Not all electronic signatures are equal, however, when it comes to assurance. The following diagram shows a stereotypical breakdown of assurance compared with average cost.

You can see that click-through electronic signatures inhabit the low end of the spectrum and multi-factor authenticated digital signatures occupy the high ground. But not everything is as it seems. If certain pieces of the assurance puzzle are missing, the arrangement above could be completely scrambled.

For example, you may have a digital signature system that requires the user to possess a device that requires both their fingerprint and a PIN code in order to sign a document. On its face, this looks pretty secure. But what if the system used to provide the user with the signing credential (a digital ID) never checked into that user’s identity? Bob Smith could be signing in the name of Adobe's CEO and no one would be any wiser.

Coming from the other direction, you might imagine a contract workflow that only requires a button click to process a signature. This seems low assurance at first glance. But if we add fingerprint authentication, strong identity vetting (in-person proofing), and a secure infrastructure in which the documents are processed and stored, one could argue the assurance of this system surpasses other technologies.
In the end, you will need to educate yourself and ask questions about the assurance capabilities of the electronic signature systems you intend to deploy. The choice of an electronic signature method comes down to a decision about what you’re trying to protect and provide assurance to. Simple travel expense reports do not require significant assurance measures, but multimillion dollar contracts definitely would. Interoffice memos proclaiming a new copier in the mailroom don’t require much assurance, but critical government documents like the US Federal Budget do.

The next in our “What is an Electronic Signature Anyway?” series will focus on the legal admissibility of electronic signatures and the laws that govern their use.

Posted by John B Harris at 11:39 AM

February 21, 2008

“So what is an electronic signature anyway?”

As I reviewed the blog entries here from my fellow Adobe Security Solutions teammates, I realized that with all of the gory technical information, we may have lost some of you, our dear readers. With this entry, we’ll start a new series of articles that move the conversation up to a high-level, out of the dense fog of acronym warfare, and explain from a business user’s point of view what all this stuff means and how it can be useful for you in your organizations’ daily business processes.

So...electronic signatures. We’ve variously mentioned digital signatures, eSignatures, electronic signatures, and signature odors. Ok, well, not the last one, but to start, I’ll suggest that we use electronic signature as a generic term. Electronic signatures can be defined as any electronic process signifying an approval to terms, and/or a document, presented in electronic format. Electronic signatures frequently also have the added benefit of ensuring the integrity of the signed document to signify that (1) the document has not been changed since it was signed and (2) the signer cannot ‘repudiate’ or claim that they did not sign the document.
Electronic signatures encompass a broad gamut of technologies and methodologies, ranging from an “I agree” button in a click-thru agreement, to an electronic tablet which accepts a handwritten signature (oftentimes referred to as an eSignature), to a digital signature cryptographically tied to a digital ID or certificate.

They can be used for internal approval processes for things as simple as time-off requests, for more formal documentation and acceptance of account opening terms in a branch office of a bank, for signing off on critical infrastructure planning documents, and to protecting the reputation of a country’s electronic documents by certifying authorship and the integrity and status of the document itself.

Organizations choose electronic signatures for many reasons. Among them:

• Workflow Efficiency - It’s faster for someone to click a button or enter a password than to route a document to them through interoffice mail or courier.
• Save Money - By going electronic, you eliminate the cost of paper, printing, and courier services.
• Document Integrity – Organizations publish vast amounts of material to the internet, but are now becoming increasingly concerned about what happens to those documents in the wild. It’s critical to reputations and revenue that documents are not modified to create a false or fraudulent impression of the organization.

You’ll notice that many of these reasons mirror those that accompanied the rise of the electronic document and form in the first place. This is not accidental — electronic signatures are a natural extension of the movement to electronic documents. Many companies have gone fully electronic only to come to the signature step and require customers to print out documents which are signed in wet ink and then sent via the mail to be re-entered into a system. This is neither efficient, nor timely, nor a good use of resources.
Electronic signatures, at their core, represent a vital way to leverage a company’s assets and increase savings based on key technology investments.

Adobe supports all of the electronic signatures described above via our LiveCycle® ES suite as well as our Adobe® Acrobat® and Adobe Reader® client software packages. Adobe’s Security Partner Community plays an essential role as well, supplying key components for electronic signature solutions. Adobe is also a member of the Electronic Signatures and Records Association, a new organization which seeks to expand knowledge on both electronic signature and records and also play an active role in public policy on these topics.

In our next ‘tutorial’ entry, we’ll explore the question of assurance in electronic signatures.

Posted by John B Harris at 10:34 AM

February 04, 2008

Digital Courtroom: Tribunale di Cremona

A new case study is available showcasing Tribunale di Cremona, one of the Courts within the District of Tribunale di Brescia, using Adobe Connect with Adobe LiveCycle solutions to support an end-to-end process for holding legal proceedings with dispersed parties and efficiently delivering all required case documents.

In addition to supporting dynamic web conferences with streaming audio and video, Adobe solutions deliver other benefits to the Digital Connect project. For instance, the court can store court papers for each trial in Adobe PDF; plus staff can handle documents remotely and securely via digital signature authentication. These capabilities are handled by Adobe LiveCycle solutions to address the need to assign policy controls to protect documents.

“These features are critical,” says Beluzzi. “A trial transcript can be shared among participants, downloaded, digitally signed just as if participants were physically next to each other.
In addition, the transcript goes through a workflow and is automatically added to the remaining court papers.”

The project is the result of a productive collaboration with Adobe. First electronic court papers, then web conferencing-based court trials give the Italian justice system a new image: fast, efficient, and on time.

“By collaborating with Adobe and using products such as Adobe Policy Server, Adobe LiveCycle Workflow, and Adobe Connect, the court is designing a powerful system that can be replicated in other areas without customization,” says Beluzzi. “This is important because it allows Tribunale di Cremona to achieve great results with limited efforts, without developing ad hoc software.”

The Court has documented the excellent cost benefits of the system. The total cost of training and traveling for detainees and lawyers is about €467,000 a year. Using Digital Connect to perform trials and to train employees could save the Court over €1 million in three years.

Posted by John Landwehr at 10:01 PM

US Government Printing Office Deploys Digital Signatures for FY2009 Budget

Today the United States Government Printing Office (GPO) deployed digital signatures in Adobe PDF for the release of The Budget of the U.S. Government, Fiscal Year 2009.

The Executive Office of the President, Office of Management and Budget (OMB) released a statement stating this is the first time the White House will not order hard copy versions of the budget, and has instead posted the budget online as fully searchable PDF documents.

With an estimated total of nearly 2,200 pages in the four-book budget set, and a projected order of more than 3,000 copies for the media, Capitol Hill and the White House, the E-Budget will have a “green” focus above and beyond the fiscal sense. This step will save nearly 20 tons of paper, or roughly 480 trees. In terms of fiscal savings, we estimate the E-Budget will save nearly a million dollars over the next five years.
GPO has implemented a new digital seal of authenticity for their PDF documents, including today's release of the FY2009 budget:

For almost 150 years, the U.S. Government Printing Office (GPO) has been the official disseminator of Government documents and has assured users of their authenticity. In the 21st century, the increasing use of electronic documents poses special challenges in verifying authenticity, because digital technology makes such documents easy to alter or copy, leading to multiple non-identical versions that can be used in unauthorized or illegitimate ways. To help meet the challenge of the digital age, GPO has begun implementing digital signatures to certain electronic documents on GPO Access that not only establish GPO as the trusted information disseminator, but also provide the assurance that an electronic document has not been altered since GPO disseminated it. The visible digital signatures on online PDF documents serve the same purpose as handwritten signatures or traditional wax seals on printed documents. A digital signature, viewed through the GPO Seal of Authenticity, verifies document integrity and authenticity on GPO online Federal documents, at no cost to the customer.

More information on GPO's authentication program is available at http://www.gpoaccess.gov/authentication/

Opening the Nation's Fiscal Outlook from GPO Access with Acrobat 8.1.1 on Windows XP SP2:

Opening the Nation's Fiscal Outlook with Acrobat 8.1.1 on Mac OS X 10.5.1 (Leopard):

The digital signatures on the GPO documents automatically validate with Adobe Acrobat and Adobe Reader version 7 and higher on Mac and Windows, via the Certified Document Service (CDS) program. No additional software or configuration is required to validate CDS signatures. There are several ways recipients can verify the signature status.
First is the document message bar across the top of the document, showing the certifying blue ribbon as well as information contained in the signer's certificate:

The left navigation panel also has an icon of a pen over paper, which brings up the digital signature pane, showing additional information on the document signature:

Clicking on the GPO document seal in the PDF will also bring up the Signature Validation Status:

Clicking on that Signature Properties button above provides even more detail of the signature, including the authenticity, integrity, and timestamping indicators - with the ability to drill down deeper to review revocation status, certificate chaining, and other security information associated with the signature.

For digital signatures to automatically validate in Acrobat and Reader, the Public Key Infrastructure (PKI) certificates must have been issued by a Certificate Authority (CA) participating in the CDS Program. These CAs comply with the Adobe CDS Certificate Policy. This is a program Adobe released in 2003 with Acrobat and Reader 6. The CA/Browser Forum released a program with similar intentions for web browser SSL sites in 2007.

Certifying signatures can be applied to PDF documents on the desktop using Adobe Acrobat, or on the server using Adobe LiveCycle Digital Signatures. Recipients' approval signatures can also be applied using Adobe Acrobat or Adobe Reader (via Adobe LiveCycle Reader Extensions) and then subsequently validated on the server with Adobe LiveCycle Digital Signatures as part of an automated workflow process.

Adobe Systems has been providing security technologies in PDF for over a dozen years. Adobe uses FIPS 140 approved cryptography, has been approved by the US Department of Defense, and certified by the SAFE BioPharma Association. Adobe's security solutions are also supported by a strong partner ecosystem to extend the native capabilities of authentication through hardware and software integration.
Posted by John Landwehr at 08:52 AM

January 02, 2008

Demo: Certified Documents in Adobe PDF

Here is a demonstration of a PDF document that has a certifying signature plus four recipient signatures from four different certificate authorities that are part of Adobe's Certified Document Services (CDS) program. The demonstration PDF is available for download for Adobe Acrobat and Adobe Reader version 6 and higher.

In v8 and higher, you will see a status bar across the top, indicating the valid document certification:

followed by the recipient signatures from each of the CAs:

For long term digital signature validation, each of these signatures also includes an embedded OCSP response for the certificates in the chains and RFC3161 timestamps. This shows that the certificates were valid at the time of signing - even if the document is subsequently opened after certificate expiration or revocation.

Posted by John Landwehr at 11:30 PM

December 10, 2007

Document Integrity Takes a Big Leap Forward with Expansion of Adobe’s CDS Program

The amazing proliferation of PDF files—over 1 billion at latest estimate—combined with the ubiquity of the internet and online information makes it critical that document creators and document readers consider the authorship and integrity of documents we trust on a daily basis as sources of information, conduits for personal data (forms), and, truly, receptacles for corporate and organizational reputation.

Let’s consider the “pump and dump” stock scams that have occurred over the past few years. By creating false press releases, fraudsters were able to ‘pump’ up the price of a stock by creating fake, positive news items for the company, and then ‘dump’ before the scam was discovered and the company's reputation damaged. This type of fraud is but one possibility. When you fill out and submit information in a PDF form online, do you ever check for the authorship of the document?
Who’s to say the form wasn’t modified to send your personally identifiable information (PII) to the government office AND to an identity thief at the same time? What about corporate annual reports? Government laws and regulations? Analyst reports? Licensing documentation?

Several years ago, Adobe recognized these threats, and worked with GeoTrust (acquired last year by Verisign) to create the Adobe Certified Document Services program alongside the release of Acrobat® and Reader® 6.0. By joining this program, interested individuals and organizations were required to submit to a strong identity vetting process to make sure they were who they said they were, and then would be issued a credential (digital certificate) on a hardware token (USB or smart card device). When used with the Adobe software, an author could choose to ‘certify’ a document upon authoring. Once certified with a CDS credential, the document’s integrity, authorship, and even time and date of creation would be embedded with the document. And because the credential was provided under Adobe’s high assurance policies, the digital signature is automatically trusted in both Acrobat and Reader v6.0 and above, giving the recipient an immediate notification of the document’s integrity with a blue ribbon and bar at the top of the window.

Now, Adobe has partnered with three additional credential Providers for the CDS Program: Chosen Security, GlobalSign and Keynectis. This program expansion will substantially enhance the standing and awareness of the CDS program, while at the same time offering a broader range of services to all aspects of the marketplace through innovative services and solutions.
In addition, these companies, as well as current CDS member Verisign, have a global footprint, which means that the document integrity capabilities offered by these CDS Providers, and built into Adobe Acrobat and Reader, will benefit documents created throughout the world.

Posted by John B Harris at 07:49 AM

November 25, 2007

Adobe's history of content protection

Every once in a while, someone asks "How long has Adobe offered content protection?" Turns out, Adobe's information assurance efforts have been ramping up for over a dozen years. Adobe provides security features in numerous products and also provides dedicated security solutions such as LiveCycle Digital Signatures and LiveCycle Rights Management. Here's a brief history:

Adobe's history of content protection started with Acrobat 2.0 in 1994. At the time, this was simple 40-bit RC4 password-based encryption and digital rights management (DRM) to restrict who can open the document and what they can do with it.

Acrobat 4.0 in 1999 added support for Public Key Infrastructure (PKI) enabling a single PDF document to be protected for multiple recipients, with different permissions based on their own keypair. Depending on who opened the document, printing, modification, and clipboard actions are enabled/disabled. This release was also the first to add digital signatures using PKI. This was important for paper documents to move to digital with an opportunity for higher levels of assurance than a pen could provide on paper with a wet signature (ink) by utilizing cryptographic protections of authenticity, integrity, and non-repudiation.

Acrobat 5.0 added support for 128-bit RC4 encryption for stronger levels of confidentiality.

Acrobat 6.0 added support for the Microsoft CryptoAPI (CAPI) so the keypair could be stored in the Windows certificate store or, through a Crypto Service Provider (CSP), on smartcards and other tokens.
In 2005, Acrobat and Reader 7.0 shipped along with LiveCycle Policy Server and Security Server. AES128 encryption was added to PDF. The enterprise rights management capabilities of Policy Server integrate with an organization's LDAP or Active Directory. A policy coupled with an information classification such as "Insider Restricted" restricts who can open the document, what they can do with it, and also provides enterprise auditing measures. Absolute (e.g. on 12/31) and relative (e.g. 7 years from document creation) expiration dates can be set to automatically expire documents. All these permissions in a policy are dynamic and can change after the document is published - to add or delete users, change permissions, or even revoke the document entirely. This revocation feature is used by many to enable version control outside a repository, so as a document is changed on the server all distributed copies of that document are automatically revoked, providing the recipient with a notification to go back to the server for a current version. Visual watermarking capabilities on PDF are able to show the policy name, recipient opening the document, and the date/time. Acrobat and Reader 7.0 were also US Department of Defense (DoD) certified by the Joint Interoperability Test Command (JITC). The LiveCycle Security Server provided the ability to apply and validate digital signatures as well as encrypt and decrypt documents in an automated business process. Flash Media Server 2 provided protected streaming capabilities for delivering video to Flash Player.

As we wrap up 2007, there has been a lot going on over the last 12 months. Acrobat, Reader, and LiveCycle shipped with new FIPS 140 approved encryption libraries. LiveCycle Rights Management (formerly Policy Server) now supports native Microsoft Office documents as well as Dassault CATIA.
LiveCycle Digital Signatures (formerly Security Server) provides XML signature support as well as certified documents and is integrated with automated forms and document generation processes. Adobe's rights management has been integrated into hardware devices such as Multi Function Peripherals (MFPs) from Ricoh and others. Third party software vendors including PTC and Hitachi/Lattice3D are integrating Rights Management into their native applications. Adobe Media Player is in public pre-release with support for content protection on downloadable and offline Flash video.

What about 2008 and beyond? Stay tuned for more entries as Adobe's security solutions expand to protect even more aspects of the information lifecycle - independent of storage, independent of transport, across operating systems and file formats.

Posted by John Landwehr at 09:32 AM

November 17, 2007

Electronic Signature and Secure Forms in the Insurance Industry

Karen Pauli from the Tower Group recently published a research note on progress and opportunities with electronic signatures and secure forms in the Insurance Industry. Summary from the report:

Electronic commerce is no longer a "nice-to-have" capability. A more global business model demands that carriers adopt capabilities for moving documents electronically. Consumers are becoming less tolerant of paper-based transactions because of both the time and volume required. Insurance business processes are bound by many legal requirements, and fulfilling those requirements in a cost-effective and documented way is a critical concern for the insurance industry. The ever-increasing demand to establish competitive advantage and deal with pervasive problems related to fraud and compliance requires new and creative solutions. Electronic signature technology has enterprise applicability to address all these issues.
Insurance carriers must transition away from traditional paper-based, wet-signature processes and adopt secure document and electronic signature technology. The technical complexity may appear daunting, but technology solutions providers and experts in the marketplace can partner with carriers to overcome this hurdle. The legal barriers have been eliminated by ESIGN and UETA enactment. The pen is now on the Web, and the time is right for carriers to reach out and grab it.

Posted by John Landwehr at 08:18 PM

July 10, 2007

eIDs: A Foundation for Digital ID Success

Making PKI, and in turn, digital certificates (digital IDs), work in today’s marketplace involves several critical factors:

• a strong commitment to the technology;
• a well thought-out system for provisioning of digital IDs to users;
• the availability of tools to use and employ the digital IDs; and
• applications which deliver a potent value proposition and benefit to the end user.

The deployment of electronic identity cards with on-board digital IDs represents a powerful new front in the effort to address these issues and bring PKI to the masses. These cards, commonly known as eIDs, put a government-issued ID in a smart card (“chip card”) form factor. The smart card provides several critical advantages over other types of card technologies, particularly in the realm of security and privacy. In addition, the smart card has an inherent capability to protect and utilize a citizen digital ID. The citizen can then use this digital ID, working in coordination with digital ID-friendly applications such as internet browsers and Adobe® Reader® or Acrobat®, to digitally sign tax forms, securely log on to government benefit sites, access resources, etc., all easily over the internet. Not only does this save the citizen time and money in interacting with the government, it can also dramatically save governments money and response times on delivery, paper handling, data entry, and production costs.
Learn more about the benefits of eIDs and how Adobe can deliver extended value to these deployments in this white paper, “eID cards: Improving trust and reducing the cost of e-government transactions,” posted on the Adobe Government website at: http://www.adobe.com/government/pdfs/eid_cards_wp.pdf

Posted by John B Harris at 05:34 AM

June 11, 2007

Arcot Announces Two Factor Authentication in Flash Player and Apollo/AIR

Arcot, a member of Adobe's security partner community, just announced their Flash-based two-factor browser authentication solution as well as support of Adobe Integrated Runtime (which was also announced today as available in beta, and formerly codenamed Apollo). Arcot's "software smartcard" solution provides greatly improved simplicity and security for consumer logins to online applications.

Usernames and passwords alone have reached the end of their useful life for protecting valuable online transactions because they are often reused by consumers across sites, easily guessed, and subject to phishing. While today's web browsers provide PKI authentication using SSLv3 client authentication, there is not a consistent or friendly user experience across browsers and operating systems to provision and utilize the necessary PKI credential. That's why you often hear PKI = Painful Key Infrastructure instead of Public Key Infrastructure.

Arcot has developed a seamless provisioning and utilization of PKI credentials in the form of an ArcotID. While the user logs in with their existing username/password, a SWF in the browser is providing PKI authentication behind the scenes using a locally stored credential in the form of an ArcotID.
The ArcotID Flash client is part of WebFort, Arcot's two-factor authentication system for large enterprises in financial services, healthcare and other industries facing increasing regulatory pressure to protect and verify end-users’ identities, such as those from the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA).

Posted by John Landwehr at 08:21 AM

June 03, 2007

Adobe Unveils LiveCycle Enterprise Suite

Adobe Systems today introduced Adobe LiveCycle Enterprise Suite (ES), an integrated family of software for more securely automating processes that help businesses and governments engage with customers, citizens, employees, partners, and suppliers. With LiveCycle ES, organizations can deliver applications that are easier to interact with. This enables companies to better communicate with people who may be frustrated with, or confused by, on-line procedures, and are likely to abandon transactions, resorting to higher cost avenues such as in-person visits or phone assistance. By transforming processes such as account enrollment, claims processing or guided self service into engaging applications, businesses and governments can improve customer service, decrease costly cycle times, and manage information faster, more accurately, and more securely.

LiveCycle ES includes scalable solution components to build, manage and optimize business critical processes. Information assurance capabilities are provided by LiveCycle Rights Management ES and LiveCycle Digital Signatures ES.
Click below for more information on:

* New features in LiveCycle Rights Management ES
* New features in LiveCycle Digital Signatures ES
* Adobe LiveCycle ES Platform Support

Posted by John Landwehr at 09:59 PM

What's new in Adobe LiveCycle Digital Signatures ES

Adobe LiveCycle Digital Signatures ES (formerly Adobe LiveCycle Document Security) lets you use digital signatures to preserve the integrity and authenticity of a document as it is transferred among users within and beyond the firewall, when it is downloaded offline, and when it is submitted back to your organization. With Digital Signatures ES, you can automate the process of bulk certifying and signing documents, as well as validating signatures in documents that are submitted back to your organization.

Key features

Digital Signatures ES can apply security features to any PDF document whether it is generated by other Adobe server products, on a desktop by Acrobat, or even by a third-party solution. Because PDF documents can contain any type of information, such as text, audio, and video files, you can use Digital Signatures ES to secure any type of information that is saved in a PDF document. Digital Signatures ES can apply the appropriate security features through automated business processes or programmatically through the API:

Certification and Approval signatures: Specify digital signing of documents so that recipients can validate the authenticity and integrity of the content. Digital signatures can be applied individually or in batches by using digital certificates from third-party vendors. With digital signatures applied, documents maintain authenticity even when archived.

Signature validation: Specify signature validation so that your organization can verify the authenticity of returned documents it receives. When digitally signed documents are received, Digital Signatures ES can open the document and validate it based on its signature status.
How Digital Signatures ES secures a document

In a typical Digital Signatures ES process, a developer creates an application that retrieves a PDF document from a specified repository, applies a digital signature by using a credential (private key) in a specified keystore (including HSMs), encrypts the document with a password, and sends the document to several specified recipients by email. In another example, a custom application created by using the Java API may get a series of documents, apply a digital signature to all of them, and distribute them online through the web to a number of specified locations.

This new LiveCycle Digital Signatures ES release offers many new features, including:

Signing operation: The signing operation lets you control several aspects of digital signatures used in a document. When designing a PDF document, you can define the following items:
● The appearance of the digital signature when it displays on the document
● The signature algorithm used for signing
● The properties set in signature profiles used while signing
● Embedded revocation checks in the signature field property

Signature field creation: Digital Signatures ES supports seed values through the Signature APIs that are defined in the PDF 1.7 specification. You can create these using LiveCycle Designer 8.0 or 8.1.

Signature validation: Digital Signatures ES supports several new signature validation features:
● Validation of XML digital signatures
● Configuration of revocation check failover from OCSP to CRL, and from CRL to OCSP
● Enhanced Signature Status information that can be used when developing business processes
● RFC 3280-compliant validation, and support for specifying path validation options at runtime
● Per-invocation control of the verification time and of the revocation check styles used for revocation checks (rather than a global setting)
TrustStore configuration: Digital Signatures ES now uses the TrustStore repository as the database in which security data is stored. Trust chains are dynamically added to the TrustStore repository without requiring a restart of the server.

New API functionality: The following new APIs enable granular control over signature processing: ClearSignature(), ClearSignatureField, RemoveSignatureField. The Signing Profile can also be controlled using the API (seed values). You can also use the API to specify a policy OID for each trust anchor.

Added standards compliance: Digital Signatures ES now supports the following standards:
● XML digital signature standards (http://www.w3.org/TR/xmldsig-core)
● SHA-2 family of hash algorithms
● RFC 3280 certificates and certificate revocation lists

Support for FIPS mode: You can enable the Federal Information Processing Standards (FIPS) option, restricting data protection to FIPS 140-2 approved algorithms, using the RSA BSAFE Crypto-J 3.5.2 encryption module with FIPS 140-2 validation certificate #590.

Configure service attributes in a web-based interface: You can configure Signature service attributes in the Archive Administration area of the LiveCycle Administration Console. For example, you can set up watched folders and endpoints for service invocation, and configure remote APIs and parameters for processing.

Posted by John Landwehr at 08:39 PM | Permalink

April 29, 2007

U.S. Department of Defense to Deliver eForms with Adobe LiveCycle

Adobe Systems Incorporated today announced that the United States Department of Defense’s (DoD) Forms Management Program has licensed Adobe Acrobat Professional and Adobe LiveCycle software. The new solution will help automate processes and streamline operations by providing fillable forms to all DoD entities, including the Army, Navy, Air Force, Marines, Coast Guard and Joint Chiefs of Staff, as well as the Office of the Secretary of Defense and Defense Agencies.
“Government agencies and militaries around the world are realizing the benefits of Adobe solutions and tools to deliver services to their constituents,” said Eugene Lee, vice president of vertical and solutions marketing at Adobe. “By incorporating Adobe’s software, the DoD Forms Management Program will be able to easily institutionalize automated processes that allow DoD officials to meet their mission requirements faster and more effectively.”

The DoD Forms Management Program will provide nearly 1,000 electronic PDF forms across the military, ranging from officer commissions to facilities, medical claims, purchasing and accounts payable. DoD constituents will be able to electronically fill, save, digitally sign and submit Department of Defense (DD) and Secretary of Defense (SD) forms using the free Adobe Reader that is present on every desktop. By applying a digital signature with their Common Access Card (CAC), DoD users will be able to save time and minimize the need for hard copies.

“By leveraging the free Adobe Reader that already exists on DoD desktops, we aren't forcing our users to download additional software,” said Robert Cushing, Program Manager for the DoD Forms Management Office. “Additionally, our DD and SD forms become more portable and user friendly in field environments. The Adobe LiveCycle solution will provide an efficient and cost-savings addition to the DoD Forms Program.”

Adobe Acrobat and Adobe Reader desktop software has been certified by the US DoD JITC.

Posted by John Landwehr at 09:30 PM | Permalink

April 09, 2007

DoD Certification of Acrobat and Reader 8

The United States Department of Defense Joint Interoperability Test Command (JITC) has certified both Adobe Acrobat and Adobe Reader version 8. Many programs supporting Department of Defense missions require security services, such as authentication, confidentiality, non-repudiation, and access control.
The JITC certification demonstrates compliance with DoD policy and gives confidence that the applications are properly and securely using Public Key Infrastructure. Here are the direct links for certification of Adobe Acrobat and Adobe Reader. Certification was also achieved for Acrobat and Reader version 7.

Posted by John Landwehr at 07:09 AM | Permalink

April 03, 2007

Acrobat and Reader Security Docs

If you're looking for more details on how digital signatures, encryption, and other security features work in Adobe Acrobat and Adobe Reader, here are some good resources updated for v8:

Document Security User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 2.2 MB)
This document describes how to configure and use the application user interface, register a digital ID for use in Acrobat, and manage other people's public key certificates within your system.

Digital Signature User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 3 MB)
This guide describes the digital signature features of the Acrobat 8.x family of products, both for Adobe Acrobat and Adobe Reader Version 8 users and for security administrators.

Adobe Acrobat 8 for Microsoft Windows Group Policy and the Active Directory service (PDF, 378 KB)
This document describes using Group Policy to deploy Acrobat 8 or Adobe Reader 8 products on a Windows network.

Sharing Acrobat settings and data with FDF files in Acrobat 8 (PDF, 456 KB)
Learn how to use FDF files to exchange data between the Acrobat family of client and server products.

Posted by John Landwehr at 08:18 PM | Permalink

March 26, 2007

Faster, cheaper, and more secure mortgages

Two announcements today on electronic mortgages in PDF:

New PDF eSignature Guidelines for Mortgages
MISMO Guidelines to Help Standardize Implementation of PDF in the Mortgage Process

Adobe Systems Inc. (Nasdaq: ADBE) and MISMO® Inc. today announced the release of guidelines for the standardization of electronically signed PDF documents in the mortgage process. The guidelines are intended to help standardize the implementation of PDF and electronically signed PDF documents across the mortgage banking industry, moving the industry to a new level of interoperability with PDF for end-to-end electronic mortgage workflows...

Adobe and Wolters Kluwer Financial Services Team to Deliver Mortgages Electronically
Companies to Enable Lenders to Secure and Streamline Mortgage Processes in PDF

Adobe Systems Incorporated (Nasdaq:ADBE) and Wolters Kluwer Financial Services today announced an agreement to provide lenders with a new option for delivering mortgages electronically. With this agreement, the companies will work together to provide integration between the Wolters Kluwer Financial Services Expere® Integrated Enterprise (IE) solution and Adobe® LiveCycle® interactive process management software...

Posted by John Landwehr at 10:08 PM | Permalink

February 06, 2007

Adobe Digital Signature Solutions Certified by SAFE-BioPharma Association

Adobe Systems today announced that the SAFE (Signatures and Authentication for Everyone)-BioPharma Association has certified Adobe Acrobat software, Adobe Reader with Adobe LiveCycle Reader Extensions, and Adobe LiveCycle Document Security software for compliance with the SAFE digital signature standard. These are the first software products ever certified by SAFE, a non-profit association that manages digital identity and signature standards for the pharmaceutical industries. With today’s announcement, legally binding digital signatures are more readily available to biopharmaceutical professionals who need help eliminating the inefficiencies and inaccuracies of paper-based processes while improving end-to-end electronic document workflows.
By using the Adobe products certified by SAFE, biopharmaceutical organizations, clinical investigators and regulators can collaborate more securely and efficiently to better serve patients, conduct pharmaceutical research, and help bring new drugs to market more quickly. SAFE-BioPharma Association is a non-profit association that manages the SAFE digital identity and signature standard for the pharmaceutical industries. The SAFE standard provides a secure, legally enforceable, and regulatory-compliant way to provide identity verification, non-repudiation, and content integrity for electronically signed documents. To become certified by SAFE, products and solutions must successfully pass product certification testing by an independent laboratory accredited by SAFE-BioPharma Association.

Posted by John Landwehr at 06:41 AM | Permalink

February 05, 2007

CIC Electronic Signatures and Adobe Acrobat 8

Today CIC announced their new electronic signature offering for Adobe Acrobat 8, delivering a proven enterprise solution for use within small to mid-sized businesses. Sign-it is specifically designed to extend the digital signature framework within Acrobat 8. The combination of CIC Sign-it and Adobe Acrobat has been successfully deployed within several major enterprise accounts and, with the new capabilities of these recent products, can now be easily utilized within smaller businesses at a reasonable price.

"The combination of Acrobat 8 and Sign-it allows organizations to accelerate the move toward efficient and legally binding paperless transactions in their respective markets," said Russ Davis, Chief Technology Officer at CIC. "Our goal is to provide out-of-the-box solutions for our customers that utilize the latest in security technologies to enable them to execute secure transactions and documents electronically from the office and field as well as over the web, leveraging the type of eSignature that fits their unique requirements. The new features and increased flexibility of Acrobat 8 enable CIC to rapidly bring its next generation eSignature solutions to market. Acrobat and PDF are fundamental elements in many of CIC's major electronic signature deployments and this release represents significant benefits and enhanced value for our clients."

"Acrobat 8 helps small and mid-sized businesses save time and money by allowing them to share their PDF content more efficiently and more securely," said John Landwehr, Director of Security Solutions at Adobe. "CIC's latest release extends the capabilities of Acrobat to include targeted, adaptable electronic signatures, making CIC an important member of our Security Partner Community."

Posted by John Landwehr at 07:29 AM | Permalink

September 22, 2006

Making digital signatures easier to use and deploy with roaming credentials

Acrobat and Reader 8 include a new "Roaming Credential" feature to make digital signatures easier to use and deploy. Arcot has just announced their SignFort server to utilize this capability.

Digital signatures have historically required credential provisioning to desktop clients, in the form of software- or hardware-based PKI certificates, before a signature could ever be applied. These credentials can be accessed by Acrobat and Reader via PKCS#12 files on disk, via PKCS#11 libraries and CryptoAPI Cryptographic Service Providers (CSPs) in Microsoft Windows, or via custom client plug-ins. Both PKCS#11 and CSPs usually require additional third-party software libraries to be distributed to the clients for hardware tokens such as smart cards and USB keys. Additionally, after the first certificate is issued, certificates ultimately expire and need to be regularly renewed at the client by requesting a new certificate from the Certificate Authority. Distributing the additional software and managing client certificates is why some people have referred to PKI as "Painful" Key Infrastructure, instead of Public Key Infrastructure.
The new "Roaming Credential" capability in Acrobat and Reader 8 does not require additional software deployment or credential management (provisioning or renewal) on the client to apply a digital signature. A new web service protocol was developed to utilize a product, such as Arcot's SignFort, to broker the credential management in a centralized server. When signing a document with roaming credentials, the user clicks a signature field, authenticates, and saves the signed document. That's it.

The address of the roaming credential server can be specified as a "seed value" preference in the signature field itself, on a per-document basis. Or, the Acrobat and Reader application itself can be configured to use a roaming credential server for all documents, even without seed values on the signature fields of documents. Authentication is either username/password, Windows Kerberos single sign-on, or the ArcotID.

When the roaming credential service is used, the user authentication is sent to the server along with the hash of the document. The server verifies the authentication and maps it to the user's credential stored on the server, optionally in a Hardware Security Module (HSM). That credential then signs the hash and returns the value to the desktop to be embedded in the document.

This capability is especially useful when sending documents outside an organization's firewall for business partners and customers to apply digital signatures. As long as those external users already have a supported authentication credential as described above, and have Adobe Acrobat or Reader 8, they can sign a document tied to a roaming credential server without any additional software deployments or configuration on their client.
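The exchange described above, as an added example that is neither Adobe's nor Arcot's code: a Go model of the roaming credential flow in which the desktop hashes the document and sends only the digest plus its login, the server authenticates the user and signs with the server-held key, and the recipient verifies the returned value. The user name, password store and sample document are constructed for illustration, and RSA with SHA-256 is an assumption rather than the protocol's actual algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// RoamingServer models the central credential broker (constructed for this example):
// a per-user password check plus the signing key, which in practice lives in an HSM.
type RoamingServer struct {
	passwords map[string][32]byte // SHA-256 of the password; stand-in for a real password store
	keys      map[string]*rsa.PrivateKey
}

// NewRoamingServer enrolls one user and generates the server-held signing key.
func NewRoamingServer(user, password string) (*RoamingServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s := &RoamingServer{passwords: map[string][32]byte{}, keys: map[string]*rsa.PrivateKey{}}
	s.passwords[user], s.keys[user] = sha256.Sum256([]byte(password)), key
	return s, nil
}

// Sign is the server side: it sees only the login and the digest; a failed login never reaches the key.
func (s *RoamingServer) Sign(user, password string, digest [32]byte) ([]byte, error) {
	want, got := s.passwords[user], sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(want[:], got[:]) != 1 { // unknown user leaves want all-zero
		return nil, fmt.Errorf("roaming credential: authentication failed for %q", user)
	}
	return rsa.SignPKCS1v15(rand.Reader, s.keys[user], crypto.SHA256, digest[:])
}

// PublicKey stands in for the key a relying party reads from the signer's certificate.
func (s *RoamingServer) PublicKey(user string) *rsa.PublicKey { return &s.keys[user].PublicKey }

// ClientSign is the desktop side: hash locally and send only the digest plus login.
func ClientSign(srv *RoamingServer, user, password string, doc []byte) ([]byte, error) {
	return srv.Sign(user, password, sha256.Sum256(doc))
}

// Verify is what the recipient does with the signature value embedded in the document.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	srv, err := NewRoamingServer("alice", "sample-password") // constructed sample user
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample contract")
	sig, err := ClientSign(srv, "alice", "sample-password", doc)
	fmt.Println("signed:", err == nil, "verifies:", Verify(srv.PublicKey("alice"), doc, sig))
}
```

Note that the document bytes never cross the wire: only the digest does, so the server can sign without ever seeing the content, and a wrong login or an unknown user is rejected before any key is touched.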
Posted by John Landwehr at 09:40 AM | Permalink

August 16, 2006

Organizations deploying Adobe & GeoTrust digital signature solutions

GeoTrust announced a growing number of customers involved in regulation and certification usin