When the PDF 1.7 documentation was being reviewed as an ISO Draft last year, one of the most deeply questioned and apparently confusing parts of the standard had to do with the digital signature support defined for PDF. This was especially challenged by European experts on digital signatures. As a consequence of this, I have been learning as much as I can about how digital signatures are handled in PDF, electronic/digital signatures in general, the European Union Directives for Electronic Signatures and the European Telecommunications Standards Institute (ETSI) and its Electronic Signature and Infrastructure Technical Committee (ETSI/ESI). I want to share some of what I have learned with you in this series of blog articles.
Introduction: There is signing and then there is signing
First, you need to understand that the phrase “digital signature” has a very special technical meaning. Normally when the word “signature” is used we think of something like this:
I learned early in my adult life, through some painful real estate transactions, that the world’s system for conducting business is truly built around honest people who trust each other. You can write contracts that are hundreds of pages long and if someone wants to violate the spirit of the transaction they will still find a way to do it. Our system, based upon these simple ink-on-paper signatures, is technically very flawed, but it is still the core method used to conduct business worldwide because we rely upon the basic honesty of people.
Someone can change a signed paper document, and if done with skill, the change can be detectable only by an expert. With the widespread availability of high-quality copiers it is easy to take a signature off one document and put it onto a different one. Executing criminal activity around paper and ink signatures is rather simple. Not getting caught may be a different story.
We dramatize the idea that only an expert forger can draw my contorted signature just like I do, and we dramatize that there are equally expert analysts who can detect forgeries. The courtroom drama with the expert’s testimony is seldom how things end up. Usually a signature is used on some document of record primarily as a memory aid to remind us when and under what conditions we agreed to something. In fact, recording the act of agreeing via a “signing act” is the legal force for normal signatures. Even the “X” used by illiterates to sign documents is legal because it is the act of making the agreement that is important, not the symbol that represents it. The symbol or signature is part of the reminder that you agreed.
The term “electronic signature” is a very general term that includes the idea of putting an electronic image of a signature on an electronic page. A “digital signature” is much stronger and involves assurances that the document hasn’t changed and the signer is who they claim to be. In fact, such digital signatures go way beyond paper and ink signatures with respect to assuring that the document has not been tampered with and that the signature is really a valid signature for that person. We are going to talk primarily about digital signatures.
I guess the digital signature is driven to take the stronger path from normal ink signatures because we can make changes to a document so much more easily, and the changes can be done in ways that make it impossible to know what was original and what was newly modified. Additionally, when we have digital material we take advantage of the fact that we do not have to be face to face to conduct business. We can send documents world-wide via e-mail or the Internet. So with whom we are really dealing becomes an issue. With normal signatures and signing, if we have a concern that who we are dealing with is who they say they are, we turn to notaries who give stronger confidence that the person is who they say they are. That same approach is used for digital signing by setting up Certificate Authorities (CAs) run by Certification Service Providers (CSPs).
So two things, document integrity and personal identification, are tied together into a system based upon clever digital encryption technology to give us digital signatures.
Much more on that in my next few blog articles.
There is also more material about electronic and digital signatures to be found on the Adobe Security Blog. For example:
Jim King (contact: firstname.lastname@example.org)