Establishing Trust in an ad hoc Electronic Signature Workflow with Acrobat

I had a customer ask me about why signatures in their PDFs that they had signed with Acrobat would not verify. Doing a little digging, it became apparent that while the group had created and begun using signatures in Acrobat, they had not established trust within the group.

An electronic signature, like a pen-and-ink signature, is only as good as your belief that the signature is genuine. In a paper workflow, we can witness someone applying their mark to the paper. We use ink because it is hard to remove from the paper. How, then, do we trust an electronic signature when we can’t witness the signature being applied to the PDF?

There are several mechanisms to establish and maintain trust in the context of Adobe PDF workflows. In this article, we’ll look at the ad hoc signature workflow. For a signature workflow to work, we need two elements: signatures and Identities. In this workflow, all of the parties create electronic signatures and Identities with Acrobat, and all of the parties must exchange Identities in advance of using the signatures.

Digital Identities

In Acrobat X, signatures depend on digital identities, so we must start with creating an identity. When you have a document open, you can click on the Tools panel and then choose Sign & Certify>More Sign & Certify>Security Settings… At any time, you can find these controls under Edit>Protection>Security Settings…


You create a Digital Identity in the Security Settings Panel. A Digital Identity is a file that contains information specific to you, such as your name, email address, and company contact information. In addition, it contains half of a key that can be used to decrypt content that you have encrypted. This is important, because the person with whom you are sharing a signed PDF needs this key in order to be able to decrypt your signature and verify that you are who you say you are. Without this key, we don’t have trust in the workflow, so the key is how we establish this trust.

Let’s make a Digital ID. In the Digital IDs panel, click the Add ID button and then choose A new digital ID I want to create now and then click Next.

Now, you need to enter your personal information, select an encryption strength, and also make a choice about how you’ll be using this ID. In this example, I have entered my personal information, chosen my region, and have chosen 2048-bit RSA encryption. The default is 1024-bit RSA for backwards compatibility, but in this age of WikiLeaks and other data security compromises, I’ll opt for more modern protection. I’ve also chosen to use this digital ID for Digital Signatures and for Data Encryption. This is the default setting, but you can choose to use this ID exclusively for either Digital Signatures or Data Encryption.


A note about Unicode Support: if you need to use this signature in a region that uses Unicode characters, such as many parts of the Middle East and Asia, then you will want to enable Unicode support here as well. Enabling Unicode Support will expose another set of fields that allow you to enter Unicode data in addition to the Western characters.

Having made your choices, click Next.

Now, choose your password. This is a tricky business: once you create the ID, you will need to know this password every time you want to use it, and the password is what protects you from anyone else using the ID to impersonate you. To this end, choose a strong password. Acrobat X provides a thermometer that lets you know how strong your password is, or how hard it would be to guess. It bases this strength on a number of factors, including use of upper and lower case, use of special characters, apparent randomness of the string, and length of the string.


When you’re done, click Finish to complete the ID creation process, then close the Security Settings panel.

Establishing trust

Now that we have an ID, we can share it with people with whom we want to exchange signed documents. In a paper workflow, we can compare an ink signature against a government-issued ID, such as a passport or a driver’s license. In an electronic signature workflow, we exchange Digital IDs in advance of exchanging signed documents. This establishes the trust between the participants and allows Acrobat to verify the signatures on documents as having come from trusted sources.

There are several ways to exchange Digital IDs in Acrobat X, and I’ll focus on the two easiest ways to do it.

Let’s pause a moment to consider what’s being shared when you export an ID. An ID is an encrypted token that contains your personal information. The encryption scheme depends on two very large prime numbers. When you encrypt a signature (or any electronic content), the encryption routines use the key in your ID to do the encryption. Under this scheme, if someone has one of your two prime numbers, known as a public key, they can use it to decode your encrypted content. Sharing the public part of your ID is critical to establishing trust, because it enables the person with whom you are exchanging signatures to read the encrypted information in your signature.

Having that out of the way, let’s go back to the workflow. From the Security Settings panel, choose the ID you want to share and then click the Export button.

Here you’ll have to decide whether you want to email the ID to someone or save it somewhere on your computer. If you choose to email, then Acrobat will compose an email containing instructions as to how to import the ID. It will also include the ID as an attachment to the email. If you choose to save to a file, then Acrobat will save the ID as a file to the location of your choice. You will then be able to send it to whomever needs it without having to return to Acrobat. Make a choice, and click Next.

Acrobat creates an email message that explains what to do with the attached ID

In either case, Acrobat exports the ID as an FDF file. The recipient just needs to double-click the FDF file to install it in either Reader or Acrobat.

You can also request that someone send you their ID. In Acrobat X, click on Sign & Certify>More Sign & Certify>Manage Trusted Identities and then choose Request Contact…

Enter your name, email address and phone number. Enable the Include my Certificates option, and choose Email request. Then, click Next…

In the following screen, select the ID you want to send and click Next. Then, enter the email address of the person with whom you want to exchange IDs. Click Send for Acrobat to compose the email and send it with your computer’s email program.

Making your digital mark

Now that we have created an ID and established trust, it is time to sign a document.

Open the PDF you want to sign. This PDF could be a PDF with a special form field for signatures or it could be a document with no signature field. If you have permission to sign the document, then you will be able to apply an electronic signature. The Sign & Certify panel has several options in it, including Sign Document and Place Signature. There is a subtle difference between these options: if the document is an electronic form and there is an existing signature field, then Sign Document will put the signature into the signature field. If there is no signature field on the document, then it behaves the same as Place Signature. Place Signature asks you to draw a box on the PDF where you’d like the signature to be.

Note: There is also an option called Apply Ink Signature, but that makes an annotation that looks like you signed the document with a pen. It is not an electronic signature like we’ve been discussing up to now and should not be used in an electronic signature workflow unless both parties agree that the annotation-type signature is acceptable as a signature. I want to take advantage of the work we’ve put in up to now, so we’ll be talking about Signing and Placing Signatures.

I’ll assume that you are signing a document that does not have a signature field. Choose Sign & Certify>Place Signature. Acrobat will ask you to draw a box where you want the signature to go. Once you release the mouse from drawing the box, you’ll be able to determine which ID to use and also how the signature looks.

Choose the ID you want to use from the Sign As drop-down menu. Choose the ID that you used when you established trust earlier and enter the password for that ID.

You have options as to how the signature will appear on the document. By default, Acrobat includes your name and some of your personal information from the certificate. It is common to add a photo or scan of an ink signature to an electronic signature. To change the appearance, click on the Appearance menu and choose Create New Appearance…

Enter a name for the new appearance and configure the graphic option. You can have no name, choose to show your name, or choose the Imported graphic option and then browse to an image file. You can select just about any image file type that Acrobat can convert to PDF and have it appear in the signature. In this example, I chose a jpeg. You can also enable or disable different fields from the certificate. Make your choices and click OK.

When you have set all of your options, then you can click the Sign button to sign the document. You must save the signed PDF immediately. You may want to establish a naming convention for your signed documents, such as original_filename_SIGNED.pdf for signed PDFs. Having saved the PDF, you are done.

Final appearance of the digital signature with image

Note: If you are the last person in the workflow who needs to sign a document, then you may want to lock the document after you sign it. You can enable that option before you apply the signature.

Once signed, you can validate signatures in the Signature panel. This panel appears in any PDF that has a signature applied. You can also hover your mouse over a signature, and the tooltip will tell you whether the signature is valid. You can also click on a signature to check its validity.
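To make the trust model concrete, here is an added example (not Acrobat's code, and not the FDF or PDF signature formats themselves) that mirrors the workflow in miniature using Go's standard library. Each party creates a self-signed RSA certificate standing in for a Digital ID, exports only the public certificate (the part the FDF export carries), and the relying party installs it in a trust list. Verification then answers the same two questions the Signature panel answers: is the signer someone I have exchanged IDs with, and is this exactly the document they signed? The `DigitalID` and `TrustStore` types, the names Alice, Bob and Mallory, and the document text are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DigitalID stands in for an Acrobat self-signed Digital ID: the private key only
// the owner holds, plus a self-signed certificate carrying the owner's name and
// public key. Hypothetical type; it is not Acrobat's on-disk format.
type DigitalID struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

// NewDigitalID creates an ID for the named person with an RSA key of the given size.
func NewDigitalID(name string, bits int) (*DigitalID, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the ID vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DigitalID{key: key, cert: cert}, nil
}

// ExportPublic is the shareable half of the ID: the certificate only, never the private key.
func (id *DigitalID) ExportPublic() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: id.cert.Raw})
}

// Sign hashes the document bytes and signs the digest with the private key.
func (id *DigitalID) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, id.key, crypto.SHA256, digest[:])
}

// TrustStore is the relying party's list of trusted identities.
type TrustStore struct{ roots *x509.CertPool }

func NewTrustStore() *TrustStore { return &TrustStore{roots: x509.NewCertPool()} }

// Import installs a certificate someone sent you, as double-clicking the FDF does.
func (ts *TrustStore) Import(certPEM []byte) error {
	if !ts.roots.AppendCertsFromPEM(certPEM) {
		return errors.New("no certificate found in import")
	}
	return nil
}

// Verify fails if the signer is not in the trust list or the document differs
// from what was signed, so a removed page or edited text invalidates the signature.
func (ts *TrustStore) Verify(doc, sig, signerPEM []byte) error {
	block, _ := pem.Decode(signerPEM)
	if block == nil {
		return errors.New("signer certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: ts.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("signer certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("document altered or signature not from this ID: %w", err)
	}
	return nil
}

func main() {
	alice, _ := NewDigitalID("Alice", 2048)
	mallory, _ := NewDigitalID("Mallory", 2048)
	bob := NewTrustStore()
	_ = bob.Import(alice.ExportPublic()) // Bob installed the ID Alice sent him; Mallory never sent one
	doc := []byte("constructed sample contract text")
	sig, _ := alice.Sign(doc)
	fmt.Println("Alice, untouched document:", bob.Verify(doc, sig, alice.ExportPublic()))
	fmt.Println("Alice, edited document:   ", bob.Verify([]byte("constructed sample contract text (edited)"), sig, alice.ExportPublic()))
	msig, _ := mallory.Sign(doc)
	fmt.Println("Mallory, no ID exchanged: ", bob.Verify(doc, msig, mallory.ExportPublic()))
}
```

Only the first check returns nil. The other two fail for different reasons, and telling them apart matters in practice: a trust failure means the IDs were never exchanged (the situation in the opening paragraph), while an integrity failure means the bytes being read are not the bytes that were signed.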

There are times when you would want to remove a signature from a document. If you are the signer, then you can right-click on the signature and choose Clear Signature from the contextual menu.

Extending signature workflows to Reader users

You can include Reader users in your signature workflow by saving your PDF as a Reader Extended PDF. From the File menu, choose Save As>Reader Extended PDF>Enable Additional Features… A notice will appear letting you know what features will be enabled for Reader. Click Save Now to save the Reader Extended PDF. Give the Reader Extended PDF a name like original_name_Reader_Extended.pdf.

Conclusion

Once you create a Digital ID, then you can establish trust with someone else and exchange signed documents with them. Remember that you’ll need to establish trust by exchanging IDs with the other person in order to validate signatures.

11 Responses to Establishing Trust in an ad hoc Electronic Signature Workflow with Acrobat

  1. Thanks for sharing this tutorial. I’d like to get to 100% electronic signatures with my clients and avoid snail mail and the added time altogether. This is definitely something I’m going to explore further.

  2. Pingback: Trust us…Trust in Electronic Signatures Revisited « Security Matters

  3. Hi James, nice tutorial. I can see how in the context of a closed group where trust has already been established an Acrobat Digital ID would be sufficient to establish trust in an Adobe PDF Workflow. The task of establishing trust is still quite an onerous one though and it asks the relying party to 1) trust an email and 2) explicitly trust the author of the document. For the highest level of assurance and ease-of-use in the exchange of Adobe PDF documents, across and beyond the organisation, this is where the global Adobe Certified Document Services Program and CDS signatures really come into their own.

  4. Andy Blackham says:

    Hi James, Thanks for this. In a separate Adobe forum post you mention a Photoshop and Illustrator Programmatic Licence. I’ve contacted Adobe Licencing to enquire and they know nothing of it and have directed me to the Photoshop SDK on devnet.
    Does this licence have another name?

    • James Lockman says:

      Hi, Andy.

      There is licensing available for using Illustrator or Photoshop in a programmatic fashion, which is to say powered by scripting for use by a workgroup. You’d need to talk to your Adobe Account rep. Contact me offline so I can help determine who that should be in the UK. jlockman at adobe dot com

  5. rsclark82 says:

    We are in the midst of moving management over to iPads and having their meeting papers available on the iPad rather than hard copy. We’ve been using the e-signatures on our management papers but when it comes to combining these separate papers into one, all signatures are lost….would establishing trust etc amongst management prevent this from occurring once all single docs are combined into one?

    I’m no IT expert – am just exploring options…..

    • James Lockman says:

      Establishing trust won’t help you here, because you are moving your PDFs out of Acrobat and onto another reading tool on the iPad. If you need to extend your eSignature workflow to iPads, consider EchoSign, which does work on iPads.

      • rsclark82 says:

        I still lose the signatures off each PDF when I combine them all together in Adobe on the PC – before I even view on the iPad. Is it possible to overcome this or will EchoSign fix this issue too?

        • James Lockman says:

          This is expected behavior, since digitally signing a PDF ensures that the reader knows that the signer actually signed the PDF that is being read. Consider the following: a person signs a PDF and sends it to you. You remove a page. Should the signature remain? Well, the signer didn’t sign the document in its current state, so the signature becomes invalid.

          You CAN preserve those signatures and combine PDFs into one PDF by using Portfolios. A Portfolio is a special kind of PDF that can contain other documents. These other documents can be Office docs, other PDFs, movies, Flash animations, and almost anything you can think of, with some exceptions. You can’t put an executable in a Portfolio, for instance. Nor can you put a Zip or Stuffit archive, since there might be executables in them. A Portfolio just might be the solution to your problem, since signed PDFs in a Portfolio remain signed. Unfortunately, today there is no Adobe Reader for iPad, so this solution won’t help your iPad-based managers.

  6. Terri J says:

    Is there any way NOT to have to use a password every time you want to sign a document? Any help appreciated. Thanks

    • James Lockman says:

      Terri,

      You could use the Ink Signature panel in Acrobat 10. It applies an annotation that looks like a signature, but it is probably not suited for any real-world business application that requires a digital signature. One of the key aspects of a digital signature workflow is that everyone must trust the signers (hence this post). One of the ways that we maintain trust in a digital signature workflow is that we only allow the owner of that signature to sign with it. A digital signature without a password is like an ATM card with no PIN.

      While it might be tempting to dispense with a password in order to sign a document, that would most definitely not be a trustworthy digital signature.