Making digital signatures easier to use and deploy with roaming credentials

Acrobat and Reader 8 includes a new “Roaming Credential” feature to make digital signatures easier to use and deploy. Arcot has just announced their SignFort server to utilize this capability.

Digital signatures historically required credential provisioning to desktop clients in the form of software or hardware-based PKI certificates – before a signature could ever be applied. These credentials can be accessed by Acrobat and Reader via PKCS#12 files on disk, or via PKCS#11 libraries and CryptoAPI Crypto Service Providers (CSPs) in Microsoft Windows, or via custom client plug-ins. Both PKCS#11 and CSPs usually require additional 3rd party software libraries to be distributed to the clients for hardware tokens such as smartcards and usb keys. Additionally after the first certificate is issued, they ultimately expire and need to be reguarly renewed at the client by requesting a new certificate from the Certificate Authority. Distributing the additional software and managing client certificates is why some people have referred to PKI as “Painful” Key Infrastructure, instead of Public Key Infrastructure.

The new “Roaming Credential” capability in Acrobat and Reader 8 does not require additional software deployment or credential management (provioning or renewal) on the client to do a digital signature. A new webservice protocol was developed to utilize a product, such as Arcot’s SignFort, to broker the credential management in a centralized server.

When signing a document with roaming credentials, the user clicks a signature field, authenticates, and saves the signed document. That’s it.

The address of the roaming credential server can be specified as a “seed value” preference in the signature field itself, on a per-document basis. Or, the Acrobat and Reader application itself can be configured to use a roaming credential server for all documents, even without seed values on the signature fields of documents.

Authentication is either username/password, Windows kerberos single-sign-on, or the ArcotID.

When the roaming credential service is used, the user authentication is sent to the server along with the hash of the document. The server verifies the authentication and maps to a user’s credential stored on the server, optionally in a Hardware Security Module (HSM). That credential then signs the hash and returns the value to the desktop to be embedded in the document.

This capability is especially useful when sending documents outside an organization’s firewall for business partners and customers to apply digital signatures. As long as those external users already have a supported authenticaiton credential as described above, and have Adobe Acrobat or Reader 8, they can sign a document tied to a roaming credential server without any additional software deployments or configuration on their client.