
August 29, 2008

Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part Two – “The How – Manual Trust Settings”

In part one of this series, I discussed the three essential questions that Adobe products ask with regard to electronic signatures: (1) is the signature credential in good standing; (2) has the document changed since it was signed; and (3) has the relying party trusted the signer. This third question is often left to the user or organization to answer, because of the unique circumstances of any particular situation. Today we’ll discuss how users can set up that trust and provide the third leg of the tripod in the intrinsic validity of an electronic signature.

Signature credentials are trusted in Adobe products through the establishment and installation of trust anchors and trusted identities.  Trust anchors are typically root certificates—certificates at the top of the hierarchy from which other certificates are derived.  Trusted identities can be any certificate, even an end-entity, or user, certificate.  In any case, in order to pass validation, the signing certificate must either be a trust anchor (root) or be chained to (derived from) that root.

In this post we’ll cover the three ways an individual user can set trust in Adobe products.

User Trust Setting #1: The Signature Dialog Box

This is the most straightforward method: a user receives a signed document from an individual who has not been previously trusted by the user. The user opens the document with Adobe Acrobat or Reader, right-clicks on the signature, chooses Show Signature Properties and then Show Certificate. By clicking on the Trust tab within that dialog box, the user can choose Add to Trusted Identities and then decide whether the credential will be trusted for standard approval signatures and/or certification (publishing) signatures.

 

User Trust Setting #2: Trust Manager

In this method, a user may already have a number of certificates in hand or available (via email, for example) from approved signers and wishes to add them to the Trusted Identity list. The user clicks on the Advanced menu and then chooses Manage Trusted Identities. The user can then simply add or request ‘contacts’ (certificates) and go on to edit that trust.

 

User Trust Setting #3: Certificate Store (Windows)

In order to best serve the purposes of web browsing, operating system and browser vendors have created lists of trusted identities (SSL certificates) to enable more secure transactions online. Users of Adobe products have the option to allow the software to trust all of the certificates in the Windows Certificate Store, though this option is not selected by default. Why? Adobe believes the store casts too wide a net, and trusts a large number of both high and low assurance certificates, thereby introducing unnecessary risk into a document signing scenario. The rise of the enhanced validation (EV) SSL certificate also highlights this problem.

Despite these concerns, some users may still wish to enable this option. Within the Edit menu, select Preferences, and then Security. Click on the Advanced Preferences button, and then on the Windows Integration tab. The user can then choose to either trust certificates in the Store for validating standard signatures and/or certification signatures.

For more detailed information on these options, be sure to check out this link:


August 28, 2008

Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part One – “The Why”

A few months ago, I wrote about the nature of assurance in electronic signatures and how aspects like authentication, audit, and integrity add to the trust you place in a signature.

When we consider electronic signatures, recognize that there are typically two parties to the transaction: the author / signer and the recipient, or relying party.  The signer’s role is obvious.  The relying party, on the other hand, is the one who is in the position to accept the signature and therefore the signer’s approval of the terms or nature of the signed document.  When faced with an electronic signature, the relying party must be aware (or have resources he/she can turn to, such as a lawyer) of three intersecting zones of validity—legal, contractual, and intrinsic—and how Adobe products can assist. 

First, signature validity is provided by national, regional and local legislation, as well as industry regulations.  E-Sign and the EU Signature Directive at the national level, UETA at the regional / local level, and industry standards like MISMO, NAVA, and SPeRS, all are informative as to an electronic signature’s standing.

The second category is that of contractual validity. Organizations may jointly accept each other’s electronic signatures via contract and thus impart additional validity to those signatures. As an example, the SAFE-BioPharma initiative among pharmaceutical and life sciences companies has as its backbone a strong business contract that stipulates each member will trust other members’ digital signatures and accept them as legally valid. SAFE members can therefore easily rely on each other’s signatures without worry.

Adobe products cannot provide specific feedback on these first two aspects of trust and assurance. Adobe Reader can be found on practically every computer in the world and thus Adobe can’t be aware of every single law, regulation, or contractual relationship a user may be subject to—we have to leave the lawyers something. But, Adobe products can provide clear guidance on that most important aspect of electronic signatures, the signature’s intrinsic validity.

Adobe products like Acrobat, Reader and LiveCycle ES Digital Signatures ask three questions of an electronic signature:

  1. Is the signature credential valid and in good working order?
    • Is the digital certificate in good standing? Has it expired? Has it been revoked?
  2. Has the document been altered since it was signed?
    • Integrity checking. Has the document been changed? What’s been changed, if so? Is it an authorized change (another signature, for example)?
  3. Is the signer trusted by the relying party?

The answers to these questions remain critically important no matter whether a signature is governed by legislation or established in a contractual relationship. The first two questions are handled behind the scenes by Adobe products through industry standard cryptographic protocols. The third question, however, is, by its very nature, answered by the relying party, based on their knowledge of relationships the organization may have, business colleagues, etc.
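The three questions above, together with the trust anchors, trusted identities and per-purpose trust settings from Part Two, as a small Python model. This is an added example, not Adobe code: certificates are plain records with no cryptographic signature check, integrity is reduced to a SHA-256 comparison, and every name in it (`Cert`, `validate`, `MANUAL`, `OS_STORE`, the CN values) is invented for the illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:  # simplified stand-in for an X.509 certificate; no real signatures
    subject: str
    issuer: str  # equals subject on a self-signed root
    not_before: datetime
    not_after: datetime
    serial: int

def build_path(signer, known):  # follow issuer names up to a root or a gap
    path, cert = [], signer
    while cert is not None and cert not in path:
        path.append(cert)
        cert = None if cert.issuer == cert.subject else known.get(cert.issuer)
    return path

def validate(signer, signed_digest, document, known, trusted, revoked, purpose, now):
    """Answer the three questions; trusted maps Cert -> purposes granted to it."""
    path = build_path(signer, known)
    hit = next((i for i, c in enumerate(path) if purpose in trusted.get(c, ())), None)
    checked = path if hit is None else path[: hit + 1]
    return {
        "credential_ok": all(c.not_before <= now <= c.not_after
                             and (c.issuer, c.serial) not in revoked for c in checked),
        "unchanged": hashlib.sha256(document).hexdigest() == signed_digest,
        "signer_trusted": hit is not None,
    }

# Constructed sample data: every name and value below is invented.
UTC = timezone.utc
START, END = datetime(2007, 1, 1, tzinfo=UTC), datetime(2010, 1, 1, tzinfo=UTC)
NOW = datetime(2008, 8, 29, tzinfo=UTC)
ROOT = Cert("CN=Example Org Root", "CN=Example Org Root", START, END, 1)
ALICE = Cert("CN=Alice", "CN=Example Org Root", START, END, 7)
WEB_ROOT = Cert("CN=Example Web SSL Root", "CN=Example Web SSL Root", START, END, 1)
STRANGER = Cert("CN=Unknown Signer", "CN=Example Web SSL Root", START, END, 9)
KNOWN = {c.subject: c for c in (ROOT, WEB_ROOT)}
DOC = b"constructed contract text"
DIGEST = hashlib.sha256(DOC).hexdigest()
MANUAL = {ROOT: {"approval", "certification"}}        # anchor the user added
OS_STORE = {WEB_ROOT: {"approval", "certification"}}  # stand-in for an OS store

def demo():
    def run(signer, doc, trusted, revoked=frozenset(), purpose="approval"):
        return validate(signer, DIGEST, doc, KNOWN, trusted, revoked, purpose, NOW)
    return {
        "alice": run(ALICE, DOC, MANUAL),
        "edited": run(ALICE, DOC + b"!", MANUAL),
        "revoked": run(ALICE, DOC, MANUAL, {(ALICE.issuer, ALICE.serial)}),
        "stranger": run(STRANGER, DOC, MANUAL),
        "stranger_os_store": run(STRANGER, DOC, {**MANUAL, **OS_STORE}),
        "identity_only": run(ALICE, DOC, {ALICE: {"approval"}}, purpose="certification"),
    }

if __name__ == "__main__":
    print(demo())
```

The `stranger` and `stranger_os_store` results differ only in the trust list: a credential in good standing on an unaltered document is still untrusted until the relying party, or a broad store the relying party opted into, supplies an anchor for it.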

Adobe products cannot answer this question in most circumstances. Adobe understands that the relying party must be free to make their own trust decisions based on their own unique circumstances. If Adobe were to trust every signature credential, users might accept signatures from false identities or trust documents that should not be trusted in the first place. However, as you’ll read later in this series, Adobe has been looking at ways to help relying parties make this determination since 2005, and will be announcing an even more comprehensive approach starting later this year.

Next time, though, I’ll cover how a relying party can trust a signer from a user perspective.



August 27, 2008

Adobe MAX Awards 2008 is now accepting nominations!!

Adobe Security Customers,

I wanted to be sure the group was aware of the 2008 MAX Awards. These customer recognition awards showcase some of our best customer projects developed around the globe over the past year.

This year we will award projects in 6 categories: Advertising & Branding, Enterprise, Mobility and Devices, Public Sector, Rich Internet Application, and Video. Most of our security nominations are typically in the Enterprise and Public Sector categories.

The top three finalists in each category will be invited to attend MAX North America in San Francisco, where we will announce the winner, as well as the People's Choice award winner. All finalists will receive complimentary admission to MAX.

All submissions must be received online at https://www.Adobemaxsubmission.com/submission by September 12th, 2008, so be sure to submit your Adobe Security project today!

For more information or to see last year's finalists and winners please Click Here

Here is the link to submit a nomination:

https://max.adobe.com/na/experience/#?s=5&p=0

August 21, 2008

Adobe Secured Customer Showcase: Allgaier Automotive GmbH

Read about how Allgaier Automotive is using LiveCycle Rights Management ES to improve communication of and collaboration on complex 3D design models.

http://www.adobe.com/cfusion/showcase/index.cfm?event=casestudydetail&casestudyid=510844&loc=en_us

August 18, 2008

Flexibility in identifying and authenticating users – Part Two

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smart card/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructures, along with allowing for substantial mechanisms for customization and integration. As promised in part one, today's topic is a deep dive on smartcard/certificate authentication and the benefits to customers.

 

Smart card / Certificate authentication

The fourth type of authentication that LiveCycle Rights Management ES supports is smart card, or certificate-based authentication. For some customers, this form of authentication is often more secure than the other forms of authentication supported. To understand how it works in LiveCycle Rights Management ES and the benefits it provides, however, requires some background and context.

A smart card, in its most well-known form, is a credit card-sized ‘intelligent card’ that carries a user’s credentials in the form of Digital Certificates. Many variants today also possess processing capabilities like the ability to compute Digital Signatures. A smart card is a something-you-have type of authentication, as compared to Username/Password, which is something-you-know.

A Digital Certificate, often just referred to as a Certificate, is a digital document that at a minimum includes a Distinguished Name (DN) and an associated Public Key. The DN uniquely identifies a user, and the public key can be used to prove that identity. The Certificate is signed by a trusted third party known as a Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. This Public Key Infrastructure (PKI) assumes the use of Public Key Cryptography, which is the most common method on the Internet for authenticating end parties or encrypting messages. PKI overcomes significant flaws in traditional, or symmetric, cryptography, and at the same time provides added security by having strict requirements for key lengths and industry standard cryptographic algorithms (set forth by the Public Key Cryptography Standards, or PKCS, and governed by RSA Laboratories).

At the time of authentication, LiveCycle Rights Management ES validates the chosen Certificate’s signature against its cache of known and trusted CA certificates. The server verifies the Certificate, validates the Digital Signature, and finally maps this Certificate to a unique user through the rules an administrator creates when configuring LiveCycle. LiveCycle Rights Management ES also provides for flexibility and easier enterprise integration by providing server-based “SPIs,” which can be used to develop custom certificate authentication providers.

Many enterprises and governments today employ smart card based authentication, not only for its enhanced security but also for its ease of deployment and use for end users. For example, the United States Department of Defense issues Common Access Cards (CAC cards), which can be used for secure user identification. These CAC cards can be used within LiveCycle Rights Management ES to authenticate users who are opening protected documents. A user would insert his card into a smart card reader on his machine to identify himself. These readers are available in a variety of form factors and can be connected to a computer using a USB or PC card interface, and are integrated into many laptops today, such as the Dell Latitude line of business laptops.

To give you a better idea of how easy it is for an end user to authenticate to LiveCycle Rights Management ES using a smart card, click on the following demo:

Guest Contributor: Chaitanya Atreya


Questions or feedback on this entry? Contact us at RMFeedback@adobe.com

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

August 17, 2008

Additional Resources on Electronic Signatures and the Law

This entry is part of our continuing educational series, “What is an Electronic Signature, Anyway?” (Parts 1, 2, 3 and 4)


Disclaimer. This blog entry is not intended to provide legal advice. You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

Two months ago we discussed here the nature of the legal environment surrounding electronic signatures. I’d like to point out some additional resources that can expand your knowledge of the subject.

• Within the EU context, Law Professor Dr. Jos DuMortier, director of the Interdisciplinary Centre for Law and ICT at the Catholic University of Leuven (K.U. Leuven) in Belgium, and a well-known authority on the intersection of law with information technology, has published and/or contributed to a large number of whitepapers and articles on the subject of electronic signatures. This whitepaper from October 2007 describes how digital signatures created with PDF documents and the Belgian eID can be granted valid, legal status.

• Just last week, the American Bar Association published an impressive book entitled, “Foundations of Digital Evidence,” which covers, as you might have guessed, the implications, nature, and changes that digital evidence has wrought upon legal systems around the world. Adobe’s own Ed Chase, a Solutions Architect and one of our electronic signature gurus, contributed a critical chapter on PDF and its impact on the subject, providing details about how the features of PDF and digital signatures can support legal requirements for electronic records.

August 14, 2008

Partners working with partners...working with Adobe

Partners are critical to everything we do in the security space, and we are very proud of the best-of-breed Community we have fostered in order to best create solutions based on Adobe’s capabilities and customized to each customer’s needs.

With that in mind, we’re always extremely pleased to see cooperation among our many security partners so that they can also mutually leverage their capabilities, which in the end is all the better for our own customers.

One of our partners, Communication Intelligence Corporation (CIC), a key electronic signature industry player, recently announced a partnership with 4Point Solutions, one of our foremost LiveCycle systems integrators, to promote closer integration of their technologies.

And ARX, Inc., a security partner offering a convenient, virtually plug-and-play CA and signing appliance, CoSign, announced relationships (here and here) with two of our Certificate Authority partners, GlobalSign and ChosenSecurity, to provide more complete and easy-to-deploy solutions around these two companies’ digital ID offerings.

So, how do these new relationships benefit Adobe’s customers? CIC’s relationship with 4Point means that customers deploying LiveCycle will have more electronic signature options on the table. With ARX, customers looking to speed workflows with digital signatures can deploy the ARX CoSign product, centrally storing user signing credentials from GlobalSign or Chosen Security, both leading certificate authorities in their own right.

“The train has left the station!” - Electronic Signatures in the Real World

This entry is part of our continuing educational series, “What is an Electronic Signature, Anyway?” (Parts 1, 2 and 3.)

In June, at an event at the National Press Club, Jerry Buckley, Founding Partner at the Buckley Kolar law firm in Washington DC, as well as Counsel to the Electronic Signatures and Records Association (ESRA), an organization devoted to promulgating the use of electronic signatures & documents and educating the public & industry on those matters, stated that the “train had left the station” when it came to electronic signature usage around the world. As the demand for more fully electronic workflows becomes more pronounced, especially given the meteoric rise in gas, and thus shipping, prices, as well as an increasing desire on the part of enterprises and organizations to ‘go green,’ electronic signatures will become even more ubiquitous.

Buckley and Margo Tank, also a Founding Partner at Buckley Kolar, together provided compelling examples of this movement:

“This year marks a significant turning point in the adoption of electronic signatures...
• eMortgages up six-fold in last year
• $12 billion in electronic automobile finance contracts have been consummated and over $2 billion of these have been securitized, reflecting acceptance by the capital markets
• Billions of dollars in student loan transactions signed electronically
• Of relevance to our environment, the Government Printing Office estimates that it saves 20 tons of paper and roughly 480 trees by electronically distributing just one annually published document, the National Budget, electronically signed”

In parallel with the press event, ESRA also released a newsletter containing information on several key signature deployments. Two of these (US Government Printing Office and Procter & Gamble) are Adobe customers who have used the universally deployed nature of Reader and PDF, combined with Adobe’s powerful LiveCycle Enterprise Suite software, to save money and to accelerate and improve their signature workflows in combination with key security partners.

But the examples do not end there. Here are some other organizations that have revolutionized their business processes using various electronic signature methods combined with Adobe products:

Snap-On Credit: “We're impressed by the ease of integrating CIC and Adobe solutions into our processes. Already, we are looking to automate more forms processes, making it even faster and easier for franchisees to conduct business." – Thomas Niman, Snap-on Credit, LLC

Astra Zeneca: “‘Due to the enthusiastic response from users signing regulatory documents, we are looking for opportunities to leverage the existing solution for digitally signing documents in other areas,’ says Rich Ware, one of the project team leaders.” – Bio-IT World, July 2008
• Speaking of SAFE, be sure to check out this Adobe blog post on the use and deployment of digital signatures within SAFE environments.

Land Title & Survey Authority of British Columbia: "One law firm informed us they saved $6000 per month. Plus, the stress level is lower because there are fewer delays and errors in processing paperwork. Acrobat and Adobe Reader software are ideal for government agencies that want to streamline document processes by using electronic forms and digital signatures." - Denis Thomas, technical architect of the Electronic Filing System at the Land Title & Survey Authority

Kane County Circuit Court: "The automated process built around Adobe LiveCycle software is dramatically faster than our previous manual workflows. Within approximately sixty seconds of having a judge sign the document, an order of protection arrives at the sheriff's office for input into the national wanted persons database. Overall, we've seen as much as a five-fold improvement in the time it takes to complete, submit, and process orders of protection." - Matt Meyer, programmer at the Circuit Court Clerk's office

We’ll continue to shine light on other real world electronic signature deployments in future posts.