LiveCycle Digital Signatures: Three Common Use Cases

PostsThe Archives

With Adobe LiveCycle Digital Signatures, a solution component of the LiveCycle Enterprise Suite, you can easily automate digital signature processes, enabling your organization to bring more paper-based processes online. By facilitating a 100% electronic workflow, with no paper-out for handwritten signatures or special document authenticity seals, you can reduce costs, improve compliance, increase user satisfaction, and accelerate business processes. This article highlights three common uses cases of this J2EE server component for digital signatures.

1. Automated Certified Document Publishing

Since version 6.0 of Acrobat and Reader, certified documents have provided documents recipients with added assurances that the document was published by the named author and has not been modified. This is indicated by a blue ribbon:

When a certified document is opened with Acrobat or Reader, the Document Message Bar across the top of the document indicates the author’s name, email, organization, and verifying third party.  Adobe published it’s Q3 2008 10Q as a certified document, like this:

Certifying digital signatures can automatically validate in Acrobat and Reader – without any additional software installation or configuration, by using the Certified Document Services program

Certified documents can be created manually using Adobe Acrobat on the desktop via File -> Save as Certified Document.  If you have a lot of documents to certify, or want to otherwise automate the certification process, LiveCycle Digital Signatures is the solution. The signing credential can either be stored in software on the server, or be more securely stored in a hardware security module (HSM) from one of Adobe’s Security Partners.  Then a process is designed within LiveCycle to specify the file input, signature properties, and resulting output. Some examples include webservices, drop folders/network shares, content management systems like LiveCycle Content Services  powered by Alfresco or Documentum, Sharepoint, FileNet, etc.

If you are also looking to automate document generation with certified documents, LiveCycle Digital Signatures can be integrated with LiveCycle PDF Generator and LiveCycle PDF Generator 3D to convert native documents to PDF and certify them in a single automated server process.

Certified documents are applicable not only for static documents, but also for interactive forms.  When coupled with LiveCycle Forms and LiveCycle Process Management, the automated certification can apply to the form template being delivered to a participant.  For example, if you are offering a loan of 30yr fixed at 6%, and want to have added assurances that what you sent out to a user is the same thing you get back (and not 60yrs at 3%!) – the certifying signature can be automatically applied to forms as they are generated and routed to participants in a workflow.  If certified form template data is modified or a fraudulent form is introduced into the process, LiveCycle can generate an exception when a document is returned with the certifying signature missing or invalid.

To see more certified documents in action, visit the US Government Printing Office website where they used LiveCycle Digital Signatures to digitally sign the FY2009 Federal Budget. University registrars, such as Penn State, University of Colorado, and University of Southern California, are also certifying official transcripts and delivering them faster, cheaper, and more secure than paper – by using certified PDF documents.

2. Workflow Validation

In a paper world, someone needs to manually examine every document to determine if all handwritten signatures have been applied by the right people in the right places.  Fortunately in the digital world, LiveCycle Digital Signatures provides a signature validation engine for automating the receipt of digitally signed PDF documents. If you are sending out forms and contracts to be digitally signed by Acrobat or Reader users on the desktop, LiveCycle can subsequently receive those signed documents and check the signatures as part of an automated process.

The server side validation engine is configured using root PKI certificates as trust anchors to validate the certificate chain of each signature.  The server is also capable of doing CRL and OCSP checks to verify that the signing credentials are not revoked. Those capabilities are coupled with the document integrity checks to verify that the current document and its signature have the same cryptographic fingerprint using hashing algorithms such as MD5, SHA1, SHA256, etc. If any of the signatures on a document are not valid, exceptions are generated in the business process. Otherwise, a document with valid signatures can more quickly proceed through the process without user intervention.

In the first use case described above, certified documents were recommended as a way to have added assurances that what is sent out, is the same as what’s being received. LiveCycle can take a form template, such as one with loan terms, and certify it. It can then be delivered and reviewed by a recipient, digitally signed, and returned back to the server. LiveCycle’s digital signature validation engine first checks that the certifying signature on the form template is still valid (eg the loan terms). Then LiveCycle can validate that the recipient has applied their own digital signature on top of and data they supplied and the underlying form template. If the document needs multiple approvals, it can continue validating multiple signatures on the document.  When the signature validation process is complete, LiveCycle is able to extract the form data from the signed document, process in other enterprise applications and then store a copy of the signed document in a content management system for archival.

3. Counter-signatures

Many paper processes are not complete until they have an official "RECEIVED on DATE" stamp applied, like this:

In an electronic business process, LIveCycle Digital Signatures can also apply the equivalent of the received stamp as part of an automated workflow.  After all of the document’s signatures have been validated any any additional field validation is performed on the supplied data – a final role-based signature can be applied in the server process, which can look something like this:

It’s also possible to create custom signature appearances so the digital signature actually looks like a paper-based received stamp.

There are many benefits to applying this final "received signature" as part of an automated server process. The received signature can provide a cryptographic based timestamp (RFC3161) to the document to show what exactly was received and when – important for time sensitive processes.  The signature can also indicate that at the time the document was received, all of the form data was valid and all of the digital signatures applied by any participants were also valid.

Posts, The Archives

Posted on 11-10-2008