Author Archive: John Landwehr

LiveCycle Digital Signatures: Three Common Use Cases

With Adobe LiveCycle Digital Signatures, a solution component of the LiveCycle Enterprise Suite, you can easily automate digital signature processes, enabling your organization to bring more paper-based processes online. By facilitating a 100% electronic workflow, with no paper-out for handwritten signatures or special document authenticity seals, you can reduce costs, improve compliance, increase user satisfaction, and accelerate business processes. This article highlights three common use cases of this J2EE server component for digital signatures.

1. Automated Certified Document Publishing

Since version 6.0 of Acrobat and Reader, certified documents have provided document recipients with added assurances that the document was published by the named author and has not been modified. This is indicated by a blue ribbon:

When a certified document is opened with Acrobat or Reader, the Document Message Bar across the top of the document indicates the author’s name, email, organization, and verifying third party. Adobe published its Q3 2008 10Q as a certified document, like this:

Certifying digital signatures can validate automatically in Acrobat and Reader, without any additional software installation or configuration, by using the Certified Document Services program.

Certified documents can be created manually using Adobe Acrobat on the desktop via File -> Save as Certified Document. If you have a lot of documents to certify, or want to otherwise automate the certification process, LiveCycle Digital Signatures is the solution. The signing credential can either be stored in software on the server, or be more securely stored in a hardware security module (HSM) from one of Adobe’s Security Partners. Then a process is designed within LiveCycle to specify the file input, signature properties, and resulting output. Some examples include web services, drop folders/network shares, content management systems like LiveCycle Content Services powered by Alfresco or Documentum, SharePoint, FileNet, etc.

If you are also looking to automate document generation with certified documents, LiveCycle Digital Signatures can be integrated with LiveCycle PDF Generator and LiveCycle PDF Generator 3D to convert native documents to PDF and certify them in a single automated server process.

Certified documents are applicable not only for static documents, but also for interactive forms.  When coupled with LiveCycle Forms and LiveCycle Process Management, the automated certification can apply to the form template being delivered to a participant.  For example, if you are offering a loan of 30yr fixed at 6%, and want to have added assurances that what you sent out to a user is the same thing you get back (and not 60yrs at 3%!) – the certifying signature can be automatically applied to forms as they are generated and routed to participants in a workflow.  If certified form template data is modified or a fraudulent form is introduced into the process, LiveCycle can generate an exception when a document is returned with the certifying signature missing or invalid.

To see more certified documents in action, visit the US Government Printing Office website where they used LiveCycle Digital Signatures to digitally sign the FY2009 Federal Budget. University registrars, such as Penn State, University of Colorado, and University of Southern California, are also certifying official transcripts and delivering them faster, cheaper, and more securely than paper – by using certified PDF documents.

2. Workflow Validation

In a paper world, someone needs to manually examine every document to determine if all handwritten signatures have been applied by the right people in the right places.  Fortunately in the digital world, LiveCycle Digital Signatures provides a signature validation engine for automating the receipt of digitally signed PDF documents. If you are sending out forms and contracts to be digitally signed by Acrobat or Reader users on the desktop, LiveCycle can subsequently receive those signed documents and check the signatures as part of an automated process.

The server-side validation engine is configured using root PKI certificates as trust anchors to validate the certificate chain of each signature. The server is also capable of doing CRL and OCSP checks to verify that the signing credentials are not revoked. Those capabilities are coupled with the document integrity checks to verify that the current document and its signature have the same cryptographic fingerprint using hashing algorithms such as MD5, SHA1, SHA256, etc. If any of the signatures on a document are not valid, exceptions are generated in the business process. Otherwise, a document with valid signatures can more quickly proceed through the process without user intervention.

In the first use case described above, certified documents were recommended as a way to have added assurances that what is sent out is the same as what is received. LiveCycle can take a form template, such as one with loan terms, and certify it. It can then be delivered and reviewed by a recipient, digitally signed, and returned to the server. LiveCycle’s digital signature validation engine first checks that the certifying signature on the form template is still valid (e.g., the loan terms). Then LiveCycle can validate that the recipient has applied their own digital signature on top of any data they supplied and the underlying form template. If the document needs multiple approvals, it can continue validating multiple signatures on the document. When the signature validation process is complete, LiveCycle is able to extract the form data from the signed document, process it in other enterprise applications, and then store a copy of the signed document in a content management system for archival.
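The integrity step of the validation described above, as an added example that is not Adobe's or LiveCycle's code: a PDF signature's digest covers the /ByteRange spans on either side of the /Contents value, and the code below checks that digest on a constructed byte string. As an assumption for illustration, the digest is stored directly in /Contents instead of inside a signed CMS structure, so certificate chain and revocation checks are out of scope; `sign` and `verify` are hypothetical names.

```python
import hashlib
import hmac
import re

# Signature dictionary layout of this constructed format (modelled on PDF).
SIG_RE = re.compile(
    rb"/ByteRange \[(\d+) (\d+) (\d+) (\d+)\] /Contents <([0-9a-f]*)>")


def sign(body: bytes, tail: bytes = b"\n%%EOF\n") -> bytes:
    """Build a constructed signed blob (hypothetical helper, not a PDF signer)."""
    pre = body + b"\n<< /Type /Sig /ByteRange ["
    mid = b"] /Contents "
    post = b" >>" + tail
    # Fixed-width offsets, so filling them in does not shift the layout.
    hole_start = len(pre) + 43 + len(mid)   # index of '<'
    hole_end = hole_start + 66              # '<' + 64 hex chars + '>'
    br = b"%010d %010d %010d %010d" % (0, hole_start, hole_end, len(post))
    covered = pre + br + mid
    # Assumption: raw SHA-256 hex stands in for the signed CMS container.
    digest = hashlib.sha256(covered + post).hexdigest().encode()
    return covered + b"<" + digest + b">" + post


def verify(blob: bytes) -> str:
    """Classify the integrity state of a blob produced by sign()."""
    m = SIG_RE.search(blob)
    if m is None:
        return "missing"                    # signature stripped or never applied
    o1, l1, o2, l2 = (int(g) for g in m.groups()[:4])
    hole_start, hole_end = m.start(5) - 1, m.end(5) + 1
    # The two ranges must start at byte 0 and wrap exactly the /Contents value;
    # any other gap would leave bytes that nothing vouches for.
    if (o1 != 0 or o1 + l1 != hole_start or o2 != hole_end
            or o2 + l2 > len(blob)):
        return "bad-byte-range"
    actual = hashlib.sha256(blob[o1:o1 + l1] + blob[o2:o2 + l2]).hexdigest()
    if not hmac.compare_digest(actual.encode(), m.group(5)):
        return "digest-mismatch"            # covered bytes changed after signing
    if o2 + l2 < len(blob):
        # Bytes were appended after signing: the signature vouches only for
        # the earlier revision, and the later bytes need their own checks.
        return "valid-earlier-revision"
    return "valid-whole-file"


if __name__ == "__main__":
    # Constructed sample input echoing the loan-terms form in the text.
    form = sign(b"%PDF-1.7\nloan: 30yr fixed at 6%\n")
    print(verify(form))
    print(verify(form.replace(b"30yr fixed at 6%", b"60yr fixed at 3%")))
    print(verify(form + b"\n% later revision bytes\n"))
```

A `valid-earlier-revision` result is what a certifying signature looks like once a recipient's signature has been appended after it; the appended bytes still have to be validated in their own right.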

3. Counter-signatures

Many paper processes are not complete until they have an official "RECEIVED on DATE" stamp applied, like this:

In an electronic business process, LiveCycle Digital Signatures can also apply the equivalent of the received stamp as part of an automated workflow. After all of the document’s signatures have been validated and any additional field validation is performed on the supplied data – a final role-based signature can be applied in the server process, which can look something like this:

It’s also possible to create custom signature appearances so the digital signature actually looks like a paper-based received stamp.

There are many benefits to applying this final "received signature" as part of an automated server process. The received signature can provide a cryptographic based timestamp (RFC3161) to the document to show what exactly was received and when – important for time sensitive processes.  The signature can also indicate that at the time the document was received, all of the form data was valid and all of the digital signatures applied by any participants were also valid.

Live Webcast: Information Assurance – Keeping Your Documents Secure

Join us for this LIVE Event on:
Wednesday, October 29, 2008
12:00 PM PT / 3:00 PM ET

The need to keep your organization’s business critical information confidential by restricting distribution and preventing unauthorized disclosure of this information is imperative. Discover how Adobe Acrobat 9 can help protect your organization’s sensitive information by helping provide document control and security, addressing issues such as encryption, document authenticity, passwords, redaction, and sanitization/metadata removal. Join John Landwehr as he covers best practices on Security and Information Assurance.

More information and registration is available here.

Adobe Presenting at Security Automation Conference

On Wednesday September 24, 2008 John Landwehr from Adobe will be providing an overview of Digital Rights Management at the 4th Annual IT Security Automation Conference at NIST – Gaithersburg, MD.

A copy of the keynote presentation is available here as a 5MB PDF download.

DIRECTV NFL Sunday Ticket Supercast protected by Adobe products

DIRECTV and Adobe announced that the NFL SUNDAY TICKET SUPERCAST is powered by Adobe’s video solution with content protection.

DIRECTV is also providing SUPERCAST as a downloadable rich Internet application (RIA) built on Adobe AIR. Adobe AIR offers a new way to engage customers on the desktop with a downloadable, branded RIA that can be deployed across major operating systems. The SUPERCAST application on AIR provides a wide variety of real-time NFL SUNDAY TICKET content right on the desktop as games stream live in high-quality H.264 video, including Red Zone channel’s live-action of critical plays, statistics and moments from game broadcasts, as well as near real-time highlights from all the games. Additionally, only in the SUPERCAST application on Adobe AIR can fans receive desktop notification alerts when requested highlights become available. SUPERCAST is available at

Content is streamed live via Adobe Flash Media Server software to the browser using Adobe Flash Player technology, which is installed on more than 98 percent of Internet-connected computers, and to the desktop via Adobe AIR. DIRECTV also uses Adobe Flash Media Rights Management Server software for digital rights management (DRM) to protect the NFL premium on-demand content downloaded to the desktop. Adobe Flash Media Server is helping enable DIRECTV to stream content more securely and cater to large volumes of fans with rapid, reliable delivery of exciting content. Adobe Flash Media Rights Management Server is a robust on-demand content protection solution that is non-intrusive to users, yet can allow DIRECTV to safeguard media integrity, authenticity and access, whether SuperFan subscribers are online or offline, even after the content has been viewed.

Scientific American Article on Improving Online Security

Adobe recently participated in an industry roundtable on Improving Online Security. The transcript has been published in the September 2008 issue of Scientific American, page 96 and on their website.

John Landwehr from Adobe and representatives from Hewlett Packard, Kaiser Permanente, McAfee, Microsoft, Panda Security, Sun, and Symantec discussed ways to protect against more numerous and sophisticated attacks by hackers and called for upgraded technology along with more attention to human and legal factors.

Now hiring: Digital Signatures Product Management

Adobe is looking for a Sr. Product Manager to join our security solutions team and work on digital signatures in Acrobat, Reader, and LiveCycle.

The job description and application process is posted on

Adobe (NASDAQ: ADBE) revolutionizes how the world engages with ideas and information. For 25 years, the company’s award-winning software and technologies have redefined business, entertainment, and personal communications by setting new standards for producing and delivering content that engages people virtually anywhere at anytime. From rich images in print, video, and film to dynamic digital content for a variety of media, the impact of Adobe solutions is evident across industries and felt by anyone who creates, views, and interacts with information. With a reputation for excellence and a portfolio of many of the most respected and recognizable software brands, Adobe is one of the world’s largest and most diversified software companies.

Today, Adobe is better positioned than ever to push the boundaries of the digital universe. Under the leadership of President & CEO Shantanu Narayen, we’re driving even greater innovation with powerful, compelling software solutions that meet the needs of customers and markets ranging from designers and filmmakers, to enterprises and governments, to developers and home users.

Recognizing that employees are at the core of our success, Adobe recruits and retains highly qualified and motivated individuals, creates an environment where they can innovate and achieve their best, and rewards them for their performance by giving them an opportunity to share in the company’s success.

Position Overview
Adobe Information Assurance Solutions enable organizations to more securely engage with employees, external associates, and customers by protecting the information lifecycle. Security can be persistently applied to information independent of storage and transport, inside and outside an organization. Adobe’s ecosystem of security partners provides interoperability with many information security infrastructures including identity and access management, single-sign-on, public key infrastructures, smart cards, and biometrics.

This Sr. Product Manager position in the Security Solutions team of Adobe’s Business and Productivity BU will significantly contribute to growing Adobe’s market share in information assurance solutions by identifying and prioritizing feature requirements, providing product competitive analysis, understanding customer usage workflows and customer satisfaction, driving and evaluating technology trends, ease of use, standards and certifications.

Requires at least 5 years of experience in enterprise software product management. BS in Computer Science or related technical discipline, and in-depth experience with identity management, electronic and digital signatures, encryption, J2EE authentication, public key infrastructure, smartcards, maintaining documents of record, and information lifecycle workflows.

This position also requires significant cross-group interaction, a strong customer and partner focus, excellent communication, presentation, and negotiation skills, attention to detail, solid technical abilities to collaborate with engineering and direct market experience. Candidates must be passionate about the technology to make Adobe solutions more secure and easy to use. Preference given to candidates with security certifications.

Adobe believes personal fulfillment and company success go hand in hand, sustaining one another. In fact, our dynamic, rewarding working environment is well known – including eight years on FORTUNE magazine’s “100 Best Companies to Work For” and other, similar accolades. By hiring the very best and brightest, Adobe continues to be a simply better place to work – creating a dynamic environment today and providing incentives for future achievement.

Now available: rights management for downloadable video

Today Adobe announced general availability of the Flash Media Rights Management Server with cross-platform content protection that helps safeguard video content created for Adobe Flash technology against misuse.

Adobe has been offering content protection capabilities for over a dozen years in a variety of formats, starting with PDF and expanding to native office documents and CAD files. As the leader in web video, Adobe has also had online streaming protections from Flash Media Server since its second release in 2005, which have recently expanded in Flash Media Server 3.

Adobe’s Rights Management technologies are now included in the Adobe AIR Runtime to protect downloadable and offline video in Adobe Media Player and other custom AIR applications. This provides content owners with the ability to consistently protect their content on both Mac and Windows platforms, with Linux in the works, providing significant cross-platform reach.

The server is also cross platform, running on Windows and Linux, providing utilities to encrypt video files encoded with the Sorenson, On2 and H264 video codecs. Those protected files can then be distributed over standard HTTP progressive download delivery, including through a CDN. The FMRMS service provider interfaces allow for integration into existing infrastructure for authentication and authorization of content.

The content protection capabilities Adobe provides give content owners choices in download to own, download to rent, and ad-supported business models with an engaging user experience including content protection.

A FAQ is available here.

Digital Courtroom: Tribunale di Cremona

A new case study is available showcasing Tribunale di Cremona, one of the Courts within the District of Tribunale di Brescia, using Adobe Connect with Adobe LiveCycle solutions to support an end-to-end process for holding legal proceedings with dispersed parties and efficiently delivering all required case documents.

In addition to supporting dynamic web conferences with streaming audio and video, Adobe solutions deliver other benefits to the Digital Connect project. For instance, the court can store court papers for each trial in Adobe PDF; plus staff can handle documents remotely and securely via digital signature authentication.

These capabilities are handled by Adobe LiveCycle solutions to address the need to assign policy controls to protect documents.

“These features are critical,” says Beluzzi. “A trial transcript can be shared among participants, downloaded, digitally signed just as if participants were physically next to each other. In addition, the transcript goes through a workflow and is automatically added to the remaining court papers.”

The project is the result of a productive collaboration with Adobe. First electronic court papers, then web conferencing-based court trials give the Italian justice system a new image: fast, efficient, and on time.

“By collaborating with Adobe and using products such as Adobe Policy Server, Adobe LiveCycle Workflow, and Adobe Connect, the court is designing a powerful system that can be replicated in other areas without customization,” says Beluzzi. “This is important because it allows Tribunale di Cremona to achieve great results with limited efforts, without developing ad hoc software.”

The Court has documented the excellent cost benefits of the system. The total cost of training and traveling for detainees and lawyers is about €467,000 a year. Using Digital Connect to perform trials and to train employees could save the Court over €1 million in three years.

US Government Printing Office Deploys Digital Signatures for FY2009 Budget

Today the United States Government Printing Office (GPO)  deployed digital signatures in Adobe PDF for the release of The Budget of the U.S. Government, Fiscal Year 2009.

The Executive Office of the President, Office of Management and Budget (OMB) released a statement stating this is the first time the White House will not order hard copy versions of the budget, and has instead posted the budget online as fully searchable PDF documents. 

With an estimated total of nearly 2,200 pages in the four-book budget set, and a projected order of more than 3,000 copies for the media, Capitol Hill and the White House, the E-Budget will have a “green” focus above and beyond the fiscal sense. This step will save nearly 20 tons of paper, or roughly 480 trees. In terms of fiscal savings, we estimate the E-Budget will save nearly a million dollars over the next five years.

GPO has implemented a new digital seal of authenticity for their PDF documents, including today’s release of the FY2009 budget:

For almost 150 years, the U.S. Government Printing Office (GPO) has been the official disseminator of Government documents and has assured users of their authenticity.

In the 21st century, the increasing use of electronic documents poses special challenges in verifying authenticity, because digital technology makes such documents easy to alter or copy, leading to multiple non-identical versions that can be used in unauthorized or illegitimate ways.

To help meet the challenge of the digital age, GPO has begun implementing digital signatures to certain electronic documents on GPO Access that not only establish GPO as the trusted information disseminator, but also provide the assurance that an electronic document has not been altered since GPO disseminated it.

The visible digital signatures on online PDF documents serve the same purpose as handwritten signatures or traditional wax seals on printed documents. A digital signature, viewed through the GPO Seal of Authenticity, verifies document integrity and authenticity on GPO online Federal documents, at no cost to the customer.

More information on GPO’s authentication program is available at

Opening the Nation’s Fiscal Outlook from GPO Access with Acrobat 8.1.1 on Windows XP SP2:

Opening the Nation’s Fiscal Outlook with Acrobat 8.1.1 on Mac OS X 10.5.1 (Leopard)

The digital signatures on the GPO documents automatically validate with Adobe Acrobat and Adobe Reader version 7 and higher on Mac and Windows, via the Certified Document Service (CDS) program. No additional software or configuration is required to validate CDS signatures. 

There are several ways recipients can verify the signature status.  First is the document message bar across the top of the document, showing the certifying blue ribbon as well as information contained in the signer’s certificate:

The left navigation panel also has an icon of a pen over paper, which brings up the digital signature pane, showing additional information on the document signature:

Clicking on the GPO document seal in the PDF will also bring up the Signature Validation Status:

Clicking on that Signature Properties button above provides even more detail of the signature, including the authenticity, integrity, and timestamping indicators – with the ability to drill down deeper to review revocation status, certificate chaining, and other security information associated with the signature.

For digital signatures to automatically validate in Acrobat and Reader, the Public Key Infrastructure (PKI) certificates must have been issued by a Certificate Authority (CA) participating in the CDS Program. These CAs comply with the Adobe CDS Certificate Policy.  This is a program Adobe released in 2003 with Acrobat and Reader 6.  The CA/Browser Forum released a program with similar intentions for web browser SSL sites in 2007. 

Certifying signatures can be applied to PDF documents on the desktop using Adobe Acrobat, or on the server using Adobe LiveCycle Digital Signatures. Recipients’ approval signatures can also be applied using Adobe Acrobat or Adobe Reader (via Adobe LiveCycle Reader Extensions) and then subsequently validated on the server with Adobe LiveCycle Digital Signatures as part of an automated workflow process.

Adobe Systems has been providing security technologies in PDF for over a dozen years.  Adobe uses FIPS 140 approved cryptography, has been approved by the US Department of Defense, and certified by the SAFE BioPharma Association. Adobe’s security solutions are also supported by a strong partner ecosystem to extend the native capabilities of authentication through hardware and software integration.




Demo: Certified Documents in Adobe PDF

Here is a demonstration of a PDF document that has a certifying signature plus four recipient signatures from four different certificate authorities that are part of Adobe’s Certified Document Services (CDS) program.

Click here to download the PDF for Adobe Acrobat and Adobe Reader version 6 and higher.

In v8 and higher, you will see a status bar across the top, indicating the valid document certification:

followed by the recipient signatures from each of the CAs:

For long-term digital signature validation, each of these signatures also includes an embedded OCSP response for the certificates in the chains and RFC3161 timestamps. This shows that the certificates were valid at the time of signing – even if the document is subsequently opened after certificate expiration or revocation.