Posts in Category "Demonstrations"

Digital Signatures with PIV and PIV-I Credentials

In response to Homeland Security Presidential Directive (HSPD) 12, NIST created a program for improving the identification and authentication of Federal employees and contractors to Federal facilities and information systems.  This program is Federal Information Processing Standard (FIPS) 201, entitled Personal Identity Verification (PIV) of Federal Employees and Contractors, which as of September 2011 had issued over 5 million credentials.  PIV-I expands the interoperable secure PKI credentialing to Non-Federal Issuers (NFI) so that other organizations seeking identity federation can include their own employees.  Currently approved PIV-I providers include DigiCert, Entrust, Operational Research Consultants, VeriSign/Symantec, and Verizon Business.  The CertiPath bridge also supports PIV-I credential providers such as Citi and HID.

If you have a PIV or PIV-I card, and are interested in digitally signing documents for consent/approval signatures or certified publishing – Adobe Acrobat and Adobe Reader will automatically validate digital signatures via US Federal Common Policy.  Through the Adobe Approved Trust List  (AATL) program, the following trust anchors are included in version 9 and higher:

  • Common Policy — 2010 expiry — Common Hardware, Common High, Medium HW CBP
  • Common Policy — 2027 expiry — Common Hardware, Common High, Medium HW CBP
  • Federal Common Policy CA — 2030 expiry — Common Hardware, Common High, Medium HW CBP, SHA1 Hardware
To have the digital signature automatically validate for any recipient, whether or not they have a PIV/PIV-I credential, the signer’s system must build a complete certificate chain for path validation to reach one of the supported trust anchors.  If the signer’s system only has the signer’s certificate – it will not validate for anyone else automatically.  A recommendation to make this easier is for all of the issuing certificate authority public key certificates to be stored on the smartcard and available to the OS+applications.  That way the card can be truly portable and sign documents on any system.  Otherwise, the system administrator will need to ensure all of the certificates are otherwise installed into the OS and available to Adobe Acrobat/Reader.

As an example, below is an overview of configuring digital signatures with the HID PIV-I service.

After the customer application is approved and credentials are being issued, the user will need to install the chain of certificates on their signing systems.  The certificates required are:
  1. HIDSigningCA1
  2. HIDRootCA1
  3. Federal Bridge CA
  4. CertiPath Bridge CA – G2

There are several ways these certificates can be installed.  The easiest is to open the attached file HID_PIV-I_AdobeConfiguration.pdf, which provides a simplified installation experience into Adobe Acrobat and Adobe Reader.  You can also download the FDF directly here:  HID-PIV-I-Certs-AdobeReader.fdf

Now you can sign a PDF file and it will automatically validate for anyone with Acrobat or Reader version 9.1 or higher.
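To show why the full chain matters, here is an added example (not code from the original post or from HID/Adobe) of structural certificate path building: it walks issuer links from the signer's certificate through whatever certificates the system has until a trust anchor from the AATL list is reached, and reports which certificate is missing when it cannot. The issuer relationships between the four HID/bridge certificates are an assumption made for the illustration.

```python
# Added example, not from the original post: structural certificate path
# building of the kind Acrobat/Reader must complete before a PIV/PIV-I
# signature validates for a recipient. Certificates are modelled by subject
# and issuer name only; real path validation additionally checks signatures,
# validity periods, policies and revocation, all omitted here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Trust anchors named in the post's AATL list.
TRUST_ANCHORS = {"Common Policy", "Federal Common Policy CA"}

# Constructed sample of the HID PIV-I chain. Who issued (cross-certified)
# whom is an assumption for this illustration; the post lists the four CA
# certificates but not their issuer relationships.
SIGNER = Cert("CN=Jane Doe (sample signer)", "HIDSigningCA1")
HID_CHAIN = [
    Cert("HIDSigningCA1", "HIDRootCA1"),
    Cert("HIDRootCA1", "CertiPath Bridge CA - G2"),
    Cert("CertiPath Bridge CA - G2", "Federal Bridge CA"),
    Cert("Federal Bridge CA", "Federal Common Policy CA"),
]

def build_path(leaf, available, anchors=TRUST_ANCHORS, max_len=10):
    """Follow issuer links from leaf through the available certificates
    until a trust anchor is reached. Returns (path, missing): missing is
    None on success, else the issuer name the store could not supply."""
    by_subject = {c.subject: c for c in available}
    path, current = [leaf], leaf
    for _ in range(max_len):
        if current.issuer in anchors:
            return path, None                  # chain complete
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt in path:         # gap in the store, or a loop
            return path, current.issuer
        path.append(nxt)
        current = nxt
    return path, current.issuer                # too long; treat as incomplete

if __name__ == "__main__":
    # Only the signer's own certificate on the system: nobody else can validate it.
    print(build_path(SIGNER, []))
    # The four CA certificates installed (e.g. via the FDF): reaches the anchor.
    print(build_path(SIGNER, HID_CHAIN))
```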

A sample HID PIV-I signature document, digitally signed with a production HID PIV-I card, looks like this:

Here is the path that the digital signature follows for validation:

Happy Birthday, ESIGN!!

On Wednesday, don’t be concerned/scared/shocked if you see your sales people looking somewhat calmer, your legal counsel winces a little less when you crack a lawyer joke, your chief risk officer smiles at you, and your controller pulls you over and eagerly points to the latest revenue figures.

Why? June 30th is the tenth anniversary of the US federal law that made their lives easier by putting electronic signatures on equal footing with wet ink! That’s right: 10 years ago tomorrow, President Bill Clinton digitally signed into law the ESIGN Act (eSignAct.pdf).

How is this important? The electronic signatures legalized with the ESIGN Act produce dramatic, real-world benefits for Adobe’s customers.


Feature Spotlights – Flexible Authentication in LiveCycle ES2

Adobe released updates of all of the LiveCycle components when we released our “ES2” version in November 2009. As a part of this we made some significant strides to expand how you can integrate our product suite into other directory, identity management, and authentication systems.

I’d like to take this opportunity to explain some of what is new, as well as show you several videos that go into each area in more depth.

First, our integration with ActiveDirectory and LDAP directories executes substantially faster, as we have optimized the system to only pick up records that have changed recently. More info:

Second, our integration with Smartcards and PKI certificates for strong authentication is much more flexible, and supports many more types of certificates. More info:

Third, several customers have asked us to query one directory for user information, but integrated with a second instance for high performance authentication. We’ve listened and now support this — more info:

Finally, all of our web- and Flex-based components now support SAML-based federated identity for authentication. Technically, this means that LiveCycle is substantially more flexible in terms of the Single-Sign-On (SSO) and authentication facilities that can be used. In practice this means that it is very easy for you to integrate LiveCycle into your processes for interacting with customers and engaging with citizens without deploying additional identity provisioning or management software. More info:

Feature Spotlights – Simplifying Access Control in Rights Management ES2

Adobe released LiveCycle Rights Management ES2 in November 2009. This will be the first of several postings that detail some of the new functionality within the product and how it can help you be more effective in protecting your intellectual property and restricting access to personally identifiable information.

Today I’ll provide an update on how we’ve simplified how you can define and use access control within your organization as well as across artificial boundaries; with LiveCycle you can confidently ensure that only the right people — regardless of whether they are one of your employees, contractors, partners, customers, or citizens — have access to documents.

Specifically, the latest product offers a new rich web application for defining which users and groups should be able to open documents — or modify, print, copy, etc. You can define and edit policies much more quickly now that you can add multiple users or groups simultaneously.

And with our new “dynamic groups” feature, you can more quickly restrict access to an entire external organization. For example, if you found you were previously listing several users with your partner “”, manually adding,, and, you now have a new option. By adding the LiveCycle dynamic group “*”, you have the flexibility of a wildcard.

The following two video demos show off the new UI as well as the new flexible dynamic groups mechanisms. Check them out!

Improved policy interface:

Dynamic groups:

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Seven Technology Habits of Highly Effective CFOs

Recently, Adobe executive vice president and Chief Financial Officer Mark Garrett presented a keynote at the CFO Rising conference, sponsored by CFO Magazine. Speaking to a ballroom full of senior finance executives, Mark outlined the “Seven Technology Habits of Highly Effective CFOs” and utilized several case study examples to illustrate his points.


Seamlessly storing and managing documents protected with LiveCycle ES

A frequent topic of conversation with customers is how LiveCycle ES can be used to seamlessly store and manage protected documents. Following on to an earlier discussion of some of the capabilities within LiveCycle Content Services ES, we recently published an article in the LiveCycle Developer Center describing how LiveCycle can be used as a repository of protected documents. An online guide as well as several Captivate demos can be found at

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Packaging options for encrypted PDFs

Since Acrobat 2.0 in 1994, encryption has been available to protect a PDF document – restricting who can open it and what they can subsequently do with it. Today, there are a number of packaging options for distributing one or more protected PDF files.


Flexibility in identifying and authenticating users

We’ve received a bunch of good feedback lately on some of our explanations and demonstrations of the authentication types supported in LiveCycle Rights Management. We adapted some of these posts into a technical article within the LiveCycle Developer Center on Adobe’s web site. You can read it here:

Rights Management within LiveCycle Content Services

This past summer Adobe released the LiveCycle ES Update 1 release. This included LiveCycle Content Services ES, a fully integrated set of content services that enables organizations to "manage content in a lower-cost, extensible way for cross-company and cross-organizational processes". LiveCycle Rights Management ES is a core part of this offering, and allows organizations to include content protection as a part of these cross-organizational processes.

Each "space" within Content Services can be seen as a folder to hold sub-spaces or content. These spaces can be associated with business rules and security — including various access control rights as defined by LiveCycle Rights Management ES.

It’s easy for business users to interact with these spaces because content can be added in several different ways; for example: using the Web UI, FTP, CIFS, or WebDAV. Adding security is a breeze because the act of adding content can be associated with an automatic trigger that can protect the content with Rights Management. For example, an administrator can create a trigger to associate the "Confidential" policy for general documents, or the "Mergers & Acquisitions" policy for content being stored for the M&A team.

In today’s blog entry we show off a simple example of how:

  1. An administrator can create a rule to automatically protect all content with a specific predefined policy.
  2. An end user can upload a document to be automatically protected.
  3. A recipient can open a protected document within the Content Services repository.

Click on the following screenshot of LiveCycle Content Services for a brief tour of this functionality:

Guest Contributor: Neerav Aggarwal

Questions or feedback on this entry? Contact us at

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Flexibility in identifying and authenticating users – Part Two

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smart card/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructures, along with allowing for substantial mechanisms for customization and integration. As promised in part one, today’s topic is a deep dive on smartcard/certificate authentication and the benefits to customers.


Smart card / Certificate authentication

The fourth type of authentication that LiveCycle Rights Management ES supports is smart card, or certificate-based authentication. For some customers, this form of authentication is often more secure than the other forms of authentication supported. To understand how it works in LiveCycle Rights Management ES and the benefits it provides, however, requires some background and context.

A smart card, in its most well-known form, is a credit card-sized ‘intelligent card’ that carries a user’s credentials in the form of Digital Certificates. Many variants today also possess processing capabilities like the ability to compute Digital Signatures. A smart card is a something-you-have type of authentication, as compared to Username/Password which is something-you-know.

A Digital Certificate, often just referred to as a Certificate, is a digital document that at a minimum includes a Distinguished Name (DN) and an associated Public Key. The DN uniquely identifies a user’s identity, and the key pair behind the public key can be used to prove that identity. The Certificate is signed by a trusted third party known as a Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. This Public Key Infrastructure (PKI) assumes the use of Public Key Cryptography, which is the most common method on the Internet for authenticating end parties or encrypting messages. PKI addresses the key distribution problem inherent in traditional, symmetric cryptography, and at the same time provides added security by having strict requirements for key lengths and industry standard cryptographic algorithms (set forth by the Public Key Cryptography Standards, or PKCS, governed by RSA Laboratories).

At the time of authentication, LiveCycle Rights Management ES validates the chosen Certificate’s signature against its cache of known and trusted CA certificates. The server verifies the Certificate, validates the Digital Signature, and finally maps this Certificate to a unique user through the rules an administrator creates when configuring LiveCycle. LiveCycle Rights Management ES also provides for flexibility and easier enterprise integration by providing server-based “SPIs,” which can be used to develop custom certificate authentication providers.
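The two server-side steps just described, reduced to an added illustration (not LiveCycle code and not the product's SPI): the presented certificate must come from an issuer in the trusted-CA cache, and administrator-defined rules must map its subject DN to exactly one directory user. Signature verification is assumed to have already passed; the trusted issuer, the rules and the directory are constructed stand-ins for what an administrator would configure.

```python
# Added illustration, not LiveCycle code: the server-side steps the post
# describes, reduced to two checks. Signature verification against the CA
# cache is assumed to have passed already; what remains is (1) the issuer
# must be a trusted CA and (2) administrator rules must map the subject DN
# to exactly one user in the directory.

def parse_dn(dn):
    """Split an RFC 4514 style DN into (attribute, value) pairs, honouring
    backslash-escaped commas such as 'CN=Doe\\, Jane'."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character
            buf += dn[i + 1]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    return [tuple(p.strip().split("=", 1)) for p in parts if p.strip()]

# Constructed stand-ins for what an administrator configures.
TRUSTED_ISSUERS = {"CN=Example Corp Issuing CA,O=Example Corp,C=US"}
RULES = [("EMAILADDRESS", "email"), ("CN", "name")]  # (DN attribute, directory field)
DIRECTORY = [
    {"id": "jdoe", "email": "jane.doe@example.com", "name": "Doe, Jane"},
    {"id": "jsmith1", "email": "j.smith@example.com", "name": "Smith, John"},
    {"id": "jsmith2", "email": "john.smith@example.com", "name": "Smith, John"},
]

def authenticate(cert, trusted=TRUSTED_ISSUERS, rules=RULES, directory=DIRECTORY):
    """Return (user_id, None) on success or (None, reason) on failure."""
    if cert["issuer"] not in trusted:
        return None, "issuer not in trusted CA cache"
    attrs = dict(parse_dn(cert["subject"]))
    for attr, field in rules:
        value = attrs.get(attr)
        if value is None:
            continue                      # rule does not apply, try the next
        hits = [u["id"] for u in directory if u[field].lower() == value.lower()]
        if len(hits) == 1:
            return hits[0], None
        if hits:
            return None, f"{attr} maps to more than one user"
    return None, "no mapping rule matched"
```

The ambiguity check is the point: a CN shared by two directory entries is rejected rather than silently mapped to the first match, which is why an administrator would normally put an attribute such as the e-mail address ahead of CN in the rule order.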

Many enterprises and governments today employ smart card based authentication, not only for its enhanced security but also for its ease of deployment and use for end users. For example the United States Department of Defense issues Common Access Cards (CAC cards) which can be used for secure user identification. These CAC cards can be used within LiveCycle Rights Management ES to authenticate users who are opening protected documents. A user would insert his card into a smart card reader on his machine to identify himself. These readers are available in a variety of form factors and can be connected to a computer using USB or PC card interface – and are integrated into many laptops today, such as the Dell Latitude line of business laptops.

To give you a better idea of how easy it is for an end user to authenticate to LiveCycle Rights Management ES using a smart card, click on the following demo:

Guest Contributor: Chaitanya Atreya

Questions or feedback on this entry? Contact us at

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe