Posts in Category "Demonstrations"

Protecting native Office documents

On June 17th Adobe announced an expansion of the LiveCycle Enterprise Suite with our forthcoming LiveCycle ES Update 1 release. Included as a part of this release is our second version of our LiveCycle Rights Management ES Extension for Microsoft Office. This release expands our support for to include the ability to protect, and collaborate in natively protected Word documents, Excel spreadsheets and PowerPoint presentations. Further, we support all editions of Office 2003 and Office 2007 localized natively into English, French, German, and Japanese.

Click on the following screenshot to watch a short Captivate demo of our native support for PowerPoint presentations:

The software are now available for download from for use with your LiveCycle Rights Management ES system.

Questions or feedback on this entry? Contact us at

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Emerging Technology: Audit Dashboard

LiveCycle Rights Management can help you maintain the confidentiality of sensitive information by protecting files against unauthorized access. You can also monitor each recipient’s use of the protected information, including when and how often the file is accessed, through detailed audit logs.

The detailed audit logs are accessible through our Web-based GUI, as well as
programmatically through a set of APIs. One of our engineers recently was learning how to develop Adobe AIR applications, and decided to use these APIs to create a new audit dashboard application for examining audit data. We’re starting to explore ways to release this application in the future but I wanted to share a preview of it with you. We’re looking for feedback – so feel free to send an email to the address at the end of the Captivate video.

Click on the following screenshot to watch the preview:


Questions or feedback on this entry? Contact us at

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

LiveCycle Rights Management ES supports native Pro/ENGINEER documents

In early 2008 PTC shipped Pro/ENGINEER Wildfire 4, their integrated solution for 3D CAD/CAM. As announced in our relationship last year, PTC and Adobe have worked together to integrate Adobe LiveCycle Rights Management ES directly into Pro/ENGINEER, providing native CAD document protection. Sold as the Pro/ENGINEER Rights Management Extension, this solution exclusively works with Adobe LiveCycle Rights Management ES, allowing designers to provide persistent and dynamic access control to Pro/ENGINEER part, assembly, and drawing files.

Adobe’s latest release of the LiveCycle Rights ManagementES Update 1 — provides additional functionality for Pro/ENGINEER customers wishing to manage and track iterated versions of protected parts and assemblies. These extensions enable designers to ensure that suppliers are instantly updated to the latest version of a design, decreasing the pain of mismatched versions when designing products sourced from multiple organizations.

Click on the following screenshot of Pro/ENGINEER for a brief tour of the functionality:

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Flexibility in identifying and authenticating users – Part One

Rights management is used to manage usage rights to protect sensitive documents, ensuring that only authorized users have access to protected information. At its core, this is dynamic protection based upon user identities. To facilitate this, the system must know which individual users should have access to secured content.

Flexibility in identifying and authenticating users ensures that protection can be transparently integrated into preexisting infrastructure, and is central to effective deployment. The benefits should be clear: fast deployment, easy administration, and quick to achieve a return on investment.

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smartcard/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructure, along with allowing for substantial mechanisms for customization and integration.

In today’s topic, let me explain some of the possibilities and benefits associated with the first three authentication type:

Anonymous authentication

This type of authentication completely skips identifying the end-user! By granting “guest-level” access to content, end-users need not authenticate prior to being authorized to open content. This allows several workflows:

  1. Authors can distribute content and still control them through the “yank and replace” revocation mechanism. For example, an author can distribute a price sheet or a data capture form, and make sure that only the latest version of content can be viewed.
  2. Even though individual end-user identity is unknown, authorization can be controlled based upon IP address or the number of times content has been viewed. Further, detailed (though anonymous) audit records can keep track of how frequently documents are opened.

Username/password authentication

This is typically the most familiar authentication dialog within LiveCycle Rights Management ES:


This dialog is the gateway to the powerful “username/password” authentication; it provides out-of-the-box functionality to authenticate users against a variety of directory systems, as well as create a custom integration with other credential providers.

For example, you can authenticate users against supported LDAP directories (e.g., Microsoft Active Directory, Sun Directory Server, IBM Domino LDAP, Novell eDirectory, etc.) that you already have deployed. But there’s no need to limit yourself to LDAP users. We provide two out-of-the-box mechanisms for managing user accounts for customers without existing directory infrastructure: “invited users” and “local users”. Think of these accounts as being stored “locally” within our own built-in directory. Administrators can manage these accounts using our built-in APIs and GUI, and the facility exists for end-users to quickly and easily provision their own accounts.

In all these cases, the end user simply enters his username and password upon opening a document and the server automatically queries the relevant system to verify credentials and further authorize the user. If the administrator chooses to allow it, the end user can also instruct the client to remember his credentials, which will securely cache credentials and not bother him to authenticate for subsequent documents. For many customers, this can enable an inexpensive form of “Single Sign-On” (SSO), since end users would see an authentication dialog at most once, and likely forget they are opening protected content.

This authentication type, however, is much more flexible than basic username/password integration with directory services. We can enable integration with any credential system that traffics in two user-inputted strings. This is because LiveCycle Rights Management ES can dynamically customize this authentication dialog, and because a customer can develop a custom authentication provider integration via the server-based “SPIs”.

For example, some of our financial industry customers have leveraged their existing account management infrastructure, allowing their customers to authenticate via their existing account number and PIN to their policy-protected banking statements. Others have used these SPIs to integrate with one-time password (OTP) systems to enable multi-factor authentication.

Kerberos SSO authentication

Those customers who want the ultimate “transparent integration” with existing authentication infrastructure can choose to enable Kerberos-based single sign-on (SSO). This is an outstanding option for those who feel that “clicks ‘R’ bad”, and never want to be impacted with an authentication dialog.

Because end users never see an authentication dialog when opening a protected document, and frequently forget are accessing protected content, they often think of this authentication type as “magic.”

Based upon technology built into Microsoft Windows clients and Microsoft Active Directory on the server, Kerberos SSO allows LiveCycle Rights Management ES clients to securely use the credentials entered the end-user used when logging into his machine to authenticate directly with the Rights Management server.

Next time: A deep dive on smartcard/certificate authentication and the benefits to customers.

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Delegating control over policy definition and usage with “Policy Sets”

One question that often comes up with customers is “how can my large, distributed organization effectively delegate and manage access control?” Our answer is “policy sets”, a feature introduced in LiveCycle Rights Management ES.

The “Policy Sets” feature allows administrators to delegate who can create and manage shared
policies. It also permits organizations to control which policies each individual or workgroup can use. Allowing decentralized management enables customers to more effectively ensure their intellectual property is protected.


This short video goes through the functionality in more depth

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

US Government Printing Office Deploys Digital Signatures for FY2009 Budget

Today the United States Government Printing Office (GPO)  deployed digital signatures in Adobe PDF for the release of The Budget of the U.S. Government, Fiscal Year 2009.

The Executive Office of the President, Office of Management and Budget (OMB) released a statement stating this is the first time the White House will not order hard copy versions of the budget, and has instead posted the budget online as fully searchable PDF documents. 

With an estimated total of nearly 2,200 pages in the four-book budget set, and a projected order of more than 3,000 copies for the media, Capitol Hill and the White House, the E-Budget will have a “green” focus above and beyond the fiscal sense. This step will save nearly 20 tons of paper, or roughly 480 trees. In terms of fiscal savings, we estimate the E-Budget will save nearly a million dollars over the next five years.

GPO has implemented a new digital seal of authenticity for their PDF documents, including today’s release of the FY2009 budget:

For almost 150 years, the U.S. Government Printing Office (GPO) has been the official disseminator of Government documents and has assured users of their authenticity.

In the 21st century, the increasing use of electronic documents poses special challenges in verifying authenticity, because digital technology makes such documents easy to alter or copy, leading to multiple non-identical versions that can be used in unauthorized or illegitimate ways.

To help meet the challenge of the digital age, GPO has begun implementing digital signatures to certain electronic documents on GPO Access that not only establish GPO as the trusted information disseminator, but also provide the assurance that an electronic document has not been altered since GPO disseminated it.

The visible digital signatures on online PDF documents serve the same purpose as handwritten signatures or traditional wax seals on printed documents. A digital signature, viewed through the GPO Seal of Authenticity, verifies document integrity and authenticity on GPO online Federal documents, at no cost to the customer.

More information on GPO’s authentication program is available at

Opening the Nation’s Fiscal Outlook from GPO Access with Acrobat 8.1.1 on Windows XP SP2:

Opening the Nation’s Fiscal Outlook with Acrobat 8.1.1 on Mac OS X 10.5.1 (Leopard)

The digital signatures on the GPO documents automatically validate with Adobe Acrobat and Adobe Reader version 7 and higher on Mac and Windows, via the Certified Document Service (CDS) program. No additional software or configuration is required to validate CDS signatures. 

There are several ways recipients can verify the signature status.  First is the document message bar across the top of the document, showing the certifying blue ribbon as well as information contained in the signer’s certificate:

The left navigation panel also has an icon of a pen over paper, which brings up the digital signature pane, showing additional information on the document signature:

Clicking on the GPO document seal in the PDF will also bring up the Signature Validation Status:

Clicking on that Signature Properties button above provides even more detail of the signature, including the authenticity, integrity, and timestamping indicators – with the ability to drill down deeper to review revocation status, certificate chaining, and other security information associated with the signature.

For digital signatures to automatically validate in Acrobat and Reader, the Public Key Infrastructure (PKI) certificates must have been issued by a Certificate Authority (CA) participating in the CDS Program. These CAs comply with the Adobe CDS Certificate Policy.  This is a program Adobe released in 2003 with Acrobat and Reader 6.  The CA/Browser Forum released a program with similar intentions for web browser SSL sites in 2007. 

Certifying signatures can be applied to PDF documents on the desktop using Adobe Acrobat, or on the server using Adobe LiveCycle Digital Signatures.  Recipient’s approval signatures can also be applied using Adobe Acrobat or Adobe Reader (via Adobe LiveCycle Reader Extensions) and then subsequently validated on the server with Adobe LiveCycle Digital Signatures as part of an automated workflow process.

Adobe Systems has been providing security technologies in PDF for over a dozen years.  Adobe uses FIPS 140 approved cryptography, has been approved by the US Department of Defense, and certified by the SAFE BioPharma Association. Adobe’s security solutions are also supported by a strong partner ecosystem to extend the native capabilities of authentication through hardware and software integration.




Demo: Certified Documents in Adobe PDF

Here is a demonstration of a PDF document that has a certifying signature plus four recipient signatures from four different certificate authorities that are part of Adobe’s Certified Document Services (CDS) program.

Click here to download the PDF for Adobe Acrobat and Adobe Reader version 6 and higher.

In v8 and higher, you will see a status bar across the top, indicating the valid document certification:

followed by the recipient signatures from each of the CAs:

For long term digital signature validation, each of these signatures also include an embedded OCSP response from the certificates in the chains and RFC3161 timestamps. This shows that the certificates were valid at the time of signing – even if the document is subsequently opened after certificate expiration or revocation.

Demo: Applying Rights Management to a PDF in Acrobat

Applying a policy from Adobe LiveCycle Rights Management is as easy as two clicks in Adobe Acrobat. With a PDF document open, click the Secure menu, followed by one of the pre-defined policy names (that typically map to a organization-wide information classification system).  That’s it!  Click here to see this demonstrated using Adobe Captivate and Flash…


Dynamic Watermarks with LiveCycle Rights Management

Adobe LiveCycle Rights Management provides dynamic watermarking capabilities on PDF documents. A watermark is an image that is superimposed over the original base document. In a rights managed document, the image can be applied dynamically as the document is viewed in Adobe Acrobat or Adobe Reader. The watermark is not editable by recipients and is not permanently stored in the document. The location is customizable by administrators and can contain pre-defined text such as an information classification as well as the recipient’s name, their username, and the date/time the document is opened.

Click here to download a sample PDF with a dynamic watermark across the top of every page. To show it’s really dynamic and not burned into the underlying document, the watermark shows the current date and time for which the document was opened. If you close and reopen the document, it will change.

The dynamic watermark is often used as a detective control to track down unauthorized redistribution of sensitive documents and is a good part of a Data Loss Prevention (DLP) strategy. The dynamic watermark reminds the recipients of the document classification, such as “Company Confidential”, and the user-specific information shown on the document acts as a deterrent to unauthorized redistribution of the document. If a printed copy of a sensitive document shows up someplace it shouldn’t – the source of unauthorized redistribution can be determined by simply looking at the watermark.

The watermark templated is defined by LiveCycle Rights management administrators. Here are the options:



A policy definition, such as “Confidential”, can then specify which watermark template to use every time that policy is applied:


Here is what a watermarked document looks like with a policy applied that includes a dynamic watermark showing full name, username, custom text, and date/time:


Here we have unchecked the User Name, User ID, and Current Date – leaving only the Custom Text.  The H/V alignment is set to center, and the rotation to 45 degrees:


Here the vertical alignment is set to the top at 50% scale using only the custom text field:


By remapping the user name from the DN in LDAP to a separate field containing a unique hex code for each user, it can be applied rather unobtrusively to the lower right hand corner of a document: