Posts in Category "Digital Signatures and PKI"

PDF Advanced Electronic Signatures (PAdES): Your Questions Answered…

By now, you’ve surely heard the news about the new European standard for PDF Advanced Electronic Signatures (PAdES) which formalizes how digital signatures in PDF can comply with the European requirements for electronic signatures.

However, there are five parts to the standard, and they all deal with terminology that may not be familiar. Don’t worry…you’re not alone. A new website has been set up to answer frequently asked questions on PAdES.

Continue reading…

Upcoming event will debate legal significance of digital signatures and electronic signatures

We’ve discussed the legal validity of electronic signatures and digital signatures in this blog in the past. While a concurrence of laws worldwide points to general acceptance of electronic signatures as legally binding, there are a number of nuances that need to be taken into account when dealing with the identity and evidentiary elements of those electronic signatures, especially as they relate to how the signatures will stand up longer term in court.

An event to be held on March 1, the first day of the RSA 2010 Conference, will be dedicated to these questions.

Continue reading…

Conquering Information Risk Management

Managing information risk is a complex business these days, especially when you look at (1) the range of information you need to protect, (2) the breadth of risks you need to mitigate, and (3) the management policies and tools available to today’s IT security professionals to protect that information. However:

“A well-realized information risk management strategy has other benefits [beyond security]: enhanced business agility, competitiveness, efficiency and cost savings.”

In other words, you can’t do without it!! 

The problem? According to Deloitte, on average, only half of the companies surveyed in their annual Global Security and Privacy Survey had formal security policies or strategies. Not a great foundation on which to build risk management!

I wrote a recent article in Security Products magazine which confronts these challenges head-on, and provides some tips on navigating the “mind-boggling” task of information risk management.

Read the article here.

Straight Talk about PDF & Digital Signatures – ISSE 2009

Jim King, PDF Architect, senior principal scientist at Adobe and one of the key drivers behind the PDF format and its adoption and continuing development by ISO as a standard (ISO 32000), recently delivered a keynote presentation to the ISSE (Information Security Solutions Europe) 2009 Conference in The Hague, Netherlands.  He discussed the evolution of the PDF format and standard, and spent most of his talk introducing the new PAdES signature standard and what it encompasses.

During that conference, Jim sat down with Roger Dean, executive director of eema UK, for a conversation about PDF, the need for digital signatures, challenges of communicating the benefits of digital signatures, and finally a description of the PAdES standard.  This interview is now available below (and here)…enjoy!

Eliminating the Pen…One Step at a Time: PAdES PDF Advanced Electronic Signature Standard Released for EU

Building on the delivery of the PDF format to the International Standards Organization (ISO) as ISO 32000-1, Adobe has been collaborating with standards bodies around the world to make it easier for companies, organizations and individuals to leverage the ubiquity of PDF to make business processes quicker, easier and more reliable.  However, the rush to go paperless has often fallen short of its true potential because signing a document oftentimes brings business critical processes crashing to a halt, requiring users to print out the previously electronic document in order to apply their nom de plume with an ancient writing implement.  Electronic signatures are obviously the solution, but there’s still the question of interoperability and the use of electronically signed documents within certain legal frameworks, such as the European Union (EU).  With last week’s announcement of an ETSI open standard for PDF digital signatures, that question can now be answered.

ETSI/ESI Technical Standard (TS) 102 778, better known as PAdES (pronounced with either a long or short a), documents how the digital signature format described in ISO 32000-1 meets the needs of the 1999 EU Signature Directive (see previous blog entry), and then goes on to describe how that format can be expanded to take advantage of certain capabilities such as long-term document validation, where digital signatures placed on documents today can be validated five, ten and even 50 years later.  (The standard can be downloaded free of charge from the ETSI website at

Continue reading…

History…signed with Adobe products: US District Court Judge issues first digitally signed judicial order

For the first time in history, the Honorable John M. Facciola, Magistrate Judge for the U.S. District Court in the District of Columbia, signed a judicial order, not with paper and pen, but with a digital signature!  Press release here.


Judge Facciola viewing his just-digitally signed order in Adobe Acrobat.  Courtesy National Notary Association (NNA). 

Talk about setting precedent–while electronic filing has been required for some time, orders are typically printed out, signed, and then re-scanned into systems for filing.  Not until now has there been such a vote of confidence in the legal significance and weight of a digital signature.  By keeping the generation, signing and filing of the order completely electronic, the process is made much more efficient, potentially driving costs down and making the court’s systems work more effectively.  This is the latest example of organizations understanding not only the integrity and authenticity benefits of digital signatures, but the resource savings also.  Remember, it’s not so much the signature event that consumes time and money–it’s the processes around it.

Continue reading…

Contracts @ the speed of light: Adobe’s new Click-to-Accept solution

Recently, Adobe launched its C2A (Click-to-Accept) service, providing partners and customers with the ability to electronically sign certain Adobe agreements without a lengthy approval and review process.  And what’s more, not only was it developed with the cross-functional support of product, information technology and legal teams within Adobe, it’s also based on off-the-shelf Adobe server and client products, including Adobe LiveCycle® ES, Flash, and Adobe Reader®.  We’ve talked in this blog about Adobe’s capabilities to support a wide range of electronic signatures within a single workflow, and here’s a clear example of that in production right here at Adobe.

Continue reading…

Finding your way in the wood: Signature Terminology and Security Resources

If you’ve been following this blog, you’ll know that we toss around lots of terms in each entry, along with references to standards, technologies, products and services.  Even if you haven’t read this blog before, you may have struggled trying to understand the difference between electronic and digital signatures, or what a "PKCS#11" is, or, for that matter, a trust anchor.

Well, struggle no more–today we published our latest security terms glossary, which should help to clearly define terms and keep everyone here in line with usage. (Let us know if we don’t!)   Over 140 terms are defined, along with spelled out acronyms, so you are no longer in the dark!  

What’s more, the glossary is posted on our Security Document Library site, part of the wiki area of Adobe’s web presence.   The Document Library contains links to the latest security documentation, including an omnibus guide, "Digital Signatures & Rights Management in the Acrobat Family of Products,"  which consolidates many separate documents we’ve had in the past on signatures, preferences, registry settings, encryption and the like.  In addition, there are links to many useful one page ‘keys’ on signature validation, icons, signature creation, etc.

Find the glossary here.  If we’ve missed any terms or some element of documentation, please email John Harris at jbharris(at)


News from Adobe’s Security Partner Community: VeriSign Joins the Adobe Approved Trust List

Several weeks ago, Adobe launched the Adobe Approved Trust List (AATL), our latest effort at making the use of digital signatures easier through better trust mechanisms.  VeriSign, already a Provider in our flagship trust program Certified Document Services (CDS) through its acquisition of GeoTrust, announced the inclusion of its Non-Federal SSP in the AATL, widening VeriSign’s trust foundation in Adobe Acrobat and Reader.

According to Mike Stewart, CIO at the Kansas Secretary of State’s office:

“As a VeriSign Non-Federal SSP-PKI customer, we are excited to now have the ability to use the certificates we’ve already issued to digitally sign Adobe documents as part of the AATL program. VeriSign and Adobe have made it easy to deploy and use.”

Adobe is excited too!  VeriSign, along with other AATL charter Members and CDS Providers, is improving the capability for today’s agile enterprises and organizations to use digital signatures and bring cost efficiencies, integrity, and non-repudiation to more document workflows.

For more information on the Adobe Approved Trust List, please visit our website.

To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!


Casting a Wider Trust Net: Announcing the Adobe Approved Trust List

Over the years, Adobe has made electronic documents and workflows easier, more efficient, and more secure.  With one of the leading implementations of electronic signatures on the market, Adobe products allow you to go the last mile by eliminating the need to print a document out just to sign it.  At the same time, we’ve also been busy behind the scenes working on ways to better deliver trust in those electronic and digital signatures so users can rely fully on these new workflows.  Today, we’re announcing the launch of our latest trust effort, the Adobe Approved Trust List…available now.

The AATL will allow millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Acrobat or Reader 9.0 and above.  Essentially, both Acrobat and Reader have been programmed to reach out to an Adobe-hosted web page to periodically download a list of trusted root digital certificates.  Any digital signature created with a credential that can trace a relationship (‘chain’) back to a certificate on this list will be trusted by our products.  Trust is only one of many questions Adobe products ask when validating an electronic signature, but it is a critical one.

Document Before AATL

Document After AATL

Several countries and organizations have already placed their ‘trust’ in the AATL:

  • DigiNotar
    • DigiNotar Qualified CA
  • GBO.Overheid – Netherlands
    • Staat der Nederlanden Root CA – with Certificate Policies defining secure hardware
    • Staat der Nederlanden Root CA – G2 – with Certificate Policies defining secure hardware
  • GlobalSign
    • DocumentSign CA
  • Keynectis
    • ICS CA
  • SwissSign
    • SwissSign Platinum CA — G2
  • TC Trustcenter / ChosenSecurity
    • CA 7:PN
    • CA 8:PN
  • US Federal Common Policy Root
    • Common Policy – 2010 expiry @  Common Hardware, Common High, Medium HW CBP
    • Common Policy – 2027 expiry @  Common Hardware, Common High, Medium HW CBP
  • VeriSign
    • Class 3 Intermediate Non-Federal SSP @ Medium-Hardware

Starting today, valid signatures with credentials from these providers, chaining up to these certificates, and meeting a set of Technical Requirements will be automatically trusted in Acrobat and Reader 9.0 and above, including most US Federal HSPD-12 / PIV cards.

So how do you take advantage of the AATL?  Well, if you’re using Acrobat or Reader 9, you don’t need to do anything!  This feature is turned on by default when you install these products, and the Trust List will automatically be updated every 90 days, though you must open a signed document (like the one here, for example) or open a signature-related menu item to trigger the timer and update.

If you want to verify the AATL is enabled, go to Edit (‘Acrobat’ on Mac)->Preferences->Trust Manager and be sure that the “Load trusted root certificates from an Adobe server…” check box is checked.  (See image below.)  You can then click the “Update Now” button in that same dialog box to download the latest version of the AATL from Adobe.  In any case, be sure to review the User FAQ if you’re having any problems or have any questions about how the AATL works.


The launch of the AATL complements our existing Certified Document Services (CDS) trust program, where new digital IDs that are chained to the Adobe Root certificate embedded in Adobe products are automatically trusted.  CDS is key to document certification efforts at the US Government Printing Office, Avow Systems, the Antwerp Port Authority, and many other customers who use high assurance signatures to protect the integrity and authorship of key electronic documents.  Anybody who opens a PDF document signed or certified by a CDS credential automatically gets a ‘blue ribbon’ experience with trust provided to the signature without any user interaction.  Five certificate authorities currently offer CDS certificates. 

While the high-level benefits of the Adobe Approved Trust List program are similar, the AATL is only available in Acrobat and Reader 9 at this time. It is not backwards compatible. CDS credentials, on the other hand, are backwards compatible from the current generation of Acrobat and Reader all the way back to version 6. Also, CDS Providers offer certificates that meet a similar high standard for assurance and feature additional capabilities including the automatic embedding of robust timestamping and real-time revocation to provide for easy, long-term validation of digital signatures. However, existing certificate communities, such as government national ID card programs, can join the AATL, as the chain to the Adobe Root certificate is not required. Contact Adobe to get more information about which program is right for your organization / government.

If you’d like to test the AATL (and you’ve verified that it’s enabled and downloaded per the instructions above and in the FAQ), please browse our sample documents available here.

And the story doesn’t end there!  Several more government and commercial entities are lined up to join the program in the coming months…stay tuned.

Please visit the AATL webpage for more information.