Posts in Category "Electronic Signatures, Digital Signatures & PKI"

Digital Signatures with PIV and PIV-I Credentials

In response to Homeland Security Presidential Directive (HSPD) 12, NIST created a program for improving the identification and authentication of Federal employees and contractors to Federal facilities and information systems.  This program is Federal Information Processing Standard (FIPS) 201, entitled Personal Identity Verification (PIV) of Federal Employees and Contractors, which as of September 2011 had issued over 5 million credentials.  PIV-I expands the interoperable secure PKI credentialing to Non-Federal Issuers (NFI) so that other organizations seeking identity federation can include their own employees.  Currently approved PIV-I providers include DigiCert, Entrust, Operational Research Consultants, VeriSign/Symantec, and Verizon Business.  The CertiPath bridge also supports PIV-I credential providers such as Citi and HID.

If you have a PIV or PIV-I card and are interested in digitally signing documents for consent/approval signatures or certified publishing, Adobe Acrobat and Adobe Reader will automatically validate digital signatures via US Federal Common Policy.  Through the Adobe Approved Trust List (AATL) program, the following trust anchors are included in version 9 and higher:

  • Common Policy — 2010 expiry — Common Hardware, Common High, Medium HW CBP
  • Common Policy — 2027 expiry — Common Hardware, Common High, Medium HW CBP
  • Federal Common Policy CA — 2030 expiry — Common Hardware, Common High, Medium HW CBP, SHA1 Hardware

To have the digital signature automatically validate for any recipient, whether or not they have a PIV/PIV-I credential, the signer’s system must build a complete certificate chain for path validation to reach one of the supported trust anchors.  If the signer’s system has only the signer’s certificate, the signature will not validate automatically for anyone else.  One way to make this easier is to store all of the issuing certificate authorities’ public key certificates on the smartcard, where they are available to the OS and applications.  That way the card can be truly portable and sign documents on any system.  Otherwise, the system administrator will need to ensure all of the certificates are installed into the OS and available to Adobe Acrobat/Reader.

As an example, below is an overview of configuring digital signatures with the HID PIV-I service.

After the customer application is approved and credentials are being issued, the user will need to install the chain of certificates on their signing systems.  The certificates required are:
  1. HIDSigningCA1
  2. HIDRootCA1
  3. Federal Bridge CA
  4. CertiPath Bridge CA – G2

There are several ways these certificates can be installed.  The easiest is to open the attached file HID_PIV-I_AdobeConfiguration.pdf, which provides a simplified installation experience into Adobe Acrobat and Adobe Reader.  You can also download the FDF directly here:  HID-PIV-I-Certs-AdobeReader.fdf

Now you can sign a PDF file and it will automatically validate for anyone with Acrobat or Reader version 9.1 or higher.

Sample HID PIV-I Signature document digitally signed with a production HID PIV-I card looks like this:

Here is the path that the digital signature follows for validation:

FIPS Validation Certificate for LiveCycle ES3

Adobe LiveCycle ES3 includes a FIPS 140 Certified RSA BSAFE Crypto-J 3.5 (cert#590) encryption module.  FIPS mode is configured in the product installer.

What is a Certified Document and when should you use it?

A Certified Document provides PDF document and forms recipients with added assurances of its authenticity and integrity.  Here are two frequent use cases for Certified Documents that illustrate these capabilities:

  1. You publish files and want the recipients to know that the files really did originate from you and they have not been accidentally or maliciously modified since you published them.
  2. You distribute electronic forms with pre-populated information, and want to make sure recipients are not accidentally or maliciously modifying your form data when returning them to you.

To certify a document, you can use Acrobat on the desktop or LiveCycle Digital Signatures as part of an automated process on a server.  To verify the certification on a document, desktop users simply open PDFs with the free Adobe Reader or Adobe Acrobat.  If you would like an automated process to verify certified documents on a server, LiveCycle Digital Signatures can also verify certified document status.

When a document has valid certification, a blue ribbon in a blue bar will show above the document in the viewer, like this:

In this case, the document originated from the United States Government Printing Office.  It was published as part of an automated Adobe LiveCycle process, and the source document is publicly available here (http://www.gpo.gov/fdsys/pkg/BILLS-106s761enr/pdf/BILLS-106s761enr.pdf) as part of their Federal Digital System which has very specific requirements on authentication when publishing official US Government documents to the public.  In 2008, the Executive Office of the President, Office of Management and Budget (OMB) stated the White House was no longer ordering hard copy paper versions of the US Federal budget, and instead has posted certified PDF documents online.

Certified documents are also implemented at Antwerp Port Authority for electronic invoices and at a number of higher education institutions for delivering student transcripts electronically, including Penn State, Northwestern, Stanford, and more.

In addition to static documents, certifying a document increases the level of security in electronic forms workflows.  Here is an example:
a) Organization generates a form for recipient to complete and return
b) Form contains some specific transactional information, like an interest rate (3%) and term (15yrs).
c) Recipient decides they will change the rate and term to be more favorable, and then digitally signs it and returns it.

Typically, the form publisher would have to manually review every completed form to look for such errors, and they can often be overlooked.  The better solution is to certify the form as it is published to the recipient.  The added assurances here are that the recipient knows it’s an official form that hasn’t been tampered with, and when the publishing organization receives a completed and signed form back – they know that what was sent out has not been changed along the way.  The certification also allows the form author/publisher to specify which fields and form elements are locked, and which can be filled in by the recipient.

Here is an example of a certified form:

The source PDF file is available here as a Sample.

In either of these cases, if an unauthorized change is made to a certified document, the blue ribbon will turn into a red X indicator.

More information on automating digital signatures for documents and forms is available in this previous post (LiveCycle Digital Signatures: Three Common Use Cases)

Certified documents utilize PKI and digital signatures to provide the assurances of authenticity and integrity.  These are capabilities built into the ISO 32000 standard PDF specification as well as Adobe Acrobat, Reader, and LiveCycle.  Adobe products utilize FIPS certified encryption implementations of RSA and SHA hashing algorithms (up to RSA4096 and SHA512).  The publisher/signer uses their private key and certificate to sign documents on the desktop (Acrobat) or server (LiveCycle), and recipients simply use Acrobat or Reader to view them.

Recommendations and best practices:

A) Make sure your signing certificate is trusted by your recipient community.  This can be accomplished in several ways:

1) Utilize the Adobe CDS/AATL program, where certificates are automatically trusted and the recipients have zero configuration to validate digital signatures.  You can either obtain a certificate from a registered Adobe provider, or if you meet the strict program requirements – have your certificate authority automatically trusted.  NOTE: If you are publishing documents to the general public, CDS/AATL is the only recommended option.

2) Utilize enterprise install and management capabilities to push out trust anchors in pre-configured installations and maintain them on an internal server.

3) Utilize an enterprise desktop configuration setting to trust the existing certificate store in the operating system (e.g. Windows CAPI)

B) When certifying a document, make sure that all certificates from the trust chain are available on the signing system (desktop or server).  This includes not only the end-entity signing certificate, but also any intermediate certificates up to the trust anchor.  That way, the recipient only needs to have the trust anchor, as described in the previous section.

C) When publishing a certified document with a digital signature, make sure you are online and able to reach the revocation information published by the certificate authorities.  That way, long term validation (LTV) information is stored in the document.  If this information is not included, the certified document will no longer validate after a signing certificate expires.

D) By default, certified documents utilize the system clock as a date/time indicator.  If you have higher assurance needs for time, utilize an RFC 3161-based timestamp authority as part of the digital signature process.
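
Recommendation B above and the HID PIV-I chain listed in the first post on this page both come down to whether a path to a trust anchor can be built from the certificates the signing system supplies. The following is an added example (not Adobe's or HID's code) that models certificates as constructed subject/issuer pairs; the issuance order of the chain and the signer name are assumptions, since the page lists the CAs but not their order.

```python
from collections import namedtuple

# Constructed model of a certificate: only the names needed for path building.
Cert = namedtuple("Cert", "subject issuer")

ANCHOR = "Federal Common Policy CA"  # trust anchor the recipient already has (AATL)

# Assumed issuance order for the four CA certificates the page lists.
# Bridge CAs cross-certify each other, so one reverse edge is included as well.
CA_CERTS = [
    Cert("HIDSigningCA1", "HIDRootCA1"),
    Cert("HIDRootCA1", "CertiPath Bridge CA – G2"),
    Cert("CertiPath Bridge CA – G2", "Federal Bridge CA"),
    Cert("Federal Bridge CA", "CertiPath Bridge CA – G2"),  # reverse cross-certificate
    Cert("Federal Bridge CA", ANCHOR),
]
SIGNER = Cert("Jane Doe (PIV-I)", "HIDSigningCA1")  # constructed end-entity cert


def build_path(signer, available, anchors):
    """Depth-first search from the signer to any anchor using only `available`.

    Returns (path, missing). path is the list of names ending at the anchor,
    or None. missing holds issuer names for which no certificate was supplied
    (empty when a path was found).
    """
    by_subject = {}
    for cert in available:
        by_subject.setdefault(cert.subject, []).append(cert)
    missing = set()

    def walk(cert, seen):
        if cert.issuer in anchors:
            return [cert.subject, cert.issuer]
        if cert.issuer in seen:  # cross-certificate loop: never revisit a CA
            return None
        candidates = by_subject.get(cert.issuer)
        if not candidates:
            missing.add(cert.issuer)
            return None
        for nxt in candidates:
            tail = walk(nxt, seen | {cert.issuer})
            if tail:
                return [cert.subject] + tail
        return None

    path = walk(signer, {signer.subject})
    return path, (set() if path else missing)
```

Calling `build_path(SIGNER, [], {ANCHOR})` reproduces the failure case from the first post (the signer's certificate alone), while passing `CA_CERTS` yields the full path despite the bridge loop.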

Register Now! E-Signatures 2011 Conference in Washington, DC, November 9-10!

Saving money.  Getting business done faster.  Eliminating the need to print and route paper contracts and documents.  These are some of the great benefits provided by electronic signatures and records.

But you still have questions:  Is it legal?  Can I use these technologies internationally?  In which sectors can I leverage these technologies?  Who else is using electronic signatures, and what benefits are they seeing in the real-world?

The E-Signatures 2011: Electronic Signatures and Records Conference will provide the answers!  Organized by the Electronic Signatures and Records Association (ESRA) and scheduled to be held in Washington, DC on November 9th and 10th, the conference brings together a number of government, industry, vendor, and customer speakers to cover topics including:

  • IRS eSignature Programs and Initiatives
  • International Adoption and Cross Jurisdiction Issues for eSignatures
  • Enabling eSignatures and eRecords for eFiling and eTitling with Motor Vehicle Registration Offices
  • eSignature Case Studies
  • …and more!

Adobe is proud to be a Gold Sponsor of this event, and we encourage you to register now, before it’s too late.

PDF Brochure: Announcement – 2011 ESRA Conference

We hope to see you in DC!!

 

Adobe Acrobat X and Reader X Are Now JITC Certified!

“JITC certified,” you say…what’s that?  JITC stands for the US Department of Defense’s Joint Interoperability Test Command, which carries out extensive work on software and other systems intended to be used by the US military for mission critical purposes.

In this specific instance, Adobe Acrobat and Reader X have been certified by JITC for their compliance with the DoD’s application requirements for Public Key Enabled services, e.g. digital signatures.  The testing included intensive, comprehensive evaluations of Acrobat and Reader’s capabilities in:

  • Certificate operations
  • Signature and certificate status validation
  • Path processing and validation
  • Configuration and documentation

Adobe is proud to note that we have consistently been certified for JITC compliance in every version of Adobe Acrobat and Reader since version 7 in 2006.

Click here for a link to the official JITC list of software and solutions that have been tested for Public Key Enabled compliance.

9/23/11: Update on Further DigiNotar Issues

The Dutch government today announced that DigiNotar’s subordinate Certificate Authorities (subCAs) under the Staat der Nederlanden root certificates will be revoked next Wednesday, September 28th.  This follows on the Dutch government’s removal of trust from DigiNotar, DigiNotar’s removal from the Netherlands Trust List, and the company’s announcement of bankruptcy proceedings.


DigiNotar Removed from the Adobe Approved Trust List

As discussed earlier on this blog, the Adobe Approved Trust List (AATL) has been updated to remove the DigiNotar Qualified CA root certificate. Users of Adobe Reader and Acrobat X (version 10.x) will be automatically updated to this list.

To be sure your copy of Adobe Reader or Acrobat will get the update, you can force a download of the AATL.  Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button.  Also, be sure the “Load trusted root certificates from an Adobe server” option is checked.

A future product update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AATL. In the meantime, users of Adobe Reader and Acrobat 9 can manually remove the DigiNotar Qualified CA using instructions provided in the blog post.

Also note that the Dutch government has published a document regarding the impact of the removal on signed PDFs.  That document (in Dutch and English) can be found at the links below:

Dutch version:

http://www.logius.nl/actueel/item/titel/verwijdering-diginotar-uit-adobe-reader/

English version:

http://www.logius.nl/english/news-message/titel/removal-of-diginotar-from-adobe-reader/

 

 

This posting is provided “AS IS” with no warranties and confers no rights.

Information Regarding Adobe Reader & Acrobat and the Removal of DigiNotar from the Adobe Approved Trust List

In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services.  The full extent of the attack is still not clear.

Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.

What Does This Mean for Adobe Customers?

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions.  The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security.  (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.


Cintas rolls out eSignature solution from SOFTPRO, leveraging Adobe LiveCycle ES and Reader

Late last week, SOFTPRO, one of the members of Adobe’s Security Partner Community, announced one of the largest known deployments of electronic signature technology alongside Adobe® LiveCycle ES (now known as the Adobe Digital Enterprise Platform (ADEP)), Adobe Reader and tablet PCs.  The customer?  Cintas Corporation.

Cintas provides specialized services—among them uniform delivery, document management, and cleanroom resources—around the world for clients in a variety of markets.  Their trucks and personnel are recognizable the world over…and by the end of 2011, all Cintas sales representatives will be able to collect customer signatures directly on a tablet computer, eliminating the paper from their workflows and making the company both more efficient and more ecologically sustainable.

According to Brian Daniel, Director IT, at Cintas:

SOFTPRO is an excellent partner for us for two reasons. First, they understood our needs and worked closely with us to deploy and support our implementation. We knew we could count on them. Second, their solution is both robust and easy to implement. We are deploying a combination of technologies and SOFTPRO brings them all together.  Both our sales team and customers have been quite pleased with this roll-out.

SOFTPRO’s software integrates directly with Reader and LiveCycle ES, and allows Cintas to not only produce easy to use PDF forms with LiveCycle ES, but also easily electronically sign them in Reader.

Read the press release here, and for more on SOFTPRO, visit their website here.

Completing the Circle: EchoSign Acquisition Rounds Out Adobe’s Electronic Signature Offerings

Adobe’s history is one of not only inventing and adapting amazing technology, but also making those same innovations easy to use.  Over ten years ago, we took the complex world of public key infrastructure (PKI) & digital certificates, and in turn, made digital signing a one-click process on a PDF within Acrobat and Reader on your PC or Mac.  So it naturally follows that yesterday Adobe continued this trend towards great technology made simple and announced that it had acquired leading electronic signature provider EchoSign.

EchoSign offers an easy-to-use, yet fully-featured, electronic signature service that allows users, from individuals to large enterprises, to easily upload documents, set up a signing workflow, and have recipients sign with a simple click-through process.
