In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services. The full extent of the attack is still not clear.
Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.
What Does This Mean for Adobe Customers?
The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions. The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.
While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security. (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)
Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.
Late last week, SOFTPRO, one of the members of Adobe’s Security Partner Community, announced one of the largest known deployments of electronic signature technology alongside Adobe® LiveCycle ES (now known as the Adobe Digital Enterprise Platform (ADEP), Adobe Reader and tablet PCs. The customer? Cintas Corporation.
Cintas provides specialized services—among them uniform delivery, document management, and cleanroom resources—around the world for clients in a variety of markets. Their trucks and personnel are recognizable the world over…and by the end of 2011, all Cintas sales representatives will be able to collect customer signatures directly on a tablet computer, eliminating the paper from their workflows and making the company both more efficient and more ecologically sustainable.
According to Brian Daniel, Director IT, at Cintas:
SOFTPRO is an excellent partner for us for two reasons. First, they understood our needs and worked closely with us to deploy and support our implementation. We knew we could count on them. Second, their solution is both robust and easy to implement. We are deploying a combination of technologies and SOFTPRO brings them all together. Both our sales team and customers have been quite pleased with this roll-out.
SOFTPRO’s software integrates directly with Reader and LiveCycle ES, and allows Cintas to not only produce easy to use PDF forms with LiveCycle ES, but also easily electronically sign them in Reader.
Read the press release here, and for more on SOFTPRO, visit their website here.
Adobe’s history is one of not only inventing and adapting amazing technology, but also making those same innovations easy to use. Over ten years ago, we took the complex world of public key infrastructure (PKI) & digital certificates, and in turn, made digital signing a one-click process on a PDF within Acrobat and Reader on your PC or Mac. So it naturally follows that yesterday Adobe continued this trend towards great technology made simple and announced that it had acquired leading electronic signature provider EchoSign.
EchoSign offers an easy-to-use, yet fully-featured, electronic signature service that allows users, from individuals to large enterprises, to easily upload documents, set up a signing workflow, and have recipients sign with a simple click-through process.
Just last night, we announced the availability of updates to both Adobe Acrobat and Reader, bringing them up to version 10.1. Along with a significant list of vulnerability mitigations, these updates also bring with them substantial changes to the secure operation of Acrobat on Windows, and to the digital signature functionality across platforms.
First, Acrobat 10.1 on Windows now features the same Protected Mode operation as Adobe Reader X, protecting users from malicious PDFs. Additional information on Acrobat’s implementation of sandboxing is available on the Adobe Secure Software Engineering Team’s (ASSET) blog. For those savvy in digital signatures, note that Protected Mode (on both Acrobat and Reader) may impair the installation of PKCS#11-based tokens. Refer to the simple instructions here for a workaround.
And if you’re like me and love the nitty-gritty details of digital signatures, you’ll probably appreciate the other signature-specific changes in 10.1…
Version X of Adobe Acrobat and Adobe Reader include the RSA BSAFE Crypto-C ME 18.104.22.168 encryption module with FIPS 140-2 validation certificate #1092. To enable FIPS mode in Acrobat and Reader X and restrict document encryption and digital signatures to the FIPS approved algorithms (AES/RSA/SHA) in this library, please refer to Section 6.1.11 of the Acrobat Digital Signature Admin Guide.
Information on FIPS compliance in Acrobat and Reader 9….see this post.
Today, Adobe pushed out yet another update to its certificate trust program implemented in Adobe Reader and Acrobat. The AATL program, launched in 2009, makes it easier for users to view and rely on digitally signed PDFs by automatically displaying a green checkmark for those signature credentials which meet higher assurance requirements when opened in Reader and Acrobat 9 and X.
The update today included the Columbian A.C. Raiz Certicamara S. A. root certificate for Acrobat and Reader X.
Last Friday, one of our colleagues James Lockman published a great blog entry on creating digital IDs and signatures in Acrobat X, and ways in which to establish trust in those signatures.
This is a thorough, updated companion piece to three blog entries we published back in 2008 on trust–an issue which is still critical to understand when considering electronic signatures to reduce costs and expedite previously paper-based workflows:
With this year being the tenth year of the ESIGN Act’s enactment, there’s been lots of activity around electronic signatures, their adoption, and the key challenges that face this exciting class of technology solutions. To cap that off, the Electronic Signatures and Records Association (ESRA) has recently announced the details for their annual conference, coming this November 6-7 in Washington, DC.
The agenda for the nearly two day event is jam-packed with compelling content and speakers, covering both real-world implementation stories as well as guidance and advice for navigating this nascent field in North America and around the world. Among the presenters is US District Magistrate Judge John Facciola, who was the first to digitally sign a judicial order, as well as a number of other key industry, legal, and government personalities, all of whom have great stories to tell about the progress of electronic signatures and the benefits they bring.
Lower registration rates are in effect until October 6th, so be sure to register now for this event! For more details, view the ESRA 2010 Announcement, Registration Form or check out the website here.
We’ll see you there!
On Wednesday, don’t be concerned/scared/shocked if you see your sales people looking somewhat calmer, your legal counsel winces a little less when you crack a lawyer joke, your chief risk officer smiles at you, and your controller pulls you over and eagerly points to the latest revenue figures.
Why? June 30th is the tenth anniversary of the US federal law that made their lives easier by putting electronic signatures on equal footing with wet ink! That’s right: 10 years ago tomorrow, President Bill Clinton digitally signed into law the ESIGN Act (eSignAct.pdf).
How is this important? The electronic signatures legalized with the ESIGN Act produce dramatic, real-world benefits for Adobe’s customers.
Signatures are utterly ubiquitous today…so much so, that we don’t even recognize how often and in how many different ways we are signing off on things. Of course, we’re all well-aware when we’re signing a legal document in person, like a mortgage or rental agreement. But we’re also assenting to a purchase when we chicken-scratch our signature on grocery store point-of-sale terminals. (OK, that’s my chicken scratch.) Did you know we’re also signing and assenting to a contract when we install software, or agree to privacy terms on a website, by clicking an ‘I agree’ button?
The truth is, there are many different ways in which we can express our intent. In the paper world, some agreements require the signatures of multiple parties. Others, by tradition, necessitate the signer use dozens of pens to sign one name! Yet others require the use of specially designed stamps. Different types of signatures for different types of transactions.
These same variations carry over into the electronic realm, based on
necessity, expediency, cost, regulations, and local and national laws.
We’ve explained in this blog what electronic signatures are and how they work. Adobe eSignatures, launched last week, provides yet another option – a very convenient way to send documents out for electronic signature minus the cost of express delivery.