Posts in Category "General"

RSA 2009 Conference Session on Cloud Computing Security

If you are attending the 2009 RSA Conference in San Francisco this April, be sure to check out this panel discussion on cloud computing security.

Acrobat 9 and password encryption

Based on some recent online discussion of Acrobat 9 and password encryption, we’re posting to provide a quick summary on what has changed, how it impacts the overall security of PDF documents, and Adobe’s commitment to providing high-assurance document security implementations.

Update: FIPS 140 Validation Certificates for Acrobat, Reader, and LiveCycle

Version 9.0 of Adobe Acrobat and Adobe Reader includes the RSA BSAFE Crypto-C ME 2.1.0.3 encryption module with FIPS 140-2 validation certificate #828. Instructions here will also enable FIPS mode in Acrobat and Reader 9.0 to restrict document encryption and digital signatures to the FIPS-approved algorithms (AES/RSA/SHA) in this library.

Adobe LiveCycle ES still includes the RSA BSAFE Crypto-J 3.5.04 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.

Communicating the value of Adobe’s Information-Centric Security Solutions

We are excited to announce a new set of assets aimed at helping our customer community and ecosystem partners better understand the benefits and value that can be derived from Adobe’s Information-Centric security solutions. If you haven’t heard the term “Information-Centric” before, it’s not new, but it well represents the way Adobe technologies protect the confidentiality, integrity, and authenticity of information — natively within the information itself.

For LiveCycle Rights Management ES and LiveCycle Digital Signatures ES, please feel free to download and view a host of new collateral including:

New datasheets that provide an overview of the value proposition and specific areas where our solutions solve real customer problems:

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/pdfs/livecycle_rights_management_es_datasheet_na.pdf

LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/pdfs/95011596_lc_digisig_ds_ue.pdf

There are also two new whitepapers. The first, for Rights Management, is entitled “Delivering an Information Risk Management strategy across the heterogeneous enterprise” and is intended to describe the need to protect sensitive information consistently wherever it resides in the enterprise. This paper also outlines common use cases via customer anecdotes about how LiveCycle Rights Management ES is protecting the most widely used file types inside (and outside) the organization. http://www.adobe.com/products/livecycle/pdfs/95011600_lc_rightsmgmt_wp_ue.pdf

The second whitepaper is entitled “Electronic Signatures: Solution Scenarios for your Environment”. This piece is intended to articulate the different electronic signature solutions offered by Adobe and help folks understand the pros and cons of each, so you’re best prepared to map the right electronic signature solution to your assurance level requirements. http://www.adobe.com/products/livecycle/pdfs/95011606_Digital_Signature_wp_ue.pdf

Finally, there are also new updates to our website, including updated customer success stories, in-depth pages, features and benefits pages, and a detailed supported formats page for Rights Management.

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/rightsmanagement/
LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/digitalsignatures/
Enjoy!

Live Webcast: Information Assurance – Keeping Your Documents Secure

Join us for this LIVE Event on:
Wednesday, October 29, 2008
12:00 PM PT / 3:00 PM ET

The need to keep your organization’s business critical information confidential by restricting distribution and preventing unauthorized disclosure of this information is imperative. Discover how Adobe Acrobat 9 can help protect your organization’s sensitive information by helping provide document control and security, addressing issues such as encryption, document authenticity, passwords, redaction, and sanitization/metadata removal. Join John Landwehr as he covers best practices on Security and Information Assurance.

More information and registration is available here.

Come One, Come All…

…to the E-Signatures ’08 Conference, scheduled for November 12-13, 2008, at the Omni Shoreham hotel in Washington, DC.   This conference, organized by the Electronic Signatures and Records Association, features compelling presentations from industry experts on the leading business, legal, and technology topics surrounding e-signatures, and prominently highlights several case studies.

Included in these case studies, Adobe customers will describe how electronic signature solutions involving products from Adobe and our Security Partner Community have improved their internal workflows and, in turn, saved them significant amounts of money, time, and resources.  You can expect to hear from:

In addition, conference attendees will learn about government and insurance industry views on e-signatures; legal, regulatory & standards updates; and finally how the new administration might affect the future of e-signature policy.  For an updated agenda, keep checking here.

Sign up this week!  Early bird registration ends Monday, October 6th.

Scientific American Article on Improving Online Security

Adobe recently participated in an industry roundtable on Improving Online Security. The transcript has been published in the September 2008 issue of Scientific American, page 96 and on their website.

John Landwehr from Adobe and representatives from Hewlett Packard, Kaiser Permanente, McAfee, Microsoft, Panda Security, Sun, and Symantec discussed ways to protect against more numerous and sophisticated attacks by hackers and called for upgraded technology along with more attention to human and legal factors.

Now hiring: Digital Signatures Product Management

Adobe is looking for a Sr. Product Manager to join our security solutions team and work on digital signatures in Acrobat, Reader, and LiveCycle.

The job description and application process are posted on cooljobs.adobe.com.

Description:
Adobe (NASDAQ: ADBE) revolutionizes how the world engages with ideas and information. For 25 years, the company’s award-winning software and technologies have redefined business, entertainment, and personal communications by setting new standards for producing and delivering content that engages people virtually anywhere at any time. From rich images in print, video, and film to dynamic digital content for a variety of media, the impact of Adobe solutions is evident across industries and felt by anyone who creates, views, and interacts with information. With a reputation for excellence and a portfolio of many of the most respected and recognizable software brands, Adobe is one of the world’s largest and most diversified software companies.

Today, Adobe is better positioned than ever to push the boundaries of the digital universe. Under the leadership of President & CEO Shantanu Narayen, we’re driving even greater innovation with powerful, compelling software solutions that meet the needs of customers and markets ranging from designers and filmmakers, to enterprises and governments, to developers and home users.

Recognizing that employees are at the core of our success, Adobe recruits and retains highly qualified and motivated individuals, creates an environment where they can innovate and achieve their best, and rewards them for their performance by giving them an opportunity to share in the company’s success.

Position Overview
Adobe Information Assurance Solutions enable organizations to more securely engage with employees, external associates, and customers by protecting the information lifecycle. Security can be persistently applied to information independent of storage and transport, inside and outside an organization. Adobe’s ecosystem of security partners provides interoperability with many information security infrastructures including identity and access management, single-sign-on, public key infrastructures, smart cards, and biometrics.

This Sr. Product Manager position in the Security Solutions team of Adobe’s Business and Productivity BU will significantly contribute to growing Adobe’s market share in information assurance solutions by identifying and prioritizing feature requirements, providing product competitive analysis, understanding customer usage workflows and customer satisfaction, driving and evaluating technology trends, ease of use, standards and certifications.

Requirements
Requires at least 5 years of experience in enterprise software product management. BS in Computer Science or related technical discipline, and in-depth experience with identity management, electronic and digital signatures, encryption, J2EE authentication, public key infrastructure, smartcards, maintaining documents of record, and information lifecycle workflows.

This position also requires significant cross-group interaction, a strong customer and partner focus, excellent communication, presentation, and negotiation skills, attention to detail, solid technical abilities to collaborate with engineering and direct market experience. Candidates must be passionate about the technology to make Adobe solutions more secure and easy to use. Preference given to candidates with security certifications.

Adobe believes personal fulfillment and company success go hand in hand, sustaining one another. In fact, our dynamic, rewarding working environment is well known – including eight years on FORTUNE magazine’s “100 Best Companies to Work For” and other, similar accolades. By hiring the very best and brightest, Adobe continues to be a simply better place to work – creating a dynamic environment today and providing incentives for future achievement.

Protecting native Office documents

On June 17th Adobe announced an expansion of the LiveCycle Enterprise Suite with our forthcoming LiveCycle ES Update 1 release. Included as a part of this release is the second version of our LiveCycle Rights Management ES Extension for Microsoft Office. This release expands our support to include the ability to protect, and collaborate in, natively protected Word documents, Excel spreadsheets and PowerPoint presentations. Further, we support all editions of Office 2003 and Office 2007 localized natively into English, French, German, and Japanese.

The software is now available for download from http://www.adobe.com/go/getrmextensions for use with your LiveCycle Rights Management ES system.


Questions or feedback on this entry? Contact us at RMFeedback@adobe.com

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe.

"This is legal, right?" – Electronic Signatures & The Law

This entry is the third in our “What is an Electronic Signature, Anyway?” (Part One / Part Two) educational series.

First, a disclaimer.  This blog entry is not intended to provide legal advice.  You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

With that out of the way, welcome back to our series on electronic signatures. Up to now we’ve covered what can be defined as an electronic signature, and how one can provide assurance as to the validity of an electronic signature. However, our clients and customers are mainly concerned with one thing: are electronic signatures legal and admissible in a court of law? Will my contract be null and void if I use this electronic signature pad? Will my account documents be tossed out because they’ve been digitally signed? Can I accept electronic signatures on my contracts?

Only your legal counsel can answer these specifically, but, in this lengthy entry, we can offer some very high-level information on the applicable laws, what is meant by legal effect versus admissibility, the availability of case law, and where you can go to find out more information.

Laws

In 2000, President Clinton digitally signed into law the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).  This public law provides that:

(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

At the state level, the Uniform Electronic Transactions Act (UETA), passed by 48 US States, provides much the same protections to electronic signatures and records. (The remaining 2 states have other legislation covering electronic signatures.)

Note that neither piece of legislation specifies a particular electronic signature technology. In fact, the E-SIGN Act states that:

The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

By keeping the legislation technology-agnostic, the law doesn’t create a bias and also does not have to be changed as technology changes. It therefore has the added benefit of allowing for a wide spectrum of electronic signature technologies (click-thru, signature pad, biometrics, digital signatures, etc.), as long as the systems provide a signature that is “attached” to the electronic document needing to be signed, and provide evidence that the signatory actually signed the electronic document, showing an “intent to sign.” The laws do, though, prohibit the use of electronic signatures on certain legal documents such as wills and adoption papers.

Other US laws and regulations provide guidance in specific industries.  For instance, 21 CFR Part 11 covers the use of digital signatures in communications with the Food and Drug Administration.  This is a good time to mention that laws are not the only things to be concerned about when it comes to electronic signatures.  You also have to be aware of any regulatory standards or recommendations that may be in place for your industry. 

Using the pharmaceutical industry again as an example, the SAFE-BioPharma Association (Signatures and Authentication for Everyone), interested in promoting the use of electronic documents and reducing costs, created a technical, legal & business model around the use of electronic signatures among pharmaceutical manufacturers, clinical investigators and regulators. In fact, SAFE requires the use of digital signatures, and has certified (and recently re-certified) PDF-based digital signatures in Adobe Reader®, Acrobat®, and LiveCycle® Digital Signatures within the SAFE standard.

Outside of the US, most countries have electronic signature laws in place, as well, though they vary in complexity.  For the 27 member states of the European Union, Directive 1999/93/EC on a Community Framework for Electronic Signatures (EU Signature Directive) provides an in-depth legal framework for electronic signatures and their validity inside and between EU countries.  It creates several categories of electronic signatures, with so-called “Qualified” signatures required to be legally accepted and valid in all EU member states.  The high assurance requirements around Qualified Electronic Signatures (QES) do point to digital signature technology, with a requirement for a ‘Secure Signature Creation Device’ and best practices around key generation, storage, and certification of the providers of the signing credentials themselves.

Adding to the fun, EU member states are required to individually transpose EU Directives into their own legislation.  Certain countries decided to tweak the text on the way to implementation, and in so doing, created another layer of complexity that makes working with cross-border electronic signatures quite a challenge!

Note that electronic signatures applied in the US may not be granted legal admissibility in the European Union, especially on documents like electronic invoices (e-invoices).

Legal Effect vs. Admissibility

We’ve tossed these terms around in this entry, so it’s probably time to clarify the difference between the two.  While lawyers around the globe may cringe at my over-simplification, here we go…

“Legal effect” pretty much means that, yes, the court will accept that an “electronic signature” is a “signature” as already defined by precedent and law.  So, in other words, an electronic signature and a wet ink signature are equivalent in most respects, and they can be brought into trial.

However, just like their wet ink counterparts, each document intended to be entered into evidence in a trial will need to be assessed for its “admissibility,” whether it’s signed with ink or a digital certificate.  Does it represent the intent of the signatory?  Has the document been altered?  Who had the right to sign this document?  How was the signature derived, and what controlled access to the document for its signature?  These questions come into play no matter the type of signature.

However, wet ink signatures have been in use for quite a long time and have established a certain amount of credibility.  Electronic signatures, on the other hand, are a newer phenomenon, and thus may be more subject to the critical eye of the court.  This is where the concept of assurance, as described in the previous entry in this series, can come into play.  Higher assurance signature methods that authenticate the signer, use document fingerprinting (‘hashing’) to provide integrity, and store signature keys (and thus, the “pen”) in a secure manner, are more likely in the long run to be provided with the benefit of the doubt than those signature technologies which provide lesser assurance.

So, in the end, your electronic signature may be a legal signature, but it could be tossed out of court if the judge feels that the signature process did not provide the appropriate level of assurance.

Case Law 

Well, we’d love to point you to a particular case that ruled this or that technology admissible, or that signatures captured on these types of documents were OK, but there are none. In the United States, there are likely hundreds of cases that cover subjects related to the use of electronic documents and e-discovery, but none that specifically cover challenges to electronic signatures. While this could mean that cases are being handled in arbitration (outside the courts), or that challenges have not been filed, it is all the more likely that the courts have been holding electronic signatures as admissible.

What the future holds, no one is certain.  The EU Signature Directive provides a clear sign that assurance does play a role in admissibility.  Will the ideas of the Directive take hold in other countries around the world?  How will US and state case law react to increasing numbers of electronic signatures?  We’ll keep watching…and we’ll keep you informed!

The good thing is that with Adobe products like Acrobat and LiveCycle you are gaining the ability to sign electronic documents (PDF) with a spectrum of electronic signatures, whether they’re electronically captured on a tablet PC, created with digital certificates, or even required to be compliant with the EU Signature Directive.  You can rely on Adobe’s global expertise in the field and years of collaboration with our Security Partner Community to meet your electronic signature needs, no matter the requirements.

Links

Here are some links to continue your reading.  Again, be sure to confer with your legal counsel on these topics.

  • ABA Digital Signature Guidelines Tutorial – A great starting point for understanding digital signatures from the American Bar Association.
  • The Sedona Conference® – Though focused primarily on electronic records, this educational non-profit organization provides substantial coverage of related case law and issues that may come into play.
  • Electronic Signatures & Records Association (ESRA) – This association brings together vendors and business owners in its efforts to extol the benefits of electronic signatures and documents.  Adobe is a board member of the Association.

Next in our “What is an Electronic Signature, Anyway?” series will be an exploration of real world examples of electronic signatures in action around the world today and what the implications are for the businesses implementing them and the customers using them.