Posts in Category "General"

Scientific American Article on Improving Online Security

Adobe recently participated in an industry roundtable on Improving Online Security. The transcript has been published in the September 2008 issue of Scientific American, page 96 and on their website.

John Landwehr from Adobe and representatives from Hewlett Packard, Kaiser Permanente, McAfee, Microsoft, Panda Security, Sun, and Symantec discussed ways to protect against more numerous and sophisticated attacks by hackers and called for upgraded technology along with more attention to human and legal factors.

Now hiring: Digital Signatures Product Management

Adobe is looking for a Sr. Product Manager to join our security solutions team and work on digital signatures in Acrobat, Reader, and LiveCycle.

The job description and application process is posted on cooljobs.adobe.com.

Description:
Adobe (NASDAQ: ADBE) revolutionizes how the world engages with ideas and information. For 25 years, the company’s award-winning software and technologies have redefined business, entertainment, and personal communications by setting new standards for producing and delivering content that engages people virtually anywhere at anytime. From rich images in print, video, and film to dynamic digital content for a variety of media, the impact of Adobe solutions is evident across industries and felt by anyone who creates, views, and interacts with information. With a reputation for excellence and a portfolio of many of the most respected and recognizable software brands, Adobe is one of the world’s largest and most diversified software companies.

Today, Adobe is better positioned than ever to push the boundaries of the digital universe. Under the leadership of President & CEO Shantanu Narayen, we’re driving even greater innovation with powerful, compelling software solutions that meet the needs of customers and markets ranging from designers and filmmakers, to enterprises and governments, to developers and home users.

Recognizing that employees are at the core of our success, Adobe recruits and retains highly qualified and motivated individuals, creates an environment where they can innovate and achieve their best, and rewards them for their performance by giving them an opportunity to share in the company’s success.

Position Overview
Adobe Information Assurance Solutions enable organizations to more securely engage with employees, external associates, and customers by protecting the information lifecycle. Security can be persistently applied to information independent of storage and transport, inside and outside an organization. Adobe’s ecosystem of security partners provides interoperability with many information security infrastructures including identity and access management, single-sign-on, public key infrastructures, smart cards, and biometrics.

This Sr. Product Manager position in the Security Solutions team of Adobe’s Business and Productivity BU will significantly contribute to growing Adobe’s market share in information assurance solutions by identifying and prioritizing feature requirements, providing product competitive analysis, understanding customer usage workflows and customer satisfaction, driving and evaluating technology trends, ease of use, standards and certifications.

Requirements
Requires at least 5 years of experience in enterprise software product management. BS in Computer Science or related technical discipline, and in-depth experience with identity management, electronic and digital signatures, encryption, J2EE authentication, public key infrastructure, smartcards, maintaining documents of record, and information lifecycle workflows.

This position also requires significant cross-group interaction, a strong customer and partner focus, excellent communication, presentation, and negotiation skills, attention to detail, solid technical abilities to collaborate with engineering and direct market experience. Candidates must be passionate about the technology to make Adobe solutions more secure and easy to use. Preference given to candidates with security certifications.

Adobe believes personal fulfillment and company success go hand in hand, sustaining one another. In fact, our dynamic, rewarding working environment is well known – including eight years on FORTUNE magazine’s “100 Best Companies to Work For” and other, similar accolades. By hiring the very best and brightest, Adobe continues to be a simply better place to work – creating a dynamic environment today and providing incentives for future achievement.

Protecting native Office documents

On June 17th Adobe announced an expansion of the LiveCycle Enterprise Suite with our forthcoming LiveCycle ES Update 1 release. Included as a part of this release is our second version of our LiveCycle Rights Management ES Extension for Microsoft Office. This release expands our support for to include the ability to protect, and collaborate in natively protected Word documents, Excel spreadsheets and PowerPoint presentations. Further, we support all editions of Office 2003 and Office 2007 localized natively into English, French, German, and Japanese.

Click on the following screenshot to watch a short Captivate demo of our native support for PowerPoint presentations:

The software are now available for download from http://www.adobe.com/go/getrmextensions for use with your LiveCycle Rights Management ES system.


Questions or feedback on this entry? Contact us at RMFeedback@adobe.com

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

"This is legal, right?" – Electronic Signatures & The Law

,,,,,,

This entry is the third in our “What is an Electronic Signature, Anyway?” (Part One / Part Two) educational series.

First, a disclaimer.  This blog entry is not intended to provide legal advice.  You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

With that out of the way, welcome back to our series on electronic signatures.  Up to now we’ve covered what can be defined as an electronic signature, and how one can provide assurance as to the validity of an electronic signature.  However, our clients and customers are mainly concerned with one thing:  are electronic signatures legality and admissible in a court of law?  Will my contract be null and void if use this electronic signature pad?  Will my account documents be tossed out because they’ve been digitally signed?  Can I accept electronic signatures on my contracts?

Only your legal counsel can answer these specifically, but, in this lengthy entry, we can offer some very high-level information on the applicable laws, what is meant by legal effect versus admissibility, the availability of case law, and where you can go to find out more information.

 

Laws

In 2000, President Clinton digitally signed into law the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).  This public law provides that:

a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

At the state level, the Uniform Electronic Transactions Act (UETA), passed by 48 US States, provides much the same protections to electronic signatures and records. (The remaining 2 states have other legislation covering electronic signatures.)

Note that neither piece of legislation specifies a particular electronic signature technology.  In fact, the E-Sign Act states that:

The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

By keeping the legislation technology-agnostic, the law doesn’t create a bias and also does not have to be changed as technology changes.  It therefore has the added benefit of allowing for a wide spectrum of electronic signature technologies (click-thru, signature pad, biometrics, digital signatures, etc), as long as the systems provide a signature that is “attached” to the electronic document needing to be signed, and provide evidence to the fact that the signatory actually signed the electronic document, showing an “intent to sign.”  The laws do prohibit the use of electronic signatures on certain legal documents such as wills and adoption papers, though.

Other US laws and regulations provide guidance in specific industries.  For instance, 21 CFR Part 11 covers the use of digital signatures in communications with the Food and Drug Administration.  This is a good time to mention that laws are not the only things to be concerned about when it comes to electronic signatures.  You also have to be aware of any regulatory standards or recommendations that may be in place for your industry. 

Using the pharmaceutical industry again as an example, the SAFE-BioPharma Association ( Signatures and Authentication for Everyone), interested in promoting the use of electronic documents and reducing costs, created a technical, legal & business model around the use of electronic signatures among pharmaceutical manufacturers, clinical investigators and regulators.    In fact, SAFE requires the use of digital signatures, and has certified (and recently re-certified) PDF-based digital signatures in Adobe Reader®, Acrobat®, and LiveCycle® Digital Signatures within the SAFE standard.

Outside of the US, most countries have electronic signature laws in place, as well, though they vary in complexity.  For the 27 member states of the European Union, Directive 1999/93/EC on a Community Framework for Electronic Signatures (EU Signature Directive) provides an in-depth legal framework for electronic signatures and their validity inside and between EU countries.  It creates several categories of electronic signatures, with so-called “Qualified” signatures required to be legally accepted and valid in all EU member states.  The high assurance requirements around Qualified Electronic Signatures (QES) do point to digital signature technology, with a requirement for a ‘Secure Signature Creation Device’ and best practices around key generation, storage, and certification of the providers of the signing credentials themselves.

Adding to the fun, EU member states are required to individually transpose EU Directives into their own legislation.  Certain countries decided to tweak the text on the way to implementation, and in so doing, created another layer of complexity that makes working with cross-border electronic signatures quite a challenge!

Note that electronic signatures applied in the US may not be provided legal admissibility in the European Union, especially on documents like electronic, or e-, invoices.

 

Legal Effect vs. Admissibility

We’ve tossed these terms around in this entry, so it’s probably time to clarify the difference between the two.  While lawyers around the globe may cringe at my over-simplification, here we go…

“Legal effect” pretty much means that, yes, the court will accept that an “electronic signature” is a “signature” as already defined by precedent and law.  So, in other words, an electronic signature and a wet ink signature are equivalent in most respects, and they can be brought into trial.

However, just like their wet ink counterparts, each document intended to be entered into evidence in a trial will need to be assessed for its “admissibility,” whether it’s signed with ink or a digital certificate.  Does it represent the intent of the signatory?  Has the document been altered?  Who had the right to sign this document?  How was the signature derived, and what controlled access to the document for its signature?  These questions come into play no matter the type of signature.

However, wet ink signatures have been in use for quite a long time and have established a certain amount of credibility.  Electronic signatures, on the other hand, are a newer phenomenon, and thus may be more subject to the critical eye of the court.  This is where the concept of assurance, as described in the previous entry in this series, can come into play.  Higher assurance signature methods that authenticate the signer, use document fingerprinting (‘hashing’) to provide integrity, and store signature keys (and thus, the “pen”) in a secure manner, are more likely in the long run to be provided with the benefit of the doubt than those signature technologies which provide lesser assurance.

So, in the end, your electronic signature may be a legal signature, but it could be tossed out of court if the judge feels that the signature process did not provide the appropriate level of assurance.

 

Case Law 

Well, we’d love to point you to a particular case which ruled this or that technology admissible or signatures captured on these types of documents were OK, but there are none.  In the United States, there are likely hundreds of cases that cover subjects related to the use of electronic documents and e-discovery, but none that specifically cover challenges to electronic signatures.  While this could mean that cases are being handled in arbitration (outside the courts), or that challenges have not been filed, it is all the more likely that the courts have been holding electronic signatures as accessible.  

What the future holds, no one is certain.  The EU Signature Directive provides a clear sign that assurance does play a role in admissibility.  Will the ideas of the Directive take hold in other countries around the world?  How will US and state case law react to increasing numbers of electronic signatures?  We’ll keep watching…and we’ll keep you informed!

The good thing is that with Adobe products like Acrobat and LiveCycle you are gaining the ability to sign electronic documents (PDF) with a spectrum of electronic signatures, whether they’re electronically captured on a tablet PC, created with digital certificates, or even required to be compliant with the EU Signature Directive.  You can rely on Adobe’s global expertise in the field and years of collaboration with our Security Partner Community to meet your electronic signature needs, no matter the requirements.

 

Links

Here are some links to continue your reading.  Again, be sure to confer with your legal counsel on these topics.

  • ABA Digital Signature Guidelines Tutorial – A great starting point for understanding digital signatures from the American Bar Association.
  • The Sedona Conference® – Though focused primarily on electronic records, this educational non-profit organizations provides substantial coverage of related case law and issues that may come into play.
  • Electronic Signatures & Records Association (ESRA) – This association brings together vendors and business owners in its efforts to extol the benefits of electronic signatures and documents.  Adobe is a board member of the Association.

 

Next in our “What is an Electronic Signature, Anyway?” series will be an exploration of real world examples of electronic signatures in action around the world today and what the implications are for the businesses implementing them and the customers using them.

Adobe @ RSA

The RSA Conference is one of the most highly respected information security conferences and exhibitions in the industry.  This year, the Conference runs from April 7-11 in San Francisco, California, at the Moscone Convention Center.  Anyone who’s anyone in the information security space, specifically companies and individuals involved in authentication, identity management, encryption, and cryptography, will be there.  Attendees (over 17,000 expected) represent every key vertical market and range from C-level executives to front line IT staff.  Heck, even Al Gore is making an appearance (no really…he’s one of the keynotes at the event!).

Adobe will be exhibiting at Booth 828 and demonstrating our LiveCycle ES and Acrobat products, highlighting their electronic signature and rights management capabilities.  If you are planning on attending, please come by and say hello!  Learn about the latest updates to our product and feature line-up, as well as our integration with a wide variety of partners, many of whom will also be exhibiting at the event (see below).  We’ll be happy to answer any questions you have. 

The extended Security Solutions team, including product managers, engineering, and sales engineers will be on hand during RSA, not only manning the demo stations at the booth, but also roving the floor, and speaking at the conference itself.  For example, John Landwehr, director of Security Solutions and Strategy at Adobe, will be speaking on Thursday, April 10 at 8:00 AM on a panel (DEPL-301) with Deloitte & Touche covering the topic of Information Classification and its critical application to the questions of security policy, data leakage and rights management in the enterprise.

If your company is interested in a partnering relationship with Adobe, please visit the booth and ask for John Harris, who manages our security alliances.

We look forward to meeting you in San Francisco next week!  Our Security Partner Community will also be exhibiting at RSA…be sure to visit them and ask how they work hand-in-hand with Adobe:                                                

 

    Partner 
    Booth #
    ActiveIdentity
    Booth 657
    Athena Smartcard Solutions
    Booth 1350
    Arcot Systems, Inc. 
    Booth 1045
    CoreStreet Ltd.  
    Booth 1350
    Entrust
    Booth 817
    Gemalto Inc.
    Booth 1923
    nCipher Inc.
    Booth 2129
    RSA, The Security Division of EMC
    Booth 1717
    SafeNet, Inc.
    Booth 1039
    SOFTPRO GmbH 
    Booth 1332
    VeriSign, Inc.
    Booth 1316

Adobe’s history of content protection

Every once in a while, someone asks “How long has Adobe offered content protection?” Turns out, Adobe’s information assurance efforts have been ramping up for over a dozen years. Adobe provides security features in numerous products and also provides dedicated security solutions such as LiveCycle Digital Signatures and LiveCycle Rights Management. Here’s a brief history:

Adobe’s history of content protection started with Acrobat 2.0 in 1994. At the time, this was simple 40-bit RC4 password-based encryption and digital rights management (DRM) to restrict who can open the document and what they can do with it.

Acrobat 4.0 in 1999 added support for Public Key Infrastructure (PKI) enabling a single PDF document to be protected for multiple recipients, with different permissions based on their own keypair. Depending on who opened the document, printing, modification, and clipboard actions are enabled/disabled. This release was also the first to add digital signatures using PKI. This was important for paper documents to move to digital with an opportunity for higher levels of assurance than a pen could provide on paper with a wet signature (ink) by utilizing cryptographic protections of authenticity, integrity, and non-repudiation. Acrobat 5.0 added support for 128-bit RC4 encryption for stronger levels of confidentiality. Acrobat 6.0 added support for the Microsoft CryptoAPI to (CAPI) so the keypair could be stored in the Windows certificate store or through a Crypto Service Provider (CSP) to smartcards and other tokens.

In 2005, Acrobat and Reader 7.0 shipped along with LiveCycle Policy Server and Security Server. AES128 encryption was added to PDF. The enterprise rights management capabilities of Policy Server integrate with an organization’s LDAP or Active Directory. A policy coupled with an information classification such as “Insider Restricted” restricts who can open the document, what they can do with it, and also provides enterprise auditing measures. Absolute (e.g. on 12/31) and relative (e.g. 7 years from document creation) expiration dates can be set to automatically expire documents. All these permissions in a policy are dynamic and can change after the document is published – to add or delete users, change permissions, or even revoke the document entirely. This revocation feature is used by many to enable version control outside a repository, so as a document is changed on the server all distributed copies of that document are automatically revoked providing the recipient with a notification to go back to the server for a current version. Visual watermarking capabilities on PDF are able to show the policy name, recipient opening the document, and the date/time. Acrobat and Reader 7.0 were also US Department of Defense (DoD) certified by the Joint Interoperability Test Command (JITC). The LiveCycle Security Server provided the ability to apply and validate digital signatures as well as encrypt and decrypt document in an automated business process. Flash Media Server 2 provided protected streaming capabilities for delivering video to Flash Player.

As we wrap up 2007, there has been a lot going on over the last 12 months. Acrobat, Reader, and LiveCycle shipped with new FIPS 140 approved encryption libraries. LiveCycle Rights Management (formerly Policy Server) now supports native Microsoft Office documents as well as Dassault CATIA. LiveCycle Digital Signatures (formerly Security Server) provides XML signature support as well as certified documents and is integrated with automated forms and document generation processes. Adobe’s rights management has been integrated into hardware devices such as Multi Function Peripherals (MFPs) from Ricoh and others. Third party software vendors including PTC and Hitachi/Lattice3D are integrating Rights Management into their native applications. Adobe Media Player is in public pre-release with support for content protection on downloadable and offline Flash video.

What about 2008 and beyond? Stay tuned for more entries as Adobe’s security solutions expand to protect even more aspects of the information lifecycle – independent of storage, independent of transport, across operating systems and file formats.

FIPS 140 Validation Certificates for Acrobat, Reader, and LiveCycle

Version 8.1 of Adobe Acrobat and Adobe Reader include the RSA BSAFE Crypto-C ME 2.1 encryption module with FIPS 140-2 validation certificate #828. FIPS mode can be enabled to restrict document encryption and digital signatures to FIPS approved algorithms (AES/RSA/SHA) from this library using these instructions.

Adobe LiveCycle ES includes the RSA BSAFE Crypto-J 3.5.04 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.

Adobe Security Solutions at MAX 2007

MAX 2007 is an experience unlike any other, an opportunity to connect with thousands of Adobe users, experts, and staff for education, inspiration, and community. Join us to discover new skills, explore emerging technologies, and build valuable relationships.

This year’s conference tour is scheduled for:
* North America: Chicago, IL – September 30 – October 3
* Europe: Barcelona, Spain – October 15-18
* Japan: Tokyo – November 1-2

Below is a sampling of sessions covering various aspects of Adobe security solutions, features, and infrastructure:

LiveCycle Digital Security and Certification
This session will focus on the persistent rights management and document security technologies in the LiveCycle Enterprise Suite. The components explored will include LiveCycle Digital Signatures ES, LiveCycle Rights Management (formerly Policy Server), and LiveCycle User Manager. The thrust of the talk will focus on LiveCycle ES as a service oriented platform for delivering key interactions with remote clients but will also showcase core capabilities and delve quickly into SDK’s and API’s for developers.

Implementing Rights Management (DRM) for Video Delivery
Content protection is an important consideration when creating and deploying streaming media. This session addresses the optimal ways to prepare, host, and deliver video content to the Flash player. We’ll examine administrative and security tools, tips, and tricks as part of Flash technology and Flash solutions.

LiveCycle Rights Management ES: Its Purpose, Scope, and Integration with Various Technologies and FormatsIn this session, we’ll provide an overview of Adobe LiveCycle Rights Management ES and how it is used to protect content. Afterward, the session will focus on some common integration tasks, including integration with enterprise content management (ECM) software, product lifecycle management (PLM) software, authentication environments (such as ActiveDirectory and LDAP), and multiple file formats. Topics will include Rights Management Customer Configuration and architecture, integration strategy, integration points, and open-source products.

Adobe Integrated Runtime (AIR) Security
Desktop application security creates different requirements for developers. Find out how the Adobe AIR security model will affect your application and what best practices you should follow to build more secure desktop applications using Adobe AIR.

Partner Summit: Meet the Team: An Enterprise Print and Scan Security Solution
Adobe has developed a solution that provides more secure document scanning, printing, collaboration, and auditing. This solution integrates Acrobat and LiveCycle Rights Management with MFP (multifunction peripheral) devices to provide end-to-end document security. Adobe is working with MFP OEMs to bring this solution to market in 2008 and is looking for VARs and systems integrators to partner with. Learn how you can extend document workflows by adding more secure print and scan services to your solutions.

Securing your Video delivery with Flash Media Server
Learn about the many new content protection mechanisms in Flash Media Server. We will cover content encryption and protection, rights management, protected streaming into Flash/AIR/AMP, SWF verification, content integrity, and user-based content protection.

Securing ColdFusion
Securing ColdFusion servers involves more than just setting an administrator password. From OS and HTTP issues to SQL injection attacks to vulnerabilities in installed software and more, there’s a lot to lock down and a lot to keep an eye on. This session will cover security at multiple levels, arming you with the know-how to protect your servers and valuable data.

Adobe Media Player: The New Model for Content Monetization
The Adobe Media Player offers content publishers new ways to monetize content by integrating advertising into both online and offline experiences. Explore the new advertising model, more secure content protection capabilities, flexible user-selected features for downloading and viewing “favorites,” and more.

Flash Player Cross-Domain Security
Find out how the Flash Player sandbox keeps your content and users safe from malicious attacks. Learn how to configure Flash Player using policy files, config files, and ActionScript to allow the communication you want and prevent the problems you don’t want.

Hands On: LiveCycle ES Business Process Management and Design
In this session, we’ll explain the process management functionality in Adobe LiveCycle Enterprise Suite. Topics will include components, control flow, data types and mappings, exception handling, events, parallel flows, security, subprocesses, transactions, versioning, short- vs. long-lived processing, and reporting.

Branding and Protecting Flash Enabled Video
Learn how to create and deliver interactive content featuring seamlessly integrated video. Create customized players that fit the look and feel of your project. Learn how to protect your content so you can deliver with confidence. Discover new components, including closed-captioning capabilities. This session will appeal to new Flash users, as well as Flash experts who are newly interested in video.

Introduction to Streaming with Flash Media Server
This session will provide an overview of the full ecosystem for delivering high performance streaming with Flash Media Server, including encoding, encrypting, securing, managing the assets, delivery options with Flash Media Server and the CDN, tracking, and reporting. Topics will include the difference between streaming and progressive video, the details of secure delivery, the use of DRM, and planning your Flash Media Server cluster. Come learn the basics of what Flash Media Server can do for your online video experience.

Arcot Announces Two Factor Authentication in Flash Player and Apollo/AIR

Arcot, a member of Adobe’s security partner community, just announced their Flash-based two-factor browser authentication solution as well as support of Adobe Integrated Runtime (which was also announced today as available in beta, and formerly codenamed Apollo). Arcot’s “software smartcard” solution provides greatly improved simplicity and security for consumer logins to online applications.

Usernames and passwords alone have reached the end of their useful life for protecting valuable online transactions because they are often reused by consumers across sites, easily guessed, and subject to phishing. While today’s web browsers provide PKI authentication using SSLv3 client authentication, there is not a consistent or friendly user experience across browsers and operating systems to provision and utilize the necessary PKI credential. That’s why you often hear PKI = Painful Key Infrastructure instead of Public Key Infrastructure.

Arcot has developed a seamless provisioning and utilization of PKI credentials in the form of an ArcotID. While the user logs in with their existing username/password, a SWF in the browser is providing PKI authentication behind the scenes using a locally stored credential in the form of an ArcotID.

ArcotID Flash client is part of WebFort, Arcot’s two-factor authentication system for large enterprises in financial services, healthcare and other industries facing increasing regulatory pressure to protect and verify end-users’ identities such as those from the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA).

Acrobat and Reader 8.1 – Now Available

Adobe Acrobat 8.1 and Adobe Reader 8.1 are now available for download. In Acrobat, check the Adobe Updater (Help menu -> Check for Updates) to look for the update. You can also directly download Adobe Reader 8.1.

A partial listing of what’s new in 8.1:
* Microsoft Windows Vista™ and Office 2007 support

* Installing on 64-bit versions of Windows XP and Vista

* Easily extract documents from a package. Search and print the current or selected document, or all documents within the package.

* Read and organize eBooks and other publications with Adobe® Digital Editions (a separate product). When you first click the Digital Editions menu item, you can download and install the Adobe Digital Editions software. After installation, choose Digital Editions to go directly to your Adobe Digital Editions bookshelf.

* Acrobat 8.1 provides a FIPS mode to restrict data protection to Federal Information Processing Standard (FIPS) 140-2 approved algorithms using the RSA BSAFE Crypto-C 2.1 encryption module. This article has more information on enabling FIPS mode.

The following knowledgebase articles describe the 8.1 update in more detail:
401730: Adobe Acrobat 8.1 Update
401732: Adobe Reader 8.1 Update