
November 3, 2009

Straight Talk about PDF & Digital Signatures - ISSE 2009

Jim King, PDF Architect, senior principal scientist at Adobe and one of the key drivers behind the PDF format and its adoption and continuing development by ISO as a standard (ISO 32000), recently delivered a keynote presentation to the ISSE (Information Security Solutions Europe) 2009 Conference in The Hague, Netherlands.  He discussed the evolution of the PDF format and standard, and spent most of his talk introducing the new PAdES signature standard and what it encompasses.

During that conference, Jim sat down with Roger Dean, executive director of eema UK, for a conversation about PDF, the need for digital signatures, challenges of communicating the benefits of digital signatures, and finally a description of the PAdES standard.  This interview is now available below (and here)...enjoy!


September 23, 2009

Eliminating the Pen...One Step at a Time: PAdES PDF Advanced Electronic Signature Standard Released for EU

Building on the delivery of the PDF format to the International Standards Organization (ISO) as ISO 32000-1, Adobe has been collaborating with standards bodies around the world to make it easier for companies, organizations and individuals to leverage the ubiquity of PDF to make business processes quicker, easier and more reliable.  However, the rush to go paperless has often fallen short of its true potential because signing a document oftentimes brings business critical processes crashing to a halt, requiring users to print out the previously electronic document in order to apply their nom de plume with an ancient writing implement.  Electronic signatures are obviously the solution, but there’s still the question of interoperability and the use of electronically signed documents within certain legal frameworks, such as the European Union (EU).  With last week’s announcement of an ETSI open standard for PDF digital signatures, that question can now be answered.

ETSI/ESI Technical Standard (TS) 102 778, better known as PAdES (pronounced with either a long or short a), documents how the digital signature format described in ISO 32000-1 meets the needs of the 1999 EU Signature Directive (see previous blog entry), and then goes on to describe how that format can be expanded to take advantage of certain capabilities such as long-term document validation, where digital signatures placed on documents today can be validated five, ten and even 50 years later.  (The standard can be downloaded free of charge from the ETSI website at http://pda.etsi.org/pda/.)


September 21, 2009

History...signed with Adobe products: US District Court Judge issues first digitally signed judicial order

For the first time in history, the Honorable John M. Facciola, Magistrate Judge for the U.S. District Court in the District of Columbia, signed a judicial order, not with paper and pen, but with a digital signature!  Press release here.

 

Judge Facciola viewing his just-digitally signed order in Adobe Acrobat.  Courtesy National Notary Association (NNA). 

Talk about setting precedent--while electronic filing has been required for some time, orders are typically printed out, signed, and then re-scanned into systems for filing.  Not until now has there been such a vote of confidence in the legal significance and weight of a digital signature.  By keeping the generation, signing and filing of the order completely electronic, the process is made much more efficient, potentially driving costs down and making the court’s systems work more effectively.  This is the latest example of organizations understanding not only the integrity and authenticity benefits of digital signatures, but the resource savings also.  Remember, it’s not so much the signature event that consumes time and money--it’s the processes around it.


September 14, 2009

Contracts @ the speed of light: Adobe's new Click-to-Accept solution

Recently, Adobe launched its C2A (Click-to-Accept) service, providing partners and customers with the ability to electronically sign certain Adobe agreements without a lengthy approval and review process.  And what’s more, not only was it developed with the cross-functional support of product, information technology and legal teams within Adobe, it’s also based on off-the-shelf Adobe server and client products, including Adobe LiveCycle® ES, Flash, and Adobe Reader®.  We’ve talked in this blog about Adobe’s capabilities to support a wide range of electronic signatures within a single workflow, and here’s a clear example of that in production right here at Adobe.


August 27, 2009

Finding your way in the wood: Signature Terminology and Security Resources

If you've been following this blog, you'll know that we toss around lots of terms in each entry, along with references to standards, technologies, products and services.  Even if you haven't read this blog before, you may have struggled trying to understand the difference between electronic and digital signatures, or what a "PKCS#11" is, or, for that matter, a trust anchor.

Well, struggle no more--today we published our latest security terms glossary, which should help to clearly define terms and keep everyone here in line with usage. (Let us know if we don't!)   Over 140 terms are defined, along with spelled out acronyms, so you are no longer in the dark!  

What's more, the glossary is posted on our Security Document Library site, part of the learn.adobe.com wiki area of Adobe's web presence.   The Document Library contains links to the latest security documentation, including an omnibus guide, "Digital Signatures & Rights Management in the Acrobat Family of Products,"  which consolidates many separate documents we've had in the past on signatures, preferences, registry settings, encryption and the like.  In addition, there are links to many useful one page 'keys' on signature validation, icons, signature creation, etc.

Find the glossary here.  If we've missed any terms or some element of documentation, please email John Harris at jbharris(at)adobe.com.


August 25, 2009

News from Adobe’s Security Partner Community: VeriSign Joins the Adobe Approved Trust List

Several weeks ago, Adobe launched the Adobe Approved Trust List (AATL), our latest effort at making the use of digital signatures easier through better trust mechanisms.  VeriSign, already a Provider in our flagship trust program Certified Document Services (CDS) through its acquisition of GeoTrust, announced the inclusion of its Non-Federal SSP in the AATL, widening VeriSign's trust foundation in Adobe Acrobat and Reader.

According to Mike Stewart, CIO at the Kansas Secretary of State's office:

As a VeriSign Non-Federal SSP-PKI customer, we are excited to now have the ability to use the certificates we've already issued to digitally sign Adobe documents as part of the AATL program.  VeriSign and Adobe have made it easy to deploy and use.

Adobe is excited too!  VeriSign, along with other AATL charter Members and CDS Providers, is improving the capability for today's agile enterprises and organizations to use digital signatures and bring cost efficiencies, integrity, and non-repudiation to more document workflows.

For more information on the Adobe Approved Trust List, please visit our website.


To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!


July 17, 2009

Casting a Wider Trust Net: Announcing the Adobe Approved Trust List

Over the years, Adobe has made electronic documents and workflows easier, more efficient, and more secure.  With one of the leading implementations of electronic signatures on the market, Adobe products allow you to go the last mile by eliminating the need to print a document out just to sign it.  At the same time, we’ve also been busy behind the scenes working on ways to better deliver trust in those electronic and digital signatures so users can rely fully on these new workflows.  Today, we’re announcing the launch of our latest trust effort, the Adobe Approved Trust List...available now.

The AATL will allow millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Acrobat or Reader 9.0 and above.  Essentially, both Acrobat and Reader have been programmed to reach out to an Adobe-hosted web page to periodically download a list of trusted root digital certificates.  Any digital signature created with a credential that can trace a relationship (‘chain’) back to a certificate on this list will be trusted by our products.  Trust is only one of many questions Adobe products ask when validating an electronic signature, but it is a critical one.

[Screenshots: Document Before AATL; Document After AATL]

Several countries and organizations have already placed their ‘trust’ in the AATL:

  • DigiNotar
    • DigiNotar Qualified CA
  • GBO.Overheid – Netherlands
    • Staat der Nederlanden Root CA – with Certificate Policies defining secure hardware
    • Staat der Nederlanden Root CA – G2 – with Certificate Policies defining secure hardware
  • GlobalSign
    • DocumentSign CA
  • Keynectis
    • ICS CA
  • SwissSign
    • SwissSign Platinum CA — G2
  • TC Trustcenter / ChosenSecurity
    • CA 7:PN
    • CA 8:PN
  • US Federal Common Policy Root
    • Common Policy – 2010 expiry @  Common Hardware, Common High, Medium HW CBP
    • Common Policy – 2027 expiry @  Common Hardware, Common High, Medium HW CBP
  • VeriSign
    • Class 3 Intermediate Non-Federal SSP @ Medium-Hardware

Starting today, valid signatures with credentials from these providers, chaining up to these certificates, and meeting a set of Technical Requirements will be automatically trusted in Acrobat and Reader 9.0 and above, including most US Federal HSPD-12 / PIV cards.

So how do you take advantage of the AATL?  Well, if you’re using Acrobat or Reader 9, you don’t need to do anything!  This feature is turned on by default when you install these products, and the Trust List will automatically be updated every 90 days, though you must open a signed document (like the one here, for example) or open a signature-related menu item to trigger the timer and update.

If you want to verify the AATL is enabled, go to Edit (‘Acrobat’ on Mac)->Preferences->Trust Manager and be sure that the “Load trusted root certificates from an Adobe server...” check box is checked.  (See image below.)  You can then click the “Update Now” button in that same dialog box to download the latest version of the AATL from Adobe.  In any case, be sure to review the User FAQ if you’re having any problems or have any questions about how the AATL works.

 

The launch of the AATL complements our existing Certified Document Services (CDS) trust program, where new digital IDs that are chained to the Adobe Root certificate embedded in Adobe products are automatically trusted.  CDS is key to document certification efforts at the US Government Printing Office, Avow Systems, the Antwerp Port Authority, and many other customers who use high assurance signatures to protect the integrity and authorship of key electronic documents.  Anybody who opens a PDF document signed or certified by a CDS credential automatically gets a ‘blue ribbon’ experience with trust provided to the signature without any user interaction.  Five certificate authorities currently offer CDS certificates. 

While the high-level benefits of the Adobe Approved Trust List program are similar, the AATL is only available in Acrobat and Reader 9 at this time.  It is not backwards compatible.  CDS credentials, on the other hand, are backwards compatible from the current generation of Acrobat and Reader all the way back to version 6.  Also, CDS Providers offer certificates that meet a similar high standard for assurance and feature additional capabilities including the automatic embedding of robust timestamping and real-time revocation to provide for easy, long-term validation of digital signatures.  However, existing certificate communities, such as government national ID card programs, can join the AATL, as the chain to the Adobe Root certificate is not required.  Contact Adobe to get more information about which program is right for your organization / government.

If you’d like to test the AATL (and you've verified that it's enabled and downloaded per the instructions above and in the FAQ), please browse our sample documents available here.

And the story doesn’t end there!  Several more government and commercial entities are lined up to join the program in the coming months...stay tuned.

Please visit the AATL webpage for more information.


May 28, 2009

“Sign here...” Getting started with electronic signatures in Adobe products

This is the latest entry in our “What is an Electronic Signature, Anyway?” series.  You can find previous entries here.

Recently, I’ve received a number of emails from our users asking questions about electronic signatures, so I thought it would be useful to briefly answer some of these frequently asked questions and also direct you, dear reader, to a variety of resources here at Adobe that can help.

First, I recommend you read the other blog entries in our “What is an Electronic Signature, Anyway?” series to better understand the terminology and issues surrounding electronic signatures.

Now onto the questions...

I want to electronically sign a PDF—what do I need to do?

There are lots of different ways to electronically ‘sign’ documents, but they vary in terms of reliability, longer-term validity, and application.


May 27, 2009

“Click on this...” Adobe’s eSubmissions Solution Accelerator Shows Off Click-thru Approvals & Signatures

Electronic signatures come in many shapes and sizes, and for a long time, Adobe has been primarily associated with three of those sub-types—digital signatures, certification signatures, and handwritten eSignatures based on solutions from our Security Partner Community—due to our comprehensive coverage of, and capability for, those technologies.  However, customers and partners do not often associate us with click-thru approvals and electronic signatures, where a user authenticates to a website, reviews a document, and then is allowed to approve or reject said document with a simple click of a button.

Actually, Adobe has supported this capability for some time within our LiveCycle ES product line, but the capability was spread across components that can prepare documents for review (PDF Generator, Output, Reader Extensions, Forms), move documents along a workflow (Process Management), present documents for review, comment, and approval (Workspace), and then sign (Digital Signatures) and archive (Content Services) or further process those documents for storage, submission, etc. 

The challenge of piecing together these components was not lost on Adobe, and last year we started working on Solution Accelerators--sample code and tooling that brings together task-oriented building blocks composed of LiveCycle components.  More than a proof-of-concept, but less than complete production code, Solution Accelerators can be used by a customer or systems integrator to bring projects to fruition in a much shorter timeframe, while providing for flexibility in the final implementation. 

The eSubmissions Solution Accelerator, released this Spring, shows how LiveCycle can be used to present documents for review, commenting, & approval in parallel or serial workflows, and incorporates the capability to not only sign with traditional digital signatures or handwritten electronic signatures, but also via authenticated click-thru approvals and server-side signing and certification functions.  Download the demonstration video here.  Unlike other click-thru solutions on the market, this Solution Accelerator shows the breadth and depth of Adobe’s offering, providing for compliance with electronic signature regulations around the world.

 

While this Solution Accelerator was designed for the biopharmaceutical market, it can easily be repurposed for contract approvals, financial services transactions, and the like—this is one of the benefits of the Solution Accelerator approach. Moreover, eSubmissions demonstrates Adobe’s intent to provide users with a best-in-class experience when it comes to electronic documents and workflows.  There’s no longer any reason to print an electronic document just for review and signature...Adobe provides a one-stop shop for a full range of electronic signature and approval capabilities.


May 1, 2009

Seven Technology Habits of Highly Effective CFOs

Recently, Adobe executive vice president and Chief Financial Officer Mark Garrett presented a keynote at the CFO Rising conference, sponsored by CFO Magazine. Speaking to a ballroom full of senior finance executives, Mark outlined the “Seven Technology Habits of Highly Effective CFOs” and utilized several case study examples to illustrate his points.


April 1, 2009

DoD Certification of Acrobat and Reader 9

The United States Department of Defense Joint Interoperability Test Command (JITC) has certified both Adobe Acrobat and Adobe Reader version 9...


March 11, 2009

Acrobat and Reader 9.1 Now Available with Information Assurance Updates

Version 9.1 of Adobe Acrobat and Adobe Reader is now available with critical security updates and other product improvements. Adobe strongly recommends all users update using the built-in software update system or manual download from adobe.com. Here are some additional details on this release:


February 27, 2009

“Please Sign Here...” and Help Us Develop the Best Electronic Signature Features in the Industry

If you have (and use) an electronic signature credential, and are interested in helping Adobe craft the next generation of Adobe Acrobat, Reader, and LiveCycle products and signature features, we are offering you the ability to participate in an Electronic Signature Survey.

There are three parts to this Survey.  The first part asks you to sign a signature field with your signature credential.  The second asks you a series of questions about your use of electronic signatures, and the third concerns technical details about your signature credential. 

IMPORTANT NOTICE:  All information you provide as part of the Electronic Signature Survey will only be used to test the compatibility of Adobe’s LiveCycle ES, Adobe Acrobat and Adobe Reader products with the signatures collected by way of this Electronic Signature Survey and to understand the ways in which signatures are used in our products, helping guide Adobe's electronic signature product strategy.   Adobe will retain the information you submit as part of the Electronic Signature Survey as long as reasonably necessary but solely for testing and product development purposes as noted above.  The information you provide as part of the Electronic Signature Survey will not be publicly disclosed.  If at any time you wish to have the information you submit via the Electronic Signature Survey removed from Adobe’s database, please send an email to signaturesurvey@adobe.com

All information submitted by you is subject to Adobe’s Online Privacy Policy located at:  http://www.adobe.com/misc/privacy.html.

Download the Survey here.  Thank you for participating! 



February 15, 2009

Packaging options for encrypted PDFs

Since Acrobat 2.0 in 1994, encryption has been available to protect a PDF document - restricting who can open it and what they can subsequently do with it. Today, there are a number of packaging options for distributing one or more protected PDF files.


December 18, 2008

Digital Certificate Veteran Entrust Joins Certified Document Services (CDS) Program

Following on the heels of a number of successful customer deployments, Adobe is proud to welcome another respected organization to the CDS Program.  Entrust announced today they have joined the CDS Program and will begin offering certificates under its auspices in early 2009.  This will bring to five the number of CAs in the program, along with ChosenSecurity, GlobalSign, Keynectis, and VeriSign.

CDS makes creating and receiving authentic documents easier by not requiring a recipient to explicitly trust the author of the document.  CDS signatures automatically validate in Adobe Acrobat or Adobe Reader 6.0 and above, providing integrity and long-term assurance to electronic documents of record.  Providers involved in the CDS Program are required to meet stringent requirements for identity vetting, security, and operations.

According to Entrust's President and CEO Bill Conner:

While electronic documents are an efficient method to do business, until recently they lacked the security necessary to be accepted for official enterprise use.  With the advent of this standard and the specialized certificates, organizations can be confident that electronic documents are authentic and have not been tampered with or altered.

Read more about CDS here.


To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!



December 8, 2008

News from Adobe’s Security Partner Community: Significant GlobalSign Customer Announcements Buoy CDS Program

Since its induction into the Adobe Certified Document Services (CDS) Program, GlobalSign has been very busy working to build a customer base eager to leverage the native trust and assurance that CDS brings to any recipient opening a CDS digitally signed PDF document in Adobe Acrobat or Reader 6.0 and above.  That work has paid off in three separate customer announcements this year, including one just released today:

  • December 8, 2008: In partnership with Adobe and SafeNet, GlobalSign today announced the success of the Antwerp Port Authority project.  This port is the second largest in Europe and the fourth largest in the world.  Looking to save time and money by eliminating paper invoices, and required by law to provide for the integrity and authenticity of the resulting electronic invoices for value-added taxes (VAT), the Port of Antwerp deployed a solution combining:
    • LiveCycle ES document generation and digital signature servers;
    • DocumentSign CDS digital certificates from GlobalSign; and
    • SafeNet hardware security modules (HSMs) to protect the signing keys themselves.

    “We’ve seen a marked increase in the number of projects across the whole of Europe in recent months as the worldwide economic climate causes enterprises both large and small to re-evaluate their invoicing processes to drive down costs and remain competitive.  DocumentSign is not only a cost effective and easy solution for businesses to use, but is also compliant with European e-VAT legislation.”  -Steve Roylance, Business Development Director, GlobalSign.

  • May 2008: At the annual National Notary Association conference, GlobalSign announced the positive results of a pilot undertaken with the UK Notaries Society in which the cost efficiency and legal admissibility of eNotarization performed with GlobalSign CDS credentials was well-documented.
  • May 2008: Bodycote, a leading provider of testing and thermal processing services, announced that it had selected GlobalSign’s DocumentSign program, based on CDS credentials, to certify its test data and reports.  With this solution Bodycote can provide results to its clients in PDF form, confident in both the accuracy and integrity of the data contained within.

    “DocumentSign services our security requirements but is also instantly deployable and very scalable - essential factors for rolling out a solution that can be easily understood by every person in the reliance chain.  For our clients' customers, they simply open the test results in [R]eader.” - Alan Slater, Head of IS & IT Architecture, Bodycote


December 1, 2008

Acrobat 9 and password encryption

Based on some recent online discussion of Acrobat 9 and password encryption, we’re posting to provide a quick summary on what has changed, how it impacts the overall security of PDF documents, and Adobe's commitment to providing high-assurance document security implementations.


November 29, 2008

E-Invoicing Made E-asy: LiveCycle & PDF to the Rescue

No matter how far technology has reached into our personal and professional lives, it seems we just can’t get rid of paper cluttering our desks, folders, and cabinets.  Despite the ubiquity of PDF documents and ever-increasing use of the web and computers for banking and commerce, the bill, statement and invoice still rule the roost when it comes to sheer volume of paper.  (OK, next to junk mail, but...)

This problem is exacerbated in the European Union where the requirement to document and validate value-added taxes (VAT) results in the creation and exchange of over 30 billion invoices every year, at an estimated cost of €30 per invoice.  Add to that staggering cost environmental pressures to “go green” and reduce waste.  Add to that the loss in business agility resulting from delivery times and internal routing.  And then add to that the human errors attendant with the transposition of data from these paper documents to electronic systems, which can cost over €100 per incident.  Facing a global economic recession, the benefits of moving to electronic, or e-, invoicing systems are real: expected cost reductions on the order of 80%!

The EU acted in 2001 to harmonize invoicing legislation and encourage the use of e-invoicing across all 25 EU member states (Council Directive 2001/115/EC).  These regulations mandated a common set of master data fields in addition to the use of technologies to better manage the integrity and authenticity of invoice content.  Yet even with this harmonization framework, there are still over 200 e-invoicing systems in place all over Europe, making it very difficult to exchange electronic invoices across national borders.  Given this challenge, the CEN/ISSS Workshop on Compliance of eInvoices works to create standards and best practices for a more universal solution that can be implemented on a broader scale and provide for improved accessibility, efficiency, and cost-savings.

A solution based on the PDF file format (ISO 32000) and Adobe LiveCycle ES is a good example of those best practices in action.  LiveCycle Enterprise Suite is built on open standards like PDF and XML.  LiveCycle ES can also protect integrity with digital signatures; import data into a PDF document; archive those documents with the ISO ratified PDF/A format; distribute and then also process, verify, and validate e-invoices on the way back in.

[Figure: Adobe e-invoicing architecture]

Nick Pope, Technical Editor of the CEN/ISSS Workshop on Compliance of eInvoices, had this to say about the solution:  “By combining two de-facto standards – XML for data portability and PDF for human readable documents – with the power of digital signatures, intelligent PDF supports trading between virtually any two partners with fidelity and easy accessibility.”

E-invoicing systems based on LiveCycle ES have already been successfully deployed by several organizations.  Poste Italiane estimates that more than 1.5 million pages have been converted to digital resulting in substantial cost savings.  Cuatrecasas, Spain’s second largest law firm, has reduced invoicing costs by thousands of euros annually.  And Europcar leveraged e-invoicing to not only reduce costs but also improve interoperability with their clients' ERP systems, enhancing the customer experience.

To read more about Adobe’s e-invoicing solutions using PDF and LiveCycle ES, please read the whitepaper, “Applying best practices for secure, automated electronic invoicing.”


November 20, 2008

News from Adobe’s Security Partner Community - ARX Deepens Support for Adobe Acrobat & Reader

We’re always pleased to see our partners taking advantage of key, integrated capabilities of our products to better serve our joint customers' needs.  Yesterday, ARX (Algorithmic Research) announced that its CoSign product now supports the Adobe Signature Service Protocol (ASSP), built into Adobe Acrobat and Adobe Reader version 8.0 and above.

CoSign is a hardened, plug-and-play appliance that allows organizations to easily set up a centralized repository of digital IDs.  These credentials are securely stored on the appliance, eliminating the need for users to carry hardware tokens, which can add to the cost of a digital certificate (PKI) rollout.  The user simply authenticates to the server to access their credentials.

Prior to this announcement, ARX required users to install a small client to provide signing capabilities in Adobe products.  Now, with ARX’s ASSP support, users can set up Acrobat and Reader to access their centralized (roaming) credentials in CoSign for digital signatures without any additional software.  The ASSP protocol provides users with the ability to choose a roaming credential, specify an ASSP-capable server, and then, after clicking on a signature field, simply enter the appropriate authentication information to access their credential.  ASSP handles the behind-the-scenes communication between client and server, passing the hash (fingerprint of the document) up to the server for signature and then returning the signed hash to the client to be embedded back into the document.

Here’s a brief demo of how the system works...note that I'm using a test credential here.

Easy, huh?

With today’s announcement, ARX joins our other security partner Arcot in featuring support for the ASSP protocol.  This protocol is just the latest step in Adobe’s strategy to make electronic signature workflows easier and more productive. 


To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!



November 12, 2008

Update: FIPS 140 Validation Certificates for Acrobat, Reader, and LiveCycle

Version 9.0 of Adobe Acrobat and Adobe Reader includes the RSA BSAFE Crypto-C ME 2.1.0.3 encryption module with FIPS 140-2 validation certificate #828. Instructions here will also enable FIPS mode in Acrobat and Reader 9.0 to restrict document encryption and digital signatures to FIPS approved algorithms (AES/RSA/SHA) in this library.

Adobe LiveCycle ES still includes the RSA BSAFE Crypto-J 3.5.04 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.

November 10, 2008

LiveCycle Digital Signatures: Three Common Use Cases

With Adobe LiveCycle Digital Signatures, a solution component of the LiveCycle Enterprise Suite, you can easily automate digital signature processes, enabling your organization to bring more paper-based processes online. By facilitating a 100% electronic workflow, with no paper-out for handwritten signatures or special document authenticity seals, you can reduce costs, improve compliance, increase user satisfaction, and accelerate business processes. This article highlights three common use cases of this J2EE server component for digital signatures.

1. Automated Certified Document Publishing

Since version 6.0 of Acrobat and Reader, certified documents have provided document recipients with added assurances that the document was published by the named author and has not been modified. This is indicated by a blue ribbon:

When a certified document is opened with Acrobat or Reader, the Document Message Bar across the top of the document indicates the author's name, email, organization, and verifying third party.  Adobe published its Q3 2008 10Q as a certified document, like this:

Certifying digital signatures can automatically validate in Acrobat and Reader, without any additional software installation or configuration, by using the Certified Document Services program.

Certified documents can be created manually using Adobe Acrobat on the desktop via File -> Save as Certified Document.  If you have a lot of documents to certify, or want to otherwise automate the certification process, LiveCycle Digital Signatures is the solution. The signing credential can either be stored in software on the server, or be more securely stored in a hardware security module (HSM) from one of Adobe's Security Partners.  Then a process is designed within LiveCycle to specify the file input, signature properties, and resulting output. Some examples include webservices, drop folders/network shares, content management systems like LiveCycle Content Services  powered by Alfresco or Documentum, Sharepoint, FileNet, etc.

If you are also looking to automate document generation with certified documents, LiveCycle Digital Signatures can be integrated with LiveCycle PDF Generator and LiveCycle PDF Generator 3D to convert native documents to PDF and certify them in a single automated server process.

Certified documents are applicable not only for static documents, but also for interactive forms.  When coupled with LiveCycle Forms and LiveCycle Process Management, the automated certification can apply to the form template being delivered to a participant.  For example, if you are offering a loan of 30yr fixed at 6%, and want to have added assurances that what you sent out to a user is the same thing you get back (and not 60yrs at 3%!) - the certifying signature can be automatically applied to forms as they are generated and routed to participants in a workflow.  If certified form template data is modified or a fraudulent form is introduced into the process, LiveCycle can generate an exception when a document is returned with the certifying signature missing or invalid.

To see more certified documents in action, visit the US Government Printing Office website where they used LiveCycle Digital Signatures to digitally sign the FY2009 Federal Budget. University registrars, such as Penn State, University of Colorado, and University of Southern California, are also certifying official transcripts and delivering them faster, cheaper, and more securely than paper by using certified PDF documents.

2. Workflow Validation

In a paper world, someone needs to manually examine every document to determine if all handwritten signatures have been applied by the right people in the right places.  Fortunately in the digital world, LiveCycle Digital Signatures provides a signature validation engine for automating the receipt of digitally signed PDF documents. If you are sending out forms and contracts to be digitally signed by Acrobat or Reader users on the desktop, LiveCycle can subsequently receive those signed documents and check the signatures as part of an automated process.

The server side validation engine is configured using root PKI certificates as trust anchors to validate the certificate chain of each signature.  The server is also capable of doing CRL and OCSP checks to verify that the signing credentials are not revoked. Those capabilities are coupled with the document integrity checks to verify that the current document and its signature have the same cryptographic fingerprint using hashing algorithms such as MD5, SHA1, SHA256, etc. If any of the signatures on a document are not valid, exceptions are generated in the business process. Otherwise, a document with valid signatures can more quickly proceed through the process without user intervention.

In the first use case described above, certified documents were recommended as a way to have added assurances that what is sent out is the same as what's being received. LiveCycle can take a form template, such as one with loan terms, and certify it. It can then be delivered and reviewed by a recipient, digitally signed, and returned to the server. LiveCycle's digital signature validation engine first checks that the certifying signature on the form template is still valid (e.g., the loan terms). Then LiveCycle can validate that the recipient has applied their own digital signature on top of any data they supplied and the underlying form template. If the document needs multiple approvals, it can continue validating multiple signatures on the document.  When the signature validation process is complete, LiveCycle is able to extract the form data from the signed document, process it in other enterprise applications, and then store a copy of the signed document in a content management system for archival.
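The document integrity check described in this use case can be shown on the PDF signature format itself: a signature dictionary's /ByteRange names the byte ranges that were hashed, and the gap between them holds the /Contents value. The Python below is an added example, not LiveCycle code; the sample documents are constructed, the status labels are assumptions, and /Contents here holds a bare SHA-256 digest where a real PDF carries a CMS signature object whose certificate chain and revocation status must also be checked.

```python
import hashlib
import hmac
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f]+>")


def check_integrity(pdf: bytes) -> str:
    """Return VALID, DIGEST_MISMATCH, UNSIGNED_CONTENT, NO_SIGNATURE or
    MALFORMED. Only document integrity is examined, not signer trust."""
    match = BYTE_RANGE.search(pdf)
    if match is None:
        return "NO_SIGNATURE"
    start1, len1, start2, len2 = (int(g) for g in match.groups())
    end1 = start1 + len1
    # The first range must start at byte 0 and both must lie inside the file.
    if start1 != 0 or not (0 < end1 < start2) or start2 + len2 > len(pdf):
        return "MALFORMED"
    # The excluded gap must be exactly the hex string that holds the signature,
    # otherwise unsigned bytes could hide between the two ranges.
    gap = pdf[end1:start2]
    if not HEX_STRING.fullmatch(gap):
        return "MALFORMED"
    computed = hashlib.sha256(pdf[:end1] + pdf[start2:start2 + len2]).hexdigest()
    embedded = gap[1:-1].decode("ascii").lower()
    if not hmac.compare_digest(computed, embedded):
        return "DIGEST_MISMATCH"
    # Bytes after the second range were added after signing (for example an
    # incremental update); the workflow must decide whether that is allowed.
    if start2 + len2 != len(pdf):
        return "UNSIGNED_CONTENT"
    return "VALID"


def build_sample(body: bytes) -> bytes:
    """Construct a minimal signed byte string (constructed sample, not a
    complete PDF) with a fixed-width /ByteRange so offsets are known up front."""
    head = b"%PDF-1.7\n" + body + b"\n1 0 obj\n<< /Type /Sig /ByteRange "
    width = 40
    mid = b" /Contents "
    tail = b" >>\nendobj\n%%EOF\n"
    gap_len = 2 + hashlib.sha256().digest_size * 2  # '<' + 64 hex chars + '>'
    end1 = len(head) + width + len(mid)
    start2 = end1 + gap_len
    byte_range = (b"[0 %d %d %d]" % (end1, start2, len(tail))).ljust(width)
    before = head + byte_range + mid
    digest = hashlib.sha256(before + tail).hexdigest().encode("ascii")
    return before + b"<" + digest + b">" + tail


# Constructed inputs based on the loan-terms scenario in the text.
SIGNED = build_sample(b"(Loan terms: 30yr fixed at 6%)")
TAMPERED = SIGNED.replace(b"30yr fixed at 6%", b"60yr fixed at 3%")
APPENDED = SIGNED + b"2 0 obj\n(Loan terms: 60yr fixed at 3%)\nendobj\n%%EOF\n"
UNSIGNED = b"%PDF-1.7\n(Loan terms: 30yr fixed at 6%)\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in [("signed", SIGNED), ("tampered", TAMPERED),
                      ("appended", APPENDED), ("unsigned", UNSIGNED)]:
        print(f"{name:9s} -> {check_integrity(doc)}")
```

The appended case is the one a digest comparison alone misses: the signed bytes are untouched, so the hash still matches, and only the coverage check shows that the file now contains content the signer never saw.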

3. Counter-signatures

Many paper processes are not complete until they have an official "RECEIVED on DATE" stamp applied, like this:

In an electronic business process, LiveCycle Digital Signatures can also apply the equivalent of the received stamp as part of an automated workflow.  After all of the document's signatures have been validated and any additional field validation is performed on the supplied data, a final role-based signature can be applied in the server process, which can look something like this:

It's also possible to create custom signature appearances so the digital signature actually looks like a paper-based received stamp.

There are many benefits to applying this final "received signature" as part of an automated server process. The received signature can provide a cryptographic based timestamp (RFC3161) to the document to show what exactly was received and when - important for time sensitive processes.  The signature can also indicate that at the time the document was received, all of the form data was valid and all of the digital signatures applied by any participants were also valid.

October 21, 2008

Communicating the value of Adobe's Information-Centric Security Solutions

We are excited to announce a new set of assets aimed at helping our customer community and ecosystem partners better understand the benefits and value that can be derived from Adobe's Information-Centric security solutions. If you haven't heard the term "Information-Centric" before, it's not new, but it well represents the way Adobe technologies protect the confidentiality, integrity, and authenticity of information -- natively within the information itself.

For LiveCycle Rights Management ES and LiveCycle Digital Signatures ES, please feel free to download and view a host of new collateral including:

New datasheets that provide an overview of the value proposition and specific areas where our solutions solve real customer problems:

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/pdfs/livecycle_rights_management_es_datasheet_na.pdf

LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/pdfs/95011596_lc_digisig_ds_ue.pdf

There are also two new whitepapers. The first, for Rights Management, is entitled "Delivering an Information Risk Management strategy across the heterogeneous enterprise" and is intended to describe the need to protect sensitive information consistently wherever it resides in the enterprise. This paper also outlines common use cases via customer anecdotes about how LiveCycle Rights Management ES is protecting the most widely used file types inside (and outside) the organization. http://www.adobe.com/products/livecycle/pdfs/95011600_lc_rightsmgmt_wp_ue.pdf

The second whitepaper is entitled "Electronic Signatures: Solution Scenarios for your Environment". This piece is intended to articulate the different electronic signature solutions offered by Adobe and help folks understand the pros and cons of each, so you're best prepared to map the right electronic signature solution to your assurance level requirements. http://www.adobe.com/products/livecycle/pdfs/95011606_Digital_Signature_wp_ue.pdf

Finally, there are also new updates to our website including updated customer success stories, in-depth pages, features and benefits pages, and a detailed supported formats page for Rights Management.

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/rightsmanagement/
LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/digitalsignatures/
Enjoy!

October 15, 2008

Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part Three – “The How – Enterprise Trust Settings”

In August, we started to look at how one can set trust for signatures in Adobe Acrobat and Reader.  The first methods we focused on were user-based.  The challenge with these methods is that they require the user to have some background in digital certificate technology or, at the very least, be technically savvy.  The truth is, in most organizations, these methods could be confusing and administrators (and the legal or compliance departments) are not going to necessarily want users manually setting trust on certificates from outside parties.  Also, setting trust in the wrong certificate could lead to business risks when documents are received.  Enterprise-wide methods, on the other hand, can automate to a large degree what the user could do individually and also help to set standards for all users within an organization. 

 

Continue reading "Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part Three – “The How – Enterprise Trust Settings”" »

October 13, 2008

Live Webcast: Information Assurance - Keeping Your Documents Secure

Join us for this LIVE Event on:
Wednesday, October 29, 2008
12:00 PM PT / 3:00 PM ET

The need to keep your organization's business critical information confidential by restricting distribution and preventing unauthorized disclosure of this information is imperative. Discover how Adobe Acrobat 9 can help protect your organization’s sensitive information by helping provide document control and security, addressing issues such as encryption, document authenticity, passwords, redaction, and sanitization/metadata removal. Join John Landwehr as he covers best practices on Security and Information Assurance.

More information and registration is available here.

September 30, 2008

Come One, Come All...

...to the E-Signatures '08 Conference, scheduled for November 12-13, 2008, at the Omni Shoreham hotel in Washington, DC.   This conference, organized by the Electronic Signatures and Records Association, features compelling presentations from industry experts on the leading business, legal, and technology topics surrounding e-signatures, and prominently highlights several case studies.

Included in these case studies, Adobe customers will describe how electronic signature solutions involving products from Adobe and our Security Partner Community have improved their internal workflows and, in turn, saved them significant amounts of money, time, and resources.  You can expect to hear from:

In addition, conference attendees will learn about government and insurance industry views on e-signatures; legal, regulatory & standards updates; and finally how the new administration might affect the future of e-signature policy.  For an updated agenda, keep checking here.

Sign up this week!  Early bird registration ends Monday, October 6th.


August 29, 2008

Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part Two – “The How – Manual Trust Settings”

In part one of this series, I discussed the three essential questions that Adobe products ask with regard to electronic signatures: (1) is the signature credential in good standing; (2) has the document changed since it was signed; and (3) has the relying party trusted the signer.  This third question is the one that is oftentimes left to the user or organization to answer, due to the unique circumstances of any particular situation.  Today we’ll discuss how users can set up that trust and provide the third leg of the tripod in the intrinsic validity of an electronic signature.

Signature credentials are trusted in Adobe products through the establishment and installation of trust anchors and trusted identities.  Trust anchors are typically root certificates—certificates at the top of the hierarchy from which other certificates are derived.  Trusted identities can be any certificate, even an end-entity, or user, certificate.  In any case, in order to pass validation, the signing certificate must either be a trust anchor (root) or be chained to (derived from) that root.

We’ll cover in this post the 3 ways an individual user can set trust in Adobe products.

Continue reading "Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part Two – “The How – Manual Trust Settings”" »

August 28, 2008

Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part One – “The Why”

A few months ago, I wrote about the nature of assurance in electronic signatures and how aspects like authentication, audit, and integrity add to the trust you place in a signature.

When we consider electronic signatures, recognize that there are typically two parties to the transaction: the author / signer and the recipient, or relying party.  The signer’s role is obvious.  The relying party, on the other hand, is the one who is in the position to accept the signature and therefore the signer’s approval of the terms or nature of the signed document.  When faced with an electronic signature, the relying party must be aware (or have resources he/she can turn to, such as a lawyer) of three intersecting zones of validity—legal, contractual, and intrinsic—and how Adobe products can assist. 

Continue reading "Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part One – “The Why”" »

August 17, 2008

Additional Resources on Electronic Signatures and the Law

This entry is part of our continuing educational series, “What is an Electronic Signature, Anyway?” (Parts 1, 2, 3 and 4)


Disclaimer. This blog entry is not intended to provide legal advice. You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

Two months ago we discussed here the nature of the legal environment surrounding electronic signatures. I’d like to point out some additional resources that can expand your knowledge of the subject.

• Within the EU context, Law Professor Dr. Jos DuMortier, director of the Interdisciplinary Centre for Law and ICT at the Catholic University of Leuven (K.U. Leuven) in Belgium, and a well-known authority on the intersection of law with information technology, has published and/or contributed to a large number of whitepapers and articles on the subject of electronic signatures. This whitepaper from October 2007 describes how digital signatures created with PDF documents and the Belgian eID can be granted valid, legal status.

• Just last week, the American Bar Association published an impressive book entitled, “Foundations of Digital Evidence,” which covers, as you might have guessed, the implications, nature, and changes that digital evidence has wrought upon legal systems around the world. Adobe’s own Ed Chase, a Solutions Architect and one of our electronic signature gurus, contributed a critical chapter on PDF and its impact on the subject, providing details about how the features of PDF and digital signatures can support legal requirements for electronic records.

August 14, 2008

“The train has left the station!” - Electronic Signatures in the Real World

This entry is part of our continuing educational series, “What is an Electronic Signature, Anyway?” (Parts 1, 2 and 3.)

In June, at an event at the National Press Club, Jerry Buckley, Founding Partner at the Buckley Kolar law firm in Washington DC, as well as Counsel to the Electronic Signatures and Records Association (ESRA), an organization devoted to promulgating the use of electronic signatures & documents and educating the public & industry on those matters, stated that the “train had left the station” when it came to electronic signature usage around the world. As the demand for more fully electronic workflows becomes more pronounced, especially given the meteoric rise in gas, and thus shipping, prices, as well as an increasing desire on the part of enterprises and organizations to ‘go green,’ electronic signatures will become even more ubiquitous.

Continue reading "“The train has left the station!” - Electronic Signatures in the Real World" »

July 10, 2008

Now hiring: Digital Signatures Product Management

Adobe is looking for a Sr. Product Manager to join our security solutions team and work on digital signatures in Acrobat, Reader, and LiveCycle.

The job description and application process is posted on cooljobs.adobe.com.

Description:
Adobe (NASDAQ: ADBE) revolutionizes how the world engages with ideas and information. For 25 years, the company’s award-winning software and technologies have redefined business, entertainment, and personal communications by setting new standards for producing and delivering content that engages people virtually anywhere at anytime. From rich images in print, video, and film to dynamic digital content for a variety of media, the impact of Adobe solutions is evident across industries and felt by anyone who creates, views, and interacts with information. With a reputation for excellence and a portfolio of many of the most respected and recognizable software brands, Adobe is one of the world’s largest and most diversified software companies.

Today, Adobe is better positioned than ever to push the boundaries of the digital universe. Under the leadership of President & CEO Shantanu Narayen, we're driving even greater innovation with powerful, compelling software solutions that meet the needs of customers and markets ranging from designers and filmmakers, to enterprises and governments, to developers and home users.

Recognizing that employees are at the core of our success, Adobe recruits and retains highly qualified and motivated individuals, creates an environment where they can innovate and achieve their best, and rewards them for their performance by giving them an opportunity to share in the company’s success.

Position Overview
Adobe Information Assurance Solutions enable organizations to more securely engage with employees, external associates, and customers by protecting the information lifecycle. Security can be persistently applied to information independent of storage and transport, inside and outside an organization. Adobe's ecosystem of security partners provides interoperability with many information security infrastructures including identity and access management, single-sign-on, public key infrastructures, smart cards, and biometrics.

This Sr. Product Manager position in the Security Solutions team of Adobe's Business and Productivity BU will significantly contribute to growing Adobe’s market share in information assurance solutions by identifying and prioritizing feature requirements, providing product competitive analysis, understanding customer usage workflows and customer satisfaction, driving and evaluating technology trends, ease of use, standards and certifications.

Requirements
Requires at least 5 years of experience in enterprise software product management. BS in Computer Science or related technical discipline, and in-depth experience with identity management, electronic and digital signatures, encryption, J2EE authentication, public key infrastructure, smartcards, maintaining documents of record, and information lifecycle workflows.

This position also requires significant cross-group interaction, a strong customer and partner focus, excellent communication, presentation, and negotiation skills, attention to detail, solid technical abilities to collaborate with engineering and direct market experience. Candidates must be passionate about the technology to make Adobe solutions more secure and easy to use. Preference given to candidates with security certifications.

Adobe believes personal fulfillment and company success go hand in hand, sustaining one another. In fact, our dynamic, rewarding working environment is well known – including eight years on FORTUNE magazine’s "100 Best Companies to Work For" and other, similar accolades. By hiring the very best and brightest, Adobe continues to be a simply better place to work – creating a dynamic environment today and providing incentives for future achievement.

May 30, 2008

"This is legal, right?" - Electronic Signatures & The Law


This entry is the third in our “What is an Electronic Signature, Anyway?” (Part One / Part Two) educational series.

First, a disclaimer.  This blog entry is not intended to provide legal advice.  You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

With that out of the way, welcome back to our series on electronic signatures.  Up to now we’ve covered what can be defined as an electronic signature, and how one can provide assurance as to the validity of an electronic signature.  However, our clients and customers are mainly concerned with one thing:  are electronic signatures legal and admissible in a court of law?  Will my contract be null and void if I use this electronic signature pad?  Will my account documents be tossed out because they’ve been digitally signed?  Can I accept electronic signatures on my contracts?

Only your legal counsel can answer these specifically, but, in this lengthy entry, we can offer some very high-level information on the applicable laws, what is meant by legal effect versus admissibility, the availability of case law, and where you can go to find out more information.

 

Laws

In 2000, President Clinton digitally signed into law the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).  This public law provides that:

a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

At the state level, the Uniform Electronic Transactions Act (UETA), passed by 48 US States, provides much the same protections to electronic signatures and records. (The remaining 2 states have other legislation covering electronic signatures.)

Note that neither piece of legislation specifies a particular electronic signature technology.  In fact, the E-Sign Act states that:

The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

By keeping the legislation technology-agnostic, the law doesn’t create a bias and also does not have to be changed as technology changes.  It therefore has the added benefit of allowing for a wide spectrum of electronic signature technologies (click-thru, signature pad, biometrics, digital signatures, etc), as long as the systems provide a signature that is “attached” to the electronic document needing to be signed, and provide evidence to the fact that the signatory actually signed the electronic document, showing an “intent to sign.”  The laws do prohibit the use of electronic signatures on certain legal documents such as wills and adoption papers, though.

Other US laws and regulations provide guidance in specific industries.  For instance, 21 CFR Part 11 covers the use of digital signatures in communications with the Food and Drug Administration.  This is a good time to mention that laws are not the only things to be concerned about when it comes to electronic signatures.  You also have to be aware of any regulatory standards or recommendations that may be in place for your industry. 

Using the pharmaceutical industry again as an example, the SAFE-BioPharma Association (Signatures and Authentication for Everyone), interested in promoting the use of electronic documents and reducing costs, created a technical, legal & business model around the use of electronic signatures among pharmaceutical manufacturers, clinical investigators and regulators.  In fact, SAFE requires the use of digital signatures, and has certified (and recently re-certified) PDF-based digital signatures in Adobe Reader®, Acrobat®, and LiveCycle® Digital Signatures within the SAFE standard.

Outside of the US, most countries have electronic signature laws in place, as well, though they vary in complexity.  For the 27 member states of the European Union, Directive 1999/93/EC on a Community Framework for Electronic Signatures (EU Signature Directive) provides an in-depth legal framework for electronic signatures and their validity inside and between EU countries.  It creates several categories of electronic signatures, with so-called “Qualified” signatures required to be legally accepted and valid in all EU member states.  The high assurance requirements around Qualified Electronic Signatures (QES) do point to digital signature technology, with a requirement for a ‘Secure Signature Creation Device’ and best practices around key generation, storage, and certification of the providers of the signing credentials themselves.

Adding to the fun, EU member states are required to individually transpose EU Directives into their own legislation.  Certain countries decided to tweak the text on the way to implementation, and in so doing, created another layer of complexity that makes working with cross-border electronic signatures quite a challenge!

Note that electronic signatures applied in the US may not be provided legal admissibility in the European Union, especially on documents like electronic, or e-, invoices.

 

Legal Effect vs. Admissibility

We’ve tossed these terms around in this entry, so it’s probably time to clarify the difference between the two.  While lawyers around the globe may cringe at my over-simplification, here we go...

“Legal effect” pretty much means that, yes, the court will accept that an “electronic signature” is a “signature” as already defined by precedent and law.  So, in other words, an electronic signature and a wet ink signature are equivalent in most respects, and they can be brought into trial.

However, just like their wet ink counterparts, each document intended to be entered into evidence in a trial will need to be assessed for its “admissibility,” whether it’s signed with ink or a digital certificate.  Does it represent the intent of the signatory?  Has the document been altered?  Who had the right to sign this document?  How was the signature derived, and what controlled access to the document for its signature?  These questions come into play no matter the type of signature.

However, wet ink signatures have been in use for quite a long time and have established a certain amount of credibility.  Electronic signatures, on the other hand, are a newer phenomenon, and thus may be more subject to the critical eye of the court.  This is where the concept of assurance, as described in the previous entry in this series, can come into play.  Higher assurance signature methods that authenticate the signer, use document fingerprinting (‘hashing’) to provide integrity, and store signature keys (and thus, the “pen”) in a secure manner, are more likely in the long run to be provided with the benefit of the doubt than those signature technologies which provide lesser assurance.

So, in the end, your electronic signature may be a legal signature, but it could be tossed out of court if the judge feels that the signature process did not provide the appropriate level of assurance.

 

Case Law 

Well, we’d love to point you to a particular case which ruled this or that technology admissible or signatures captured on these types of documents were OK, but there are none.  In the United States, there are likely hundreds of cases that cover subjects related to the use of electronic documents and e-discovery, but none that specifically cover challenges to electronic signatures.  While this could mean that cases are being handled in arbitration (outside the courts), or that challenges have not been filed, it is all the more likely that the courts have been holding electronic signatures as accessible.  

What the future holds, no one is certain.  The EU Signature Directive provides a clear sign that assurance does play a role in admissibility.  Will the ideas of the Directive take hold in other countries around the world?  How will US and state case law react to increasing numbers of electronic signatures?  We’ll keep watching...and we’ll keep you informed!

The good thing is that with Adobe products like Acrobat and LiveCycle you are gaining the ability to sign electronic documents (PDF) with a spectrum of electronic signatures, whether they’re electronically captured on a tablet PC, created with digital certificates, or even required to be compliant with the EU Signature Directive.  You can rely on Adobe’s global expertise in the field and years of collaboration with our Security Partner Community to meet your electronic signature needs, no matter the requirements.

 

Links

Here are some links to continue your reading.  Again, be sure to confer with your legal counsel on these topics.

  • ABA Digital Signature Guidelines Tutorial – A great starting point for understanding digital signatures from the American Bar Association.
  • The Sedona Conference® – Though focused primarily on electronic records, this educational non-profit organization provides substantial coverage of related case law and issues that may come into play.
  • Electronic Signatures & Records Association (ESRA) – This association brings together vendors and business owners in its efforts to extol the benefits of electronic signatures and documents.  Adobe is a board member of the Association.

 

Next in our “What is an Electronic Signature, Anyway?” series will be an exploration of real world examples of electronic signatures in action around the world today and what the implications are for the businesses implementing them and the customers using them.


May 29, 2008

Long Term Preservation for Digital Signatures


     Time is a critical component in establishing the sequence of activities in real life. It is an equally important aspect of the value proposition of digital signatures that establishes the authenticity and integrity of a document or transaction. Certificates have a significantly shorter life span than the demands records management requirements place on a document. So, how does one create long term records of compliance for digitally signed documents?  Will the digital signature become invalid when the signing certificate expires? The key to unraveling this problem is first to establish the point in time the validation takes place.

    Let us start with an example of a home loan document that I digitally signed in 2005 when the interest rates were so low. Next, let us define that my certificate used to sign had a validity period of three years, 1 Jan 2004 to 31 Dec 2006.  So, technically any attempt to validate the signatures after 31 Dec 2006 would be somewhat troublesome. Surely it would be easy if we mimicked the paper based workflows. The financial institution that honored my wet ink signature for the life of the document should have a similar experience with a digital signature. After all, the undeniable (non–repudiable) fact is that the signature was valid at a previous point in time and there should be a way to present this fact. The rest of the article describes the mechanism of accomplishing this using Adobe Acrobat or Adobe Reader.

    Adobe Acrobat 8.0 provides the ability to validate the signature at three relevant points in time, as determined by the relying party. The default is validation at “Secure” time. Secure time is the timestamp signature time that is part of the digital signature. A signer can use a timestamp server of choice by configuring the Time Stamp Authority security setting in Adobe Acrobat. This is a user preference that is tucked in the security preferences section. It can also be tuned within an organization.  Alternatively, if the signing certificate contains this information, it is used to automatically include the timestamp signature at the time of signing.

    Click Options for Long Term Validation of Signatures to view the demo.

    Including a timestamp signature is a good first step, but it does not give a relying party sufficient information to validate the signature in the future. Including the revocation information of the signer’s certificate along with the timestamp signature provides the relying party with enough information to validate the signature at a future point in time.

    The relying party with the two pieces of information (secure signing time and revocation information of the signer’s cert) now has the “default” experience: the signature is always verified at the secure signing time, with immediate access to the revocation details that were evaluated at that secure time. If required, the relying party can also verify the signature at “Current” time. Current time represents the time on the relying party’s computer clock at the time of validation of the signature.
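The decision described above, worked through for the home loan certificate, as an added example that is not Adobe's code. It models only the certificate time and revocation check for the two validation times the post names (not the cryptographic verification of the signature), and the class names, the 15 Jun 2005 signing date and the 3 Nov 2009 validation date are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Mode(Enum):
    SECURE = "secure time (embedded timestamp signature)"
    CURRENT = "current time (relying party's clock)"


class Verdict(Enum):
    VALID = "valid"
    INVALID = "invalid"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Certificate:
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevocationInfo:
    # None means the CA reported the certificate as not revoked.
    revoked_at: Optional[datetime] = None


@dataclass(frozen=True)
class SignedDocument:
    cert: Certificate
    secure_time: Optional[datetime] = None            # from the timestamp signature
    embedded_revocation: Optional[RevocationInfo] = None


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def validate(doc, mode, now, fresh_revocation=None):
    """Return (Verdict, reason) for the signer's certificate at the chosen time."""
    if mode is Mode.SECURE:
        # Secure time needs the timestamp and the revocation data stored
        # in the document when it was signed.
        at, evidence = doc.secure_time, doc.embedded_revocation
        if at is None:
            return Verdict.UNKNOWN, "no timestamp signature, so no secure time"
    else:
        # Current time uses the relying party's clock; revocation data gathered
        # years ago says nothing about today, so only fresh data counts.
        at, evidence = now, fresh_revocation

    if not (doc.cert.not_before <= at <= doc.cert.not_after):
        return Verdict.INVALID, f"certificate outside its validity period on {at:%Y-%m-%d}"
    if evidence is None:
        return Verdict.UNKNOWN, "no revocation information for that time"
    if evidence.revoked_at is not None and evidence.revoked_at <= at:
        return Verdict.INVALID, f"certificate revoked on {evidence.revoked_at:%Y-%m-%d}"
    return Verdict.VALID, f"certificate valid and not revoked on {at:%Y-%m-%d}"


def home_loan_cases():
    """The post's scenario with constructed dates; returns label -> Verdict."""
    cert = Certificate(utc(2004, 1, 1), utc(2006, 12, 31))   # validity from the post
    signed = utc(2005, 6, 15)                                # constructed date in 2005
    today = utc(2009, 11, 3)                                 # constructed validation date

    full = SignedDocument(cert, signed, RevocationInfo())
    timestamp_only = SignedDocument(cert, signed)
    bare = SignedDocument(cert)
    revoked_first = SignedDocument(cert, signed, RevocationInfo(utc(2005, 3, 1)))

    return {
        "timestamp + revocation info, secure time": validate(full, Mode.SECURE, today)[0],
        "timestamp + revocation info, current time": validate(full, Mode.CURRENT, today)[0],
        "timestamp only, secure time": validate(timestamp_only, Mode.SECURE, today)[0],
        "no timestamp, secure time": validate(bare, Mode.SECURE, today)[0],
        "revoked before signing, secure time": validate(revoked_first, Mode.SECURE, today)[0],
    }


if __name__ == "__main__":
    for label, verdict in home_loan_cases().items():
        print(f"{label:45} -> {verdict.value}")
```

Only the document carrying both the timestamp and the revocation information validates at secure time in 2009; the same document checked at current time fails because the certificate expired on 31 Dec 2006.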

February 29, 2008

"Trust Us!" - Electronic Signatures and Assurance


This entry continues our “What is an Electronic Signature, Anyway?” educational series.

Merriam-Webster defines assurance as “something that inspires confidence” and “freedom from self-doubt or uncertainty.”  When you receive an electronic document, how do you know it’s the document the author intended you to receive?  Likewise, if that document is an electronically-signed contract, how do you know who actually signed it?  How do you know the other party didn’t change the document after you sent it?  Assurance, as you can see, is critical to trusting the work that we store, put or send online.  Electronic signatures can provide a way to enhance your confidence in these documents in a paperless environment.

We can break down the most significant aspects of electronic signature assurance into the following components:

  • Authentication

Authentication deals with how a user verified him or herself to the signing system.  The more complex the type of authentication and the more ‘factors’ of authentication you combine, the higher the level of assurance becomes.  Did they simply click a button or did they first have to enter a username and password?  Authentication to a system is stronger if a user must present both a physical device (token or smart card) and a PIN or password to the system - a combination known as ‘two-factor authentication.’  Handwritten eSignatures inherit some level of assurance from their historical wet ink cousin.  Even biometric technology could be added to the picture, requiring persons to present ‘something they are,’ like a fingerprint or iris, to verify themselves. 

  • Identity Vetting

Identity vetting, or identity verification, answers the question, “How did the system arrive at trust in this signer?”  In other words, how did an organization or system grant a signer her signing credential or access to the signing system?  The intensity of this process can help to define assurance.  Is the signer being asked to appear in person and present multiple forms of government ID, or are they simply required to enter their name and click “OK”?  The more intense the scrutiny, the better the level of assurance.

  • Integrity

Integrity is one of the key capabilities of an electronic signature.  An electronic signature often includes the capability to “fingerprint” or hash a document so that a recipient can verify that a signed document was not changed post-signature.  Integrity can be achieved in a number of ways.  Some methodologies use cryptographic calculations, like a signed hash and digital signature embedded in a document verifiable by the reader of a document, to achieve integrity.  Other systems may offer integrity through secure archiving of original electronic documents and a strong audit trail of events that lead to the signature event itself.

  • Validity

Validity, or put another way, the legitimacy of the user’s signing credential or access at the time of signature, is another critical aspect of assurance.  The user may be who he says he is, and may have used the proper methods for authentication, but what if their signing credential had been revoked before the time of signing because the user was fired from their organization?  Signing systems offering higher levels of assurance should be able to establish validity at the actual time of signing.

  • Time of signing

The time of signing is the final key element of assurance in electronic signatures.  A PC clock may be modified to fraudulently indicate time of signing, and thus a trusted third party clock can provide more assurance.

Not all electronic signatures are equal, however, when it comes to assurance.  The following diagram shows a stereotypical breakdown of assurance compared with average cost.

You can see that click-through electronic signatures inhabit the low end of the spectrum and multi-factor authenticated digital signatures occupy the high ground.  But not everything is as it seems.  If certain pieces of the assurance puzzle are missing, the arrangement above could be completely scrambled.

For example, you may have a digital signature system that requires the user to possess a device that requires both their fingerprint and a PIN code in order to sign a document.  On its face, this looks pretty secure.  But what if the system used to provide the user with the signing credential (a digital ID) never checked into that user’s identity?  Bob Smith could be signing in the name of Adobe's CEO and no one would be any wiser.

Coming from the other direction, you might imagine a contract workflow that only requires a button click to process a signature.  This seems low assurance at first glance.  But if we add fingerprint authentication, strong identity vetting (in-person proofing), and a secure infrastructure in which the documents are processed and stored, one could argue the assurance of this system surpasses other technologies.

In the end, you will need to educate yourself and ask questions about the assurance capabilities of the electronic signature systems you intend to deploy.  The choice of an electronic signature method comes down to a decision about what you’re trying to protect and provide assurance to.  Simple travel expense reports do not require significant assurance measures, but multimillion dollar contracts definitely would.  Interoffice memos proclaiming a new copier in the mailroom don’t require much assurance, but critical government documents like the US Federal Budget do.

The next in our “What is an Electronic Signature Anyway?” series will focus on the legal admissibility of electronic signatures and the laws that govern their use.


February 21, 2008

“So what is an electronic signature anyway?”

As I reviewed the blog entries here from my fellow Adobe Security Solutions teammates, I realized that with all of the gory technical information, we may have lost some of you, our dear readers.  With this entry, we’ll start a new series of articles that move the conversation up to a high-level, out of the dense fog of acronym warfare, and explain from a business user’s point of view what all this stuff means and how it can be useful for you in your organizations’ daily business processes.

So...electronic signatures.  We’ve variously mentioned digital signatures, eSignatures, electronic signatures, and signature odors.  Ok, well, not the last one, but to start, I’ll suggest that we use electronic signature as a generic term.  Electronic signatures can be defined as any electronic process signifying an approval to terms, and/or a document, presented in electronic format.  Electronic signatures frequently also have the added benefit of ensuring the integrity of the signed document to signify that (1) the document has not been changed since it was signed and (2) the signer cannot ‘repudiate’ or claim that they did not sign the document.

Electronic signatures encompass a broad gamut of technologies and methodologies, ranging from an “I agree” button in a click-thru agreement...

...to an electronic tablet which accepts a handwritten signature (oftentimes referred to as an eSignature)...

...to a digital signature cryptographically tied to a digital ID or certificate.

They can be used for internal approval processes for things as simple as time-off requests, for more formal documentation and acceptance of account opening terms in a branch office of a bank, for signing off on critical infrastructure planning documents, and for protecting the reputation of a country’s electronic documents by certifying authorship and the integrity and status of the document itself.

Organizations choose electronic signatures for many reasons.  Among them:

  • Workflow Efficiency - It’s faster for someone to click a button or enter a password than to route a document to them through interoffice mail or courier.
  • Save Money - By going electronic, you eliminate the cost of paper, printing, and courier services.
  • Document Integrity – Organizations publish vast amounts of material to the internet, but are now becoming increasingly concerned about what happens to those documents in the wild.  It’s critical to reputations and revenue that documents are not modified to create a false or fraudulent impression of the organization.

You’ll notice that many of these reasons mirror those that accompanied the rise of the electronic document and form in the first place.  This is not accidental — electronic signatures are a natural extension of the movement to electronic documents.  Many companies have gone fully electronic only to come to the signature step and require customers to print out documents which are signed in wet ink and then sent via the mail to be re-entered into a system. This is neither efficient, nor timely, nor a good use of resources.  Electronic signatures, at their core, represent a vital way to leverage a company’s assets and increase savings based on key technology investments.

Adobe supports all of the electronic signatures described above via our LiveCycle® ES suite as well as our Adobe® Acrobat® and Adobe Reader® client software packages.  Adobe’s Security Partner Community plays an essential role as well, supplying key components for electronic signature solutions.  Adobe is also a member of the Electronic Signatures and Records Association, a new organization which seeks to expand knowledge on both electronic signature and records and also play an active role in public policy on these topics.

In our next ‘tutorial’ entry, we’ll explore the question of assurance in electronic signatures.

February 4, 2008

Digital Courtroom: Tribunale di Cremona

A new case study is available showcasing Tribunale di Cremona, one of the Courts within the District of Tribunale di Brescia, using Adobe Connect with Adobe LiveCycle solutions to support an end-to-end process for holding legal proceedings with dispersed parties and efficiently delivering all required case documents.

In addition to supporting dynamic web conferences with streaming audio and video, Adobe solutions deliver other benefits to the Digital Connect project. For instance, the court can store court papers for each trial in Adobe PDF; plus staff can handle documents remotely and securely via digital signature authentication.

These capabilities are handled by Adobe LiveCycle solutions to address the need to assign policy controls to protect documents.

“These features are critical,” says Beluzzi. “A trial transcript can be shared among participants, downloaded, digitally signed just as if participants were physically next to each other. In addition, the transcript goes through a workflow and is automatically added to the remaining court papers.”

The project is the result of a productive collaboration with Adobe. First electronic court papers, then web conferencing-based court trials give the Italian justice system a new image: fast, efficient, and on time.

“By collaborating with Adobe and using products such as Adobe Policy Server, Adobe LiveCycle Workflow, and Adobe Connect, the court is designing a powerful system that can be replicated in other areas without customization,” says Beluzzi. “This is important because it allows Tribunale di Cremona to achieve great results with limited efforts, without developing ad hoc software.”

The Court has documented the excellent cost benefits of the system. The total cost of training and traveling for detainees and lawyers is about €467,000 a year. Using Digital Connect to perform trials and to train employees could save the Court over €1 million in three years.


US Government Printing Office Deploys Digital Signatures for FY2009 Budget

Today the United States Government Printing Office (GPO) deployed digital signatures in Adobe PDF for the release of The Budget of the U.S. Government, Fiscal Year 2009.

The Executive Office of the President, Office of Management and Budget (OMB) released a statement stating this is the first time the White House will not order hard copy versions of the budget, and has instead posted the budget online as fully searchable PDF documents. 

With an estimated total of nearly 2,200 pages in the four-book budget set, and a projected order of more than 3,000 copies for the media, Capitol Hill and the White House, the E-Budget will have a “green” focus above and beyond the fiscal sense. This step will save nearly 20 tons of paper, or roughly 480 trees. In terms of fiscal savings, we estimate the E-Budget will save nearly a million dollars over the next five years.

GPO has implemented a new digital seal of authenticity for their PDF documents, including today's release of the FY2009 budget:

For almost 150 years, the U.S. Government Printing Office (GPO) has been the official disseminator of Government documents and has assured users of their authenticity.

In the 21st century, the increasing use of electronic documents poses special challenges in verifying authenticity, because digital technology makes such documents easy to alter or copy, leading to multiple non-identical versions that can be used in unauthorized or illegitimate ways.

To help meet the challenge of the digital age, GPO has begun implementing digital signatures to certain electronic documents on GPO Access that not only establish GPO as the trusted information disseminator, but also provide the assurance that an electronic document has not been altered since GPO disseminated it.

The visible digital signatures on online PDF documents serve the same purpose as handwritten signatures or traditional wax seals on printed documents. A digital signature, viewed through the GPO Seal of Authenticity, verifies document integrity and authenticity on GPO online Federal documents, at no cost to the customer.

More information on GPO's authentication program is available at http://www.gpoaccess.gov/authentication/

Opening the Nation's Fiscal Outlook from GPO Access with Acrobat 8.1.1 on Windows XP SP2:

Opening the Nation's Fiscal Outlook with Acrobat 8.1.1 on Mac OS X 10.5.1 (Leopard)

The digital signatures on the GPO documents automatically validate with Adobe Acrobat and Adobe Reader version 7 and higher on Mac and Windows, via the Certified Document Service (CDS) program. No additional software or configuration is required to validate CDS signatures. 

There are several ways recipients can verify the signature status.  First is the document message bar across the top of the document, showing the certifying blue ribbon as well as information contained in the signer's certificate:

The left navigation panel also has an icon of a pen over paper, which brings up the digital signature pane, showing additional information on the document signature:

Clicking on the GPO document seal in the PDF will also bring up the Signature Validation Status:

Clicking on that Signature Properties button above provides even more detail of the signature, including the authenticity, integrity, and timestamping indicators - with the ability to drill down deeper to review revocation status, certificate chaining, and other security information associated with the signature.

For digital signatures to automatically validate in Acrobat and Reader, the Public Key Infrastructure (PKI) certificates must have been issued by a Certificate Authority (CA) participating in the CDS Program. These CAs comply with the Adobe CDS Certificate Policy.  This is a program Adobe released in 2003 with Acrobat and Reader 6.  The CA/Browser Forum released a program with similar intentions for web browser SSL sites in 2007. 

Certifying signatures can be applied to PDF documents on the desktop using Adobe Acrobat, or on the server using Adobe LiveCycle Digital Signatures.  Recipient's approval signatures can also be applied using Adobe Acrobat or Adobe Reader (via Adobe LiveCycle Reader Extensions) and then subsequently validated on the server with Adobe LiveCycle Digital Signatures as part of an automated workflow process.

Adobe Systems has been providing security technologies in PDF for over a dozen years.  Adobe uses FIPS 140 approved cryptography, has been approved by the US Department of Defense, and certified by the SAFE BioPharma Association. Adobe's security solutions are also supported by a strong partner ecosystem to extend the native capabilities of authentication through hardware and software integration.

January 2, 2008

Demo: Certified Documents in Adobe PDF

Here is a demonstration of a PDF document that has a certifying signature plus four recipient signatures from four different certificate authorities that are part of Adobe's Certified Document Services (CDS) program.

Click here to download the PDF for Adobe Acrobat and Adobe Reader version 6 and higher.

In v8 and higher, you will see a status bar across the top, indicating the valid document certification:

followed by the recipient signatures from each of the CAs:


For long term digital signature validation, each of these signatures also includes an embedded OCSP response from the certificates in the chains and RFC 3161 timestamps. This shows that the certificates were valid at the time of signing - even if the document is subsequently opened after certificate expiration or revocation.

December 10, 2007

Document Integrity Takes a Big Leap Forward with Expansion of Adobe’s CDS Program

The amazing proliferation of PDF files—over 1 billion at latest estimate—combined with the ubiquity of the internet and online information makes it critical that document creators and document readers consider the authorship and integrity of documents we trust on a daily basis as sources of information, conduits for personal data (forms), and, truly, receptacles for corporate and organizational reputation.

Let’s consider the “pump and dump” stock scams that have occurred over the past few years. By creating false press releases, fraudsters were able to ‘pump’ up the price of a stock by creating fake, positive news items for the company, and then ‘dump’ before the scam was discovered and the company's reputation damaged.

This type of fraud is but one possibility. When you fill out and submit information in a PDF form online, do you ever check for the authorship of the document? Who’s to say the form wasn’t modified to send your personally identifiable information (PII) to the government office AND to an identity thief at the same time? What about corporate annual reports? Government laws and regulations? Analyst reports? Licensing documentation?

Several years ago, Adobe recognized these threats, and worked with GeoTrust (acquired last year by Verisign) to create the Adobe Certified Document Services program alongside the release of Acrobat® and Reader® 6.0.

By joining this program, interested individuals and organizations were required to submit to a strong identity vetting process to make sure they were who they said they were, and then would be issued a credential (digital certificate) on a hardware token (USB or smart card device). When used with the Adobe software, an author could choose to ‘certify’ a document upon authoring. Once certified with a CDS credential, the document’s integrity, authorship, and even time and date of creation would be embedded with the document. And because the credential was provided under Adobe’s high assurance policies, the digital signature is automatically trusted in both Acrobat and Reader v6.0 and above, giving the recipient an immediate notification of the document’s integrity with a blue ribbon and bar at the top of the window.

Now, Adobe has partnered with three additional credential Providers for the CDS Program: Chosen Security, GlobalSign and Keynectis. (Providers' announcements are here, here and here.)  This program expansion will substantially enhance the standing and awareness of the CDS program, while at the same time offering a broader range of services to all aspects of the marketplace through innovative services and solutions. In addition, these companies, as well as current CDS member Verisign, have a global footprint, which means that the document integrity capabilities offered by these CDS Providers, and built into Adobe Acrobat and Reader, will benefit documents created throughout the world.

For more information, click here.

November 25, 2007

Adobe's history of content protection

Every once in a while, someone asks "How long has Adobe offered content protection?" Turns out, Adobe's information assurance efforts have been ramping up for over a dozen years. Adobe provides security features in numerous products and also provides dedicated security solutions such as LiveCycle Digital Signatures and LiveCycle Rights Management. Here's a brief history:

Adobe's history of content protection started with Acrobat 2.0 in 1994. At the time, this was simple 40-bit RC4 password-based encryption and digital rights management (DRM) to restrict who can open the document and what they can do with it.

Acrobat 4.0 in 1999 added support for Public Key Infrastructure (PKI) enabling a single PDF document to be protected for multiple recipients, with different permissions based on their own keypair. Depending on who opened the document, printing, modification, and clipboard actions are enabled/disabled. This release was also the first to add digital signatures using PKI. This was important for paper documents to move to digital with an opportunity for higher levels of assurance than a pen could provide on paper with a wet signature (ink) by utilizing cryptographic protections of authenticity, integrity, and non-repudiation. Acrobat 5.0 added support for 128-bit RC4 encryption for stronger levels of confidentiality. Acrobat 6.0 added support for the Microsoft CryptoAPI (CAPI) so the keypair could be stored in the Windows certificate store or through a Crypto Service Provider (CSP) to smartcards and other tokens.

In 2005, Acrobat and Reader 7.0 shipped along with LiveCycle Policy Server and Security Server. AES128 encryption was added to PDF. The enterprise rights management capabilities of Policy Server integrate with an organization's LDAP or Active Directory. A policy coupled with an information classification such as "Insider Restricted" restricts who can open the document, what they can do with it, and also provides enterprise auditing measures. Absolute (e.g. on 12/31) and relative (e.g. 7 years from document creation) expiration dates can be set to automatically expire documents. All these permissions in a policy are dynamic and can change after the document is published - to add or delete users, change permissions, or even revoke the document entirely. This revocation feature is used by many to enable version control outside a repository, so as a document is changed on the server all distributed copies of that document are automatically revoked providing the recipient with a notification to go back to the server for a current version. Visual watermarking capabilities on PDF are able to show the policy name, recipient opening the document, and the date/time. Acrobat and Reader 7.0 were also US Department of Defense (DoD) certified by the Joint Interoperability Test Command (JITC). The LiveCycle Security Server provided the ability to apply and validate digital signatures as well as encrypt and decrypt documents in an automated business process. Flash Media Server 2 provided protected streaming capabilities for delivering video to Flash Player.

As we wrap up 2007, there has been a lot going on over the last 12 months. Acrobat, Reader, and LiveCycle shipped with new FIPS 140 approved encryption libraries. LiveCycle Rights Management (formerly Policy Server) now supports native Microsoft Office documents as well as Dassault CATIA. LiveCycle Digital Signatures (formerly Security Server) provides XML signature support as well as certified documents and is integrated with automated forms and document generation processes. Adobe's rights management has been integrated into hardware devices such as Multi Function Peripherals (MFPs) from Ricoh and others. Third party software vendors including PTC and Hitachi/Lattice3D are integrating Rights Management into their native applications. Adobe Media Player is in public pre-release with support for content protection on downloadable and offline Flash video.

What about 2008 and beyond? Stay tuned for more entries as Adobe's security solutions expand to protect even more aspects of the information lifecycle - independent of storage, independent of transport, across operating systems and file formats.

November 17, 2007

Electronic Signature and Secure Forms in the Insurance Industry

Karen Pauli from the Tower Group recently published a research note on progress and opportunities with electronic signatures and secure forms in the Insurance Industry.

Summary from the report:

Electronic commerce is no longer a "nice-to-have" capability. A more global business model demands that carriers adopt capabilities for moving documents electronically. Consumers are becoming less tolerant of paper-based transactions because of both the time and volume required. Insurance business processes are bound by many legal requirements, and fulfilling those requirements in a cost-effective and documented way is a critical concern for the insurance industry. The ever-increasing demand to establish competitive advantage and deal with pervasive problems related to fraud and compliance requires new and creative solutions. Electronic signature technology has enterprise applicability to address all these issues.

Insurance carriers must transition away from traditional paper-based, wet-signature processes and adopt secure document and electronic signature technology. The technical complexity may appear daunting, but technology solutions providers and experts in the marketplace can partner with carriers to overcome this hurdle. The legal barriers have been eliminated by ESIGN and UETA enactment. The pen is now on the Web, and the time is right for carriers to reach out and grab it.

July 10, 2007

eIDs: A Foundation for Digital ID Success

Making PKI, and in turn, digital certificates (digital IDs), work in today’s marketplace involves several critical factors:

• a strong commitment to the technology;
• a well thought-out system for provisioning of digital IDs to users;
• the availability of tools to use and employ the digital IDs; and
• applications which deliver a potent value proposition and benefit to the end user.

The deployment of electronic identity cards with on-board digital IDs represents a powerful new front in the effort to address these issues and bring PKI to the masses.

These cards, commonly known as eIDs, put a government-issued ID in a smart card (“chip card”) form factor. The smart card provides several critical advantages over other types of card technologies, particularly in the realm of security and privacy. In addition, the smart card has an inherent capability to protect and utilize a citizen digital ID.

The citizen can then use this digital ID, working in coordination with digital ID-friendly applications such as internet browsers and Adobe® Reader® or Acrobat®, to digitally sign tax forms, securely log on to government benefit sites, access resources, etc., all easily over the internet. Not only does this save the citizen time and money in interacting with the government, it can also dramatically save governments money and response times on delivery, paper handling, data entry, and production costs.

Learn more about the benefits of eIDs and how Adobe can deliver extended value to these deployments in this white paper, “eID cards: Improving trust and reducing the cost of e-government transactions,” posted on the Adobe Government website at: http://www.adobe.com/government/pdfs/eid_cards_wp.pdf .

June 11, 2007

Arcot Announces Two Factor Authentication in Flash Player and Apollo/AIR

Arcot, a member of Adobe's security partner community, just announced their Flash-based two-factor browser authentication solution as well as support of Adobe Integrated Runtime (which was also announced today as available in beta, and formerly codenamed Apollo). Arcot's "software smartcard" solution provides greatly improved simplicity and security for consumer logins to online applications.

Usernames and passwords alone have reached the end of their useful life for protecting valuable online transactions because they are often reused by consumers across sites, easily guessed, and subject to phishing. While today's web browsers provide PKI authentication using SSLv3 client authentication, there is not a consistent or friendly user experience across browsers and operating systems to provision and utilize the necessary PKI credential. That's why you often hear PKI = Painful Key Infrastructure instead of Public Key Infrastructure.

Arcot has developed a seamless provisioning and utilization of PKI credentials in the form of an ArcotID. While the user logs in with their existing username/password, a SWF in the browser is providing PKI authentication behind the scenes using a locally stored credential in the form of an ArcotID.

ArcotID Flash client is part of WebFort, Arcot's two-factor authentication system for large enterprises in financial services, healthcare and other industries facing increasing regulatory pressure to protect and verify end-users’ identities such as those from the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA).

June 3, 2007

Adobe Unveils LiveCycle Enterprise Suite

Adobe Systems today introduced Adobe LiveCycle Enterprise Suite (ES), an integrated family of software for more securely automating processes that help businesses and governments engage with customers, citizens, employees, partners, and suppliers.

With LiveCycle ES, organizations can deliver applications that are easier to interact with. This enables companies to better communicate with people who may be frustrated with, or confused by on-line procedures, and are likely to abandon transactions, resorting to higher cost avenues such as in-person visits or phone assistance. By transforming processes such as account enrollment, claims processing or guided self service into engaging applications, businesses and governments can improve customer service, decrease costly cycle times, and manage information faster, more accurately, and more securely.

LiveCycle ES includes scalable solution components to build, manage and optimize business critical processes. Information assurance capabilities are provided by LiveCycle Rights Management ES and LiveCycle Digital Signatures ES.

Click below for more information on:
* New features in LiveCycle Rights Management ES
* New features in LiveCycle Digital Signatures ES
* Adobe LiveCycle ES Platform Support

What's new in Adobe LiveCycle Digital Signatures ES

Adobe LiveCycle Digital Signatures ES (formerly Adobe LiveCycle Document Security) lets you use digital signatures to preserve the integrity and authenticity of a document as it is transferred among users within and beyond the firewall, when it is downloaded offline, and when it is submitted back to your organization.

With Digital Signatures ES, you can automate the process of bulk certifying and signing documents, as well as validating signatures in documents that are submitted back to your organization.

Key features
Digital Signatures ES can apply security features to any PDF document whether it is generated by other Adobe server products, on a desktop by Acrobat, or even by a third-party solution. Because PDF documents can contain any type of information, such as text, audio, and video files, you can use Digital Signatures ES to secure any type of information that is saved in a PDF document.

Digital Signatures ES can apply the appropriate security features through automated business processes or programmatically through the API:

Certification and Approval signatures: Specify digital signing of documents so that recipients can validate the authenticity and integrity of the content. Digital signatures can be applied individually or in batches by using digital certificates from third-party vendors. With digital signatures applied, documents maintain authenticity even when archived.

Signature validation: Specify signature validation so that your organization can verify the authenticity of returned documents it receives. When digitally signed documents are received, Digital Signatures ES can open the document and validate it based on its signature status.

How Digital Signatures ES secures a document
In a typical Digital Signatures ES process, a developer creates an application that retrieves a PDF document from a specified repository, applies a digital signature by using a credential (private key) in a specified keystore (including HSMs), encrypts the document with a password, and sends the document to several specified recipients by email. In another example, a custom application created by using the Java API may get a series of documents, apply a digital signature to all of them, and distribute them online through the web to a number of specified locations.

This new LiveCycle Digital Signatures ES release offers many new features, including:

Signing operation: The signing operation lets you control several aspects of digital signatures used in a document. When designing a PDF document, you can define the following items:
● The appearance of the digital signature when it displays on the document
● The signature algorithm used for signing
● The properties set in signature profiles used while signing
● Embedded revocation checks in the signature field property.

Signature field creation: Digital Signatures ES supports seed values through the Signature APIs that are defined in the PDF 1.7 specification. You can create these using LiveCycle Designer 8.0 or 8.1.

Signature validation: Digital Signatures ES supports several new signature validation features:
● Validation of XML digital signatures
● Configuration of revocation check failover from OCSP to CRL, and CRL to OCSP
● Enhanced Signatures Status information that can be used when developing business processes
● RFC3280-compliant validation, and support for specifying path validation options at runtime
● Per invocation control of the verification time and revocation check styles which are used for revocation checks (rather than a global setting).

TrustStore configuration: Digital Signatures ES now uses the TrustStore repository as the database in which security data is stored. Trust chains are dynamically added to the TrustStore repository without requiring a restart of the server.

New API functionality: The following new APIs enable granular control over signature processing:
ClearSignature(), ClearSignatureField, RemoveSignatureField. The Signing Profile can also be controlled using the API (seed values). You can also use the API to specify a policy OID for each trust anchor.

Added standards compliancy: Digital Signatures ES now supports the following standards:
● XML digital signature standards (http://www.w3.org/TR/xmldsig-core)
● SHA-2 family of hash algorithms
● RFC3280 certificates and certificate revocation lists

Support for FIPS mode: You can enable the Federal Information Processing Standards (FIPS) option, which restricts data protection to FIPS 140-2 approved algorithms using the RSA BSAFE Crypto-J 3.5.2 encryption module with FIPS 140-2 validation certificate #590.

Configure service attributes in a web-based interface: You can configure Signature service attributes in the Archive Administration area of the LiveCycle Administration Console. For example, you can set up watched folders and endpoints for service invocation, configure remote APIs and parameters for processing.

April 29, 2007

U.S. Department of Defense to Deliver eForms with Adobe LiveCycle

Adobe Systems Incorporated today announced the United States Department of Defense’s (DoD) Forms Management Program has licensed Adobe Acrobat Professional and Adobe LiveCycle software. The new solution will help automate processes and streamline operations by providing fillable forms to all DoD entities, including the Army, Navy, Air Force, Marines, Coast Guard and Joint Chiefs of Staff, as well as the Office of the Secretary of Defense and Defense Agencies.

“Government agencies and militaries around the world are realizing the benefits of Adobe solutions and tools to deliver services to their constituents,” said Eugene Lee, vice president of vertical and solutions marketing at Adobe. “By incorporating Adobe’s software, the DoD Forms Management Program will be able to easily institutionalize automated processes that allow DoD officials to meet their mission requirements faster and more effectively.”

The DoD Forms Management Program will provide nearly 1,000 electronic PDF forms across the military, ranging from officer commissions to facilities, medical claims, purchasing and accounts payable. DoD constituents will be able to electronically fill, save, digitally sign and submit Department of Defense (DD) and Secretary of Defense (SD) forms electronically using the free Adobe Reader that is present on every desktop. By applying a digital signature with their Common Access Card (CAC), DoD users will be able to save time and minimize the need for hard copies.

“By leveraging the free Adobe Reader that already exists on DoD desktops, we aren't forcing our users to download additional software,” said Robert Cushing, Program Manager for the DoD Forms Management Office. “Additionally, our DD and SD forms become more portable and user friendly in field environments. The Adobe LiveCycle solution will provide an efficient and cost-savings addition to the DoD Forms Program.”

Adobe Acrobat and Adobe Reader desktop software has been certified by the US DoD JITC.

April 9, 2007

DoD Certification of Acrobat and Reader 8

The United States Department of Defense Joint Interoperability Test Command (JITC) has certified both Adobe Acrobat and Adobe Reader version 8.

Many programs supporting the Department of Defense missions require security services, such as authentication, confidentiality, non-repudiation, and access control. The JITC certification demonstrates compliance with DoD policy as well as showing confidence that the applications are properly and securely using Public Key Infrastructure.

Here are the direct links for certification of Adobe Acrobat and Adobe Reader

Certification was also achieved for Acrobat and Reader version 7.


April 3, 2007

Acrobat and Reader Security Docs

If you're looking for more details on how digital signatures, encryption, and other security features work in Adobe Acrobat and Adobe Reader, here are some good resources updated for v8:

Document Security User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 2.2 MB)
This document describes how to configure and use the application user interface, register a digital ID for use in Acrobat, and manage other people's public key certificates within your system.

Digital Signature User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 3 MB)
This guide describes the digital signature features of the Acrobat 8.x family of products both for Adobe Acrobat and Adobe Reader Version 8 users as well as for security administrators.

Adobe Acrobat 8 for Microsoft Windows Group Policy and the Active Directory service (PDF, 378KB)
This document describes using Group Policy to deploy Acrobat 8 or Adobe Reader 8 products on a Windows network.

Sharing Acrobat settings and data with FDF files in Acrobat 8 (PDF, 456 KB)
Learn how to use FDF files to exchange data between the Acrobat family of client and server products.

March 26, 2007

Faster, cheaper, and more secure mortgages

Two announcements today on electronic mortgages in PDF:

New PDF eSignature Guidelines for Mortgages
MISMO Guidelines to Help Standardize Implementation of PDF in the Mortgage Process
Adobe Systems Inc. (Nasdaq: ADBE) and MISMO® Inc. today announced the release of guidelines for the standardization of electronically signed PDF documents in the mortgage process. The guidelines are intended to help standardize the implementation of PDF and electronically signed PDF documents across the mortgage banking industry, moving the industry to a new level of interoperability with PDF for end-to-end electronic mortgage workflows...

Adobe and Wolters Kluwer Financial Services Team to Deliver Mortgages Electronically
Companies to Enable Lenders to Secure and Streamline Mortgage Processes in PDF
Adobe Systems Incorporated (Nasdaq:ADBE) and Wolters Kluwer Financial Services today announced an agreement to provide lenders with a new option for delivering mortgages electronically. With this agreement, the companies will work together to provide integration between Wolters Kluwer Financial Services Expere® Integrated Enterprise (IE) solution and Adobe® LiveCycle® interactive process management software...


February 6, 2007

Adobe Digital Signature Solutions Certified by SAFE-BioPharma Association

Adobe Systems today announced that SAFE (Signatures and Authentication for Everyone)-BioPharma Association has certified Adobe Acrobat software, Adobe Reader with Adobe LiveCycle Reader Extensions and Adobe LiveCycle Document Security software for compliance with the SAFE digital signature standard. These are the first software products ever certified by SAFE, a non-profit association that manages digital identity and signature standards for pharmaceutical industries.

With today’s announcement, legally binding digital signatures are more readily available to biopharmaceutical professionals who need help eliminating the inefficiencies and inaccuracies of paper-based processes while improving end-to-end electronic document workflows. By using the Adobe products certified by SAFE, biopharmaceutical organizations, clinical investigators and regulators can collaborate more securely and efficiently to better service patients, conduct pharmaceutical research, and help bring new drugs to market more quickly.

SAFE-BioPharma Association is a non-profit association that manages the SAFE digital identity and signature standard for the pharmaceutical industries. The SAFE standard provides a secure, legally enforceable, and regulatory compliant way to provide identity verification, non-repudiation, and content integrity for electronically signed documents. To become certified by SAFE, products and solutions must successfully pass product certification testing by an independent laboratory accredited by SAFE-BioPharma Association.

February 5, 2007

CIC Electronic Signatures and Adobe Acrobat 8

Today CIC announced their new electronic signature offering for Adobe Acrobat 8, delivering a proven enterprise solution for use within small to mid-sized businesses.

Sign-it is specifically designed to extend the digital signature framework within Acrobat 8. The combination of CIC Sign-it and Adobe Acrobat has been successfully deployed within several major enterprise accounts and, with the new capabilities of these recent products, can now be easily utilized within smaller businesses at a reasonable price.

"The combination of Acrobat 8 and Sign-it allows organizations to accelerate the move toward efficient and legally binding paperless transactions in their respective markets," said Russ Davis, Chief Technology Officer at CIC. "Our goal is to provide out-of-the-box solutions for our customers that utilize the latest in security technologies to enable them to execute secure transactions and documents electronically from the office and field as well as over the web, leveraging the type of eSignature that fits their unique requirements. The new features and increased flexibility of Acrobat 8 enable CIC to rapidly bring its next generation eSignature solutions to market. Acrobat and PDF are fundamental elements in many of CIC's major electronic signature deployments and this release represents significant benefits and enhanced value for our clients."

"Acrobat 8 helps small and mid-sized businesses save time and money by allowing them to share their PDF content more efficiently and more securely," said John Landwehr, Director of Security Solutions at Adobe. "CIC's latest release extends the capabilities of Acrobat to include targeted, adaptable electronic signatures, making CIC an important member of our Security Partner Community."

September 22, 2006

Making digital signatures easier to use and deploy with roaming credentials

Acrobat and Reader 8 include a new "Roaming Credential" feature to make digital signatures easier to use and deploy. Arcot has just announced their SignFort server to utilize this capability.

Digital signatures historically required credential provisioning to desktop clients in the form of software or hardware-based PKI certificates - before a signature could ever be applied. These credentials can be accessed by Acrobat and Reader via PKCS#12 files on disk, via PKCS#11 libraries and CryptoAPI Crypto Service Providers (CSPs) in Microsoft Windows, or via custom client plug-ins. Both PKCS#11 and CSPs usually require additional third-party software libraries to be distributed to the clients for hardware tokens such as smartcards and USB keys. Additionally, once issued, certificates ultimately expire and need to be regularly renewed at the client by requesting a new certificate from the Certificate Authority. Distributing the additional software and managing client certificates is why some people have referred to PKI as "Painful" Key Infrastructure, instead of Public Key Infrastructure.

The new "Roaming Credential" capability in Acrobat and Reader 8 does not require additional software deployment or credential management (provisioning or renewal) on the client to apply a digital signature. A new web service protocol was developed to utilize a product, such as Arcot's SignFort, to broker the credential management in a centralized server.

When signing a document with roaming credentials, the user clicks a signature field, authenticates, and saves the signed document. That's it.

The address of the roaming credential server can be specified as a "seed value" preference in the signature field itself, on a per-document basis. Or, the Acrobat and Reader application itself can be configured to use a roaming credential server for all documents, even without seed values on the signature fields of documents.

Authentication is either username/password, Windows Kerberos single sign-on, or the ArcotID.

When the roaming credential service is used, the user authentication is sent to the server along with the hash of the document. The server verifies the authentication and maps to a user's credential stored on the server, optionally in a Hardware Security Module (HSM). That credential then signs the hash and returns the value to the desktop to be embedded in the document.
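The exchange described above, sketched in Go as an added example; it is not Adobe's or Arcot's code or wire protocol. The `SignRequest` shape, the user `alice`, the demo password, and raw RSA PKCS#1 v1.5 over SHA-256 (in place of a full PDF signature container) are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SignRequest is a hypothetical message shape: the user's authentication
// plus the document hash. The document itself never leaves the client.
type SignRequest struct {
	User, Password string
	DocHash        [32]byte // SHA-256 of the bytes being signed
}

type account struct {
	pwHash [32]byte        // demo only; store passwords with a password KDF
	key    *rsa.PrivateKey // held server-side, optionally in an HSM
}

// Server stands in for the roaming credential server.
type Server struct{ accounts map[string]account }

var ErrAuth = errors.New("authentication failed")

// NewServer provisions one constructed user, "alice", and returns the server
// together with her public key (in practice taken from her certificate).
func NewServer() (*Server, *rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pw := sha256.Sum256([]byte("demo-password"))
	return &Server{map[string]account{"alice": {pwHash: pw, key: key}}}, &key.PublicKey
}

// Sign authenticates first and only then signs the supplied hash. The server
// cannot see what the hash covers, so this check is the whole access control.
func (s *Server) Sign(req SignRequest) ([]byte, error) {
	acct, ok := s.accounts[req.User]
	got := sha256.Sum256([]byte(req.Password))
	if !ok || subtle.ConstantTimeCompare(got[:], acct.pwHash[:]) != 1 {
		return nil, ErrAuth
	}
	return rsa.SignPKCS1v15(rand.Reader, acct.key, crypto.SHA256, req.DocHash[:])
}

// ClientSign hashes locally, requests a signature, and verifies the returned
// value against the expected public key before it would be embedded.
func ClientSign(s *Server, user, pw string, doc []byte, pub *rsa.PublicKey) ([]byte, error) {
	h := sha256.Sum256(doc)
	sig, err := s.Sign(SignRequest{User: user, Password: pw, DocHash: h})
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("server returned a bad signature: %w", err)
	}
	return sig, nil
}

// Verify is the recipient's check: rehash the document, test the signature.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	s, pub := NewServer()
	doc := []byte("constructed document bytes")
	sig, err := ClientSign(s, "alice", "demo-password", doc, pub)
	fmt.Println(len(sig), err, Verify(pub, doc, sig))
}
```

Because the server signs whatever hash an authenticated user submits, the strength of the authentication step and the server's audit log are what protect the key in this design.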

This capability is especially useful when sending documents outside an organization's firewall for business partners and customers to apply digital signatures. As long as those external users already have a supported authentication credential as described above, and have Adobe Acrobat or Reader 8, they can sign a document tied to a roaming credential server without any additional software deployments or configuration on their client.

August 16, 2006

Organizations deploying Adobe & GeoTrust digital signature solutions

GeoTrust announced a growing number of customers involved in regulation and certification using Certified Document Services (CDS) for digitally signing Adobe PDF documents. Increasingly, organizations dealing with sensitive electronic documents - governments, pharmaceutical companies, engineering, architecture firms and private regulatory bodies - are turning to digital signature solutions to protect document authenticity and integrity. This solution jointly developed with Adobe leverages Acrobat and LiveCycle to digitally sign sensitive electronic documents. Recipients with the free Adobe Reader (version 6 and above) receive added assurances regarding the trustworthiness of the signature - without installing or configuring additional software.

April 23, 2006

CIC Launches New Sign-it with Support for Adobe LiveCycle

Communication Intelligence Corporation (“CIC”) announced the release of their latest Sign-it software for electronic signatures in applications from Adobe Systems.

It is estimated that fifty billion original paper documents are generated each year in the US alone, that the expense associated with paper documents is over 15% of annual corporate revenue and that 60% of those paper documents are signature dependent (Coopers & Lybrand, Gartner Group). Leveraging electronic signature solutions to achieve a truly paperless environment affords organizations major benefits including significant expense reduction, compressed business cycles and enhanced security.

Adobe’s support of CIC in the development and release of this new eSignature capability represents our commitment to further advancing LiveCycle for use in paperless transactions within the large enterprise. In concert with our LiveCycle products, CIC’s Sign-it allows the flexibility to address a broad range of electronic signature needs for the modern enterprise and enables organizations to complete the final step in automating their document processes. The rich set of integration and implementation tools CIC provides in combination with Sign-it also provide tremendous value to our Adobe System Integrators and ISV partners.

March 21, 2006

NIST Public Key Interoperability Test Suite Results

Adobe Acrobat and Adobe Reader version 7 have demonstrated compliance with the Public Key Interoperability Test Suite (PKITS) developed by the National Institute of Standards and Technology (NIST) along with DigitalNet and NSA.

PKITS is a comprehensive X.509 path validation test suite designed to cover most of the features specified in X.509 and RFC 3280.

Because path validation is natively included in Adobe Acrobat and Adobe Reader, digital signatures are able to consistently validate across operating systems and versions. The Adobe compliance tests may be viewed in the following locations for Windows, Macintosh, and Linux.


DoD Certification of Acrobat and Reader 7

The United States Department of Defense Joint Interoperability Test Command (JITC) has certified both Adobe Acrobat and Adobe Reader version 7.

Many programs supporting the Department of Defense missions require security services, such as authentication, confidentiality, non-repudiation, and access control. The JITC certification demonstrates compliance with DoD policy as well as showing confidence that the applications are properly and securely using Public Key Infrastructure.

Here are the direct links for certification of Adobe Acrobat and Adobe Reader

February 19, 2006

Saving Lives with PKI and SAFE Digital Signatures

At last week's RSA Security Conference, Adobe participated in a panel discussion (click here for presentations) on how the BioPharma industry is using digital signatures in PDF to bring life saving drugs to market faster, cheaper, and more securely. The panel was moderated by Richard Guida from Johnson & Johnson, and also included Guy Talent from GST Advisors, Matthew Tuttle from Cybertrust, and John Landwehr from Adobe.

The panel discussed how the highly competitive BioPharma industry joined forces to create SAFE - Signature and Authentication For Everyone - a user identity standard and network for healthcare. This global standard enables more trusted, secure and legally enforceable paperless healthcare transactions. SAFE provides a common credential for access control to internal and business partner systems, replacing hand-written paper signatures with digital signatures in PDF documents.

This initiative was created because approximately 40% of all R&D costs are due to paper based business processes - totalling $9 billion in the US drug market alone. Instead of driving up to the FDA's doorstep with a semi-tractor trailer filled with millions of pages of paper, new drug submissions can be sent electronically. This allows submissions to be completed and approved faster, bringing new life saving drugs to market faster. By creating, moving, and storing less paper - this process is expected to save more than $350M per year in the biopharma industry, which should help keep everyone's healthcare costs down.

An electronic document alone was not sufficient without providing security measures to track authenticity and integrity of the electronic information. Digital signatures are used so these electronic documents are cryptographically signed from investigators, to clinical research organizations, to sponsors, and ultimately to the FDA - to significantly improve the security of these documents as they move from organization to organization.

Adobe has joined the SAFE vendor partner program so the ubiquitous free Adobe Reader as well as Adobe Acrobat and Adobe LiveCycle Solutions can be used for exchanging electronic healthcare information. Click here for more information.

February 13, 2006

nCipher Document Security Appliance

nCipher announced today their new document security appliance containing Adobe LiveCycle Document Security for central signing, time stamping and encryption of PDF documents. Bringing together technology components from Adobe, GeoTrust and nCipher, the appliance significantly simplifies the roll-out of strong document security, allowing any recipient to receive added assurances of a document's authenticity and integrity simply using the free Adobe Reader. Here is a datasheet on the appliance and here is more information on GeoTrust TrueCredentials.