If you have a PIV or PIV-I card, and are interested in digitally signing documents for consent/approval signatures or certified publishing – Adobe Acrobat and Adobe Reader will automatically validate digital signatures via US Federal Common Policy.  Through the Adobe Approved Trust List  (AATL) program, the following trust anchors are included in version 9 and higher:

• Common Policy — 2010 expiry — Common Hardware, Common High, Medium HW CBP
• Common Policy — 2027 expiry — Common Hardware, Common High, Medium HW CBP
• Federal Common Policy CA — 2030 expiry — Common Hardware, Common High, Medium HW CBP, SHA1 Hardware

1. You publish files and want the recipients to know that the files really did originate from you and they have not been accidentally or maliciously modified since you published them.
2. You distribute electronic forms with pre-populated information, and want to make sure recipients are not accidentally or maliciously modifying your form data when returning them to you.

To certify a document,you can use Acrobat on the desktop or LiveCycle Digital Signatures as part of an automated process on a server.  To verify the certification on a document, desktop users simply open PDFs with the free Adobe Reader or Adobe Acrobat.  If you would like an automated process to verify certified documents on a server, LiveCycle Digital Signatures can also verify certified document status.

When a document has valid certification, a blue ribbon in a blue bar will show above the document in the viewer, like this:

In this case, the document originated from the United States Government Printing Office.  It was published as part of an automated Adobe LiveCycle process, and the source document is publicly available here (http://www.gpo.gov/fdsys/pkg/BILLS-106s761enr/pdf/BILLS-106s761enr.pdf) as part of their Federal Digital System which has very specific requirements on authentication when publishing official US Government documents to the public.  In 2008, the Executive Office of the President, Office of Management and Budget (OMB) stated the White House was no longer ordering hard copy paper versions of the US Federal budget, and instead has posted certified PDF documents online.

Certified documents are also implemented at Antwerp Port Authority for electronic invoices and at a number of higher education institutions for delivering student transcripts electronically, including Penn State, Northwestern, Stanford, and more.

In addition to static documents, certifying a document increases the level of security in electronic forms workflows.  Here is an example:
a) Organization generates a form for recipient to complete and return
b) Form contains some specific transactional information, like an interest rate (3%) and term (15yrs).
c) Recipient decides they will change the rate and term to be more favorable, and then digitally signs it and returns it.

Typically, the form publisher would have to manually review every completed form to look for such errors, and they can often be overlooked.  The better solution is to certify the form as it is published to the recipient.  The added assurances here are that the recipient knows it’s an official form that hasn’t been tampered with, and when the publishing organization receives a completed and signed form back – they know that what was sent out has not been changed along the way.  The certification also allows the form author/publisher to specify which fields and form elements are locked, and which can be filled in by the recipient.

Here is an example of a certified form:

The source PDF file is available here as a Sample.

In either of these cases, if an unauthorized change is made to a certified document, the blue ribbon will turn to a red X – indicator.

More information on automating digital signatures for documents and forms is available in this previous post (LiveCycle Digital Signatures: Three Common Use Cases)

Certified documents utilize PKI and digital signatures to provide the assurances of authenticity and integrity.  These are capabilities built into the ISO 32000 standard PDF specification as well as Adobe Acrobat, Reader, and LiveCycle.  Adobe products utilize FIPS certified encryption implementations of RSA and SHA hashing algorithms (up to RSA4096 and SHA512).  The publisher/signer utilizes their private key certificate to sign documents on the desktop (Acrobat) or server (LiveCycle) and recipients simply use Acrobat or Reader to view them.

Recommendations and best practices:

A. Make sure your signing certificate is trusted by your recipient community.  This can be accomplished in several ways:

1) Utilize the Adobe CDS/AATL program, where certificates are automatically trusted and the recipients have zero configuration to validate digital signatures.  You can either obtain a certificate from a registered Adobe provider, or if you meet the strict program requirements – have your certificate authority automatically trusted.  NOTE: If you are publishing documents to the general public, CDS/AATL is the only recommended option.

2) Utilize enterprise install and management capabilities to push out trust anchors in pre-configured installations as well as maintained on an internal server

3) Utilize an enterprise desktop configuration setting to trust the existing certificate store in the operating system (e.g. Windows CAPI)

B) When certifying a document, make sure that all certificates from the trust chain are available on the signing system (desktop or server).  This includes not only the end-entity signing certificate, but also any intermediate certificates up to the trust anchor.  That way, the recipient only needs to have the trust anchor, as described in the previous section.

C) When publishing a certified document with a digital signature, make sure you are online and able to reach the revocation information published by the certificate authorities.  That way, long term validation (LTV) information is stored in the document.  If this information is not included, the certified document will no longer validate after a signing certificate expires.

D) By default certified documents utilize the system clock as a date/time indicator.  If you have higher assurance needs for time, utilize an RFC3161 based timestamp authority as part of the digital signature process

http://www.nsa.gov/ia/_files/vtechrep/I73_025R_2011.pdf
Redaction of PDF Files Using Adobe Acrobat Professional X
Enterprise Applications Division of the Systems and Network Analysis Center (SNAC)
Information Assurance Directorate, National Security Agency

But you still have questions:  Is it legal?  Can I use these technologies internationally?  In which sectors can I leverage these technologies?  Who else is using electronic signatures, and what benefits are they seeing in the real-world?

The E-Signatures 2011: Electronic Signatures and Records Conference will provide the answers!  Organized by the Electronic Signatures and Records Association (ESRA) and scheduled to be held in Washington, DC on November 9th and 10th, the conference brings together a number of government, industry, vendor, and customer speakers to cover topics including:

• IRS eSignature Programs and Initiatives
• International Adoption and Cross Jurisdiction Issues for eSignatures
• Enabling eSignatures and eRecords for eFiling and eTitling with Motor Vehicle Registration Offices
• eSignature Case Studies
• …and more!

As a result, key among the new features in Adobe Reader 10.1 for Mobile is support for accessing files secured by Adobe LiveCycle Rights Management. LiveCycle Rights Management protects sensitive documents by encrypting them with industry-standard AES encryption and enabling central management of their access permissions. Protections persist even when documents are accidentally distributed via email, the cloud, or saved on a lost mobile device.

Whether you’re working in private industry and reviewing confidential information like price lists on your Android tablet, or you’re a government employee and are viewing sensitive information via your mobile phone, Adobe Reader 10.1 for mobile and LiveCycle Rights Management allow you to securely access these documents. No longer are you stuck on your laptop or desktop simply to review materials!

Here’s a screenshot from an Apple iPad showing a user logging into a Rights Management-protected PDF.  (Click the picture to the right to see a larger version.)

To learn more about how our Rights Management product works check out: http://www.adobe.com/go/rm.

Some answers to frequently asked questions during our preview release testing of Reader 10.1 for Mobile are answered here.

Be sure to download Adobe Reader 10.1 for Mobile today!

In this specific instance, Adobe Acrobat and Reader X have been certified by JITC for their compliance with the DoD’s application requirements for Public Key Enabled services, e.g digital signatures.  The testing included intensive, comprehensive evaluations of Acrobat and Reader’s capabilities in:

• Certificate operations
• Signature and certificate status validation
• Path processing and validation
• Configuration and documentation

Adobe is proud to note that we have consistently been certified for JITC compliance in every version of Adobe Acrobat and Reader back to version 7 back in 2006.

Click here for a link to the official JITC list of software and solutions that have been tested for Public Key Enabled compliance.

With this latest action, new digital signatures created with certificates from these certificate families will no longer show as valid in Acrobat and Reader, regardless of version.  This is due to the fact that Acrobat and Reader check if certificates associated with the signing credential are revoked at signing and at document open.

Note that this will not necessarily invalidate existing documents, if you are opening them with Acrobat or Reader 9.1+.  This is due to the fact that these versions of the product check the validity of the signature at the signing time by default, not at the current time–assuming that the signature includes validation information from when it was signed.  For example, a PDF signed one year ago will still show as valid and trusted, whereas one created next Friday will show as invalid.

The action by the Dutch government also means that Adobe will not need to take any action regarding the Staat der Nederlanden roots in the Adobe Approved Trust List.

To be sure your copy of Adobe Reader or Acrobat will get the update, you can force a download of the AATL.  Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button.  Also, be sure the “Load trusted root certificates from an Adobe server” option is checked.

A future product update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AATL. In the meantime, users of Adobe Reader and Acrobat 9 can manually remove the DigiNotar Qualified CA using instructions provided in the blog post.

Also note that the Dutch government has published a document regarding the impact of the removal on signed PDFs.  That document (in Dutch and English) can be found at the links below:

Dutch version:

http://www.logius.nl/actueel/item/titel/verwijdering-diginotar-uit-adobe-reader/

English version:

http://www.logius.nl/english/news-message/titel/removal-of-diginotar-from-adobe-reader/

This posting is provided “AS IS” with no warranties and confers no rights.