
September 27, 2009

McAfee and Adobe Team on Automated Data Protection (DLP + DRM)

McAfee and Adobe today announced their global strategic partnership across enterprise and consumer businesses. For enterprises, the companies are developing an integrated solution to expand data protection across the enterprise using data loss prevention and rights management technologies. For consumers, McAfee's free diagnostic tool, McAfee Security Scan, is available as an optional download to customers when installing Adobe Reader and Adobe Flash Player.


September 22, 2009

Canon introduces imageRUNNER ADVANCE with LiveCycle Rights Management

Canon announced today their imageRUNNER Advance Series to seamlessly bridge the distance between user and multifunction printer (MFP). These models have a tighter collaboration with Adobe technologies, by offering the ability to print and scan into a variety of Adobe PDF formats and integration with Adobe LiveCycle Rights Management ES to bring secure collaboration to PDF documents.

Integration with LiveCycle Rights Management is provided directly on the imageRUNNER ADVANCE control panel, making it easy to select document security policies that persistently protect the electronic document after it is scanned on the device.

September 21, 2009

History...signed with Adobe products: US District Court Judge issues first digitally signed judicial order

For the first time in history, the Honorable John M. Facciola, Magistrate Judge for the U.S. District Court in the District of Columbia, signed a judicial order, not with paper and pen, but with a digital signature!  Press release here.

 

Judge Facciola viewing his just-digitally signed order in Adobe Acrobat.  Courtesy National Notary Association (NNA). 

Talk about setting precedent--while electronic filing has been required for some time, orders are typically printed out, signed, and then re-scanned into systems for filing.  Not until now has there been such a vote of confidence in the legal significance and weight of a digital signature.  By keeping the generation, signing and filing of the order completely electronic, the process is made much more efficient, potentially driving costs down and making the court’s systems work more effectively.  This is the latest example of organizations understanding not only the integrity and authenticity benefits of digital signatures, but the resource savings also.  Remember, it’s not so much the signature event that consumes time and money--it’s the processes around it.


August 25, 2009

News from Adobe’s Security Partner Community: VeriSign Joins the Adobe Approved Trust List

Several weeks ago, Adobe launched the Adobe Approved Trust List (AATL), our latest effort at making the use of digital signatures easier through better trust mechanisms.  VeriSign, already a Provider in our flagship trust program Certified Document Services (CDS) through its acquisition of GeoTrust, announced the inclusion of its Non-Federal SSP in the AATL, widening VeriSign's trust foundation in Adobe Acrobat and Reader.

According to Mike Stewart, CIO at the Kansas Secretary of State's office:

As a VeriSign Non-Federal SSP-PKI customer, we are excited to now have the ability to use the certificates we've already issued to digitally sign Adobe documents as part of the AATL program.  VeriSign and Adobe have made it easy to deploy and use.

Adobe is excited too!  VeriSign, along with other AATL charter Members and CDS Providers, is improving the capability for today's agile enterprises and organizations to use digital signatures and bring cost efficiencies, integrity, and non-repudiation to more document workflows.

For more information on the Adobe Approved Trust List, please visit our website.


To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!


July 17, 2009

Casting a Wider Trust Net: Announcing the Adobe Approved Trust List

Over the years, Adobe has made electronic documents and workflows easier, more efficient, and more secure.  With one of the leading implementations of electronic signatures on the market, Adobe products allow you to go the last mile by eliminating the need to print a document out just to sign it.  At the same time, we’ve also been busy behind the scenes working on ways to better deliver trust in those electronic and digital signatures so users can rely fully on these new workflows.  Today, we’re announcing the launch of our latest trust effort, the Adobe Approved Trust List...available now.

The AATL will allow millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Acrobat or Reader 9.0 and above.  Essentially, both Acrobat and Reader have been programmed to reach out to an Adobe-hosted web page to periodically download a list of trusted root digital certificates.  Any digital signature created with a credential that can trace a relationship (‘chain’) back to a certificate on this list will be trusted by our products.  Trust is only one of many questions Adobe products ask when validating an electronic signature, but it is a critical one.


Document Before AATL

Document After AATL

Several countries and organizations have already placed their ‘trust’ in the AATL:

  • DigiNotar
    • DigiNotar Qualified CA
  • GBO.Overheid – Netherlands
    • Staat der Nederlanden Root CA – with Certificate Policies defining secure hardware
    • Staat der Nederlanden Root CA – G2 – with Certificate Policies defining secure hardware
  • GlobalSign
    • DocumentSign CA
  • Keynectis
    • ICS CA
  • SwissSign
    • SwissSign Platinum CA — G2
  • TC Trustcenter / ChosenSecurity
    • CA 7:PN
    • CA 8:PN
  • US Federal Common Policy Root
    • Common Policy – 2010 expiry @  Common Hardware, Common High, Medium HW CBP
    • Common Policy – 2027 expiry @  Common Hardware, Common High, Medium HW CBP
  • VeriSign
    • Class 3 Intermediate Non-Federal SSP @ Medium-Hardware

Starting today, valid signatures with credentials from these providers, chaining up to these certificates, and meeting a set of Technical Requirements will be automatically trusted in Acrobat and Reader 9.0 and above, including most US Federal HSPD-12 / PIV cards.

So how do you take advantage of the AATL?  Well, if you’re using Acrobat or Reader 9, you don’t need to do anything!  This feature is turned on by default when you install these products, and the Trust List will automatically be updated every 90 days, though you must open a signed document (like the one here, for example) or open a signature-related menu item to trigger the timer and update.

If you want to verify the AATL is enabled, go to Edit (‘Acrobat’ on Mac)->Preferences->Trust Manager and be sure that the “Load trusted root certificates from an Adobe server...” check box is checked.  (See image below.)  You can then click the “Update Now” button in that same dialog box to download the latest version of the AATL from Adobe.  In any case, be sure to review the User FAQ if you’re having any problems or have any questions about how the AATL works.

 

The launch of the AATL complements our existing Certified Document Services (CDS) trust program, where new digital IDs that are chained to the Adobe Root certificate embedded in Adobe products are automatically trusted.  CDS is key to document certification efforts at the US Government Printing Office, Avow Systems, the Antwerp Port Authority, and many other customers who use high assurance signatures to protect the integrity and authorship of key electronic documents.  Anybody who opens a PDF document signed or certified by a CDS credential automatically gets a ‘blue ribbon’ experience with trust provided to the signature without any user interaction.  Five certificate authorities currently offer CDS certificates. 

While the high-level benefits of the Adobe Approved Trust List program are similar, the AATL is only available in Acrobat and Reader 9 at this time.  It is not backwards compatible.  CDS credentials, on the other hand, are backwards compatible from the current generation of Acrobat and Reader all the way back to version 6. Also, CDS Providers offer certificates that meet a similar high standard for assurance and feature additional capabilities including the automatic embedding of robust timestamping and real-time revocation to provide for easy, long term validation of digital signatures.  However, existing certificate communities, such as government national ID card programs, can join the AATL, as the chain to the Adobe Root certificate is not required.  Contact Adobe to get more information about which program is right for your organization / government.

If you’d like to test the AATL (and you've verified that it's enabled and downloaded per the instructions above and in the FAQ), please browse our sample documents available here.

And the story doesn’t end there!  Several more government and commercial entities are lined up to join the program in the coming months...stay tuned.

Please visit the AATL webpage for more information.


May 28, 2009

“Sign here...” Getting started with electronic signatures in Adobe products

This is the latest entry in our “What is an Electronic Signature, Anyway?” series.  You can find previous entries here.

Recently, I’ve received a number of emails from our users asking questions about electronic signatures, so I thought it would be useful to briefly answer some of these frequently asked questions and also direct you, dear reader, to a variety of resources here at Adobe that can help.

First, I recommend you read the other blog entries in our “What is an Electronic Signature, Anyway? “ series to better understand the terminology and issues surrounding electronic signatures.

Now onto the questions...

I want to electronically sign a PDF—what do I need to do?

There are lots of different ways to electronically ‘sign’ documents, but they vary in terms of reliability, longer-term validity, and application.


April 22, 2009

Adobe and Arcot Partner to SEND Secure Electronic Documents to Your Inbox

Tired of those paper bank statements, or having to log into your bank’s website to get your account information?  Adobe and Arcot announced Monday the launch of a new managed service called SEND to provide the ability for organizations to literally send secure PDF files to your email inbox, without requiring you to install anything other than the latest version of Adobe Reader or Acrobat.  Financial institutions, utilities, government agencies—really any organization or company that sends periodic paper documents, bills or notices—can take advantage of SEND.  The organization provides SEND with the PDF files and email addresses of recipients, and SEND takes care of the rest, encrypting the documents and delivering them to recipients. 

The idea of having information sent directly to you resonates strongly, even in our highly connected world, because you are empowered to manage the information and store it however you want.  Many have yet to opt for online solutions for this very reason.  However, paper statements are static, potentially subject to identity theft, and require action from recipients to service their accounts. 

With online statements, recipients no longer ‘receive’ information.  They must actively retrieve it by logging into their institution’s website.  While certainly saving money for the institution and the end customer, this ‘pull’ model breaks the mold recipients are accustomed to, and makes it more difficult for recipients to manage their own information.  However, more dynamic marketing and at-your-fingertips service options are readily available at the institution’s website.

With SEND, organizations can proactively bridge the gap from a paper to an electronic delivery model.


December 18, 2008

Digital Certificate Veteran Entrust Joins Certified Document Services (CDS) Program

Following on the heels of a number of successful customer deployments, Adobe is proud to welcome another respected organization to the CDS Program.  Entrust announced today they have joined the CDS Program and will begin offering certificates under its auspices in early 2009.  This will bring to five the number of CAs in the program, along with ChosenSecurity, GlobalSign, Keynectis, and VeriSign.

CDS makes creating and receiving authentic documents easier by not requiring a recipient to explicitly trust the author of the document.  CDS signatures automatically validate in Adobe Acrobat or Adobe Reader 6.0 and above, providing integrity and long-term assurance to electronic documents of record.  Providers involved in the CDS Program are required to meet stringent requirements for identity vetting, security, and operations.

According to Entrust's President and CEO Bill Conner:

While electronic documents are an efficient method to do business, until recently they lacked the security necessary to be accepted for official enterprise use.  With the advent of this standard and the specialized certificates, organizations can be confident that electronic documents are authentic and have not been tampered with or altered.

Read more about CDS here.


To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!



December 8, 2008

News from Adobe’s Security Partner Community: Significant GlobalSign Customer Announcements Buoy CDS Program

Since its induction into the Adobe Certified Document Services (CDS) Program, GlobalSign has been very busy working to build a customer base eager to leverage the native trust and assurance that CDS brings to any recipient opening a CDS digitally signed PDF document in Adobe Acrobat or Reader 6.0 and above.  That work has paid off in three separate customer announcements this year, including one just released today:

  • December 8, 2008: In partnership with Adobe and SafeNet, GlobalSign today announced the success of the Antwerp Port Authority project.  This port is the second largest in Europe and the fourth largest in the world.  Looking to save time and money by eliminating paper invoices, and required by law to provide for the integrity and authenticity of the resulting electronic invoices for value-added taxes (VAT), the Port of Antwerp deployed a solution combining:
    • LiveCycle ES document generation and digital signature servers;
    • DocumentSign CDS digital certificates from GlobalSign; and
    • SafeNet hardware security modules (HSMs) to protect the signing keys themselves.

    “We’ve seen a marked increase in the number of projects across the whole of Europe in recent months as the worldwide economic climate causes enterprises both large and small to re-evaluate their invoicing processes to drive down costs and remain competitive.  DocumentSign is not only a cost effective and easy solution for businesses to use, but is also compliant with European e-VAT legislation.”  -Steve Roylance, Business Development Director, GlobalSign.

  • May 2008: At the annual National Notary Association conference, GlobalSign announced the positive results of a pilot undertaken with the UK Notaries Society in which the cost efficiency and legal admissibility of eNotarization performed with GlobalSign CDS credentials was well-documented.
  • May 2008: Bodycote, a leading provider of testing and thermal processing services, announced that it had selected GlobalSign’s DocumentSign program, based on CDS credentials, to certify its test data and reports.  With this solution Bodycote can provide results to its clients in PDF form, confident in both the accuracy and integrity of the data contained within.

    “DocumentSign services our security requirements but is also instantly deployable and very scalable - essential factors for rolling out a solution that can be easily understood by every person in the reliance chain.  For our clients' customers, they simply open the test results in [R]eader.” - Alan Slater, Head of IS & IT Architecture, Bodycote


November 20, 2008

News from Adobe’s Security Partner Community - ARX Deepens Support for Adobe Acrobat & Reader

We’re always pleased to see our partners taking advantage of key, integrated capabilities of our products to better serve our joint customers' needs.  Yesterday, ARX (Algorithmic Research) announced that its CoSign product now supports the Adobe Signature Service Protocol (ASSP), built into Adobe Acrobat and Adobe Reader version 8.0 and above.

CoSign is a hardened, plug-and-play appliance that allows organizations to easily set up a centralized repository of digital IDs.  These credentials are securely stored on the appliance, eliminating the need for users to carry hardware tokens, which can add to the cost of a digital certificate (PKI) rollout.  The user simply authenticates to the server to access their credentials.

Prior to this announcement, ARX required users to install a small client to provide signing capabilities in Adobe products.  Now, with ARX’s ASSP support, users can set up Acrobat and Reader to access their centralized (roaming) credentials in CoSign for digital signatures without any additional software.  The ASSP protocol provides users with the ability to choose a roaming credential, specify an ASSP-capable server, and then, after clicking on a signature field, simply enter the appropriate authentication information to access their credential.  ASSP handles the behind-the-scenes communication between client and server, passing the hash (fingerprint of the document) up to the server for signature and then returning the resulting signature to the client to be embedded back into the document.

Here’s a brief demo of how the system works...note that I'm using a test credential here.

Easy, huh?

With today’s announcement, ARX joins our other security partner Arcot in featuring support for the ASSP protocol.  This protocol is just the latest step in Adobe’s strategy to make electronic signature workflows easier and more productive. 


To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!



November 12, 2008

Update: FIPS 140 Validation Certificates for Acrobat, Reader, and LiveCycle

Version 9.0 of Adobe Acrobat and Adobe Reader includes the RSA BSAFE Crypto-C ME 2.1.0.3 encryption module with FIPS 140-2 validation certificate #828. Instructions here will also enable FIPS mode in Acrobat and Reader 9.0 to restrict document encryption and digital signatures to FIPS-approved algorithms (AES/RSA/SHA) in this library.

Adobe LiveCycle ES still includes the RSA BSAFE Crypto-J 3.5.04 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.

November 7, 2008

Improving Design Collaboration While Reducing Risk

As we've mentioned in earlier posts on this blog, LiveCycle Rights Management ES has a growing set of integrations with 3D CAD/CAM packages. Today we have integrations in the market to provide for rights management IP protection in native Pro/ENGINEER, CATIA, and XVL files.

Adobe recently hosted a joint webcast with PTC to showcase how customers can improve design collaboration while reducing risk using Pro/ENGINEER and LiveCycle Rights Management. In today’s global manufacturing marketplace, survival depends on fast time-to-market.  Spreading the design process across the supply chain continues to increase design complexity as customers demand better products, quickly.   The key is better collaboration, but as companies try to deliver better information, earlier in the process, to a broader audience, the risk of intellectual property (IP) loss goes up dramatically.  Survey after survey has shown that protection of design information is at the top of the list for most engineering organizations.  Companies that learn to balance improved collaboration with the risk of IP loss will be the winners moving forward.

You can replay the webcast by going to: http://www.ptc.com/view?im_dbkey=76710

September 30, 2008

Come One, Come All...

...to the E-Signatures '08 Conference, scheduled for November 12-13, 2008, at the Omni Shoreham hotel in Washington, DC.   This conference, organized by the Electronic Signatures and Records Association, features compelling presentations from industry experts on the leading business, legal, and technology topics surrounding e-signatures, and prominently highlights several case studies.

Included in these case studies, Adobe customers will describe how electronic signature solutions involving products from Adobe and our Security Partner Community have improved their internal workflows and, in turn, saved them significant amounts of money, time, and resources.  You can expect to hear from:

In addition, conference attendees will learn about government and insurance industry views on e-signatures; legal, regulatory & standards updates; and finally how the new administration might affect the future of e-signature policy.  For an updated agenda, keep checking here.

Sign up this week!  Early bird registration ends Monday, October 6th.


August 14, 2008

Partners working with partners...working with Adobe

Partners are critical to everything we do in the security space, and we are very proud of the best-of-breed Community we have fostered in order to best create solutions based on Adobe’s capabilities and customized to each customer’s needs.

With that in mind, we’re always extremely pleased to see cooperation among our many security partners so that they can also mutually leverage their capabilities, which in the end is all the better for our own customers.

One of our partners, Communication Intelligence Corporation (CIC), a key electronic signature industry player, recently announced a partnership with 4Point Solutions, one of our foremost LiveCycle systems integrators, to promote closer integration of their technologies.

And ARX, Inc., a security partner offering a convenient, virtually plug-and-play CA and signing appliance, CoSign, announced relationships (here and here) with two of our Certificate Authority partners, GlobalSign and ChosenSecurity, to provide more complete and easy-to-deploy solutions around these two companies’ digital ID offerings.

So, how do these new relationships benefit Adobe’s customers? CIC’s relationship with 4Point means that customers deploying LiveCycle will have more electronic signature options on the table. With ARX, customers looking to speed workflows with digital signatures can deploy the ARX CoSign product, centrally storing user signing credentials from GlobalSign or Chosen Security, both leading certificate authorities in their own right.

“The train has left the station!” - Electronic Signatures in the Real World

This entry is part of our continuing educational series, “What is an Electronic Signature, Anyway?” (Parts 1, 2 and 3.)

In June, at an event at the National Press Club, Jerry Buckley, Founding Partner at the Buckley Kolar law firm in Washington DC, as well as Counsel to the Electronic Signatures and Records Association (ESRA), an organization devoted to promulgating the use of electronic signatures & documents and educating the public & industry on those matters, stated that the “train had left the station” when it came to electronic signature usage around the world. As the demand for more fully electronic workflows becomes more pronounced, especially given the meteoric rise in gas, and thus shipping, prices, as well as an increasing desire on the part of enterprises and organizations to ‘go green,’ electronic signatures will become even more ubiquitous.


June 26, 2008

LiveCycle Rights Management ES supports native Pro/ENGINEER documents

In early 2008 PTC shipped Pro/ENGINEER Wildfire 4, their integrated solution for 3D CAD/CAM. As announced in our relationship last year, PTC and Adobe have worked together to integrate Adobe LiveCycle Rights Management ES directly into Pro/ENGINEER, providing native CAD document protection. Sold as the Pro/ENGINEER Rights Management Extension, this solution exclusively works with Adobe LiveCycle Rights Management ES, allowing designers to provide persistent and dynamic access control to Pro/ENGINEER part, assembly, and drawing files.

Adobe's latest release of the LiveCycle Rights Management -- ES Update 1 -- provides additional functionality for Pro/ENGINEER customers wishing to manage and track iterated versions of protected parts and assemblies. These extensions enable designers to ensure that suppliers are instantly updated to the latest version of a design, decreasing the pain of mismatched versions when designing products sourced from multiple organizations.

Click on the following screenshot of Pro/ENGINEER for a brief tour of the functionality:


Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe.

May 19, 2008

2008 Adobe Security Partner Summit, or What You Missed on My Vacation

Two weeks ago, Adobe held its annual 2008 Security Partner Summit.  The Summit is designed to offer partners the chance to see where our products are headed, to learn how they can best leverage the security capabilities in those products, and, most importantly, to interact directly with our product management & engineering teams to affect the future course of our products.  The Summit also provides Adobe with a great opportunity to listen to what our partners are hearing from their customers and how the changes we make in our products impact their business.

Partners in attendance were able to gaze into the future of both Adobe Acrobat and LiveCycle ES.  They also heard the latest on Adobe’s...

  • thought leadership on electronic signatures;
  • EMEA partner strategy and unique regional requirements; and
  • Rights management capabilities and partnering opportunities.

For Adobe, partners are absolutely essential when it comes to matters of security as we define it: electronic / digital signatures, authentication, and rights management / encryption.  Our philosophy is to build robust capabilities into our own products and then adapt to particular customer needs through the careful selection of partners who can bring these solutions into being.  Whether it’s a handwritten electronic signature required to open an account at a bank branch office, single sign-on authentication into a LiveCycle administration portal, or certifying the US Federal Budget, our Security Partner Community is part and parcel of our ability to deliver powerful, compelling security solutions to clients the world over.

If you are a developer or systems integrator working with Adobe products and focusing on security, you owe it to yourself and your customers to join Adobe’s Solution Partner Program and Adobe’s Security Partner Community (SPC).  As a member of these two programs you’ll get access to a wide variety of benefits, including invitations to the annual Security Partner Summit & our MAX Conference.

If you're already a member of our Solution Partner Program, but haven't yet reached out to the SPC, what are you waiting for?  Adobe’s next Security Partner Summit is scheduled for 5-6 May 2009...we look forward to seeing you there!

And oh...about my speech relating security to my vacation in the Bahamas?  Well, you had to be there.  ;-)

April 2, 2008

Adobe @ RSA

The RSA Conference is one of the most highly respected information security conferences and exhibitions in the industry.  This year, the Conference runs from April 7-11 in San Francisco, California, at the Moscone Convention Center.  Anyone who’s anyone in the information security space, specifically companies and individuals involved in authentication, identity management, encryption, and cryptography, will be there.  Attendees (over 17,000 expected) represent every key vertical market and range from C-level executives to front line IT staff.  Heck, even Al Gore is making an appearance (no really...he’s one of the keynotes at the event!).

Adobe will be exhibiting at Booth 828 and demonstrating our LiveCycle ES and Acrobat products, highlighting their electronic signature and rights management capabilities.  If you are planning on attending, please come by and say hello!  Learn about the latest updates to our product and feature line-up, as well as our integration with a wide variety of partners, many of whom will also be exhibiting at the event (see below).  We’ll be happy to answer any questions you have. 

The extended Security Solutions team, including product managers, engineering, and sales engineers will be on hand during RSA, not only manning the demo stations at the booth, but also roving the floor, and speaking at the conference itself.  For example, John Landwehr, director of Security Solutions and Strategy at Adobe, will be speaking on Thursday, April 10 at 8:00 AM on a panel (DEPL-301) with Deloitte & Touche covering the topic of Information Classification and its critical application to the questions of security policy, data leakage and rights management in the enterprise.

If your company is interested in a partnering relationship with Adobe, please visit the booth and ask for John Harris, who manages our security alliances.

We look forward to meeting you in San Francisco next week!  Our Security Partner Community will also be exhibiting at RSA...be sure to visit them and ask how they work hand-in-hand with Adobe:                                                

 

    Partner                              Booth #
    ActiveIdentity                       Booth 657
    Athena Smartcard Solutions           Booth 1350
    Arcot Systems, Inc.                  Booth 1045
    CoreStreet Ltd.                      Booth 1350
    Entrust                              Booth 817
    Gemalto Inc.                         Booth 1923
    nCipher Inc.                         Booth 2129
    RSA, The Security Division of EMC    Booth 1717
    SafeNet, Inc.                        Booth 1039
    SOFTPRO GmbH                         Booth 1332
    VeriSign, Inc.                       Booth 1316

January 2, 2008

Demo: Certified Documents in Adobe PDF

Here is a demonstration of a PDF document that has a certifying signature plus four recipient signatures from four different certificate authorities that are part of Adobe's Certified Document Services (CDS) program.

Click here to download the PDF for Adobe Acrobat and Adobe Reader version 6 and higher.

In v8 and higher, you will see a status bar across the top, indicating the valid document certification:

followed by the recipient signatures from each of the CAs:


For long term digital signature validation, each of these signatures also includes an embedded OCSP response for the certificates in the chains and RFC 3161 timestamps. This shows that the certificates were valid at the time of signing - even if the document is subsequently opened after certificate expiration or revocation.
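
The long-term validation decision described above, as an added example (not Adobe's code and not part of the original post): each certificate is judged at the timestamped signing time using the embedded revocation evidence, and at the current time when no timestamp is embedded. The record types, field names and sample dates are constructed for illustration, and the model assumes the signatures on the timestamp token, OCSP responses and certificates have already been verified.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OcspEvidence:
    # Simplified view of one embedded OCSP response (hypothetical model).
    subject: str            # certificate the response is about
    status: str             # "good" or "revoked"
    this_update: datetime   # start of the window the response vouches for
    next_update: datetime   # end of that window


@dataclass(frozen=True)
class SignedDoc:
    chain: Tuple[Cert, ...]            # signer first, then issuing CAs
    timestamp: Optional[datetime]      # time asserted by the RFC 3161 token
    ocsp: Tuple[OcspEvidence, ...]     # revocation evidence embedded at signing


def validate(doc: SignedDoc, now: datetime) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'valid', 'invalid' or 'unknown'."""
    # A trusted timestamp fixes the moment to judge; without one, the only
    # moment the validator can trust is its own clock.
    when = doc.timestamp if doc.timestamp is not None else now
    basis = "timestamped signing time" if doc.timestamp else "current time"
    evidence = {e.subject: e for e in doc.ocsp}

    for cert in doc.chain:
        if not (cert.not_before <= when <= cert.not_after):
            return ("invalid", f"{cert.subject}: outside validity at {basis}")
        ev = evidence.get(cert.subject)
        # Evidence only counts if its window covers the moment being judged.
        if ev is None or not (ev.this_update <= when <= ev.next_update):
            return ("unknown", f"{cert.subject}: no evidence covering {basis}")
        if ev.status != "good":
            return ("invalid", f"{cert.subject}: revoked as of {basis}")
    return ("valid", f"chain valid and unrevoked at {basis}")


# Constructed sample: signer certificate expires in 2009, document opened 2010.
SIGNER = Cert("CN=Test Signer", utc(2007, 1, 1), utc(2009, 1, 1))
ISSUER = Cert("CN=Test Issuing CA", utc(2005, 1, 1), utc(2015, 1, 1))
EVIDENCE = tuple(
    OcspEvidence(c.subject, "good", utc(2008, 1, 1), utc(2008, 1, 8))
    for c in (SIGNER, ISSUER)
)
DOC = SignedDoc((SIGNER, ISSUER), utc(2008, 1, 2), EVIDENCE)
OPENED = utc(2010, 6, 1)

if __name__ == "__main__":
    cases = {
        "timestamp + OCSP embedded": DOC,
        "timestamp stripped": replace(DOC, timestamp=None),
        "OCSP evidence stripped": replace(DOC, ocsp=()),
    }
    for label, doc in cases.items():
        print(f"{label:28s} -> {validate(doc, OPENED)}")
```
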

December 10, 2007

Document Integrity Takes a Big Leap Forward with Expansion of Adobe’s CDS Program

The amazing proliferation of PDF files—over 1 billion at latest estimate—combined with the ubiquity of the internet and online information makes it critical that document creators and document readers consider the authorship and integrity of documents we trust on a daily basis as sources of information, conduits for personal data (forms), and, truly, receptacles for corporate and organizational reputation.

Let’s consider the “pump and dump” stock scams that have occurred over the past few years. By creating false press releases, fraudsters were able to ‘pump’ up the price of a stock by creating fake, positive news items for the company, and then ‘dump’ before the scam was discovered and the company's reputation damaged.

This type of fraud is but one possibility. When you fill out and submit information in a PDF form online, do you ever check for the authorship of the document? Who’s to say the form wasn’t modified to send your personally identifiable information (PII) to the government office AND to an identity thief at the same time? What about corporate annual reports? Government laws and regulations? Analyst reports? Licensing documentation?

Several years ago, Adobe recognized these threats, and worked with GeoTrust (acquired last year by Verisign) to create the Adobe Certified Document Services program alongside the release of Acrobat® and Reader® 6.0.

By joining this program, interested individuals and organizations were required to submit to a strong identity vetting process to make sure they were who they said they were, and then would be issued a credential (digital certificate) on a hardware token (USB or smart card device). When used with the Adobe software, an author could choose to ‘certify’ a document upon authoring. Once certified with a CDS credential, the document’s integrity, authorship, and even time and date of creation would be embedded with the document. And because the credential was provided under Adobe’s high assurance policies, the digital signature is automatically trusted in both Acrobat and Reader v6.0 and above, giving the recipient an immediate notification of the document’s integrity with a blue ribbon and bar at the top of the window.

Now, Adobe has partnered with three additional credential Providers for the CDS Program: Chosen Security, GlobalSign and Keynectis. (Providers' announcements are here, here and here.)  This program expansion will substantially enhance the standing and awareness of the CDS program, while at the same time offering a broader range of services to all aspects of the marketplace through innovative services and solutions. In addition, these companies, as well as current CDS member Verisign, have a global footprint, which means that the document integrity capabilities offered by these CDS Providers, and built into Adobe Acrobat and Reader, will benefit documents created throughout the world.

For more information, click here.

November 25, 2007

Adobe's history of content protection

Every once in a while, someone asks "How long has Adobe offered content protection?" Turns out, Adobe's information assurance efforts have been ramping up for over a dozen years. Adobe provides security features in numerous products and also provides dedicated security solutions such as LiveCycle Digital Signatures and LiveCycle Rights Management. Here's a brief history:

Adobe's history of content protection started with Acrobat 2.0 in 1994. At the time, this was simple 40-bit RC4 password-based encryption and digital rights management (DRM) to restrict who can open the document and what they can do with it.

Acrobat 4.0 in 1999 added support for Public Key Infrastructure (PKI), enabling a single PDF document to be protected for multiple recipients, with different permissions based on their own keypair. Depending on who opened the document, printing, modification, and clipboard actions are enabled/disabled. This release was also the first to add digital signatures using PKI. This was important for paper documents to move to digital with an opportunity for higher levels of assurance than a pen could provide on paper with a wet signature (ink) by utilizing cryptographic protections of authenticity, integrity, and non-repudiation. Acrobat 5.0 added support for 128-bit RC4 encryption for stronger levels of confidentiality. Acrobat 6.0 added support for the Microsoft CryptoAPI (CAPI) so the keypair could be stored in the Windows certificate store or through a Crypto Service Provider (CSP) to smartcards and other tokens.

In 2005, Acrobat and Reader 7.0 shipped along with LiveCycle Policy Server and Security Server. AES128 encryption was added to PDF. The enterprise rights management capabilities of Policy Server integrate with an organization's LDAP or Active Directory. A policy coupled with an information classification such as "Insider Restricted" restricts who can open the document, what they can do with it, and also provides enterprise auditing measures. Absolute (e.g. on 12/31) and relative (e.g. 7 years from document creation) expiration dates can be set to automatically expire documents. All these permissions in a policy are dynamic and can change after the document is published - to add or delete users, change permissions, or even revoke the document entirely. This revocation feature is used by many to enable version control outside a repository, so as a document is changed on the server all distributed copies of that document are automatically revoked, providing the recipient with a notification to go back to the server for a current version. Visual watermarking capabilities on PDF are able to show the policy name, recipient opening the document, and the date/time. Acrobat and Reader 7.0 were also US Department of Defense (DoD) certified by the Joint Interoperability Test Command (JITC). The LiveCycle Security Server provided the ability to apply and validate digital signatures as well as encrypt and decrypt documents in an automated business process. Flash Media Server 2 provided protected streaming capabilities for delivering video to Flash Player.

As we wrap up 2007, there has been a lot going on over the last 12 months. Acrobat, Reader, and LiveCycle shipped with new FIPS 140 approved encryption libraries. LiveCycle Rights Management (formerly Policy Server) now supports native Microsoft Office documents as well as Dassault CATIA. LiveCycle Digital Signatures (formerly Security Server) provides XML signature support as well as certified documents and is integrated with automated forms and document generation processes. Adobe's rights management has been integrated into hardware devices such as Multi Function Peripherals (MFPs) from Ricoh and others. Third party software vendors including PTC and Hitachi/Lattice3D are integrating Rights Management into their native applications. Adobe Media Player is in public pre-release with support for content protection on downloadable and offline Flash video.

What about 2008 and beyond? Stay tuned for more entries as Adobe's security solutions expand to protect even more aspects of the information lifecycle - independent of storage, independent of transport, across operating systems and file formats.

June 11, 2007

Arcot Announces Two Factor Authentication in Flash Player and Apollo/AIR

Arcot, a member of Adobe's security partner community, just announced their Flash-based two-factor browser authentication solution as well as support of Adobe Integrated Runtime (which was also announced today as available in beta, and formerly codenamed Apollo). Arcot's "software smartcard" solution provides greatly improved simplicity and security for consumer logins to online applications.

Usernames and passwords alone have reached the end of their useful life for protecting valuable online transactions because they are often reused by consumers across sites, easily guessed, and subject to phishing. While today's web browsers provide PKI authentication using SSLv3 client authentication, there is not a consistent or friendly user experience across browsers and operating systems to provision and utilize the necessary PKI credential. That's why you often hear PKI = Painful Key Infrastructure instead of Public Key Infrastructure.

Arcot has developed a seamless provisioning and utilization of PKI credentials in the form of an ArcotID. While the user logs in with their existing username/password, a SWF in the browser is providing PKI authentication behind the scenes using a locally stored credential in the form of an ArcotID.

ArcotID Flash client is part of WebFort, Arcot's two-factor authentication system for large enterprises in financial services, healthcare and other industries facing increasing regulatory pressure to protect and verify end-users’ identities such as those from the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA).

November 22, 2006

Adobe Security Partner Community

Adobe information assurance solutions enable organizations to more securely engage with employees, business associates, and customers by protecting the information lifecycle. Security can be persistently applied independent of storage and transport, reaching inside and outside an organization. Adobe's ecosystem of security partners provide interoperability with many security infrastructures including identity and access management, single-sign-on, public key infrastructures, smart cards, biometrics, multifunction printer/scanner devices, and other third party applications and file formats.

2007 will be a year of increased focus on security partners. We are firm proponents of the idea that strong and successful security solutions only come from a strong security partner ecosystem, and we are making significant changes in the way we interact with this community.

To hear more about our new partner programs, features and focus - and participate in upcoming Security Summits, see additional details here.

September 22, 2006

Making digital signatures easier to use and deploy with roaming credentials

Acrobat and Reader 8 includes a new "Roaming Credential" feature to make digital signatures easier to use and deploy. Arcot has just announced their SignFort server to utilize this capability.

Digital signatures historically required credential provisioning to desktop clients in the form of software or hardware-based PKI certificates before a signature could ever be applied. These credentials can be accessed by Acrobat and Reader via PKCS#12 files on disk, or via PKCS#11 libraries and CryptoAPI Crypto Service Providers (CSPs) in Microsoft Windows, or via custom client plug-ins. Both PKCS#11 and CSPs usually require additional third-party software libraries to be distributed to the clients for hardware tokens such as smartcards and USB keys. Additionally, certificates ultimately expire after they are issued and need to be regularly renewed at the client by requesting a new certificate from the Certificate Authority. Distributing the additional software and managing client certificates is why some people have referred to PKI as "Painful" Key Infrastructure, instead of Public Key Infrastructure.

The new "Roaming Credential" capability in Acrobat and Reader 8 does not require additional software deployment or credential management (provisioning or renewal) on the client to apply a digital signature. A new web service protocol was developed to utilize a product, such as Arcot's SignFort, to broker the credential management in a centralized server.

When signing a document with roaming credentials, the user clicks a signature field, authenticates, and saves the signed document. That's it.

The address of the roaming credential server can be specified as a "seed value" preference in the signature field itself, on a per-document basis. Or, the Acrobat and Reader application itself can be configured to use a roaming credential server for all documents, even without seed values on the signature fields of documents.

Authentication is either username/password, Windows Kerberos single sign-on, or the ArcotID.

When the roaming credential service is used, the user authentication is sent to the server along with the hash of the document. The server verifies the authentication and maps to a user's credential stored on the server, optionally in a Hardware Security Module (HSM). That credential then signs the hash and returns the value to the desktop to be embedded in the document.

This capability is especially useful when sending documents outside an organization's firewall for business partners and customers to apply digital signatures. As long as those external users already have a supported authentication credential as described above, and have Adobe Acrobat or Reader 8, they can sign a document tied to a roaming credential server without any additional software deployments or configuration on their client.
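The exchange described in this post, as an added Go example (not Adobe's web service protocol or Arcot's SignFort code): the desktop hashes the document and sends only the hash with the user's authentication, and the server signs with a key that never leaves it. The `Server`, `SignRequest`, `Enroll`, `Sign`, `HashDocument` and `Verify` names, the shared-secret login and the ECDSA P-256 key are assumptions; the page does not specify the signature algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SignRequest is all that leaves the desktop; the document and key do not.
type SignRequest struct {
	User   string
	Secret []byte // stand-in for password, Kerberos or ArcotID authentication
	Digest []byte // SHA-256 of the document bytes
}

// account is the server-side record; in production the key would sit in an HSM.
type account struct{ secret []byte; key *ecdsa.PrivateKey }

// Server is a hypothetical roaming credential server.
type Server struct{ accounts map[string]account }

// Enroll creates a server-held key pair for user and returns the public half.
func (s *Server) Enroll(user string, secret []byte) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.accounts[user] = account{secret: secret, key: key}
	return &key.PublicKey, nil
}

// Sign authenticates (same error for unknown user or bad secret), then signs.
func (s *Server) Sign(req SignRequest) ([]byte, error) {
	acct, ok := s.accounts[req.User]
	if !ok || subtle.ConstantTimeCompare(acct.secret, req.Secret) != 1 {
		return nil, errors.New("authentication failed")
	}
	if len(req.Digest) != sha256.Size {
		return nil, errors.New("digest must be a SHA-256 value")
	}
	return ecdsa.SignASN1(rand.Reader, acct.key, req.Digest)
}

// HashDocument is the client-side step: hash locally, send only the result.
func HashDocument(doc []byte) []byte {
	d := sha256.Sum256(doc)
	return d[:]
}

// Verify recomputes the hash as a recipient would and checks the signature.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, HashDocument(doc), sig)
}

func main() {
	srv, doc := &Server{accounts: map[string]account{}}, []byte("constructed contract text")
	pub, _ := srv.Enroll("alice", []byte("constructed-secret"))
	sig, err := srv.Sign(SignRequest{"alice", []byte("constructed-secret"), HashDocument(doc)})
	fmt.Println("signed:", err == nil, "verifies:", Verify(pub, doc, sig))
}
```

Because the server signs whatever hash an authenticated user submits, the strength of the login step and the server's audit trail decide what a signature from it is worth.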

September 17, 2006

Adobe Security Solutions at Oracle OpenWorld 2006

The Adobe Security Solutions Team is scheduled to present at Oracle OpenWorld San Francisco. Session S283319, titled "Using Adobe LiveCycle to Secure and Control documents in Oracle Content Database and Oracle Records Database" will be held in Moscone West Room 2012 from 4:00-5:00pm on Wednesday October 25, 2006.

This session describes a joint Oracle/Adobe solution in which Adobe LiveCycle products provide enterprise rights management, digital signatures, encryption, and security policies to documents stored in Oracle Content Database and Oracle Records Database. The session describes both the problem space and the technology and software architecture applied to address the problem.

August 16, 2006

Organizations deploying Adobe & GeoTrust digital signature solutions

GeoTrust announced a growing number of customers involved in regulation and certification using Certified Document Services (CDS) for digitally signing Adobe PDF documents. Increasingly, organizations dealing with sensitive electronic documents - governments, pharmaceutical companies, engineering, architecture firms and private regulatory bodies - are turning to digital signature solutions to protect document authenticity and integrity. This solution jointly developed with Adobe leverages Acrobat and LiveCycle to digitally sign sensitive electronic documents. Recipients with the free Adobe Reader (version 6 and above) receive added assurances regarding the trustworthiness of the signature - without installing or configuring additional software.

May 15, 2006

Announcing Ricoh MFP support for Policy Server

Today at the AIIM/ON DEMAND Conference, Ricoh and Adobe announced an agreement to develop and co-market document scanning, printing and security solutions. The integration of Adobe's Policy Server enterprise rights management software and Adobe print + scan technologies with Ricoh multifunction (MFP) devices transforms the way knowledge workers convert paper processes into more secure digital workflows. Paper can be easily scanned and encrypted into PDF to control who has subsequent electronic access and usage permissions.

"We are natural partners in that Ricoh has long provided world class digital products and solutions, and Adobe is the standard in document software," said Katsumi Yoshida, Corporate Executive Vice President, Ricoh. "We look forward to developing together new document solutions that truly bridge the paper and digital worlds. Our Fortune Global 500 customers demand the most advanced solutions and we will deliver."

April 23, 2006

CIC Launches New Sign-it with Support for Adobe LiveCycle

Communication Intelligence Corporation (“CIC”) announced the release of their latest Sign-it software for electronic signatures in applications from Adobe Systems.

It is estimated that fifty billion original paper documents are generated each year in the US alone, that the expense associated with paper documents is over 15% of annual corporate revenue and that 60% of those paper documents are signature dependent (Coopers & Lybrand, Gartner Group). Leveraging electronic signature solutions to achieve a truly paperless environment affords organizations major benefits including significant expense reduction, compressed business cycles and enhanced security.

Adobe’s support of CIC in the development and release of this new eSignature capability represents our commitment to further advancing LiveCycle for use in paperless transactions within the large enterprise. In concert with our LiveCycle products, CIC’s Sign-it allows the flexibility to address a broad range of electronic signature needs for the modern enterprise and enables organizations to complete the final step in automating their document processes. The rich set of integration and implementation tools CIC provides in combination with Sign-it also provide tremendous value to our Adobe System Integrators and ISV partners.

April 10, 2006

Active Directory SSO Support from Quest Software

Adobe offers Active Directory Single Sign On in LiveCycle Policy Server, including support for smartcard authentication.

As announced by Quest Software, Adobe utilizes Quest's Vintela Single Sign-on for Java to provide native authentication of Java and J2EE applications and services with Active Directory.

This technology is currently shipping in Adobe LiveCycle Policy Server, providing users with cross-platform access to Active Directory and single sign-on. When a user is logged into their Windows desktop, they do not need to log in again to view a Policy Server protected document. The Kerberos authentication information from the operating system is passed through Adobe's desktop applications (e.g. Adobe Acrobat, Adobe Reader, and other native Rights Management plug-ins) to the Policy Server. If the user logged in using a smartcard to authenticate to their desktop, that credential can also be used by Policy Server as a single sign-on token.

March 10, 2006

Adobe and IBM team on Enterprise Rights Management

At CeBIT this week, IBM announced that they are working with Adobe on Enterprise Rights Management (ERM) solutions to help companies protect their intellectual property and digital data from product theft.

The protection of commercial rights is becoming a major issue for many international companies. As a result of globalization, supplier and cooperation networks are becoming increasingly complex, and development and production data is being made accessible to ever-larger groups of users. Much of the development data and documents in question are "unprotected" against unauthorized access and redistribution.

IBM and Adobe are collaborating to offer joint solutions and services for worldwide Enterprise Rights Management that extends beyond the company firewall.

"The global access rights are issued by the Adobe LiveCycle Policy Server, which we host in our IBM computer centers with high availability and global access options", said Michael Diemer, Vice President Strategic Outsourcing, IBM Information Technology Services.

"This means that we are immediately able to offer our customers the full ERM functionality of the Adobe LiveCycle Policy Server. In addition, we advise our customers on all ERM requirements and work with Adobe to offer complete end-to-end solutions to ensure maximum protection of their intellectual property, thereby making it difficult for intellectual property thieves."

Adobe and IBM are demonstrating this solution in the front row of IBM's primary CeBIT Booth F41/51, demo point #1.

Here are links to the English and German press releases.

February 13, 2006

nCipher Document Security Appliance

nCipher announced today their new document security appliance containing Adobe LiveCycle Document Security for central signing, time stamping and encryption of PDF documents. Bringing together technology components from Adobe, GeoTrust and nCipher, the appliance significantly simplifies the roll-out of strong document security, allowing any recipient to receive added assurances of a document's authenticity and integrity simply using the free Adobe Reader. Here is a datasheet on the appliance and here is more information on GeoTrust TrueCredentials.