I had a customer ask me about why signatures in their PDFs that they had signed with Acrobat would not verify. Doing a little digging, it became apparent that while the group had created and begun using signatures in Acrobat, they had not established trust within the group.
An electronic signature, like a pen-and-ink signature, is only as good as your belief that the signature is genuine. In a paper workflow, we can witness someone applying their mark to the paper. We use ink because it is hard to remove from the paper. How, then, do we trust an electronic signature when we can’t witness the signature being applied to the PDF?
There are several mechanisms to establish and maintain trust in the context of Adobe PDF workflows. In this article, we’ll look at the ad hoc signature workflow. In order for a signature workflow to work, we need two elements: signatures and Identities. In this workflow, all of the parties create electronic signatures and Identities with Acrobat, and all of the parties must exchange Identities in advance of using the signatures.
In Acrobat X, signatures depend on digital identities, so we must start with creating an identity. When you have a document open, you can click on the Tools panel and then choose Sign & Certify>More Sign & Certify>Security Settings… At any time, you can find these controls under Edit>Protection>Security Settings…
You create a Digital Identity in the Security Settings Panel. A Digital Identity is a file that contains information specific to you, such as your name, email address, and company contact information. In addition, it contains half of a key that can be used to decrypt content that you have encrypted. This is important, because the person with whom you are sharing a signed PDF needs this key in order to be able to decrypt your signature and verify that you are who you say you are. Without this key, we don’t have trust in the workflow, so the key is how we establish this trust.
Let’s make a Digital Signature. In the Digital Signatures panel, click the Add ID button and then choose A new digital ID I want to create now and then click Next.
Now, you need to enter your personal information, select an encryption strength, and also make a choice about how you’ll be using this ID. In this example, I have entered my personal information, chosen my region, and have chosen 2048-bit RSA encryption. The default is 1024-bit RSA for backwards compatibility, but in this age of WikiLeaks and other data security compromises, I’ll opt for more modern protection. I’ve also chosen to use this digital ID for Digital Signatures and for Data Encryption. This is the default setting, but you can choose to use this ID exclusively for either Digital Signatures or Data Encryption.
A note about Unicode Support: if you need to use this signature in a region that uses Unicode characters, such as many parts of the Middle East and Asia, then you will want to enable Unicode support here as well. Enabling Unicode Support will expose another set of fields that allow you to enter Unicode data in addition to the Western characters.
Having made your choices, click Next.
Now, choose your password. This is a tricky business, since once you create the signature, you will need to know this password in order to use it. Ah, yes, in order to use it, you need to know its key to entry. This protects you from anyone else using the signature to impersonate you. To this end, choose a strong password. Acrobat X provides a thermometer that lets you know how strong your password is, or how hard it would be to guess. It bases this strength on a number of factors, including use of upper and lower case, use of special characters, apparent randomness of the string, and length of the string.
When you’re done, click Finish to complete the ID creation process, then close the Security Settings panel.
Now that we have an ID, we can share it with people with whom we want to exchange signed documents. In a paper workflow, we can compare an ink signature against a government-issued ID, such as a passport or a driver’s license. In an electronic signature workflow, we exchange Digital IDs in advance of exchanging signed documents. This establishes the trust between the participants and allows Acrobat to verify the signatures on documents as having come from trusted sources.
There are several ways to exchange Digital IDs in Acrobat X, and I’ll focus on the two easiest ways to do it.
Let’s pause a moment to consider what’s being shared when you export an ID. An ID is an encrypted token that contains your personal information. The encryption scheme depends on two very large prime numbers. When you encrypt a signature (or any electronic content), the encryption routines use the key in your ID to do the encryption. Under this scheme, if someone has one of your two prime numbers, known as a public key, they can use it to decode your encrypted content. Sharing the public part of your ID is critical to establishing trust, because it enables the person with whom you are exchanging signatures to read the encrypted information in your signature.
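The trust step described above, modelled as an added example (not from the original article and not Acrobat's own code): a signature can be mathematically intact and still fail to validate for a recipient who never imported the signer's ID. The function names, result labels and sample text are assumptions made for the illustration.

```javascript
// Added illustration: models signature validation against a list of trusted
// identities. All names here are hypothetical; this is not Acrobat's code.
const crypto = require('node:crypto');

// A "digital ID": the private key stays with the signer, the public key is exported.
function createId(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Fingerprint of the exported public half, used as the trust-list entry.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Signing embeds the signer's name and public key next to the signature value.
function signDocument(doc, id) {
  const signature = crypto.sign('sha256', Buffer.from(doc), id.privateKey);
  return { doc, signer: id.name, publicKey: id.publicKey, signature };
}

// Two independent questions: is the document unchanged, and do we know the signer?
function validate(signed, trusted) {
  const intact = crypto.verify('sha256', Buffer.from(signed.doc), signed.publicKey, signed.signature);
  if (!intact) return 'INVALID'; // content changed after signing
  if (!trusted.has(fingerprint(signed.publicKey))) return 'UNKNOWN_SIGNER';
  return 'VALID';
}

// Constructed sample data.
function demo() {
  const alice = createId('Alice');
  const signed = signDocument('Purchase order 17: 40 units', alice);
  const trusted = new Set();                  // recipient has imported nothing yet
  const before = validate(signed, trusted);   // UNKNOWN_SIGNER
  trusted.add(fingerprint(alice.publicKey));  // recipient imports Alice's exported ID
  const after = validate(signed, trusted);    // VALID
  const tampered = validate({ ...signed, doc: 'Purchase order 17: 400 units' }, trusted);
  // A different key pair that reuses the same display name is still not trusted.
  const impostor = validate(signDocument('Purchase order 17: 40 units', createId('Alice')), trusted);
  return { before, after, tampered, impostor };
}

console.log(demo());
```

The display name plays no part in the decision: only the imported key does, which is why the ID exchange has to happen before signed documents will validate.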
Having that out of the way, let’s go back to the workflow. From the Security Settings panel, choose the ID you want to share and then click the Export button.
Here you’ll have to decide whether you want to email the ID to someone or save it somewhere on your computer. If you choose to email, then Acrobat will compose an email containing instructions as to how to import the ID. It will also include the ID as an attachment to the email. If you choose to save to a file, then Acrobat will save the ID as a file to the location of your choice. You will then be able to send it to whoever needs it without having to return to Acrobat. Make a choice, and click Next.
In either case, Acrobat exports the ID as an FDF file. The recipient just needs to double-click on the FDF file to install it in either Reader or Acrobat.
You can also request that someone send you their ID. In Acrobat X, click on Sign & Certify>More Sign & Certify>Manage Trusted Identities and then choose Request Contact…
Enter your name, email address and phone number. Enable the Include my Certificates option, and choose Email request. Then, click Next…
In the following screen, select the ID you want to send and click Next. Then, enter the email address of the person with whom you want to exchange IDs. Click Send for Acrobat to compose the email and send it with your computer’s email program.
Making your digital mark
Now that we have created an ID and established trust, it is time to sign a document.
Open the PDF you want to sign. This PDF could be a PDF with a special form field for signatures or it could be a document with no signature field. If you have permission to sign the document, then you will be able to apply an electronic signature. The Sign & Certify panel has several options in it, including Sign Document and Place Signature. There is a subtle difference between these options: if the document is an electronic form and there is an existing signature field, then Sign Document will put the signature into the signature field. If there is no signature field on the document, then it behaves the same as Place Signature. Place Signature asks you to draw a box on the PDF where you’d like the signature to be.
Note: There is also an option called Apply Ink Signature, but that makes an annotation that looks like you signed the document with a pen. It is not an electronic signature like we’ve been discussing up to now and should not be used in an electronic signature workflow unless both parties agree that the annotation-type signature is acceptable as a signature. I want to take advantage of the work we’ve put in up to now, so we’ll be talking about Signing and Placing Signatures.
I’ll assume that you are signing a document that does not have a signature field. Choose Sign & Certify>Place Signature. Acrobat will ask you to draw a box where you want the signature to go. Once you release the mouse from drawing the box, you’ll be able to determine which ID to use and also how the signature looks.
Choose the ID you want to use from the Sign As drop-down menu. Choose the ID that you used when you established trust earlier and enter the password for that ID.
You have options as to how the signature will appear on the document. By default, Acrobat includes your name and some of your personal information from the certificate. It is common to add a photo or scan of an ink signature to an electronic signature. To change the appearance, click on the Appearance menu and choose Create New Appearance…
Enter a name for the new appearance and configure the graphic option. You can have no name, choose to show your name, or choose the Imported graphic option and then browse to an image file. You can select just about any image file type that Acrobat can convert to PDF and have it appear in the signature. In this example, I chose a jpeg. You can also enable or disable different fields from the certificate. Make your choices and click OK.
When you have set all of your options, then you can click the Sign button to sign the document. You must save the signed PDF immediately. You may want to establish a naming convention for your signed documents, such as original_filename_SIGNED.pdf for signed PDFs. Having saved the PDF, you are done.
Note: If you are the last person in the workflow who needs to sign a document, then you may want to lock the document after you sign it. You can enable that option before you apply the signature.
Once signed, you can validate signatures in the Signature panel. This panel appears in any PDF that has a signature applied. You can also hover your mouse over a signature, and the tooltip will tell you whether the signature is valid. You can also click on a signature to check its validity.
There are times when you would want to remove a signature from a document. If you are the signer, then you can right-click on the signature and choose Clear Signature from the contextual menu.
Extending signature workflows to Reader users
You can include Reader users in your signature workflow by saving your PDF as a Reader Extended PDF. From the File menu, choose Save As>Reader Extended PDF>Enable Additional Features… A notice will appear letting you know what features will be enabled for Reader. Click Save Now to save the Reader Extended PDF. Give the Reader Extended PDF a name like original_name_Reader_Extended.pdf.
Once you create a Digital ID, then you can establish trust with someone else and exchange signed documents with them. Remember that you’ll need to establish trust by exchanging IDs with the other person in order to validate signatures.