Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part One – “The Why”


A few months ago, I wrote about the nature of assurance in electronic signatures and how aspects like authentication, audit, and integrity add to the trust you place in a signature.

When we consider electronic signatures, recognize that there are typically two parties to the transaction: the author / signer and the recipient, or relying party.  The signer’s role is obvious.  The relying party, on the other hand, is the one who is in the position to accept the signature and therefore the signer’s approval of the terms or nature of the signed document.  When faced with an electronic signature, the relying party must be aware (or have resources he/she can turn to, such as a lawyer) of three intersecting zones of validity—legal, contractual, and intrinsic—and how Adobe products can assist. 

First, signature validity is provided by national, regional and local legislation, as well as industry regulations.  E-Sign and the EU Signature Directive at the national level, UETA at the regional / local level, and industry standards like MISMO, NAVA, and SPeRS, all are informative as to an electronic signature’s standing.

The second category is that of contractual validity. Organizations may jointly accept each other’s electronic signatures via contract and thus impart additional validity to those signatures. As an example, the SAFE-BioPharma initiative among pharmaceutical and life sciences companies has as its backbone a strong business contract that stipulates each member will trust other members’ digital signatures and accept them as legally valid. SAFE members can therefore easily rely on each other’s signatures without worry.

Adobe products cannot provide specific feedback on these first two aspects of trust and assurance. Adobe Reader can be found on practically every computer in the world and thus Adobe can’t be aware of every single law, regulation, or contractual relationship a user may be subject to—we have to leave the lawyers something. But, Adobe products can provide clear guidance on that most important aspect of electronic signatures, the signature’s intrinsic validity.

Adobe products like Acrobat, Reader and LiveCycle ES Digital Signatures ask three questions of an electronic signature:

  1. Is the signature credential valid and in good working order?
    • Is the digital certificate in good standing? Has it expired? Has it been revoked?
  2. Has the document been altered since it was signed?
    • Integrity checking. Has the document been changed? What’s been changed, if so? Is it an authorized change (another signature, for example)?
  3. Is the signer trusted by the relying party?

The answers to these questions remain critically important no matter whether a signature is governed by legislation or established in a contractual relationship. The first two questions are handled behind the scenes by Adobe products through industry standard cryptographic protocols. The third question, however, is, by its very nature, answered by the relying party, based on their knowledge of relationships the organization may have, business colleagues, etc.

Adobe products cannot answer this question in most circumstances. Adobe understands that the relying party must be free to make their own trust decisions based on their own unique circumstances. If Adobe were to trust every signature credential, users might accept signatures from false identities or trust documents that should not be trusted in the first place. However, as you’ll read later in this series, Adobe has been looking at ways to help relying parties make this determination since 2005, and will be announcing an even more comprehensive approach starting later this year.

Next time, though, I’ll cover how a relying party can trust a signer from a user perspective.
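The three questions above, modelled as an added Python example (not Adobe's code or algorithm). The `Credential` and `Signature` types, the status strings, and the plain SHA-256 comparison standing in for real cryptographic signature verification are simplifying assumptions, and the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Credential:            # hypothetical, simplified stand-in for a signing certificate
    fingerprint: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Signature:             # hypothetical; a real signature is verified cryptographically
    credential: Credential
    signed_at: datetime
    covered_len: int         # number of leading document bytes that were signed
    digest: str              # SHA-256 of those bytes, recorded at signing time

def evaluate(doc, sig, revoked, trusted, authorized_appends=()):
    """Answer the three questions separately, then combine them."""
    cred = sig.credential
    # Q1: credential in good standing (assumption: expiry is judged at signing time)
    q1 = (cred.not_before <= sig.signed_at <= cred.not_after
          and cred.fingerprint not in revoked)
    # Q2: signed bytes unchanged; anything appended later must be an authorized change
    covered_ok = hashlib.sha256(doc[:sig.covered_len]).hexdigest() == sig.digest
    appended = doc[sig.covered_len:]
    q2 = covered_ok and (not appended or appended in authorized_appends)
    # Q3: only the relying party can answer this, through its own trust list
    q3 = cred.fingerprint in trusted
    if not (q1 and q2):
        status = "invalid"
    elif not q3:
        status = "unknown signer"   # checks pass, but no trust decision has been made
    else:
        status = "valid"
    return {"credential_ok": q1, "integrity_ok": q2, "signer_trusted": q3, "status": status}

# Constructed sample data
CRED = Credential("fp-alice", datetime(2008, 1, 1), datetime(2009, 1, 1))
BODY = b"Contract: terms v1\n"
SIG = Signature(CRED, datetime(2008, 8, 28), len(BODY), hashlib.sha256(BODY).hexdigest())
COUNTERSIG = b"[second signature]\n"

def demo():
    ok = {"fp-alice"}
    return [evaluate(BODY, SIG, set(), ok)["status"],             # all three pass
            evaluate(BODY, SIG, set(), set())["status"],          # signer not trusted
            evaluate(BODY + b"edit", SIG, set(), ok)["status"],   # unauthorized change
            evaluate(BODY + COUNTERSIG, SIG, set(), ok, (COUNTERSIG,))["status"],
            evaluate(BODY, SIG, {"fp-alice"}, ok)["status"]]      # revoked credential
```

The second case is the one the post is about: the credential and integrity checks both pass, yet the result stays short of "valid" until the relying party adds the signer to its own trust list.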



    Posted on 08-28-2008