I have a few documents that I want our customers to fill out and digitally sign, and in a perfect world I would not want them to create a self-signed certificate, as it seems there is nothing stopping someone from forging that, unless I am wrong on that.
The plan we have is for us to email these documents on an as-needed basis to customers to sign. How do I require/set up a certifying authority? I looked around and didn't find what I needed.
At this time I do not have the ability to use Adobe Sign.
Thanks!
You are absolutely right that a self-created certificate is no proof of identity. They can have a place in a secure workflow. What happens is that the self-created public certificate is shared FIRST and by a TRUSTED method. This is about human trust, not technology; for example you might phone to say "I'm sending you a certificate"; if your identity is known to the person you call, you have trust set up. Certificates issued by a certifying authority, however, may cost several hundred dollars; will your customers happily bear that?
Our company can pay for the certificates; I just need to know the easier process to go about it.
You need to purchase a certificate (for each user) from a recognized Certificate Authority. I don't know where you reside, but there are Adobe-recognized CAs in many countries. The requirement for issuing a user certificate that is recognized as Trusted by Acrobat is that the certificate be on a smart card or USB token, so that the signer is in control of the device. You can look at the Trusted authorities list in Acrobat to find potential issuers. If you are using AdobeSign, there is also the possibility of a cloud-based signature. Check on the AdobeSign site for a list of cloud signature providers.
Bear in mind each user must buy their own. You cannot buy a certificate on someone else's behalf; that would really break the whole identity-check thing.
We have restrictions about using anything hosted or in a cloud due to confidentiality. So there is no way to assign a specific certificate authority to a PDF and have the user verify themselves prior to signature?
My current plan is below; please let me know if there is a better option given my situation.
1. Email PDF to prospective client via encrypted email
2. Client fills out 10 demographic questions, self-signs with a digital ID
3. Client emails PDF back through encrypted chain
4. I store encrypted email chain and PDF as proof document was signed by user
I’m not sure how your restrictions on using Cloud-based services affect buying certificates. Certificates are not Cloud-hosted, but certification checks require the authority to be contactable: to check the authenticity of the certificate chain, not to recheck the person. I think we’re not seeing the whole picture, though I can see the workflow. Certificates CAN provide authenticity checking, but there are very different needs, and it’s easy to do too little, too much, or completely the wrong thing. What are your authenticity checking needs now, in 5 years and in 20 years? Who needs to prove authenticity: yourself only, the client only, both? External auditors? A court of law - is this a binding contract?
I need to be able to verify the authenticity of the signature for 5 years. I would like to be able to show, if an issue came up, that this person was the one who signed the document. Maybe an IP address? Anything more that I could point back to. In playing with the self-signing certificate I am fine with how the document locks and validates that no changes were made.
It is an application for services, not a legally binding contract, but I want assurance the document was not forged. There is little benefit in forging the document so the risk is low, but I would rather overdo it there.
Self-signed certificates can be created by anyone, with any name, so they are not adequate. Documents signed on a local computer are not associated with an IP address. The task of assuring that a certificate represents a particular person is handled by the CA when they issue a signing certificate. Signing certificates typically expire after 2 years, so the task of validating a signature after 5 years involves Long Term Validation, where Acrobat stores not only the signing certificate, but also all the supporting certificate chain and revocation information, then countersigns with a secure Timestamp.
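
An added example (not from any poster in this thread, and not Acrobat's own behaviour): it uses the `openssl` command line to show the point made in the replies above, that two self-signed certificates can carry the same name, so the only thing that tells them apart is a fingerprint recorded beforehand over a trusted channel. The name "Jane Customer" and the helper functions `make_id`, `subject_of`, `fingerprint_of` and `matches_pin` are constructed for illustration.

```shell
#!/bin/sh
# Added example: same name, different self-signed certificates, told apart
# only by a pinned fingerprint. All names and files here are constructed.
set -u
WORK="$(mktemp -d)"

# make_id NAME PREFIX: create a self-signed certificate and key, standing in
# for what a signer's PDF tool does when it creates a self-signed digital ID.
make_id() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# subject_of PREFIX: the name the certificate claims for itself.
subject_of() { openssl x509 -in "$WORK/$1.crt" -noout -subject; }

# fingerprint_of PREFIX: SHA-256 fingerprint of the certificate, the value to
# confirm by phone or another channel the recipient already trusts.
fingerprint_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# matches_pin PREFIX PINNED_FINGERPRINT: accept only the enrolled certificate.
matches_pin() { [ "$(fingerprint_of "$1")" = "$2" ]; }

make_id "Jane Customer" customer    # the real customer's digital ID
make_id "Jane Customer" lookalike   # a second ID claiming the same name

PINNED="$(fingerprint_of customer)" # recorded during the trusted exchange

for id in customer lookalike; do
  if matches_pin "$id" "$PINNED"; then verdict="accept"; else verdict="reject"; fi
  printf '%-10s %s  %s\n' "$id" "$(subject_of "$id")" "$verdict"
done
```

Both certificates print the same subject; only the one whose fingerprint was recorded in advance is accepted.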
Thanks. Very helpful. If I am only looking for two years, am I able to point a PDF to a specific certificate authority? What are the logistics there? I'm not seeing much out there on the internet about this with PDFs if it isn't DocuSign, Adobe, etc.
The signing certificate points to the Certificate Authority. You don't have to point Acrobat to anything. You can see a list of Acrobat trusted providers by going to Edit->Preferences->Signatures->Identities and Trusted Certificates->Trusted Certificates. When you validate a signature, you can use the option "Validate at Signing Time".
Is my setup with having them create a self digital signature as good as it'll get for me without using DocuSign or an equivalent?
What would be better?