Multiple digital signatures

Hi cunninj76,

My guess is the the 1st approver is using Adobe Reader and you did not Reader enable the file. Open the certified file in Acrobat 8 and then select the Advanced > Enable Usage Rights in Adobe Reader  menu item. Click the Save Now button and save the file back to the shared directory and ask the 1st approver to try again.

Steve

Thanks Steve,

But I don't seem to have "Enable Usage Rights in Adobe Reader" in the

Advanced menu options. Also, the 1st Approver has Adobe 8 Standard.

From:

"Steven.Madwin" <forums@adobe.com>

To:

cunninj76 <jamie.cunningham@basf.com>

Date:

10/03/2011 01:11 PM

Subject:

Multiple digital signatures

Re: Multiple digital signatures

created by Steven.Madwin in Acrobat Windows - View the full discussion

Hi cunninj76,

My guess is the the 1st approver is using Adobe Reader and you did not

Reader enable the file. Open the certified file in Acrobat 8 and then

select the Advanced > Enable Usage Rights in Adobe Reader menu item.

Click the Save Now button and save the file back to the shared directory

and ask the 1st approver to try again.

Steve

Replies to this message go to everyone subscribed to this thread, not

directly to the person who posted the message. To post a reply, either

reply to this email or visit the message page: [

http://forums.adobe.com/message/3951435#3951435]

To unsubscribe from this thread, please visit the message page at [

http://forums.adobe.com/message/3951435#3951435]. In the Actions box on

the right, click the Stop Email Notifications link.

Start a new discussion in Acrobat Windows by email or at Adobe Forums

For more information about maintaining your forum email notifications

please go to http://forums.adobe.com/message/2936746#2936746.

Hi Jamie,

So much for my guess. One thing, you need Acrobat Pro to add Reader Usage Rights, you can't do it in Acrobat Standard. That explains why you didn't see the menu item.

What it doesn't explain is why the first approver can't sign. Are you sure that the file isn't marked as read only when viewd on the common directory? What if the person trying to sign as the 1st approver copies the file to their local machine and trises to sign?

Steve

Hi Steve,

This didn't work either... do you want me to send you some print screens

or any other references?

Thanks,

Jamie M. Cunningham

Engineering Support Specialist II

Phone: 409-960-5205, Fax: 409-960-5333, E-Mail: jamie.cunningham@basf.com

Postal Address: PO Box 2506, Port Arthur, TX, 77643

From:

"Steven.Madwin" <forums@adobe.com>

To:

cunninj76 <jamie.cunningham@basf.com>

Date:

10/03/2011 02:16 PM

Subject:

Multiple digital signatures

Re: Multiple digital signatures

created by Steven.Madwin in Acrobat Windows - View the full discussion

Hi Jamie,

So much for my guess. One thing, you need Acrobat Pro to add Reader Usage

Rights, you can't do it in Acrobat Standard. That explains why you didn't

see the menu item.

What it doesn't explain is why the first approver can't sign. Are you sure

that the file isn't marked as read only when viewd on the common

directory? What if the person trying to sign as the 1st approver copies

the file to their local machine and trises to sign?

Steve

Replies to this message go to everyone subscribed to this thread, not

directly to the person who posted the message. To post a reply, either

reply to this email or visit the message page: [

http://forums.adobe.com/message/3951543#3951543]

To unsubscribe from this thread, please visit the message page at [

http://forums.adobe.com/message/3951543#3951543]. In the Actions box on

the right, click the Stop Email Notifications link.

Start a new discussion in Acrobat Windows by email or at Adobe Forums

For more information about maintaining your forum email notifications

please go to http://forums.adobe.com/message/2936746#2936746.

Hi Jamie,

Thanks for the file. Before I get into what is going on in your case here's a bit of background.

With a regular approval signature you get two thing. One is you assert who actually signed the document (known as non-repudiation because the person can't deny their signature). The other thing is proof of document integrity, that is, if the document has been modified it will invalidate the signature.

With a certifying signature you add in protection to prevent the document from being modified. This is to help sustain the integrity and fidelity of the document. When you certify a PDF file you have one of three options to protect the document. The first is no changes allowed. With that option no one (not even the author) can modify the document at all. The next option is form fill-in and signing. As an aside a signature field is just a special purpose form field so signing a document is just another type of filling in of a form field. The third option is to allow commenting along with form fill-in and signing. Regardless of which option you select you cannot modify the underlying structure of the file, and adding a form field would do just that. With the place signature option the signer gets to add a form field (in this case a signature form field) anywhere on the document they like, and because adding form fields to a certified file is verboten the option is disabled in the menus and tools.

As the document author what you need to do is add the signature fields to the document before you certify the file. Adding the certifying signature should be the last operation you do before posting the file to the shared drive. Then the other approvers will be able to sign.

On another note, when an approver goes to sign the document they will get an alert if the certifying signature isn't trusted. Because you are using a self-signed digital ID to add the certifying signature ever one else that is going to sign will need to add a copy of your public-key certificate into their Manage Trusted Identities list with the trust setting set to both "Use this certificate as a trusted root" and "Certified documents" if they don't want to see the alert.

Steve

Hi Steve,

Thanks for the information. I had two approvers stamp the document before

I certified it. Since I was one of the approvers, I added the 2nd approver

to my Trusted Identities list. The signatures still had a checkmark and

warning on them and when the warning details were view it read " Signature

is valid, but there were subsequent changes to the document"; however,

when I added a third signature it had no warnings. I then tried to

certify the document at the end but the option was grayed out.

We don't necessarily need the document certified and the signatures with

the warnings may be ok for our purposes, since the document will be a PDF

and approvers can't alter it except with the mark-up tools anyway.

I really appreciate your help, if you have more insight on the above

please send it my way.

Thanks,

Jamie M. Cunningham

Engineering Support Specialist II

Phone: 409-960-5205, Fax: 409-960-5333, E-Mail: jamie.cunningham@basf.com

Postal Address: PO Box 2506, Port Arthur, TX, 77643

From:

"Steven.Madwin" <forums@adobe.com>

To:

cunninj76 <jamie.cunningham@basf.com>

Date:

10/04/2011 01:03 PM

Subject:

Multiple digital signatures

Re: Multiple digital signatures

created by Steven.Madwin in Acrobat Windows - View the full discussion

Hi Jamie,

Thanks for the file. Before I get into what is going on in your case

here's a bit of background.

With a regular approval signature you get two thing. One is you assert who

actually signed the document (known as non-repudiation because the person

can't deny their signature). The other thing is proof of document

integrity, that is, if the document has been modified it will invalidate

the signature.

With a certifying signature you add in protection to prevent the document

from being modified. This is to help sustain the integrity and fidelity of

the document. When you certify a PDF file you have one of three options to

protect the document. The first is no changes allowed. With that option no

one (not even the author) can modify the document at all. The next option

is form fill-in and signing. As an aside a signature field is just a

special purpose form field so signing a document is just another type of

filling in of a form field. The third option is to allow commenting along

with form fill-in and signing. Regardless of which option you select you

cannot modify the underlying structure of the file, and adding a form

field would do just that. With the place signature option the signer gets

to add a form field (in this case a signature form field) anywhere on the

document they like, and because adding form fields to a certified file is

verboten the option is disabled in the menus and tools.

As the document author what you need to do is add the signature fields to

the document before you certify the file. Adding the certifying signature

should be the last operation you do before posting the file to the shared

drive. Then the other approvers will be able to sign.

On another note, when an approver goes to sign the document they will get

an alert if the certifying signature isn't trusted. Because you are using

a self-signed digital ID to add the certifying signature ever one else

that is going to sign will need to add a copy of your public-key

certificate into their Manage Trusted Identities list with the trust

setting set to both "Use this certificate as a trusted root" and

"Certified documents" if they don't want to see the alert.

Steve

Replies to this message go to everyone subscribed to this thread, not

directly to the person who posted the message. To post a reply, either

reply to this email or visit the message page: [

http://forums.adobe.com/message/3953483#3953483]

To unsubscribe from this thread, please visit the message page at [

http://forums.adobe.com/message/3953483#3953483]. In the Actions box on

the right, click the Stop Email Notifications link.

Start a new discussion in Acrobat Windows by email or at Adobe Forums

For more information about maintaining your forum email notifications

please go to http://forums.adobe.com/message/2936746#2936746.

Hi Jamie,

A certifying signature has to be the first signature applied to the document. You can add approval signatures post certification, but not the other way around.

Beginning with version 9, if the only change to an uncertified document is a subsequent signature you won't see the warning that changes have been made to the document, but because you are using version 8 that still occurs. However, if the document is certified and the only changes are subsequent approval signatures you don't get the warning, even in version 8.

All of this is predicated on using digital signatures. If the approvers are using stamps, that is not really a digital signature, but rather an annotation. Annotations are anything that sits on top of the actual PDF layer such as comments (sticky notes), stamps, drawings or mark-ups. Because they are not digital signatures (even if the stamp is a representation of a wet ink signature it's still not a digital signature) you can certify the file after it's been stamped.

Steve

Hello Mr. Madwin:

Your reply for Jamie in Oct 5, 2011 seems to be very important for our company now - "A certifying signature has to be the first signature applied to the document. You can add approval signatures post certification, but not the other way around."

We have Acrobat XI Pro and require digitally signed pdf design plans for approval in our offices; we have certified signatures, probably the designer's too. But when we sign, the designer's signature becomes invalid.

Subsequent signatures may be required. So, in order to avoid invalidation and have all signatures valid, what would be your advice?

In another reply (Oct 4, 2011) you talk about 3 options; since the original design must remain untouched, the one I see as adequate is "form fill-in and signing". Is this correct or are there aditional options for Acrobat XI?

Hi Julio,

A second signature should not invalidate the previous signature. Does the PDF document contain a signature field for each planned signer prior to it being signed the first time, or, are you expecting the signer's to inscribe (create) a signature field at signing time?

Thanks,

Steve

Thanks for the prompt answer, Steven.

Let me add that this is a new process for us in Puerto Rico's government, and it's probably the same for the mayority of the designers. What this means is that we are still learning about digital signatures and what are the options with Acrobat XI. As we institute policy, it also means that we need to understand what requirements are needed for designers to comply.

Designers are probably signing with default settings or choosing "no changes allowed", which invalidates their signature when we sign.

I asked our main department to look for somekind of training regarding these options, but they're taking too long and these are costly and liable processes.

The process is - 1. Designers submit a pdf plan digitally signed. 2. We check the design and if OK, we digitally sign (a certified signature). 3. Designers may submit the plan (with 2 valid signatures) to other agencies which may digitally sign too.

We need this pdf plan to accept and validate all these signatures, starting with the designer's. So, what is your advice?

Hi Julio,

I think we may be using "certified signature" in different contexts. If the designer digitally signed the plan and then submitted it for review, then the reviewer could not add a certifying signature in Acrobat because the certifying signature must be the first signature. Acrobat will not allow a certifying signature to be created once the file has been signed. If a certifying signature is to be created it must be the first signature and then all subsequent digital signatures will be regular signatures (also know as "approval signatures").

The certifying signature is what puts the blue ribbon icon on the document message bar

With a valid regular signature on an uncertified file you would see this icon on the document message bar

I think what you need to do is create a template file for the designer to use to that includes places for approval signatures along with his/her own signature. That way, once they create their design they can convert the document to a PDF file (unless they they are creating the document in Acrobat, but that's not usually how this works) that already has places for people to sign if they approve the design. Since the designer is going to be the first person to sign the PDF file, they (and only they) will have the opportunity to create a certifying signature, and it's here that you need to make sure that they don't totally lock down the file by setting No changes allowed.

I would recomend that if they are creating a certifying signature that they select Annotation, form fill-in, and digital signatures so that the reviewers can use Acrobat to add comments to the file if they are not planning on approving the design. That way they can return the file to the designer, and the designer can see the comments as to why the plan was not approved.

Steve

Actually, since we prepare letters for our comments, "Form fill-in and digital signatures" would suffice.

Incidently we do have an official project info and ink signature template; designers paste it to the bottom right of plans and submit. CAD designs are converted to pdf and usually the digital signature is located there, that's where the "Form fill-in" should be done.

As I said before, all this is new to us, so... Where do I learn about "Form fill-in" for digital signatures?

A question; does the first signature always certifies the document or is this an option you must choose?

What if the designer is not certifying the document and just adding a signature?

Hi Julio,

The first signature is NOT automatically a certifying signatutre, it can be a regular signature. What you get with a certifying signature is the ability to restrict the document recipients from editing the file by using the drop-down list seen in the screen shot above.

Steve

Does whomever doing the certifying need to create all the empty, as-yet-unsigned digital signature blocks for the approvers to sign just before he certifies the document?  Or can the approvers place their own signature blocks anywhere they choose at the time they sign their approvals after the certifier has placed his certification with the options chosen as you've described?

It's always best for the document creator to add the signature fields in the places that they expect to be be signed as it eliminates confusion.

You don't need a signature field for the certifier, because when you add a certifying signature you have the option of signing invisibly (that is, there is no signature appearance). You can have a signature field for the certifying signature, you just don't have to.

Does that mean it's optional whether the document creator/certifier does it or the approver does it *LATER* so long as the creator/certifier selects the correct options when certifying?  Just want to ensure I don't misunderstand you and end up painting myself into a corner.

Usually, if it's formal enough that they require approvers' signatures visible, they'll require the creator's/certifier's signature visible as well.

There is no one answer here. The processed was designed so the author of the document could add the certifying signature as the first signer and thus prevent anyone from altering their work. There is no rule that the person that created the file must be the first signer of the file. However, whoever is the first signer (and only the first signer) has the option of creating a certifying signature instead of a regular (approval) signature. All subsequent signatures must be regular (approval) signatures. If the document author (creator) wants the file certified to take advantage of the locking options along with getting the blue ribbon to display in the document message bar then it is incumbent upon them to be the initial signer of the file.

Steve

Man, I've been browsing and reading the site and can't find a simple explanation on this feature.

I'm guessing we'll create a suitable signature area template which designers will add to the pdf plan, just as they have done with the current ink signature one. The requirement should be for them to create a signature box over the signature area, which they will use to sign (visible) and certificate the pdf document, then choose "form fill-in and signing" for subsequent approval signatures. Is this correct?

If so, we need this in every page and all signatures must be visible. How is this set?

Message was edited by: Julio9807

I have a similar question on multiple digital signatures. I created a form on Adobe LiveCycle Designer ES 8.2 adding mutiple digital signatures. I opened the form in Adobe Acrobat 9 Pro and I extended features in "Adobe Reader" since the staff using these will be sigining the form with their clients. I did a "trial" run signing (using Topaz) on the first line (right clicking and choosing "certify with visable signature" and selected "form fill-in and digital signautres." I sent it to a co-worker to sign. She has Adobe Pro as well, but wasn't able to sign on the second line. Any idea? I've been struggling with this for a while now and haven't used this feature because I can't get it to work. Thanks!

Hi kher23,

First a bit of back-story. When Acrobat was invented 21 years ago one of the things the designers did was to make it extensible. That means that third-party software developers (i.e. someone not associated with Adobe) could create their own plug-in to extend the capabilities of Acrobat so the application would be able to do more than what Adobe had designed it to do. As long as the third-party developer kept within the scope of the PDF specification they could modify PDFs using their software running inside of Acrobat. Topaz is one of those companies. They created a plug-in that allows the end-user (in this case that would be you) to create a bio-metric digital signature by capturing your handwriting.

Digital signatures based on the Topaz plug-in must be validated using the Topaz plug-in. Acrobat (or Reader) has no notion of a bio-metric signature, that concept lives in the plug-in provided by Topaz. If you sign a PDF file using the Topaz software along with their corresponding bio-metric capture device then that signature can only be validated using the same Topaz software.

Also, when you create a digital signature using the Topaz software you are creating the signature based on their rules, not Adobe's. The Topaz plug-in has no notion of a "certifying signature", all it know is bio-metric handwriting capture.

Please don't get me wrong, I think Topaz created a great product that provides functionality that is not part of Acrobat/Reader as it ships from Adobe. If you need a bio-metric signature then I think they do as good a job as anyone, but it's not a CMS type signature (i.e. a signature based on a public/private key-pair and the associated public-key certificate). Acrobat/Reader only understands CMS type signatures and without the Topaz plug-in has no ability to process the bio-metric signature.

Steve

I know this is an old thread, but I am also having problems with sequential signing. We are trying to validate a workflow with Acrobat for internal use, and then use EchoSign for 21CFR compliant signatures. I have valdiated the process through EchoSign, but there are a few problems.

1. Using an internal signature process, I apply a Signature with Certificate and everything I know of configured correctly. When the second person receives the file by e-mail, or opens from the network location and attempts to sign they are receiving a "file is read only" error, so the file must be save as under a new name?

2. The workflow I would like to have is send the document for signature with the restrictions applied under the Certifying dialog. But then once it is signed my QAU wants to apply a final security to prevent anyone from being able to print out the final doc. The security cannot be changed because the file is signed.

3. If we have a finalized document internal with signatures, when it is sent through EchoSign the signature fields are removed and EchoSign takes precedence (so it destroys the original document properties).

Hi Joe,

In its current configuration, the EchoSign electronic signature workflow is not compatible with cryptographic digital signatures. When a file is uploaded to EchoSign it is flattened, that is active form-fields are are turned into images, and then as users sign they are just adding an image to the flattened file. At the end of the electronic signature workflow the file is digitally signed with a certifying signature to preserve the integrity of the electronic signature images.

The advantage of using an cryptographic digital signature is the files integrity is preserver even though it is out in the wild so to speak. With EchoSign, the integrity is provided by the file being only on the EchoSign Server which acts as a trusted third-party, backed by an audit trail that logs file access. Also access to the file is controlled by the document author (that is, the person who decides who gets to sign electronically).

The bottom line is, you need to pick one work-flow that works best for you and stick with either PKC based digital signatures or server based electronic signatures.

Steve

Okay I will need to address that, but what about the internal issue?

Files that are worked through the steps outlined in that thread are showing as “read-only” on the receivers workstation and can’t be signed without saving under a different name.

Also is there any means of applying a security policy that will lock a document form editing/printing, but allow signatures? Would it need to be like some others in that thread where a simple signature is applied for submission and review, and then the final signature is the certifying one with no further changes?

Joe Burge

Metrologist

Wilson Division

joe.burge@microbac.com<mailto:first.last@microbac.com>

252.265-5157 p

252.237.9341 f