gschnettler
Participant
February 11, 2019
Question

Adobe Reader Certificates tool...how do you verify who actually signed a pdf?


I work for a company and they recently had us switch to using Adobe Reader signatures instead of pen and paper signatures.  The procedure is to click on the Certificates tool, then Digitally Sign, then choose your signature file and place it in the pdf.  This all works fine.  When I do it, it adds my name and the current date and time and some text that says that it's digitally signed. 

However, as a test, I tried it again and I clicked the "Configure New Digital ID" button and created a new Digital ID with a fake name.  That worked fine and allowed me to sign a pdf using this fake name.  So, by that reasoning, I could create a Digital ID using anyone's name.  This seems like a problem to me.

I would like to make sure that signed documents are really signed by the people whose name is on the pdf.  How do you prove that?

I assume that somewhere within the pdf file itself is some secure crypto data.  Does that somehow link the pdf back to the true person who signed it?  If so, how do you go about checking it?


1 reply

try67
Community Expert
February 11, 2019

The only way to do that is to ask the physical person to provide the key for validating the signature. As you saw, the name on the signature is meaningless. Anyone can create a signature profile with any name they want, but only the true author can provide the public key for that profile.

Alternatively, you would need a third party to verify the identity of each person, manage the certificates, make sure the passwords are not shared between people, etc., which is much more complicated and will require a very substantial expense.
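As an added illustration of the check described in this answer (not code from either poster or from Adobe): once the signer hands over their certificate through a trusted channel, its SHA-256 fingerprint can be compared with the certificate embedded in the PDF's signature. The sketch assumes a self-signed Digital ID (so the signature carries one certificate) and a definite-length DER PKCS#7 blob in the signature dictionary's `/Contents`; the function names and sample bytes are constructed for the example.

```python
import hashlib
import re

def read_tlv(buf, off):
    """Parse one definite-length DER element; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each element in a value."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def embedded_cert_fingerprints(pdf_bytes):
    """SHA-256 fingerprints of the certificates in the first signature's PKCS#7 blob."""
    m = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]+)>", pdf_bytes)
    if not m:
        raise ValueError("no hex-string /Contents (signature blob) found")
    der = bytes.fromhex(m.group(1).decode())            # zero padding after the DER is ignored
    _, vs, ve = read_tlv(der, 0)                        # ContentInfo SEQUENCE
    wrapper = next(c for c in children(der, vs, ve) if c[0] == 0xA0)  # [0] EXPLICIT
    _, vs, ve = read_tlv(der, wrapper[2])               # SignedData SEQUENCE
    certs = next((c for c in children(der, vs, ve) if c[0] == 0xA0), None)  # certificates [0]
    if certs is None:
        return []
    return [hashlib.sha256(der[s:e]).hexdigest()
            for tag, s, _, e in children(der, certs[2], certs[3]) if tag == 0x30]

def signed_with(pdf_bytes, provided_cert_der):
    """True if the certificate the signer handed over is the one inside the signature."""
    return hashlib.sha256(provided_cert_der).hexdigest() in embedded_cert_fingerprints(pdf_bytes)

# --- constructed sample data (placeholders, not real certificates or a real PDF) ---
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

ALICE_CERT = tlv(0x30, b"constructed stand-in for Alice's certificate " * 4)
MALLORY_CERT = tlv(0x30, b"constructed stand-in, same display name, other key " * 4)
_signed_data = tlv(0x30, b"\x02\x01\x01" + tlv(0x31, b"")
                   + tlv(0x30, bytes.fromhex("06092a864886f70d010701"))
                   + tlv(0xA0, ALICE_CERT) + tlv(0x31, b""))
_content_info = tlv(0x30, bytes.fromhex("06092a864886f70d010702") + tlv(0xA0, _signed_data))
SAMPLE_PDF = b"<< /Type /Sig /Contents <" + _content_info.hex().encode() + b"0000> >>"
```

A match only shows which certificate the signature carries; Reader's own signature validation still has to confirm that the document has not changed since it was signed.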

gschnettler
Participant
February 11, 2019

Ok.  So if I have a pdf that says it's signed by someone, I could go to that person, if they are still with the company, and ask them to provide their digital signature file which I assume contains their public key.  Once I have that file, how can I verify that it matches the key used to sign the pdf?

try67
Community Expert
February 11, 2019