I have a doubt: in Adobe Acrobat Reader anyone can create a digital signature with any other person's name and email/organization, all of which are publicly available in any organization.
My question is: anyone can create a self-signed digital signature using someone else's name and email. So, how can such a digital signature be used to ascertain that the document was not signed by impersonation?
It depends on how you get the public key from the person.
- Yes, they can.
- Digital signature profiles are meant to prove that a specific person signed the document (because they can provide the public key to validate it), not the identity of that person. In order to do that a third-party must be involved, which validates the person's identity and then issues them with a unique signature profile. That's not the case in Acrobat where anyone can sign under any name they wish to. So they do not prevent impersonation, nor are they meant to. It's important to understand that.
Secure signatures require one of the following:
- a certificate issued by an official organisation with identity checking. (These cost money).
- swapping the public key in advance on a safe channel.
So, you can send the public certificate to someone and confirm (perhaps by telephone) that they have the certificate. Now, in future, they can check your identity using the certificate, which cannot be faked, and the fact that they confirmed the certificate. Very important, if setting it up in an organisation, to make sure everyone is REQUIRED to do this, otherwise there is no proof at all. Larger organisations use certificate repositories.
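As an added illustration of the two points made above (a signature proves only that the holder of the key signed, and trust comes from a certificate exchanged in advance over a safe channel), here is a small Go program that is not part of this thread and does not use Adobe's software; it builds two self-signed certificates with the same made-up name and email, as anyone can in Acrobat, and shows that only a certificate pinned beforehand distinguishes the real signer from the impersonator. Names, email address and document text are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newSelfSignedID is a constructed stand-in for creating a self-signed digital ID:
// the subject name and e-mail are whatever the caller types in, and nothing checks
// that the caller really is that person.
func newSelfSignedID(name, email string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		EmailAddresses: []string{email}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signDoc produces an ECDSA signature over SHA-256 of the document bytes.
func signDoc(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// validSignature checks only the mathematics: whoever signed holds the private
// key matching cert. It says nothing about who that key holder really is.
func validSignature(cert *x509.Certificate, doc, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig) == nil
}

// trustedSigner is the "swap the public key in advance" check: the presented
// certificate must be byte-for-byte the one confirmed earlier over a safe channel.
func trustedSigner(pinned, presented *x509.Certificate) bool {
	return bytes.Equal(pinned.Raw, presented.Raw)
}
```

Both signatures pass validSignature, because each impostor holds the key for the certificate they made; only trustedSigner, comparing against the certificate you confirmed by telephone, rejects the second one. A certificate repository or a CA-issued certificate replaces the byte comparison with a chain check against a trusted root, but the principle is the same.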
Adding to the discussion,
You may also need to add a custom time stamp server instead of using the Adobe default signature verification method. This method always assumes that such self-signed certificates are valid, and there is no certificate revocation when they are employed like this.
The identities associated with the signing certificate must also match the root certificate authority (as Test_Screen_Name pointed out), which should be issued to every user by a computer administrator, who in addition should define the expiration dates, as well as assign passwords to the signing users to access a time-stamp server for signature time verification.
In order to verify and establish the trust of a digital signature, a computer administrator must enforce these policies in a workgroup.
Only the certificates and identities issued by a computer administrator will be able to employ a trusted signature time-stamp, if the computer administrator also takes care to assign unique passwords to each user (prompted at signing time) to obtain a legitimate signature time-stamp from the default time stamp server (which is also managed and configured by the computer administrator, not just anyone).