Possibility of digital signature misuse (impersonation)

New Here ,
Oct 10, 2020

I have a doubt that in Adobe Acrobat Reader anyone can create a digital signature with any other person's name and email/organization - all of which are publicly available in any organization.

My question is: anyone can create a self-signed digital signature using someone else's name and email. So, how can such a digital signature be used to ascertain that the document is not signed by impersonation?

Correct answer by Test Screen Name | Most Valuable Participant

Secure signatures require one of the following:

- a certificate issued by an official organisation with identity checking. (These cost money).

- swapping the public key in advance on a safe channel.

So, you can send the public certificate to someone and confirm (perhaps by telephone) that they have the certificate. Now, in future, they can check your identity using the certificate, which cannot be faked, and the fact that they confirmed the certificate. Very important, if setting it up in an organisation, to make sure everyone is REQUIRED to do this, otherwise there is no proof at all. Larger organisations use certificate repositories.
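The two options in the accepted answer, as an added Go example that is not from the thread or from Adobe: two self-signed certificates carry the identical name and email, so only a fingerprint confirmed in advance on a safe channel, or a chain to a CA that did the identity checking, tells the real one from the impostor. The names, the "Example Org CA" and the telephone-confirmed pin are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for cn (constructed example). With parent == nil it is
// self-signed, so anyone can put any name and email in it; otherwise the given CA signs it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// fingerprint is the SHA-256 of the DER certificate: the value read out over the telephone when the certificate is swapped in advance on a safe channel.
func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }
// trustedByPin (the answer's second option) ignores the name inside the certificate; only a match against the fingerprint confirmed earlier counts.
func trustedByPin(c *x509.Certificate, pinned [32]byte) bool { return fingerprint(c) == pinned }

// trustedByCA (the first option) needs a chain to a CA that did the identity checking; a self-signed certificate carrying the same name does not chain and is rejected.
func trustedByCA(c, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	alice, _ := issue("Alice <alice@example.com>", false, nil, nil)
	impostor, _ := issue("Alice <alice@example.com>", false, nil, nil) // same name, different key
	ca, caKey := issue("Example Org CA", true, nil, nil)
	vetted, _ := issue("Alice <alice@example.com>", false, ca, caKey)
	pin := fingerprint(alice) // confirmed with Alice by telephone
	fmt.Println(trustedByPin(alice, pin), trustedByPin(impostor, pin), trustedByCA(vetted, ca), trustedByCA(impostor, ca))
}
```

The four printed values are true, false, true, false: the impostor's certificate shows the same name as Alice's in any viewer, and is rejected only by the pin or by the CA chain.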

TOPICS
Security digital signatures and esignatures

Adobe Community Professional ,
Oct 10, 2020
It depends on how you get the public key from the person.

Most Valuable Participant ,
Oct 10, 2020
- Yes, they can.

- Digital signature profiles are meant to prove that a specific person signed the document (because they can provide the public key to validate it), not the identity of that person. In order to do that a third-party must be involved, which validates the person's identity and then issues them with a unique signature profile. That's not the case in Acrobat where anyone can sign under any name they wish to. So they do not prevent impersonation, nor are they meant to. It's important to understand that.

ls_rbls
Adobe Community Professional ,
Oct 10, 2020
++Adding to the discussion,

You may also need to add a custom time stamp server instead of using the Adobe default signature verification method. This method always assumes the trust of such self-signed certificates is always valid, and there is no certificate revocation when they are employed like this.

The identities associated with the signing certificate must also match the root certificate authority (as Test_Screen_Name pointed out), which should be issued to every user by a computer administrator, who in addition should define the expiration dates, as well as assign passwords to the signing users to access a time-stamp server for signature time verification.

In order to verify and establish the trust of a digital signature, a computer administrator must enforce these policies in a workgroup.

Only the certificates and identities issued by a computer administrator will be able to employ a trusted signature time-stamp if the computer administrator also takes care in assigning unique passwords to each user (prompted at signing time) to obtain a legitimate signature time-stamp from the default time stamp server (which is also managed and configured by the computer administrator, not just anyone).
