cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

Possibility of digital signature misuse (impersonation)

R S Rajput
New Here ,
Oct 10, 2020 Oct 10, 2020

Copy link to clipboard

Copied

I have a doubt that in Adobe Acrobat reader anyone can create digital signature with any other person name and email/organization - all of which are publicly available in any organization.

My question is: anyone can create a self signed digital signature using someone else's name and email. So, how can such digital signature be used to ascertain that the document is not signed by impersonation?

TOPICS
Security digital signatures and esignatures

Views

2.1K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 2 Correct answers

try67 Community Expert
Community Expert , Oct 10, 2020 Oct 10, 2020

- Yes, they can.

- Digital signature profiles are meant to prove that a specific person signed the document (because they can provide the public key to validate it), not the identity of that person. In order to do that a third-party must be involved, which validates the person's identity and then issues them with a unique signature profile. That's not the case in Acrobat where anyone can sign under any name they wish to. So they do not prevent impersonation, nor are they meant to. It's important

...

Votes

Translate

Translate
Test Screen Name
LEGEND , Oct 10, 2020 Oct 10, 2020

Secure signatures require one of the following:

- a certificate issued by an official organisation with identity checking. (These cost money).

- swapping the public key in advance on a safe channel.

So, you can send the public certificate to someone and confirm (perhaps by telephone) that they have the certificate. Now, in future, they can check your identity using the certificate, which cannot be faked, and the fact that they confirmed the certificate. Very important, if setting it up in an org

...

Votes

Translate

Translate
replies 4 Replies 4
latest latest Jump to latest reply
Bernd Alheit Community Expert
Community Expert ,
Oct 10, 2020 Oct 10, 2020

Copy link to clipboard

Copied

It depends how does you get the public key from the person.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
try67 Community Expert
Community Expert ,
Oct 10, 2020 Oct 10, 2020

Copy link to clipboard

Copied

- Yes, they can.

- Digital signature profiles are meant to prove that a specific person signed the document (because they can provide the public key to validate it), not the identity of that person. In order to do that a third-party must be involved, which validates the person's identity and then issues them with a unique signature profile. That's not the case in Acrobat where anyone can sign under any name they wish to. So they do not prevent impersonation, nor are they meant to. It's important to understand that.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Test Screen Name
LEGEND ,
Oct 10, 2020 Oct 10, 2020

Copy link to clipboard

Copied

Secure signatures require one of the following:

- a certificate issued by an official organisation with identity checking. (These cost money).

- swapping the public key in advance on a safe channel.

So, you can send the public certificate to someone and confirm (perhaps by telephone) that they have the certificate. Now, in future, they can check your identity using the certificate, which cannot be faked, and the fact that they confirmed the certificate. Very important, if setting it up in an organisation, to make sure everyone is REQUIRED to do this, otherwise there is no proof at all. Larger organisations use certificate repositories.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ls_rbls Community Expert
Community Expert ,
Oct 10, 2020 Oct 10, 2020

Copy link to clipboard

Copied

LATEST

++Adding to the discussion,

 

You may also need to add a custom time stamp server instead of using the Adobe Default signature verification  method. This methods always assumes the trust of such self-signed certificates are always valid, and there is no certificate revocation when there are employed like this.

 

The identities associated to the  signing certificate must also match the root certificate authority (as Test_Screen_Name pointed out), which  should be issued to ervery user by a computer administrator, who in addition, should define the expiration dates, as well as  assigning  passwords to the signing users to access a time-stamp server for signature time verification.

 

In order to verify and establish the trust of a digital signature, a computer administrator must enforce these policies in a workgroup.

 

Only the certificates and identities issued by a computer administrator will be able to employ a trusted signature time-stamp if the computer administrator also takes care in assigning unique passwords to each user (prompted at signing time) to obtain a legimitate signature time-stamp from the  default time stamp server (which is also managed and configured by the computer administrator, not just anyone).

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
About Adobe Acrobat
Adobe Acrobat Learn & Support
Adobe Inc
Whats new in Acrobat DC
Adobe Inc
Plan and Pricing
Adobe Inc
Adobe Acrobat features and tools
Adobe Inc
Adobe Acrobat Feature & Workflow
Edit PDFs
Edit Scanned PDFs
PDF Forms
Sign a PDF
FAQs
How to Edit Scanned or Secured document
Rotate | move | delete and renumber PDF pages
Acrobat download and installation help
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices