December 19, 2011
Question

Digital signatures...

  • December 19, 2011
  • 2 replies
  • 1637 views

We have about 100 people in our organization all using Acrobat X Pro. We currently sign PDFs (only used internally--we don't sign things to be sent out to customers, vendors, etc.) using the self-signed, self-generated PKCS#12 option. This has worked well for us in the past, but we find ourselves having to back up each user's signature in case it gets lost, deleted, hard drive crashes, etc. Is there a more central way to sign documents so our users don't generate their own signatures, email them to other users, etc.? We'd like to use something that can incorporate the users' domain credentials so they don't have to remember a separate password. Or if it's better to buy digital signatures from a trust like Verisign that would be an option. We're on a 2008 R2 domain. I have little experience in this and appreciate any help anyone can offer. Thanks!


2 replies

Steven_Madwin
Adobe Employee
January 4, 2012

Hi,

The short answer is no. Regardless of whether you procure a digital ID from a trusted third party certificate authority, or just use Acrobat/Reader to generate a free self-signed digital ID, in the end you are going to want to escrow (back up) the digital ID for all the reasons you noted above. It is all part of managing the PKI overhead that Ben referred to. Of course the biggest issue tends to be someone forgets the password to access their digital ID, thus rendering it useless. That's not such a bad deal if it didn't cost the company anything, but might tend to annoy someone if they paid for the digital ID out of their budget.

There are a lot of advantages to having a robust PKI environment, the main being that it proves document integrity, personal assurance (aka "non-repudiation"), trust, and long-term validation. However, they all come with a price, and managing the PKI environment tends to be the biggest cost.

Steve

EnterpriseHelp
Community Manager
December 19, 2011

Well it looks like you get to have "Fun with PKI."

First, admins should always back up sigs. Archiving is part of a PKI, but if you're using self-signed certs there's not much point anyway. Users can always create another and they are easily spoofed. If you actually care about security, you need to purchase your certs or choose an alternative signing methodology (see below).

You can integrate with LDAP servers whether or not you buy certs from a vendor I think.

Usually the admin manages trust so that users don't have to set this up themselves on each machine. End user certs should chain to a trust anchor (such as the company's or Verisign, etc.). So if all your users trust the anchor, they trust each other.

I think you might benefit from one of these:

Adobe Acrobat Trust List (AATL)

Adobe Echosign service (not cert based).

And read these: http://www.adobe.com/go/learn_acr_security_en

hth,

Ben
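
The chaining point in the reply above, as an added example that is not part of the original thread: it uses the `openssl` command line to issue two user certificates from one trust anchor and shows that a self-signed certificate carrying the same name does not validate against that anchor. All names, subjects and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; every subject and file name below is constructed.

# The trust anchor: a root CA certificate that admins push to every machine.
make_anchor() {   # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Corp/CN=Example Internal Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# An end-entity certificate issued by, and therefore chaining to, the anchor.
issue_user() {    # $1 = working directory, $2 = file stem, $3 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# A self-signed certificate: the holder vouches for itself, so the name in it
# is backed by nothing a relying party already trusts.
self_signed() {   # $1 = working directory, $2 = file stem, $3 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Corp/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Prints "trusted" if the certificate chains to the anchor, else "untrusted".
check_chain() {   # $1 = working directory, $2 = file stem
  if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

demo() {
  d=$(mktemp -d) || return 1
  make_anchor "$d" && issue_user "$d" alice "Alice Example" &&
    issue_user "$d" bob "Bob Example" &&
    self_signed "$d" lookalike "Alice Example" || return 1
  for c in alice bob lookalike; do
    echo "$c: $(check_chain "$d" "$c")"
  done
  rm -rf "$d"
}
demo
```

Alice and Bob validate without ever exchanging certificates because both chain to the same anchor; the self-signed file has the same common name as Alice's but is rejected.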

December 19, 2011

We have a root CA that we purchased by VeriSign or Entrust I think--but I know it's purchased and we use it for SSL for our website. So I know we have a root CA (I hope I'm calling it by the correct name).

Would I generate this certificate through MS Active Directory Certificate Services? Would each user need to generate one, or is this something I can deploy?

EnterpriseHelp
Community Manager
December 19, 2011

You need to talk to your cert vendor about how to create end entity certs that chain up to your trusted root.

Ben