We have about 100 people in our organization all using Acrobat X Pro. We currently sign PDFs (only used internally--we don't sign things to be sent out to customers, vendors, etc.) using the self-signed, self-generated PKCS#12 option. This has worked well for us in the past, but we find ourselves having to back up each user's signature in case it gets lost, deleted, hard drive crashes, etc. Is there a more central way to sign documents so our users don't generate their own signatures, email them to other users, etc.? We'd like to use something that can incorporate the users' domain credentials so they don't have to remember a separate password. Or if it's better to buy digital signatures from a trust like Verisign that would be an option. We're on a 2008 R2 domain. I have little experience in this and appreciate any help anyone can offer. Thanks!
Well it looks like you get to have "Fun with PKI."
First, admins should always back up sigs. Archiving is part of a PKI, but if you're using self-signed certs there's not much point anyway. Users can always create another and they are easily spoofed. If you actually care about security, you need to purchase your certs or choose an alternative signing methodology (see below).
You can integrate with LDAP servers whether or not you buy certs from a vendor I think.
Usually the admin manages trust so that users don't have to set this up themselves on each machine. End user certs should chain to a trust anchor (such as the company's or Verisign, etc.). So if all your users trust the anchor, they trust each other.
I think you might benefit from one of these:
Adobe Acrobat Trust List (AATL)
Adobe Echosign service (not cert based).
And read these: http://www.adobe.com/go/learn_acr_security_en
hth,
Ben
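The chaining described in the post above, as an added example that is not part of the original thread: two user certs issued by one root verify against that single trust anchor, while a self-generated cert reusing a user's name does not. It assumes the `openssl` command line tool with its stock configuration; the root name, user names and file names are constructed for the demo.

```bash
#!/bin/sh
# Added illustration: every name here (Example Internal Root, alice, bob) is constructed.
# Assumes the openssl CLI with its stock openssl.cnf, which marks `req -x509` certs as CAs.

make_demo_pki() {
    dir=$1
    # 1. Trust anchor: the one root cert an admin would push to every machine.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # 2. End-entity certs for two users, each issued (signed) by the root.
    for user in alice bob; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
            -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$user.csr" -days 30 \
            -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
            -out "$dir/$user.crt" 2>/dev/null || return 1
    done
    # 3. A self-generated cert claiming the name "alice", with no issuer behind it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=alice" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null
}

# Returns 0 only when cert $2 chains to trust anchor $1.
chains_to_anchor() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
for cert in alice bob selfsigned; do
    if chains_to_anchor "$demo/root.crt" "$demo/$cert.crt"; then
        echo "$cert.crt: chains to the anchor"
    else
        echo "$cert.crt: NOT trusted"
    fi
done
rm -rf "$demo"
```

Only `root.crt` has to be distributed as trusted; `root.key` stays with whoever issues the certs.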
We have a root CA that we purchased from VeriSign or Entrust I think--but I know it's purchased and we use it for SSL for our website. So I know we have a root CA (I hope I'm calling it by the correct name).
Would I generate this certificate through MS Active Directory Certificate Services? Would each user need to generate one, or is this something I can deploy?
You need to talk to your cert vendor about how to create end entity certs that chain up to your trusted root.
Ben
Or you could enlist a third-party certificate provider which also serves as your SaaS signing solution.
SIGNiX issues and manages certificates, and their MyDox service can enable you to upload a PDF and drag and drop digital signature fields into the document, then manages the workflow of sending it out to all named parties in a linear system, email intros included.
Worth a look.
Hi,
The short answer is no. Regardless of whether you procure a digital ID from a trusted third party certificate authority, or just use Acrobat/Reader to generate a free self-signed digital ID, in the end you are going to want to escrow (back up) the digital ID for all the reasons you noted above. It is all part of managing the PKI overhead that Ben referred to. Of course the biggest issue tends to be someone forgets the password to access their digital ID, thus rendering it useless. That's not such a bad deal if it didn't cost the company anything, but might tend to annoy someone if they paid for the digital ID out of their budget.
There are a lot of advantages to having a robust PKI environment, the main being that it proves document integrity, personal assurance (aka "non-repudiation"), trust, and long-term validation. However, they all come with a price, and managing the PKI environment tends to be the biggest cost.
Steve