In past weeks, I’ve posted a general ‘Introduction to PDF security‘ and an overview of Acrobat 7’s eEnvelopes and security policies. While it’s not strictly necessary to read those articles first — particularly if you already have some familiarity with PDF security — it is helpful, as it provides a solid introduction to PDF security concepts.
This installment covers the key issue of digital signatures. ‘What are they?’ ‘How are they used?’ ‘When should they be used?’ This article tackles these questions and more in order to further de-mystify PDF security.
‘What are digital signatures?’
A digital signature is similar to the more familiar hard copy or analog signature, in that it indicates approval or authorization of a document’s contents at the time of signing. The major difference is that while a hard-copy signature is represented by a physical mark, a digital signature is instead represented by a set of digital information unique to the signer.
In both cases, changes made to the document after a signature is applied mean that it is no longer the same as the document that was approved. Hence, the signature will become invalidated.
How are they used?
Digital signature fields
In Acrobat 7 Standard or Professional, it’s possible to create digital signature fields using the Digital Signature Tool. This can be accessed from either the Advanced Editing Toolbar, or by selecting Tools > Advanced Editing > Digital Signature Tool. Once the area of the signature field has been created via the click-and-drag interface, it’s possible to do things like set actions (e.g. executing menu items or going to a certain page view) for when the field is selected or configure the document’s behavior once it is signed. This allows users to conditionally set individual form fields or entire forms to read-only once a document is signed, allowing form information to be validated with more confidence.
It should also be noted that users of the free Adobe Reader can be included in the digital signature process, along with form-filling in general, using Adobe LiveCycle Reader Extensions. This is a high-end server product that allows document providers to add form-filling capabilities on the document level, allowing Reader users to fill out and save PDF forms.
Signing a document
If you are the first person to sign a document, then you have the option of applying a certifying signature instead of a regular signature. This will be invalidated if unauthorized changes are made to the document, and allows people receiving the document to peruse it with more confidence, knowing that it has not been altered. Whatever the signature type chosen, its addition is handled by a simple, wizard interface.
Self-sign vs. 3rd-party certificates
A Digital ID contains signature information that is either created by you or provided by a third party. A Digital ID provided by a third party will include a certificate that serves to confirm your signature information and help to secure your document.
When you sign a document — physically or digitally — you are indicating that you both approve the document’s contents and that you have the right to certify that document.
Digital IDs provided by 3rd parties are generally considered more secure, because an independent certificate authority has ratified them. Think of it like this: a signature applied using a Self-Sign Certificate signature tells a document consumer that ‘This document is valid, and I am authorized to sign it,’ while a signature applied using a 3rd party digital ID tells them that ‘This document valid, I am authorized to sign it, and [CERTIFCATE AUTHORITY X] verifies my identity.’ The additional assurance can make a big difference when it comes to legal documents or those sent out to a wide audience.
‘When should digital signatures be used?’
With PDF holding its position as the de facto standard for document interchange, more and more document transactions that were previously the realm of hard-copy workflows are being replaced by electronic equivalents. When it comes to proofing documents, filing of court documents and similar transactions where content fidelity is crucial. When they are conducted electronically, digital signatures are equally important.
That’s the end of part three in my series on PDF security. In future articles, I’ll address 3rd party tools and provide some more in-depth information on Adobe Policy Server. If you’re not familiar with those terms, you may just want to read those columns to find out more!