Digital signature in PDF and Acrobat

The Good, the Bad and the Ugly

Almost everyone has a signature they use to sign every kind of agreement, from credit-card slips to contracts. A signature is commonly understood as a recognizable scrawl (or flourish, if you are so inclined) that indicates: 'I (the signer) record my agreement to this document as it exists at the time of my signing.'

Placing pen on paper - or "inking" - is a key event in establishing enforceable agreements. Ink is neutral, a third-party witness to the joining of hands. Without ink, it seems, we have no deal.

So what do we do when our documents aren't printed on paper, but delivered electronically, as PDF files? To "ink" them in the conventional sense, we first have to print them, neutralizing the utility of the electronic document format.

PDF digital signatures are beginning to emerge as a viable solution to keeping the "inking" process in the digital realm. The infrastructure for digital signatures exists in Acrobat, but vendors in this space must do a lot better before digital signatures - in PDF files and otherwise - become a significant part of everyday reality. There were a few recent rollouts of digital signatures on a large scale, such as in Belgium, but these remain few and modest compared to the concept's clear potential.

Of course, it's not all up to Adobe, or any other single vendor in the digital signature world. Significant barriers remain. Digital signatures are not yet regarded as legal in many jurisdictions, and most approaches to implementation remain organized around the technology rather than the user, akin to the well-understood role of the ballpoint pen. Digital signature key systems, signature devices and the other accoutrement of secure electronic documents remain arcane to all but the well-initiated. Where digital signatures are gaining in implementation, such as in Belgium, privacy concerns have followed.

Beyond the technical, representational and privacy issues, potent business-cultural and usage barriers to digital signature implementation remain as well.

Most legal and other paper-document workflows are rooted in filing cabinets and fax machines because paper remains the one document medium that is reliably horizontal - i.e., moves easily between organizations. Integrating digital signatures and electronic documents into these workflows without replacing the whole system often doesn't appeal. One of the most serious hurdles is the necessity (under the current implementation) of both sender and receiver being at least somewhat savvy to digital signatures in order to make the whole process work as intended. Today's digital signature technology is principally effective in a vertically integrated environment.

The Good: Digital signatures are here, and they actually work

If you've imagined that a digital signature meant using some magic pen to scratch away on the screen to embed your penmanship into the document, you should forget it. Writing on the screen itself is never going to be good for the screen, and it's pretty uncomfortable as well.

Current theory has it that in electronic documents, one needs to do a lot more than simply bind a signature image onto the electronic page. The good news is that the technology exists to make it all work reasonably well. Once users create a Digital ID (more on that in the "Bad" section), design their signatures, know how to recognize a Signature field and understand what to do with it, they can sign PDF documents quickly, effectively and paperlessly.

Digital signatures have a number of advantages over their inky ancestors:

Figure 1: A certified and signed PDF identifies itself as such when opened

Figure 2: Mouse-over a PDF signature to view its status

Figure 3: If changes have been made since signing, you'll know

Figure 4: Acrobat provides information about the signature

Figure 5: If the document has changed, you'll get a warning

Figure 6: Use any signature you like; includes graphics, text and information about your organization or location.

It seems digital signatures should be easy, their usefulness obvious, and their implementation widespread. Such is not yet the case. Let's look at why.

The Bad: Digital signatures remain complex

iCiX works with Fortune 500 companies to improve document workflows at every level. Digital signatures should be a big part of this package, but due to differing technology standards and security models, they are proving very difficult to implement in multi-enterprise applications. For the moment, iCiX resorts to tracking the identity of users accessing and approving documents via simpler login protocols. "We should take digital signatures for granted, like an email address or a DNS lookup," Paul Horan, iCiX North America's COO says. "Until [it] becomes transparent, digital signature technology is not reality for our application."

Integrating a digital signature infrastructure requires a strategy both broad and deep. First, one must confront the basic requirement that all users in the document lifecycle possess an adequate mix of software, configuration and knowledge of digital signature workflows — not to mention approximately equivalent trust in the very concept of digital signatures. For most users, this remains a big step up.

From configuration to training to adoption, Adobe Acrobat is probably one of the easiest signature applications to deploy and use, but that doesn't mean it's easy or obvious from the end-user's perspective. On the plus side, there is no server-side configuration and network downtime to install Reader or Acrobat, and the only real prerequisite (assuming either Acrobat or use of the Reader Extensions technology or service) for signing is the "Digital ID." Still, to meet their potential, digital signature implementations require a lot more than just a signature field and a Digital ID, but nowhere will you find this clearly laid out in the Acrobat documentation.

Digital signature adoption is thus far limited to vertically integrated applications such as that of the Land Title Branch of the Province of British Columbia (PDF) and the Orange County Planning and Development Services Department (PDF). Acrobat also offers Hanko signatures support, as well as support for electronic signature tablets via partnerships such as those with CIC and Interlink. Digital signature solutions that use hardware/software combinations are steadily getting more exciting. For the moment, however, power users make up the (modest) balance of current digital signature aficionados, because for these users, Acrobat makes it reasonably easy to create self-signed IDs and add a signature image to a signature field. Most of the world, however, is still using ink.

The Ugly: Technobabble overkill

What's necessary to take advantage of today's PDF digital signatures? Adobe's digital signature solutions in Reader and Acrobat have something for everyone -— i.e., they include the bare bones of a solution for all levels of information assurance. Unfortunately, even the basics get complicated pretty quickly.

First, you can't sign just any PDF. A signable PDF file must include a Digital Signature field, the device that offers the author greater control over the future use of the document. No special skill is required to make a PDF signable — just a copy of Adobe Acrobat Standard or Professional and a minimal understanding of form fields.

Note that the free Adobe Reader cannot sign a PDF unless the PDF has been "blessed" with extended usage rights (Reader Extensions). Without such rights, every "signer" must have Adobe Acrobat, or equivalent.

Apart from using the right software or a PDF with extended rights, signing a PDF requires a Digital ID. What's that? It's not a familiar concept, even to users who consider themselves savvy to website logins, cookies, PIN numbers and other means of online identification. Digital IDs are issued by third parties, and may also be self-signed — that is, created without a third-party certificate authority. Adobe doesn't recommend self-signed signatures, but offers precious little information as to the distinction, why one might care, or what exactly one should do to acquire a third-party ID.

Now, is a self-signed Digital ID as good as a third party's ID? In some ways, yes, in others, no. For example, with a self-signed ID, you'd have to share your certificate with the other user in order for them to authenticate your signature. Once you've sent them your certificate, they need to know what do to with it. Third-party IDs help to solve this problem, but establishing such an infrastructure - with the associated implementation and training costs - has yet to show obvious payoffs for most organizations. Adobe provides the "plumbing" to automate the sending and delivery of digital signature information, but they leave the actual implementation very much up to you.

Adobe does not recommend the use of self-signed IDs — they are essentially convenience items for experimentation and training, for use among trusted parties or within a small workgroup. Automatic validation is available via the Adobe's Certified Document Service. For other certificates, all the recipient has to do is trust the chain of the sender's certificate in the Advanced > Trusted Identities menu. An official Adobe guide, reference and glossary to the process and considerations of digital signatures is sorely lacking.

On the other hand, a PDF signed with a self-signed ID will announce any changes that occurred since signing. That, by itself, is of real value.

There are hurdles to self-signed signatures too, even for experienced users. Creating a Digital ID, for example, is an 11-step process, well-documented in the Acrobat Help file, but lavish with technical terms, and far from intuitive. See Resources at the end of this article for links to detailed descriptions of the basic digital signature processes.

Even for users who set themselves up with Digital IDs and get to signing their PDFs, nagging doubts often remain. For example, the current self-signed digital signature method almost inevitably means that the "signing" entity is not "really" a person, but the user login under which that digital signature was created. Access to a user's logged-in computer provides access to their digital signature as well. This issue is unaddressed in the documentation. Acrobat 7's Help file offers no advice on how to really employ digital signatures, but focuses entirely on the mechanics of setting up the individual workstation (or is it user login?) to sign a document.

Most users think of their signatures as something that is something only they — not their computer — can create. They want to know, how do you use your digital signature on different computers? (It depends, see Resources, below) What happens when you upgrade your hardware and forget to transfer your signature? You must make a new one. What happens to people using your old certificate? They are unaffected. Should you worry about giving your old computer away? Not necessarily, but if you give away your login as well, then yes. Answers do exist to all these concerns, but many (most) are involved, and anything but obvious.

Let's review the terms that digital signature user wannabes will encounter before they could claim to have reviewed their options and made an informed choice. Those terms would be (with added editorial comments):

• Digital ID also variously known as a private key, credential or profile, depending on when and how you use it. A Digital ID is required in order to digitally sign PDFs.
• Digital ID Certificates may be sent to a recipient of your signed PDF for use in authenticating your signature. Not everyone will find authentication strictly necessary – after all, the PDF is “signed,” and can’t be changed without unsigning itself.
• Third-party digital IDs – Digital IDs that are issued by an independent third party ( i.e., a Certificate Authority). Examples of a third party that issues certificates to consumers or businesses or server is Verisign, CyberTrust, Entrust and Geotrust.
• PKCS#12 and/or PKCS#11 (smartcard) files, or otherwise the Windows Credential Store – perhaps the first time you’ve ever heard of such a thing. See the Resources list, below.
• Trusted Identities. In order to validate a Digital Signature, the sender’s valid and unexpired Certificate must be in your list of Trusted Identities.
• Policies. Policies allow document creators to regulate and track PDF usage.
• Self-signed Signatures “Versus some other kind of signature, not by me?”, I often hear.
• Trusted roots (as opposed, or course to those nasty untrusted roots). There’s only one reference in the entire Acrobat Help file, and it’s not at all clear what’s meant here, nor by trusted anchor, or what trusted roots (or anchors) should mean to the user.
• The distinction between certification and signing (sort of the same, sort of different)

Frankly, ‘nuff said. People still trust the pen in their hands when it comes to signing because they understand what it means to literally put ink on paper. Digital signatures require a radical new level of trust, and trust is not easy to find in a blizzard of unfamiliar, interlocking terms. No wonder most people are still hitting “print” and grabbing a ballpoint.

Conclusion

Digital signatures are, in fact, almost here. Adobe has done a lot of good groundwork on the infrastructure of highly evolved digital signature solutions. What escapes them thus far is a simple way for users to treat a PDF as if it were a fax, skipping (or assuming) the arcana of certificate stores, trusted roots, and the like. Let’s review the use case:
To sign a document, Joe User wants to…

• Open the document (from a local folder, e-mail or website, it shouldn’t matter. Nor should Joe’s current location or current computer matter, he should be able to sign wherever he is)
• “Sign” the thing, without a lot of messing around. All that’s really called for is that he…
• Sees his signature scrawl appear in the right place
• Has some reasonable, uncomplicated assurance that the PDF is now “locked” and can’t be changed
• Save it
• E-mail or Submit it to a Web server

Many compatible technologies hold real promise to assist in the acceptance and integration of digital signatures. Signature pads and biometric devices such as thumb-print and retinal scanners – if seamlessly integrated into the signature process – offer dramatic potential for the future.
Signatures are one of the most horizontal of all applications. Gaining broad acceptance means that the basic signature method needs to be both as simple and as safe as humanly possible. We may all tack on third-party Digital IDs from a Trusted Root with full contact-manager integration without a second’s thought in 2012. Before that happens, we’ll need a revolution in simplicity and trust in the electronic-only environment.

Resources

Adobe Solutions Brief on Secure Electronic Documents (PDF, Adobe Systems)
Sample signatures for use with Acrobat Digital Signature plug-ins (PDF, Adobe Systems)

From the Acrobat Help File
Using digital IDs and certification methods
Obtaining a Digital ID from a third party
Creating a Digital ID
Finding and adding Digital IDs
Selecting a Digital ID
Managing Third Party Digital IDs
Managing Digital ID Certificates
Sharing a Digital ID Certificate
Getting Digital ID Information from Other Users

Some Third-Party Solutions
Adobe Security Partners
FormRouter’s Digital Signature Solutions