
Confirming the uniqueness of a digital signature

ballgame57
Registered: May 30 2007
Posts: 2

Hi everyone.

I am the SOX Manager for a mid-sized company. I am working on using Adobe Pro 7.0 to increase the efficiency of the process. One of my major hurdles is using the digital signatures. Our auditors are looking for assurance that the digital signatures are unique and unable to be duplicated. For example, what keeps one of our clerks from creating the controller's signature and using that on forms? Is there a password validation or active directory check? Unfortunately, my search into the software documentation has yielded nothing. Any hints, tips or help is appreciated.

Thanks.

amenachem
Registered: Jun 7 2007
Posts: 3

As someone who works in an FDA-regulated industry, I would also be interested in finding this out. We are looking to implement digital signatures for our multinational corporation. Our understanding of 21 CFR Part 11 is that a signature without entering a password to ensure uniqueness of the signer would not be compliant.

Any help would be greatly appreciated.

MD
Registered: Jun 14 2007
Posts: 1

In fact, a digital signature is always unique because it is 'computed' on the content you sign. So I don't understand what you mean by "unable to be duplicated".

Since the signature value is always unique and can easily be checked, 'signature duplication' is something useless; any signature application will detect a mismatch.

Hope this helped.
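The point made in the reply above, that a signature is computed from the content and the signer's private key, shown as an added example that is not part of the original thread and not Acrobat's own code. It assumes textbook RSA over a SHA-256 digest with constructed demo keys and documents; all function and variable names are hypothetical.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(document, n):
    # Toy step: SHA-256 reduced into the modulus. Real signatures use PKCS#1 or PSS padding.
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document, private):
    n, d = private
    return pow(digest(document, n), d, n)

def verify(document, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(document, n)

# Constructed demo keys built from known Mersenne primes; far too small for real use.
CONTROLLER_PUB, CONTROLLER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
CLERK_PUB, CLERK_PRIV = make_keypair(2**61 - 1, 2**127 - 1)

# Constructed sample documents.
FORM_A = b"Form A: quarterly reconciliation approved"
FORM_B = b"Form B: vendor payment approved"

def run_checks():
    sig_a = sign(FORM_A, CONTROLLER_PRIV)
    return {
        # Signature made by the controller's key over FORM_A verifies.
        "genuine": verify(FORM_A, sig_a, CONTROLLER_PUB),
        # The same signature value copied onto another form does not.
        "copied_to_other_form": verify(FORM_B, sig_a, CONTROLLER_PUB),
        # A signature made with another private key fails against the controller's public key.
        "signed_with_clerk_key": verify(FORM_B, sign(FORM_B, CLERK_PRIV), CONTROLLER_PUB),
        # Each document gets its own signature value.
        "values_differ": sig_a != sign(FORM_B, CONTROLLER_PRIV),
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The third check only holds when the verifier already has the controller's real public key, which in practice comes from a certificate the verifier trusts rather than from the signed file alone.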
amenachem
Registered: Jun 7 2007
Posts: 3

Hi MD!

Thanks for replying - of course you're right about the uniqueness aspect. We have two reasons to try and implement passwords.

The first reason is to ensure that the person doing the signing is fully cognizant of the signing action - per our understanding of the regulatory requirements there should be a dialog box stating something like "You will be signing this document - please authorize". The authorization - to ensure that the person is who we think s/he is would put in a unique (and not group) password. Once the password is entered, the "act" of signing would happen.

From a security perspective (the second reason) there is always a window of opportunity from when you get up from your computer to when the screen saver / automatic lock kicks on for someone to go to your workstation and use your computer to sign. The password would deny the would-be fraudulent signer this opportunity. Of course there are solutions that get around this from the OS - make the desktop lock sooner / training - ensure that everyone locks their computers as soon as they get up, but I think in the end, we're dealing with regulators that have these expectations.

So, again, if anyone knows of a solution like the one I describe above - with a password requirement to allow the act of signing to occur, I'd really love to hear about it.

Thanks...

randomandy
Registered: Sep 13 2007
Posts: 4

I know there is a way to require this. In Windows I think you make this determination when you first import your private key. If you select high security it will require a password every time the key is used. Lower security settings can alternatively require only one authorization per session.

I can't remember if this happens when importing to Acrobat's certificate store or to Windows certificate store. But I know it's there somewhere.