
Self-Signed Digital ID

Jenn
Registered: Mar 25 2010
Posts: 4

Hi all,

We are looking at implementing digital IDs for our internal documents. I think purchasing validated IDs is overkill and self-signed digital IDs are the way to go. However, the question has arisen as to what is preventing someone else from creating a digital ID and signature with my name and information?

Thanks,
Jenn

My Product Information:
Acrobat Pro 8.1.3, Windows

Dimitri
Expert
Registered: Nov 1 2005
Posts: 1389
Hi Jenn,

I guess I would ask what's to prevent someone from ink signing your name to something and mailing it off somewhere? Mostly we all trust ink and/or electronic signatures because we have some communication/connection with the person signing. I'm not saying I don't understand your concerns or that they are valid, but people seem to have so much more concern over electronic signatures when the exact same problems exist with pen/paper ones. As with passwords and pin numbers, you would protect your digital ID in the same way by not providing it to untrustworthy sources. Nothing is foolproof against the fraudsters out there.

Hope this helps,

Dimitri
WindJack Solutions
www.pdfscripting.com
www.windjack.com

smadwin
Expert
Registered: Jul 10 2009
Posts: 40
Hi Jenn,

The key with digital signature processing in Acrobat (and when I say Acrobat I mean both Acrobat and Reader, but I'm too lazy to type both words) is trust. Before Acrobat does anything with a signature it has to establish that at least one of the certificates in the signing chain has been designated as a trust anchor. Obviously, with a self-signed digital ID the chain will be a link of one. It will be up to the document recipient to trust the signer's public key in order for signature processing to complete.

This means that it is incumbent on the document recipient to do the due diligence and ensure that the document signer is who they say they are. There is a lot of room here for the bad guy to do social engineering. As you noted, the first thing they can do is create a self-signed digital ID that is in your name. They would also have to convince the eventual document recipient that they are you. One thing they could do is create a free e-mail account and use your name. If they are a bit more sophisticated they could hijack your real e-mail. They could also just pick up the phone, call the recipient and establish a relationship that way in order to get them to trust the certificate.

This is an advantage you get when you use a reputable CA that has vetted the identity of the person to whom they have issued the digital ID. CAs come in different classes where a low assurance CA will give out certs for free, but they don't provide any subsequent revocation checking nor do they check the person's identity. On the other end of the scale a high assurance CA will make sure you are who you say you are and will provide revocation information in order to protect the digital ID should it become compromised. It's a case of you get what you pay for.

Steve

Steven Madwin
Software QA Engineer
Adobe Systems Incorporated
345 Park Avenue, MS-W15
San Jose, CA 95110-2704 USA
408.536.4343 p, 408.537.4053 f
Steven [dot] Madwin [at] adobe [dot] com
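
An added example, not part of the original thread and not Adobe's code, illustrating the trust-anchor point from the replies above with the OpenSSL command line: two self-signed IDs carrying identical name fields both produce mathematically valid signatures, so the recipient has to decide by a certificate fingerprint obtained out of band. The subject, file names and the fingerprint-pinning `accept` policy are constructed for illustration and only model the recipient's trust decision; they are not how Acrobat stores trusted identities.

```sh
#!/bin/sh
# Added example; the subject, names and file paths are constructed for illustration.
work=$(mktemp -d)
SUBJ="/CN=Jenn Example/O=Example Corp"

make_id() {            # $1 = file prefix: new key pair + self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "$SUBJ" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
subject_of()  { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

sign_doc() {           # $1 = private key, $2 = document, $3 = signature output
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
sig_valid_under() {    # $1 = cert, $2 = document, $3 = signature
  openssl x509 -in "$1" -noout -pubkey > "$work/pub.pem"
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}
# Recipient policy: accept only a certificate whose fingerprint matches the value
# obtained out of band (in person, internal directory, a known phone number),
# and only if the signature also verifies under that certificate.
accept() {             # $1 = cert, $2 = document, $3 = signature, $4 = pinned fingerprint
  [ "$(fingerprint "$1")" = "$4" ] && sig_valid_under "$1" "$2" "$3"
}

make_id "$work/real"        # the ID the named person created
make_id "$work/lookalike"   # a second ID: same name fields, different key pair
PINNED=$(fingerprint "$work/real.crt")

echo "internal memo" > "$work/doc.txt"
sign_doc "$work/real.key"      "$work/doc.txt" "$work/real.sig"
sign_doc "$work/lookalike.key" "$work/doc.txt" "$work/lookalike.sig"

for id in real lookalike; do
  if accept "$work/$id.crt" "$work/doc.txt" "$work/$id.sig" "$PINNED"
  then verdict=ACCEPT; else verdict=REJECT; fi
  echo "$id: $(subject_of "$work/$id.crt") -> $verdict"
done
```

Both lines print the same subject; only the pinned fingerprint separates the two IDs, which is why the recipient should take it from a channel other than the one the document arrived on.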