RudolfJan

How can my customers know if they can trust a signature?

Feb 12, 2012 4:45 AM

As a short introduction, I work for a major Dutch company for production and supply of electrical energy and gas to 2 million Dutch homes and companies. My company aims to go digital with all customer communication including invoices. For our online invoices we already sign them digitally and there comes the problem.


I stumbled upon a problem viewing a pdf invoice, which said “the signature is problematic”. I first thought there was a problem with the certificate, but after reading your column and some discussion with colleagues, I discovered this behavior is “as designed” by Adobe, when reading this blog:

 

http://blogs.adobe.com/security/2008/08/setting_signature_trust_in_ado_2.html

 

 

From a technical point I can understand the point of view, as explained in the blog mentioned above, but …

 

This means that if our customers notice the text “this signature is problematic” they may think something is wrong with the invoice. This may result in expensive calls to our helpdesk and difficult discussions, because it is hard to explain what really happens and why this happens. Or, worse, they may see this message on many invoices and just ignore it because they get used to it. Then they may miss a situation with a forged certificate and not respond accordingly.

The three “solutions” provided in the blog are not real solutions for the problem. Essentially, Adobe Reader tells our customers that they should find out for themselves somehow whether they want to trust our digital signature or not. When customers decide to trust the signature, they are told that it is not recommended to decide to trust signatures.


So, this breaks the chain of trust and with it the system of certification. The customer is left on his own, as in the days of paper-only invoices. I really cannot believe it really works like this. Did I miss something? I think there must be a possibility to verify the signature using an online connection with a trusted partner.

 

Can anyone give me advice how to proceed? I really need a solution that does NOT confuse or mislead our customers.

 

Regards,

 

Rudolf

 
Replies
  • Feb 13, 2012 6:03 AM   in reply to RudolfJan

    Rudolf

     

    I would suggest that you start using a "Certified Document Service" (CDS) credential to sign the documents.  A CDS certificate can be purchased from various Adobe partners; the certificates that are issued for CDS have been signed by an Adobe root certificate, and this means that the "Trust" is built into Reader and Acrobat.  End users who receive a document "certified" with a CDS certificate will see that the signature is trusted automatically.  Check out http://www.adobe.com/security/partners_cds.html for more details.

     

    Regards

    Steve

     
  • Feb 15, 2012 6:32 AM   in reply to RudolfJan

    Any certificate from any issuer (CA) can be trusted to be used for digital signatures or certifying signatures, but Reader or Acrobat must be configured to trust these certificates.  Either you need to add the certificate as a "Trusted Identity" and/or you need to enable Acrobat or Reader access to the Windows Cert Store (Edit > Preferences > Security).

     

    I expect one of the reasons that Adobe chose to have its own Root CA for the Certified Document Service was to be able to guarantee that the "trust" was established automatically (Reader and Acrobat have built in trust for the Adobe Root CA), and any document certified with an official CDS certificate would be "Trusted" (assuming the document has not been tampered with).

     

    Regards

    Steve
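
The point made in the replies above, that the same signing certificate is accepted or rejected depending on which roots the verifier is configured to trust, shown with the `openssl` command line. This is an added example, not part of the thread and not Adobe tooling; all CA names, subjects and paths are constructed, with `viewer-root` standing in for a root built into the viewer and `company-root` for an issuer the viewer does not know.

```shell
# Added demo: every name, subject and path below is constructed.

make_root() {      # make_root DIR NAME: create a self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue_signer() {   # issue_signer DIR ROOT NAME: signing cert issued by ROOT
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

check_trust() {    # check_trust ANCHORS_PEM SIGNER_PEM: chain validation
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo trusted
    else echo untrusted
    fi
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" viewer-root &&     # root the viewer ships with
    make_root "$d" company-root &&    # issuer unknown to the viewer
    issue_signer "$d" company-root invoice-signer &&
    issue_signer "$d" viewer-root cds-style-signer || return 1
    # Trust store after the recipient adds the company root as trusted.
    cat "$d/viewer-root.pem" "$d/company-root.pem" > "$d/configured.pem"
    # Same invoice-signer certificate, two trust stores, two verdicts;
    # the signer issued under the built-in root needs no configuration.
    echo "default=$(check_trust "$d/viewer-root.pem" "$d/invoice-signer.pem")" \
         "configured=$(check_trust "$d/configured.pem" "$d/invoice-signer.pem")" \
         "builtin=$(check_trust "$d/viewer-root.pem" "$d/cds-style-signer.pem")"
    rm -rf "$d"
}

run_demo
```

The "untrusted" verdict in the default case says nothing about whether the signature is cryptographically valid; it only means no configured trust anchor vouches for the issuer.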

     