As a short introduction, I work for a major Dutch company for the production and supply of electrical energy and gas to 2 million Dutch homes and companies. My company aims to go digital with all customer communication, including invoices. For our online invoices we already sign them digitally, and there the problem comes in.
I stumbled upon a problem viewing a pdf invoice, which said “the signature is problematic”. I first thought there was a problem with the certificate, but after reading your column and some discussion with colleagues, I discovered this behavior is “as designed” by Adobe, when reading this blog:
From a technical point of view I can understand the reasoning, as explained in the blog mentioned above, but …
This means that if our customers notice the text “this signature is problematic” they may think something is wrong with the invoice. This may result in expensive calls to our helpdesk and difficult discussions, because it is hard to explain what really happens and why this happens. Or, worse, they may see this message on many invoices and just ignore it because they get used to it. Then they may miss a situation with a forged certificate and not respond accordingly.
The three “solutions” provided in the blog are not real solutions for the problem. Essentially, Adobe Reader tells our customers that they should somehow find out for themselves whether they want to trust our digital signature or not. When customers decide to trust the signature, they are told that it is not recommended to decide to trust signatures.
So, this breaks the chain of trust and with it the system of certification. The customer is left on his own, as in the days of paper-only invoices. I really cannot believe it works like this. Did I miss something? I think there must be a possibility to verify the signature using an online connection with a trusted partner.
Can anyone give me advice on how to proceed? I really need a solution that does NOT confuse or mislead our customers.
I would suggest that you start using a "Certified Document Service" (CDS) credential to sign the documents. A CDS certificate can be purchased from various Adobe partners. The certificates that are issued for CDS have been signed by an Adobe root certificate, which means that the "Trust" is built into Reader and Acrobat. End users who receive a document "certified" with a CDS certificate will see that the signature is trusted automatically. Check out http://www.adobe.com/security/partners_cds.html for more details.
Thanks for your reply Steve, I will check it out and discuss this with the management. But one more question. Why do you not trust the Windows certification base? Is this for competitive reasons, or is something wrong with Microsoft's policies in allowing certificates? To be very honest, I do not like the idea very much of being dependent on Adobe only.
Any certificate from any issuer (CA) can be trusted to be used for digital signatures or certifying signatures, but Reader or Acrobat must be configured to trust these certificates. Either you need to add the certificate as a "Trusted Identity" and/or you need to enable Acrobat or Reader access to the Windows Cert Store (Edit > Preferences > Security).
I expect one of the reasons that Adobe chose to have its own Root CA for the Certified Document Service was to be able to guarantee that the "trust" was established automatically (Reader and Acrobat have built-in trust for the Adobe Root CA), and any document certified with an official CDS certificate would be "Trusted" (assuming the document has not been tampered with).