5 Replies Latest reply on Feb 7, 2013 3:09 AM by SimonESATS

    Creating and exporting secure Digital IDs for third party verification

    Scott Boyer

      Hi everyone-


      I work for a company that employs a stable of drivers, who are required to send in time sheets every other week with their payroll details. These sheets must be signed off on by a third-party manager after being written up by the drivers to verify that the information they provide is accurate. In order to streamline the payroll process, I have created a fillable .pdf version of the payroll form in the hopes that the drivers will complete it, sign it, submit it to management for approval, and send it back in all electronically rather than print it off, get it signed and then scan it and send me a copy of the scan, as some of them are choosing to do. The issue I am encountering is finding a way to be sure the approval e-signatures are coming from the actual managers and not simply being created and plugged in by the drivers. I have been trying to find a way for the managers to send me their actual signatures and a password of their choice so that I could create a secure ID for them and send the ID file back to them as a valid means of ensuring that they end up in the right hands, but am not sure if this is feasible at all or how to pull it off if so - any suggestions or advice would be much appreciated.

        • 1. Re: Creating and exporting secure Digital IDs for third party verification
          George_Johnson MVP & Adobe Community Professional

          You should not create the IDs for the managers; they should create their own. Once they do, you can have each manager digitally sign a simple form and you can choose to trust the certificate (public key) that you can extract from the signature. Do not choose to trust it if you are not absolutely confident that it was in fact the manager who sent it to you. In the future, if someone attempts to impersonate a manager by creating a bogus ID, you can tell it's bogus because you have not chosen to trust it. The only signatures that will pass verification will be ones from IDs that you have chosen to trust. Since you have only chosen to trust certain ones, there should not be a problem. A problem can occur if someone other than the manager gains access to the manager's private key or machine/password, but that is a different matter. This would be a potential problem even if you used third-party certificates.

          • 2. Re: Creating and exporting secure Digital IDs for third party verification
            Steven Madwin Adobe Employee

            Hi Scott,


            I have a different feeling about this than George does. What you are looking to do is become your own Certificate Authority (CA), and if you're willing to do the work then I don't see a problem within the context you are talking about. What you are looking to do is create self-signed digital IDs, which, although they create a valid digital signature, do have a limited scope of trust. You have the advantage of being the CA in that you can escrow copies of the digital IDs because some of the managers will lose them (usually due to a computer failure, but sometimes just because they are careless), as well as being able to procure the public key before you even send them the file. This way you can add the public key to your Acrobat list of "Trusted Identities" so the signature on the time sheet will be valid right off the bat.


            A digital signature provides two different things. First, it provides a test for document integrity, that is, whether the document has been modified since it was signed. It doesn't matter where the digital ID used to sign the document came from for this. The other thing a digital signature provides is signer integrity, that is, the signer is who they say they are. There is a lower degree of assurance if the digital ID the signer uses is a self-signed digital ID generated by Acrobat because there is no method to revoke the signing credential. This is where you have to decide on the degree of assurance you need. On one end you have digital IDs that are on biometric devices, where you have a high degree of assurance that the issuer is who they say they are, and maybe slightly less secure is a digital ID that is on a two-factor smart card, which is the current standard for high-assurance digital IDs. But, since you are the one who is creating the digital ID, you get your hands on the public-key certificate before you even send the file out to the ultimate recipient (the manager), so you'll know the digital signature was created by a trusted digital ID. The one thing you don't know is whether the manager's computer has been compromised so that one of the drivers has signed a bogus timesheet. Knowing that the driver would have to both gain access to the computer and gain access to the digital ID's password will give you some degree of assurance, and that's all I think you are looking for.


            The only thing I'd suggest is you save the digital IDs you create for the managers in a couple of different places (I mean each one has a copy of itself on a different drive), and access to the drives is password protected with a password that only you know AND it's a secure password (some combination of numbers, letters and symbols at least eight characters long and not a word you can find in the dictionary). In the end the hardest part is getting the manager to either remember the password they created, or more likely they will forget the password you end up creating for them (which is probably what will end up happening). I know there are people who will tell you that you shouldn't know the password, but if the whole purpose of this exercise is for you to get timesheets from others it doesn't matter if you know the password, because if you wanted to fudge the times you could do that now. In the end all you want to do is trust the data that comes to you, and nobody else is going to care.
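            Replies 1 and 2 above describe the same model from two angles: a signature proves two separate things (the document was not changed, and a specific key made the signature), and only certificates you deliberately added to your Trusted Identities list pass verification. The Go program below is an added illustration of that model, not code from Adobe or from anyone in this thread. It uses only Go's standard library and stands in for Acrobat with a minimal self-signed ID, a signed document carrying its certificate, and a trust store keyed by the exact certificate rather than by the name printed on it. The type and function names (SignerID, SignedDoc, TrustStore, Verify) and the sample timesheet line are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignerID is a self-signed digital ID: a private key plus the certificate
// carrying the matching public key (the kind of ID Acrobat generates locally).
type SignerID struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSelfSignedID generates a P-256 key and a certificate signed by that same
// key. Anyone can mint a second ID with an identical name, which is why the
// verifier below never trusts a name, only a specific certificate.
func NewSelfSignedID(commonName string) (*SignerID, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses a random serial
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SignerID{Key: key, Cert: cert}, nil
}

// SignedDoc is what comes back from the manager: the document, an ECDSA
// signature over its SHA-256 digest, and the signer's certificate in DER form.
type SignedDoc struct {
	Content, Signature, CertDER []byte
}

// Sign produces a SignedDoc over content with this ID's private key.
func (id *SignerID) Sign(content []byte) (*SignedDoc, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDoc{Content: content, Signature: sig, CertDER: id.Cert.Raw}, nil
}

// TrustStore plays the role of Acrobat's "Trusted Identities" list. It is keyed
// by the certificate's DER bytes; pinning a SHA-256 fingerprint of those bytes
// would work the same way.
type TrustStore map[string]bool

// Trust pins a certificate after it has been confirmed out of band (in person,
// by phone) to be the manager's.
func (ts TrustStore) Trust(cert *x509.Certificate) { ts[string(cert.Raw)] = true }

// Verify returns nil only when both properties hold: document integrity (the
// signature verifies under the embedded certificate's key) and signer identity
// (that exact certificate is one the verifier chose to trust).
func (ts TrustStore) Verify(doc *SignedDoc) error {
	cert, err := x509.ParseCertificate(doc.CertDER)
	if err != nil {
		return fmt.Errorf("bad certificate: %w", err)
	}
	// CheckSignature hashes Content with SHA-256 and verifies the ECDSA signature.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, doc.Content, doc.Signature); err != nil {
		return fmt.Errorf("integrity check failed (modified content or forged signature): %w", err)
	}
	if !ts[string(cert.Raw)] {
		return fmt.Errorf("signer %q is not in the trusted identities list", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	manager, _ := NewSelfSignedID("Manager A")
	impostor, _ := NewSelfSignedID("Manager A") // same name, different key
	trusted := TrustStore{}
	trusted.Trust(manager.Cert)
	sheet := []byte("driver=D.Smith;week=2013-02-04;hours=40;approved=yes") // constructed sample
	genuine, _ := manager.Sign(sheet)
	fmt.Println("genuine: ", trusted.Verify(genuine))
	tampered := *genuine
	tampered.Content = []byte("driver=D.Smith;week=2013-02-04;hours=60;approved=yes")
	fmt.Println("tampered:", trusted.Verify(&tampered))
	forged, _ := impostor.Sign(sheet)
	fmt.Println("impostor:", trusted.Verify(forged))
}
```

            The three cases in main make the distinction concrete. The look-alike ID carries the same name as the manager's and its signature is cryptographically valid under its own certificate, so only the trust-store lookup rejects it; the edited timesheet fails the integrity check before the trust store is even consulted. As Steven notes, a self-signed ID cannot be revoked, so removing a compromised manager's certificate from the trust store is the only remedy this model offers, which is worth keeping in mind when deciding how many such IDs you want to manage.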



            • 3. Re: Creating and exporting secure Digital IDs for third party verification
              Dave Merchant MVP & Adobe Community Professional

              It sounds like a lot of effort for a non-critical workflow - if the drivers are so untrustworthy that they would fake digital IDs, you should be addressing that as a priority. For example, the driver must know that the manager will recognize a faked timesheet if it's sent back, so if you announce the implementation of a random audit process, the high risk of being caught (and presumably fired) would outweigh any gains. You don't necessarily need to do the audits for it to be an effective deterrent.


              In terms of acting as a private CA, the tricky part is transferring the IDs to the managers in the first place, as you say they're "third-party". Unless they visit your office and are told their password face-to-face, you will need to ensure the keyfile and password are delivered separately, so that someone else in their office can't retrieve both elements. If you have a handful of managers, making and distributing the keys yourself isn't too onerous a task - but if you have hundreds of them to manage it's going to be a hassle. George's suggestion of making the managers send you a pre-signed form would share the workload, and with a sensible way to ensure the forms are indeed signed by the person in question it would be just as 'trustworthy'.


              The obvious way to implement George's workflow is to include another field on the returned form. If they can't meet you face-to-face, phone the manager and give them a random word to type in the box - so when the form comes back you know it's from them.


              Another option would be to switch to the Adobe EchoSign system. Given the number of forms being processed there would be a subscription cost, but the major advantage of EchoSign is that there's no local keyfile to carry about (or lose!) - each manager would be identified by an AdobeID, and could sign the form from any Web-connected computer using the EchoSign web portal. EchoSign is closely-integrated into Adobe Reader so it's really easy for a novice to use.

              • 4. Re: Creating and exporting secure Digital IDs for third party verification
                George_Johnson MVP & Adobe Community Professional



                It's interesting you should mention that approach. I suggested what I did specifically so he wouldn't be burdened with that responsibility. When digital signatures were first available with Acrobat I tried to manage a system that was essentially what you describe, and I wouldn't want to do it again. As you say, people lose their IDs and passwords, and I found it easier (on me) to have them create a new one. It can work if the numbers are small, but it does become more cumbersome as they grow. What you describe is helpful when you encrypt documents for folks using certificate security, as it's more troublesome to re-secure a collection of documents with a new certificate than to remind them what their password is and/or have them install their escrowed ID.

                • 5. Re: Creating and exporting secure Digital IDs for third party verification
                  SimonESATS Adobe Employee

                  Just to echo (ha) Dave's recommendation to look into EchoSign. You can set up a form/approval workflow and have everyone electronically sign, which doesn't involve managing certificates.

                  It's not limited to using an Adobe ID either; any email can be used for this.


                  See https://www.echosign.adobe.com/en/how-it-works/echosign-resources.html for some videos on the subject as well.