5 Replies Latest reply on Oct 17, 2012 3:35 PM by George_Johnson

    Digital Signatures - how to prevent anyone from using my name

    luvsql1234

      I've created a bunch of forms that have digital signatures enabled.  When I've created one either with the PKCS or the Windows Certificate, what's to prevent anyone else from just typing my name, email address and Company Name?  Yes, I can create one and save it with a password, but anyone can do that.  I'm confused how I can ask our users to use digital signatures on internal documents, then have them email to accounting or HR, yet there's nothing to prevent anyone from using anyone else's name (ie how can I prove that it wasn't me that signed it)? 

       

      Is there nothing that's tied to Windows ie I can't use my login ID on our domain unless I use my network password?  That's really the ONLY way I can prove I'm me. 

        • 1. Re: Digital Signatures - how to prevent anyone from using my name
          Dave Merchant MVP & Adobe Community Professional

          Self-signed digital signatures are precisely that - the person creating them is the only one attesting to the contents, so you can make a perfectly-valid self-signed ID for Canta Claus of you want to. The critical thing to remember is that a self-signed ID will only validate if the recipient has your keyfile to compare it to. On your own machine it will show as valid because the key is present, but if you send the PDF to anyone else it will show as invalid unless you have separately transferred them a copy of your keyfile. It's that second file which tells them the ID is really yours, as they can physically check where it came from (e.g. by phoning you up). The recipient would then have to manually add the keyfile to the trusted list in Acrobat or Adobe Reader, and finally your PDF signature will get the green tick.

           

          Self-signed IDs are find for internal company workflows as everyone can share their keyfiles, and the IT department can manage what's going on. If you're using digital IDs in a public setting you should never use self-signed certificates, instead you should purchase an ID from a Certificate Authority - a company whose IDs are tied to the 'root certificates' embedded in Acrobat and Adobe Reader. The CA will require proof of identity before selling you the cert, and so anyone can verify it's genuine without needing to contact you. CAS-issued certs for signing PDF files are not cheap, there are several vendors out there and I won't comment on which may be better.

          • 2. Re: Digital Signatures - how to prevent anyone from using my name
            luvsql1234 Level 1

            So basically anyone can open this pdf, create a signature file with my name and email and insert it into the pdf file then email it and the user the receives the pdf has no way of verifying that I was the actual person that signed it?

            • 3. Re: Digital Signatures - how to prevent anyone from using my name
              Test Screen Name Most Valuable Participant

              The important thing is that working with signatures is a multi step process

               

              1. Send your public keyfile to the person who will be working with you.

              2. They import it.

              3. You each acknowledge that this has happened.

               

              4. Send a signed file.

              5. The recipient uses the keyfile they received earlier to check the authenticity.

               

              In other words, there needs to be a "trused" communication at the start of the process where identity is actually verified. Perhaps a phone call or personal visit.

               

              Thereafter the keyfile is used as a shorthand to replace double checking with the original human.

               

              Trying to combine this in one step, sending the keyfile and PDF together, or sending the PDF alone where there is no keyfile to check against is - you are absolutely right - of no value at all.

              • 4. Re: Digital Signatures - how to prevent anyone from using my name
                Dave Merchant MVP & Adobe Community Professional

                Unless you use a certificate issued by a CA, which is the reason they cost so much.

                Test Screen Name wrote:

                 

                The important thing is that working with signatures is a multi step process...

                 

                • 5. Re: Digital Signatures - how to prevent anyone from using my name
                  George_Johnson MVP & Adobe Community Professional

                  Note that there is no need to send a separate file (what has been called a keyfile in this discussion), as the recipient is able to extract it (user's certificate, aka public key) from a signed document, though it may be a good idea. As T.S. Name said, it is a matter of trust. If the recipient chooses to trust that the signed document they receive came from you, then they can feel free to extract the certificate from a signature and add it to their list of trusted certificates. The signature and any future signatures signed with the same digital ID can then be fully validated. I hope it's obvious that a user should not choose to add a certificate to their list of trusted certificates unless they trust the source of the document or other file that contains their certificate. There are many scenarios where such trust can be easily and reasonably established.