Just so we are on the same page, you are not talking about "signatures" but rather about digital IDs. You use the digital ID to create a digital signature in the electronic world just as you use a pen to create a wet ink signature in the paper world.
When it comes to storing a digital ID there are four options; you can store it in a password protected file (e.g. a PFX or P12 file), you can store it on a hardware device (e.g. a smart card or token), you can let the computer's operating system manage the digital ID (e.g. Mac Keychain Access or Windows Certificate Store), or it can reside on a roaming credential server. There are pros and cons with all three options, but as with everything in computer management you need to balance ease against both security and cost.
The cheapest and simplest is probably to let everyone save their digital ID in a password protected file. The next question is where do you save the file. You could save the file on a flash drive and let people take it with them from computer to computer. The downside to this approach is people tend to lose their flash drives. You could also store the file on a network location that everyone has access to, but here the problem is what happens if the network is down. And of course, in all cases with the digital ID saved in a password protected file, the problem is people tend to forget their password.
Putting the digital ID into the operating system eliminates the forgotten password problem, but now the digital ID is only available from one computer. The concept here is if you can log in and get to your desktop then you are who you say you are and the OS gives you access to the digital ID. Your log in is in essence the password to the file.
Using a hardware device is known as two factor authentication as you have to have the device and know the PIN. This is different from just putting the PFX file on a flash drive because with a secured hardware device the device itself has protection software on it and the private key (which is what you sign with) can never leave the device. The signature is actually created on the device and sent back to Acrobat.
Finally, using a roaming credential server is akin to cloud signing. Like with the secured hardware device, the private key never leaves the server and as long as you have Internet access you can sign from anywhere (hence the "roaming" part of the name). You also have the advantage that if someone does forget their PIN (and someone will) you can reset it on the server. If someone forgets their password to access a PFX file then the file (and ultimately the digital ID) becomes useless.
I know I didn't answer your question because there is no one right answer. You just have to decide what best fits your work-flow.
Well, here's the thing. I have a PDF document containing 19 or so pages that amounts to an employee onboarding packet. I've created the document in Acrobat XI, and will be accessing it with Adobe Reader. My agency currently has about 160 employees and we are growing. The turnover rate for most of our employees, due to the nature of their work, is great. I want to be able to have a new employee sit down at a computer, access the file with Adobe Reader, complete each page--signing where necessary throughout the document, and save their work. I've spent hours on the phone with Adobe as well as our tech folks, and cannot seem to figure out how to do this. My big question is how to do the signature. As I've said, they have to sign on multiple pages throughout the entire document. I have administrative powers to save signatures wherever necessary and plan to save them to a protected separate drive. My agency's director seems to prefer to have the employee sign with their "real" signature as opposed to using a digital format. With Reader 10, I had the option to "apply ink signature". I see that the new version of Reader does not have that option available. I could scan their actual paper signature to my PC, clear the background, save it as a .png file, and sign with a stamp under the comments tab. But I'm not sure if there is an easier/better way to get a signature. There has to be a better way?
This phrase is a danger sign if you are considering digital signatures (I know you say your preference is otherwise): "signing where necessary throughout the document". We see it over and again, and it leads to terrible difficulties. The essence of digital signatures is that they are always on the whole document [corrected], and the requirement for multiple signatures almost always means a paper-based system that is converted to the new world of digital signatures without first understanding the new world. It also suggests that the plan remains to "look at a scribble" and this is a dangerous approach with digital signatures; the appearance of a signature is a minor irrelevance, perhaps a clue to what has been done, but the signature itself should always be verified digitally against the certificate. Just something to bear in mind if you do go that way.
You should take a measured approach to the risks of faked signatures, which is what digital signatures protect against. Paper signatures are essentially worthless in the digital world because anyone who has sight of someone else's signature could scan it or capture it from the screen and add it to a file indistinguishable from the original; this is not rocket science and any motivated employee could do it after getting advice from their younger nephew! On the other hand it's not very hard to copy a scribble on paper, so if there were huge rewards from faking this signature you'd already have a potential problem.
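An added illustration of the "whole document" point above, not part of any post in this thread: a PDF signature dictionary records a /ByteRange naming the bytes its digest covers, so a verifier can tell whether a signature still spans the entire file or whether bytes were appended after signing. The regex scan and the constructed sample documents are assumptions made for illustration; this checks coverage only, not cryptographic validity or the certificate chain.

```python
import re

# /ByteRange [off1 len1 off2 len2] names the two byte spans the signature digest
# covers; the gap between them is the hex string holding the signature value.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_coverage(pdf: bytes) -> list:
    """Report, for each signature found, how much of the file it covers."""
    report = []
    for m in BYTE_RANGE.finditer(pdf):
        off1, len1, off2, len2 = (int(g) for g in m.groups())
        signed_end = off2 + len2
        report.append({
            "gap": (off1 + len1, off2),  # bytes excluded from the digest
            "covers_whole_file": off1 == 0 and signed_end == len(pdf),
            "unsigned_trailing_bytes": len(pdf) - signed_end,
        })
    return report

def add_signed_revision(previous: bytes) -> bytes:
    """Constructed sample: append a signature dictionary with a correct
    /ByteRange. The /Contents value is a placeholder, not a real signature."""
    head = previous + b"\n9 0 obj\n<< /Type /Sig /Contents "
    contents = b"<" + b"00" * 16 + b">"
    tail_fmt = b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n"
    tail_len = len(tail_fmt % (0, 0, 0))  # fixed width, so length is known
    off2 = len(head) + len(contents)
    return head + contents + tail_fmt % (len(head), off2, tail_len)

if __name__ == "__main__":
    once = add_signed_revision(b"%PDF-1.7\n(constructed onboarding packet)\n")
    twice = add_signed_revision(once)
    edited = once + b"\n(text appended after signing)\n"
    for name, doc in (("once", once), ("twice", twice), ("edited", edited)):
        print(name, signature_coverage(doc))
```

In the twice-signed sample the first signature covers only the revision that existed when it was applied, which is why several signatures in one file each need their coverage checked separately.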
I agree with Test Screen Name's comments, and would make the following suggestion: replace the multiple signature fields with standard text fields, and require the user to type their name or initials in each. Only at the end of the document do you then have the digital signature. From a US legal perspective, simply typing one's name is often sufficient to count as a valid electronic signature. (Unless you are subject to stricter requirements, e.g. 21 CFR Part 11.)
In terms of the trust issues, I would suggest having a policy that the certificates used for signing are either individually approved by you, or issued by a Certificate Authority that performs a satisfactory level of identity checking. That way you have a chain from the person's real-world identity to their signing certificate.
(If your onboarding packet consists of multiple separate forms, splitting them into distinct files would solve the problem, and reduce the problem of sharing extra information should only one or two of them need to be retrieved later.)
The other way to do it is to sign up for Adobe EchoSign service. In this case you do not use certificate-based digital signatures but rather electronic signatures whose validity is controlled by the server. At the end of the process with all multiple signatures applied you get a PDF digitally signed by EchoSign which ensures integrity of the document in the future. In your environment (with employee turnover and the need to maintain multiple certificates) that might be a better solution.