Building trust in electronic documents

It is important that businesses ensure the integrity and authenticity of electronic documents. Here is how.
Written by Lori DeFurio, Contributor
When enterprises distribute documents electronically, recipients often need to be able to verify three aspects of a document:
  • Integrity: That the content has not been altered
  • Authenticity: That the document is coming from the actual person who sent it
  • Non-repudiation: That an individual who has signed the document cannot deny the signature

Digital signatures address these security requirements. A digital signature is an electronic identification card that contains certain information about the person or entity that has digitally signed the PDF document. A PDF document can have two kinds of digital signatures:

  1. A certification signature, which can be applied by the document's author.
    Adobe Reader or Acrobat automatically checks the authenticity of this signature when you open the document, and then displays a window that indicates whether the signature is valid (that is, authentic and current). This guide also refers to the certification signature as the "author's digital signature".
  2. A standard signature, which can be applied by anyone who has permission to digitally sign the document.
    Adobe Reader or Acrobat can automatically check the authenticity of standard signatures when you open the document, or you can check them manually from within the application.

Note: Adobe Reader or Acrobat must have access to the Internet to check digital signatures.

Establishing trust for unconfirmed digital signatures
Any time that Adobe Reader or Acrobat reports that a digital signature has a status of "Validity Of Author Not Confirmed" or "Signature Validity Is Unknown", you must decide whether to establish trust for that signature.

This task involves three basic steps:

  1. Obtain a certificate for the digital signature from a known, trusted individual or website. If you are at work, request this certificate from your company's IT department. A certificate is an electronic counterpart to driver licenses, passports, membership cards, and so on. Certificates are electronic files containing information about an individual or organization that is used to establish their digital identity.
  2. Add the certificate in Adobe Reader or Acrobat, and then set the trust level for the certificate in the application.
  3. Revalidate the signature.

    Usually, your computer administrator will provide this setup information for you. For general instructions on how to build a list of trusted identities, see "Digital IDs and certification methods" in Adobe Reader Help or Acrobat Help. If you need additional assistance, consult someone who has technical experience in security and the security features of Adobe Reader or Acrobat.

    Be aware that establishing trust for a certificate involves a certain amount of risk. In general, you should only configure Adobe Reader or Acrobat to trust a certificate that you personally download from a known and trusted Web site, or that you receive directly from a trusted individual (after confirming in person or on the phone that he or she indeed sent the certificate).

Finally, you may want to consider establishing trust for a certificate if you are likely to receive multiple documents that are signed by the same author or company. Then each time you choose Validate Signatures, Adobe Reader or Acrobat can check against your list of trusted signatures for a match.
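
One way to carry out the in-person or phone confirmation described above is to compare the SHA-256 fingerprint of the certificate file you received with the fingerprint the sender reads out. The Python below is an added example, not part of the original article or of Adobe's software; the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# They are not a real certificate; any file content hashes the same way.
SAMPLE_DER = bytes(range(48, 112))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file (PEM or raw DER)."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m is None:
        return data  # no PEM armor found: treat the file as raw DER
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex pairs."""
    hexd = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def matches(data: bytes, spoken: str) -> bool:
    """Compare the file's fingerprint with the value the sender read out.

    Spaces, colons and dashes are ignored so the value can be typed as
    heard. A truncated or partly matching value is rejected, because the
    whole fingerprint must be equal.
    """
    want = re.sub(r"[\s:\-]", "", spoken).upper()
    have = fingerprint(data).replace(":", "")
    return want == have


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM)
    print("Fingerprint to read back to the sender:", fp)
    print("Match:", matches(SAMPLE_PEM, fp.lower().replace(":", " ")))
```

Only add the certificate to the trusted list when the full fingerprint matches; a PEM and a DER copy of the same certificate produce the same fingerprint.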

Lori DeFurio is a developer evangelist in Adobe Systems' Intelligent Documents Business Unit.
