CERTIFYING PDF FILES

PDF supports two kinds of digital signature: ordinary approval (standard) signatures and certification signatures. A document carrying a certification signature behaves differently in a viewer from one carrying only approval signatures, because the certifying signature locks the document to the set of changes its author permits. Signatures that certify a PDF in this way are called certifying signatures.

A PDF signed with an Adobe Certified Document Services (CDS) certificate carries the assurance of the Certification Authority that issued that certificate. Only the first signature applied to a PDF can be a certifying signature. It attests to the contents of the document and lets the signer specify which kinds of change the document may still undergo and remain certified.

With an ordinary digital signature, the recipient must explicitly trust the author's certificate, or configure the viewer to trust every identity in the Windows (Microsoft) certificate store. A certifying signature made with a certificate that chains to the Adobe Root CA is trusted out of the box, because that root ships with Adobe Reader and Acrobat; no additional software or configuration is needed to validate it. Note that this trust comes from the certificate chain, not from the signature being a certifying one: a certifying signature made with a certificate from a CA the viewer does not trust still shows as unverified.

Benefits of certifying with BlueRidge

BlueRidge provides a way to easily check the authenticity of issued PDF documents. Because the CRL or OCSP response and the timestamp are embedded in the signature, a signed document can still be validated long after it was signed, which supports long-term archival and auditing. No additional software, swapping of trusted CAs or special configuration for time-stamping and CRL or OCSP checking is needed; it is already integrated. A signature that carries a valid timestamp and an embedded revocation check remains valid even after the certificate has expired, and even if the certificate is revoked later, provided it was valid at the time-stamped signing time. The OCSP/CRL and time-stamping features are included in the base price of the service.

Signature Generation Service

A certified PDF has a certification signature applied by the originator when the document is ready for use. The originator specifies what changes are allowed by choosing one of three permitted levels of modification (stored in the PDF as the DocMDP permission value 1, 2 or 3):

  No changes,

  Form fill-in only, or

  Form fill-in and commenting

Certifying signatures are produced the same way as ordinary PDF signatures. The signer computes a hash over the file bytes named in the signature dictionary's /ByteRange, which is the whole file except the placeholder reserved for the signature value itself, signs that digest with the private key, and writes the resulting CMS (PKCS#7) signature into the placeholder.

The certifying signature is always the first signature applied to the PDF, and the signature dictionary records (through the DocMDP transform) which changes are allowed before the author's certification becomes invalid. BlueRidge supplies the components (time-stamping and OCSP/CRL embedding) that let recipients validate the signature long term. With it, publishers create PDF files that certify to the recipient that the author's identity was verified by a trusted organization and that the document has not been altered beyond what the author permitted.

The Adobe CDS Certificate Policy requires that the private keys behind CDS certificates be generated and held on FIPS 140 validated cryptographic hardware (an HSM or smart card), so that the signing key is never exposed as a software file.

Signature Validation Service

In Adobe Reader, the Blue Ribbon, Question Mark and Red X trust messaging lets the reader see at a glance whether a certified PDF comes from a legitimate source. BlueRidge lets document authors certify PDF files that validate automatically in the free Adobe Reader 6.0 and later.

When a certified PDF is opened, the viewer compares the document as it existed at certification time with the document being viewed, including every incremental update appended since. If updates are present, a modification analysis checks them against the permitted-change level, and the recipient is warned of any change the author prohibited. Recipients only need to open the document in the free Adobe Reader to see whether it can be trusted. By opening the signature properties they can view additional information such as the signing certificate and the embedded OCSP/CRL and timestamp details. No special software or configuration is needed, just Adobe Reader 6.0 or later. In Adobe Reader 8.1 the blue security bar (document message bar) was introduced to make this status even more visible.
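As an added example (not BlueRidge's or Adobe's code), the following Python script builds a constructed, minimal PDF skeleton whose signature dictionary carries a DocMDP transform, then performs the checks a validator makes before it can trust the digest described in the Signature Generation Service section and the modification analysis described above: parse /ByteRange, confirm it covers everything except the /Contents placeholder, compute the digest over the signed ranges, read the permitted-change level, and detect an incremental update appended after certification. The sample bytes are constructed for the example and are not a renderable document; the CMS signing of the digest is left out.

```python
import hashlib
import re

# Labels for the DocMDP /P values of ISO 32000-1 (12.8.2.2): the three
# certification levels this page describes.
DOCMDP_LEVELS = {1: "No changes", 2: "Form fill-in only",
                 3: "Form fill-in and commenting"}

# Placeholder hex string for the CMS signature value. A real signer hashes the
# ByteRange, signs the digest and overwrites this with the DER SignedData.
CONTENTS = b"<" + b"00" * 32 + b">"


def build_certified_pdf(perm: int) -> bytes:
    """Constructed sample (not a renderable PDF): a file skeleton whose
    signature dictionary carries a DocMDP transform with permission `perm`
    and a /ByteRange that excludes exactly the /Contents placeholder."""
    def render(byte_range: str) -> bytes:
        return (
            b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Perms << /DocMDP 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
            b"   /Reference [<< /Type /SigRef /TransformMethod /DocMDP\n"
            b"      /TransformParams << /Type /TransformParams /P "
            + str(perm).encode() + b" /V /1.2 >> >>]\n"
            # padded to a fixed width so filling in real offsets moves nothing
            b"   /ByteRange " + byte_range.ljust(40).encode() + b"\n"
            b"   /Contents " + CONTENTS + b" >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
        )
    draft = render("[0 0 0 0]")            # first pass only to learn offsets
    gap_start = draft.index(CONTENTS)
    gap_end = gap_start + len(CONTENTS)
    return render(f"[0 {gap_start} {gap_end} {len(draft) - gap_end}]")


def parse_byte_range(pdf: bytes) -> list:
    m = re.search(rb"/ByteRange\s*\[([\d\s]+)\]", pdf)
    if not m:
        raise ValueError("no /ByteRange in signature dictionary")
    return [int(x) for x in m.group(1).split()]


def docmdp_permission(pdf: bytes):
    """The /P value of the DocMDP transform, or None for a plain approval
    signature that carries no certification rules."""
    m = re.search(rb"/TransformMethod\s*/DocMDP.*?/P\s*(\d)", pdf, re.S)
    return int(m.group(1)) if m else None


def byte_range_digest(pdf: bytes, byte_range: list) -> str:
    """SHA-256 over exactly the bytes the signature covers."""
    h = hashlib.sha256()
    for offset, length in zip(byte_range[0::2], byte_range[1::2]):
        h.update(pdf[offset:offset + length])
    return h.hexdigest()


def check_coverage(pdf: bytes, byte_range: list) -> tuple:
    """Structural checks a validator must make before trusting the digest:
    two ranges, starting at byte 0, separated only by the /Contents hex
    string, and reaching end of file. Anything after the signed range is an
    incremental update applied after certification."""
    if len(byte_range) != 4 or byte_range[0] != 0:
        return False, "ByteRange must be [0 a b c]: two ranges from byte 0"
    a, b, c = byte_range[1:]
    gap = pdf[a:b]
    if not (gap.startswith(b"<") and gap.endswith(b">")
            and re.fullmatch(rb"[0-9A-Fa-f]*", gap[1:-1])):
        return False, "gap between the ranges is not the /Contents hex string"
    if b + c > len(pdf):
        return False, "ByteRange extends past end of file"
    if b + c < len(pdf):
        return False, (f"{len(pdf) - (b + c)} bytes follow the signed range: "
                       "an incremental update to judge against the DocMDP level")
    return True, "signature covers the whole file except /Contents"


def append_incremental_update(pdf: bytes, body: bytes) -> bytes:
    """Simulate an edit after certification: PDF viewers append new objects
    and a new trailer instead of rewriting the signed bytes."""
    return pdf + b"\n3 0 obj\n" + body + b"\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    pdf = build_certified_pdf(perm=2)
    br = parse_byte_range(pdf)
    level = docmdp_permission(pdf)
    print("certification level:", level, DOCMDP_LEVELS[level])
    print("coverage:", check_coverage(pdf, br))
    print("digest:", byte_range_digest(pdf, br))
    edited = append_incremental_update(
        pdf, b"<< /Type /Annot /Subtype /Text /Contents (added after signing) >>")
    print("after edit:", check_coverage(edited, br))
    # The signed bytes are untouched, so the digest alone cannot see the edit.
    print("digest unchanged:", byte_range_digest(edited, br) == byte_range_digest(pdf, br))
```

The last step is the point: an incremental update leaves the signed ranges, and therefore the digest, untouched. A validator that stops at "digest matches" would accept the edited file, which is why the viewer has to go on and analyze everything after the signed range against the DocMDP level the author chose.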

OCSP/CRL

If a signing certificate is revoked, the CA publishes its serial number and revocation date in its CRL and reports it through its OCSP responder. During certification BlueRidge checks the status of the signing certificate against the CRL or via OCSP (Online Certificate Status Protocol). If the certificate is good, the digitally signed CRL or OCSP response is embedded in the signature as evidence that the certificate was valid when the document was certified, so the signature can still be validated after the certificate expires or is revoked. A later revocation affects only documents signed after the revocation date, and only when the status response is embedded and the signing time is fixed by a trusted timestamp; without the timestamp, nothing proves the signature was made while the response was current. No special plug-in or separate validation engine is required. If no OCSP/CRL response is embedded, the verifier has to look up revocation status at validation time, and once the certificate has expired the CA may no longer answer for it, so the signature's validity effectively ends with the validity of the certificate used to sign the document.

Signature Browser Plug-in

The Signature Browser Plug-in is used when the signing certificate lives in the keystore of the user's own computer and the user signs in semi-delegated mode. The plug-in acts as a bridge between the web application and that local keystore. Because the client-server communication runs over HTTP(S), firewall problems are greatly reduced.

This module is available as a Java applet and as a .NET ActiveX version.

Time Stamping Service

BlueRidge also embeds a timestamp in the signature. The trusted timestamp is issued by an RFC 3161 compliant Time Stamp Authority (TSA) server. The TSA signs its tokens with a certificate issued by the same CA that issued the signing certificate, so a single trust anchor covers both the signature and its timestamp. When the time-stamping server is reachable at signing time, BlueRidge embeds the secure time in the signature. This fixes the signing time independently of the signer's own clock, which is what makes the embedded revocation evidence meaningful and gives the signature its non-repudiation.
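As an added example (not BlueRidge's or Adobe's code), here is the decision logic a validator applies once it has pulled the certificate validity, the RFC 3161 timestamp, the embedded CRL/OCSP response and any live status out of the signature. It serves both the OCSP/CRL section and this one. The data classes, the `verify_long_term` function and the dated scenarios are assumptions made for the example; they show why expiry or a later revocation leaves a time-stamped signature valid, why an embedded response proves nothing without the timestamp, and why a signature with neither becomes indeterminate once the certificate expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def utc(s: str) -> datetime:
    """Parse an ISO 8601 string as a UTC instant (helper for the scenarios)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass
class RevocationInfo:
    """What a CRL or OCSP response asserts about the signing certificate.
    produced_at/next_update are the response's thisUpdate/nextUpdate window;
    revoked_at is None when the response says 'good'."""
    produced_at: datetime
    next_update: datetime
    revoked_at: Optional[datetime] = None


@dataclass
class SignatureEvidence:
    """Fields a validator extracts from a CDS signature (assumed model)."""
    cert_not_before: datetime
    cert_not_after: datetime
    timestamp: Optional[datetime]        # RFC 3161 token time, None if absent
    embedded: Optional[RevocationInfo]   # CRL/OCSP response stored in the signature


def verify_long_term(ev: SignatureEvidence, now: datetime,
                     online: Optional[RevocationInfo] = None) -> Tuple[str, str]:
    """Return ('valid' | 'invalid' | 'indeterminate', reason).
    `online` is what the CA answers if asked at verification time; None when
    it no longer answers, which is typical once the certificate has expired."""
    proven = ev.timestamp is not None
    # Without a trusted timestamp the only instant the verifier can trust is
    # its own clock, so everything is judged as of 'now'.
    ref = ev.timestamp if proven else now

    if not (ev.cert_not_before <= ref <= ev.cert_not_after):
        if proven:
            return "invalid", "certificate was not valid at the time-stamped signing time"
        return "indeterminate", "certificate expired and no timestamp fixes the signing time"

    # The embedded response is evidence only if the timestamp pins the signing
    # time inside that response's window; otherwise a signer could hoard an old
    # 'good' response and sign after being revoked. Fall back to a live lookup.
    if proven and ev.embedded and ev.embedded.produced_at <= ref <= ev.embedded.next_update:
        status = ev.embedded
    else:
        status = online
    if status is None:
        return "indeterminate", "no usable CRL/OCSP data for the signing time"

    if status.revoked_at is not None and status.revoked_at <= ref:
        return "invalid", "certificate was revoked at or before the signing time"
    if status.revoked_at is not None:
        return "valid", "revoked only after the time-stamped signing time"
    return "valid", "certificate good at the signing time"


if __name__ == "__main__":
    # Constructed scenario: certificate valid 2013-2015, signed in March 2014,
    # verified in 2016 after the certificate expired and the CA stopped answering.
    nb, na = utc("2013-01-01T00:00:00"), utc("2015-01-01T00:00:00")
    signed = utc("2014-03-01T12:00:00")
    fresh = RevocationInfo(signed - timedelta(minutes=1), signed + timedelta(days=7))
    now = utc("2016-06-01T00:00:00")
    print(verify_long_term(SignatureEvidence(nb, na, signed, fresh), now))
    print(verify_long_term(SignatureEvidence(nb, na, None, fresh), now))
    later = RevocationInfo(now, now + timedelta(days=7),
                           revoked_at=utc("2014-09-01T00:00:00"))
    print(verify_long_term(SignatureEvidence(nb, na, signed, None), now, online=later))
```

The window check on the embedded response is the detail that is easy to get wrong: a response that says "good" is only evidence for the interval between its thisUpdate and nextUpdate, so the time-stamped signing time has to fall inside it. Outside that window the validator must consult live status, and if it cannot, the honest answer is "indeterminate", not "valid".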

Copyright 2014 © All Rights Reserved.