PDF Authentication

From Drumlin Security Wiki

Authentication is the process of determining whether a document comes from the person or organization it claims to come from and/or is correctly signed by them. With Digital Rights Management systems the issue of authentication can largely be ignored, as the source and distribution of secured files are centrally managed and controlled. The basic ideas are summarized by Adobe as follows:

"PDF supports two kinds of digital signatures: approval signatures and certification signatures. Any number of approval signatures may be applied to a PDF document but only one certifying signature may be applied and it must be the first digital signature. Approval signatures are used in the same manner as the ink on paper signatures we are all familiar with. Certification signatures are considered a part of creating the PDF file so only occur once at the beginning."

The screenshot below provides an example of the use of digital signatures with the Adobe software. Not all PDF readers display this signature information, so for such files use of Adobe's reader is recommended. Also notice that the first signature shown here is recorded as being by DocuSign, i.e. via a third-party document signing service.

Digital Signatures
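Where a reader does not display signature details, the signature dictionaries can still be inventoried directly from the file. The following is an added example, not code from this wiki or from Adobe: it classifies each signature as certification or approval and checks the "only one certifying signature, and it must be first" rule quoted above. It assumes signature dictionaries are stored uncompressed with their `/Reference` entry inline, uses a constructed sample, and does not verify any signature cryptographically.

```python
import re

# Constructed sample: signature dictionaries as they could appear in a PDF that
# was certified once, then approved twice through incremental updates.
# /Contents values are shortened placeholders, not real signatures.
SAMPLE = b"""
5 0 obj
<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached
   /ByteRange [0 840 1864 312] /Contents <00>
   /Reference [ << /Type /SigRef /TransformMethod /DocMDP
                   /TransformParams << /Type /TransformParams /P 2 /V /1.2 >> >> ] >>
endobj
12 0 obj
<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached
   /ByteRange [0 2600 3624 290] /Contents <00> >>
endobj
19 0 obj
<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached
   /ByteRange [0 4300 5324 305] /Contents <00> >>
endobj
"""

OBJ = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# A certification signature carries a signature reference using the DocMDP transform.
DOCMDP = re.compile(rb"/TransformMethod\s*/DocMDP\b")

def list_signatures(pdf_bytes):
    """Return signatures ordered by the end of the byte range each one covers."""
    sigs = []
    for m in OBJ.finditer(pdf_bytes):
        br = BYTE_RANGE.search(m.group(2))
        if not br:
            continue  # not a signature dictionary
        _, _, start2, len2 = map(int, br.groups())
        kind = "certification" if DOCMDP.search(m.group(2)) else "approval"
        # start2 + len2 is the file length at signing time, which gives signing order.
        sigs.append({"obj": int(m.group(1)), "kind": kind, "covers_to": start2 + len2})
    return sorted(sigs, key=lambda s: s["covers_to"])

def check_rules(sigs):
    """Flag violations of: at most one certification signature, and it comes first."""
    problems = []
    certs = [i for i, s in enumerate(sigs) if s["kind"] == "certification"]
    if len(certs) > 1:
        problems.append("more than one certification signature")
    if certs and certs[0] != 0:
        problems.append("certification signature is not the first signature")
    return problems
```

A file that fails `check_rules` warrants inspection in a reader that shows full signature details; a file that passes still needs its signatures validated.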

Digital certification is slightly different from applying signatures: it involves the use of an independent certification authority. Adobe approves the following certification authorities: Entrust, GlobalSign, and DigiCert (these signing authorities do tend to change over time). The screenshot below illustrates the prompt provided when using the signing tool in Adobe's Certificate Signing option:

Digital Certification