Using certified digital signatures on documents to increase trust in online information
In a world where people increasingly question the validity of the information they consume online, readers need to know that what they download from a trusted organization has been authored by that organization and has not been tampered with. Today, all types of organizations face new challenges to help ensure document authenticity and bolster reader confidence.
Digital document authenticity in the public sector
Fake or counterfeit documents are not a new problem. The potential impact of such documents, however, intensifies as we continue to become a more digital society. The federal government is noticing and taking action. Senator Ron Wyden introduced a bill that would improve procedures for the authentication, security, and tamper-evident delivery and transmission of certain court orders. As you can imagine, a fraudulent court order could have serious repercussions.
The Government Publishing Office (GPO) faces similar high-stakes document challenges, as it must ensure the integrity of budgets and other official documents that agencies require to advance and deliver on their missions. The GPO’s stated mission is to keep “America informed as the official, digital, and secure source for producing, preserving, and distributing official federal government publications and information products for Congress, federal agencies, and the American public.”
According to its website, the GPO works to provide transparency in the integrity and authenticity of its PDF documents by taking measures that help prevent unauthorized or accidental changes to data. By “authenticity,” the GPO means that a user can see evidence verifying a digital publication’s identity, source, and ownership.
Sample Certified Bill from GPO.
The GPO accomplishes these goals by using a “certified digital signature,” which Adobe introduced in 2005 as part of Adobe Acrobat. A certified digital signature is an electronic signature, backed by a digital certificate, that specifies what changes are allowed to a document while still maintaining its integrity. A certified digital signature is often used with forms, where organizations want people to enter responses into fields but not change the content around those fields. Certified digital signatures are more difficult to forge than handwritten signatures because they contain encrypted information that is unique to the signer. This information can be easily verified and tells recipients whether the document was modified after the signature was applied.
A document integrity and authenticity lesson for education
Beyond government entities, educational institutions also face significant document integrity and authenticity challenges. College transcripts have always been a target for counterfeiters. Cornell University leverages certified documents to counteract forgery attacks and communicate to the recipient that the document is authentic and unaltered. According to Cornell's website:
“Cornell’s official eTranscript is a certified PDF that displays a blue ribbon on the notification bar across the top of Adobe Reader, ensuring the recipient that the digital signature is authentic and the contents of the eTranscript have not been altered.”
Certifying documents for all industries
Government and higher education might be two of the more obvious industries with clear reasons to use certified documents to ensure authenticity, but they aren’t the only ones that can benefit. Other highly regulated industries, such as food processing and manufacturing, utilities, and energy, face similar document certification requirements.
The world of trade finance, which historically used manual and paper-based processes, such as bills of materials, is entering the digital age. The ability to certify the authenticity of trade documents is essential to enabling digitization, which the industry expects will expand the pace and volume of international trade.
Certify for confidence
Adobe offers various tools to help organizations ensure the integrity and authenticity of their documents.
Certifying a document with Adobe Acrobat is useful if you want the user to be able to make approved changes to a document. When you certify a document and a user makes approved changes, the certification is still valid. You can certify forms, for example, to guarantee that the content is valid when the user receives the form. You, as the creator of the form, can specify what tasks the user can perform. You can specify that readers can fill in the form fields without invalidating the document, for instance. However, if a user tries to add or remove a form field or a page, the certification will be invalidated.
When you open a certified PDF in Adobe Acrobat or Acrobat Reader, these attributes are displayed with a “ribbon” and additional information across the top of the document, making it clear to the reader that the document was certified as originating from a specific organization or individual.
The blue box shows the document is certified.
PDFs can also be certified at scale using Adobe Experience Manager, as part of an automated organizational digital publishing workflow designed to improve efficiency while helping ensure transparency of origin. In this case, an organizational or role-based digital certificate may be used. For instance, the GPO uses “Superintendent of Documents”, rather than a person’s name, as the name of the organization listed on the digital certificate used to certify documents.
To expedite document validation, Adobe Acrobat and Acrobat Reader rely on the Adobe Approved Trust List (AATL) and the European Trust Lists (EUTL). Both lists contain trusted “root” digital certificates. A digital signature (including a certifying signature) created with a credential that can trace a relationship (a “chain”) back to a digital certificate on one of these lists will be displayed as trusted by Adobe Acrobat and Acrobat Reader, as evidenced by the blue bar at the top of the PDF. When you obtain a specific certificate from one of the organizations on the Adobe Approved Trust List, you can use this digital certificate to certify your documents.
Using long-term validation to help ensure your certified document & signature are valid
Not all certified digital signatures are created equal. Organizations need to be sure their implementation uses long-term validation (LTV). LTV allows you to check the validity of a signature long after the document was signed. To achieve this, all the elements required for signature validation must be embedded in the signed PDF. These elements include the signing digital certificate chain, digital certificate revocation status (a system that checks to make sure a certificate is still valid), and a timestamp. The elements can be embedded when the document is signed, or even after a certified digital signature is created.
If some of this information is not added to the PDF, a certified digital signature can only be validated for a limited time. This limitation occurs because digital certificates related to the certified digital signature eventually expire or are revoked. Once a digital certificate expires, the issuing authority is no longer responsible for providing revocation status on that certificate. Without confirming revocation status, the certified digital signature cannot be validated. But, if the required elements are available and embedded during signing, the certified digital signature can be validated without requiring external resources for validation.
Fortunately, Adobe has the solutions to help.
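As an added example (not Adobe's or the GPO's code), the Python sketch below scans raw PDF bytes for the two things this article describes: the certification permission level that decides which changes keep the certification valid, and the long-term validation elements embedded in the file. Assumptions: the function name inspect_pdf and the sample byte strings are constructed for illustration; the scan looks only for the DocMDP transform, the document security store (DSS) and document timestamps defined by the PDF and PAdES specifications; and it is a heuristic that performs no cryptographic verification.

```python
import re

# DocMDP /P values defined by the PDF specification (ISO 32000); default is 2.
DOCMDP_LEVELS = {
    1: "no changes allowed",
    2: "form fill-in and signing allowed",
    3: "form fill-in, signing and annotations allowed",
}

def inspect_pdf(data: bytes) -> dict:
    """Heuristic scan of raw PDF bytes; it does not verify any signature."""
    permission = None
    hit = re.search(rb"/TransformMethod\s*/DocMDP", data)
    if hit:  # a certifying signature references the DocMDP transform
        window = data[max(0, hit.start() - 200): hit.end() + 200]
        p = re.search(rb"/TransformParams\s*<<[^>]*?/P\s+([123])", window)
        permission = DOCMDP_LEVELS[int(p.group(1)) if p else 2]
    # The three elements the article lists for long-term validation.
    has_dss = re.search(rb"/DSS\b", data) is not None
    found = {
        "certificate chain": has_dss and re.search(rb"/Certs\b", data) is not None,
        "revocation status": has_dss and re.search(rb"/(OCSPs|CRLs)\b", data) is not None,
        "timestamp": re.search(rb"/SubFilter\s*/ETSI\.RFC3161\b", data) is not None,
    }
    return {
        "certified": hit is not None,
        "permission": permission,
        "missing_ltv": [name for name, ok in found.items() if not ok],
    }

# Constructed fragments of PDF object syntax (not complete, valid PDFs).
CERTIFIED_WITH_LTV = b"""
5 0 obj << /Type /Sig /SubFilter /ETSI.CAdES.detached
  /Reference [ << /Type /SigRef /TransformMethod /DocMDP
    /TransformParams << /Type /TransformParams /P 2 /V /1.2 >> >> ] >> endobj
7 0 obj << /Type /DocTimeStamp /SubFilter /ETSI.RFC3161 >> endobj
1 0 obj << /Type /Catalog /Perms << /DocMDP 5 0 R >>
  /DSS << /Certs [8 0 R] /OCSPs [9 0 R] >> >> endobj
"""
CERTIFIED_NO_LTV = b"""
5 0 obj << /Type /Sig /Reference [ << /TransformMethod /DocMDP
  /TransformParams << /P 1 >> >> ] >> endobj
"""

if __name__ == "__main__":
    for label, sample in (("with LTV", CERTIFIED_WITH_LTV), ("no LTV", CERTIFIED_NO_LTV)):
        print(label, inspect_pdf(sample))
```

Objects stored in compressed object streams, and timestamps or revocation data carried inside the signature container itself, are invisible to this scan, so a "missing" result means "not found in plain view" rather than "absent".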