Security Matters

Straight Talk about PDF & Digital Signatures - ISSE 2009

2009-11-03T15:58:01Z

Jim King, PDF Architect, senior principal scientist at Adobe and one of the key drivers behind the PDF format and its adoption and continuing development by ISO as a standard (ISO 32000), recently delivered a keynote presentation to the ISSE (Information Security Solutions Europe) 2009 Conference in The Hague, Netherlands. He discussed the evolution of the PDF format and standard, and spent most of his talk introducing the new PAdES signature standard and what it encompasses.

During that conference, Jim sat down with Roger Dean, executive director of eema UK, for a conversation about PDF, the need for digital signatures, challenges of communicating the benefits of digital signatures, and finally a description of the PAdES standard. This interview is now available below (and here)...enjoy!

Acrobat and Reader 9.2 update

2009-10-13T16:34:24Z

On October 13, 2009 - Adobe released critical updates to Acrobat and Reader. All users are recommended to update their systems to the these releases as soon as possible.

These releases provide a number of security enhancements as described in security bulletin APSB09-15.

9.2 and 8.1.7 also include changes to user experience for JavaScript execution, which is described in technote cpsid_50432. A new framework has also been introduced to provide granular control over the execution of specific JavaScript APIs - as described in technote cpsid_50431.

For more detailed release notes on version 9.2, see technote cpsid_50026

To download the updates, the following links are available:

Adobe Reader

New installations of 9.2 are available here: http://get.adobe.com/reader

Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Acrobat

Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows

Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

McAfee and Adobe Team on Automated Data Protection (DLP + DRM)

2009-09-28T04:01:05Z

McAfee and Adobe today announced their global strategic partnership across enterprise and consumer businesses. For enterprises, the companies are developing an integrated solution to expand data protection across the enterprise using data loss prevention and rights management technologies. For consumers, McAfee's free diagnostic tool, McAfee Security Scan, is available as an optional download to customers when installing Adobe Reader and Adobe Flash Player.

McAfee is bundling Adobe LiveCycle Rights Management with McAfee DLP (Data Loss Prevention), so organizations can automate the discovery and protection of critical information assets. This integration lowers the complexity and cost of data protection without the need to change the way users go about their daily business. The result is that more sensitive data is proactively protected based on corporate governance and information assurance policies, but not at the expense of slowing the necessary information exchange inside and outside the firewall.

The combination of these technologies provides an additional persistent protection mechanism for new and existing McAfee DLP customers who have classified content, intellectual property and regulatory compliance information on laptops and desktops. Once sensitive data is identified by DLP, LiveCycle Rights Management instantly applies an enforcement policy based on the content of the document to subsequently restrict who can view the content and what they can do with it. This powerful combination ensures sensitive information is protected at all times (and all places), while allowing external users such as partners, suppliers, or customers to gain access and collaborate on sensitive information as needed. If the protected content is accidentally or maliciously forwarded to or accessed by unauthorized recipients, the content is not viewable.

Adobe is also sponsoring McAfee's upcoming annual security conference, Focus 09, taking place October 6-9 at the Palazzo in Las Vegas. At 4:30pm on the first day of the conference, the companies are holding a conference session, Adobe and McAfee: Securing Data Always on the Move, to demonstrate the integration and provide additional product details. Event registration is available here.

We are pleased to have McAfee join our growing information security ecosystem. Additional details and demonstrations will be posted on this blog soon.

Eliminating the Pen...One Step at a Time: PAdES PDF Advanced Electronic Signature Standard Released for EU

2009-09-23T19:29:47Z

Building on the delivery of the PDF format to the International Standards Organization (ISO) as ISO 32000-1, Adobe has been collaborating with standards bodies around the world to make it easier for companies, organizations and individuals to leverage the ubiquity of PDF to make business processes quicker, easier and more reliable. However, the rush to go paperless has often fallen short of its true potential because signing a document oftentimes brings business critical processes crashing to a halt, requiring users to print out the previously electronic document in order to apply their nom de plume with an ancient writing implement. Electronic signatures are obviously the solution, but there’s still the question of interoperability and the use of electronically signed documents within certain legal frameworks, such as the European Union (EU). With last week’s announcement of an ETSI open standard for PDF digital signatures, that question can now be answered.

ETSI/ESI Technical Standard (TS) 102 778, better known as PAdES (pronounced with either a long or short a), documents how the digital signature format described in ISO 32000-1 meets the needs of the 1999 EU Signature Directive (see previous blog entry), and then goes on to describe how that format can be expanded to take advantage of certain capabilities such as long-term document validation, where digital signatures placed on documents today can be validated five, ten and even 50 years later. (The standard can be downloaded free of charge from the ETSI website at http://pda.etsi.org/pda/.)

While the digital signature technology built into Adobe Acrobat, Reader and LiveCycle ES is described and included in ISO 32000-1, and in turn based on a broad spectrum of industry and international standards, there has been debate about how PDF digital signatures fit into the European Union’s concept of an Advanced Electronic Signature (AdES), as described in the Directive. PAdES ends those debates.

The long and the short of it? Organizations doing business in the European Union that may have hesitated about settling on PDF as a replacement for their paper processes now must consider reevaluating these solutions as viable and credible alternatives. Not only is PDF a ubiquitous and open document format, PDF digital signatures are non-proprietary, standardized, and now, when used properly, recognized as an Advanced Electronic Signature format, just like XAdES and CAdES. PDF digital signatures help make organizations more agile and flexible in the face of constantly changing business requirements. PDF digital signatures can be applied directly to the document itself and can even be displayed on the document just like wet ink signatures. Moreover, PDF digital signatures are technically integrated into the document itself, meaning you only need one software application to both view the document and validate the electronic signature.

Another bonus? You can use Acrobat and Reader 9 (as well as LiveCycle Digital Signatures ES) today to create and validate digital signatures that meet both the PAdES standard and the EU Directive. Click here to download a document that walks you through setting up Acrobat and Reader 9 to produce and consume PAdES Part 2-compatible digital signatures. A document covering LiveCycle Digital Signatures ES is forthcoming.

Adobe has collaborated with key players in the European standards field to develop a white paper that details the importance of developing open standards for interoperable electronic signatures and trust. The paper describes not only PAdES, but also other ETSI advanced electronic signature profiles such as CAdES and XAdES, and explains how they each fit into the discussion. The white paper, “The AdES Family of Standards: CAdES, XAdES and PAdES -- Implementation Guidance for Using Electronic Signatures in the European Union,” can be downloaded here.

For more information about how digital signatures and PDF can lower costs and speed up workflows, check out the links below:

E-invoicing Made E-asy - Security Matters blog entry on e-invoicing and how PDF and LiveCycle can help.
“Applying best practices for secure, automated electronic invoicing.” - White paper
Security Matters blog entries on electronic signatures
Adobe Security Solutions home

Tags:electronic signature,digital signature,digital certificate,PADES,XADES,CADES,CMS,PDF,Acrobat,Reader,ISO,ETSI,standards,format,LTV,long-term validation

Canon introduces imageRUNNER ADVANCE with LiveCycle Rights Management

2009-09-22T14:29:09Z

Canon announced today their imageRUNNER Advance Series to seamlessly bridge the distance between user and multifunction printer (MFP). These models have a tighter collaboration with Adobe technologies, by offering the ability to print and scan into a variety of Adobe PDF formats and integration with Adobe LiveCycle Rights Management ES to bring secure collaboration to PDF documents.

Integration with LiveCycle Rights Management is provided directly on the imageRUNNER ADVANCE control panel to easily select document security policies that persistent protect the electronic document after it is scanned on the device.

History...signed with Adobe products: US District Court Judge issues first digitally signed judicial order

2009-09-21T15:51:35Z

For the first time in history, the Honorable John M. Facciola, Magistrate Judge for the U.S. District Court in the District of Columbia, signed a judicial order, not with paper and pen, but with a digital signature! Press release here.

Judge Facciola viewing his just-digitally signed order in Adobe Acrobat. Courtesy National Notary Association (NNA).

Talk about setting precedent--while electronic filing has been required for some time, orders are typically printed out, signed, and then re-scanned into systems for filing. Not until now has there been such a vote of confidence in the legal significance and weight of a digital signature. By keeping the generation, signing and filing of the order completely electronic, the process is made much more efficient, potentially driving costs down and making the court’s systems work more effectively. This is the latest example of organizations understanding not only the integrity and authenticity benefits of digital signatures, but the resource savings also. Remember, it’s not so much the signature event that consumes time and money--it’s the processes around it.

A fully electronic filing system - that includes electronic signatures - makes sense for America's courts, Facciola said. "This is the next logical development in the transition from paper to electronic filing," Facciola continued. "Implementing electronic signatures will keep the court's processes consistent and contemporary with the actual practices of the society the court serves. We can hope that it will be universally accepted by all those who have to rely on the contents of an electronic document that is in the court's electronic filing system."

A consortium of companies and organizations collaborated with the US District Court to make this happen, including several members of Adobe's Security Partner Community. The National Notary Association provided identification and authentication (I&A) duties and was the lead on this project, using their Trusted Enrollment Agent program. SAIC manages the NNA's credentialing service and was the lead orchestrator of the project. The judge's medium assurance, Federal Bridge cross-certified signing credential was provided by VeriSign, and trusted by Adobe's new Approved Trust List (AATL) program. The signing credential, in turn, was protected by a USB token provided by SafeNet, and the trusted timestamp associated with the signature provided by ChosenSecurity in their capacity as an automatically trusted Certified Document Services Provider. Finally, the actual PDF order was signed in Adobe Acrobat 9.1.

Courtesy SAIC

From left to right: Bill Anderson (NNA), Jacques Francoeur (SAIC), Ed Chase (Adobe), Magistrate Facciola, Nick Blend (US District Courts), Anton Le (US District Courts), Elaine Wright (NNA - Trusted Enrollment Agent™). Courtesy NNA.

"This significant milestone reaffirms that digital signatures offer greater assurances than traditionally signed documents, as they meet higher authentication standards and are protected throughout the document lifecycle," said John Landwehr, director of Security Solutions and Strategy, Adobe. "Signers and recipients alike can easily and confidently validate signatures using the free Adobe Reader deployed on millions of desktops around the world. As a result, documents can be processed more quickly and more securely, in a cost-effective manner."

Click here to see a signed judicial memo from Judge Facciola. The document should automatically validate (with a green checkmark) if you are opening the document in Adobe Reader or Acrobat 9.x and above. If not, be sure to check out the Adobe Approved Trust List FAQ here.

For more information about digital signatures in Adobe products and our Security Partner Community, please visit the following links:

Tags:digital signature,judicial order,partner,electronic signature,precedent,PDF,reference,AATL,CDS,electronic filing,judge,facciola

Contracts @ the speed of light: Adobe's new Click-to-Accept solution

2009-09-14T19:46:27Z

Recently, Adobe launched its C2A (Click-to-Accept) service, providing partners and customers with the ability to electronically sign certain Adobe agreements without a lengthy approval and review process. And what’s more, not only was it developed with the cross-functional support of product, information technology and legal teams within Adobe, it’s also based on off-the-shelf Adobe server and client products, including Adobe LiveCycle® ES, Flash, and Adobe Reader®. We’ve talked in this blog about Adobe’s capabilities to support a wide range of electronic signatures within a single workflow, and here’s a clear example of that in production right here at Adobe.

When Adobe personnel need to send one of these agreements out for execution, they navigate to the Adobe Intranet and access LiveCycle Workspace ES to initiate the process.

They walk through a series of screens (Form Guides) to add information about the recipient.

When complete, this information (name, address, etc) is added to the agreement automatically by LiveCycle Forms ES, and an email sent to the recipient letting her know an agreement is ready for her signature.

Within that email, the recipient clicks on a link which brings her to Adobe.com. The recipient enters her AdobeID and password.

The recipient is presented with the PDF version of the document in her browser and is given two options to either click “I Agree” or “I Do Not Agree” with the terms of the agreement.

If the recipient chooses Agree, the recipient is thanked, and LiveCycle, in the background, appends a page to the end of the document with details about the recipient and Adobe, as well as a paragraph describing the acceptance of the agreement by the recipient. The document is also certified by LiveCycle Digital Signatures ES to lock down the contents of the document for integrity and archiving purposes.

The finalized document is then delivered into Adobe’s contract management system and a copy also emailed to the recipient.

Alternatively, depending on the type of agreement, the recipient may be sent a link by her Adobe representative to the Adobe.com site where she will be prompted to authenticate and fill-in her specific information. Upon completion, the document is rendered, complete with her information, and the recipient can then execute the contract as described above.

Click here to see a copy of a sample non-disclosure agreement processed through the C2A system.

While only three North American agreements are currently covered by C2A, others may go live as the system matures.

For more information about how you can leverage Adobe’s products, including LiveCycle ES, to optimize and accelerate signature and approval workflows within your organization and support a wide range of electronic signature types for legal coverage worldwide, be sure to check out the resources below and/or contact your local Adobe representative. (Also be sure to read other past entries in this blog on signatures - here.)

Adobe Solution Accelerators - Used in the creation of the C2A project, these Solution Accelerators provide jumping off points for enterprise deployment with LiveCycle ES.
Solution Accelerator Blog
LiveCycle ES - Adobe LiveCycle® ES (Enterprise Suite) software is an integrated server solution that blends data capture, information assurance, document output, process management, and content services to help you create and deliver rich and engaging applications that reduce paperwork, accelerate decision-making, and help ensure regulatory compliance.

Tags:electronic signatures,reference,click-thru signature,click-thru,click-through,Adobe,certification signature,certify

Finding your way in the wood: Signature Terminology and Security Resources

2009-08-27T14:02:41Z

If you've been following this blog, you'll know that we toss around lots of terms in each entry, along with references to standards, technologies, products and services. Even if you haven't read this blog before, you may have struggled trying to understand the difference between electronic and digital signatures, or what a "PKCS#11" is, or, for that matter, a trust anchor.

Well, struggle no more--today we published our latest security terms glossary, which should help to clearly define terms and keep everyone here in line with usage. (Let us know if we don't!) Over 140 terms are defined, along with spelled out acronyms, so you are no longer in the dark!

What's more, the glossary is posted on our Security Document Library site, part of the learn.adobe.com wiki area of Adobe's web presence. The Document Library contains links to the latest security documentation, including an omnibus guide, "Digital Signatures & Rights Management in the Acrobat Family of Products," which consolidates many separate documents we've had in the past on signatures, preferences, registry settings, encryption and the like. In addition, there are links to many useful one page 'keys' on signature validation, icons, signature creation, etc.

Find the glossary here. If we've missed any terms or some element of documentation, please email John Harris at jbharris(at)adobe.com.

Tags:electronic signature,digital signature,terms,glossary,resources

News from Adobe’s Security Partner Community: VeriSign Joins the Adobe Approved Trust List

2009-08-25T20:36:54Z

Several weeks ago, Adobe launched the Adobe Approved Trust List (AATL), our latest effort at making the use of digital signatures easier through better trust mechanisms. VeriSign, already a Provider in our flagship trust program Certified Document Services (CDS) through its acquisition of GeoTrust, announced the inclusion of its Non-Federal SSP in the AATL, widening VeriSign's trust foundation in Adobe Acrobat and Reader.

According to Mike Stewart, CIO at the Kansas Secretary of State's office:

As a VeriSign Non-Federal SSP-PKI customer, we are excited to now have the ability to use the certificates we've already issued to digitally sign Adobe documents as part of the AATL program. VeriSign and Adobe have made it easy to deploy and use.

Adobe is excited too! VeriSign, along with other AATL charter Members and CDS Providers, is improving the capability for today's agile enterprises and organizations to use digital signatures and bring cost efficiencies, integrity, and non-repudiation to more document workflows.

For more information on the Adobe Approved Trust List, please visit our website.

To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!

Tags:digital signature,electronic signature,trust,aatl,adobe approved trust list,security partner community,press

Casting a Wider Trust Net: Announcing the Adobe Approved Trust List

2009-07-17T13:09:13Z

Over the years, Adobe has made electronic documents and workflows easier, more efficient, and more secure. With one of the leading implementations of electronic signatures on the market, Adobe products allow you to go the last mile by eliminating the need to print a document out just to sign it. At the same time, we’ve also been busy behind the scenes working on ways to better deliver trust in those electronic and digital signatures so users can rely fully on these new workflows. Today, we’re announcing the launch of our latest trust effort, the Adobe Approved Trust List...available now.

The AATL will allow millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Acrobat or Reader 9.0 and above. Essentially, both Acrobat and Reader have been programmed to reach out to an Adobe-hosted web page to periodically download a list of trusted root digital certificates. Any digital signature created with a credential that can trace a relationship (‘chain’) back to a certificate on this list will be trusted by our products. Trust is only one of many questions Adobe products ask when validating an electronic signature, but it is a critical one.


Document Before AATL	Document After AATL

Several countries and organizations have already placed their ‘trust’ in the AATL:

DigiNotar

DigiNotar Qualified CA

GBO.Overheid – Netherlands

Staat der Nederlanden Root CA – with Certificate Policies defining secure hardware
Staat der Nederlanden Root CA – G2 – with Certificate Policies defining secure hardware

GlobalSign

DocumentSign CA

Keynectis

ICS CA

SwissSign

SwissSign Platinum CA — G2

TC Trustcenter / ChosenSecurity

CA 7:PN
CA 8:PN

US Federal Common Policy Root

Common Policy – 2010 expiry @ Common Hardware, Common High, Medium HW CBP
Common Policy – 2027 expiry @ Common Hardware, Common High, Medium HW CBP

VeriSign

Class 3 Intermediate Non-Federal SSP @ Medium-Hardware

Starting today, valid signatures with credentials from these providers, chaining up to these certificates, and meeting a set of Technical Requirements will be automatically trusted in Acrobat and Reader 9.0 and above, including most US Federal HSPD-12 / PIV cards.

So how do you take advantage of the AATL? Well, if you’re using Acrobat or Reader 9, you don’t need to do anything! This feature is turned on by default when you install these products, and the Trust List will automatically be updated every 90 days, though you must open a signed document (like the one here, for example) or open a signature-related menu item to trigger the timer and update.

If you want to verify the AATL is enabled, go to Edit (‘Acrobat’ on Mac)->Preferences->Trust Manager and be sure that the “Load trusted root certificates from an Adobe server...” check box is checked. (See image below.) You can then click the “Update Now” button in that same dialog box to download the latest version of the AATL from Adobe. In any case, be sure to review the User FAQ if you’re having any problems or have any questions about how the AATL works.

The launch of the AATL complements our existing Certified Document Services (CDS) trust program, where new digital IDs that are chained to the Adobe Root certificate embedded in Adobe products are automatically trusted. CDS is key to document certification efforts at the US Government Printing Office, Avow Systems, the Antwerp Port Authority, and many other customers who use high assurance signatures to protect the integrity and authorship of key electronic documents. Anybody who opens a PDF document signed or certified by a CDS credential automatically gets a ‘blue ribbon’ experience with trust provided to the signature without any user interaction. Five certificate authorities currently offer CDS certificates.

While the high level benefits of the Adobe Approved Trust List program are similar, the AATL is only available in Acrobat and Reader 9 at this time. It is not backwards compatible. CDS credentials, on the other hand, are backwards compatible from the current generation of Acrobat and Reader all the way back to version 6. Also CDS Providers offer certificates that meet a similar high standard for assurance and feature additional capabilities including the automatic embedding of robust timestamping and real-time revocation to provide for easy, long term validation of digital signatures. However, existing certificate communities, such as government national ID card programs, can join the AATL, as the chain to the Adobe Root certificate is not required. Contact Adobe to get more information about which program is right for your organization / government.

If you’d like to test the AATL (and you've verified that it's enabled and downloaded per the instructions above and in the FAQ), please browse our sample documents available here.

And the story doesn’t end there! Several more government and commercial entities are lined up to join the program in the coming months...stay tuned.

Please visit the AATL webpage for more information.

Tags:Trust List,trust,acrobat,reader,digital signature,electronic signature,assurance,cds,certified document services,AATL

“Sign here...” Getting started with electronic signatures in Adobe products

2009-05-28T20:59:00Z

This is the latest entry in our “What is an Electronic Signature, Anyway?” series. You can find previous entries here.

Recently, I’ve received a number of emails from our users asking questions about electronic signatures, so I thought it would be useful to briefly answer some of these frequently asked questions and also direct you, dear reader, to a variety of resources here at Adobe that can help.

First, I recommend you read the other blog entries in our “What is an Electronic Signature, Anyway? “ series to better understand the terminology and issues surrounding electronic signatures.

Now onto the questions...

I want to electronically sign a PDF—what do I need to do?

There are lots of different ways to electronically ‘sign’ documents, but they vary in terms of reliability, longer-term validity, and application.

At a very basic level, you could create a signature stamp or use the (new in Acrobat 9) ‘Apply Ink Signature’ capability to put a handwriting-like signature on the PDF that could be printed out or emailed, much in the same way a fax signature might work. These signatures don’t get you much more than that fax signature, and can be manipulated, duplicated or deleted unless the document is ‘flattened,’ but it’s one way to get started. Unfortunately, these kinds of signatures will not lock out changes or notify the recipient if something has been changed in the document...which is not so different than a wet ink signature, is it?

At a more sophisticated level, you could use a dedicated signature pad and software to capture your signature and embed it into the document. This can lock the document and notify the recipient if changes have been made. Several of our partners provide hardware and software plug-ins to manage this type of signature: CIC, Interlink, and SoftPRO.

Finally, you have digital signatures, which can lock down the document and notify recipients that the document has been changed, resulting in higher trust in the document. Acrobat provides you with the capability to create so-called ‘self-signed’ digital IDs (credentials) used to create digital signatures. While these are convenient, they do not offer the recipient any proof of the signer’s identity...the signer is vouching for his or her self. However, this may be sufficient for personal use or small-medium businesses exchanging documents in trusted relationships.

You can also purchase digital IDs from third party ‘Certificate Authorities,’ who can validate your identity and provide better assurance as to your digital signature. These digital IDs may offer other benefits too, such as automatic trust in Acrobat and Reader, and embedding of secure time & validation information (Certified Document Services). More below...

Does Adobe provide digital IDs (certificates) for use with digital signatures? If not, where do I get them?

No, Adobe does not provide digital IDs, other than giving you the ability to create self-signed ones. We rely on close partnerships with a number of leading Certificate Authorities (CAs) from around the world to provide these certificates to our customers. Certificates can be bought on a one-off basis to sign your PDF documents and email, or your organization could actually contract with these CAs for a managed service where certificates are provisioned to your users via web interfaces. Other partners sell appliances and other products that can make deploying certificates quite easy. Visit our Security Partner Community and explore the partners and solutions listed under “Digital ID infrastructure.”

Of course, your organization may already be running a PKI (public key infrastructure) in-house that can provide you with a digital ID...be sure to check with your IT department.

I’ve read about CDS...how do I join the program?

I have received a number of inquiries about Adobe’s Certified Document Services (CDS) program and see that there is some confusion about how the program works.

Note that Adobe does not sell CDS certificates per se, but rather administers the program and provides the structure by which our CDS Providers can create these higher assurance, higher trust signing credentials—in use today with the US Government Printing Office, top universities, and other organizations looking to provide assurance as to the authorship and integrity of documents of record.

So, if you are interested in taking advantage of these credentials to sign your organization’s PDF documents and experience the automatic trust provided by CDS, please contact Adobe’s CDS Providers to purchase a CDS digital ID.

However, if your organization actually operates a Certificate Authority, and you would like to learn more about how to participate in the trust programs offered by Adobe, please contact us here.

Where do I go to get more information?

That’s easy!

Start with this blog;
Visit the AcrobatUsers.com Security Forum;
Explore the Learn.adobe.com wiki and documentation site; and
Be sure to use the built-in product help files!

Tags:electronic signatures,digital signatures,tutorial,FAQ,CDS,certified document services,security partner community

“Click on this...” Adobe’s eSubmissions Solution Accelerator Shows Off Click-thru Approvals & Signatures

2009-05-27T17:08:38Z

Electronic signatures come in many shapes and sizes, and for a long time, Adobe has been primarily associated with three of those sub-types—digital signatures, certification signatures, and handwritten eSignatures based on solutions from our Security Partner Community—due to our comprehensive coverage of, and capability for, those technologies. However, customers and partners do not often associate us with click-thru approvals and electronic signatures, where a user authenticates to a website, reviews a document, and then is allowed to approve or reject said document with a simple click of a button.

Actually, Adobe has supported this capability for some time within our LiveCycle ES product line, but the capability was spread across components that can prepare documents for review (PDF Generator, Output, Reader Extensions, Forms), move documents along a workflow (Process Management), present documents for review, comment, and approval (Workspace), and then sign (Digital Signatures) and archive (Content Services) or further process those documents for storage, submission, etc.

The challenge of piecing together these components was not lost on Adobe, and last year we started working on Solution Accelerators--sample code and tooling that brings together task-oriented building blocks composed of LiveCycle components. More than a proof-of-concept, but less than complete production code, Solution Accelerators can be used by a customer or systems integrator to bring projects to fruition in a much shorter timeframe, while providing for flexibility in the final implementation.

The eSubmissions Solution Accelerator, released this Spring, shows how LiveCycle can be used to present documents for review, commenting, & approval in parallel or serial workflows, and incorporates the capability to not only sign with traditional digital signatures or handwritten electronic signatures, but also via authenticated click-thru approvals and server-side signing and certification functions. Download the demonstration video here. Unlike other click-thru solutions on the market, this Solution Accelerator shows the breadth and depth of Adobe’s offering, providing for compliance with electronic signature regulations around the world.

While this Solution Accelerator was designed for the biopharmaceutical market, it can easily be repurposed for contract approvals, financial services transactions, and the like—this is one of the benefits of the Solution Accelerator approach. Moreover, eSubmissions demonstrates Adobe’s intent to provide users with a best-in-class experience when it comes to electronic documents and workflows. There’s no longer any reason to print an electronic document just for review and signature...Adobe provides a one-stop shop for a full range of electronic signature and approval capabilities.

Tags:electronic signatures,click-thru signatures,click-through signatures,digital signatures,electronic approval,electronic workflow,solution accelerator,livecycle,security partner community,click-thru approval

Primer on configuring offline lease and synchronization

2009-05-22T22:30:01Z

Today, I hope to answer some of the questions surrounding “offline lease” and “offline synchronization” settings within the LiveCycle Rights Management ES server configuration. Here is a screenshot showing several settings within our Admin UI:

and within our end-user-facing policy-edit UI:

What are these settings for? The “offline lease period” and “offline synchronization period” are interrelated settings that dictate how and when clients can be trusted to access (view, modify, print, etc) “offline”. There are varied casual definitions of “offline” depending on the scenario: when an executive needs to view confidential documents on an airplane without network access; when a field service technician is on-site at a customer location repairing a device but not entitled to “network guest access” due to security concerns. Both are supported with our solution and in fact are exceedingly transparent to the end user because they “just work” when the client is unable to “phone home” to the LiveCycle Rights Management ES server to authorize access in real time.

Customers appreciate that this offline access mechanism works transparently for users when they need it to most – but only when the author (and administrator) want it enabled. Not all organizations are willing to enable offline features for their most sensitive documents because while they retain complete access to revoke content or change authorization rules at any time, they are not guaranteed that these changes will go into effect immediately for all users world-wide. This is because the users and clients who are physically unable to “phone home” to the server will not receive an updated set of authorization rules while they remain disconnected.

In other words, by introducing offline access, authors retain complete control over protected intellectual property, however they introduce some latency before authorization rules are implemented.

This latency is the period of time before the clients can “phone home” to get the latest set of authorization rules. So we offer customers the ability to set a “ceiling” on the amount of latency they are willing to tolerate between an authorization rule being changed and when it will go into effect worldwide.

The maximum tolerated latency can be configured by document author/owners on a per-policy basis. This offers our customers the greatest flexibility because an internally-targeted policy covering executive “Insiders” may be very different from information classified for external use by customers. So how does this work? Each policy can set the "auto-offline lease period" - refer back to the second screnshot. This is how an author sets the maximum latency associated with one policy (and all documents associated with it). Since not all authors will want to set the latency, we give the administrator the ability to establish a default global latency: see screenshot one, where the administrator can set the default maximum latency – which is the value that is copied into each policy when it is created.

When discussing the feature, customers ask what happens if a disconnected user has access to two different documents with different policies, and different latency thresholds (that offline lease period). An example may help – say we have document A which allows three days of offline access, and document B which allows 15 days, and the client last phoned home to the server on March 1. Through March 3, the client will be authorized to view document A and document B, and from March 4-15 will be able to view document B only. If on March 8 the client phones home again, the clock is reset so document A and B will be viewable until March 11, and B will continue to be accessible until March 23.

Back to the March 1 example. What if somebody gives the offline client document C with 10 days of maximum latency on March 6? Because our system tries to be transparent to the user, and we do not require offline documents to be opened first online, he will be able to open document C from March 6 through March 10.

So…how does “Default Offline Synchronization Period” (screenshot one) relate? It’s a global server setting regulated by the administrator that dictates how long offline accessible documents should remain available offline. We accomplish the feature of not requiring offline documents to be opened first online by having the server give the client enough information to open “all” documents the user should be entitled to use while offline.

Our engineers decided to allow customers to tune whether “all” is really “all documents ever protected in the system” or whether in most customer uses it may mean for example “all documents protected in the last 365 days”, because many customers may not need to grant access to documents offline forever. By tuning this from an infinite (true “all”) period to a rolling-window of XX (e.g., 365) days, it simplifies the amount of information that needs to be sent to the client, and the amount of information that the client must store. The user benefit of this is that if you hire a new employee in the future and want to enable his machine to access documents offline, it’s unlikely he would need to access documents from 1982 while offline.

There are clearly tradeoffs here; the key takeaway is that this value should be set to the amount of time the client should allow protected documents to be viewed offline from the date they are initially protected. Tuning this value to accommodate your scenario may be somewhat complex, so if you have any questions about your setup, do not hesitate to contact your local Adobe support representative.

Some general advice: administrators should set the offline synchronization period to be the total amount you would like documents to be viewable offline. It’s very easy to set this value large at initial deployment and then decide to tune it down later. Increasing this value is possible, but we recommend you contact Adobe support first to understand the implications and interactions in the system.

In conclusion, the “offline synchronization period” is an administrator-tunable setting that makes sure the end-user experience is always straightforward and that people can view confidential intellectual property when on an airplane, at a disconnected customer site, etc. Simply set this as the maximum time any document can be used offline from when it is initially protected.

End users who want to control access to content need only set how long they want their content to be viewable offline—and remember that it will stop being viewable offline once the “offline synchronization period” has been exhausted.

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

Seven Technology Habits of Highly Effective CFOs

2009-05-01T15:43:57Z

Recently, Adobe executive vice president and Chief Financial Officer Mark Garrett presented a keynote at the CFO Rising conference, sponsored by CFO Magazine. Speaking to a ballroom full of senior finance executives, Mark outlined the “Seven Technology Habits of Highly Effective CFOs” and utilized several case study examples to illustrate his points.

Here's Mark's list:

1. Eliminate paper – Use digital signatures and electronic workflows

2. Ensure compliance – Utilize technology to control access to sensitive information

3. Provide greater visibility – Create dashboards to monitor each part of the business

4. Walk in your sales force’s shoes – Participate in sales deals to understand where processes create roadblocks, and provide tools to help them be more effective

5. Engage your users – Give your employees a more “consumer-like” experience through applications like electronic forms and organization directories

6. Let ideas travel – Utilize web conferencing solutions to save on travel costs and reduce carbon footprint

7. Invest – Continue to invest in strategic technology projects, because companies that do invest will be best positioned when the economy turns around

Adobe Acrobat, Adobe Reader, Adobe LiveCycle, and Adobe Acrobat Connect Pro offer solutions to help today's CFOs better manage their business.

To learn more - Mark's keynote is available for viewing on the CFO Rising website.

Adobe and Arcot Partner to SEND Secure Electronic Documents to Your Inbox

2009-04-22T19:58:10Z

Tired of those paper bank statements, or having to log into your bank’s website to get your account information? Adobe and Arcot announced Monday the launch of a new managed service called SEND to provide the ability for organizations to literally send secure PDF files to your email inbox, without requiring you to install anything other than the latest version of Adobe Reader or Acrobat. Financial institutions, utilities, government agencies—really any organization or company that sends periodic paper documents, bills or notices—can take advantage of SEND. The organization provides SEND with the PDF files and email addresses of recipients, and SEND takes care of the rest, encrypting the documents and delivering them to recipients.

The idea of having information sent directly to you resonates strongly, even in our highly connected world, because you are empowered to manage the information and store it however you want. Many have yet to opt for online solutions for this very reason. However, paper statements are static, potentially subject to identity theft, and require action from recipients to service their accounts.

With online statements, recipients no longer ‘receive’ information. They must actively retrieve it from by logging into their institution’s website. While certainly saving money for the institution and the end customer, this ‘pull’ model breaks the mold recipients are accustomed to, and makes it more difficult for recipients to manage their own information. However, more dynamic marketing and at-your-fingertips service options are readily available at the institution’s website.

With SEND, organizations can proactively bridge the gap from a paper to an electronic delivery model.

They gain the ability to ‘push’ rich, interactive PDF documents directly to their recipients, improving marketing opportunities and the end user experience, without having to worry about the privacy concerns of sending customer personally identifiable information (PII) via email. The encrypted documents are sent as attachments to an email, accessible via any email client. A strong, yet simple-to-use, PKI-based Arcot two factor authentication system built into Reader and Acrobat manages secure access to the PDF, and once the document is open, recipients are free to save it, ready for archive and instant retrieval without requiring a login to the institution’s site. According to R. ‘Doc’ Vaidhyanathan, vice president of product management at Arcot:

Our SEND service will help institutions migrate from paper to digital delivery as it offers higher fidelity, and is easier to use and more secure than other email delivery solutions. Now, organizations can securely distribute electronic documents to customers, and customers can securely interact with the dynamic PDF document, verifying information, paying bills, and even signing contracts without ever having to log in or print.

The SEND service is available for purchase from both Arcot and Adobe, though Arcot will actually manage the service and host it at the same SAS 70 certified, PCI DSS-compliant secure data center that is now responsible for the authentication of millions of financial customers worldwide.

A datasheet on the solution is available here.

Adobe is exhibiting with Arcot April 20-24 at the RSA Conference 2009 in San Francisco, California. Visit us at booth #939 to see a demonstration of SEND in action.

Arcot is an Adobe Security Partner. To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!

Tags:Adobe,Arcot,secure electronic document,encryption,SEND