How does advanced digital signature on pdf work by concept (on receiver side)?

0

If someone like an Agency or something wants me to send a pdf signed with an advanced electronic signature, what does that mean for the receiver?

I could now make a local keystore and use any program to somehow sign the pdf, but I don't know how this proves that it's really me for the receiver. Do I get a hash key while generation which is added to the PDF and should I send the same hash key as footer into the email, or should I send a public key or something? I don't know what's the concept behind it?

Bevor

Posted 2014-01-09T13:24:56.690

Reputation: 307

Typically they will let you know if you need a certificate from a specific set of trusted CAs. Only seldomly they will accept self-issued certificates. – eckes – 2017-04-15T20:37:51.763

Answers

2

[Disclosure: I work for CoSign]

An "Advanced Electronic Signature" is a synonym for a Digital Signature, also known as an X.509 digital signature.

I could now make a local keystore and use any program to somehow sign the pdf, but I don't know how this proves that it's really me for the receiver.

In the usual case, your organization would create a long-lived (~10 year) root digital certificate, and then create individual signer digital certs with a 1 year expiration.

Then the relying-party (the document recipient) would add your organization's cert to his trust store. Later, when opening a pdf signed by someone from the organization, the signature would verify properly. In most cases, the verification is done by a free copy of Adobe Reader (not the expensive Acrobat software).

Since digital signatures are an open standard, the pdf's signatures can also be verified by other software.

The "proof" that you signed the document is from two factors:

  1. The relying party decided to trust the cert from your organization
  2. The relying party is trusting that you maintained strict control over your signing key from the time it was issued to you by your organization.

Issue 2 means that it is a bad idea to store private keys in regular file systems. Best practice is for digital keys to be stored in Secure Signature Creation Devices. (Either hardened appliances or smart cards.)

Do I get a hash key while generation which is added to the PDF and should I send the same hash key as footer into the email, or should I send a public key or something? I don't know what's the concept behind it?

Advanced Electronic Signatures use PKI technology to sign a hash value that represents the document. The result is stored in a specific structure that is added to the PDF. See the ETSI PAdES standard.

During signing, the document's hash is calculated by the signing software. Later, during verification, the document's hash is re-calculated by the verification software. The verification software re-calculates the hash from the document to confirm that the document was not changed from the time it was allegedly signed.

This means:

  1. The signature is created and added to the PDF doc in a very specific way as detailed by the standard. You can use on-line services such as CoSign Cloud to create and sign a pdf. Or you can use an on-premises appliance. APIs are also available. You can sign a PDF using software libraries but then you need to worry about key security as mentioned above.

  2. The trust is established by the relying party adding a cert to his trust store. How you send the cert to the relying party is up to you (and what he will accept). You can send it in an email or store it on your web server for others to download.

Larry K

Posted 2014-01-09T13:24:56.690

Reputation: 739

Asked: 2014-01-09T13:24:56.690

Viewed: 307 times

Active: 2017-04-15T18:28:05.673