Best practices in Certifying and Signing PDFs


Talk by Paul van Brouwershaven, Business Development Director EMEA at GlobalSign (iText Summit 2012).


over 10 years of securing identities, web sites & transactions

Best practices in Certifying and Signing PDFs

Paul van Brouwershaven

Business Development Director EMEA, GlobalSign
@vanbroup on Twitter

INTERNATIONAL FOOTPRINT Customers spanning all industries


Issued over 1.4m digital certificates / digital IDs to people, web sites & machines

Issued over 200,000 SSL Certificates

Over 20 million certificates worldwide rely on the public trust provided by the GlobalSign root

Founded in 1996 by BE Chambers of Commerce, ING Bank & Vodafone.

Acquired by GMO Internet Inc (ticker symbol Tokyo Stock Exchange: 9449) & re-launched in 2006 as true worldwide operation.

GMO parent to over 50 Internet technology & hosting companies, including largest hosting company in Asia.

Current shareholders include Yahoo!, Morgan Stanley & Credit Suisse.

GlobalSign is Digital Certificate security division of global group.

Web services & offline services for provisioning Digital Certificates for enterprise, Government, developers, hosting & Cloud services.

GlobalSign Products | Visible Trust in an online world

Server, Database & Network Security: SSL Certificates, Managed SSL

Developer Solutions: Code Signing, Embedded SSL

Secure Email: Digital IDs for Individuals, Digital IDs for Depts, Managed Digital IDs

eDocument / File Security & Compliance: Adobe CDS for PDF, Microsoft Office, Encrypting File System (EFS)

Automated SSL for Web Hosts: SSL Reseller Program, One-Click SSL

PKI & Root Signing: Trusted Root for CAs

Digital Certificates: An Introduction

Authenticity and Integrity

A normal certificate vs. an Adobe one

Adobe Certified Document Services

GlobalSign is an authorized Adobe CDS provider

Web-Trust Certified, third party Certificate Authority

Governed by Adobe Certificate Policy

Only CDS issued digital IDs are instantly trusted in Adobe Reader 7.0+ (SHA-256)

Meet or exceed FIPS 140-1 Level 2

Subscriber key pairs must be generated in a manner that ensures that the private key is not known by anybody other than the Subscriber or a Subscriber's authorized representative. Subscriber key pairs must be generated in a medium that prevents exportation or duplication and that meets or exceeds FIPS 140-1 Level 2 certification standard.

EV Guidelines state: Code signing keys are to be protected by a FIPS 140-2 level 2 (or equivalent) crypto module. Techniques that may be used to satisfy this requirement include:

(A) Use of an HSM, verified by means of a manufacturer's certificate;
(B) A hardware crypto module provided by the CA;
(C) Contractual terms in the subscriber agreement requiring the Subscriber to protect the private key to a standard equivalent to FIPS 140-2 and with compliance being confirmed by means of an audit.

EV Code Signing - Private-Key Protection

Adobe Certified Document Services

Allows recipients of PDF documents to know:

  • who signed the document
  • the content is intact
  • the time the document is signed

Recipients only need to have the free Adobe Reader 7.0+ (installed on >800M computers worldwide)

Strong Authentication, Data Integrity, Non Repudiation

Recipients of Certified PDFs need no special software, plug-ins, or special configuration!!!

Simple and effective GUI

[Figure labels: Trusted, Modified, Changed; Signed, Certified, Unknown Author]

Without time stamping and CRL Services

Certification without time stamping and CRL Services. The validity of the signature expires with the validity of the digital certificate used to sign the document.

[Timeline figure: 2011 to 2014]

What about revocation?

With a Revocation Event the validity of the signature expires with the revocation of the digital certificate.

Basic Signatures are not suitable for Long Term Validation signing (Documents)

[Timeline figure: 2011 to 2014]

ETSI TS 102 778

With Services the validity of the signature applied to the document never expires even if there is a revocation event.

Part 1: "PAdES Overview - a framework document for PAdES"; Part 2: "PAdES Basic - Profile based on ISO 32000-1"; (Best Practice) Part 3: "PAdES Enhanced - PAdES-BES and PAdES-EPES Profiles"; Part 4: "PAdES Long Term - PAdES-LTV Profile"; Part 5: "PAdES for XML Content - Profiles for XAdES signatures".

[Timeline figure: 2011 to 2014]
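The three timeline slides above (no services, a revocation event, time stamping plus CRL services) as a simplified model; this is an added example, not code from the talk, GlobalSign or iText. The `SignedPdf` fields, the dates and the 1 July sampling are constructed assumptions, and the model ignores the lifetime of the TSA's own certificate.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class SignedPdf:
    cert_not_before: date
    cert_not_after: date
    trusted_timestamp: Optional[date] = None  # signing time proven by a TSA
    revocation_info_embedded: bool = False    # CRL data stored with the signature
    revoked_on: Optional[date] = None         # revocation event, if any

def signature_status(doc: SignedPdf, today: date) -> str:
    """Return 'valid', 'expired' or 'revoked' as a verifier sees it on `today`."""
    with_services = doc.trusted_timestamp is not None and doc.revocation_info_embedded
    # With services the certificate is judged at the proven signing time;
    # without them the verifier can only judge it at verification time.
    reference = doc.trusted_timestamp if with_services else today
    if doc.revoked_on is not None and reference >= doc.revoked_on:
        return "revoked"
    if not (doc.cert_not_before <= reference <= doc.cert_not_after):
        return "expired"
    return "valid"

def timeline(doc: SignedPdf, years=range(2011, 2015)) -> dict:
    """Status on 1 July of each year on the slides' 2011-2014 axis."""
    return {y: signature_status(doc, date(y, 7, 1)) for y in years}

# Constructed sample: certificate valid 2011-2012, document signed 1 June 2011.
BASIC = SignedPdf(date(2011, 1, 1), date(2012, 12, 31))
BASIC_REVOKED = replace(BASIC, revoked_on=date(2012, 3, 1))
WITH_SERVICES = replace(BASIC_REVOKED, trusted_timestamp=date(2011, 6, 1),
                        revocation_info_embedded=True)
# Edge case: the timestamp proves the signature was made after revocation.
SIGNED_AFTER_REVOCATION = replace(WITH_SERVICES, trusted_timestamp=date(2012, 6, 1))

if __name__ == "__main__":
    for name in ("BASIC", "BASIC_REVOKED", "WITH_SERVICES", "SIGNED_AFTER_REVOCATION"):
        print(f"{name:24}", timeline(globals()[name]))
```

The last case shows why the time stamp matters to the verifier as well as the signer: a signature proven to have been made after the revocation date stays rejected.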

Where do customers use CDS?

  • A constantly changing landscape
  • No single EU wide solution for compliance*
  • Recommendations by PWC for 2013 already changing the requirements on a country by country basis.
  • No consistent approach to preserve authenticity and integrity for Archive and Storage Purposes offering the possibility of legal recourse. (AMEX)

*Adobe CDS offers the only Pan European (Global) authenticity and Integrity validation system. All other systems require a separate system/service that is not automatic, nor guaranteed.

Electronic Invoicing in the EU

The Amex legal case and subsequent lessons learnt?

QES (Qualified Electronic Signature)

  • Automatic legal standing in EU.
  • Issued on a SSCD
  • Generally issued from a government root CA.
  • Not usable for Time stamping services.

AES / AdES (Advanced Electronic Signature)

  • Unique to the signatory;
  • Identifying the signatory;
  • Created using sole control;
  • Linked to the data to which it relates.
  • Change of the data is detectable;

Electronic Invoicing: Is it legal?

Assumes VAT supply country is consistent

2A. Acceptance of advanced e-signatures to send e-invoices ( = yes / = no )

2B. If yes, can AES be used without obligation to use a qualified certificate ( = yes or not applicable / = no)

2C. If yes, are qualified certificates from other EU Member States accepted ( = yes / = subject to conditions)

2D. If yes, can AES be used without obligation to use a secure signature-creation device ( = yes / = no)

2E. If yes, can the recipient process the invoice without verifying the signature ( = yes / = no)

3A. Other means than AES or EDI accepted? ( = yes / = only "other" electronic signatures / = no )

3B. If yes, can other means be used without prior approval? ( = yes / = in some cases / = no )

3C. Unsigned pdf invoice accepted? ( = as an e-invoice in case authenticity and integrity are guaranteed by other means / = as a paper invoice / = no )

Some EMEA Customers

Possible Architecture (e-Invoice)

Document Generation Engine (Content, Layout, Storage and other specific compliancy rules)

Application of Digital Signature To Customer

Digital Certificates

Optional TSA (>1M)

GlobalSign TSA



Thank you

Paul van Brouwershaven