Both Acrobat 6 Pro for the Mac and for Windows support document signing and verification. By default, a user who receives a signed document has to import the signer's certificate into an internal Acrobat store. This certificate can come from an LDAP server (Only on Windows), from a cert file stored on the user's machine (A file with a .cer extension containing the Base-64 encoding of the signer's cert), from a PKCS7 structrure (a .p7s file renamed into a .p7b file, for example), or by including it directly from the signed PDF document.
In addition, a user can import a signing authoritie's certificate into Acrobat. This makes it so that any certificates signed by this CA will be trusted to the level that the CA is trusted. How far this chain goes is unknown, we only tried a chain of two certificates (CA and user).
Before a certificate is used for verification, after it is imported into Acrobat's store, the user must specify the trust level for the certificate. If the certificate is trusted because of a CA certificate in the cache, then the certificate gets the default trust level of the CA cert.
To use LDAP functionality, the LDAP must be configured under Advanced->Manage Digital ID's->Configure Identity Search Directories. Afterwards, a user can go into Advanced->Trusted Identities, and search the LDAP for a particular user. If a match is found, then the certificate can be imported into the cache.
Before signing, a key and certificate must be specified by the signer. On Windows, Acrobat supports the certificates that are included in the user's keystore. The user can also import certificates into Acrobat via a .p12 file. Acrobat provides the ability to generate self-signed certificates to be used for signing, but those aren't very useful for a PKI. On the Macintosh, the signer is forced to import a .p12 file or to use a self-signed certificate.
Acrobat allows multiple signatures into a document. To do this, first create the document. Then sign it with a "Certification Signature", which signs all non-editable portions of the document. You can then create signature blocks in the document, which allow other users to sign parts of the document or the whole document. Experiments so far have only been done with one certifying signature and one signing signature.
Acrobat Professional allows a user to create forms for people to fill out. These can have the form data signed, so that an end-user cannot alter the form data. Acrobat Reader only allows the printing or submission (via a web CGI) of filled-out form data, it does not allow the saving of said data. Acrobat Standard or Pro is required to do saving of a form. It's unclear whether or not Standard will do document signing of a filled-out form.
Adobe Acrobat Professional performs most of the operations that are required of a PKI signing solution. The main drawbacks are lack of OCSP support and the cost of the individual licenses. Every user who needs to sign documents will have to have a copy of Acrobat Professional, or possibly Standard, in order to sign.
The ability to have multiple signatures in a document is pretty powerful, however, and the implementation here seems to be pretty good. With a certification signature, users can verify the integrity of the orignal form before they sign it, and administrators can verify the integrity of the form data after the signing, knowing that the form itself is unaltered. Most packages that do signatures allow only one signature at the end, so the administrator would not be able to tell if the end user modified the form before signing it without doing a visual comparison.
Dartmouth College PKI Lab
Last update: 16 Jul 2003