52
Adobe LiveCycle ES
Signature Service
LiveCycle ES Services
About signature fields 114
● PDF signatures can be created for all PDF documents, such as PDF documents created using
  LiveCycle Designer ES or Acrobat.
● XML signatures can be created only for XFA-based PDF documents, such as PDF documents that are
  created using Designer ES, or that the Forms service created.
PDF signatures can be used for purposes beyond the basic authentication of the signer’s identity and
validation of document integrity:
Approval Signatures: Used for approving document content. For example, a user fills a form and then
signs the form to approve the form data.
Certifying signatures: Used for attesting to the document contents and specifying the types of
changes that are permitted for the document to remain certified. For example, a government agency
creates a form with signature fields. The agency certifies the document, allowing users to change only
form fields and sign the document. Users can fill in the form and sign the document, but if they remove
pages or add comments, the document does not retain its certified status.
Certifying signatures are also known as Modify Detection Prevention (MDP) signatures.
About signature fields
When a form is digitally signed, the signature is added to a signature field. Forms must include a signature
field before they can be signed.
Multiple signature fields can be added to a single form. Each signature field can be associated with a set of
fields on the form so that the signature that is added to that field applies only to the associated fields. After
adding the signature, the associated fields are locked. These types of signatures are known as MDP+
signatures. To use this feature with Adobe PDF forms and Adobe XML forms, users must use Acrobat or
Adobe Reader version 8.0 and above to open the forms.
Seed value dictionaries can be added to signature fields to configure how the field is used when the
document is signed. For example, a list of signing reasons can be provided, or the hashing algorithms that
can be used for creating the document digest can be specified.
You can add signature fields at design time or at run time:
● Use Designer ES to add signature fields at design time. (See LiveCycle Designer ES Help.)
● Use the Signature service to add signature fields at run time. (See “Adding, modifying, and removing
  signature fields” on page 120.)
About the Signature service and form types
LiveCycle ES supports several types of PDF forms. Although Acrobat or Adobe Reader users notice no
apparent difference between the form types, the way in which the PDF form is constructed can be
different. For example, forms can be rendered to PDF by the Forms service on the LiveCycle ES server or by
Acrobat or Adobe Reader.
PDF forms that do not require rendering can be used with the Signature service in any situation. However,
PDF forms that require rendering can be problematic for digital signatures, depending on how they are
used.
When a PDF form that is digitally signed is rendered, the signature on the form is invalidated. For example,
a user opens a dynamic Adobe PDF form in Acrobat, digitally signs it, and saves and sends the file to a
colleague in an email message. When the colleague opens the form, Acrobat renders the form to PDF,
which invalidates the digital signature.
Before you use the Signature service, you must be aware of the type of form you are using.
Acrobat PDF form: PDF forms that are created using Acrobat (or a similar tool). These forms do not
require rendering after they are created.
Adobe PDF form: PDF forms that are created using Designer ES. These files are saved as static or
dynamic PDF forms:
● The content of static PDF forms, except for field values, does not change. When the file is opened,
  Acrobat or Adobe Reader use information in the file to render the PDF form. When the file is saved
  for the first time, the PDF form is stored in the file and rendering is no longer required when it is
  subsequently opened.
● The content of dynamic PDF forms can change according to user input. For example, table rows or
  subforms can be added as required. The PDF form is always rendered when it is opened using
  Acrobat or Adobe Reader.
For more information about the static and dynamic Adobe PDF forms, see Understanding the
Differences Between Static and Dynamic PDF Forms.
Adobe XML form: XDP files that are created using Designer ES. Adobe XML forms are prepared for
opening in Acrobat or Adobe Reader using the Forms service. The Forms service can be configured so
that the PDF form is rendered by the Forms service on the LiveCycle ES server before being sent to the
client, or by Acrobat or Adobe Reader.
Non-interactive PDF forms: PDF files that users can view electronically or print. For example, files that
are converted to PDF from a different file format are non-interactive. These forms do not require
rendering after they are created.
For information about design requirements for forms that are used in LiveCycle Workspace ES, see
“Requirements for form design and Workspace ES” on page 122.
About digital signature technology
This section provides a brief overview of the technology used with digital signatures.
Public key cryptography
Digital signatures are based on public-key cryptography (or asymmetric cryptography), which involves
using public/private key pairs for encrypting and decrypting text:
● The private key is used to encrypt text and documents. Private keys are kept safe.
● The corresponding public key is used to decrypt the text that is encrypted by the private key. The
  public key can decrypt only the text that is encrypted with the associated private key. Public keys are
  distributed, sometimes widely.
For example, Tony Blue uses his private key to encrypt email messages before sending them to recipients.
The recipients require the public key to decrypt the messages and read them. Tony must provide the
recipients with the public key before they can read his email messages.
Digital certificates
Digital certificates can be used to verify the authenticity of digital signatures. Digital certificates bind a
public key with a person’s identity:
● Certificates can be issued by certificate authorities (CA), a trusted third party. CAs verify the identities of
  the people to whom they issue certificates. If you trust the CA, you trust the certificates it issues.
● Certificates can also be self-signed. Self-signed certificates are typically generated by the certificate
  owner and are useful when you are certain that you can trust the owner.
CAs publish certificate revocation lists (CRL) that contain the serial numbers of the certificates that are no
longer valid. CRLs have expiry dates, and are typically updated periodically.
Similar to using CRLs, Online Certificate Status Protocol (OCSP) is used for obtaining the status of X.509
certificates. OCSP enables certificate status to be updated and obtained more quickly than CRL systems.
CAs can delegate the authority to issue certificates to lower-level CAs. The result can be a hierarchy of CAs.
A certificate chain indicates the path in the hierarchy from a lower-level CA to the root CA. Certificates that
are issued by lower-level CAs include the certificate chain. The authenticity of each CA in the chain can be
verified.
Digital credentials
Credentials are used to digitally sign documents. A credential contains a user’s private key and other
identifying information, such as an alias. A password is required to access the contents of the credential.
Different standards define the content of a credential and the format. The following standards are two
examples:
● Personal Information Exchange Syntax Standard (PKCS #12) defines a file format for storing the private
  key and the corresponding digital certificate.
● Cryptographic Token Interface (PKCS #11) defines an interface for retrieving credentials that are stored
  in hardware.
Digital Signatures
Digital signatures are an encrypted digest of the document that is signed. The digest and the signer’s
certificate are used to validate the integrity of the document.
When a document is digitally signed, a digest of the document contents is created using a hashing
algorithm. The digest is unique for the document, and the document cannot be reconstructed using the
digest. The digest is encrypted using the signer’s private key to create the signature.
The signature and the certificate that corresponds with the private key used to create the signature are
typically bundled with the document.
Signatures can include time stamps. Time Stamp Protocol (TSP) is used to establish the time at which a
digital signature is created. This information is useful for verifying that a digital signature was created
before the associated certificate was revoked. A Time Stamp Authority (TSA) provides services for
obtaining and verifying time stamp information.
Validating document integrity
To validate the signature, the public key in the certificate is used to decrypt the digest. The digest is then
recalculated and compared with the decrypted digest. If the digests are identical, the document has not
been altered.
Integrating with a security infrastructure
The Signature service accesses certificates, credentials, and revocation lists that are stored in Trust Store
Management. It can also use Trust Store Management to access credentials that are stored in Hardware
Security Module (HSM) devices. (See Trust Store Management Help.)
The Signature service also supports communicating with external resources for retrieving certificates and
validating signatures:
● LDAP/LDAPS and HTTP/HTTPS queries for retrieving certificates for chain validation
● Connecting to TSAs using HTTP and HTTPS
● Retrieving CRLs using HTTP/HTTPS and LDAP/LDAPS. The Signature service also supports offline CRLs
  that are stored using Trust Store Management.
● Connecting to OCSP servers
● Integrating with external service providers for retrieving credentials and verifying certificates
Supported technologies and standards
The following table provides a summary of the technologies and industry standards that are supported by
LiveCycle Digital Signatures ES. The Signature service enforces Federal Information Processing Standard
(FIPS) compliance, and uses the RSA BSAFE libraries.
Item                                            Supported technology or standard
One-way hash (for creating document digests)    SHA-1, SHA-256, SHA-384, and SHA-512
                                                MD5
                                                RIPEMD160
Digital signatures                              PKCS #1 and #7
                                                RSA (up to 4096 bit)
                                                DSA (up to 4096 bit)
                                                XML signatures
                                                Seed values (enforcement of certificate usage criteria)
                                                Time stamping (using Time Stamp Providers)
Certificate validity                            Certificate Revocation Lists (CRL)
                                                Online Certificate Status Protocol (OCSP)
                                                RFC 3280 compliant path validation
Using the Signature service
This section includes the following topics that describe how you can use the Signature service:
● “Signing and certifying documents” on page 118
● “Validating document integrity and authenticity” on page 119
● “Removing signatures” on page 119
● “Retrieving signatures and signature fields” on page 120
● “Adding, modifying, and removing signature fields” on page 120
For information about developing processes that use this service, see LiveCycle Workbench ES Help. For
information about developing client applications that programmatically interact with this service, see
Programming with LiveCycle ES.
You can use the Applications and Services pages of LiveCycle Administration Console to configure default
properties for this service. (See Applications and Services Administration Help.)
Signing and certifying documents
You can use the Signature service to sign and certify PDF documents using any credential that the service
can access. When signing or certifying, you specify the signature field to use.
Caution: The following limitations apply to dynamic Adobe PDF forms when used with the Signature
service:
● You cannot sign a visible signature field.
● You can certify invisible signature fields.
● You can certify visible signature fields only if the Signature service is configured to process
  documents with Acrobat version 9 compatibility. The form can only be viewed using Acrobat
  or Adobe Reader version 9.
Note: For all types of forms, Acrobat or Adobe Reader users can delete signatures that the Signature
service added.
When signing or certifying, the following information can be specified:
Credential: The credential that contains the private key to use to create the digital signature.
Document MDP permissions: When certifying, the changes that users can perform on the document
without invalidating the certification.
Revocation information: Whether to embed revocation information in the signature to use for
validating the signer’s certificate. The information enables OCSP checking and CRL checking.
Time stamp information: Whether to create a time stamp for the signature, and the information
required to perform the time stamp transaction with the time stamp provider.
Appearance: Properties that affect the appearance of the signature when it is viewed using Acrobat or
Adobe Reader, such as the reason for signing, the contact information of the signer, a legal attestation,
and the icons to use.
Validating document integrity and authenticity
You can use the Signature service to validate signatures that have been added to PDF forms. To validate
signatures, the certificate can be checked for revocation, the time stamp of the signature can be checked,
and the document digest is verified.
Caution: The following limitations apply to validating digital signatures using the Signature service:
● The Signature service cannot accurately validate signatures on dynamic Adobe PDF forms.
● The Signature service cannot ensure that field-locking rules for signature fields (MDP+ rules)
  are enforced for Adobe PDF forms and Adobe XML forms.
When validating, the following information can be specified:
Signature field: The name of the signature field that holds the signature to verify.
Revocation checking: Whether to check that the signer’s certificate has been revoked. You can specify
information to enable OCSP and CRL types of checking.
Time stamp checking: How to verify the time stamp of the signature.
Path validation: Information that enables the verification of the certificates in the certificate chain that
the signer’s certificate includes.
The following table describes the situations that cause the different signature validity states.
When validating signatures, you need to know whether you are validating a PDF signature or an XML
signature.
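The sign-then-validate flow described under “Digital signatures” and “Validating document integrity”, carried through to the validity states this section reports (Invalid, Unknown, ValidAndModified, ValidUnmodified), as an added illustration that is not LiveCycle code. It assumes a constructed textbook RSA key pair and models a later change as bytes appended after the signed revision, the way a PDF incremental update is; the covered-length check, the sample document and the function names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed textbook RSA key pair built from two Mersenne primes, so the
# block runs with the standard library alone. Illustration only: a real
# credential uses a PKCS #1-padded signature and a CA-issued certificate.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent

def digest(data: bytes) -> int:
    """One-way hash of the document contents, as an integer below N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass
class Signature:
    covered_len: int   # length of the document revision the signature covers
    value: int         # the digest "encrypted" with the signer's private key

def sign(revision: bytes) -> Signature:
    """Create the signature over the current revision of the document."""
    return Signature(len(revision), pow(digest(revision), D, N))

def validate(document: bytes, sig: Optional[Signature]) -> str:
    """Classify the document into the service's signature validity states."""
    if sig is None:
        return "Unknown"                     # validation was not performed
    if sig.covered_len > len(document):
        return "Invalid"                     # signed revision was truncated
    covered = document[:sig.covered_len]
    # "Decrypt" the signed digest with the public key and compare it with the
    # digest recalculated over the signed revision.
    if pow(sig.value, E, N) != digest(covered):
        return "Invalid"                     # signed revision was altered
    if len(document) > sig.covered_len:
        return "ValidAndModified"            # later incremental update present
    return "ValidUnmodified"

# Constructed sample document and the revisions a validator may meet.
ORIGINAL = b"%PDF-1.7\n<< /Type /Catalog >>\nform data v1\n%%EOF\n"
SIG = sign(ORIGINAL)
APPENDED = ORIGINAL + b"<< /Annots [comment] >>\n%%EOF\n"   # comment added later
TAMPERED = ORIGINAL.replace(b"v1", b"v2")                   # signed bytes changed

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL), ("appended", APPENDED),
                      ("tampered", TAMPERED)):
        print(name, validate(doc, SIG))
```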
Value              Signature status                           Description
Invalid            Signature Invalid                          The revision of the document that is covered by the
                                                              signature has been altered.
Unknown            Status Unknown                             Signature validation on the signed contents was not
                                                              performed.
ValidAndModified   Signature valid but document modified      The revision of the document that is covered by the
                                                              signature was not modified, but there were subsequent
                                                              changes to the document.
ValidUnmodified    Signature valid and document unmodified    The revision of the document that is covered by the
                                                              signature was not modified. There were no subsequent
                                                              changes to the document.
Removing signatures
You can use the Signature service to remove signatures from signature fields.
Retrieving signatures and signature fields
You can use the Signature service to retrieve the following items from forms:
● Information about signature fields and certifying signature fields
● Digital signatures and information about the signatures
● The revision of the PDF form as it existed when a signature field was signed
Caution: You cannot retrieve the certifying signature field from forms that are rendered on the client.
Adding, modifying, and removing signature fields
You can use the Signature service to add, modify, and remove visible and invisible signature fields from
forms. When you add and modify signature fields, you can configure the following properties:
● The field name and, for visible signature fields, the location.
● The fields to lock when the signature is added.
● The signature handler that validates signatures.
● Information about the signature, such as whether to include revocation information, a list of signing
  reasons that users can select from, and server URLs used for validating signatures.
● Whether the field can be used only for certifying the document.
Caution: The Signature service cannot add or modify signature fields on a dynamic Adobe PDF form.
Best practices
The following characteristics of LiveCycle ES and the Signature service result in limitations to the way you
can use dynamic Adobe PDF forms:
● Digital signatures are invalidated when a signed form is rendered to PDF.
● The Signature service cannot detect changes that are made to forms through JavaScript.
● The Signature service cannot enforce field-locking (MDP+) signature rules, or detect that field-locking
  signature rules have been violated for Adobe PDF forms and Adobe XML forms.
Generally, you need to decide whether the use of dynamic forms or the use of digital signatures on the
server is more important for your solution:
● If you need to use features of the Signature service that do not support dynamic Adobe PDF forms, use
  a different type of form, and ensure that no rendering occurs in Acrobat or Adobe Reader. (See
  “Ensuring that no rendering occurs after signing” on page 121.)
● If you need to use dynamic forms, you can convert the form to a non-interactive form before using the
  features of the Signature service on the form. (See “Converting to non-interactive form” on page 121.)
● Before you use the form with the Signature service, you should ensure that the form is not a dynamic
  Adobe PDF form. (See “Checking the form type” on page 122.)
Also, to use digital signatures on forms that users open in Workspace ES, your form needs to conform to
specific design criteria. (See “Requirements for form design and Workspace ES” on page 122.)