1. What is Certified Document Services (CDS)?
Certified Document Services (CDS) is a validation service for electronic documents specifically to attest to the authenticity and integrity of data through industry standard highly ubiquitous software (>800Million installations). Created by the Adobe® Root Certificate authority, CDS enables document authors to sign Portable Document Format (PDF) files, using digital certificates, which then automatically validate when recipients use the freely available Adobe® Acrobat® Reader software. No additional client software or configuration is required and the solution is multi-lingual through the wide variety of languages supported. http://www.adobe.com/products/reader/productinfo/languages/
CDS was designed to enable organizations and individuals who publish high-value documents to large and disparate recipient groups to increase the assurance level that the document's integrity and authenticity are preserved. By adding Certifying Signatures and Approver Signature(s) to PDF files document authors can increase this assurance level while at the same time reduce the burden of the recipient regarding how to determine if the document can be trusted.
Click here to learn more about CDS http://www.adobe.com/security/digsig/certifieddocs.html.
GlobalSign offers digital certificates compliant to the CDS program under the DocumentSign brand. DocumentSign Digital IDs are issued to individuals and departments affiliated with verifiable organizations and allow authors to add Certifying Signatures and Approver Signatures to PDFs.
2. How does it work?
DocumentSign Digital IDs are “chained” to the inherently trusted Adobe root certificate found in Adobe Reader 6.0+ and Acrobat 6.0+. Recipients who open certified documents signed with CDS digital IDs receive one of three easy to understand trust messages.
Adobe Reader
Version
|
Certification VALID |
Validity of author
NOT confirmed |
Certification INVALID |
Approval Signature |
Version 6 through 8
Version 9 onwards |
|
|
|
|
3. How do I get a DocumentSign Digital ID?
Step 1: |
Choose the certificate type that best suits your needs (Signing as a ‘natural person’ or as a ‘role’. i.e. PersonalSign or DepartmentSign) |
Step 2: |
Register for the service through the ‘buy now’ link. GlobalSign then verifies the organization |
Step 3: |
GlobalSign performs additional phone verification checks to ensure the subscriber is authorized to enroll for a digital ID by the Organizational Representative who signs and agrees to the terms and service.. See CPS for details http://www.globalsign.com/repository/ |
Step 4: |
Once validation checks are completed GlobalSign will provide a link to install the digital ID to the subscriber on a GlobalSign furnished cryptographic device (typically an iKey USB token from SafeNet). |
4. How is my organization vetted?
After the on-line enrollment is completed by a representative authorized to bind the organization to the terms of the GlobalSign agreement and by reference the DocumentSign Digital ID for Adobe PDF Certificate Practice Statement, GlobalSign shall verify the Organization is legitimate using third party verification services such as Dun & Bradstreet.
5. How are subscribers vetted?
An organization’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the DocumentSign Certification Practice Statement. Enterprise (ePKI) subscribers are vetted and authorized to enroll for a digital ID in their name or in the case of DepartmentSign, a role by an authorized Local Registration Authorities that have been appointed by the Organization Representative
6. Where can I review the Certificate Practice Statement for DocumentSign Digital IDs?
Click here for the repository where you will find the DocumentSign Certification Practice Statement.
7. Where can I review the Certificate Policy Statement for DocumentSign Digital IDs?
You can obtain the Certificate Policy by visiting: http://www.adobe.com/misc/pdfs/Adobe_CDS_CPv011604clean.pdf
8. Why does my private key associated with my DocumentSign Digital ID need to be stored on cryptographic hardware?
The Adobe CDS Certificate Policy highlights the need to ensure the security of the CDS program by ensuring all digital IDs are created on FIPS compliant Cryptographic Hardware. This maintains the 'singularity' of the Digital ID such that it cannot be duplicated, and therefore preserves non repudiation capabilities of the solution. The only exception to this are Test Certificates which have a separate Test OID and therefore can be created outside of a hardware module.
9. How do I know what type of DocumentSign Digital ID is right for me?
PersonalSign Pro Digital ID for Adobe PDF – low Volume
A client based desktop solution designed for organizations with low volume requirements (up to 500 annual signings) needing named individuals (e.g. John Smith) to add Certifying or Approval Signatures to PDFs. Authors digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-1 level 2 cryptographic USB token.
PersonalSign Pro Digital ID for Adobe PDF – Medium Volume
A client based desktop solution designed for organizations with low volume requirements (up to 1,500 annual signings) needing named individuals (e.g. John Smith) to add Certifying or Approval Signatures to PDFs. Authors digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-1 level 2 cryptographic USB token.
DepartmentSign Digital ID for Adobe PDF - low volume
A client based desktop solution designed for organizations with low volume requirements (up to 2,000 annual signings) needing their departments e.g. Marketing Department or Legal Department to add Certifying or Approval Signatures to PDFs. Departments digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-1 level 2 cryptographic USB token.
DepartmentSign Digital ID for Adobe PDF - medium volume
An automated solution to add Certifying and Approval Signatures to important PDFs and designed for organizations with medium volume requirements (up to 5,000 annual signings). A role-based DocumentSign Digital ID e.g. Marketing Department or Legal Department is issued and securely protected on a SafeNet FIPS 140-1 level 2 cryptographic device such as a Luna® PCI card.
Enterprise PKI for Adobe PDF
Includes two options for the Enterprise to manage the full life-cycle of DocumentSign Digital IDs issued under their organization name. For example:
-
Distributed implementations of PersonalSign and DepartmentSign Digital IDs on USB tokens issued to individuals and departments supporting a medium signing transaction level based on an average across all users (1,500 annual for indivuals and 5,000 for departments).
-
Centralized implementations (maintained on the organization's server) DocumentSign Digital IDs for either departments or individuals
Distributed implementations of PersonalSign and Departmentinvolve providing organization administrators (acting as the organization's Registration Authority) a bulk quantity of PersonalSign Pro or DepartmentSign Digital IDs for medium desk top volume Certifying and Approval Signature requirements and the associated Safenet USB tokens used to protect the Digital IDs.
Centralized, server-based implementations work with SafeNet hardware security modules (optionally sold) that are highly integrated with Adobe’s LiveCycle Enterprise Server suite. The net result is a highly automated solution with robust signing functionality for Certifying and Approval Signature to PDFs. Low (up to 25,000 annually),Medium (up to 100,000 annually), and High (up to 500,000 annually volume signings are available. Custom quotes are available for higher volumes. Contact your GlobalSign sales representative for details.
10. How do I enroll for a DocumentSign Digital ID?
Low volume DocumentSign Digital ID’s are provided on USB iKey 2032/4000 cryptographic tokens which are protected by the customer via a customer assigned pass phrase. Higher volume DepartmentSign Digital ID’s are may be provided on tokens too however it is more likely that a HSM (Hardware Security Module) will initially be delivered to the organization and a CSR (Certificate Signing Request) would be submitted to GlobalSign having been generated on the HSM by the Organization/Data Center. The basic purchase process is highlighted below.
11. What happens if I “lock” myself out of my GlobalSign furnished USB token?
During the application process subscriber’s are required to personalize the USB token ‘passphrase’ with a recommended 8+ mix character secret value. This additional level of security is required by the DocumentSign Certification Practice Statement. Subscribers are responsible for remembering the value and will be permanently locked out of their USB token after (10) failed attempts. GlobalSign is unable to retrieve the passphrase and therefore a replacement certificate will need to be ordered at no additional cost. Note special instructions will be provided by GlobalSign on how to reset your token..
12. Where can I get the Adobe Root and GlobalSign for Adobe CA subordinate CA and what is the root hierarchy?
Visit http://www.globalsign.com.au/document-security/adobe-cds/adoberoot.cer for the Adobe Root; Visit http://secure.globalsign.net/cacert/GlobalSignCDS.crt or http://secure.globalsign.net/cacert/GlobalSignCDS.der for the Adobe CA subordinate CA in CER and DER format.
The Adobe root hierarchy is a high security PKI implementation as follows:
See FAQ for more details on how to install the Adobe Root CA using your Internet Explorer Browser.
13. What information does the DocumentSign Digital ID contain?
PersonalSign Pro Digital IDs for Adobe PDF typically contain the following information:
Organization: ABC Company
Organization Unit (Optional): 123 Business Unit
Common Name: e.g. John Doe or Marketing Department
Email (Optional): e.g. john.doe@yahoo.com
Country Code: e.g. US
State: e.g. Massachusetts
Locality:: e.g. Boston
14. What Adobe applications work with CDS?
Acrobat CDS Authoring Products:
Acrobat Professional v6.x through 9.x
Acrobat Standard v6.x through 9.x
Adobe LiveCycle Document Security Server v8.x and LiveCycle ES Digital Signatures
Acrobat CDS Validation Products:
Acrobat Professional v6.x through 9.x
Acrobat Standard v6.x through 9.x
Acrobat Elements v6.x through 9.x
Adobe Reader v6.x through 9.x
Adobe LiveCycle Document Security Server v.8.x and LiveCycle ES Digital Signatures
15. Where can I learn more about digitally signing Adobe PDF documents?
Go to the Adobe product help section and search under “digital signature” for detailed information.
16. What technical requirements do I need to use a DocumentSign Digital ID?
Software requirements for the SafeNet iKey 2032 USB token
Your computers must contain one of the following Microsoft operating systems:
Windows Server 2003
Windows XP Professional (SP 2)
Windows Vista
Microsoft Internet Explorer V5.5 SP2 or higher
At this time support for the iKey supports both 32 bit and 64 bit versions of the Vista operating system
Hardware requirements for the SafeNet iKey 2032 USB token
An available USB port for your USB iKey token
Minimum of 128MB of RAM
Software requirements for Adobe Acrobat Reader.
http://www.adobe.com/products/reader/productinfo/systemreqs/index.html
Software requirements for the Adobe Acrobat Family.
http://www.adobe.com/products/acrobatpro/productinfo/systemreqs/
17. How can I learn more about server-based CDS implementations?
Contact GlobalSign Sales on (AU free call) 1800 447 568sales-apac@globalsign.com to learn more about highly automated CDS solutions.
18. Where can I find the USB token drivers for XP / Vista systems?
Click below and select Save As. Double click the application to begin installation of drivers.
DocumentSign for Adobe PDF 32 bit Drivers for 32 bit operating systems
DocumentSign for Adobe PDF 64 bit Drivers for 64 bit operating systems
Remember to reboot after driver installation and prior to initiating your first signature through Acrobat.
Please note that previous programs you have installed may also have used InstallShield and therefore may require temporary files to be removed. You will be presented with the following error screen if this is the case.
To correct the problem, please delete the following directories.
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10
and/or
C:\Program Files\Common Files\InstallShield\Professional\RunTime\11
19. Where can I find the USB token Utilities for XP / Vista systems?
Click below and select Save As. Double click the application to begin installation of the utilities.
www.globalsign.com/support/adobe/documentsign.msi
Click here to view a demonstration on how USB Token Utilities and Drivers are installed
20.What do I do if my DocumentSign Digital ID is lost or stolen?
DocumentSign Digital ID holders should immediately report their lost or stolen certificate to their company administrator that issued their CDS certificate. A request for revocation form is located in the GlobalSign Repository.
21. How does a DocumentSign Digital ID differ from any other x.509v3 certificate?
No need for pre-established or pre-understood trust decisions, no need for software plug ins, no desktop or client side configuration, no swapping trusted CAs. No special configuration for time-stamping and revocation checking. It’s already integrated and ready to use out of the box.
22. How does time-stamping work?
DocumentSign Digital IDs contain a special extension that supported Adobe products will use to gain access to a highly available and highly trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature.
23. How long will my signature remain valid?
If digitally signed on-line, with a valid timestamp and revocation check using Acrobat default settings, your signature shall remain valid well after the certificate has expired or even if it was revoked after the fact. However, note both Adobe Acrobat and LiveCycle Server are highly configurable. Depending on configuration settings on particular versions, signature validation may rely on different methods. Consult your Adobe product specific documentation for more details.
24. What are the differences between Certified and Approval signatures?
Most digital signatures are referred to as approval signatures. Signatures that certify a PDF are called certifying signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature. A certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel.
Approval signatures are performed when someone signs a document to show consent, approval, or acceptance. A certified document is one that has a certification signature applied by the originator when the document is ready for use. The originator specifies what changes are allowed; choosing one of three levels of modification permitted:
no changes
form fill-in only
form fill-in and commenting
Valid approval signatures produce a “green check mark” and certified signatures produce a “blue ribbon”. Both types of digital signatures provide embedded OCSP and RFC 3161 compliant services resulting in valid signatures well past the life of the DocumentSign Digital ID that signed them.
See example of a Certified PDF containing Approval Signatures
25. What are some possible reasons on why my valid DocumentSign Digital ID produced a “question mark” at document opening?
Potential issues could be as follows:
Port 80 is blocked, therefore supported Adobe products cannot reach the OCSP and/ or Time-stamping servers needed for validation
The document of digital signature was performed “off-line”
Author or recipients are not signing or validating with Adobe Reader or Acrobat 6.0+
26. Why isn’t the ikey USB token drivers installing on my Vista operating system?
One reason may be your User Account Control (UAC) setting. You may need to disable the UAC by going to the Windows Vista Control Panel and select User Accounts:
Click on the option for Turn User Account Control On or Off:
Uncheck the Use User Account Control (UAC) to help protect your computer:
This must be done prior to installing the drivers and re-enable after successful driver installation. You may reinstate User Account Control after installation for security for your system.
27. Quick start help guide:
http://www.globalsign.com/support/adobe/QuickStartGuide.pdf
28. I'm having difficulty enrolling with Vista and Internet Explorer 7/8. Are there any special security settings I should be aware of?
Yes, because of the unique nature of the Adobe Root that is not inherently trusted in Windows, and the Active X controls required to install the digital ID on the required Cryptographic Service Provider, there are several security settings that require modification. Subsequent to successful certificate enrollment, GlobalSign strongly recommends that default settings be re-established.
Click here to view a demo on how to import the Adobe Root into your Windows Root Trust Store
Click here to view a demo on how to install a DocumentSign USB token Digital ID
!!Please note that you MUST set your active X and trusted sites settings back to their current setting once you have installed your CDS Certificate!
29. I've upgraded my Acrobat and now Acrobat can't find my certificate on my token.
Although, Acrobat should be able to “discover” your digital ID on your USB token (after initial set-up that includes installation the USB drivers and token utilities and installing the certificate using the Microsoft IE browser), upgrades may disturb certain settings that required you to modify Acrobat security settings. In the remote case, you experience this problem, try adding the PKCS11 SafeNet DLL manually by following the following steps using Adobe Acrobat:
1. Click on "Advanced" located on the top menu bar
2. Select "Security Settings"
3. Select "Digital IDs"
4. PKCS#11 modules then browse for the dkck201.dll found in your Systems32 folder.
30. How do I configure the appearance of the visible signature block for certifying and signing?
Please view the following demo, which highlights how the appearance can be modified. Please note that the signature imported into the signature block is itself a PDF document to aid readability if the signature block is small.
Please click here to view a demonstration of how to configure the appearance of the visible signature block
31. How do I certify a document?
Please view the following demo, which highlights how to certify a document and verify the signature.
Please click here to view a demonstration on how to certify a document
32. How do I set my CDS digital certificate as a default option for certifying my documents?
Please view the following demo, which highlights how to configure the default signature choice and personalize the description.
Please click here to view a demonstration of how to configure the default signature choice
33. I’m using Adobe writer for the first time and there seem to be lots of option boxes. How should I answer the questions?
Please view the following demo, which shows which choices you need to make the first time you sign a document. Your second signature onwards will be far quicker by choosing the ‘remember this option’ check boxes as shown
Please click here to view a demonstration on which choices need to be made the first time you sign a document.
34. Are there any special Windows 7 considerations that I should be aware of when installing the
SafeNet iKey token drivers?
Yes, aside from enabling all Active X settings, Vista W7 users should modify security “Download” settings to “enable” all downloads as depicted in the screen shot below.
|
