I’ve been getting a few laughs lately at presentations when I show this PDF supposedly from the US Congress claiming (on page 20) that budget is being set aside “to further the mission to capture and hold all the territories currently known as New Zealand and Australia”. I joke with the audience that obviously this is not a real document or we’re all in a lot of trouble, but the real point is:
How would you know if the document is real or not?
Can you trust the person who gave it to you?
Who / where did they get it from?
Did someone hack the document?
Looking at things like the time & date stamp or the document metadata may give you some ideas, but these can be easily modified…
Have a look at the real US Congress document here and you’ll notice one small difference: the blue certification bar at the top of the document. In Adobe terms this is called a Certified Document, a PDF document that has been wrapped in a digital ID that enforces the document’s creation time, author and integrity. It doesn’t matter how you obtain the document, from a trusted source or not; the blue bar and certificate are telling you that this is a trusted document.
So what makes the blue bar trustworthy? It’s a combination of Reader & Acrobat and a trusted certificate. Each trusted document must be wrapped in a digital ID, the document must not have changed, and the certificate must be trusted by Adobe Reader or Acrobat.
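The "document must not have changed" condition depends on the signature's /ByteRange entry, which lists the bytes the signature covers. The Python example below is added here and is not code from Adobe or the original post: it checks structurally that the signed range covers the whole file except the signature blob, and whether the signature carries the DocMDP transform that marks a certification signature. It does not validate the cryptographic signature or the certificate's trust, and the sample bytes and function names are constructed for illustration.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
DOCMDP = re.compile(rb"/TransformMethod\s*/DocMDP")  # marks a certification signature

def inspect_signature(pdf: bytes) -> dict:
    """Structural checks on the first signature in a PDF (no crypto, no trust chain)."""
    m = BYTE_RANGE.search(pdf)
    if not m:
        return {"signed": False}
    start1, len1, start2, len2 = map(int, m.groups())
    gap = pdf[start1 + len1:start2]  # the only bytes the digest is allowed to skip
    return {
        "signed": True,
        "certified": bool(DOCMDP.search(pdf)),
        "starts_at_zero": start1 == 0,
        # The gap must hold nothing but the hex string carrying the signature.
        "gap_is_contents_only": bool(re.fullmatch(rb"<[0-9A-Fa-f]+>", gap)),
        # Anything after the second range is not covered by the signature.
        "trailing_unsigned_bytes": len(pdf) - (start2 + len2),
    }

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed, minimal PDF-like byte string with a dummy signature blob."""
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    def head(len1: int, start2: int, len2: int) -> bytes:
        return (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig "
                b"/Reference [<< /TransformMethod /DocMDP >>] "
                + f"/ByteRange [0 {len1:010d} {start2:010d} {len2:010d}] ".encode()
                + b"/Contents ")
    len1 = len(head(0, 0, 0))  # fixed-width numbers keep the offsets stable
    return head(len1, len1 + len(contents), len(tail)) + contents + tail + appended

if __name__ == "__main__":
    print(inspect_signature(build_sample()))
    print(inspect_signature(build_sample(b"2 0 obj\n<< /Added true >>\nendobj\n%%EOF\n")))
```

A non-zero `trailing_unsigned_bytes` means the file was extended after it was signed, which is the case a reader application has to evaluate against the certification's permitted changes.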
Certifying the document is easy. Adobe Acrobat has allowed you to perform this function for many versions; however, a user must perform this action at the desktop. Adobe LiveCycle ES allows you to automatically certify documents either in batch mode via watch folders and other inputs, or in real time as documents and forms are generated.
In both cases you need to obtain a digital certificate that is trusted by Adobe Reader & Acrobat. In a small group you can create a “Self Signed” certificate and share it between your colleagues, but that doesn’t scale well. For this reason, Adobe supports industry standard digital certificates provided by Verisign and other vendors.
When you open a certified document with a certificate that you haven’t seen before, you will need to “trust” the certificate’s origin. If it is a self-signed certificate you’ll want to double check it’s from the person you think it is before trusting it. Trusting a certificate from a known certificate vendor like Verisign is easier as they verify the ID prior to issuing the certificate; that way you won’t end up with someone pretending to be the White House.
To make things even easier, Adobe has for a few years run a Certified Document Service program, where providers such as GeoTrust provided certificates that were automatically trusted by Reader. This is what the White House are using in the example above to make it easy for end users to trust the published files.
Finally, Adobe have added something new called the “Adobe Approved Trust List” or AATL, where Adobe pre-approves vendors and certificate authorities based on strict authentication standards guidelines and places them on this “list” once approved. Members of this list can then distribute content that is automatically authenticated and verified. This means, if you are on this trust list, the content you email to users of Acrobat 9 and Reader 9 will be pre-approved and recipients will not need to go through the usual route of authenticating a document before it is opened. The goal is to simplify the use of digital signatures in order to boost adoption. For more information on AATL check out the Security Matters blog.
So now we have a way to provide trusted documents to anyone who uses Adobe Reader, using either Adobe Acrobat or LiveCycle ES to add our trusted certificate. Do people trust your documents?