Desktop PDF Converter and Server PDF Converter :: Rainbow PDF
 




Understanding Rainbow PDF Digital Signature

  1. Rainbow PDF Digital Signature has two separate program parts:

    Part 1: The PDF Signature Module is a component that signs, encrypts or verifies a PDF. These functions are accessed via a command-line program or the .NET, Java or C++ API. This part of the program can be integrated with other applications such as content and document management systems.

    Part 2: The GUI setting program is used for creating and saving signatures. It is a tool for specifying default parameters for signatures. These parameters are saved in a setting XML file. The PDF Signature Module imports the setting file when it runs and uses these parameters as default values.

  2. Rainbow PDF Digital Signature offers encryption functions using either PKI (public key infrastructure, public certificates) or passwords.

  3. Rainbow PDF Digital Signature is a tool independent of XSL Formatter, but it may be called from the Antenna House XSL Formatter software. When used in conjunction with Formatter, the signature field is specified within XSL-FO and the digital signature module signs the PDF that Formatter outputs.


How to Create a Digital Certificate

Creating a self-signed signature through the Windows Certificate Store

First, to create a digital signature with Rainbow PDF Digital Signature, a digital certificate with a private key must be registered with the Windows Certificate Store. Certificates within the Windows Certificate Store can be used by both Windows programs (via the Windows CryptoAPI) and Adobe Acrobat programs.




To access the Windows Certificate Store:
[Run] [Internet Explorer] [Tools]
[Internet Options] [Content Tab] [Certificates]

There are a few kinds of certificates within the Windows Certificate Store:

Personal Tab - Digital certificates with a private key and a public key are listed under this tab.

These are the certificates you will use when applying a digital signature (signing with a digital signature).

Other People Tab - Digital certificates with a public key only are listed under this tab.

These are certificates used for sending encrypted PDFs (sending PDFs so that only a recipient with the corresponding private key can open them).

In the most basic terms, a public key can be thought of as a mail address, while the private key is used to sign PDFs and to open mail sent to the associated public key (mail address).


Note: Using Rainbow PDF Digital Signature with a Windows certificate offers users the option to issue a self-signed certificate, similar to those used in Acrobat programs.

If public verification of signatures is not necessary, this option is a very low cost alternative to the fees associated with signatures verified by Certificate Authorities. The Windows Certificate Store mentioned above can be used to issue and manage digital signature keys for these applications. Managing the security of this information is done within the organization.

However, self-signed certificates do not have an independent trusted anchor who has checked and can vouch for the “signature being associated with an individual.” Therefore, self-signed signatures cannot be validated by Adobe’s PDF Reader. The reader will display a message that the signature on the PDF cannot be verified. For most business transactions a self-signed signature is sufficient.
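
One way to issue a self-signed signing certificate into the Personal store and hand out only its public half, as an added example (not Rainbow PDF's own tooling). It assumes Windows 10 or Server 2016 or later, where New-SelfSignedCertificate accepts these parameters; the function name, subject and file path are constructed.

```powershell
# Added example: create a self-signed signing certificate in the Personal store
# and export the certificate without its private key.
function New-PdfSigningCertificate {
    param(
        [string]$Subject    = 'CN=Example Signer, O=Example Org',          # constructed
        [string]$PublicPath = (Join-Path $env:TEMP 'example-signer.cer'),  # constructed
        [int]$ValidYears    = 2
    )

    $params = @{
        Type              = 'Custom'
        Subject           = $Subject
        KeyUsage          = 'DigitalSignature', 'NonRepudiation'
        KeyAlgorithm      = 'RSA'
        KeyLength         = 2048
        HashAlgorithm     = 'SHA256'
        # The private key cannot be exported to a .pfx file afterwards.
        KeyExportPolicy   = 'NonExportable'
        NotAfter          = (Get-Date).AddYears($ValidYears)
        # "My" is the store shown as the Personal tab.
        CertStoreLocation = 'Cert:\CurrentUser\My'
    }
    $cert = New-SelfSignedCertificate @params

    # Public certificate only: this is the file recipients file under
    # Other People (store name AddressBook).
    Export-Certificate -Cert $cert -FilePath $PublicPath -Type CERT | Out-Null

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey
        PublicFile    = $PublicPath
    }
}

New-PdfSigningCertificate

# On a recipient's machine (public certificate only):
# Import-Certificate -FilePath .\example-signer.cer -CertStoreLocation 'Cert:\CurrentUser\AddressBook'
```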

If public verification of signatures is necessary for a higher level of security, the Rainbow PDF Digital Signature Module can be used in conjunction with a certificate issued by a Certificate Authority. This will enable a viewer to check that the signature on a document is associated with an individual. Certificate Authority signatures are stored in the Windows Certificate Store. The security of the server that holds the signatures is paramount for protection of the individuals’ private keys.

Adobe PDF Reader property pane view of Certificate Authority issued digital signature:


Other Devices

Other devices such as USB Tokens, or IC cards (Smart Cards) may be used to store certificates for Rainbow PDF Digital Signature.

How to get a certificate of identity verification associated with your digital signature

There are various certificate authorities (CAs), such as VeriSign, GlobalSign, IdenTrust, GeoTrust, Thawte, ChosenSecurity, etc., from which you may obtain a certificate that accompanies your signature. When a CA issues a certificate for you, the CA signs your certificate with the private key of the CA’s own certificate. This “double signature” means that the person associated with the signature presented some form of identification when it was issued. (Credentials can vary from in-person verification to email combined with IP address, voice and phone verification.) Signatures with CA backing offer a higher level of signature authenticity to a recipient.

For example, if you receive an electronic bank notification requesting information relevant to your account, you, as the receiver, would wish to check that the document was signed and sent by your bank official. In this case a third-party certificate validating the signature of the sender would be important to you.

The root CA is the trusted third-party anchor for a certificate. The degree of trust associated with your certificate is judged in two ways.

First, if it is possible to trace an unbroken chain from your certificate to the trusted anchor (root authority), then the certificate and digital signature have been “vouched for” by a respected, trustworthy third party who is required to maintain strict standards.

Second, if the certificate associated with the signature is kept current and is not listed on a Certificate Revocation List (CRL), the signature holds a high level of legitimacy.

Rainbow PDF Digital Signature clears its CRL cache every six hours so that it can display the most up-to-date information from Certificate Authorities about revoked or expired (invalid) signatures.
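
The two trust checks described above, applied to every certificate with a private key in the Personal store. This is an added example that uses the Windows/.NET chain engine, not Rainbow PDF's own verification code or its CRL cache; the function name and verdict strings are hypothetical.

```powershell
# Added example: for each signing certificate, test (1) whether it chains to a
# trusted root and (2) whether it is current and not revoked.
function Test-SigningCertificateTrust {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # the Personal tab

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

        # Check 2: fetch revocation data (CRL/OCSP) for every chain element
        # below the root.
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'

        # Check 1: Build() is $true only when the chain ends at a trusted
        # root and no element reported an error.
        $trusted = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $length  = $chain.ChainElements.Count

        $verdict =
            if     ($trusted)                                 { 'Chains to trusted root, not revoked' }
            elseif ($status -contains 'Revoked')              { 'Revoked' }
            elseif ($status -contains 'NotTimeValid')         { 'Expired or not yet valid' }
            elseif ($status -contains 'UntrustedRoot')        { 'No trusted anchor (self-signed or private CA)' }
            elseif ($status -contains 'PartialChain')         { 'Chain is broken before the root' }
            elseif ($status -contains 'RevocationStatusUnknown' -or
                    $status -contains 'OfflineRevocation')    { 'Revocation status could not be obtained' }
            else                                              { 'Other chain error' }

        $chain.Reset()

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            ChainLength = $length
            Verdict     = $verdict
            ChainStatus = ($status -join ', ')
        }
    }
}

Test-SigningCertificateTrust | Format-List
```

A self-signed certificate that has not been added to the trusted roots reports `UntrustedRoot`, which corresponds to the reader message that the signature cannot be verified.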

Note: Digital Signatures are on record with the Windows Certificate Store. Therefore, it is important that a secure environment is established for the server that handles these certificates.