Have you just digitally signed a document or received a document with an electronic signature? Do you want to validate these electronic signatures? Adobe has implemented a feature right in their PDFs that allows users of its software suite to verify the validity of electronic signatures very quickly.
Using colour codes to validate electronic signatures
You may have already seen that you can instantly validate signatures right in Adobe Acrobat Reader when you open your signed PDF.
You can see these signature verifications in a banner displayed at the top of the document. This banner can show one of three signature statuses:
- A green tick with the message: "Signed and all signatures are valid"
- An orange mark with the message: "At least one signature has problems"
- A red cross with the message: "At least one signature is invalid"
Everyone can agree that it is best that the signature comes with a green tick when the PDF is opened. However, while a red cross means that one or more signatures are invalid, an orange mark does not always mean there is a problem.
Seeing the green and orange ticks for what they really are
To validate electronic signatures, Adobe Acrobat Reader has several criteria that it uses to "classify" signatures.
The PDF reader checks the document's integrity from a purely structural standpoint: Is the data consistent with what was signed? Was the PDF altered after the signature?
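An added example, not part of the original article and not Adobe's code: the structural question "was the PDF altered after the signature?" can be checked from the signature's /ByteRange array, which lists the two byte spans the signature digest covers. The sketch below only reports coverage and does not verify the cryptographic digest or the certificate; the sample bytes are constructed, not a real signed file.

```python
import re

# /ByteRange [off1 len1 off2 len2]: the two byte spans covered by the signature digest.
# The only unsigned region should be the /Contents hex string between them.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_coverage(pdf):
    """Report, for each signature found, whether its ByteRange covers the whole file."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        off1, len1, off2, len2 = (int(g) for g in m.groups())
        gap = pdf[off1 + len1:off2]
        problems = []
        if off1 != 0:
            problems.append("signed range does not start at byte 0")
        if off2 < off1 + len1 or off2 + len2 > len(pdf):
            problems.append("ranges overlap or run past end of file")
        elif not (gap.startswith(b"<") and gap.endswith(b">")):
            problems.append("unsigned gap is not exactly the /Contents hex string")
        trailing = max(len(pdf) - (off2 + len2), 0)  # bytes added after signing
        reports.append({
            "byte_range": (off1, len1, off2, len2),
            "covers_whole_file": not problems and trailing == 0,
            "trailing_unsigned_bytes": trailing,
            "problems": problems,
        })
    return reports

def build_sample():
    """Constructed, minimal PDF-like bytes holding one signature dictionary."""
    fmt = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    contents = b"<" + b"00" * 16 + b">"      # placeholder signature value
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(fmt % (0, 0, 0))              # fields are fixed width, so this is stable
    off2 = len1 + len(contents)
    return fmt % (len1, off2, len(tail)) + contents + tail

if __name__ == "__main__":
    signed = build_sample()
    updated = signed + b"2 0 obj\n<< /Note (added later) >>\nendobj\n%%EOF\n"
    for label, data in (("as signed", signed), ("with appended update", updated)):
        print(label, signature_coverage(data))
```

Trailing unsigned bytes are not proof of tampering on their own (a later signature or a permitted form fill also appends data), but they mark content this signature does not vouch for.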
Since signatures use a certificate, Acrobat analyses this certificate to determine whether it was expired or revoked when it was used, and whether it appears in the certificate store, when deciding whether to consider it trusted. There are several ways to obtain Acrobat's trust:
The first way is to be on the EU Trusted List (EUTL), governed by the European regulation in force (also called eIDAS). The EU Trusted List only includes qualified services. This is the highest level in Europe. This qualification is based on:
- a face-to-face identity check of the signer
- security measures applied to the entire certificate issuing service
- a security audit to which the qualification is subject and the results of which are confirmed by ANSSI.
Unlike AATL, the requirements and rules for appearing on this list are governed by European regulations. For now, this list is the only one with an objective legal value.
Another way to gain trust is to be on the AATL (Adobe Approved Trust List) for certification authorities. This Adobe-specific programme includes certificate authorities on the basis of technical requirements that are dictated entirely by Adobe. These lists are managed by the American company, according to the rules that it itself has made. Of course, these rules are subject to change by Adobe.
Finally, the certification authority that issues the certificate can be added manually on a specific workstation. In that case, if the signatures included in the document are verified on the local system where the authority was manually added to the certificate store's trusted authorities, Acrobat Reader will display a green tick. However, if the same document is opened on a PC that does not belong to the same network, the tick will have a different colour.
So, to get a green tick in Acrobat and validate your electronic signature, you need to be on either the AATL or the EUTL or, even better, on both lists.
How can a valid signature still result in an orange tick?
There are grey areas where a certification authority can get an orange tick even though it complies with the appropriate rules and regulations.
For example, in the case of advanced signatures, being on the AATL or the EUTL is no longer enough to get a green tick.
Another selection criterion comes into play: the level of certification to verify the electronic signature.
We won't go into the details about the various signature levels since we have already written a full article on it. For advanced signatures, everything comes down to the certificate level used. There are six, but for the purposes of this article we will refer to two:
- LCP (Lightweight Certificate Policy): LCP is governed by eIDAS and consists of an identity check against a proof of identity uploaded via a platform
- NCP (Normalized Certificate Policy): NCP is an LCP with an in-person, face-to-face proof with the signer.
Thus, an advanced signature with an LCP certificate can be certified and respects eIDAS regulations. However, this same advanced signature will be given an orange tick instead of a green tick in Adobe Acrobat Reader.
Thanks to Acrobat Reader, validating electronic signatures in documents is extremely easy.
However, the colour-coding system trades nuance for clarity. Obviously, the green tick in Acrobat is a good sign but is not necessarily the final word when validating an electronic signature. On the other hand, the red cross obviously indicates that the signatures are totally invalid. The orange mark is somewhere in between and must be qualified. An orange mark is not always proof of a problem with the integrity of the signatures present in your document.