This subject has been on and around our plates for some time. That said, it is on the road map now and we are seriously investigating and considering it for a future release.
So, as I do, I have looked up the "what", "how" and "when" of digital signatures...to allow all of us to better understand the basic principles of this *thing*.
"In essence, a digital signature is a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic or genuine. Authentic means that one knows who created the document and one knows that it has not been altered in any way since that person created it.
Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures.
There are several ways to authenticate a person or information on a computer:
- Password
- Checksum
- CRC (Cyclic Redundancy Check)
- Private key encryption
- Public key encryption
- Digital certificates
The Digital Signature Standard (DSS) is based on a type of public key encryption method that uses the Digital Signature Algorithm (DSA). The format for digital signatures that has been endorsed by the US government is DSS. The DSA algorithm consists of a private key that only the originator of the document (signer) knows and a public key."
Meanwhile, some customers have shown real originality in dealing with the issue. Take the City of Lisbon, Portugal, where Henrique Saias has faced the problem head-on and has currently implemented a workaround.
For now, they rely on a signed declaration, which states that the DWF file is a digital version of the legally verified and signed paper version they are still to receive.
"A document management software is used in the process to ensure that digital documents cannot be changed.
The application receives the DWF files, manages their versions and enforces strict access rules. The application extracts vector data when the DWF files are first uploaded. As part of the process, users are only granted rights to upload data at this point. Following that, data is compressed and stored in a database. From here on, the DWF file enters the approval process and every time a user accesses a specific DWF file, vector data is compared with the data previously stored in the database.
For added security, XML data is also stored for any markups that might be created as part of the review process and saved in the same database. Once all data has been saved, DWF files are deleted and not saved. Should the same DWF be accessed again going forward, users do have the option to display markups stored earlier in the process."
Note: This is a custom application, developed to handle this particular process.
--Volker
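The upload-once, compare-on-access workflow described for the Lisbon application can be sketched as follows. This is an added example, not part of the original post and not the city's actual code; `extract_vector_data`, `DrawingStore`, the table layout and the sample bytes are assumptions made for illustration.

```python
import hashlib
import sqlite3
import zlib

# Constructed sample bytes standing in for an uploaded drawing (not a real DWF).
ORIGINAL = b"constructed-vector-data: line 0,0 10,0; line 10,0 10,5"
TAMPERED = ORIGINAL.replace(b"10,5", b"10,6")


def extract_vector_data(dwf_bytes: bytes) -> bytes:
    """Hypothetical stand-in for the application's DWF vector extraction."""
    # Assumption: the whole file content is treated as the vector data.
    return dwf_bytes


class DrawingStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE drawings (name TEXT PRIMARY KEY, digest TEXT, vectors BLOB)"
        )

    def upload(self, name: str, dwf_bytes: bytes) -> str:
        """First upload only: compress and store the extracted vector data."""
        vectors = extract_vector_data(dwf_bytes)
        digest = hashlib.sha256(vectors).hexdigest()
        try:
            with self.db:  # commits on success, rolls back on error
                self.db.execute(
                    "INSERT INTO drawings VALUES (?, ?, ?)",
                    (name, digest, zlib.compress(vectors)),
                )
        except sqlite3.IntegrityError:
            # Upload rights exist only at the first upload; refuse replacement.
            raise PermissionError(f"{name}: already uploaded") from None
        return digest

    def verify_on_access(self, name: str, dwf_bytes: bytes) -> bool:
        """Compare the presented file's vector data with the stored copy."""
        row = self.db.execute(
            "SELECT digest, vectors FROM drawings WHERE name = ?", (name,)
        ).fetchone()
        if row is None:
            return False  # unknown drawing: nothing to compare against
        stored = zlib.decompress(row[1])
        # Also check the stored copy against its digest to catch database damage.
        if hashlib.sha256(stored).hexdigest() != row[0]:
            return False
        return stored == extract_vector_data(dwf_bytes)
```

A check like this detects changes relative to the stored copy only; it does not establish who created the file, which is the part a digital signature adds.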
My name is Olga and I work for a company that specializes in digital signatures.
I liked the article - it's very well written and very objective.
If you're interested, there's some useful background (non-commercial) information about digital signatures at http://www.arx.com/digital-signatures-faq.php
Posted by: olga | April 26, 2008 at 07:11 AM
It's surprising to me that the DWF team at Autodesk is behind the curve on digital signatures. The PDF folks have this one figured out. This issue is going to increase resistance to switching from PDF to DWF, despite all the reasons DWF is better. I'm a structural engineer. Both of the states where I do most of my work, Oregon and Washington, have laws enabling digital signatures for engineers. (Architects too, I believe.) Oregon permits self-signed certificates. Washington requires independent certificate issuance (Verisign). Agencies (ODOT, for example) are starting to expect digital signatures; they want to get away from paper, too, but have to have authentication. I use CutePDF Professional for this purpose. It uses PKCS#12 for X.509 keys. See the Wikipedia article. This standard can accommodate multiple signatures, which is important when more than one professional is signing a drawing. When you folks implement digital signatures, pay attention to the image layering used by Adobe. If a seal raster image has an opaque background it can be allowed to blot out the "signature valid" and "signature not verified" messages while permitting the "signature invalid" message to always be on top. This is important because it allows the documents to have their traditional appearance unless invalid. See http://www.adobe.com/security/pdfs/samplesignatures.pdf and the Acrobat Digital Signature Appearances document. Adobe got this right; CutePDF got it wrong, but there is a workaround. Autodesk needs to move on digital signatures. It's becoming an obstruction to progress.
Posted by: Thomas B. Higgins, P.E. | July 10, 2009 at 06:23 PM
Digital signatures were introduced with Autodesk Design Review 2010.
Thank you.
Posted by: Volker Joseph | July 10, 2009 at 06:25 PM