ManiacClown
May 30, 2002

Gone, gone, O honky man,
And rise the M.C. Etrigan!

We'd like to take our various forms digital and we know we can do this with PDF signature fields. However, we've realized that we need to be able to verify that the signature is indeed the person who's signing it and not just someone who wants to make it look like a higher-up signed a purchase order for the new printer they know they can't have. It seems that the best way to do this would be to use a certificate server, but none of us are sure how to set one up or even what we need to do so. Alternately, if there's a way we can force the appearance of users' signatures so they always include their AD distinguished name, that would seem to work too. Can anyone tell us how to go about this?

Edit: I've tried searching, but I'm not turning up what appears to be any useful information.

ManiacClown fucked around with this message at 17:09 on May 10, 2016


Ben Murphy
Sep 9, 2001

I like him in spite of the fact that he's not me.
I'm assuming you are on a Windows domain and you have access to your domain controller?

If yes, then you can make your DC the directory/time server in Acrobat and get sigs that look like this with all the important OU info:



A good place to start is here: https://helpx.adobe.com/acrobat/using/certificate-based-signatures.html

You'll set the preferences in Acrobat for each user.

How many people in your org? I remember doing something similar for a client that only had 3-4 users that wanted PDF signing and S/MIME sigs in emails (and wanted it as cheap, read free, as possible) so I used trusty StartCom SSL certs to get the job done.

No central way to manage those certs though and they need to be renewed once a year, but for FREE, you can't beat them.

DigiCert for example offers something similar to what you want but we're talking up to 500 users, and it's almost $400 a year: https://www.digicert.com/document-signing/

ManiacClown
May 30, 2002

Gone, gone, O honky man,
And rise the M.C. Etrigan!

So there's no way to centrally manage the appearance of signatures? I figured as much, since that's probably not something you can set with group policy. As far as just using the Distinguished Name as listed in AD, we could probably get by with just that instead of fiddling with certificates, so we could definitely set that option in users' copies of Reader. Then again, we should make them as unassailable as possible. We've only got about 200 users, so we're not very big, but at the same time we need absolute accountability as to who signed something.

Edit: I should add that I have discovered the Acrobat Customization Wizard DC and I'm tinkering with it. I just don't fully understand everything in it yet.

ManiacClown fucked around with this message at 19:59 on May 11, 2016

Malcolm XML
Aug 8, 2009

I always knew it would end like this.

ManiacClown posted:

We'd like to take our various forms digital and we know we can do this with PDF signature fields. However, we've realized that we need to be able to verify that the signature is indeed the person who's signing it and not just someone who wants to make it look like a higher-up signed a purchase order for the new printer they know they can't have. It seems that the best way to do this would be to use a certificate server, but none of us are sure how to set one up or even what we need to do so. Alternately, if there's a way we can force the appearance of users' signatures so they always include their AD distinguished name, that would seem to work too. Can anyone tell us how to go about this?

Edit: I've tried searching, but I'm not turning up what appears to be any useful information.

certificate signing provides authentication (only)

you need authorization and accounting on top of those signatures

why are you letting unauthorized users have access to signing private keys?

ManiacClown
May 30, 2002

Gone, gone, O honky man,
And rise the M.C. Etrigan!

Malcolm XML posted:

certificate signing provides authentication (only)

you need authorization and accounting on top of those signatures

why are you letting unauthorized users have access to signing private keys?

To explain what we're looking at, we'd like to be able to take a lot of routine forms paperless, like leave slips and reimbursements. If someone needs to fill out, say, a leave slip we'd like them to be able to sign it themselves and then send it to their supervisor, who can then sign it themselves and pass it along to Payroll. Purchase orders require several signatures and using PDF signatures would really speed up the process for a lot of things. Is there a problem with our logic here?

Basically, whether certificates or a simpler way of being able to prove to a reasonable certainty (FIPS compliance would be nice if it's easy, but I'm sure it isn't) that Person X signed a form, even if it's just showing the Distinguished Name to show that the person was logged on when the form was signed and what's that? You say you didn't sign it even though it shows you were logged in? Well, that introduces another problem entirely, dear user.

ManiacClown fucked around with this message at 14:58 on May 13, 2016

Troubadour
Mar 1, 2001
Forum Veteran
It sounds to me like workflow software (or software with that functionality) would be the better solution.

You define a process as e.g.: user starts leave request --> the request goes to the supervisor --> request goes to other people for approval --> substitute or whoever else gets a notification --> finally the request is converted to PDF and stored in a digital personnel file.

Each user has their own account/password, or you can set up SSO that uses the AD for authentication, whatever. That gives you traceability.

My company's software can do this really easily but I know there's a bunch of alternatives too. I'd have no problem taking this to PM if you want some more info...

Malcolm XML
Aug 8, 2009

I always knew it would end like this.

ManiacClown posted:

To explain what we're looking at, we'd like to be able to take a lot of routine forms paperless, like leave slips and reimbursements. If someone needs to fill out, say, a leave slip we'd like them to be able to sign it themselves and then send it to their supervisor, who can then sign it themselves and pass it along to Payroll. Purchase orders require several signatures and using PDF signatures would really speed up the process for a lot of things. Is there a problem with our logic here?

Basically, whether certificates or a simpler way of being able to prove to a reasonable certainty (FIPS compliance would be nice if it's easy, but I'm sure it isn't) that Person X signed a form, even if it's just showing the Distinguished Name to show that the person was logged on when the form was signed and what's that? You say you didn't sign it even though it shows you were logged in? Well, that introduces another problem entirely, dear user.

OK, so I'm not understanding what the log-on gets you. Presumably you have an association of key -> user anyway, so it doesn't matter if the user is logged in or not; if the supervisor signed the form then someone had access to the supervisor's private key. If you lose the privacy of the private key then anyone with that key can spoof whatever data they want signed with it.

Malcolm XML
Aug 8, 2009

I always knew it would end like this.

Troubadour posted:

It sounds to me like workflow software (or software with that functionality) would be the better solution.

You define a process as e.g.: user starts leave request --> the request goes to the supervisor --> request goes to other people for approval --> substitute or whoever else get a notification --> finally the request is converted to PDF and stored in a digital personnel file.

Each user has their own account/password, or you can set up SSO that uses the AD for authentication, whatever. That gives you traceability.

My company's software can do this really easily but I know there's a bunch of alternatives too. I'd have no problem taking this to PM if you want some more info...

Yeah, you want this. Whether or not you set up a cert-based thing to actually handle the signatures is a bit beside the point when you want accountability and authorization. Having a cert per user to deal with authenticating signatures basically only allows you to say "you or someone with your private key signed the following information" and that's it. It's up to some other system to handle whether that user was authorized to have that key, and the accounting system allows you to have a log of activity.
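The authentication/authorization/accounting split Malcolm XML draws here, and the key -> user association from the earlier reply, as an added example that is not code from the thread: a Go verifier for the leave-slip chain ManiacClown describes. It assumes a hypothetical three-role policy (requester, supervisor, payroll) and uses ed25519 in place of the PDF certificate signature; user names and the document are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Step is one signature in an approval chain: the user it claims to be from and the signature bytes.
type Step struct{ Signer string; Sig []byte }
// Verifier holds the key->user binding, each user's role (authorization) and an audit log (accounting).
type Verifier struct{ Keys map[string]ed25519.PublicKey; Roles map[string]string; Audit []string }
var leaveSlipChain = []string{"requester", "supervisor", "payroll"} // roles that must sign, in order (assumed policy)
// Enroll generates a key pair, binds the public key to the user and records the user's role.
func (v *Verifier) Enroll(user, role string) ed25519.PrivateKey {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	v.Keys[user], v.Roles[user] = pk, role
	return sk
}
// Approve accepts a chain only if every step verifies under the key bound to the claimed user AND that user holds
// the role the step requires; each decision is logged. A stolen private key still passes the signature check.
func (v *Verifier) Approve(doc []byte, chain []Step) bool {
	reject := func(why string) bool { v.Audit = append(v.Audit, "REJECT: "+why); return false }
	if len(chain) != len(leaveSlipChain) {
		return reject(fmt.Sprintf("%d signatures, want %d", len(chain), len(leaveSlipChain)))
	}
	for i, st := range chain {
		pk, ok := v.Keys[st.Signer]
		if !ok || !ed25519.Verify(pk, doc, st.Sig) { // authentication: the key bound to the claimed user
			return reject("signature does not verify under the key bound to " + st.Signer)
		}
		if v.Roles[st.Signer] != leaveSlipChain[i] { // authorization: the role this step requires
			return reject(fmt.Sprintf("%s signed the %s step but holds role %q", st.Signer, leaveSlipChain[i], v.Roles[st.Signer]))
		}
		v.Audit = append(v.Audit, fmt.Sprintf("OK: %s step signed by %s", leaveSlipChain[i], st.Signer)) // accounting
	}
	return true
}
// Demo runs an honest chain and a forged one where the requester signs the supervisor step with her own key.
func Demo() (honest, forged bool, audit []string) {
	v := &Verifier{Keys: map[string]ed25519.PublicKey{}, Roles: map[string]string{}}
	alice, bob, carol := v.Enroll("alice", "requester"), v.Enroll("bob", "supervisor"), v.Enroll("carol", "payroll")
	doc := []byte("Leave slip: alice, 2 days (constructed sample document)")
	sign := func(who string, sk ed25519.PrivateKey) Step { return Step{who, ed25519.Sign(sk, doc)} }
	honest = v.Approve(doc, []Step{sign("alice", alice), sign("bob", bob), sign("carol", carol)})
	forged = v.Approve(doc, []Step{sign("alice", alice), sign("alice", alice), sign("carol", carol)}) // every signature verifies, role check fails
	return honest, forged, v.Audit
}
func main() { fmt.Println(Demo()) }
```

The forged chain is the printer purchase-order scenario from the first post: the signature is cryptographically fine, and only the separate role policy and the audit entry reveal that the wrong person signed the supervisor step.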

ManiacClown
May 30, 2002

Gone, gone, O honky man,
And rise the M.C. Etrigan!

Oh, workflow software would DEFINITELY benefit this place. However, there's no way they'd shell out for it. Any kind of personnel change needed a paper form until two months ago, when the HR Director mandated use of the form I learned ASP.NET/C# almost specifically to build. Basically, I'm just trying to get something in place that if it does cost more money will be minimal. Can any of you recommend workflow software that's both good and cheap? I mean, there's Sharepoint, but I'd imagine there's a simpler solution out there.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Do you have sharepoint? Sharepoint handles workflows, depending on what you're looking for.

ManiacClown
May 30, 2002

Gone, gone, O honky man,
And rise the M.C. Etrigan!

MF_James posted:

Do you have sharepoint? Sharepoint handles workflows, depending on what you're looking for.

See, for a couple years before I got here one of our other guys tried to set up Sharepoint. It continued until this past winter when our CIO finally decided to just poo poo-can it. I'm sure that at this point if he never hears the word "Sharepoint" again it'll be too soon.


MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

ManiacClown posted:

See, for a couple years before I got here one of our other guys tried to set up Sharepoint. It continued until this past winter when our CIO finally decided to just poo poo-can it. I'm sure that at this point if he never hears the word "Sharepoint" again it'll be too soon.

sharepoint is poo poo, but it actually handles being a document/workflow thing well, that's what our client uses it for, and it works out excellently. Versioning on documents, assign workflows, hooks into AD blah blah blah.

*edit* but it needs to be set up by someone that knows what they're doing etc, that's a whole person to hire just for a thing since it sounds like you don't have anyone on staff with that knowledge.

MF_James fucked around with this message at 23:12 on May 17, 2016
