
Verifying an electronic signature on a PDF

How reliable is the control and what is the Adobe Approved Trust List

Have you just received an electronically signed document and want to check the validity of the signature? How can you check that an electronic signature on a PDF file is valid? And how do you interpret the various messages displayed in Adobe Acrobat Reader?

While verifying a handwritten signature can be difficult, a digital signature can be checked quickly. Adobe’s Acrobat Reader software lets you check the validity of a signature on a PDF document. What remains is to understand and decipher the various messages that the software can display. This article explains how to interpret these messages and how to confirm the conformity of an electronic signature.

What is Adobe Acrobat?

Adobe Acrobat Reader is a free program that specializes in PDF files. The software publisher has launched a private program called “AATL” (Adobe Approved Trust List), designed to enable users to easily verify electronic signatures. The American company then drew up a set of technical requirements to be met in order to be included on this list. Any Certification Authority (CA) can apply to join the AATL program. The aim of this certification is to provide confidence to users who use and share signed documents. It is also intended to make it easier to understand the validity of a signature.

The 3 different color codes

When you open a signed PDF in the software, a banner appears directly at the top of the document. It provides information on the validity of the signature. There are 3 different color codes to distinguish the different states of the signature:

  • A green tick with the message “Signed with valid signatures”.
  • An orange triangle with the words “At least one signature presents a problem”.
  • A red cross with the message “At least one signature is invalid”.

The algorithm analyzes file data according to several criteria:

  • It ensures the integrity of the document, i.e. that its content has not been modified since it was signed.
  • It checks that the certificate has not expired or been revoked at the time of consultation.

At the end of this check, it will display one of the following 3 messages.

Demystifying the green tick

The software displays a green tick if one of the following criteria is met:

  • The Certification Authority (CA) is referenced on the European EUTL trust list, governed by the eIDAS regulation. These are only qualified services, the highest level in Europe.
  • The CA is part of the AATL and complies with the technical requirements imposed by Adobe.
  • The document is signed using a legal entity certificate (server stamp) issued on the basis of a physical face-to-face meeting or equivalent: this is a simple eIDAS signature.

Nuancing the red and orange indicators

The advanced electronic signature level is subdivided into several certificate levels. These include the LCP and NCP+ levels:

  • LCP (Lightweight Certificate Policy) requires authentication with proof of identity verification of the signatory via a piece of identification.
  • NCP+ (Extended Normalized Certificate Policy) corresponds to the LCP level, but adds a physical face-to-face meeting or equivalent, and an HSM device.

These different levels of advanced signatures are certified and therefore comply with eIDAS regulations. However, an advanced LCP signature can trigger a red or orange indicator, even though it strictly complies with the European regulations governing it. If the OID (signature policy identifier) of the certificate used is not listed in the AATL, the software displays a red cross. A red cross does not necessarily mean that there is a problem with the integrity of the signature; it may be perfectly valid cryptographically.

This is also the case for a simple signature, which may be valid and recognized as such by a French court, and still be shown with a red cross in Acrobat.

If the certificate has expired and the signature was not created for long-term validation (i.e. it does not contain the certificate revocation data), then the software displays an orange triangle. The document may have previously displayed a green tick, but only temporarily: this is known as an ephemeral green tick.

The red and orange ticks are therefore nuanced and may concern perfectly valid signatures. But red messages can also concern certificates containing errors: when the document has been modified since the signature was affixed, or when the timestamp is missing.

To decipher why a red or orange message appears, we need to take a closer look at the data in the document.
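
One way to take that closer look outside Acrobat is to inspect the signature's /ByteRange, which states exactly which bytes of the file the signature covers. The following is an added example, not part of the original article or of Adobe's software; the sample document is constructed, its signature value is a dummy placeholder, and the function names are hypothetical.

```python
import hashlib
import re

# /ByteRange [a b c d]: the signature covers bytes a..a+b and c..c+d;
# the gap between them holds the hex-encoded /Contents (the signature itself).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_coverage(pdf: bytes) -> list:
    """Report, for each /ByteRange in the file, what the signature covers."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        gap = pdf[a + b:c]
        reports.append({
            "byte_range": (a, b, c, d),
            "starts_at_zero": a == 0,
            "gap_is_hex_string": gap.startswith(b"<") and gap.endswith(b">"),
            # Bytes after the signed range: an incremental update made after
            # signing (a later signature, validation data, or a modification).
            "unsigned_trailing_bytes": len(pdf) - (c + d),
            "signed_sha256": hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).hexdigest(),
        })
    return reports

def build_sample() -> bytes:
    """Constructed, minimal PDF-like bytes with a dummy signature value."""
    tmpl = b"%%PDF-1.7\n1 0 obj << /Type /Sig /ByteRange [0 %10d %10d %10d] /Contents "
    contents = b"<" + b"00" * 16 + b">"   # placeholder, not a real CMS signature
    tail = b" >> endobj\n%%EOF\n"
    head_len = len(tmpl % (0, 0, 0))       # fixed-width fields keep this constant
    return tmpl % (head_len, head_len + len(contents), len(tail)) + contents + tail

if __name__ == "__main__":
    original = build_sample()
    appended = original + b"2 0 obj << /Note (added later) >> endobj\n%%EOF\n"
    for name, data in (("original", original), ("appended", appended)):
        for r in signature_coverage(data):
            print(name, r["byte_range"], r["unsigned_trailing_bytes"], r["signed_sha256"][:16])
```

The digest over the signed bytes is identical for both files, which is why appended content does not break the cryptographic check itself; the non-zero trailing byte count is what tells a reviewer that part of the file lies outside what was signed.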

Check properties

To check the certificate information:

1. Open your PDF file.

2. In the left-hand panel, select the feather icon, then expand the information and click on the arrow.

3. Click on “certificate details”.

4. A window appears with the contents of the signatory’s certificate information.

You can also obtain information by right-clicking on the signature and then choosing “View signature properties”. In the case of a red cross, it is worth checking the detailed information on the certificates: you can confirm that the document has not been modified since it was signed, or that it contains a time stamp. You can also manually validate the signature in the Approval tab. The red cross instantly turns into a green tick.

To check the software configuration and ensure that the trust list is up to date:

  • In the Edit panel, select Preferences
  • Select the “Approvals manager” category
  • Update the AATL.

In some cases, the software asks for manual signature approval and displays the following message: “At least one signature must be validated, please fill in the following form”.

The limits of the AATL program

Despite the program’s ambition to make it easier to check the status of an electronic signature, it has a number of limitations that we need to be aware of.

Remember that this program is run by a private company, which does not guarantee the legal validity of a digital signature. Two signatures providing an identical proof file, only one of which is referenced in the AATL, will have the same legal value, but will potentially demonstrate differences in Adobe Acrobat.

The color code displayed is no guarantee of safety. It simply makes the status of an electronic signature, which can sometimes prove complex, easier to read. The legal value of a signature cannot be called into question by this interpretation alone.

Red and orange messages do not necessarily indicate a problem with the integrity of the signature. Finally, holding a green mark is a good thing, and demonstrates a valid signature, but may be the legacy of less restrictive rules that cannot be reversed (AATL V1).

Namirial’s electronic signature

A trusted third party recognized as a Registration and Certification Authority, Namirial offers electronic signature solutions compliant with the eIDAS regulation and is part of the AATL Adobe Approved Trust List.
