digital signature validation code question

[NBPE]

I am a professional engineer and the State of Florida and some of the building departments are requiring electronic digital signatures on our documents. They have specific rules about how to do this and I am trying to learn. We have PDF-Xchange Viewer software and I think I can use it to comply. But I am not sure.

I am being asked to provide an "authentication code" under separate cover (hard paper copy) to accompany the digitally signed documents. They want to use that authentication code to match it to the digital signature on the electronic documents.

Can I get some instruction on how to do this with PDF-Xchange Viewer software? I see how to affix an electronic signature. I see but am not sure I understand the certificate stuff. I see a serial number and suspect that this might be OK as an "authentication code".

Please help.

[Paul - PDF-XChange]

Hi NBPE

an authentication code is not, as far as I know, a part of a digital ID.

Can you give us more detail on exactly what this is and how you are being asked to use it? For example is it an arbitrary number you put with your Digital Certificate? In that case you could use the Viewer to use an image of the number as in the attached sample. This would work as long as you are using the same number each time. If it changes each time then you would need to make a new image and that's time consuming.

This KB article has some good stuff on managing the look of your Digital Certificate: https://www.pdf-xchange.com/knowledgeba ... a-document as does this: https://www.pdf-xchange.com/knowledgeba ... ertificate

Hopefully these will help. Let me know if you need more.

regards

[NBPE]

I dont know what it is. That s what I am asking you. Here's the cut & paste of the requirements from the board of engineers.

61G15-23.003 Procedures for Signing and Sealing Electronically Transmitted Plans, Specifications,
Reports or Other Documents.
(1) Engineering work which must be sealed under the provisions of Section 471.025, F.S., may be signed
electronically or digitally as provided herein by the professional engineer in responsible charge. As used herein,
the terms “digital signature” and “electronic signature” shall have the meanings ascribed to them in Sections
668.003(3) and (4), F.S. The affixing of a digital or electronic signature to engineering work as provided herein
shall constitute the sealing of such work.
(a) A scanned image of an original signature shall not be used in lieu of a digital or electronic signature.
(b) The date that the electronic signature file was created or the digital signature was placed into the
document must appear on the document in the same manner as date is required to be applied when a licensee
uses the manual sealing procedure set out in Rule 61G15-23.002, F.A.C.
(2) A professional engineer utilizing a digital signature to seal engineering work shall assure that the digital
signature is:
(a) Unique to the person using it;
(b) Capable of verification;
(c) Under the sole control of the person using it;
(d) Linked to a document in such a manner that the electronic signature is invalidated if any data in the
document are changed.
(3) A professional engineer utilizing an electronic signature to seal engineering work shall create a
“signature” file that contains the engineer’s name and PE number, a brief overall description of the engineering
documents, and a list of the electronic files to be sealed. Each file shall have an authentication code defined as
an SHA-1 message digest described in Federal Information Processing Standard Publication 180-3 “Secure
Hash Standard,” October 2008, which is hereby adopted and incorporated by reference by the Board and can
be obtained from the Internet Website: http://www.flrules.org/Gateway/referenc ... =Ref-00790 or
http://csrc.nist.gov/publications/fips/ ... _final.pdf. The licenses shall then create a report that contains the
engineer’s name and PE number, a brief overall description of the engineering documents in question and the
authentication code of the signature file. This report shall be printed and manually signed, dated, and sealed by
the professional engineer in responsible charge. The signature file is defined as sealed if the signature file’s
authentication code matches the authentication code on the printed, manually signed, dated and sealed report.
Each electronic file listed in a sealed signature file is defined as sealed if the listed authentication code in the
signature file matches the electronic file’s computed authentication code.

[Stefan - PDF-XChange]

Hello NBPE,

Reading those requirements - I am happy to say that using the normal digital signing feature of our Viewer/Editor you would comply with all of them. You can use a digital certificate issued by an independent authority or one created on your own, and place all the rest of the required information in a visible form (e.g. date of signing) as part of the digital signature you will create.

I would recommend you to download the Viewer or Editor and try signing a sample document and send it to your colleagues for verification whether the signature placed meets their requirements.

Regards,
Stefan

[NBPE]

Stefan,

Thanks for stating your opinion that your software will meet the necessary requirements.

If you will re-read my original post, you will see that we already own your viewer software (paid version and everything) and are now at the point of actually (not theoretically) complying with the digital signature requirements.

How EXACTLY, do I print - on a piece of paper - a "validation code" that can be verified with the digitally signed document in accordance with the above requirements?

[Stefan - PDF-XChange]

Hello NBPE,

You might need to check with someone who has applied this standard already, and ask him to demonstrate to you how it is applied in practice, but how I understand it is that you need to digitally sign the file first:
https://www.pdf-xchange.com/knowledgebase/155
Then click on the digital signature itself, and print e.g. the attached image on paper, however printing a digitally signed document and the certificate details on paper can't guarantee that the printout is untouched - as a file could be modified and then printed on paper - and you won't be able to tell that from the paper copy. You would still need the digital copy of the file with the valid signature to confirm the paper copy is the same as the digitally signed document, and nothing else printed on paper could prove that the two documents are the same.

Regards,
Stefan

[NBPE]

so you think that the "thumbprint" field generated by your software would be acceptable as the "validation code" that is required?

[Stefan - PDF-XChange]

Hello NBPE,

I am only guessing here - as this specification / requirement was written by someone else - and for the proper way to implement it or for a valid sample/template you'd need to speak with them. We would be happy to point you to our KB articles on how to create digital signatures and how to customize them but those requirements for the paper version are out of the scope of digitally signing PDF files and beyond me, so sorry I can't be of much more assistance in this respect.

Regards,
Stefan

[Paul - PDF-XChange]

Hi NBPE,

I would ask your board of Engineers how it's done in Adobe. Many people consider Adobe Reader the defacto standard and I expect you'll get much better response from them that way. Ask for examples and step by step if necessary because that description of requirements doesn't make it clear to me what you are being asked to do.

I assume this is a new requirement for you. Do you know anyone else who is currently doing this who can point out how he/she does it? Once we understand the process as it is done in Adobe we can easily tell if there are any technical differences between us.

hth