19

Context:

I'm filling my taxes and my country requires me to upload certain documents from my employer to verify the numbers I give to the government. These documents are "digitally signed", like so:

enter image description here

Now, before I use these certificates, I'm required to "validate" these signatures so that the sign above becomes a green tick mark:

enter image description here

One process to do this is outlined in this government document.

I've discovered that if I email this PDF and download it on a different computer, the validation (the Green Tick mark) disappears, and I'm back to how it was before validation. This makes me believe that validation is a local exercise -- it only tells if the current PC I'm on "trusts" this digital signature.

I've also found that this validation only appears on Adobe Reader. If I open it up on a Browser (even from the same PC), it disappears.

My questions:

  1. Is my assumption that validating a digital signature through this method is "local"?
  2. If that's right. what's the point of validating a digital signature when, if, when someone else opens it on their PC, it's going to appear like it's not valid (without the green check mark) anyway?
Bruno Rohée
  • 5,507
  • 30
  • 41
WorldGov
  • 333
  • 2
  • 6
  • 2
    It has to be local. What if someone tampered with your email? Everyone has to validate the PDF for themselves on their own machine. – John Wu Jul 17 '22 at 08:00
  • The instructions in that document are the exact opposite of validating a signature. – Mooing Duck Jul 19 '22 at 21:47

2 Answers2

34

One process to do this is outlined in this government document.

This document basically instructs you to trust the issuer of this signature on the local machine by importing the issuers certificate in the document into the local trust store. It is local only, i.e. it only makes changes to the local machine and not the document itself and thus these steps need to be retaken on any other machine were the signature should be checked.

If these instructions are all what you get, then I find this very questionable. The point of validating a document signature is to check that the document is issued by the expected person - so there need to be some expectation already. Since you don't know the issuer and signer of the document personally there is usually some trust chain involved to get to this expectation, i.e. you don't know the person directly but you trust the government (in this case) and the government cryptographically tells you that they trust this person (as government employee). See chain of trust for a deeper explanation of this concept.

What you are asked to do in the instructions is different though. There is no mentioning of a trust chain (even if there is one shown on page 3) but instead you are expected to simply trust the person because the instructions tell you to trust them. Blindly following these instructions will also make you trust non-government persons, i.e. potential scammers. Adobe even kind of warns you against doing thus, but unfortunately only in a technical terminology useless for most users (page 4):

enter image description here

Additionally these instructs ask you to grant very broad permissions, specifically to make the certificate associated with the document a trusted root. I'm pretty sure that this is not needed and could in fact be harmful. In fact, it specifically says that in this case it will not be checked if the certificate gets revoked, which might happen if the government removes the trust from this employees certificate (like certificate compromised, employee left, ...). Unfortunately again only in technical terms (page 5):

enter image description here

In other words, these instructions are not intended to actually provide security. They are only intended to somehow show the green tick mark. My hope is that the person who ultimately needs to get these documents will do some proper checking, your task here is basically only to weed out early problems before uploading.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
  • 6
    So, basically: Congratulations, the unverified(!) signer of the document is now allowed to install arbitrary viruses disguised as system drivers on your PC? – Hagen von Eitzen Jul 18 '22 at 15:48
  • 9
    @HagenvonEitzen I think this is only for the per-user Adobe trust store. If it were the system-wide trust store, it would prompt for the admin password. There might be some per-user system trust store I'm not aware of, though. – wizzwizz4 Jul 18 '22 at 15:55
  • @HagenvonEitzen what? You don't trust the government not to install viruses and spyware on your machine? That's preposterous!! Everyone knows they come pre-installed with your proprietary OS! – Mindwin Remember Monica Jul 19 '22 at 15:50
1

A verified signature denotes a very volatile state, since there is a standard possibility of revoking certificates, which also may reach the end of their intended lifetime (expiry date) etc.

For this reason, revocation lists may be checked online, before the static check of the signed hash value (which is indeed constant) takes place.

So even on the same PC it can't be taken for granted, that the verification has the same result when attempted at a later point in time. (Except, of course, if it was already invalid the previous time.)

guidot
  • 159
  • 3