electronic signatures

[alanth]

Hello all,

I am a Florida PE and have recently been informed by one of our clients that from now on, all the construction drawings have to be submitted electronically with electronic signatures (NOT digital facsimiles of the stamp and signature, but locked PDF files). I have read the FL rules and I think I understand the requirements but I am clueless as how get started. I read language about third party signature verification's and signature files with document list and encryption keys,.....

Does anyone know of a source for guidance on this?

Thanks

 

[IRstuff]

If you have Acrobat, or even other similar software, there's a toolbar for "Sign & Certify" which allows you to sign with digital certificates. There seems to be lots of help entries for that:

https://helpx.adobe.com/search.html#q=sign & certify&t=All&sort=relevancy&CommonProduct=Acrobat

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!

https://www.youtube.com/watch?v=BKorP55Aqvg

faq731-376 forum1529

 

[JedClampett]

We use SafeNet. I'm not familiar with the other options, but our people who studied this picked SafeNet.

 

[JAE]

We use Bluebeam

Check out Eng-Tips Forum's Policies here:
faq731-376

 

[Ron]

Currently, the Florida Board does not recognize Adobe PDF's signature system as compliant. While I disagree with their decision, it is what it is! There are several systems that will meet the Florida requirements and you will have to use one of those if your client requires electronic signatures.

In a discussion I had with the FBPE's general counsel, he indicated that the Adobe Encryption process was not acceptable but was not clear on the reason. He indicated that it was not unique and verifiable....I disagree; however, they make the decisions and we must live with them until we work to get them changed!

 

[Ingenuity]

FBPE's general counsel...they make the decisions and we must live with them until we work to get them changed!

Engineer's governed by lawyers!

 

[FreddyNurk]

Ron, it sounds like a technicality, Adobe's approved certificate arrangements are one of the more stringent around (certificate has to be stored on a separate medium like a USB stick, and there is a limit on number of signatures per year or something equally silly), but Adobe also allows signing using self generated certificates, which aren't 3rd party verifiable.

Of course, if it is the case, convincing them to change it is another thing entirely. Its certainly very easy to get quite lost in how to manage electronic signatures.

 

[SteelPE]

JAE, what version of Bluebeam are you using. I'm am currently using "Revu" (I think) and I don't think it has the encryption talked about in this thread.

 

[JAE]

We are using Revu and it has a "signature" option under the Documents tab at the top. This is a simple digital signature system whereby if the pdf is altered, or even merged with other pdf's, the signature changes to indicate that the document has been changed.

Whether this meets all the requirements of Florida I don't know. On a recent Florida project we wet signed everything I think.

Check out Eng-Tips Forum's Policies here:
faq731-376

 

[Terratek]

When you use ADOBE, the banner at the top shows "unverified" to anyone who opens the document on another PC than the one on which it was certified. It still tells you the last date the document was modified. So, if there is a seal on the report and a date on the report you know that document is bad if there are modifications after the date - even if it says "unverified" in the banner.

 

[FreddyNurk]

Terratek, that's only true if a self-generated certificate is used.
If you pay separately for an Adobe accredited signature certificate, then Acrobat will indicate that the signature is verified.
However, you're correct in the regard that document modifications should show up, regardless of what certificate is used.

 

[Terratek]

Yes, I am referring to the self generated kind.

 

[nonplussed]

Aussie here and please mind my ignorance on this subject. My company uses electronic signatures (for drawings only) and we just copy and paste the scanned signature on the drawing while in the CAD file. I guess after reading all this my question is: what is the point of all this special signature software?

Let's say someone simply copies and pastes your signature from a different pdf, or creates their own imitation electronic signature using similar software. The only way anyone can actually verify the signature is if someone calls you and asks if it is indeed valid. And as far as i know, electronic signatures can only be verified by the creator by checking against their private encryption key. And if it can only be verified by you, then you may as well just check your saved drawings on your computer or your sent emails to check whether the drawings are valid.

We tell our on going clients that the only verification we accept is an invoice for the job. If someone is willing to forge a signature then really nothing will stop them unless you somehow find out and tell the police.

 

[JAE]

The point of the encrypted signature is, to my understanding, that the local engineering board, or local courts, could, after the fact of a problem, look at the actual drawing (pdf) used and determine if that encrypted signature was valid (i.e. the engineer of record is therefore responsible) or if the signature/seal is simply a blank jpg image and the EOR can show that they previously delivered an encrypted signature, then the EOR is off the hook as someone has messed with their plans.

So the encryption only serves to exonerate, or lay blame, on the EOR.



Check out Eng-Tips Forum's Policies here:
faq731-376

 

[FreddyNurk]

nonplussed, purchasing of a 3rd party accredited certificate allows for verification by anyone that also trusts the certificate authority.

https://en.wikipedia.org/wiki/Chain_of_trust

indicates the trust process (which deals with computer security, but the implementation is effectively the same for electronic signatures). Self-generated certificates do suffer from the lack of verification, as previously indicated.

The overall intent of electronic signatures would be the same as keeping wet signed copies, and any changes to the fact would be able to be detected through a manual review. Its also entirely possible to electronically sign documents without a visible signature, thus there's no image to copy. This makes it harder when only issuing printed copies, but I suspect that most places will issue electronic documents anyway.

I've personally seen a couple of instances of fellow employees misrepresent approved documents, in these cases with a scanned signature image stored somewhere there's an internal risk, not just for 3rd parties altering records; and for this reason I've never used the cut and paste method on anything I'd approve.

As an aside, PDF used to be used instead of native document formats (such as MS Word) as it was perceived to be quite difficult to change compared to the native formats. Another forum member here noted that a client was easily able to edit their submitted PDF and change the results, thus some means of protection is likely a good idea.

It is possible to generate encryption checksums (e.g. MD5SUM) to verify whether a document has been altered (Linux distributions have been doing this for years) but the electronic signature is probably easier to implement, as the checksum has to be generated at document issue, and then stored for later comparison. It also doesn't replace the requirement of EOR or similar to approve the document.

 

[XR250]

Our board (NC) requires a third party verified digital signature. Companies such as GlobalSign provide this. You pay for a certain amount of signatures and they send you a dongle that goes in the USB port. It is integrated into Adobe. Do I use it? - NO! It is just another $500 a year for me to spend on something useless that does nothing to prevent fraud.
I think most boards are going to this type of system.